Curve25519: New Diffie-Hellman Speed Records

This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).
