A New Encoding Algorithm for a Multidimensional Version of the Montgomery Ladder Aaron Hutchinson 1 Koray Karabina 2,3 1 University of Waterloo a5hutchinson@uwaterloo.ca 2 Florida Atlantic University kkarabina@fau.edu 3 National Research Council Canada koray.karabina@nrc-cnrc.gc.ca July 21, 2020 Aaron Hutchinson, Koray Karabina July 21, 2020 1 / 32
Background This work builds on that of two previous works: [2] A. Hutchinson and K. Karabina. Constructing Multidimensional Differential Addition Chains and Their Applications. Journal of Cryptographic Engineering , 9(1):1–19, 2019 [1] H. Hisil, A. Hutchinson, and K. Karabina. d -MUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves. 8th International Conference on Security, Privacy, and Applied Cryptography Engineering - SPACE 2018, Lecture Notes in Computer Science , 11348:198–217, 2018 In all three works the topic of interest is the multidimensional scalar multiplication algorithm d -MUL . Aaron Hutchinson, Koray Karabina Background July 21, 2020 2 / 32
Scalar Multiplication Algorithms Let G be an abelian group. A d - dimensional scalar multiplication algorithm for G takes input a 1 , . . . , a d ∈ N and P 1 , . . . , P d ∈ G and outputs the element a 1 P 1 + · · · + a d P d . Such algorithms often see use in cryptography: 1 dimension: Elliptic Curve Diffie-Hellman, Elliptic Curve Digital Signature Generation, Isogeny-based cryptography 2 or 3 dimensions: Elliptic Curve Digital Signature Verification d dimensions: batch signature verification Aaron Hutchinson, Koray Karabina Background July 21, 2020 3 / 32
Cryptographically Secure Scalar Multiplication For use in a cryptographic setting the following properties are desired: Uniformity: the algorithm performs the same sequence of operations during each execution Isochronous: the algorithm always takes the same amount of time to execute independent of the input Differential additions: computing P + Q can sometimes be done much more efficiently if P − Q is already known. Parallelizability of operations Aaron Hutchinson, Koray Karabina Background July 21, 2020 4 / 32
Example: Montgomery Chain To compute 10 P with the Montgomery Chain: 10 = (1010) 2 = 1 · 2 3 + 0 · 2 2 + 1 · 2 1 + 0 · 2 0 . Initialize variables R 1 ← 1 P and R 0 ← 0 P = 0. If the i -th bit of a is x , replace R 1 − x with R 1 + R 0 and double the value of R x . Initial 3 2 1 0 R 1 : P 2 P → 3 P → 6 P → 11 P R 0 : 0 → 2 P → 5 P → 10 P P Montgomery Chain uses ⌈ log 2 ( a ) ⌉ iterations, each uniformly performing 1 doubling and 1 addition. Every difference is P . Total cost: ⌈ log 2 ( a ) ⌉ ( D + A ). Aaron Hutchinson, Koray Karabina Background July 21, 2020 5 / 32
Example: Bernstein Chain (2006) Bernstein proposed a 2 dimensional differential addition chain. If a, b are ℓ -bit integers, the algorithm computes aP + bQ using an operation count of ℓ (2 A + D ). For every point addition, the corresponding difference is in the set { 0 , P, Q, P + Q, P − Q } . Highly parallelizable. The Bernstein Chain generalizes the Montgomery Chain to 2 dimensions. Aaron Hutchinson, Koray Karabina Background July 21, 2020 6 / 32
Example: Bernstein Chain Aaron Hutchinson, Koray Karabina Background July 21, 2020 7 / 32
d -MUL Overview The d -MUL algorithm generalizes the Montgomery and Bernstein Chains to d dimensions for general d ≥ 1. Based on an algorithm of Dan Brown (2006). Properties: Given a 1 , . . . , a d ∈ Z and P 1 , . . . , P d ∈ G , outputs � a i P i . Performs ℓ := max(log 2 | a i | ) iterations, each performing 1 doubling and d additions. Total cost: ℓ ( D + d A ) In each iteration, the doubling and additions are independent, so highly parallelizable. Differences are fixed in the set { � c i P i : c i ∈ { 0 , 1 , − 1 }} . Aaron Hutchinson, Koray Karabina Background July 21, 2020 8 / 32
d -MUL Version 1 First version of d -MUL [2] uses state matrices to construct a differential addition chain: Definition A state matrix is a ( d + 1) × d integer-valued matrix A such that: every row A i has i − 1 odd entries. A i +1 − A i has a single nonzero entry which is ± 1. Aaron Hutchinson, Koray Karabina Background July 21, 2020 9 / 32
d -MUL Version 1 First version of d -MUL [2] uses state matrices to construct a differential addition chain: Definition A state matrix is a ( d + 1) × d integer-valued matrix A such that: every row A i has i − 1 odd entries. A i +1 − A i has a single nonzero entry which is ± 1. Algorithm is a 3 step process: 1 Initialization : construct a (any) state matrix A ( ℓ ) having ( a 1 , . . . , a d ) as a row. 2 Recoding : construct a sequence of state matrices { A ( i ) } such that every row in A ( i +1) is the sum of two rows from A ( i ) . 3 Evaluation : use row relationships between consecutive A ( i ) to add points P j together. Aaron Hutchinson, Koray Karabina Background July 21, 2020 9 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 10 14 10 11 10 14 9 11 10 15 9 11 11 15 9 11 Aaron Hutchinson, Koray Karabina Background July 21, 2020 10 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 10 14 10 11 10 14 9 11 → 5 10 15 9 11 7 5 6 11 15 9 11 Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 10 14 10 11 10 14 9 11 → 5 10 15 9 11 7 5 6 11 15 9 11 5 7 5 5 Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 10 14 10 11 10 14 9 11 → 5 7 4 6 10 15 9 11 5 7 5 6 11 15 9 11 5 7 5 5 Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 10 14 10 11 5 8 4 6 10 14 9 11 → 5 7 4 6 10 15 9 11 5 7 5 6 11 15 9 11 5 7 5 5 Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 6 8 4 6 10 14 10 11 5 8 4 6 10 14 9 11 → 5 7 4 6 10 15 9 11 5 7 5 6 11 15 9 11 5 7 5 5 Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Example: compute 10 P 1 + 14 P 2 + 9 P 3 + 11 P 4 . 10 14 10 12 6 8 4 6 2 4 2 2 10 14 10 11 5 8 4 6 2 4 2 3 10 14 9 11 → 5 7 4 6 → 3 4 2 3 10 15 9 11 5 7 5 6 3 3 2 3 11 15 9 11 5 7 5 5 3 3 3 3 A (5) A (4) A (3) 2 2 2 2 0 0 0 0 2 2 1 2 0 1 0 0 1 2 1 2 → 0 1 0 1 1 2 1 1 1 1 0 1 1 1 1 1 1 1 1 1 A (2) A (1) Aaron Hutchinson, Koray Karabina Background July 21, 2020 11 / 32
d -MUL Version 1: Example Q 1 0 0 0 0 1 = 0 Q 1 0 1 0 0 2 = P 2 Q 1 0 1 0 1 3 = + P 4 = ⇒ P 2 Q 1 1 1 0 1 4 = P 1 + P 2 + P 4 Q 1 1 1 1 1 5 = P 1 + P 2 + P 3 + P 4 Aaron Hutchinson, Koray Karabina Background July 21, 2020 12 / 32
d -MUL Version 1: Example Q 1 0 0 0 0 1 = 0 Q 1 0 1 0 0 2 = P 2 Q 1 0 1 0 1 3 = + P 4 = ⇒ P 2 Q 1 1 1 0 1 4 = P 1 + P 2 + P 4 Q 1 1 1 1 1 5 = P 1 + P 2 + P 3 + P 4 ↓ ↓ Q 2 1 = 2 Q 1 2 2 2 2 (= 2 P 1 + 2 P 2 + 2 P 3 + 2 P 4 ) 5 Q 2 2 = Q 1 4 + Q 1 2 2 1 2 (= 2 P 1 + 2 P 2 + 1 P 3 + 2 P 4 ) 5 Q 2 3 = Q 1 3 + Q 1 1 2 1 2 = ⇒ (= 1 P 1 + 1 P 2 + 1 P 3 + 2 P 4 ) 5 Q 2 4 = Q 1 2 + Q 1 1 2 1 1 (= 1 P 1 + 2 P 2 + 1 P 3 + 1 P 4 ) 5 Q 2 5 = Q 1 1 + Q 1 1 1 1 1 (= 1 P 1 + 1 P 2 + 1 P 3 + 1 P 4 ) 5 Aaron Hutchinson, Koray Karabina Background July 21, 2020 12 / 32
Recommend
More recommend
