The conventional wisdom in cryptography is that for greatest security one should choose parameters as randomly as possible. In particular, in elliptic and hyperelliptic curve cryptography this means making random choices of the coefficients of the defining equation. One can often achieve greater efficiency by working with special curves, but that should be done only if one is willing to risk a possible lowering of security. Namely, the extra structure that allows for greater efficiency could also some day lead to specialized attacks that would not apply to random curves. This way of thinking is reasonable, and it is uncontroversial. However, some recent work opens up the possibility that it might sometimes be wrong. This talk is based on a joint paper with Alfred Menezes and Ann Hibner Koblitz.

Microsoft Research

Peter Schwabe
The traditional model of an attacker against a cryptographic primitive sees (and potentially controls) the inputs and outputs of the computation. Side-channel attacks go beyond this model: the attacker now also sees some "leakage" of the internal state of the cryptographic computation. One class of leakage is timing: if the time taken by a computation depends on secret data, the attacker can measure that time and obtain information about the secret. This is not just a theoretical threat, as illustrated, for example, by a 2006 attack by Osvik, Shamir, and Tromer, who used a timing attack to recover the AES-256 key used in Linux hard-disk encryption in just 65 ms. A more recent example is the Lucky 13 attack against almost all implementations of AES-CBC in TLS libraries.
The timing side channel is different from other side channels (such as power consumption or electromagnetic radiation) because it can be exploited remotely and without any specialized hardware or physical access. It is also different because it is now well understood how to fully eliminate timing leakage. This talk is a tutorial on how to write constant-time software, i.e., software that does not leak any secret information through timing.
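As an added illustration (not part of the talk or its materials), the following C code contrasts a variable-time byte comparison, whose early exit makes the running time depend on how many leading bytes of a guess match a secret, with a constant-time comparison and a branch-free select, the two basic building blocks of the constant-time style the abstract refers to; the function names and sample tag values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Variable-time comparison: returns at the first mismatching byte, so
 * the running time depends on how many leading bytes of 'guess' match
 * the secret 'tag'. This is the pattern the abstract warns about. */
int compare_variable_time(const uint8_t *tag, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tag[i] != guess[i])
            return 0;            /* secret-dependent early exit */
    }
    return 1;
}

/* Constant-time comparison: touches all n bytes, uses no secret-dependent
 * branch or memory index, and collapses the accumulated difference to
 * 0/1 arithmetically. Returns 1 if equal, 0 otherwise. */
int compare_constant_time(const uint8_t *tag, const uint8_t *guess, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(tag[i] ^ guess[i]);
    /* diff is 0..255; (diff - 1) >> 8 has bit 0 set only when diff == 0 */
    return (int)(((diff - 1U) >> 8) & 1U);
}

/* Branch-free select: returns a when mask is all-ones, b when mask is 0.
 * Used in place of 'mask ? a : b' so the choice does not affect timing. */
uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b)
{
    return (a & mask) | (b & ~mask);
}

int main(void)
{
    /* Constructed sample values: a 4-byte "tag" and a guess sharing a 2-byte prefix. */
    const uint8_t tag[4]   = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t guess[4] = {0xde, 0xad, 0x00, 0x00};
    int eq = compare_constant_time(tag, guess, 4);
    /* 0 - eq wraps to 0xFFFFFFFF when eq == 1, giving an all-ones mask without a branch. */
    uint32_t status = ct_select(0U - (uint32_t)eq, 200U, 403U);
    printf("equal=%d status=%u\n", eq, (unsigned)status);
    return 0;
}
```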
Peter Schwabe is a researcher in applied cryptography working at Radboud University Nijmegen in the Netherlands. He mainly works on secure and efficient software implementations of cryptography and occasionally on cryptanalysis. Examples of his work include speed-record-setting, timing-attack-protected software for AES-CTR and AES-GCM, the Ed25519 signature scheme, and, recently, the formal verification of a hand-optimized assembly implementation of Curve25519 Diffie-Hellman key exchange. He is in the core development team of NaCl, the only cryptographic library that systematically protects against timing attacks.
