new speed records 640838 pentium m cycles for point
play

New speed records 640838 Pentium M cycles for point multiplication - PowerPoint PPT Presentation

Aug 29, 2022 •366 likes •850 views

New speed records 640838 Pentium M cycles for point multiplication to compute a 32-byte secret shared by Dan and Tanja, D. J. Bernstein given Dans 32-byte secret key and Tanjas 32-byte public key . 2 128 cycles. All known

  1. � New speed records 640838 Pentium M cycles for point multiplication to compute a 32-byte secret shared by Dan and Tanja, D. J. Bernstein given Dan’s 32-byte secret key and Tanja’s 32-byte public key . 2 128 cycles. All known attacks: This is the new speed record for high-security Diffie-Hellman. Thanks to: Encrypt and authenticate messages University of Illinois at Chicago using hash of shared secret as key. NSF CCR–9983950 Diffie-Hellman is the bottleneck Alfred P. Sloan Foundation if total message length is short.

  2. ✂ ✂ ✂ ✂ ✂ ✁ � ✂ ✁ ✄ ✁ ✁ � ✂ ✂ ✁ ✄ � ✄ � � rds 640838 Pentium M cycles 640838 Pentium M multiplication to compute a 32-byte secret to compute � -coordinate shared by Dan and Tanja, multiple of ( ✂ ) given Dan’s 32-byte secret key given 0 ✁ 1 2 254 + 8 0 and Tanja’s 32-byte public key . ✁ 1 2 128 cycles. All known attacks: Curve25519 is the 2 = � 3 + 486662 This is the new speed record mod the prime 2 255 for high-security Diffie-Hellman. 624786 Athlon (622) Encrypt and authenticate messages 832457 Pentium II Illinois at Chicago using hash of shared secret as key. 957904 Pentium 4 CCR–9983950 Diffie-Hellman is the bottleneck I anticipate similar Foundation if total message length is short. for UltraSPARC, P

  3. ✂ ✁ ✂ ✁ ✂ ✂ ✄ � ✂ ✁ ✂ ✂ ✄ � � ✄ ✂ 640838 Pentium M cycles 640838 Pentium M (695) cycles � th to compute a 32-byte secret to compute � -coordinate of shared by Dan and Tanja, multiple of ( ✂ ) on Curve25519, ✁ 2 256 given Dan’s 32-byte secret key given 0 ✁ 1 1 and 2 254 + 8 0 ✁ 2 251 and Tanja’s 32-byte public key . ✁ 1 1 . 2 128 cycles. All known attacks: Curve25519 is the elliptic curve 2 = � 3 + 486662 � 2 + This is the new speed record mod the prime 2 255 19. for high-security Diffie-Hellman. 624786 Athlon (622) cycles; Encrypt and authenticate messages 832457 Pentium III (686) cycles; using hash of shared secret as key. 957904 Pentium 4 (f12) cycles. Diffie-Hellman is the bottleneck I anticipate similar cycle counts if total message length is short. for UltraSPARC, PowerPC, etc.

  4. ✁ ✂ ✂ ✂ ✁ ✂ ✄ � ✄ ✂ ✂ ✂ ✄ ✄ ✄ � � ✂ ✁ M cycles 640838 Pentium M (695) cycles Immune to timing � th 32-byte secret to compute � -coordinate of including cache-timing and Tanja, multiple of ( ✂ ) on Curve25519, including hyperthreading ✁ 2 256 yte secret key given 0 ✁ 1 1 and No data-dependent 2 254 + 8 0 ✁ 2 251 yte public key . ✁ 1 1 . no data-dependent 2 128 cycles. attacks: Curve25519 is the elliptic curve Software is in public 2 = � 3 + 486662 � 2 + 16 kilobytes when speed record mod the prime 2 255 19. cr.yp.to/ecdh.html Diffie-Hellman. 624786 Athlon (622) cycles; No known patent p authenticate messages 832457 Pentium III (686) cycles; shared secret as key. For comparison, Bro 957904 Pentium 4 (f12) cycles. the bottleneck much smaller prime, I anticipate similar cycle counts length is short. 780000 PII cycles; for UltraSPARC, PowerPC, etc. no timing-attack p

  5. ✂ ✄ ✄ ✂ ✂ ✂ ✁ ✁ ✄ ✂ � ✂ ✂ ✁ ✄ � ✂ ✄ 640838 Pentium M (695) cycles Immune to timing attacks, � th to compute � -coordinate of including cache-timing attacks, multiple of ( ✂ ) on Curve25519, including hyperthreading attacks. ✁ 2 256 given 0 ✁ 1 1 and No data-dependent branches; 2 254 + 8 0 ✁ 2 251 ✁ 1 1 . no data-dependent indexing. Curve25519 is the elliptic curve Software is in public domain. 2 = � 3 + 486662 � 2 + 16 kilobytes when compiled. mod the prime 2 255 19. cr.yp.to/ecdh.html 624786 Athlon (622) cycles; No known patent problems. 832457 Pentium III (686) cycles; For comparison, Brown et al.: 957904 Pentium 4 (f12) cycles. much smaller prime, 2 192 2 64 1; I anticipate similar cycle counts 780000 PII cycles; given; for UltraSPARC, PowerPC, etc. no timing-attack protection.

  6. � ✄ � ✄ ✄ � ✂ ✂ ✂ ✁ ✂ � ✄ ✂ ✂ ✂ ✁ ✁ ✄ ✂ ✂ ✁ M (695) cycles Immune to timing attacks, Where are the cycles � th ordinate of including cache-timing attacks, Focus today on Pentium ✂ ) on Curve25519, including hyperthreading attacks. Fastest arithmetic ✁ 2 256 1 and No data-dependent branches; uses floating-point ✁ 2 251 ✁ 1 1 . no data-dependent indexing. fp adds, fp subs, fp the elliptic curve Software is in public domain. � 2 + Each Pentium M cycle 486662 16 kilobytes when compiled. 1 fp op. 255 19. cr.yp.to/ecdh.html Point multiplication: (622) cycles; No known patent problems. 589825 fp ops; 0 III (686) cycles; For comparison, Brown et al.: 4 (f12) cycles. Understand cycle counts much smaller prime, 2 192 2 64 1; similar cycle counts by simply counting 780000 PII cycles; given; ARC, PowerPC, etc. no timing-attack protection.

  7. ✄ ✄ Immune to timing attacks, Where are the cycles going? including cache-timing attacks, Focus today on Pentium M. including hyperthreading attacks. Fastest arithmetic on Pentium M No data-dependent branches; uses floating-point operations: no data-dependent indexing. fp adds, fp subs, fp mults. Software is in public domain. Each Pentium M cycle does 16 kilobytes when compiled. 1 fp op. cr.yp.to/ecdh.html Point multiplication: 640838 cycles. No known patent problems. 589825 fp ops; 0 ✂ 92 per cycle. For comparison, Brown et al.: Understand cycle counts fairly well much smaller prime, 2 192 2 64 1; by simply counting fp ops. 780000 PII cycles; given; no timing-attack protection.

  8. ✄ ✄ � � ✄ timing attacks, Where are the cycles going? Avoiding all time va cache-timing attacks, to stop timing attacks: Focus today on Pentium M. erthreading attacks. 1. For 0 ✁ 1 , compute Fastest arithmetic on Pentium M endent branches; as � [1] + (1 ) uses floating-point operations: endent indexing. Avoids data-dependent fp adds, fp subs, fp mults. public domain. Costs 36210 fp ops Each Pentium M cycle does when compiled. 2. Compute final recip 1 fp op. cr.yp.to/ecdh.html by Fermat, not extended Point multiplication: 640838 cycles. patent problems. Avoids data-dependent 589825 fp ops; 0 ✂ 92 per cycle. Brown et al.: 3. Don’t branch fo Understand cycle counts fairly well rime, 2 192 2 64 1; Allow non-least remainders. by simply counting fp ops. cycles; given; No cost—this saves protection.

  9. ✄ Where are the cycles going? Avoiding all time variability to stop timing attacks: Focus today on Pentium M. 1. For 0 ✁ 1 , compute � [ ] Fastest arithmetic on Pentium M as � [1] + (1 ) � [0] or similar. uses floating-point operations: Avoids data-dependent indexing. fp adds, fp subs, fp mults. Costs 36210 fp ops (6%). Each Pentium M cycle does 2. Compute final reciprocal 1 fp op. by Fermat, not extended Euclid. Point multiplication: 640838 cycles. Avoids data-dependent branching. 589825 fp ops; 0 ✂ 92 per cycle. 3. Don’t branch for remainders. Understand cycle counts fairly well Allow non-least remainders. by simply counting fp ops. No cost—this saves time!

  10. � ✄ ✄ cycles going? Avoiding all time variability Main loop: 545700 to stop timing attacks: 2140 times 255 iterations. Pentium M. 1. For 0 ✁ 1 , compute � [ ] Reciprocal: 43821 rithmetic on Pentium M as � [1] + (1 ) � [0] or similar. 41148 = 254 � 162 oint operations: Avoids data-dependent indexing. 2673 = 11 � 243 for subs, fp mults. Costs 36210 fp ops (6%). Additional work: 304 cycle does 2. Compute final reciprocal Inside one main-loop by Fermat, not extended Euclid. 80 = 8 � 10 for 8 adds/subs; multiplication: 640838 cycles. Avoids data-dependent branching. 55 for mult by 121665; 0 ✂ 92 per cycle. 3. Don’t branch for remainders. 648 = 4 � 162 for 4 cycle counts fairly well Allow non-least remainders. 1215 = 5 � 243 for counting fp ops. No cost—this saves time! 142 for � [1] + (1

  11. ✄ ✄ Avoiding all time variability Main loop: 545700 fp ops (92.5%). to stop timing attacks: 2140 times 255 iterations. 1. For 0 ✁ 1 , compute � [ ] Reciprocal: 43821 fp ops (7.4%). as � [1] + (1 ) � [0] or similar. 41148 = 254 � 162 for 254 squarings; Avoids data-dependent indexing. 2673 = 11 � 243 for 11 more mults. Costs 36210 fp ops (6%). Additional work: 304 fp ops. 2. Compute final reciprocal Inside one main-loop iteration: by Fermat, not extended Euclid. 80 = 8 � 10 for 8 adds/subs; Avoids data-dependent branching. 55 for mult by 121665; 3. Don’t branch for remainders. 648 = 4 � 162 for 4 squarings; Allow non-least remainders. 1215 = 5 � 243 for 5 more mults; No cost—this saves time! 142 for � [1] + (1 ) � [0] etc.

Recommend

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point

Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point

Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point arithmetic. If you fly in aircraft designed using a Pentium, what is the correct pronunciation of "IEEE"? A:

517 views • 20 slides
Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed

Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed

Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed Intel lists for Pentium M nowadays: ~240 cycles to access main memory The gap is widening Faster memory is too expensive The Solution

343 views • 18 slides
1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

Performance Introduction Many factors impact performance: Technology: basic circuit speed (clock speed, usually in MHz, now in GHz - billions of cycles per second) process technology (# of transistors per chip) Organization:

138 views • 3 slides
DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units

DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units

DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units more complex than simple integer ALU Require several clock cycles for a FP arithmetic operation Add: 4 cycles, Multiply: 7 cycles, Divide: 25

377 views • 22 slides
The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected

The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected

The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected mode memory architecture Pentium processor details Segment registers Pentium registers Segment descriptors Data Segment

910 views • 41 slides
POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a

POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a

ROCKET POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a Lebanese-grown startup accelerator software 2 acceleration 10 startups 3-month 10% equity idea & early cycles per year per cycle

417 views • 4 slides
Performance What do we mean by Performance? We must take many different factors into account:

Performance What do we mean by Performance? We must take many different factors into account:

Performance What do we mean by Performance? We must take many different factors into account: Technology basic circuit speed (clock speed, usually in MHz: millions of cycles per second, now in GHz: billions of cycles per sec.)

188 views • 7 slides
Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and

Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and

Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and multi-threading 2004 version: 31 clock cycles from fetch to retire, 3.2 GHZ clock rate (deep pipeline allows higher clock rate) Front end decoder

692 views • 22 slides
ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 New EECM web site: http://eecm.cr.yp.to Joint work with: 1 2 3 Tanja Lange 1 Peter Birkner 1 Christiane Peters 2 3 Chen-Mou Cheng 2 3

470 views • 29 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields K. Jrvinen 1 , A. Miele 2 , R. Azarderakhsh 3 , and P . Longa 4 1 Aalto University 2 Intel Corporation 3 Rochester Institute of

831 views • 81 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard

medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard

Applying machine learning to electronic medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard Morris, Charmaine Tam, Janice Gullick, Stephen T Vernon, Jonathan Morris, David Brieger Centre for

454 views • 18 slides
Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed

Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed

Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed of data < Speed of light Speed of light: 3e8 meters/second Processor speed: 3 GHz, 3e9 cycles/second 0.1 meters/cycle (4 inches/cycle)

619 views • 34 slides
GRO: Surviving 10Gbp/s with Cycles to Spare Herbert Xu Red Hat Inc. Background Ethernet

GRO: Surviving 10Gbp/s with Cycles to Spare Herbert Xu Red Hat Inc. Background Ethernet

GRO: Surviving 10Gbp/s with Cycles to Spare Herbert Xu Red Hat Inc. Background Ethernet bandwidth from 10Mb/s to 10Gb/s. MTU (Maximum Transmit Unit) 1500 bytes. Packet rate from 833pps to 833000pps. CPU speed has flatlined.

110 views • 10 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
Risk and Records at UTS Records Management Program > University Records, Governance Support

Risk and Records at UTS Records Management Program > University Records, Governance Support

THINK.CHANGE.DO Risk and Records at UTS Records Management Program > University Records, Governance Support Unit, Registrar, DVC (Corporate Services) 6 dedicated f/t positions > Devolved system 2 campuses (city campus over

325 views • 13 slides
Cedar Rapids RLR & Speed Des Moines RLR & Speed

Cedar Rapids RLR & Speed Des Moines RLR & Speed

Davenport.RLR & Speed Cedar Rapids RLR & Speed Des Moines RLR & Speed Sioux City.. RLR & Speed Muscatine...RLR & Speed Council

248 views • 11 slides
Speed kills 2 but people like speed! 3 Speed Higher speeds are associated with higher

Speed kills 2 but people like speed! 3 Speed Higher speeds are associated with higher

Effects of automated highway speed enforcement: average versus instantaneous speed control 27 th annual ICTCT workshop 16-17 Oct 2014, Karlsruhe - Germany dr. Stijn Daniels, PhD Transportation Research Institute Hasselt University, Belgium

413 views • 9 slides
Simultaneous Multithreading on Pentium 4 Presented by: Thomas Repantis trep@cs.ucr.edu

Simultaneous Multithreading on Pentium 4 Presented by: Thomas Repantis trep@cs.ucr.edu

Hyper-Threading: Simultaneous Multithreading on Pentium 4 Presented by: Thomas Repantis trep@cs.ucr.edu CS203B-Advanced Computer Architecture, Spring 2004 p.1/32 Overview Multiple threads executing on a single processor without

980 views • 32 slides
Three-colourability of planar graphs without 5-cycles and triangular 3- and 6-cycles Asiyeh

Three-colourability of planar graphs without 5-cycles and triangular 3- and 6-cycles Asiyeh

Three-colourability of planar graphs without 5-cycles and triangular 3- and 6-cycles Asiyeh Sanaei Brock University Joint work with Babak Farzad June 12, 2013 1 / 80 Graph Colouring; An Introduction Figure : A colouring of vertices of a

1.34k views • 77 slides
Life Cycles Return to Table of Contents Slide 6 / 115 Living and Nonliving Think back to what

Life Cycles Return to Table of Contents Slide 6 / 115 Living and Nonliving Think back to what

Slide 1 / 115 Slide 2 / 115 3 rd Grade PSI Growth and Development of Organisms 2015-12-06 www.njctl.org Slide 3 / 115 Table of Contents Click on the topic to go to that section Life Cycles Plant Life Cycles Animal Life Cycles

417 views • 39 slides

More recommend