Selecting elliptic curves for cryptography: an efficiency and security analysis

Bos, Joppe W.; Costello, Craig; Longa, Patrick; Naehrig, Michael

doi:10.1007/s13389-015-0097-y

Cited by 73 publications

(80 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our algorithm is generic (i.e., it does not exploit endomorphisms) and is as efficient as Hamburg's algorithm during the on-line computation but has a slightly cheaper off-line precomputation phase. The algorithm has already been exploited in the implementation of the new elliptic curves recently proposed by Bos et al in [10] and integrated to the MSR Elliptic Curve Cryptography Library (MSR ECCLib) [37].…”

Section: Introductionmentioning

confidence: 99%

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

Self Cite

View full text Add to dashboard Cite

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, sidechannel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F p 2 , which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-ofthe-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%. This work is the extended version of a publication that appeared at CT-RSA 2014 [12].

show abstract

Section: Introductionmentioning

confidence: 99%

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…For the latter, the group can be embedded in the multiplicative group F × p k of F p k for a low embedding degree k. To avoid those curves, we follow the approach from [34] which ties the smallest permissible value for k to the published difficulty of finding discrete logarithms in F × p k . It would be trivial, and would have negligible effect on our performance results, to adopt the "overkill" approach favored by [9,39,13], but we see no good reason to do so.…”

Section: Security Criteriamentioning

confidence: 94%

“…In [1] they are complemented with their counterparts at approximate security levels 112, 192, and 256. In [13] the scope of [7] is broadened by allowing more curve parameterizations and more types of special primes, while handling exceptions more strictly. This leads to eight new twist-secure curves of (approximately) 128-bit security, in addition to eight and ten twist-secure curves at approximate security levels 192 and 256, respectively.…”

Section: Preliminariesmentioning

confidence: 99%

“…A variety of ECC parameters has been proposed or standardized [58,16,17,5,1,39,13,9], with or without all kinds of properties that are felt to be desirable or undesirable, and as reviewed in Section 2. All these proposals and standards contain a fixed number of possible ECC parameter choices.…”

Section: Introductionmentioning

confidence: 99%

“…Using addition where doubling should have been used may be leveraged by an attacker to learn information about the secret key [31]. Either a check must be included (while maintaining constant-time execution, as in [13]) or a "complete" addition formula must be used, i.e., one that works even if the two points are not distinct. This leads to a somewhat slower group law for our Weierstrass curve parameterizations, but if they are used along with f = 4 in Table 3 the parameterization can be converted to Edwards or Montgomery form, which are both endowed with fast complete formulae for the group law [8], [5].…”

mentioning

confidence: 99%

See 2 more Smart Citations

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Miele

Lenstra

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We show how any pair of authenticated users can on-the-fly agree on an elliptic curve group that is unique to their communication session, unpredictable to outside observers, and secure against known attacks. Our proposal is suitable for deployment on constrained devices such as smartphones, allowing them to efficiently generate ephemeral parameters that are unique to any single cryptographic application such as symmetric key agreement. For such applications it thus offers an alternative to long term usage of standardized or otherwise pre-generated elliptic curve parameters, obtaining security against cryptographic attacks aimed at other users, and eliminating the need to trust elliptic curves generated by third parties.

show abstract

Computational investment in generation of elliptic curves randomly over large prime fields

Abhishek¹,

2022

Concurrency and Computation

View full text Add to dashboard Cite

Randomly computed elliptic curves over prime fields are desirable for implementation in strategic or military grade cryptosystems. A randomly computed elliptic curve eliminates the possibility of exhibiting any pre-studied value or special structure of the curve parameters which may be doubted to have intentionally non-disclosed vulnerability. However, computing elliptic curves randomly over large prime fields for cryptography is an intricate task which requires reasonably high computational resources and time. These computational resources are considered in terms of the number of CPU clock cycles and the number of attempts or searches made in the security parameter space of elliptic curve. The estimate of the number of CPU clock cycles helps in determining processor requirements whereas the number of attempts or searches help to decide the number of CPU cores for speeding up the curve generation process. We present efficient statistical estimates of computational resources to randomly compute cryptographically safe elliptic curve over desired prime field size using a standard procedure.

show abstract

Selecting elliptic curves for cryptography: an efficiency and security analysis

Cited by 73 publications

References 45 publications

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Computational investment in generation of elliptic curves randomly over large prime fields

Contact Info

Product

Resources

About