2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? - - PowerPoint PPT Presentation

Fast Arithmetic Modulo 2𝑦𝑞𝑧 ± 1

Joppe W. Bos and Simon Friedberger

Why these strange primes?

 Quantum computers  NIST call for PQC standards [1] [2]

2

Post-Quantum Cryptography

 Lattice-based  Code-based  MQ-based  Hash-based  Isogeny-based

 Little data (330 B / 10 x smaller)  Very slow (1000 x slower)  Requires more cryptanalysis (published 2011)  …but it has elliptic curves!

3

ECC vs SIDH

ECC 𝑜 𝑄 = 𝑅 SIDH 𝐹2 = Φ𝑜 ∘ ⋯ ∘ Φ1(𝐹1)

[3] [3]

4

Key exchange

[3]

5

#E(𝔾q2) = 2𝑦𝑞𝑧 2 q = 2xpy ± 1

Fast Arithmethic modulo 2𝑦𝑞𝑧 ± 1

6

#E(𝔾q2) = 2𝑦𝑞𝑧 2 q = 2xpy ± 1

Fast Arithmethic modulo 2𝑦𝑞𝑧 ± 1

6

Compared approaches

 Montgomery reduction  Barrett division  Modular simplification  Shifting  Special radix  …

7

Montgomery reduction

 Calculate Τ ෤ 𝑏෨ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication

𝑑𝑆−1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)

 Prime shape optimizations:  𝜈 = −𝑛−1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2𝑦𝑞𝑧 ± 1 = 𝑦𝑞𝑧 2𝑦 ± 𝑦  Costs 𝑜2 + 𝑜 optimized to 𝑜2

2 M

8

Montgomery reduction

 Calculate Τ ෤ 𝑏෨ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication

𝑑𝑆−1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)

 Prime shape optimizations:  𝜈 = −𝑛−1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2𝑦𝑞𝑧 ± 1 = 𝑦𝑞𝑧 2𝑦 ± 𝑦  Costs 𝑜2 + 𝑜 optimized to 𝑜2

2 M

9

Montgomery reduction

 Calculate Τ ෤ 𝑏෨ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication

𝑑𝑆−1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)

 Prime shape optimizations:  𝜈 = −𝑛−1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2𝑦𝑞𝑧 ± 1 = 𝑦𝑞𝑧 2𝑦 ± 𝑦  Costs 𝑜2 + 𝑜 optimized to 𝑜2

2 M

10

Barrett division

 Calculate 𝑑 𝑛𝑝𝑒 𝑛 as 𝑑 − 𝑑/𝑛 𝑛  Approximate

𝑑 𝑛 as 𝑑 𝑆 𝑆 𝑛

 Error of at most 𝑛, or at most 3𝑛 after some more optimizations  Also gives the fraction not just the remainder  Costs 𝑜2 + 4𝑜 + 1 optimized to

5 8 𝑜2 + 13 4 𝑜 + 1 𝑁

11

Barrett division

 Calculate 𝑑 𝑛𝑝𝑒 𝑛 as 𝑑 − 𝑑/𝑛 𝑛  Approximate

𝑑 𝑛 as 𝑑 𝑆 𝑆 𝑛

 Error of at most 𝑛, or at most 3𝑛 after some more optimizations  Also gives the fraction not just the remainder  Costs 𝑜2 + 4𝑜 + 1 optimized to

5 8 𝑜2 + 13 4 𝑜 + 1 𝑁

12

Simplified Modulus

 Pick 𝑆 = 𝑛 + 1 = 2𝑦𝑞𝑧  𝑑 = 𝑑1𝑆 + 𝑑0 = 𝑑1𝑛 + 𝑑1 + 𝑑0 ≡ 𝑑1 + 𝑑0  Need to divide 𝑑

𝑆 and suppose 𝑆 = 2𝑦𝑆′

 Idea: Use Barrett division with special modulus  If 𝑑 = 𝑑1

′2𝑦 + 𝑑0 ′ and 𝑑1 ′ = 𝑣𝑆′ + 𝑤 it follows that

 𝑑 = 𝑣2𝑦𝑆′ + 𝑤2𝑦 + 𝑑0′  It follows that 𝑤2𝑦 + 𝑑0

′ = 𝑑0 and 𝑣 = 𝑑1

 Cost ℬ

3 2 𝑜, 1 2 𝑜 = 5 8 𝑜2 + 13 4 𝑜 + 1 𝑁

13

Folding

 Save time on the reduction by computing a multiplication first  With precomputed 𝜈 = 𝑆 𝑛𝑝𝑒 𝑛  Transform 𝑑 = 𝑑1𝑆 + 𝑑0 it is clear that 𝑑 ≡ 𝑑1𝜈 + 𝑑0 𝑛𝑝𝑒 𝑛  Picking 𝑆 appropriately will reduce the size of the number to reduce  Costs: For 𝑆 1.5 times as long as 𝑛 we get  𝑑 is reduced in length by 25 %  Cost 𝑜2

2 𝑁

 Folding + Barrett Cost 𝑜2

2 + 5 4 𝑜 + 1 𝑁

14

Interleaved vs Non-interleaved

 Interleave multiplication and reduction

 Uses less memory

 Multiply and reduce separately

 Allows asymptotically fast multiplication algorithms

 SIDH: Arithmetic in 𝔾q2

 (𝑏 + 𝑗𝑐)(𝑑 + 𝑗𝑒)  Interleaved: 4 M&R, Non-interleaved: 4 M + 2 R  Using Karatsuba: 3 M&R vs 3 M + 2 R

 Non-interleaved is to be preferred for SIDH

15

Modulus based Radix

 Recent approach from WAIFI  Pick 𝑆 = 𝑛 and representation 𝑏 = 𝑏1𝑆 + 𝑏0 this gives  𝑏𝑐 = 𝑏1𝑐1𝑆2 + (𝑏1𝑐0 + 𝑏0𝑐1)𝑆 + 𝑏0𝑐0 = 𝑏1𝑐0 + 𝑏0𝑐1 𝑆 + 𝑏1𝑐1 + 𝑏0𝑐0  Reduce both parts again using Barrett division  Costs: 17

16 𝑜2 + 13 4 𝑜 + 2 𝑁

 Unfortunately interleaved

16

Results (interleaved)

17

(Costs for multiplication and reduction)

Results (non-interleaved)

18

(Costs for reduction only)

Shifting

 23723239 − 1  23723239 has 372 zero bits  5 words of 64 bit and another 52 bits  3239 fits into 6 words but it actually uses 7 now  We can properly align the powers of three  Costs: several shifts by 52 bits

19

SIDH friendly primes

 Conditions for our search

• 1. 𝑞 ∈ 3,5,7,11,13,17,19
• 2. 384 ≤ 𝑦 < 450 and 2300 < 𝑞𝑧 < 2450
• 3. 2740 < 2𝑦𝑞𝑧 ± 1 < 2768
• 4. 2𝑦 − 𝑞𝑧 < 240
• 5. 2𝑦𝑞𝑧 + 1 or 2𝑦𝑞𝑧 − 1 is prime

20

New prime suggestions

Prime Security 𝟑𝟒𝟗𝟔𝟒𝟑𝟑𝟖 − 𝟐 120 23945154 + 1 119 23945155 − 1 120 23967131 + 1 123 23931791 + 1 124 𝟑𝟒𝟘𝟐𝟐𝟘𝟗𝟗 − 𝟐 125

21

Benchmarking results

22

Questions?

https://github.com/sidh-arith/

23

References

• 1. https://www.technologyreview.com/s/602283/googles-quantum-dream-

may-be-just-around-the-corner/

• 2. https://bits.blogs.nytimes.com/2013/05/16/google-buys-a-quantum-

computer/?_r=0

• 3. https://www.esat.kuleuven.be/cosic/elliptic-curves-are-quantum-dead-

long-live-elliptic-curves/

24