
Publication


Featured research published by Tolga Acar.


international symposium on microarchitecture | 1996

Analyzing and comparing Montgomery multiplication algorithms

C. Kaya Koc; Tolga Acar; Burton S. Kaliski

Montgomery multiplication methods constitute the core of modular exponentiation, the most popular operation for encrypting and signing digital data in public-key cryptography. In this article, we study the operations involved in computing the Montgomery product, describe several high-speed, space-efficient algorithms for computing MonPro(a, b), and analyze their time and space requirements. Our focus is to collect several alternatives for Montgomery multiplication, three of which are new. However, we do not compare the Montgomery techniques to other modular multiplication approaches.


Designs, Codes and Cryptography | 1998

Montgomery Multiplication in GF(2^k)

Çetin Kaya Koç; Tolga Acar

We show that the multiplication operation c = a · b · r^{-1} in the field GF(2^k) can be implemented significantly faster in software than the standard multiplication, where r is a special fixed element of the field. This operation is the finite field analogue of the Montgomery multiplication for modular multiplication of integers. We give the bit-level and word-level algorithms for computing the product, perform a thorough performance analysis, and compare the algorithm to the standard multiplication algorithm in GF(2^k). The Montgomery multiplication can be used to obtain fast software implementations of the discrete exponentiation operation, and is particularly suitable for cryptographic applications where k is large.


theory and application of cryptographic techniques | 2010

Cryptographic agility and its relation to circular encryption

Tolga Acar; Mira Belenkiy; Mihir Bellare; David Cash

We initiate a provable-security treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weak-PRFs) are agile. The second, already posed several times in the literature, is whether every secure (IND-R) encryption scheme is secure when encrypting cycles. We resolve the second question in the negative and thereby the first as well. We go on to provide a comprehensive treatment of agility, with definitions for various different primitives. We explain the practical motivations for agility. We provide foundational results that show to what extent it is achievable and practical constructions to achieve it to the best extent possible. On the theoretical side our work uncovers new notions and relations and settles stated open questions, and on the practical side it serves to guide developers.


Computer Networks | 2013

Single password authentication

Tolga Acar; Mira Belenkiy; Alptekin Küpçü

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the users' account information. In this paper, we propose several protocols that can allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and cross-site impersonation or honeypot attacks by the online service providers. Our solutions assume the user has access to either an untrusted online cloud storage service (as per Boyen [16]), or a mobile storage device that is trusted until stolen. In the cloud storage scenario, we consider schemes that optimize for either storage server or online service performance, as well as anonymity and unlinkability of the user's actions. In the mobile storage scenario, we minimize the assumptions we make about the capabilities of the mobile device: we do not assume synchronization, tamper resistance, special or expensive hardware, or extensive cryptographic capabilities. Most importantly, the user's password remains secure even after the mobile device is stolen. Our protocols provide another layer of security against malware and phishing. To the best of our knowledge, we are the first to propose such various and provably secure password-based authentication schemes. Lastly, we argue that our constructions are relatively easy to deploy, especially if a few single sign-on services (e.g., Microsoft, Google, and Facebook) adopt our proposal.


symposium on computer arithmetic | 1997

Fast software exponentiation in GF(2^k)

Çetin Kaya Koç; Tolga Acar

The authors present a new algorithm for computing a^e where a ∈ GF(2^k) and e is a positive integer. The proposed algorithm is more suitable for implementation in software, and relies on the Montgomery multiplication in GF(2^k). The speed of the exponentiation algorithm largely depends on the availability of a fast method for multiplying two polynomials of length w defined over GF(2). The theoretical analysis and experiments indicate that the proposed exponentiation method is at least 6 times faster than the exponentiation method using the standard multiplication when w=8. Furthermore, the availability of a 32-bit GF(2) polynomial multiplication instruction on the underlying processor would make the new exponentiation algorithm up to 37 times faster.


financial cryptography | 2013

Accumulators and U-Prove Revocation

Tolga Acar; Sherman S. M. Chow; Lan Nguyen

This work introduces the most efficient universal accumulator known today. For the first time, we have an accumulator which does not depend on hidden order groups, does not require any exponentiations in the target group associated with the pairing function, and only requires two pairings to verify a proof-of-knowledge of a witness.


IEEE Computer | 2000

Managing system and active-content integrity

John R. Michener; Tolga Acar

In a shared, multiuser environment, protecting data from damage or misappropriation by unauthorized users is a major concern. The widespread use of active (executable) content such as Microsoft ActiveX controls and Javascripts has given rise to a dangerous, common practice: executing unknown, untrusted code. Security-minded users typically address this problem by executing only signed content that a familiar entity has verified. However, code signing does not protect against bugs already present in the signed code. Patched or new versions of the code can be issued, but the loader (which verifies and loads the executable content, and then transfers the execution control to the module) will still accept the old version, unless the newer version is installed over it. We propose a method that addresses the executable content management problem. Our method employs an executable content loader (which we call a strong loader) and a short-lived configuration management file to address the software aging problem. The loader is tightly integrated to the operating system. It downloads the configuration file from an integrity server; then it verifies and loads executable modules by applying the policy in this configuration file.


international conference on pairing based cryptography | 2012

Affine pairings on ARM

Tolga Acar; Kristin E. Lauter; Michael Naehrig; Daniel Shumow

We report on relative performance numbers for affine and projective pairings on a dual-core Cortex A9 ARM processor. Using a fast inversion in the base field and doing inversion in extension fields by using the norm map to reduce to inversions in smaller fields, we find a very low ratio of inversion-to-multiplication costs. In our implementation, this favors using affine coordinates, even for the current 128-bit minimum security level specified by NIST. We use Barreto-Naehrig (BN) curves and report on the performance of an optimal ate pairing for curves covering security levels between 128 and 192 bits. We compare with other reported performance numbers for pairing computation on ARM CPUs.


conference on computer architectures for machine perception | 1995

A distributed edge detection and surface reconstruction algorithm

Nalini K. Ratha; Tolga Acar; Muhittin Gökmen; Anil K. Jain

A scalable parallel algorithm for edge detection and surface reconstruction is presented. The algorithm is based on fitting a weak membrane to the pixel gray values by minimizing the associated energy functional. The edge detection process is modeled as a line process and used as a constraint in minimizing the energy functional of the image. The optimal edge assignment cannot be obtained directly as the energy function is non-convex. Using the graduated non-convexity (GNC) approach, the energy is minimized. The proposed parallel algorithm has been implemented on a cluster of workstations using the PVM communication library. The results of parallel implementation on synthetic and natural images are presented. The speedup is observed to be near-linear, thus providing scalability with the problem size. The parallel processing approach presented here can be extended to solve similar problems (e.g., image restoration, and image compression) which use regularization techniques.


IEEE Software | 2000

Security Domains: Key Management in Large-Scale Systems

John R. Michener; Tolga Acar

In large-scale systems, partitioning keys among higher-level structures becomes necessary. Establishing and managing these structures as security domains requires an underlying infrastructure to securely provide local services.
