Thomas Icart

Efficient scalar multiplication by isogeny decompositions

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication–by–l map [l] has degree l2, therefore the complexity to directly evaluate [l](p) is O(l2). For a small prime l (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree l then the costs of computing ϕ(P) should in contrast be O(l) field operations. Since we then have a product expression [l]=

Efficient indifferentiable hashing into ordinary elliptic curves

\hat{\varphi}\varphi

Supplemental access control (PACE v2): security analysis of PACE integrated mapping

, the existence of an l-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(l2) to O(l) field operations for the evaluation of [l](p) by naive application of the defining polynomials. In this work we investigate actual improvements for small l of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [l]=

HIP Tags Privacy Architecture

\hat{\varphi}\varphi

Efficient zero-knowledge identification schemes which respect privacy

, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for l-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.

Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

We provide the first construction of a hash function into ordinary elliptic curves that is indifferentiable from a random oracle, based on Icarts deterministic encoding from Crypto 2009. While almost as efficient as Icarts encoding, this hash function can be plugged into any cryptosystem that requires hashing into elliptic curves, while not compromising proofs of security in the random oracle model. We also describe a more general (but less efficient) construction that works for a large class of encodings into elliptic curves, for example the Shallue-Woestijne-Ulas (SWU) algorithm. Finally we describe the first deterministic encoding algorithm into elliptic curves in characteristic 3.

Multiplicative splits to protect cipher keys

We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Securite. PACE v2 IM enjoys the following properties: patent-freeness (to the best of current knowledge in the field); full resistance to dictionary attacks, secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group; optimal performances. The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol, proposed by the German Federal Office for Information Security (BSI). In this document, we provide a description of PACE v2 IM, a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications, a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.

Securing implementation of cryptographic algorithms using additional rounds

This paper describes an innovative and highly secure networking architecture, dedicated to the Internet of things (IoT). We propose an infrastructure that works with a new type of tags, supporting the recently standardized host identity protocol (HIP). Our main concern is to ensure RFID tags privacy, while enabling things to things communications.