
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert - PowerPoint PPT Presentation



  1. Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Summer School ECC 2011 – Nancy, September 12-16, 2011

  2. Part 2 Elliptic curve arithmetic 1/41

  3. The two facets of an elliptic curve
  An elliptic curve is:
  ◮ a geometrical object: a nonsingular curve given by an equation $y^2 = f(x)$, with $\deg f \in \{3, 4\}$
  ◮ an algebraic object: one can "add" stuff! This composition operation has a nice geometrical interpretation.
  2/41

  4. Adding points on an elliptic curve
  [figure: the points $P$, $Q$, $P + Q$ and $2(P + Q)$ on the curve]
  3/41

  5. Weierstrass model
  ◮ An elliptic curve over a field $K$ of characteristic $\neq 2, 3$ is given by an equation of the form
    $E : y^2 = x^3 + ax + b$, with $a, b \in K$ (1)
    and $\Delta = -16(4a^3 + 27b^2) \neq 0$
  ◮ The set of $K$-rational points of an elliptic curve is
    $E(K) = \{(x, y) \in K \times K ; y^2 = x^3 + ax + b\} \cup \{\mathcal{O}\}$
  ◮ In the general case, we consider the long Weierstrass form
    $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, where $a_1, a_2, a_3, a_4, a_6 \in K$.
  4/41

  6. Algebraic description of the addition operation
  Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points on $E : y^2 = x^3 + ax + b$.
  The slope of the line $(P_1, P_2)$ is given by
    $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ if $P_1 \neq \pm P_2$,
    $\lambda = \frac{3x_1^2 + a}{2y_1}$ if $P_1 = P_2$.
  The sum of $P_1$ and $P_2$ is the point $P_1 + P_2 = (\lambda^2 - x_1 - x_2,\ \lambda(x_1 - x_3) - y_1)$.
  5/41

  7. Properties of the addition operation
  For all $P, Q, R \in E$, the addition law has the following properties:
  ◮ $P + \mathcal{O} = \mathcal{O} + P = P$
  ◮ $P + (-P) = \mathcal{O}$
  ◮ $(P + Q) + R = P + (Q + R)$
  ◮ $P + Q = Q + P$
  Thus, $(E, +)$ forms an Abelian group, with the properties required for group-based cryptography:
  ◮ the group operation is easy to implement (basic algebraic operations)
  ◮ if $K$ is a well chosen finite field, the computation of discrete logarithms is hard (much harder than over $\mathbb{F}_q^*$)¹
  ¹ Vanessa's lecture
  6/41

  8. Elliptic curve over a finite field
  [figure: the points of $E : y^2 = x^3 - 5x + 8$ defined over $\mathbb{F}_{37}$, with $P$, $Q$, $-R$ and $R$ marked; both axes run from 0 to 36]
  All arithmetic below is in $\mathbb{F}_{37}$:
    $P = (6, 3)$
    $Q = (9, 10)$
    $\lambda = 7/3 = 27$
    $x_3 = 27^2 - 6 - 9 = 11$
    $y_3 = 27(6 - 11) - 3 = 10$
    $R = (11, 10)$
  7/41

  9. What finite field should we use? Efficiency considerations
  ◮ Prime fields $\mathbb{F}_p$, where $p$ is a nice prime (software implementations)
    Ex: $M_{521} = 2^{521} - 1$, $2^{255} - 19$
  ◮ Binary fields $\mathbb{F}_{2^m} = \mathbb{F}_2[X]/(f(X))$, where $f(X)$ is a nice irreducible polynomial of degree $m$ (hardware implementations)
    Ex: trinomials, pentanomials, all-one polynomials
  ◮ Alternatives: $\mathbb{F}_{p^m}$ where both $p$ and the irreducible polynomial have nice properties
    Ex: optimal extension fields
  8/41

  10. What finite field should we use? Security considerations
  For cryptographic usage, an elliptic curve $E$ defined over $\mathbb{F}_q$, $q = p^m$, should satisfy:
  ◮ $\#E(\mathbb{F}_q) = h \times n$
  ◮ $n$ is prime, $h$ is small (ideally $h = 1$)
  ◮ $n > 2^{160}$ to avoid BSGS/Pollard $\rho$ attacks in $O(\sqrt{n})$
  ◮ $n \neq p$ to avoid the anomalous attack
  ◮ $q^t \not\equiv 1 \pmod{n}$ for all $t \leq 20$ to avoid the MOV attack
  ◮ $m$ is prime to avoid Weil descent attacks
  9/41

  11. How big should $\mathbb{F}_q$ be?
  Hasse-Weil bounds: $|\#E(\mathbb{F}_q) - (q + 1)| \leq 2\sqrt{q}$ (so $\#E(\mathbb{F}_q) \approx q$)
  Best known attacks: $O(\sqrt{N})$
  [figure: plot with y-axis ticks 0, 25, 50, 75, 100, 125 and x-axis $n$ from 0 to 3,000]
  10/41
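As an added example that is not part of the slides, the following Python script brute-forces $\#E(\mathbb{F}_p)$ for the toy curve of slide 8 and runs the checks of slides 10 and 11 against it. Brute-force counting, the `check_curve` helper, and the choice of $n$ as the largest prime factor of $\#E$ are my assumptions (the deck does not say how $n$ is picked); the field is a prime field, so $m = 1$ and the Weil-descent criterion does not apply. The toy curve is expected to fail the size and MOV criteria, which is exactly what a practitioner wants such a check to report.

```python
# Added example, not from the slides: point counting and the curve-selection
# checks of slides 10-11, run on the toy curve of slide 8 (y^2 = x^3 - 5x + 8 over F_37).
# Brute force is fine at this size; real curves are counted with Schoof/SEA.

def legendre(a, p):
    """Euler's criterion for an odd prime p: 1 if a is a nonzero square mod p, -1 if not, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + ax + b: each x contributes 1 + legendre(f(x)) points, plus O."""
    return 1 + sum(1 + legendre(x ** 3 + a * x + b, p) for x in range(p))

def hasse_ok(count, q):
    """Hasse-Weil: |#E(F_q) - (q + 1)| <= 2 sqrt(q), squared so the test stays in integers."""
    return (count - (q + 1)) ** 2 <= 4 * q

def factor(n):
    """Trial division (toy sizes only); prime factors with multiplicity, ascending."""
    fs, d = [], 2
    while d * d <= n:
        while n % d == 0:
            fs.append(d)
            n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs

def is_prime(n):
    return n > 1 and factor(n) == [n]

def mov_ok(q, n, bound=20):
    """q^t != 1 (mod n) for all t <= bound, i.e. the embedding degree is above the bound."""
    return all(pow(q, t, n) != 1 for t in range(1, bound + 1))

def check_curve(a, b, p, min_bits=160):
    """Apply the slide-10 criteria to E: y^2 = x^3 + ax + b over the prime field F_p (m = 1).
    Assumption: n is the largest prime factor of #E and h = #E / n."""
    q = p
    N = count_points(a, b, p)
    n = max(factor(N))
    h = N // n
    return {
        "#E": N,
        "h": h,
        "n": n,
        "hasse": hasse_ok(N, q),
        "n_prime": is_prime(n),
        "n_large": n > 2 ** min_bits,   # n > 2^160 against BSGS / Pollard rho
        "not_anomalous": n != p,        # n != p against the anomalous attack
        "mov": mov_ok(q, n),            # q^t != 1 (mod n) for t <= 20 against MOV
    }

if __name__ == "__main__":
    # Constructed input: the toy curve of slide 8.
    for name, value in check_curve(-5, 8, 37).items():
        print(f"{name:>14}: {value}")
```

On this curve the script finds $\#E = 45 = 9 \times 5$, so the Hasse bound holds but $n = 5$ is far too small and $37^4 \equiv 1 \pmod 5$ already fails the MOV test at $t = 4$; the same code applied to a production-size $p$ only needs `count_points` replaced by a real point-counting routine.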

  12. Cost estimation
  We want to compute the group operation as fast as possible (*)
  A not-too-bad estimation of the time can be obtained by counting the number of field operations of each type:
  ◮ # field additions/subtractions ($A$)
  ◮ # field multiplications ($M$)
  ◮ # field squarings ($S$)
  ◮ # field inversions ($I$)
  ◮ # "small" field multiplications (e.g. by $a$)
  Estimates:
  ◮ $A \ll M$
  ◮ Over $\mathbb{F}_p$: $S \approx 0.8M$, $I \gg M$ ($I > 30M$)
  ◮ Over $\mathbb{F}_{2^m}$: $S \ll M$ (negligible)
  11/41

  13. Cost of the group law for $E/K : y^2 = x^3 + ax + b$
  ◮ Identity: $P + \mathcal{O} = P$ and $P + (-P) = \mathcal{O}$ for all $P \in E(K)$
  ◮ Point negation: Let $P = (x_1, y_1) \in E(K)$. Then $-P = (x_1, -y_1)$
  ◮ Point addition: Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$ with $P \neq \pm Q$. Then $P + Q = (x_3, y_3)$, with (1I + 2M + 1S)
    $x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2$, $y_3 = \frac{y_2 - y_1}{x_2 - x_1}(x_1 - x_3) - y_1$
  ◮ Point doubling: If $P = (x_1, y_1)$, where $P \neq -P$. Then $[2]P = (x_3, y_3)$ with (1I + 2M + 2S)
    $x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1$, $y_3 = \frac{3x_1^2 + a}{2y_1}(x_1 - x_3) - y_1$
  12/41

  14. Projective coordinates
  Let $c, d > 0$. Define an equivalence relation on $K^3 \setminus \{(0, 0, 0)\}$:
    $(X, Y, Z) \sim (\lambda^c X, \lambda^d Y, \lambda Z)$ for all $\lambda \in K^*$
  A projective point, denoted $(X : Y : Z)$, is a class of $K^3 \setminus \{(0, 0, 0)\}$ modulo the equivalence relation $\sim$.
  The set of projective points is called the 2-dimensional projective space over $K$, denoted $\mathbb{P}^2(K)$.
  $\mathbb{P}^2(K)^* = \{(X : Y : Z) : X, Y, Z \in K, Z \neq 0\}$
  $\mathbb{A}^2(K) \hookrightarrow \mathbb{P}^2(K)^*$, $(x, y) \mapsto (X/Z^c : Y/Z^d : 1)$, i.e. $x = X/Z^c$ and $y = Y/Z^d$
  13/41

  15. The points at infinity
  The set $\mathbb{P}^2(K)_0 = \{(X : Y : Z) : X, Y, Z \in K, Z = 0\}$ is called the line at infinity.
  The points at infinity on $E$ are the points of $\mathbb{P}^2(K)_0$ which lie on $E$.
  Projective form of the Weierstrass equation ($c = d = 1$):
    $Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3$
  For $Z = 0$, the point $(X : Y : Z)$ must satisfy $0 = X^3 + 0$, which implies $X = 0$, and $Y \neq 0$ (since $(0, 0, 0) \notin \mathbb{P}^2(K)$).
  $\mathcal{O} = (0 : 1 : 0)$ is the only point at infinity on $E$.
  14/41

  16. Jacobian projective coordinates
  Let $c = 2$ and $d = 3$. The projective point $(X : Y : Z)$, $Z \neq 0$, corresponds to the affine point $(X/Z^2, Y/Z^3)$.
  Projective form of the Weierstrass equation: replace $x$ by $X/Z^2$ and $y$ by $Y/Z^3$ in $y^2 = x^3 + ax + b$ and clear denominators:
    $Y^2 = X^3 + aXZ^4 + bZ^6$
  The point at infinity corresponds to $\mathcal{O} = (1 : 1 : 0)$.
  The negative of $(X : Y : Z)$ is $(X : -Y : Z)$.
  15/41

  17. Inversion-free formula
  Let $P = (X_1 : Y_1 : Z_1)$ with $P \neq -P$. Replacing $x_1$ by $X_1/Z_1^2$ and $y_1$ by $Y_1/Z_1^3$ in the affine doubling formula leads to $[2]P = (X_3' : Y_3' : 1)$, with
    $X_3' = \frac{(3X_1^2 + aZ_1^4)^2 - 8X_1Y_1^2}{4Y_1^2 Z_1^2}$,
    $Y_3' = \frac{3X_1^2 + aZ_1^4}{2Y_1 Z_1}\left(\frac{X_1}{Z_1^2} - X_3'\right) - \frac{Y_1}{Z_1^3}$
  Use the equivalence relation to clear denominators. Set $X_3 = X_3' Z_3^2$ and $Y_3 = Y_3' Z_3^3$ to get $(X_3 : Y_3 : Z_3)$:
    $X_3 = (3X_1^2 + aZ_1^4)^2 - 8X_1Y_1^2$
    $Y_3 = (3X_1^2 + aZ_1^4)(4X_1Y_1^2 - X_3) - 8Y_1^4$
    $Z_3 = 2Y_1Z_1$
  Implement!
  16/41
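Taking the "Implement!" at its word, here is an added Python example that is not from the slides: the Jacobian doubling formula above, with the two products $4X_1Y_1^2$ and $2Y_1Z_1$ traded for squarings via $2uv = (u+v)^2 - u^2 - v^2$ (the trick of the next slide), the field multiplications and squarings counted as slide 12 suggests, and the result converted back and compared with the affine doubling of slide 13 on the toy curve of slide 8. The `Ops` counter, the function names and the scaled representative used as a second input are my assumptions.

```python
# Added example, not from the slides: inversion-free doubling in Jacobian coordinates
# on the toy curve of slide 8 (y^2 = x^3 - 5x + 8 over F_37), with an M/S operation count.
P_MOD = 37
A = -5 % P_MOD

class Ops:
    """Counts field multiplications (M) and squarings (S); additions are ignored since A << M."""
    def __init__(self):
        self.M = 0
        self.S = 0

    def mul(self, u, v):
        self.M += 1
        return u * v % P_MOD

    def sqr(self, u):
        self.S += 1
        return u * u % P_MOD

def jacobian_double(X1, Y1, Z1, ops):
    """[2](X1:Y1:Z1) from slide 17: X3 = M^2 - 8 X1 Y1^2, Y3 = M (4 X1 Y1^2 - X3) - 8 Y1^4,
    Z3 = 2 Y1 Z1, with M = 3 X1^2 + a Z1^4. Multiplying by 2, 3, 8 and by a counts as
    additions / small multiplications, so the cost is 1M + 8S plus one small multiplication."""
    XX, YY, ZZ = ops.sqr(X1), ops.sqr(Y1), ops.sqr(Z1)
    YYYY, ZZZZ = ops.sqr(YY), ops.sqr(ZZ)
    S = 2 * (ops.sqr(X1 + YY) - XX - YYYY) % P_MOD      # 4 X1 Y1^2, one squaring instead of a product
    M = (3 * XX + A * ZZZZ) % P_MOD                      # 3 X1^2 + a Z1^4
    X3 = (ops.sqr(M) - 2 * S) % P_MOD
    Y3 = (ops.mul(M, S - X3) - 8 * YYYY) % P_MOD
    Z3 = (ops.sqr(Y1 + Z1) - YY - ZZ) % P_MOD            # 2 Y1 Z1, again a squaring
    return X3, Y3, Z3

def to_affine(X, Y, Z):
    """(X:Y:Z) -> (X/Z^2, Y/Z^3): the single inversion is paid here, once, at the end."""
    if Z == 0:
        return None                                      # the point at infinity
    zi = pow(Z, -1, P_MOD)
    zi2 = zi * zi % P_MOD
    return X * zi2 % P_MOD, Y * zi2 * zi % P_MOD

def affine_double(x1, y1):
    """Reference: the affine doubling of slide 13 (1I + 2M + 2S)."""
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - 2 * x1) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def double_both_ways(x1, y1):
    """Double the affine point (x1, y1) via Jacobian coordinates (Z1 = 1) and via the affine
    formula; returns both results and the (M, S) count of the Jacobian doubling."""
    ops = Ops()
    jac = to_affine(*jacobian_double(x1, y1, 1, ops))
    return jac, affine_double(x1, y1), (ops.M, ops.S)

if __name__ == "__main__":
    # Constructed input: P = (6, 3) from slide 8.
    print(double_both_ways(6, 3))
```

For $P = (6, 3)$ both routes give $[2]P = (35, 11)$ and the Jacobian doubling costs 1M + 8S; feeding the equivalent representative $(24 : 24 : 2)$ of the same class (slide 14, $\lambda = 2$) gives the same affine point, which is a cheap sanity check that the denominators were cleared consistently.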

  18. Common implementation techniques
  ◮ Common-subexpression elimination
  ◮ Trade multiplications for squarings: $2XY = (X + Y)^2 - X^2 - Y^2$
  ◮ Curve parameters: if $a = -3$, $3X_1^2 + aZ_1^4$ can be computed as a difference of two squares
  ◮ Add redundancy:
    Modified Jacobian: $(X : Y : Z : T)$, $x = X/Z^2$, $y = Y/Z^3$, $T = aZ^4$
    Chudnovsky coordinates: $(X : Y : Z : Z^2 : Z^3)$, $x = X/Z^2$, $y = Y/Z^3$
  ◮ Mixed formula ($Z = 1$)
  ◮ Readdition
  ◮ co-$Z$ formula
  ◮ etc.
  http://www.hyperelliptic.org/EFD/
  17/41

  19. Main computations
  Scalar multiplication is the main operation: $k, P \longrightarrow [k]P = P + \cdots + P$ ($k$ times)
  Various situations occur:
    $[k \mid r]P$ : first step of ECDH
    $[r]P$ : ECDSA signature
    $[k \mid r]Q$ : second step of ECDH
    $[r]Q$ : ECIES encryption
    $[u]P + [u']Q$ : ECDSA verification
  $k$: known scalar (domain parameter, private key)
  $r$: generated online at random
  $u$: unknown in advance, result of online computations
  $P$: point known in advance (domain parameter, private key)
  $Q$: point unknown in advance
  18/41

  20. Addition chains
  An addition chain computing $k$ is a sequence $1 = u_0 < \cdots < u_n = k$ such that, for all $m \geq 1$, $u_m = u_i + u_j$ with $0 \leq i \leq j < m$.
  Finding an optimal addition chain is very difficult, but good heuristics exist to get reasonably short addition chains:
    $[k]P = [2]([\lfloor k/2 \rfloor]P)$ if $k \equiv 0 \pmod 2$
    $[k]P = [2]([\lfloor k/2 \rfloor]P) + P$ if $k \equiv 1 \pmod 2$
  Example: $289 : 1, 2, 4, 8, 9, 18, 36, 72, 144, 288, 289$
  When the scalar $k$ is known in advance, "short" addition chains can be computed offline.
  When the scalar $k$ is generated online at random, it may be generated directly in a non-standard, convenient representation (be careful!)
  19/41

  21. Double-and-add algorithms
  Input: $P \in E(K)$, $k = (k_{n-1}, \ldots, k_0)_2$, with $k_{n-1} = 1$
  Output: $[k]P$
  Right-to-left (RL):
    1: $R \leftarrow \mathcal{O}$
    2: For $i = 0$ to $n - 1$ do
    3:   If $k_i = 1$ then
    4:     $R \leftarrow R + P$
    5:   $P \leftarrow [2]P$
    6: return $R$
  Left-to-right (LR):
    1: $R \leftarrow P$
    2: For $i = n - 2$ downto $0$ do
    3:   $R \leftarrow [2]R$
    4:   If $k_i = 1$ then
    5:     $R \leftarrow R + P$
    6: return $R$
  RL: $[k]P = [k_0]P + [2k_1]P + [2^2 k_2]P + \cdots + [2^{n-1} k_{n-1}]P$
  LR: $[k]P = [2]([\lfloor k/2 \rfloor]P) + [k_0]P = [2]([2]([\lfloor k/4 \rfloor]P) + [k_1]P) + [k_0]P = [2]([2]([2](\ldots$
  Average cost: $(n - 1)$ DBL $+ (n/2)$ ADD (mixed additions for LR)
  20/41
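As an added example that is not part of the slides, the Python below implements the affine group law of slides 6 and 13 (checked against the worked addition $P + Q = (11, 10)$ of slide 8), the binary addition chain of slide 20, and both double-and-add variants of this slide with DBL/ADD counters so the stated cost can be compared with what actually happens. Everything is on the toy curve $y^2 = x^3 - 5x + 8$ over $\mathbb{F}_{37}$; the helper names, the `O = None` encoding of the point at infinity, and the observation that the slide-8 point $P$ has order 15 on this curve (found by running the code, not stated in the deck) are my own.

```python
# Added example, not from the slides: affine group law plus right-to-left and
# left-to-right double-and-add on the toy curve of slide 8 (y^2 = x^3 - 5x + 8 over F_37).
P_MOD = 37
A, B = -5 % P_MOD, 8
O = None                                   # the point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    if pt is O:
        return O
    x, y = pt
    return (x, -y % P_MOD)

def add(p1, p2):
    """P1 + P2 with the chord slope (P1 != +-P2) or tangent slope (P1 == P2); one inversion each."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                           # P + (-P) = O; also catches [2]P when y1 = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult_rl(k, pt, ops=None):
    """Right-to-left: scan k_0 .. k_{n-1}, doubling the running point P at every step."""
    r = O
    while k > 0:
        if k & 1:
            r = add(r, pt)
            if ops is not None:
                ops["ADD"] += 1
        pt = add(pt, pt)
        if ops is not None:
            ops["DBL"] += 1
        k >>= 1
    return r

def scalar_mult_lr(k, pt, ops=None):
    """Left-to-right: start from the top bit k_{n-1} = 1, then double and conditionally add P."""
    if k == 0:
        return O
    r = pt
    for i in range(k.bit_length() - 2, -1, -1):
        r = add(r, r)
        if ops is not None:
            ops["DBL"] += 1
        if (k >> i) & 1:
            r = add(r, pt)
            if ops is not None:
                ops["ADD"] += 1
    return r

def binary_addition_chain(k):
    """The chain behind LR: u -> 2u, then 2u + 1 when the next bit of k is set (slide 20)."""
    chain = [1]
    for i in range(k.bit_length() - 2, -1, -1):
        chain.append(2 * chain[-1])
        if (k >> i) & 1:
            chain.append(chain[-1] + 1)
    return chain

def mult_by_chain(chain, pt):
    """Evaluate [k]P along an addition chain, reusing every [u_i]P computed so far."""
    known = {1: pt}
    for u in chain[1:]:
        i = next(i for i in known if u - i in known)     # u = u_i + u_j with both already known
        known[u] = add(known[i], known[u - i])
    return known[chain[-1]]

def cost(fn, k, pt):
    """(DBL, ADD) counts of one scalar multiplication."""
    ops = {"DBL": 0, "ADD": 0}
    fn(k, pt, ops)
    return ops["DBL"], ops["ADD"]

if __name__ == "__main__":
    # Constructed input: the points of slide 8.
    P, Q = (6, 3), (9, 10)
    print(add(P, Q), scalar_mult_lr(289, P), cost(scalar_mult_lr, 289, P), binary_addition_chain(289))
```

For $k = 289$ ($n = 9$ bits, three of them set) LR performs 8 DBL and 2 ADD while RL performs 9 DBL and 3 ADD, matching the $(n-1)$ DBL of the slide; since $P$ has order 15 here, $[289]P = [4]P = (8, 6)$ and $[15]P = \mathcal{O}$ are handy end-to-end checks.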
