Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable to any type of curve over a finite field Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against side channel attacks (SCA). The algorithm improves both the addition chain and the addition formula in the scalar multiplication. Our addition chain requires no table look-up (or only a very small number of pre-computed points), and a prominent property is that it can be implemented in parallel. The computing time for an n-bit scalar multiplication is one ECDBL + (n − 1) ECADDs in the parallel case and (n − 1) ECDBLs + (n − 1) ECADDs in the single case. We also propose faster addition formulas which only use the x-coordinates of the points. By combining our addition chain and addition formulas, we establish a faster scalar multiplication resistant against SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37% for two processors and 5.7% for a single processor. Our scalar multiplication is suitable for implementation on smart cards.
Abstract. We propose a cryptosystem modulo p^k q based on the RSA cryptosystem. We choose an appropriate modulus p^k q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo p^k proposed in [22]. The decryption process of the proposed cryptosystem is faster than that of the RSA cryptosystem using the Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus p^2 q for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of the RSA cryptosystem using the Quisquater-Couvreur method.

Key words: RSA cryptosystem, Quisquater-Couvreur method, fast decryption, factoring algorithm

Introduction

The RSA cryptosystem is one of the most practical public key cryptosystems and is used throughout the world [19]. Let n be a public key, which is the product of two appropriate primes, e be an encryption key, and d be a decryption key. The algorithms of encryption and decryption consist of exponentiation to the e-th and d-th powers modulo n, respectively. We can make e small, but must consider low exponent attacks [3] [4] [6]. The encryption process takes less computation and is fast. On the other hand, the decryption key d must have more than one fourth the number of bits of the public key n to preclude Wiener's attack [24] and its extension [23]. Therefore, the cost of the decryption process is dominant for the RSA cryptosystem.

In this paper, we propose an RSA-type cryptosystem modulo n = p^k q. Even though the modulus is not of the form pq, we choose appropriate sizes for the secret primes p and q to preclude both the number field sieve and the elliptic curve method. Using this modulus p^k q, we construct a fast decryption public-key cryptosystem. In the key generation, we generate the public key e and secret key d using the relation ed ≡ 1 (mod L), where L = LCM(p − 1, q − 1). Note that L is not the same as φ(n) = p^{k−1}(p − 1)(q − 1) or even λ(n) = LCM(p^{k−1}(p − 1), q − 1). Thus, the secret exponent d becomes much smaller than n = p^k q. Moreover, for decryption modulo p^k we show that it is possible to apply the fast
Abstract. Several experimental results ensure that differential power analysis (DPA) breaks implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. In order to resist DPA, the parameters of the underlying curve must be randomized. We usually randomize the base point in projective coordinates, or we transform all parameters to a random isomorphic curve. However, Goubin pointed out that the point (0, y) cannot be randomized by these countermeasures. This point is often contained in the standard curves, and we have to take care of this attack. In this paper, we propose a novel attack, called the zero-value point attack. In contrast to Goubin's attack, we use the zero-value registers in the addition formulae. Even if a point has no zero-value coordinate, the auxiliary registers might take a zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, on elliptic curves over prime fields we have found several points P = (x, y) which cause zero-value registers, e.g., (1) 3x^2 + a = 0, (2) 5x^4 + 2ax^2 − 4bx + a^2 = 0, (3) P is a y-coordinate self-collision point, etc. We demonstrate the standard curves that have these points. Interestingly, some conditions required for the zero-value attack depend on the explicit implementation of the addition formulae: in order to resist this type of attack, we have to take care how to assemble the multiplications and the additions in the addition formulae. Moreover, we show zero-value points for the Montgomery-type method and for elliptic curves over binary fields.
Abstract. In this paper, we report that we have solved the SVP Challenge over a 128-dimensional lattice in the Ideal Lattice Challenge from TU Darmstadt, which is currently the highest dimension in the challenge that has ever been solved. The security of lattice-based cryptography is based on the hardness of solving the shortest vector problem (SVP) in lattices. In 2010, Micciancio and Voulgaris proposed the Gauss Sieve algorithm for heuristically solving the SVP using a list L of Gauss-reduced vectors. Milde and Schneider proposed a parallel implementation method for the Gauss Sieve algorithm. However, the efficiency of their implementation with more than 10 threads decreased due to the large number of non-Gauss-reduced vectors appearing in the distributed list of each thread. In this paper, we propose a more practical parallelized Gauss Sieve algorithm. Our algorithm deploys an additional Gauss-reduced list V of sample vectors assigned to each thread, and all vectors in list L remain Gauss-reduced by mutually reducing them using all sample vectors in V. Therefore, our algorithm allows the Gauss Sieve algorithm to run for large dimensions with a small communication overhead. Finally, we succeeded in solving the SVP Challenge over a 128-dimensional ideal lattice generated by the cyclotomic polynomial x^128 + 1 using about 30,000 CPU hours.
Abstract. The most common methods for computing exponentiations of random elements in Abelian groups are sliding window schemes, which enhance the efficiency of the binary method at the expense of some precomputation. In groups where inversion is easy (e.g. elliptic curves), signed representations of the exponent are meaningful because they decrease the amount of required precomputation. The asymptotically best signed method is wNAF, because it minimizes the precomputation effort whilst the non-zero density is nearly optimal. Unfortunately, wNAF can be computed only from the least significant bit, i.e. right-to-left. However, in connection with memory-constrained devices, left-to-right recoding schemes are by far more valuable. In this paper we define the MOF (Mutual Opposite Form), a new canonical representation of signed binary strings, which can be computed in any order. Therefore we obtain the first left-to-right signed exponent recoding scheme for general width w by applying the width-w sliding window conversion on MOF left-to-right. Moreover, the analogous right-to-left conversion on MOF yields wNAF, which indicates that the new class is the natural left-to-right analogue of the useful wNAF. Indeed, the new class inherits the outstanding properties of wNAF, namely the required precomputation and the achieved non-zero density are exactly the same.