Selecting elliptic curves for cryptography: an efficiency and security analysis

We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which help to improve the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.42, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real-world protocol by considering different scalar multiplication scenarios in the transport layer security protocol. The proposed curves and the results of the analysis are intended to contribute to the recent efforts towards recommending new elliptic curves for Internet standards.
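The abstract credits pseudo-Mersenne and Montgomery-friendly primes with cheaper base-field arithmetic. The following added example (not the paper's code) shows why, in Python: reduction modulo a pseudo-Mersenne prime p = 2^k - c needs only shifts and a small multiply, and Montgomery reduction modulo a prime of shape 2^k*m - 1 drops the per-word multiply by -p^-1 because that factor is 1. The word size W, the helper names and the constructed Montgomery-friendly modulus P_MF are assumptions; P_PM is the well-known prime 2^255 - 19, not one of the paper's curves.

```python
W = 64  # machine word size assumed for the Montgomery-friendly case

def csub(x, p):
    """Conditional subtraction written branch-free, as constant-time field
    code does (a mask selects p or 0); Python ints are not truly constant-time."""
    mask = -(x >= p)            # 0 if x < p, -1 (all ones) if x >= p
    return x - (p & mask)

def pseudo_mersenne_reduce(x, k, c):
    """Reduce 0 <= x < p^2 modulo p = 2^k - c with two folds and one csub.
    Since 2^k = c (mod p), hi*2^k + lo = hi*c + lo, so no division is needed."""
    p = (1 << k) - c
    assert 0 <= x < p * p and c * c + 2 * c <= (1 << k)  # makes two folds enough
    mask = (1 << k) - 1
    x = (x >> k) * c + (x & mask)   # now x < (c+1)*2^k
    x = (x >> k) * c + (x & mask)   # now x < 2^k + c^2 <= 2p
    return csub(x, p)

def montgomery_friendly_reduce(t, p, n):
    """Montgomery reduction of 0 <= t < p*R, R = 2^(n*W): returns t*R^-1 mod p.
    With p = -1 (mod 2^W) the per-word factor -p^-1 mod 2^W equals 1, so the
    usual multiply by it disappears: q is simply the lowest word of t."""
    assert p % (1 << W) == (1 << W) - 1, "p is not Montgomery-friendly for W"
    R = 1 << (n * W)
    assert 0 <= t < p * R
    for _ in range(n):
        q = t & ((1 << W) - 1)       # q = t * (-p^-1) mod 2^W, and -p^-1 = 1
        t = (t + q * p) >> W         # lowest word is now zero, shift is exact
    return csub(t, p)                # t < 2p here, one csub finishes

# Sample moduli. P_PM is the well-known pseudo-Mersenne prime 2^255 - 19.
# P_MF is a constructed odd modulus of Montgomery-friendly shape 2^192*m - 1
# (not one of the paper's primes; primality is irrelevant to the arithmetic).
P_PM = (1 << 255) - 19
P_MF = (1 << 192) * ((1 << 62) + 3) - 1
N_MF = 4                              # 64-bit words needed to hold P_MF

def mulmod_pm(a, b):
    """Plain a*b mod P_PM for 0 <= a, b < P_PM."""
    return pseudo_mersenne_reduce(a * b, 255, 19)

def mulmod_mf(a, b):
    """Plain a*b mod P_MF: first reduction maps a into the Montgomery domain
    (a*R), the second multiplies by b and strips the R factor again."""
    R2 = (1 << (2 * N_MF * W)) % P_MF
    am = montgomery_friendly_reduce(a * R2, P_MF, N_MF)   # a*R mod P_MF
    return montgomery_friendly_reduce(am * b, P_MF, N_MF)  # a*b mod P_MF
```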
