Elliptic curve cryptography: algorithms and implementation
Sorina Ionica, IMB, Université de Bordeaux
Sorina Ionica (IMB) Elliptic Curve Cryptography 1 / 23
Public key cryptography
Sharing a common secret over an insecure channel.
Public key cryptography and groups
Diffie-Hellman key exchange in a public group $(G, +, P)$:
Alice picks a secret $a$ and sends $P_A = aP$; Bob picks a secret $b$ and sends $P_B = bP$.
Alice computes $K = aP_B$, Bob computes $K = bP_A$; both obtain $K = abP$.
Security: the Discrete Logarithm Problem (DLP) in $G$: given $P, Q \in G$, find (if it exists) $\lambda$ such that $Q = \lambda P$.
Elliptic Curve Cryptography
Consider $\mathbb{F}_q$ with $\operatorname{char}(\mathbb{F}_q) \neq 2, 3$. Weierstrass form: $y^2 = x^3 + ax + b$.
[Figure: chord-and-tangent addition on a real Weierstrass curve; the line through $P$ and $Q$ meets the curve in a third point $\ominus R$, and $R = P \oplus Q$ is its reflection.]
Secure implementation: the DLP is hard if $r = \#G$ is a large prime number.
Shorter keys than RSA or than cryptography in the multiplicative group of a finite field.
Security
Table: complexity of generic attacks
| system | fastest known attack | cost |
| RSA (modulus $N$) | Number Field Sieve | $\exp\big((\log N)^{1/3} (\log\log N)^{2/3}\big)$, up to a constant in the exponent |
| ECC (subgroup of prime order $r$) | Pollard rho | $\sqrt{r} = \exp\big(\tfrac12 \log r\big)$ |

Table: key sizes (bits)
| security level | RSA | ECC |
| 80 bits | 1024 | 160 |
| 128 bits | 3072 | 256 |
| 256 bits | 15360 | 512 |
ECC in the real world
Key exchange, signatures, identification.
Elliptic versus genus 2 curves
Genus 2 addition on $C_1(\mathbb{F}_q): y^2 = x^5 - 3x^3 + x$; genus 1 addition on $E(\mathbb{F}_q): y^2 = x^3 - 3x + 1$.
[Figure: chord-and-tangent addition on $E$ (genus 1) next to addition on the genus 2 curve $C_1$; the line through $P$ and $Q$ meets $E$ in $\ominus R$ and $R = P \oplus Q$.]
$\#J_C(\mathbb{F}_q) \sim q^2$ while $\#E(\mathbb{F}_q) \sim q$.
Scalar multiplication
Multiplication-by-$m$ map: $P \mapsto [m]P$ on $E(\mathbb{F}_q)$, $D \mapsto [m]D$ on $J_C(\mathbb{F}_q)$.
Binary (left-to-right) double-and-add scalar multiplication:
1. Write $m$ in binary, $m = \sum_{i=0}^{\ell-1} m_i 2^i$, $m_i \in \{0, 1\}$, $m_{\ell-1} = 1$, $\ell \approx \log m$.
2. $R \leftarrow P$ (this consumes the top bit $m_{\ell-1}$).
3. For $i$ from $\ell - 2$ down to $0$:
   (a) $R \leftarrow 2R$ (doubling);
   (b) if $m_i = 1$ then $R \leftarrow R + P$ (addition).
4. Return $R$.
Cost: about $\log m$ doublings and $\tfrac12 \log m$ additions on average.
Multi-scalar multiplication
Compute $[m]P + [\ell]Q \in G \subset E(\mathbb{F}_q)$ with one shared chain of doublings.
1. Write $m$ and $\ell$ in binary, $m = \sum_{i=0}^{n-1} m_i 2^i$, $\ell = \sum_{i=0}^{n-1} \ell_i 2^i$, $m_i, \ell_i \in \{0, 1\}$, where $n$ is the bit length of the larger scalar (the shorter one is padded with leading zeros).
2. Precompute $T = P + Q$.
3. $R \leftarrow O$.
4. For $i$ from $n - 1$ down to $0$:
   (a) $R \leftarrow 2R$ (doubling);
   (b) if $m_i = \ell_i = 1$ then $R \leftarrow R + T$; else if $m_i = 1$ and $\ell_i = 0$ then $R \leftarrow R + P$; else if $m_i = 0$ and $\ell_i = 1$ then $R \leftarrow R + Q$ (at most one addition per bit).
5. Return $R$.
Cost: $n$ doublings and about $\tfrac34 n$ additions on average (three of the four bit patterns need an addition), against $2n$ doublings and $n$ additions for two separate double-and-add chains.
The GLV algorithm for scalar multiplication
Assume there is an efficient (almost free) endomorphism $\phi: G \to G$ with $\phi(P) = \lambda_\phi P$, and that $\lambda_\phi$ is large.
Decompose $m = m_0 + \lambda_\phi m_1 \bmod r$ with $\log m_0 \sim \log m_1 \sim (\log m)/2$.
Multi-exponentiation: compute $mP = m_0 P + m_1 \phi(P)$ with the multi-scalar algorithm of the previous slide, on scalars of $(\log m)/2$ bits.
This halves the number of doublings; additions go from about $\tfrac12 \log m$ to $\tfrac34 \cdot \tfrac12 \log m = \tfrac38 \log m$, at the price of one extra point $P + \phi(P)$ to precompute.
Endomorphisms: an example
$E_\alpha(\mathbb{F}_q): y^2 = x^3 + \alpha x$, $j(E_\alpha) = 1728$ (i.e. CM by $\sqrt{-1}$, $D = 4$).
Take $q \equiv 1 \bmod 4$ and let $i \in \mathbb{F}_q$ with $i^2 = -1$.
$\phi: (x, y) \mapsto (-x, iy)$ is an endomorphism: $(iy)^2 = -y^2 = (-x)^3 + \alpha(-x)$.
$\phi \circ \phi(x, y) = (x, -y)$, so $\phi^2 + \mathrm{Id} = 0$ on $E(\mathbb{F}_q)$.
Eigenvalue: $\lambda_\phi \equiv \sqrt{-1} \bmod r$; this means that for $P$ of prime order $r$, $\phi(P) = [\lambda_\phi \bmod r] P$.
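The double-and-add of slide 8, the multi-scalar multiplication of slide 9, the GLV split of slide 10 and the endomorphism $\phi(x, y) = (-x, iy)$ of this slide, worked through end to end as an added example (my code, not the slides' or the authors'). Assumptions of mine: the toy prime $p = 1013 \equiv 5 \pmod 8$, chosen so that square roots and $i = \sqrt{-1}$ have closed forms; the curve is picked among the quartic twists $y^2 = x^3 + \alpha x$, $\alpha \in \{1, 2, 4, 8\}$, as the one whose group has the largest prime-order subgroup with $r \equiv 1 \pmod 4$; the split $m = m_0 + m_1 \lambda_\phi \bmod r$ is computed by Lagrange-Gauss reduction of the lattice $\{(a, b) : a + b\lambda_\phi \equiv 0 \bmod r\}$ followed by rounding, a step the slides do not spell out. Point counting, factoring and the search for $\lambda_\phi$ are brute force and only make sense at this size.

```python
"""Added example, not the slides' code: double-and-add, Shamir's trick for
[m]P + [l]Q, the endomorphism phi(x, y) = (-x, i*y) of E: y^2 = x^3 + alpha*x
and a 2-dimensional GLV multiplication, on a toy curve over F_1013.
Assumptions (mine): p = 1013 (p = 5 mod 8 gives closed-form square roots)
and alpha taken from the quartic twists {1, 2, 4, 8}."""

p = 1013
I = pow(2, (p - 1) // 4, p)  # i^2 = -1, since 2 is a non-residue when p = 5 mod 8

def sqrt_mod(a):  # square root of a quadratic residue a; valid for p = 5 mod 8 only
    x = pow(a, (p + 3) // 8, p)
    return x if x * x % p == a % p else x * I % p

# affine group law on E_alpha; None is the point at infinity
def neg(P):
    return None if P is None else (P[0], -P[1] % p)

def add(P, Q, alpha):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0]:
        if (P[1] + Q[1]) % p == 0: return None                      # Q = -P
        lam = (3 * P[0] * P[0] + alpha) * pow(2 * P[1], -1, p) % p  # tangent
    else:
        lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p) % p     # chord
    x3 = (lam * lam - P[0] - Q[0]) % p
    return (x3, (lam * (P[0] - x3) - P[1]) % p)

def mul(m, P, alpha):  # left-to-right double-and-add (slide 8); m may be negative
    if m < 0: m, P = -m, neg(P)
    R = None
    for bit in bin(m)[2:]:
        R = add(R, R, alpha)
        if bit == "1": R = add(R, P, alpha)
    return R

def shamir(m, P, l, Q, alpha):  # [m]P + [l]Q with T = P + Q precomputed (slide 9)
    if m < 0: m, P = -m, neg(P)
    if l < 0: l, Q = -l, neg(Q)
    T, R = add(P, Q, alpha), None
    for k in range(max(m.bit_length(), l.bit_length()) - 1, -1, -1):
        R = add(R, R, alpha)
        mk, lk = (m >> k) & 1, (l >> k) & 1
        if mk and lk: R = add(R, T, alpha)
        elif mk: R = add(R, P, alpha)
        elif lk: R = add(R, Q, alpha)
    return R

def phi(P):  # (x, y) -> (-x, i*y) stays on the curve: (iy)^2 = -y^2 = (-x)^3 + alpha*(-x)
    return None if P is None else (-P[0] % p, I * P[1] % p)

def curve_order(alpha):  # #E_alpha(F_p) by Euler's criterion, fine for a toy p
    n = 1
    for x in range(p):
        f = (x * x * x + alpha * x) % p
        n += 1 if f == 0 else 2 * (pow(f, (p - 1) // 2, p) == 1)
    return n

def largest_prime_factor_1mod4(n):  # None if no prime factor is 1 mod 4
    best, d = None, 2
    while d * d <= n:
        while n % d == 0:
            if d % 4 == 1: best = d
            n //= d
        d += 1
    return n if n > 1 and n % 4 == 1 else best

def setup():  # twist with the largest prime-order subgroup r = 1 mod 4, and a P of order r
    r, alpha, n = max((largest_prime_factor_1mod4(n) or 0, a, n)
                      for a in (1, 2, 4, 8) for n in [curve_order(a)])
    for x in range(1, p):
        f = (x * x * x + alpha * x) % p
        if f and pow(f, (p - 1) // 2, p) == 1:
            P = mul(n // r, (x, sqrt_mod(f)), alpha)  # clear the cofactor
            if P is not None: return alpha, r, P

def eigenvalue(P, r, alpha):  # lambda with phi(P) = [lambda]P, brute force over small r
    return next(l for l in range(r) if mul(l, P, alpha) == phi(P))

def round_div(a, b):  # nearest integer to a/b
    if b < 0: a, b = -a, -b
    return (2 * a + b) // (2 * b)

def glv_decompose(m, lam, r):
    """m = m0 + m1*lambda (mod r) with |m_i| <= sqrt(r): Lagrange-Gauss reduce the
    lattice {(a, b): a + b*lambda = 0 mod r}, then round (m, 0) onto it."""
    b1, b2 = (r, 0), (-lam, 1)
    while True:
        if b1[0] ** 2 + b1[1] ** 2 > b2[0] ** 2 + b2[1] ** 2: b1, b2 = b2, b1
        mu = round_div(b1[0] * b2[0] + b1[1] * b2[1], b1[0] ** 2 + b1[1] ** 2)
        if mu == 0: break
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
    det = b1[0] * b2[1] - b1[1] * b2[0]
    c1, c2 = round_div(m * b2[1], det), round_div(-m * b1[1], det)
    return m - c1 * b1[0] - c2 * b2[0], -c1 * b1[1] - c2 * b2[1]

def demo(m=123456):  # plain double-and-add versus [m0]P + [m1]phi(P)
    alpha, r, P = setup()
    lam = eigenvalue(P, r, alpha)
    m0, m1 = glv_decompose(m % r, lam, r)
    glv = shamir(m0, P, m1, phi(P), alpha)
    return dict(alpha=alpha, r=r, P=P, lam=lam, m0=m0, m1=m1, naive=mul(m, P, alpha), glv=glv)
```

demo() returns the eigenvalue, the two half-size scalars and both results; with r around 100 the halves $m_0, m_1$ are bounded by $\sqrt{r}$ in absolute value, which is the $(\log m)/2$ of the slide in miniature, and the lattice step is exactly what a real GLV implementation precomputes once per curve (the reduced basis depends only on $r$ and $\lambda_\phi$, not on $m$).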
Endomorphism: the Frobenius map
For $E/\mathbb{F}_q$, the Frobenius map sends $(x, y) \in E(\mathbb{F}_{q^n})$ to $(x^q, y^q) \in E(\mathbb{F}_{q^n})$.
Why is it an endomorphism? $E: y^2 = x^3 + a_4 x + a_6$ with $a_4, a_6 \in \mathbb{F}_q$, so raising both sides of the equation to the $q$-th power preserves it.
Not directly useful in this way (it acts trivially on $E(\mathbb{F}_q)$); used with twisted curves (Galbraith-Lin-Scott, GLS curves).
Fast endomorphisms on curves with small-discriminant complex multiplication:
$j(E) = 1728, 8000, -3375 \leftrightarrow \phi = \sqrt{-1}, \sqrt{-2}, \frac{1 + \sqrt{-7}}{2}$;
$j(E) = 0, 54000, -32768 \leftrightarrow \phi = \frac{-1 + \sqrt{-3}}{2}, \sqrt{-3}, \frac{1 + \sqrt{-11}}{2}$.
Galbraith-Lin-Scott (GLS) curves (2009): defined over $\mathbb{F}_{q^2}$ instead of $\mathbb{F}_q$, with $j \in \mathbb{F}_q$; one endomorphism $\phi$ with $\phi^2 = -\mathrm{Id}$ on $E(\mathbb{F}_{q^2})$, but still $j \in \mathbb{F}_q$.
These are all the fast endomorphisms available.
Implementation
Fast algorithms for scalar multiplication: GLV.
Fast group law computation.
Fast modular arithmetic: special primes (e.g. $p = 2^{127} - 1$).
Example: no curve $E/\mathbb{F}_{q^2}$ with $p = 2^{127} - 1$ and a GLV decomposition of dimension 4.
Challenge: the fastest implementation for a given security level.
Our contribution
Four-dimensional GLV via the Weil restriction. Joint work with Aurore Guillevic.
GLV friendly curve zoo
| Genus 1 | Genus 2 |
| GLV 2001: complex multiplication by $\sqrt{-1}$, $\sqrt{-2}$, $\frac{1 + \sqrt{-7}}{2}$, $\sqrt{-3}$, $\frac{1 + \sqrt{-11}}{2}$ | Mestre, Kohel-Smith, Takashima: explicit real multiplication by $\sqrt{2}$, $\sqrt{5}$ |
| Galbraith-Lin-Scott 2009: curves over $\mathbb{F}_{q^2}$, $j \in \mathbb{F}_q$ | 4-dim.: Buhler-Koblitz, Furukawa-Takahashi curves |
| Longa-Sica 2012: 4-dim. GLV+GLS | This work: 4-dim. GLV on Satoh / Satoh-Freeman curves (2009) |
| This work: 4-dim. GLV on two families of curves over $\mathbb{F}_{q^2}$, but $j \in \mathbb{F}_{q^2}$ | |
4-GLV, ..., $2^i$-GLV: a time-memory trade-off
We would like a 4-dimensional decomposition of $m$ when computing $mP$.
Two endomorphisms $\phi, \psi$ with eigenvalues $\lambda_\phi, \lambda_\psi$; decompose $m \equiv m_1 + m_2 \lambda_\phi + m_3 \lambda_\psi + m_4 \lambda_\phi \lambda_\psi \bmod r$ with $\log m_i \sim \tfrac14 \log m$.
Store $P, \phi(P), \psi(P), \phi\psi(P)$ and all their sums $\Rightarrow$ 16 points.
4-dimensional multi-exponentiation $\to$ save $\tfrac34 \log m$ doublings and $\sim \tfrac{17}{32} \log m$ additions.
Dimension 4: Longa and Sica 2012
The curves are ordinary, i.e. the endomorphisms form a lattice of dimension 2 with basis $[1, \phi]$.
We need $\psi$ such that $\lambda_\psi \equiv \alpha + \beta \lambda_\phi \bmod r$ with $\alpha, \beta > r^{1/4}$ to obtain a 4-dimensional decomposition.
How to construct an efficiently computable $\psi$?
Longa-Sica curves (2012): consider GLS curves with small $D$ $\to$ two endomorphisms on the points over $\mathbb{F}_{q^2}$: $\psi$ with $\psi^2 + 1 = 0$ and $\phi$ with $\phi^2 + D = 0$.
Satoh's curves
[Diagram: $J_{C_1}(\mathbb{F}_{q^8}) \xrightarrow{I} E_c \times E_c(\mathbb{F}_{q^8})$ with the dual $\hat{I}$ going back; below them the rational subgroups $J_{C_1}(\mathbb{F}_q)$ and $E_c \times E_c(\mathbb{F}_{q^2})$.]
$C_1: y^2 = x^5 + ax^3 + bx$, $a, b \in \mathbb{F}_q$.
$J_{C_1}$ is the Weil restriction of $E_c/\mathbb{F}_{q^2}: y^2 = x^3 + 27(3c - 10)x + 108(14 - 9c)$, $c = a/\sqrt{b}$.
Satoh's Jacobians
[Same diagram as on the previous slide, with a divisor $D = 2D'$ mapped to $E_c$ and an arrow $I_2$ leaving $E_c$, marked "?".]
We start by computing a degree 2 isogeny (i.e. a map between curves) $I_2$ from $E_c$.
4-dim GLV on elliptic curves
We computed with Vélu's formulas this 2-isogeny $I_2: E_c \to E_{-c}$:
$(x, y) \mapsto \left( -\frac{x}{2} - \frac{162 + 81c}{2(x - 12)},\ -\frac{y}{2\sqrt{-2}} \left( 1 - \frac{162 + 81c}{(x - 12)^2} \right) \right)$
Its kernel is generated by the 2-torsion point $(12, 0)$: $x = 12$ is a root of $x^3 + 27(3c - 10)x + 108(14 - 9c)$ for every $c$, and $162 + 81c = 3 \cdot 12^2 + 27(3c - 10)$ is the Vélu constant of that point.
$E_c/\mathbb{F}_{q^2}: y^2 = x^3 + 27(3c - 10)x + 108(14 - 9c)$
$E_{-c}/\mathbb{F}_{q^2}: y^2 = x^3 + 27(-3c - 10)x + 108(14 + 9c)$
In $\mathbb{F}_{q^2}$, $\pi_q(c) = -c$, so the Frobenius map $\pi_q$ sends $E_{-c}$ back to $E_c$.
[Diagram: $E_c \xrightarrow{I_2} E_{-c} \xrightarrow{\pi_q} E_c$.]
$\phi = \pi_q \circ I_2$ is an endomorphism of $E_c$ with $\phi \equiv [\sqrt{\pm 2}]$, i.e. $\phi^2 = [\pm 2]$.
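The 2-isogeny and the Frobenius composition of this slide, checked on a toy instance as an added example (my code, not the authors'). Assumptions of mine: $q = 11$, $\mathbb{F}_{q^2} = \mathbb{F}_{11}[i]/(i^2 + 1)$ (valid because $11 \equiv 3 \pmod 4$), and $c = a/\sqrt{b}$ with $a = 2$, $b = -1$, so that $\sqrt{b} = i$ and $\pi_q(c) = -c$ as the slide requires. The check enumerates every point of $E_c(\mathbb{F}_{121})$ and verifies that $I_2$ lands on $E_{-c}$, that $\pi_q$ brings the image back to $E_c$, and that $\phi^2$ equals $[2]$ or $[-2]$ with one sign common to all points. On this instance the sign comes out as $-2$; by my own leading-coefficient computation it is $-2$ exactly when $\sqrt{-2} \in \mathbb{F}_q$ (as here, $3^2 \equiv -2 \bmod 11$) and $+2$ otherwise, which is the $\pm$ on the slide.

```python
"""Added example, not the authors' code: on a toy instance, check that
phi = pi_q o I_2 sends E_c(F_{q^2}) to itself and that phi^2 = [+2] or [-2].
Assumptions (mine): q = 11 and F_{q^2} = F_11[i]/(i^2 + 1) (11 = 3 mod 4),
c = a/sqrt(b) with a = 2 and b = -1, so sqrt(b) = i and c^q = -c."""

q = 11
ZERO, ONE = (0, 0), (1, 0)

# F_{q^2} elements are pairs (u0, u1) standing for u0 + u1*i
def fadd(u, v): return ((u[0] + v[0]) % q, (u[1] + v[1]) % q)
def fsub(u, v): return ((u[0] - v[0]) % q, (u[1] - v[1]) % q)
def fmul(u, v): return ((u[0] * v[0] - u[1] * v[1]) % q, (u[0] * v[1] + u[1] * v[0]) % q)
def fq(k): return (k % q, 0)   # embed an integer into F_{q^2}
def finv(u):                   # 1/u = conj(u) / norm(u), with norm(u) in F_q
    n = pow(u[0] * u[0] + u[1] * u[1], q - 2, q)
    return (u[0] * n % q, -u[1] * n % q)
def fpow(u, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, u)
        u, e = fmul(u, u), e >> 1
    return r
def frob(u): return fpow(u, q)  # pi_q: u -> u^q, the F_q-Frobenius

def coeffs(cc):  # (A, B) of E_cc: y^2 = x^3 + 27(3cc - 10)x + 108(14 - 9cc)
    return (fmul(fq(27), fsub(fmul(fq(3), cc), fq(10))),
            fmul(fq(108), fsub(fq(14), fmul(fq(9), cc))))

def on_curve(P, E):
    if P is None: return True
    (A, B), (x, y) = E, P
    return fmul(y, y) == fadd(fadd(fmul(fmul(x, x), x), fmul(A, x)), B)

def neg(P): return None if P is None else (P[0], fsub(ZERO, P[1]))

def double(P, E):  # affine doubling; None is the point at infinity
    if P is None or P[1] == ZERO: return None
    x, y = P
    lam = fmul(fadd(fmul(fq(3), fmul(x, x)), E[0]), finv(fmul(fq(2), y)))
    x3 = fsub(fmul(lam, lam), fmul(fq(2), x))
    return (x3, fsub(fmul(lam, fsub(x, x3)), y))

FIELD = [(u, v) for u in range(q) for v in range(q)]
S = next(s for s in FIELD if fmul(s, s) == fq(-2))  # a square root of -2 in F_{q^2}
X0 = fq(12)  # (12, 0) is a 2-torsion point of every E_cc: 12^3 + A*12 + B = 0

def I2(P, cc):
    """Velu's 2-isogeny E_cc -> E_{-cc} with kernel {O, (12, 0)}, followed by the
    isomorphism (X, Y) -> (X/u^2, Y/u^3), u = sqrt(-2), whose image is E_{-cc}."""
    if P is None or P[0] == X0: return None
    x, y = P
    t = fadd(fq(162), fmul(fq(81), cc))  # t = 3*12^2 + A(cc), Velu's constant
    d = finv(fsub(x, X0))
    X = fadd(x, fmul(t, d))
    Y = fmul(y, fsub(ONE, fmul(t, fmul(d, d))))
    return (fmul(X, finv(fq(-2))), fmul(Y, finv(fmul(fq(-2), S))))

def phi(P, cc):  # pi_q o I_2; pi_q maps E_{-cc} back to E_cc because pi_q(cc) = -cc
    Q = I2(P, cc)
    return None if Q is None else (frob(Q[0]), frob(Q[1]))

def check(a=2):
    cc = fmul(fq(a), finv((0, 1)))       # c = a / sqrt(-1) = a / i
    assert frob(cc) == fsub(ZERO, cc)    # pi_q(c) = -c, as required on the slide
    Ec, Emc = coeffs(cc), coeffs(fsub(ZERO, cc))
    signs, count = set(), 0
    for P in ((x, y) for x in FIELD for y in FIELD):
        if not on_curve(P, Ec): continue
        count += 1
        if not on_curve(I2(P, cc), Emc): return {"ok": False, "where": "I2"}
        R = phi(P, cc)
        if not on_curve(R, Ec): return {"ok": False, "where": "phi"}
        RR, twoP = phi(R, cc), double(P, Ec)
        if RR != twoP and RR != neg(twoP): return {"ok": False, "where": "phi^2"}
        if twoP is not None and twoP[1] != ZERO:  # 2P != -2P, so the sign is visible
            signs.add(1 if RR == twoP else -1)
    return {"ok": True, "points": count, "sign": signs.pop() if len(signs) == 1 else None}
```

check() returns the number of affine points of $E_c(\mathbb{F}_{121})$ and the common sign $\varepsilon$ with $\phi^2 = [\varepsilon 2]$; a single sign for all points is what makes $\phi$ usable as a GLV endomorphism, since its eigenvalue on a prime-order subgroup is then a square root of $\varepsilon 2$ modulo $r$.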