[crypto] Fwd: PROGRAM Crypto Working Group, April 12, 2019
R. Hirschfeld
ray at unipay.nl
Mon Apr 8 17:20:16 CEST 2019
-------- Original Message --------
Subject: PROGRAM Crypto Working Group, April 12, 2019
Date: 2019-04-08 16:59
From: Secretariaat DM <secdm at tue.nl>
To: Secretariaat DM <secdm at tue.nl>
Dear all,
Herewith I send you the program of the CWG meeting on Friday, April 12, 2019.
With kind regards / Met vriendelijke groeten,
Anita Klooster
secretary of the section Discrete Mathematics
Dept. of Mathematics and Computer Science
MF 4.058
Office hours: Monday and Friday 08.30-12.30 h / Tuesday and Wednesday
08.30-17.00 h
Telephone: +31 (0)40 2472254
Email: secdm at tue.nl
CRYPTO WORKING GROUP
Friday, April 12, 2019
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht
Program
10.45 - 11.30 hrs. Michael Meyer (Hochschule RheinMain), On Lions and Elligators: An efficient constant-time implementation of CSIDH
11.30 - 11.45 hrs. Coffee / tea break
11.45 - 12.30 hrs. Tobias Oder (Ruhr Univ. Bochum), Masking NewHope at Arbitrary Orders
12.30 - 14.00 hrs. Lunch break (lunch not included)
14.00 - 14.45 hrs. Thom Wiggers (RU Nijmegen), Solving LPN using Large Covering Codes
14.45 - 15.00 hrs. Coffee / tea break
15.00 - 15.45 hrs. Richard Petri (SIT Fraunhofer), Implementing Side-Channel Protections for ARX Ciphers
Abstract talk Michael Meyer: On Lions and Elligators: An efficient constant-time implementation of CSIDH
CSIDH is a new and promising candidate for a post-quantum key exchange.
However, its proof-of-concept implementations are variable-time and
hence vulnerable to timing attacks. Therefore, efficient constant-time
implementations are required. This talk gives an overview of
isogeny-based cryptography, the algorithmic design of CSIDH, and
techniques for efficient constant-time implementations.
Abstract talk Tobias Oder: Masking NewHope at Arbitrary Orders
During the last years key exchange schemes based on the hardness of
ring-LWE, like NewHope, have gained significant popularity. For
real-world security applications assuming strong adversary models, a
number of practical issues still need to be addressed. Protection
against side-channel attacks is one of these issues. In this talk we
present potential countermeasures to protect the NewHope key exchange
against timing attacks and higher-order power analysis.
Abstract talk Thom Wiggers: Solving LPN using Large Covering Codes
Learning Parity with Noise (LPN) is a mathematical problem that we can
base cryptographic schemes on, and it is supposed to be hard for both
classical and quantum computers. We will be looking at how hard this
problem actually is, by studying existing attacks on the LPN problem.
Most attacks on LPN use enormous amounts of memory. We aim to improve
that situation.
More concretely, we study composing a reduction based on covering codes
with a solving algorithm called Gauss. Both the reduction and the Gauss
algorithm use little memory, but by itself Gauss is slower than attacks
that use more memory.
Unfortunately, we determine that this combination will not work. We also
look at improving the codes used by the reduction by applying StGen
codes, which were proposed by Simona Samardjiska at a RU-DS lunch talk in
March 2017. While this improves run-time performance in theory, the
real-world performance is much less positive.
We will also be looking ahead at some of our ongoing efforts in finding
new attacks that fit in constrained memory.
Finally, we developed software that we hope allows people to easily work
with the LPN problem and the algorithms that aim to solve it.
Abstract talk Richard Petri: Implementing Side-Channel Protections for ARX Ciphers
Boolean masking for the modular addition operation in software has a
very high performance overhead concerning two aspects: the instruction
count is very high compared to a normal addition operation and the
amount of entropy consumed is quite high.
This work improves on these aspects by applying the Threshold
Implementation (TI) methodology with two shares and by reusing internal
values as randomness source in such a way that the uniformity is always
preserved.
This approach performs faster compared to the previously known masked
addition and subtraction algorithms if we only consider the number of
ARM assembly instructions. Furthermore, the amount of randomness is
significantly reduced to just one bit of additional entropy per addition,
which is a good trade-off for the improved performance.
This work was previously presented at CHES and this presentation
provides extended information on the process and tools used during
development, including our extended version of the MAPS power simulator
for Cortex-M4 microcontrollers.