Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein “Through our inefficient use of University of Illinois at Chicago & energy (gas guzzling vehicles, Technische Universiteit Eindhoven badly insulated buildings, Tanja Lange poorly optimized crypto, etc) Technische Universiteit Eindhoven we needlessly throw away almost a third of the energy we use.” —Greenpeace UK
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein “Through our inefficient use of University of Illinois at Chicago & energy (gas guzzling vehicles, Technische Universiteit Eindhoven badly insulated buildings, Tanja Lange poorly optimized crypto , etc) Technische Universiteit Eindhoven we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly)
er-and-elliptic-curve DH speed cryptography Sandy Bridge is not the same as: security ❛❀ P ✼✦ ❛P erelliptic-curve cryptography (“?” if not elliptic-curve cryptography) 2011 Bernstein–Duif–Lange– Schwabe–Y J. Bernstein 2012 Hamburg: “Through our inefficient use of University of Illinois at Chicago & 2012 Longa–Sica: energy (gas guzzling vehicles, echnische Universiteit Eindhoven 2013 Bos–Costello–Hisil– badly insulated buildings, Lauter: Lange poorly optimized crypto , etc) 2013 Oliveira–L´ echnische Universiteit Eindhoven we needlessly throw away almost Rodr´ ıguez-Henr a third of the energy we use.” 2013 Faz-Hern S´ anchez: —Greenpeace UK (mostly) 2014 Bernstein–Chuengsatiansup– Lange–Schw
er-and-elliptic-curve DH speed records Sandy Bridge cycles the same as: security constant-time ❛❀ P ✼✦ ❛P erelliptic-curve cryptography (“?” if not SUPERCOP-verified): elliptic-curve cryptography) 2011 Bernstein–Duif–Lange– Schwabe–Yang: Bernstein 2012 Hamburg: “Through our inefficient use of Illinois at Chicago & 2012 Longa–Sica: energy (gas guzzling vehicles, Universiteit Eindhoven 2013 Bos–Costello–Hisil– badly insulated buildings, Lauter: poorly optimized crypto , etc) 2013 Oliveira–L´ opez–Aranha– Universiteit Eindhoven we needlessly throw away almost Rodr´ ıguez-Henr´ ıquez: a third of the energy we use.” 2013 Faz-Hern´ andez–Longa– S´ anchez: —Greenpeace UK (mostly) 2014 Bernstein–Chuengsatiansup– Lange–Schwabe:
DH speed records Sandy Bridge cycles for high- as: security constant-time ❛❀ P ✼✦ ❛P cryptography (“?” if not SUPERCOP-verified): cryptography) 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? “Through our inefficient use of Chicago & 2012 Longa–Sica: 137000? energy (gas guzzling vehicles, Eindhoven 2013 Bos–Costello–Hisil– badly insulated buildings, Lauter: 122716 poorly optimized crypto , etc) 2013 Oliveira–L´ opez–Aranha– Eindhoven we needlessly throw away almost Rodr´ ıguez-Henr´ ıquez: 114800? a third of the energy we use.” 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? —Greenpeace UK (mostly) 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320
DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? “Through our inefficient use of 2012 Longa–Sica: 137000? energy (gas guzzling vehicles, 2013 Bos–Costello–Hisil– badly insulated buildings, Lauter: 122716 poorly optimized crypto , etc) 2013 Oliveira–L´ opez–Aranha– we needlessly throw away almost Rodr´ ıguez-Henr´ ıquez: 114800? a third of the energy we use.” 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? —Greenpeace UK (mostly) 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320
DH speed records Critical fo Sandy Bridge cycles for high- 1986 Chudnovsky–Chudnovsky: security constant-time ❛❀ P ✼✦ ❛P traditional (“?” if not SUPERCOP-verified): allows fa 14 M for ❳ P ✼✦ ❳ P 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2006 Gaudry: 2012 Hamburg: 153000? “Through our inefficient use of 25 M for ❳ P ❀ ❳ ◗ ❀ ❳ ◗ � P 2012 Longa–Sica: 137000? (gas guzzling vehicles, ✼✦ ❳ (2 P ❀ ❳ ◗ P 2013 Bos–Costello–Hisil– insulated buildings, 6 M by surface Lauter: 122716 optimized crypto , etc) 2013 Oliveira–L´ opez–Aranha– 2012 Gaudry–Schost: needlessly throw away almost Rodr´ ıguez-Henr´ ıquez: 114800? 1000000-CPU-hour of the energy we use.” 2013 Faz-Hern´ andez–Longa– found secure S´ anchez: 96000? —Greenpeace UK (mostly) 2014 Bernstein–Chuengsatiansup– surface over � Lange–Schwabe: 91320
DH speed records Critical for 122716, Sandy Bridge cycles for high- 1986 Chudnovsky–Chudnovsky: security constant-time ❛❀ P ✼✦ ❛P traditional Kummer (“?” if not SUPERCOP-verified): allows fast scalar mult. 14 M for ❳ ( P ) ✼✦ ❳ P 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2006 Gaudry: even 2012 Hamburg: 153000? inefficient use of 25 M for ❳ ( P ) ❀ ❳ ( ◗ ❀ ❳ ◗ � P 2012 Longa–Sica: 137000? guzzling vehicles, ✼✦ ❳ (2 P ) ❀ ❳ ( ◗ + P 2013 Bos–Costello–Hisil– buildings, 6 M by surface coefficients. Lauter: 122716 optimized crypto , etc) 2013 Oliveira–L´ opez–Aranha– 2012 Gaudry–Schost: throw away almost Rodr´ ıguez-Henr´ ıquez: 114800? 1000000-CPU-hour energy we use.” 2013 Faz-Hern´ andez–Longa– found secure small-co S´ anchez: 96000? UK (mostly) 2014 Bernstein–Chuengsatiansup– surface over F 2 127 � Lange–Schwabe: 91320
DH speed records Critical for 122716, 91320: Sandy Bridge cycles for high- 1986 Chudnovsky–Chudnovsky: security constant-time ❛❀ P ✼✦ ❛P traditional Kummer surface (“?” if not SUPERCOP-verified): allows fast scalar mult. 14 M for ❳ ( P ) ✼✦ ❳ (2 P ). 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2006 Gaudry: even faster. 2012 Hamburg: 153000? use of 25 M for ❳ ( P ) ❀ ❳ ( ◗ ) ❀ ❳ ( ◗ � P 2012 Longa–Sica: 137000? vehicles, ✼✦ ❳ (2 P ) ❀ ❳ ( ◗ + P ), including 2013 Bos–Costello–Hisil– 6 M by surface coefficients. Lauter: 122716 , etc) 2013 Oliveira–L´ opez–Aranha– 2012 Gaudry–Schost: almost Rodr´ ıguez-Henr´ ıquez: 114800? 1000000-CPU-hour computation use.” 2013 Faz-Hern´ andez–Longa– found secure small-coefficient S´ anchez: 96000? (mostly) 2014 Bernstein–Chuengsatiansup– surface over F 2 127 � 1 . Lange–Schwabe: 91320
DH speed records Critical for 122716, 91320: Sandy Bridge cycles for high- 1986 Chudnovsky–Chudnovsky: security constant-time ❛❀ P ✼✦ ❛P traditional Kummer surface (“?” if not SUPERCOP-verified): allows fast scalar mult. 14 M for ❳ ( P ) ✼✦ ❳ (2 P ). 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2006 Gaudry: even faster. 2012 Hamburg: 153000? 25 M for ❳ ( P ) ❀ ❳ ( ◗ ) ❀ ❳ ( ◗ � P ) 2012 Longa–Sica: 137000? ✼✦ ❳ (2 P ) ❀ ❳ ( ◗ + P ), including 2013 Bos–Costello–Hisil– 6 M by surface coefficients. Lauter: 122716 2013 Oliveira–L´ opez–Aranha– 2012 Gaudry–Schost: Rodr´ ıguez-Henr´ ıquez: 114800? 1000000-CPU-hour computation 2013 Faz-Hern´ andez–Longa– found secure small-coefficient S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– surface over F 2 127 � 1 . Lange–Schwabe: 91320
� � � � � � � � � � � � � � � � � eed records Critical for 122716, 91320: ① 2 ② 2 ③ t ① ② ③ t Bridge cycles for high- 1986 Chudnovsky–Chudnovsky: Hadama y constant-time ❛❀ P ✼✦ ❛P traditional Kummer surface if not SUPERCOP-verified): allows fast scalar mult. ✁ ❆ 2 ✁ ❆ ✁ ❆ ❇ 2 ❈ ❉ 14 M for ❳ ( P ) ✼✦ ❳ (2 P ). Bernstein–Duif–Lange– abe–Yang: 194036 ✂ ✂ ✂ ✂ ✂ ✂ ✂ ✂ 2006 Gaudry: even faster. Hamburg: 153000? 25 M for ❳ ( P ) ❀ ❳ ( ◗ ) ❀ ❳ ( ◗ � P ) Longa–Sica: 137000? Hadama ✼✦ ❳ (2 P ) ❀ ❳ ( ◗ + P ), including Bos–Costello–Hisil– 6 M by surface coefficients. Lauter: 122716 ✂ ✂ ✂ ✂ ✂ ✂ ✂ ✂ Oliveira–L´ opez–Aranha– 2012 Gaudry–Schost: ıguez-Henr´ ıquez: 114800? ✁ ❛ 2 ✁ ① ✁ ① ✁ ① ✁ ❛ ✁ ❛ 1000000-CPU-hour computation ❜ 2 ② ③ t az-Hern´ andez–Longa– ❝ ❞ found secure small-coefficient anchez: 96000? ① 4 ② 4 ③ t ① ② ③ t Bernstein–Chuengsatiansup– surface over F 2 127 � 1 . Lange–Schwabe: 91320
Recommend
More recommend
