Camille Vuillaume

Merkle Signatures with Virtually Unlimited Signature Capacity

We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited(280) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost.

Digital Signatures Out of Second-Preimage Resistant Hash Functions

We propose a new construction for Merkle authentication trees which does not require collision resistant hash functions; in contrast with previous constructions that attempted to avoid the dependency on collision resistance, our technique enjoys provable security assuming the well-understood notion of second-preimage resistance. The resulting signature scheme is existentially unforgeable when the underlying hash function is second-preimage resistant, yields shorter signatures, and is affected neither by birthday attacks nor by the recent progresses in collision-finding algorithms.

Efficient representations on koblitz curves with resistance to side channel attacks

Koblitz curves belong to a special class of binary curves on which the scalar multiplication can be computed very efficiently. For this reason, they are suitable candidates for implementations on low-end processors. However, such devices are often vulnerable to side channel attacks. In this paper, we propose two countermeasures against side channel attacks on Koblitz curves. Both of them utilize a fixed-pattern recoding to defeat simple power analysis. Our first technique extends a known countermeasure to the special case of Koblitz curves. In our second technique, the scalar is recoded from left to right, and can be easily stored or even randomly generated.

Short-Memory Scalar Multiplication for Koblitz Curves

This paper presents a scalar multiplication method for Koblitz curves. Koblitz curves are elliptic curves where the scalar multiplication can be computed in a much faster way than with other curves, allowing designs and implementations without arithmetic coprocessor. The new method is as fast as the fastest known techniques on Koblitz curves but requires much less memory; therefore, it is of particular interest for environments with low resources. Our technique is well suited for both hardware and software implementations. In hardware, we show that a normal basis implementation reduces memory consumption by 85 percent compared to conventional methods, but this still has exactly the same computational cost. In software, thanks to a mixed normal-polynomial bases approach, our technique allows memory savings up to 70 percent and, depending on the instruction set of the CPU, can be as fast as the fastest known scalar multiplication methods or can even beat them by a large margin. Therefore, in software and in hardware, our scalar multiplication technique offers high performance without sacrifice in view of memory.

Short memory scalar multiplication on koblitz curves

We present a new method for computing the scalar multiplication on Koblitz curves. Our method is as fast as the fastest known technique but requires much less memory. We propose two settings for our method. In the first setting, well-suited for hardware implementations, memory requirements are reduced by 85%. In the second setting, well-suited for software implementations, our technique reduces the memory consumption by 70%. Thus, with much smaller memory usage, the proposed method yields the same efficiency as the fastest scalar multiplication schemes on Koblitz curves.

Flexible exponentiation with resistance to side channel attacks

We present a countermeasure for protecting modular exponentiations against side-channel attacks such as power, timing or cache analysis. Our countermeasure is well-suited for tamper-resistant implementations of RSA or DSA, without significant penalty in terms of speed compared to commonly implemented methods. Thanks to its high efficiency and flexibility, our method can be implemented on various platforms, from smartcards with low-end processors to high-performance servers.

Unbridle the bit-length of a crypto-coprocessor with montgomery multiplication

We present a novel approach for computing 2n-bit Montgomery multiplications with n-bit hardware Montgomery multipliers. Smartcards are usually equipped with such hardware Montgomery multipliers; however, due to progresses in factoring algorithms, the recommended bit length of public-key schemes such as RSA is steadily increasing, making the hardware quickly obsolete. Thanks to our doublesize technique, one can re-use the existing hardware while keeping pace with the latest security requirements. Unlike the other double-size techniques which rely on classical n-bit modular multipliers, our idea is tailored to take advantage of n-bit Montgomery multipliers. Thus, our technique increases the perenniality of existing products without compromises in terms of security.

Double-size bipartite modular multiplication

This paper proposes new techniques of double-size bipartite multiplications with single-size bipartite modular multiplication units. Smartcards are usually equipped with crypto-coprocessors for accelerating the computation of modular multiplications, however, their operand size is limited. Security institutes such as NIST and standards such as EMV have recommended or forced to increase the bit-length of RSA cryptography over years. Therefore, techniques to compute double-size modular multiplications with single-size modular multiplication units has been studied this decade to extend the life expectancy of the low-end devices. We propose new double-size techniques based on multipliers implementing either classical or Montgomery modular multiplications, or even both simultaneously (bipartite modular multiplication), in which case one can potentially compute modular multiplications twice faster.

Defeating Simple Power Analysis on Koblitz Curves*The preliminary version of this paper was presented at the 10th Australasian Conference on Information Security and Privacy, ACISP'05.

Koblitz curves belong to a special class of binary curves on which the scalar multiplication can be computed very efficiently. For this reason, they are suitable candidates for implementations on low-end processors. However, such devices are often vulnerable to side channel attacks. In this paper, we propose a new countermeasure against side channel attacks on Koblitz curves, which utilizes a fixed-pattern recoding to defeat simple power analysis. We show that in practical cases, the recoding can be performed from left to right, and can be easily stored or even randomly generated.

Public Key Authentication with Memory Tokens

We propose a very low-cost authentication scheme based on Merkle signatures, which does not require any computation on the prover side, but instead, has moderate memory requirements. Our technique is particularly attractive on platforms where memory is already available, since it can be implemented at practically no cost, without any CPU, and with an extremely simple memory access control mechanism.