[crypto] [secdm at tue.nl: Program Crypto Working Group, February 27, 2015]

R. Hirschfeld ray at unipay.nl
Sat Feb 21 14:26:52 CET 2015


------- Start of forwarded message -------
From: Secretariaat DM <secdm at tue.nl>
Subject: Program Crypto Working Group, February 27, 2015
Date: Sat, 21 Feb 2015 12:35:31 +0000

Dear all,

Herewith I send you the program of the CWG-meeting on Friday, February 27, 2015.

With kind regards,
Anita Klooster
secretary of the section Discrete Mathematics


Dept. of Mathematics and Computer Science
MF 4.058
Office hours: Monday and Friday 08.30-12.30 h / Tuesday and Wednesday 08.30-17.00 h
Telephone: +31 (0)40 2472254
Email: secdm at tue.nl


CRYPTO WORKING GROUP


Friday, February 27, 2015

De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht



Program

10.45 - 11.30 hrs.   Dan Bernstein & Tanja Lange (TU/e),
                     Batch NFS

11.30 - 11.45 hrs.   Coffee / tea break

11.45 - 12.30 hrs.   Christiane Peters (ENCS),
                     Weaknesses in Smart Metering Cryptography

12.30 - 14.00 hrs.   Lunch break (lunch not included)

14.00 - 14.45 hrs.   Chitchanok Chuengsatiansup (TU/e),
                     New Diffie-Hellman Speed Records

14.45 - 15.00 hrs.   Coffee / tea break

15.00 - 15.45 hrs.   Pedro Massolino (RU Nijmegen),
                     Design and Evaluation of a Post-Quantum Cryptographic Co-Processor


Abstract talk Christiane Peters: Weaknesses in Smart Metering Cryptography
Discussion of structural weaknesses in communication protocols for smart metering such as the Open Smart Grid Protocol (OSGP).


Abstract talk Chitchanok Chuengsatiansup: New Diffie-Hellman Speed Records

The Diffie-Hellman (DH) key-exchange protocol is commonly and widely used to establish a shared secret. In elliptic-curve and hyperelliptic-curve cryptography, the speed of DH relies on the speed of scalar multiplication, i.e., computing nP for a scalar n and a point P. Scalar multiplication is a very time-consuming operation. There has been a lot of research to improve the computational time.

We have two recent papers, "Curve41417: Karatsuba revisited" and "Kummer strikes back: new DH speed records", at CHES 2014 and ASIACRYPT 2014 respectively, which introduced speed-record constant-time software to compute scalar multiplication for two different security levels. In this talk, I will explain how those speedups were achieved.

The first part of the talk will focus on a hyperelliptic curve at a popular choice of security level, $2^{128}$. The second part of the talk will focus on Curve41417, an elliptic curve at a very high security level, beyond $2^{200}$.

State-of-the-art formulas for genus-2 hyperelliptic curves play an important role in the former case, while Karatsuba's method is crucial in the latter case. Both implementations utilize the CPU's vector unit and choose a radix smaller than the CPU word size to represent numbers.


Abstract talk Pedro Massolino: Design and Evaluation of a Post-Quantum Cryptographic Co-Processor

Asymmetric cryptographic primitives are essential to enable secure communications in public networks or public mediums. Such primitives can be deployed as software libraries or hardware coprocessors, the latter being more commonly employed in Systems on Chip (SoC) scenarios, embedded devices, or application-specific servers. Unfortunately, the most commonly available solutions, based on RSA or Elliptic Curve Cryptography (ECC), are highly processing-intensive due to the underlying extended-precision modular arithmetic. Consequently, they are not available on highly constrained platforms. Aiming to tackle this issue, we here investigate an alternative asymmetric encryption scheme that relies on lightweight arithmetic: McEliece. This scheme is especially appealing because, being based on error correction codes, it displays a simpler arithmetic and leads to better performance when compared to RSA or ECC. To evaluate the implementation of this scheme in hardware, we propose and analyze a flexible architecture whose security level and time vs. area usage characteristics can be reconfigured as desired. Namely, the proposed architecture is suitable for all usual security levels, ranging from 80 to 256 bits.

It is also very efficient, being able to perform data decryption with binary Goppa codes in 56 µs with 3402 Slices on a Xilinx Spartan-3AN FPGA, while the best known result in the literature for the same FPGA is 115 µs with 7331 Slices. Alternatively, the architecture can operate with Quasi-Dyadic Goppa (QD-Goppa) codes, which involve smaller keys than traditional binary Goppa codes. In the latter case, for an 80-bit security level, the decryption operation can take from 1.1 ms with 1129 Slices to 68 µs with 8268 Slices. By choosing a more hardware-friendly decoding algorithm, focusing hardware resources on the most bottleneck operations and sharing hardware resources between two different algorithms, better results than those in the literature were obtained.
------- End of forwarded message -------
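The scalar multiplication nP that the Diffie-Hellman abstract above turns on, as an added example that is not part of the announcement or the speakers' code: a constant-time X-only Montgomery ladder, checked against a textbook variable-time double-and-add. The curves in the talk are a genus-2 Kummer surface and Curve41417; this example assumes Curve25519 (p = 2^255 - 19, A = 486662, generator x = 9) as a stand-in, because its ladder has exactly the structure the abstract refers to. Python big integers are not constant-time, so what the code shows is the algorithmic property (same operation sequence for every scalar, branch-free swap), not a side-channel-hardened implementation.

```python
import secrets

# Curve25519 parameters (assumed here as a stand-in for the talk's curves).
P = 2**255 - 19                 # field prime
A = 486662                      # Montgomery coefficient of y^2 = x^3 + A*x^2 + x
A24 = (A - 2) // 4              # 121665, the constant the ladder's doubling step uses
BASE_U = 9                      # x-coordinate of the standard generator


def inv(x):
    return pow(x, P - 2, P)     # Fermat inversion: a fixed-exponent power


def cswap(swap, a, b):
    """Conditionally swap a and b without a data-dependent branch."""
    mask = (-swap) & ((1 << 256) - 1)   # all ones when swap == 1, else zero
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def ladder(k, u):
    """x-coordinate of k*Q for any point Q with x-coordinate u, 0 <= k < 2^255.

    Every one of the 255 iterations performs the same field operations; the
    scalar bit only decides which projective pair is swapped, via cswap.
    """
    x1, x2, z2, x3, z3 = u, 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P          # differential addition
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P                        # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * inv(z2) % P


def clamp(k):
    """X25519 scalar clamping: clear the three low bits, set bit 254, clear bit 255."""
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)


def dh(a_priv, b_priv):
    """Both sides of the key exchange; returns (Alice's secret, Bob's secret)."""
    a, b = clamp(a_priv), clamp(b_priv)
    pub_a, pub_b = ladder(a, BASE_U), ladder(b, BASE_U)
    return ladder(a, pub_b), ladder(b, pub_a)


# --- variable-time affine reference, used only to check the ladder ---

def sqrt_mod_p(n):
    """Square root mod p for p = 5 (mod 8); raises if n is a non-residue."""
    v = pow(n, (P + 3) // 8, P)
    if v * v % P != n % P:
        v = v * pow(2, (P - 1) // 4, P) % P
    if v * v % P != n % P:
        raise ValueError("no square root")
    return v


def affine_add(Q, R):
    """Textbook Montgomery-curve addition with explicit y; None is infinity."""
    if Q is None:
        return R
    if R is None:
        return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1 % P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P
    x3 = (lam * lam - A - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def affine_mul(k, Q):
    """Double-and-add whose branches depend on k: a reference, not for production."""
    R = None
    while k:
        if k & 1:
            R = affine_add(R, Q)
        Q = affine_add(Q, Q)
        k >>= 1
    return R


def base_point():
    return BASE_U, sqrt_mod_p((BASE_U**3 + A * BASE_U**2 + BASE_U) % P)


def ladder_matches_reference(k):
    return ladder(k, BASE_U) == affine_mul(k, base_point())[0]


if __name__ == "__main__":
    s1, s2 = dh(secrets.randbits(255), secrets.randbits(255))
    print("shared secrets agree:", s1 == s2)
    print("ladder matches reference for k=12345:", ladder_matches_reference(12345))
```

The reference path exists only so the ladder can be validated offline; the point of contrast is that `affine_mul` branches on every scalar bit and inverts at every step, whereas `ladder` runs a fixed 255-step schedule with one inversion at the end, which is what makes it both fast and constant-time.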
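The McEliece scheme the co-processor abstract describes, as an added example that is not part of the announcement or the speaker's design: a toy instance built on the Hamming(7,4) code, which corrects a single error (t = 1), using only GF(2) matrix arithmetic. The structure is the real one (public key S·G·P hides the code, encryption adds a random weight-t error, decryption unpermutes, decodes and unscrambles), but the parameters are assumed for illustration and offer no security at all; the talk's binary Goppa and QD-Goppa codes have lengths in the thousands and correct dozens of errors.

```python
import random

# Hamming(7,4) in systematic form: G = [I_4 | P], H = [P^T | I_3].
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
K, N, T = 4, 7, 1               # message bits, code length, correctable errors


def matmul(a, b):
    """Product of two GF(2) matrices given as lists of rows."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) & 1
             for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def gf2_inverse(m):
    """Gauss-Jordan inverse over GF(2); returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(rng):
    """Public key G_pub = S*G*P; private key (S^-1, P^-1)."""
    while True:                                  # random S until invertible
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    Pm = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = matmul(matmul(S, G), Pm)
    return G_pub, (S_inv, transpose(Pm))         # P^-1 = P^T for a permutation


def encrypt(G_pub, m, rng):
    """c = m*G_pub + e with exactly T = 1 random error bit."""
    e = [0] * N
    e[rng.randrange(N)] = 1
    return [x ^ y for x, y in zip(matmul([m], G_pub)[0], e)]


def hamming_decode(c):
    """Syndrome decoding: a nonzero syndrome equals the column of H at the error."""
    s = [row[0] for row in matmul(H, transpose([c]))]
    if any(s):
        c = c[:]
        c[transpose(H).index(s)] ^= 1
    return c[:K]                                 # systematic code: message = first K bits


def decrypt(priv, c):
    S_inv, P_inv = priv
    unpermuted = matmul([c], P_inv)[0]           # error stays weight 1 under P^-1
    m_scrambled = hamming_decode(unpermuted)     # = m*S
    return matmul([m_scrambled], S_inv)[0]


def roundtrip(seed, m):
    """Generate a key pair from a seeded RNG and check decrypt(encrypt(m)) == m."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    return decrypt(priv, encrypt(pub, m, rng)) == m


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip(7, [1, 0, 1, 1]))
```

Everything in the scheme is XOR and AND on bit vectors, which is the "lightweight arithmetic" the abstract contrasts with the extended-precision modular multiplication of RSA and ECC; what the hardware designs in the talk optimise is the decoder, which for Goppa codes is far more involved than the one-line syndrome lookup sufficient here.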

