2.2 About the random generation of Euclidean addition chains in GLV-like context.
The idea of the random generation of chains is introduced in (Herbaut et al., 2010) when the base point P is fixed. The scope is extended to the context of variable-base scalar multiplication on a curve endowed with an endomorphism in (Dosso et al., 2018). Proposition 4 of the latter paper is the result we want to improve and exploit in this work. Namely, this proposition states that under some assumptions, $2^\ell$ different chains of length $\ell$ compute $2^\ell$ different points when applying Algorithm 2 of (Dosso et al., 2018) and starting from (P, φ(P)). Let us recall what it means.

In [6], Brumley and Tuveri presented a successful timing attack on an OpenSSL implementation of the signature phase of ECDSA, in particular a scalar multiplication [k]P, where the nonce k is selected uniformly at random. The attack exploits the dependency between the computation time and the bitlength of k. It operates in two phases: first, using the time dependency, a certain amount of signatures coming from "short" scalars are collected. Then, the missing bits are recovered using lattice-based techniques. The attack works because the first phase is effective: the filtered signatures correspond to scalars shorter than some fixed threshold with very high probability. As mentioned in [6], the attack success rate decreases dramatically with the increase of false positives. The proposed countermeasure consists in replacing k by an equivalent value k̂ of fixed bitlength. This

VI. CONCLUSION
In this paper, we proposed a simple multi-base recoding algorithm for ECC scalar multiplication in hardware without any pre-computations. The scalar recoding is performed on-the-fly and in parallel to curve-level operations without additional latency. The proposed recoding circuit uses cheap divisibility tests by multi-base elements and exact division using very small dedicated hardware units. Our MBNS recoding and scalar multiplication method is a little less competitive compared to other DBNS/MBNS methods when pre-computations or off-line recoding can be used. But our method leads to more efficient solutions in embedded applications fully integrated in hardware, without resources for costly recoding and with limited storage. As future work, we plan to deal with more advanced recoding schemes to reduce the number of produced terms and improved randomization schemes to increase robustness against side-channel attacks.

This paper deals with parallel implementation of scalar multiplication over an elliptic curve. We present parallel approaches which split the scalar into two parts for $E(\mathbb{F}_p)$ or three parts for $E(\mathbb{F}_{2^m})$ and perform in parallel the scalar multiplication with each part of the scalar. We present timing results of these approaches implemented over an Intel Core i7 for the NIST binary curves B233, B409 and for the twisted Edwards curve Curve25519 (Bernstein, 2006). For the curves B409 and Curve25519 the proposed approaches improve by at least 10% the computation time of the scalar multiplication.

In this paper we investigate two new directions for the parallelization of the scalar multiplication. The first direction concerns the parallelization of Montgomery point multiplication on curves $E(\mathbb{F}_{2^m})$. The Montgomery method for scalar multiplication is very regular: the same set of field operations is performed at each iteration of the main loop. This increases the resistance to timing attacks and simple power analysis (SPA). We propose a halving version of the Montgomery approach, the Montgomery-halving, which replaces the point doublings with point halvings in the main loop of the algorithm. This leads to a parallelization of the Montgomery point multiplication into two threads: one thread performing the original Montgomery point multiplication and a second thread performing the Montgomery-halving approach.

tified in [9]. Notice that in this case the recomposition of k from k_1 and k_2 is no longer injective. In Table 6, we made comparisons with two versions of GLV: one with the encoding of k, and the other one without encoding. It turns out that on an Android platform, the EAC scalar multiplication algorithm performs well compared to the classical GLV algorithm (only 3% slower) and can even be faster (2%) in the context where k and P both vary. The most significant gain is obtained when taking into account the resistance to side-channel attacks, since our scheme is at least 25% faster than the protected version of GLV. For the x64 platform, our execution time is 2% faster than the secure version of GLV (this result should be carefully considered, as explained in Remark 1). We obtain a more significant gain if we target an x-coordinate-only system (see Section 9 and [9]).

9 ATTACKING OTHER CRYPTOGRAPHIC IMPLEMENTATIONS
9.1 Template Attack on Curve25519
In this section, we extend our attack description to the scalar multiplication computation on the Montgomery curve Curve25519. An efficient way of performing scalar multiplication on Curve25519 is to use homogeneous projective coordinates. A more efficient implementation further uses the x-coordinate-only representation of points as described in [22]. We target an MSB-first Montgomery powering ladder algorithm realizing the scalar multiplication implementation. The target implementation involves a sequence of point swaps based on the secret bit, followed by point additions and point doublings. We have adapted the Montgomery ladder algorithm for Curve25519 using the set of addition and doubling formulas on projective coordinates shown in Algorithm 1 of [23]. The iterative algorithm, as in [23], computes the same set of equations on every iteration. First, based on the secret scalar bit, a conditional swap of the input is performed; this is followed by the addition and doubling equations. The implementation has no secret-dependent branching for performing the addition and doubling steps, and the conditional swap is realized using a constant-time swap as in Algorithm 7 of [24].

$Z_1^2$ and $(Y_1 + Z_1)^2$ (lines 2, 4 and 10 respectively in Tab. III).
We selected two common curve-level patterns: 2DBL+mADD and TPL+2DBL+mADD for scalar multiplication. The top sub-figure shows that, considering the global cost (EMM × EMW), our method is more efficient for n > 5. For bases with n > 16, one obtains more than 25% global cost improvement using our method. Moreover, SPRR requires fewer EMMs than RNS-MM for n > 16. For instance, for the binary scalar multiplication, it leads to 4.5% and 9.5% reduction for n = 20 and n = 34, respectively (for GPU implementations with w = 16 for instance, see [19]).

The value of the external charge for which partially screened solutions, with charge Q &Z, start having a lower energy than the pure Coulomb solution is indeed given by Z =Zp Q Z„, w

CNRS, URA 2306, F-91191 Gif-sur-Yvette Cedex, France
(Dated: December 14, 2017)
We describe scalar-bimetric theories where the dynamics of the Universe are governed by two separate metrics, each with an Einstein-Hilbert term. In this setting, the baryonic and dark matter components of the Universe couple to metrics which are constructed as functions of these two gravitational metrics. More precisely, the two metrics coupled to matter are obtained by a linear combination of their vierbeins, with scalar-dependent coefficients. The scalar field, contrary to dark energy models, does not have a potential whose role is to mimic a late-time cosmological constant. The late-time acceleration of the expansion of the Universe can be easily obtained at the background level in these models by appropriately choosing the coupling functions appearing in the decomposition of the vierbeins for the baryonic and dark matter metrics. We explicitly show how the concordance model can be retrieved with negligible scalar kinetic energy. This requires the scalar coupling functions to show variations of order unity during the accelerated expansion era. This leads in turn to deviations of order unity for the effective Newton constants and a fifth force that is of the same order as Newtonian gravity, with peculiar features. The baryonic and dark matter self-gravities are amplified, although the gravitational force between baryons and dark matter is reduced and even becomes repulsive at low redshift. This slows down the growth of baryonic density perturbations on cosmological scales, while dark matter perturbations are enhanced. In our local environment, the upper bound on the time evolution of Newton's constant requires an efficient screening mechanism that both damps the fifth force on small scales and decouples the local value of Newton's constant from its cosmological value. This cannot be achieved by a quasi-static chameleon mechanism, and requires going beyond the quasi-static regime and probably using derivative screenings, such as K-mouflage or Vainshtein screening, on small scales.

Yet the unitary gauge is not renormalizable, and thus it is inappropriate for studies of Higgs-sector dynamics far above the symmetry-breaking scale. To study inflationary dynamics in "Higgs inflation," one must instead use a renormalizable gauge, in which the Goldstone scalar fields remain explicit [21]. We are forced, in other words, to consider a multifield model involving four real scalar fields (the Higgs scalar plus three Goldstone scalars), each of which is nonminimally coupled to the Ricci curvature scalar. As recently noted [16, 17], for the model of "Higgs inflation," no combination of conformal transformation and rescaling of the scalar fields exists that could bring both the gravitational portion of the Lagrangian and the kinetic terms for each scalar field into canonical form. Building on this important observation, we consider under what conditions a combination of conformal transformation and field rescalings could bring both the gravitational and kinetic terms of a Lagrangian into canonical form, for arbitrary numbers of nonminimally coupled scalar fields. (See also [22] on post-Newtonian parameters for tensor-multiscalar models.) Because nonminimal couplings are generic for scalar fields in curved spacetimes—and because realistic models of particle physics (including generalizations of the standard model) contain many scalar fields that could play important roles in the early universe [23]—it is important to understand the transformation properties of arbitrary models.

philippe.theveny@ens-lyon.fr
Abstract
Two main and not necessarily compatible objectives when implementing the product of two dense matrices with interval coefficients are accuracy and efficiency. In this work, we focus on an implementation on multicore architectures. One direction successfully explored to gain performance in execution time is the representation of intervals by their midpoints and radii rather than the classical representation by endpoints. Computing with the midpoint-radius representation enables the use of optimized floating-point BLAS and, consequently, the performance benefits from that of the BLAS routines. Several variants of interval matrix multiplication have been proposed, which correspond to various trade-offs between accuracy and efficiency, including some efficient ones proposed by Rump in 2012. However, in order to guarantee that the computed result encloses the exact one, these efficient algorithms rely on an assumption on the order of execution of floating-point operations, which is not verified by most implementations of BLAS. In this paper, an algorithm for interval matrix product is proposed that verifies this assumption. Furthermore, several optimizations are proposed, and the implementation on a multicore architecture compares reasonably well with a non-guaranteed implementation based on MKL, the optimized BLAS of Intel: the overhead is less than 2 for matrix sizes up to 3,500. This implementation also exhibits good scalability.

tension, has several motivations. First, under our assumption of a 1-D FFT black box (which may be a serial program), this trick creates concurrent execution for FFT-based univariate multiplication. Secondly, when the base field K does not possess primitive roots of unity of sufficiently large orders for performing a Cooley-Tukey radix-2 FFT, this trick can reduce the computations to a case where the latter algorithm can be applied. Finally, this technique of extension, together with that of contraction studied in Section IV, is the basis of dense multivariate multiplication via balanced bivariate

that $R(\sigma(x)) = R(x)$ for every $\sigma \in G_\kappa$;
• we write $R : \mathbb{Q}[E(\mathbb{Q})_{\mathrm{tors}}] \to \mathbb{Q}$ for the $\mathbb{Q}$-linear extension of $R : E(\mathbb{Q})_{\mathrm{tors}} \to \mathbb{Q}$, and we observe that it descends to a $\mathbb{Q}$-linear map $R : \mathbb{Q}[G_{\mathbb{Q}} \backslash E(\mathbb{Q})_{\mathrm{tors}}] \to \mathbb{Q}$.
Finally, let us recall a result proved recently by Campagna and the author which concerns division fields of elliptic curves with complex multiplication. This will be used in Section 3.2 to construct suitable functions on an elliptic curve with potential complex multiplication.

liptic curve with complex multiplication by Suppose that E is defined over an extension L of K and that it has good reduction everywhere. Let $\mathfrak{M}$ be an ideal of $\mathcal{O}_K$ and G the group of $\mathfrak{M}$-division points of E. For simplicity we suppose $\mathfrak{M} = \mathfrak{p}^n$, where $\mathfrak{p}$ is a principal prime ideal

where $\sigma : D_3 \to \mathrm{GL}_2(\mathbb{Z})$ is the unique irreducible representation of degree 2 of the group $D_3$ (see [15, §3.4]) and where the last arrow is the reduction map modulo 23.
We now make explicit the form with complex multiplication whose existence is guaranteed by Theorem 1.1. Let δ be a Größencharakter of K of infinity type (11, 0) and conductor $\sqrt{-23}\,\mathcal{O}_K$ such that, with the notation

This approach renders the DFT and FFT computation for polynomial multiplication in $\mathbb{F}_p[T]$ efficient, since the multiplication by the considered root of unity is really cheap.
We also studied subquadratic methods for multiplication in $\mathbb{F}_{2^n}$ (cf. Chapter 3). These works started with the collaboration with Anwar Hasan in two articles extending the TMVP approach initiated by Fan and Hasan in [46] to multiplication modulo a NAOP [1] and to fields represented in a Dickson basis [2]. At this time, parallel multipliers based on TMVP were the best ones among parallel multipliers for fields $\mathbb{F}_{2^n}$ of cryptographic size. Our work extends the

2 Harbin Institute of Technology, China
radu.ciucanu@insa-cvl.fr, {matthieu.giraud, pascal.lafourcade}@uca.fr, 16s003041@stu.hit.edu.cn
Keywords: Matrix multiplication, Strassen-Winograd algorithm, MapReduce, Security
Abstract: Matrix multiplication is a mathematical brick for solving many real-life problems. We consider the Strassen-Winograd algorithm (SW), one of the most efficient matrix multiplication algorithms. Our first contribution is to redesign the SW algorithm in the MapReduce programming model, which allows processing big data sets in parallel on a cluster. Moreover, our main contribution is to address the inherent security and privacy concerns that occur when outsourcing data to a public cloud. We propose a secure approach of SW with MapReduce called S2M3, for Secure Strassen-Winograd Matrix Multiplication with MapReduce. We prove the security of our protocol in a standard security model and provide a proof-of-concept empirical evaluation suggesting its efficiency.


Research that focuses on teachers' work requires observing classes. By asking colleagues to open their doors to us, we first encountered reluctance
