Cryptography


AES implementations

D. J. Bernstein and I implemented AES in Counter mode for different architectures, namely ppc32, x86, sparcv9 and amd64. On several microarchitectures this code sets new speed records. Details about how these speed records are achieved can be found in our joint paper "New AES software speed records" (PDF).
The software is now available as part of the estreambench toolkit (in the subdirectory /benchmarks/aes/aes-128/schwabe). We have placed the software into the public domain; feel free to integrate it into your own AES applications!


HECTOR

HECTOR is an implementation of a key exchange and a signature scheme based on a hyperelliptic curve over the binary field F_(2^113) for the eBATS project. For details of the implementation please refer to the documentation in PDF format.
To download and build HECTOR, first install the GMP library, then do the following:

wget http://cryptojedi.org/crypto/data/hector.tar.bz2
tar xjvf hector.tar.bz2
cd hector
make

This builds two binaries, hector_dh and hector_sig. Both need random bytes as input; they can, for example, be started with

./hector_dh < /dev/urandom
./hector_sig < /dev/urandom

respectively.


BN curves

A BN curve is an elliptic curve E: Y^2 = X^3 + b defined over F_p such that the group of F_p-rational points has prime order n. BN curves have embedding degree k = 12 with respect to n. The BN family of pairing-friendly curves is parametrized by the following polynomials in the indeterminate u:

p = p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1,
n = n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1.

The trace of Frobenius over F_p is given as t(u) = 6u^2 + 1, so n = p + 1 - t. To find a BN curve, choose integer values of suitable size for u until both p(u) and n(u) are prime. Then test values for the coefficient b until the curve has the correct order n. A generator of the group E(F_p) is any F_p-rational point other than the point at infinity, but it can be chosen to be G = (1, y) for y a square root of b + 1. For more detailed information see [1]. BN curves have sextic twists and are therefore suitable for very efficient pairing implementation. It is also possible to compute pairings on BN curves in a compressed form, see [2].
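
The recipe above, carried out in Python as an added example (not code from this page or from bn256): search odd u until p(u) and n(u) are prime, try coefficients b until G = (1, sqrt(b+1)) has order n, and confirm the order by scalar multiplication. Sizes are toy-sized for speed, and keeping u odd is my own simplification so that p = 3 mod 4 and the square root is a single exponentiation.

```python
# Added example (not code from the page): follow the BN recipe above at toy sizes,
# then verify the order n by scalar multiplication. u is kept odd so that p = 3 mod 4.
import random

def p_of(u): return 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1
def n_of(u): return 36*u**4 + 36*u**3 + 18*u**2 + 6*u + 1
def t_of(u): return 6*u**2 + 1   # trace of Frobenius, so n = p + 1 - t

def is_probable_prime(m, rounds=32):   # trial division, then Miller-Rabin
    if m < 2: return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if m % q == 0: return m == q
    d, s = m - 1, 0
    while d % 2 == 0: d //= 2; s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1): continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1: break
        else: return False
    return True

def ec_add(P, Q, p):   # affine addition on Y^2 = X^3 + b over F_p; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3*x1*x1 * pow(2*y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def ec_mul(k, P, p):   # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = ec_add(R, P, p)
        P, k = ec_add(P, P, p), k >> 1
    return R

def find_bn_curve(u_bits, seed=2008):   # returns (u, p, n, b, G) following the text's recipe
    rng = random.Random(seed)
    while True:
        u = rng.getrandbits(u_bits) | (1 << (u_bits - 1)) | 1   # random odd u of u_bits bits
        p, n = p_of(u), n_of(u)
        if not (is_probable_prime(p) and is_probable_prime(n)): continue
        for b in range(1, p):   # try coefficients b until the curve has order n
            c = (b + 1) % p
            if pow(c, (p - 1) // 2, p) != 1: continue   # b+1 must be a square for G = (1, y)
            G = (1, pow(c, (p + 1) // 4, p))             # square root, valid since p = 3 mod 4
            # n prime and n*G = O give ord(G) = n; Hasse's bound then forces #E(F_p) = n
            if ec_mul(n, G, p) is None: return u, p, n, b, G
```

For u = 1 the polynomials already give the primes p = 103 and n = 97, which is a handy sanity check before running the search at larger sizes.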

[1] Paulo S. L. M. Barreto, Michael Naehrig: Pairing-Friendly Elliptic Curves of Prime Order. Selected Areas in Cryptography -- SAC 2005, Lecture Notes in Computer Science 3897, Springer-Verlag (2006), pp. 319--331. Preliminary version: Cryptology ePrint Archive, Report 2005/133.
[2] Michael Naehrig, Paulo S. L. M. Barreto, Peter Schwabe: On Compressible Pairings and Their Computation. Progress in Cryptology -- AfricaCrypt 2008, Lecture Notes in Computer Science 5023, Springer-Verlag (2008), pp. 371--388. Cryptology ePrint Archive, Report 2007/429.

Pairing computation on BN curves

bn256 is an implementation of different cryptographic pairings on a 256-bit BN curve.
In order to build it, you need the GMP library with header files; on Debian (Lenny) systems it can be installed with

aptitude install libgmp3-dev libgmp3c2

For speed measurement we include cpucycles written by D. J. Bernstein.

To build bn256, do the following:

wget http://cryptojedi.org/crypto/data/bn256-20080525.tar.bz2
tar xjvf bn256-20080525.tar.bz2
cd bn256-20080525
make

After the build process has finished you will find a binary called bn256 in the bin/ directory; its usage should be self-explanatory. The corresponding source file src/bn256.c shows how to call the functions for pairing computation.
We note that the generation of random points is based on the GMP functions for random number generation and must not be used for cryptographic purposes.
Parts of this code have been developed in the context of a UMIC project at the Institute for Theoretical Information Technology at RWTH Aachen University.