Cetin Koc

University of California, Santa Barbara | UCSB · CCS - Department of Computer Science

Modular multiplication is the core operation in public-key cryptographic algorithms such as RSA and the Diffie-Hellman algorithm. The efficiency of the modular multiplier plays a crucial role in the performance of these cryptographic methods. In this paper, improvements to FFT-based Montgomery Modular Multiplication (FFTM3) using carry-save arithme...

The present system and method uses multiple digital devices with possibly different users operating in concert, for performing authentication and other cryptographic operations. The multiple digital devices include, for example, a mobile device such as a cellular phone, as a central building block.

A system for generating a computing system specific value comprising, a computing system not comprising any specialized hardware to generate a device specific value, a software product tangibly embodied in a machine-readable medium, comprising instructions operable to cause computing system to perform operations comprising: generating a digital val...

The Schönhage-Strassen Algorithm (SSA) is an asymptotically fast multiplication algorithm with the complexity of O(l log l log log l) where l is the operand size. It outperforms other multiplication algorithms when l is large enough. One possible usage of such long integer multiplication is for cryptography. Innovated from SSA, the Interleaved Spec...

3-D integration presents many new opportunities for architects and embedded systems designers. However, 3-D integration has not yet been explored by the cryptographic hardware community. Traditionally, crypto coprocessors have been implemented as a separate die or by utilizing one or more cores in a chip multiprocessor. These methods have their dra...

In this paper, we report the results of a comprehensive study of the security level versus the execution performance (and resource requirements) for hardware implementations of small elliptic curves, particularly targeted for lightweight applications, such as RFID tags and sensor nodes. The case study was performed for small elliptic curves (41–163...

We describe a method of carrying multiplication in the binary extension fields. The new method fully operates on the Fourier representations of the field elements by successively applying the convolution property and a reduction technique defined on the Fourier coefficients. With some careful parameter selection, the method yields highly parallel a...

As an important component of Spectral Modular Arithmetic (SMA) cryptographic co-processor, the efficient architectures of Number Theoretic Transforms (NTTs) on FPGA are discussed in this paper. We analyze characteristics of the NTTs for cryptographic applications, compare different arithmetic approaches, introduce an optimized solution for FPGA imp...

Cryptography is one of the most prominent application areas of the finite field arithmetic. Almost all public-key cryptographic algorithms including the recent algorithms such as elliptic curve and pairing-based cryptography rely heavily on finite field arithmetic, which needs to be performed efficiently to meet the execution speed and design space...

A method for polynomial multiplication over finite fields using field extensions and polynomial interpolation is introduced. The proposed method uses polynomial interpolation as Toom-Cook method together with field extensions. Furthermore, the proposed method can be used when Toom-Cook method cannot be applied directly. Explicit formulae improving...

The Spectral Hash algorithm is one of the Round 1 candidates for the SHA-3 family, and is based on spectral arithmetic over a finite field, involving multidimensional discrete Fourier transformations over a finite field, data dependent permutations, Rubic-type rotations, and affine and nonlinear functions. The underlying mathematical structures and...

This paper describes an efficient arithmetic processor for elliptic curve cryptography. The proposed processor consists of special architectural components, the most important of which is a modular multiplication unit implemented using the systolic montgomery multiplication algorithm. Another novelty of our proposed architecture is that it implemen...

Microarchitectural analysis (MA) is a fast evolving area of side-channel cryptanalysis. This new area focuses on the effects of common processor components and their functionalities on the security of software cryptosystems. The main characteristic of microarchitectural attacks, which sets them aside from classical side-channel attacks, is the simp...

• One of the field operations satisfies the general properties of the usual addition. For this operation, an identity element exists and each element has an inverse. This identity element is called additive identity or zero element. • The other field operation satisfies the general properties of the usual multiplication. For this operation, an iden...

The basic arithmetic operations (i.e. addition, multiplication, and inversion) in finite fields, GF(q), where q = pk and p is a prime integer, have several applications in cryptography, such as RSA algorithm, Diffie-Hellman key exchange algorithm [1], the US federal Digital Signature Standard [2], elliptic curve cryptography [3, 4], and also recent...

The eight papers in this special section focus on special-purpose hardware for cryptography and cryptanalysis.

Secure communication is an important issue in networks and user authentication is a very important part of the security. Several strong-password authentication protocols have been introduced, but there is no fully secure authentication scheme that can resist all known attacks. We propose enhanced secure schemes with registration and login protocols...

Novikov and Kiselev [7] proposed an authentication method of a user from a remote autonomous object. Recently, Yang et al. [12] and Awasthi [1] have pointed out that the Novikov-Kiselev scheme is insecure against the man-in-the-middle attack. In this article, we propose an improved version of the Novikov-Kiselev scheme to overcome such vulnerabilit...

We describe a new method to perform the modular exponentiation operation, i.e., the computation of c = m^e mod n, where c, m, e and n are large integers. The new method uses the discrete Fourier transform over a finite ring, and relies on new techniques to perform multiplication and reduction operations. The method yields efficient and hi...

Micro-architectural analysis, which studies the effects of common processor components on cryptosystem security, is growing as a promising and interesting security research direction. Microprocessor component functionalities generate easily observable, data-dependent effects, which depend on the operations performed during crypto algorithm's execut...

We introduce a new robust cache-based timing attack on AES. We present experiments and concrete evidence that our attack can be used to obtain secret keys of remote cryptosystems if the server under attack runs on a multitasking or simultaneous multithreading system with a large enough workload. This is an important difference to recent cache-based...

This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the recently described cac...

Rivest and Shamir presented two simple micropayment schemes,``PayWord'' and ``MicroMint,'' for making small purchases over theInternet [14]. Recently, Adachi et al. have pointedout that the PayWord scheme has two security problems, andproposed a new micropayment scheme to overcome these problems[1]. Nevertheless, we show that their protocolis still...

Cache based side-channel attacks have recently been attracted significant attention due to the new developments in the field. In this paper, we present an efficient trace-driven cache attack on a widely used implementation of the AES cryptosystem. We also evaluate the cost of the proposed attack in detail under the assumption of a noiseless environ...

In this paper, we describe, analyze and compare various GF(2m)GF(2^m) multipliers. Particularly, we investigate the standard modular multiplication, the Montgomery multiplication, and the matrix–vector multiplication techniques.

Very recently, a new software side-channel attack, called Branch Prediction Analysis (BPA) attack, has been discovered and also demonstrated to be practically feasible on popular commodity PC platforms. While the above recent attack still had the flavor of a classical timing attack against RSA, where one uses many execution-time measurements under...

This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic prim-itives that employ a data-dependent program flow. Analogous to the recently described ca...

Cache based side-channel attacks have recently been attracted significant attention due to the new developments in the field. In this paper, we present ecient trace-driven cache attacks on a widely used implementation of the AES cryptosystem. We also evaluate the cost of the proposed attacks in detail under the assumption of a noiseless envi- ronme...

Cache based side-channel attacks have recently been attracted significant attention due to the new developments in the field. In this pa- per, we present an ecient trace-driven cache attack on a widely used implementation of the AES cryptosystem. We also evaluate the cost of the proposed attack in detail under the assumption of a noiseless envi- ro...

Computation of multiplicative inverses in finite fields GF(p) and GF(2ⁿ) is the most time-consuming operation in elliptic curve cryptography, especially when affine co-ordinates are used. Since the existing algorithms based on the extended Euclidean algorithm do not permit a fast software implementation, projective co-ordinates, which el...

Modular arithmetic operations are very important in cryptography. Modular multiplication is the most common arithmetic operation used in many cryptographic algorithms such as the Elliptic Curve Cryptography and the Diffie-Helman key exchange. The Montgomery Modular Multiplication algorithm (MM) has permitted cryptographic algorithms to speed up con...

The user authentication is an important part of network security. Several strong-password authentication proto- cols have been introduced, but a secure scheme, which probably withstands to several known attacks, is not yet available. Recently, a hash-based strong-password au- thentication scheme was described in (2), which with- stands to the sever...

Since the remarkable work of Kocher [7], several papers considering different types of timing attacks have been published. In 2003, Brumley and Boneh presented a timing attack on unprotected OpenSSL implementations [2]. In this paper, we improve the efficiency of their attack by a factor of more than 10. We exploit the timing behavior of Montgomery...

Mobile ad hoc networks require specialized authentication protocols due to the mobility of users and lack of always-available trusted servers. There are a variety of mobile ad hoc authentication protocols for creating session and group keys, once a subset of individual nodes are signed in, i.e., established their shared secret keys. In this paper,...

2> c + bnq 2= n(cq 1 + bq 2 )= nQ:So (ac \Gamma bd) mod n = 0; and thus ac j bd (mod n):From the multiplication rule, we get another special case, analogous to what we see foraddition: assuming only that a j b (mod n); it follows thata2j b2(mod n);and, for any integer k;akj bk(mod n):This last fact allows us to compute remainders that would be very...

The user authentication is an important part of network security. Several strong-password authentication protocols have been introduced, but a secure scheme, which probably withstands to several known attacks, is not yet available. Recently, a hash-based strong-password authentication scheme was described in cite{KU04:A}, which withstands to the se...

This paper presents a dual-field modular division (inversion) algorithm and its hardware design. The algorithm is based on the Extended Euclidean and the Binary GCD algorithms. The use of counters to keep track of the difference between field elements in this algorithm eliminates the need for comparisons which are usually expensive and time-consumi...

We describe relay attacks on Bluetooth authentication protocol. The aim of these attacks is impersonation. The attacker does not need to guess or obtain a common secret known to both victims in order to set up these attacks, merely to relay the information it receives from one victim to the other during the authentication protocol run. Bluetooth au...

A novel technique for computing a 2n-bit modular multiplication using n-bit arithmetic was introduced at CHES 2002 by Fischer and Seifert. Their technique makes use of an Euclidean division based instruction returning not only the remainder but also the integer quotient resulting from a modular multiplication, i.e. on input x, y and z, both ⌊xy/ z⌋...

The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited such as the smart card applications. Unfortunately, it is here...

This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being paralleliz...

Two new hardware architectures are proposed for performing multiplication in GF(p) and GF (2ⁿ), which are the most time-consuming operations in many cryptographic applications. The architectures provide very fast and efficient execution of multiplication in both GF(p) and GF(2ⁿ), and can be mainly used in elliptic curve crypto...

The nested certification and the corresponding subject certificate verification methods were proposed to improve certificate path verification times. It was found that the Nested public key infrastructure (NPKI) construction model was the transition from existing public key infrastructure (PKI) and the method to realize the transition was called th...

It is widely recognized that data security will play a central role in future IT systems. Providing public-key cryptographic primitives, which are the core tools for security, is often difficult on embedded processor due to computational, memory, and power constraints. This contribution appears to be the first thorough comparison of two public-key...

erkays The design of multiplication units that are reusable and scalable is of interest for cryptographic applications, where the operand size in bits is usually large, and may significantly change depending on the required level of security or the specific cryptosystem (e.g., RSA or Elliptic Curve). The use of the Montgomery multiplication (MM) me...

The state-of-the-art Galois field GF(2^m) multipliers offer advantageous space and time complexities when the field is generated by so special irreducible polynomial. To date, the best complexity results have been obtained when the irreducible polynomial is either a trinomial or an equally spaced polynomial (ESP). Unfortunately, there exi...

The multiplication operation in finite fields GF(p) and GF(2ⁿ) is the most often used and time-consuming operation in the hardware and software realizations of public-key cryptographic systems, particularly elliptic curve cryptography. We propose a new hardware architecture for fast and efficient execution of the multiplication operation...

We describe a method of construction of a composite field representation from a given binary field representation. We derive the conversion (change of basis) matrix. The special case of when the degree of the ground field is relatively prime to the extension degree, where the irreducible polynomial generating the composite field has its coefficient...

This paper presents a scalable architecture for the computation of modular multiplication, based on the Montgomery multiplication (MM) algorithm. A word-based version of MM is presented and used to explain the main concepts in the hardware design. The proposed multiplier is able to work with any precision of the input operands, limited only by memo...

We propose a new algorithm for fast multiplication of large integers having a precision of 1k computer words, where k is an integer. The algorithm is derived from the Karatsuba-Ofman Algorithm and has the same asymptotic complexity. However, the running time of the new algorithm is slightly better, and it makes one third as many recursive calls.

Not Available

We propose a new algorithm for fast multiplication of large integers having a precision of 2 computer words, where k is an integer. The algorithm is derived from the Karatsuba-Ofman Algorithm and has the same asymptotic complexity. However, the running time of the new algorithm is slightly better, and it makes one third as many recursive calls.

As networking trends move toward ubiquitous structuring schemes, the problem of security has taken on an increasingly important role. As a result, we must look to new security paradigms that address the new problems associated with these networks. This paper is a summary of research in progress on the Wintermute Project at Oregon State University,...

It is widely recognized that data security will play a central role in future IT systems. Providing public-key cryptographic primitives, which are the core tools for security, is often difficult on embedded processor due to computational, memory, and power constraints. This contribution appears to be the first thorough comparison of two public-key...

Computing the inverse of a number in finite fields GF(p) or GF(2n) is equally important for cryptographic applications. This paper proposes a novel scalable and unified architecture for a Montgomery inverse hardware that operates in both GF(p) and GF(2n) fields. We adjust and modify a GF(2n) Montgomery inverse algorithm to accommodate multi-bit shi...

We present two new inversion algorithms for binary extension and prime fields, which are slightly modified versions of the Montgomery inverse algorithm. An hardware architecture implementing these algorithms is also introduced. In our proposed architecture, the field elements are represented using a multi-word format which allows a scalable and uni...

The authors describe a novel method for obtaining fast software implementations of the arithmetic operations in the finite field GF(p) with an arbitrary prime modulus p of arbitrary length. The most important feature of the method is that it avoids bit-level operations which are slow on microprocessors and performs word-level operations which are s...

Modular inverse computation is needed in several public key cryptographic applications. In this work, we present two VLSI hardware implementations used in the calculation of Montgomery modular inverse operation. The implementations are based on the same inversion algorithm, however, one is fixed (fully parallel) and the other is scalable. The scala...

We present two new inversion algorithms for binary extension and prime fields, which are slightly modified versions of the Montgomery inverse algorithm. A hardware architecture implementing these algorithms is also introduced. In our proposed architecture, the field elements are represented using a multi-word format which allows a scalable and unif...

The security of electronic payment protocols is of interest to researchers in academia and industry. While the ultimate objective is the safest and most secure protocol, convenience and usability should not be ignored, or the protocol may not be suitable for large-scale deployment. Our aim is to design a practical electronic payment protocol which...

The results of the implementation of elliptic curve cryptography (ECC) over the field GF(p) on an 80 MHz, 32-bit ARM microprocessor are presented. A practical software library has been produced which supports variable length implementation of the elliptic curve digital signature algorithm (ECDSA). The ECDSA and a previously proposed ECC-based wirel...

A variation of the Complex Multiplication (CM) method for generating elliptic curves of known order over finite fields is proposed. We give heuristics and timing statistics in the mildly restricted setting of prime curve order. These may be seen to corroborate earlier work of Koblitz in the class number one setting. Our heuristics are based upon a...

Abstract This paper describes an algorithm and architecture based on an extension of a scalable radix - 2 architecture proposed in a previous work The algorithm is proven to be correct and the hardware design is discussed in detail Experimental results are shown to compare a radix - implementation with a radix - 2 design The scalable Montgomery mul...

This paper presents a new parallel multiplier for the Galois field GF(2^m) whose elements are represented using the optimal normal basis of type II. The proposed multiplier requires 1.5(m²-m) XOR gates, as compared to 2(m²-m) XOR gates required by the Massey-Omura multiplier. The time complexities of the proposed an...

Problems with certificate revocation status control limit the deployment of Public Key Infrastructure (PKI). Classical certificate paths require revocation control of all certificates on the path. In this paper, we show how the recently proposed NPKI (Nested certificate based PKI) system reduces the number of revocation status controls to at most t...

We present the results of our implementation of elliptic curve cryptography (ECC) over the field GF(p) on an 80-MHz, 32-bit ARM microprocessor. We have produced a practical software library which supports variable length implementation of the elliptic curve digital signature algorithm (ECDSA). We implemented the ECDSA and a recently proposed ECC-ba...

We modify an algorithm given by Kaliski to compute the Montgomery inverse of an integer modulo a prime number. We also give a new definition of the Montgomery inverse, and introduce efficient algorithms for computing the classical modular inverse, the Kaliski-Montgomery inverse, and the new Montgomery inverse. The proposed algorithms are suitable f...

We present a novel method of parallelization of the multiplication operation in GF(2k) for an arbitrary value of k and arbitrary irreducible polynomial n(x) generating the field. The parallel algorithm is based on polynomial residue arithmetic, and requires that we find L pairwise relatively prime modulim i(x) such that the degree of the product po...

We present a new formulation of the Mastrovito multiplication matrix for the field GF(2^m) generated by an arbitrary irreducible polynomial. We study in detail several specific types of irreducible polynomials, e.g., trinomials, all-one-polynomials, and equally-spaced-polynomials, and obtain the time and space complexity of these designs....

We present a new formulation of the Mastrovito multiplication matrix and an architecture for the multiplication operation in the field GF(2m) generated by an arbitrary irreducible polynomial. We study in detail several specific types of irreducible polynomials, e.g., trinomials, all-one-polynomials, and equally-spaced-polynomials, and obtain the ti...

We present a novel method of parallelization of the multiplication operation in GF (2k) for an arbitrary value of k and arbitrary irreducible polynomial n(x) generating the field. The parallel algorithm is based on polynomial residue arithmetic, and requires that we find L pairwise relatively prime moduli mi(x) such that the degree of the product p...

In this paper, we present the results of our implementation of elliptic curve cryptography (ECC) over the field GF (p) on an 80-MHz, 32-bit ARM microprocessor. We have produced a practical software library which supports variable length implementation of the elliptic curve digital signature algorithm (ECDSA). We implemented the ECDSA and a recently...

We describe a scalable and unified architecture for a Montgomery multiplication module which operates in both types of finite fields GF(p) and GF(2m). The unified architecture requires only slightly more area than that of the multiplier architecture for the field GF(p). The multiplier is scalable, which means that a fixed-area multiplication module...

We describe a scalable and unified architecture for a Montgomery multiplication module which operates in both types of finite fields GF(p) and GF(2m). The unified architecture requires only slightly more area than that of the multiplier architecture for the field GF(p). The multiplier is scalable, which means that a fixed-area multiplication module...

We present a parallelization of Parlett's algorithm for computing arbitrary functions of upper triangular matrices. The parallel algorithm preserves the numerical stability properties of the serial algorithm, and is suitable for implementation on coarse-grain parallel computers. The algorithm obtains a speedup of 9.5 for matrices of size greater th...

Elliptic curve cryptography provides a methodology for obtaining high-speed, ef-ficient, and scalable implementations of network security protocols. In this paper, we describe in detail three protocols based on elliptic curve cryptographic techniques, and the results of our implementation of the elliptic curve cryptography over the Galois field GF...

An efficient algorithm for the multiplication in GF(2^m) was introduced by Mastrovito. The space complexity of the Mastrovito multiplier for the irreducible trinomial x^m+x+1 was given as m²-1 XOR and m² AND gales. In this paper, we describe an architecture based on a new formulation of the multiplication m...

We describe an algorithm for inverting an iteration of the one-dimensional cellular automaton. The algorithm is based on the linear approximation of the updating function, and requires less than exponential time forparticular classes of updating functions and seed values. For example, an n-cell cellular automaton based on the updating function CA30...

This paper describes the methodology and design of a scalable Montgomery multiplication module. There is no limitation on the maximum number of bits manipulated by the multiplier, and the selection of the word-size is made according to the available area and/or desired performance. We describe the general view of the new architecture, analyze hardw...

This paper describes the methodology and design of a scalable Montgomery multiplication module. There is no limitation on the maximum number of bits manipulated by the multiplier, and the selection of the word-size is made according to the available area and/or desired performance. We describe the general view of the new architecture, analyze hardw...

We present a new low-complexity bit-parallel canonical basis multiplier for the #eld GF#2 byanall-one-polynomial. The proposed canonical basis multiplier requires m , 1 XOR gates and AND gates. We also extend this canonical basis multiplier to obtain a new bit-parallel normal basis multiplier.

We show that the multiplication operation c = a # b # r # can be implemented signi#cantly faster in software than the standard multiplication, where r is a special #xed element of the #eld. This operation is the #nite #eld analogue of the Montgomery multiplication for modular multiplication of integers. We give the bit-level and word-level algorith...