Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert - - PowerPoint PPT Presentation



SLIDE 1

Efficient Finite Field and Elliptic Curve Arithmetic

Laurent Imbert

CNRS, LIRMM, Université Montpellier 2

Summer School ECC 2011 – Nancy, September 12-16, 2011

SLIDE 2

Part 2 Elliptic curve arithmetic

1/41

SLIDE 3

The two facets of an elliptic curve

An elliptic curve is:

◮ a geometrical object: a nonsingular curve given by an equation $y^2 = f(x)$, with $\deg f \in \{3, 4\}$
◮ an algebraic object: one can “add” stuff! This composition operation has a nice geometrical interpretation.

2/41

SLIDE 4

Adding points on an elliptic curve

[Figure: chord-and-tangent construction showing the points P, Q, P + Q and 2(P + Q)]

3/41

SLIDE 5

Weierstrass model

◮ An elliptic curve over a field K of characteristic $\neq 2, 3$ is given by an equation of the form
$$E : y^2 = x^3 + ax + b, \quad \text{with } a, b \in K \qquad (1)$$
and $\Delta = -16(4a^3 + 27b^2) \neq 0$
◮ The set of K-rational points of an elliptic curve is
$$E(K) = \{(x, y) \in K \times K ;\ y^2 = x^3 + ax + b\} \cup \{O\}$$
◮ In the general case, we consider the long Weierstrass form
$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \quad \text{where } a_1, a_2, a_3, a_4, a_6 \in K.$$

4/41

SLIDE 6

Algebraic description of the addition operation

Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points on $E : y^2 = x^3 + ax + b$. The slope of the line $(P_1, P_2)$ is given by
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P_1 \neq \pm P_2 \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P_1 = P_2 \end{cases}$$
The sum of $P_1$ and $P_2$ is the point $P_1 + P_2 = (x_3, y_3) = (\lambda^2 - x_1 - x_2,\ \lambda(x_1 - x_3) - y_1)$.

5/41

SLIDE 7

Properties of the addition operation

For all P, Q, R ∈ E, the addition law has the following properties:

◮ P + O = O + P = P
◮ P + (−P) = O
◮ (P + Q) + R = P + (Q + R)
◮ P + Q = Q + P

Thus, (E, +) forms an Abelian group, with the properties required for group-based cryptography:

◮ the group operation is easy to implement (basic algebraic operations)
◮ if K is a well chosen finite field, the computation of discrete logarithms is hard (much harder than over $\mathbb{F}_q^*$)¹

¹Vanessa’s lecture

6/41

SLIDE 8

Elliptic curve over a finite field

[Figure: the points of E over $\mathbb{F}_{37}$, with P, Q, R and −R marked]

$E : y^2 = x^3 - 5x + 8$ defined over $\mathbb{F}_{37}$
$P = (6, 3)$, $Q = (9, 10)$
$\lambda = 7/3 = 27$
$x_3 = 27^2 - 6 - 9 = 11$
$y_3 = 27(6 - 11) - 3 = 10$
$R = (11, 10)$

7/41
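The worked example above carried out in code. This is an added example, not code from the slides: it implements the affine chord-and-tangent law of slides 5 and 6 over $\mathbb{F}_p$, reproduces the $\mathbb{F}_{37}$ computation (P = (6, 3), Q = (9, 10), λ = 27, R = (11, 10)), and also counts $\#E(\mathbb{F}_{37})$ naively to compare it with the Hasse-Weil bound of slide 11. The class and method names are this example's own.

```python
# Added example (not from the slides): affine chord-and-tangent arithmetic on
# y^2 = x^3 + ax + b over F_p, checked against the worked example of slide 8
# (E : y^2 = x^3 - 5x + 8 over F_37, P = (6, 3), Q = (9, 10), R = (11, 10)).
from math import isqrt

O = None  # the point at infinity, written O on the slides


class WeierstrassCurve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, p > 3."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a % p, b % p
        # the curve is nonsingular iff Delta = -16(4a^3 + 27b^2) != 0
        if (4 * self.a ** 3 + 27 * self.b ** 2) % p == 0:
            raise ValueError("singular curve")

    def inv(self, x):
        return pow(x, -1, self.p)  # one field inversion (the "I" of the cost model)

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def slope(self, P, Q):
        """lambda: chord slope if P != +-Q, tangent slope if P == Q."""
        (x1, y1), (x2, y2) = P, Q
        if x1 != x2:
            return (y2 - y1) * self.inv((x2 - x1) % self.p) % self.p
        return (3 * x1 * x1 + self.a) * self.inv(2 * y1 % self.p) % self.p

    def add(self, P, Q):
        """Group law, covering O, P + (-P) and doubling (1I + 2M + 1S, or 2S for a doubling)."""
        if P is O:
            return Q
        if Q is O:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % self.p == 0:
            return O  # P + (-P) = O; also [2]P for a point with y = 0
        lam = self.slope(P, Q)
        x3 = (lam * lam - P[0] - Q[0]) % self.p
        y3 = (lam * (P[0] - x3) - P[1]) % self.p
        return (x3, y3)

    def double(self, P):
        return self.add(P, P)

    def count_points(self):
        """Naive #E(F_p) by enumeration, O included; only for toy-sized p."""
        squares = {}
        for y in range(self.p):
            squares[y * y % self.p] = squares.get(y * y % self.p, 0) + 1
        n = 1  # the point at infinity
        for x in range(self.p):
            n += squares.get((x ** 3 + self.a * x + self.b) % self.p, 0)
        return n

    def hasse_interval(self):
        """Integers N allowed by the Hasse-Weil bound |N - (p + 1)| <= 2 sqrt(p)."""
        t = isqrt(4 * self.p)  # floor(2 sqrt(p))
        return self.p + 1 - t, self.p + 1 + t


if __name__ == "__main__":
    E = WeierstrassCurve(37, -5, 8)
    P, Q = (6, 3), (9, 10)
    print("lambda =", E.slope(P, Q), " P + Q =", E.add(P, Q), " [2]P =", E.double(P))
    print("#E(F_37) =", E.count_points(), " Hasse interval:", E.hasse_interval())
```

`count_points` is only there to make the Hasse-Weil statement concrete on a toy field; for cryptographic sizes the group order comes from point-counting algorithms, not enumeration.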

SLIDE 9

What finite field should we use?

Efficiency considerations

◮ Prime fields $\mathbb{F}_p$, where p is a nice prime (software implementations). Ex: $M_{521} = 2^{521} - 1$, $2^{255} - 19$
◮ Binary fields $\mathbb{F}_{2^m} = \mathbb{F}_2[X]/(f(X))$, where f(X) is a nice irreducible polynomial of degree m (hardware implementations). Ex: trinomials, pentanomials, all-one polynomials
◮ Alternatives: $\mathbb{F}_{p^m}$ where both p and the irreducible polynomial have nice properties. Ex: optimal extension fields

8/41

SLIDE 10

What finite field should we use?

Security considerations

For cryptographic usage, an elliptic curve E defined over $\mathbb{F}_q$, $q = p^m$, should satisfy:

◮ $\#E(\mathbb{F}_q) = h \times n$
◮ n is prime, h is small (ideally h = 1)
◮ $n > 2^{160}$ to avoid BSGS/Pollard ρ attacks in $O(\sqrt{n})$
◮ $n \neq p$ to avoid the anomalous attack
◮ $q^t \not\equiv 1 \pmod n$ for all $t \le 20$ to avoid the MOV attack
◮ m is prime to avoid Weil descent attacks

9/41

SLIDE 11

How big should Fq be?

Hasse-Weil bounds: $|\#E(\mathbb{F}_q) - (q + 1)| \le 2\sqrt{q}$ (so $\#E(\mathbb{F}_q) \approx q$)
Best known attacks: $O(\sqrt{N})$

[Figure: plot of the attack cost against the group size n (horizontal axis 25 to 125, vertical axis 500 to 3,000)]

10/41

SLIDE 12

Cost estimation

We want to compute the group operation as fast as possible (*). A not-too-bad estimation of the time can be obtained by counting the number of field operations of each type:

◮ # field additions/subtractions (A)
◮ # field multiplications (M)
◮ # field squarings (S)
◮ # field inversions (I)
◮ # “small” field multiplications (e.g. by the curve constant a)

Estimates:

◮ A ≪ M
◮ Over $\mathbb{F}_p$: S ≈ 0.8M, I ≫ M (I > 30M)
◮ Over $\mathbb{F}_{2^m}$: S ≪ M (negligible)

11/41

SLIDE 13

Cost of the group law for E/K : y2 = x3 + ax + b

◮ Identity: P + O = P and P + (−P) = O for all P ∈ E(K)
◮ Point negation: Let $P = (x_1, y_1) \in E(K)$. Then $-P = (x_1, -y_1)$
◮ Point addition: Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$ with $P \neq \pm Q$. Then $P + Q = (x_3, y_3)$, with
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3) - y_1 \qquad [1I + 2M + 1S]$$
◮ Point doubling: If $P = (x_1, y_1)$, where $P \neq -P$. Then $[2]P = (x_3, y_3)$ with
$$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1, \qquad y_3 = \frac{3x_1^2 + a}{2y_1}\,(x_1 - x_3) - y_1 \qquad [1I + 2M + 2S]$$

12/41

SLIDE 14

Projective coordinates

Let c, d > 0. Define an equivalence relation on $K^3 \setminus \{(0, 0, 0)\}$:
$$(X, Y, Z) \sim (\lambda^c X, \lambda^d Y, \lambda Z) \quad \text{for all } \lambda \in K^*$$
A projective point, denoted (X : Y : Z), is a class of $K^3 \setminus \{(0, 0, 0)\}$ modulo the equivalence relation ∼. The set of projective points is called the 2-dimensional projective space over K, denoted $\mathbb{P}^2(K)$.
$$\mathbb{A}^2(K) \hookrightarrow \mathbb{P}^2(K)^* = \{(X : Y : Z) : X, Y, Z \in K,\ Z \neq 0\}, \qquad (x, y) \mapsto (X/Z^c : Y/Z^d : 1)$$

13/41

SLIDE 15

The points at infinity

The set $\mathbb{P}^2(K)_0 = \{(X : Y : Z) : X, Y, Z \in K,\ Z = 0\}$ is called the line at infinity. The points at infinity on E are the points of $\mathbb{P}^2(K)_0$ which lie on E.
Projective form of the Weierstrass equation (c = d = 1):
$$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3$$
For Z = 0, the point (X : Y : Z) must satisfy $0 = X^3$, which implies X = 0, and $Y \neq 0$ (since $(0, 0, 0) \notin \mathbb{P}^2(K)$). O = (0 : 1 : 0) is the only point at infinity on E.

14/41

SLIDE 16

Jacobian projective coordinate

Let c = 2 and d = 3. The projective point (X : Y : Z), $Z \neq 0$, corresponds to the affine point $(X/Z^2, Y/Z^3)$.
Projective form of the Weierstrass equation: replace x by $X/Z^2$ and y by $Y/Z^3$ in $y^2 = x^3 + ax + b$ and clear denominators:
$$Y^2 = X^3 + aXZ^4 + bZ^6$$
The point at infinity corresponds to O = (1 : 1 : 0). The negative of (X : Y : Z) is (X : −Y : Z).

15/41

SLIDE 17

Inversions free formula

Let $P = (X_1 : Y_1 : Z_1)$ with $P \neq -P$. Replacing $x_1$ by $X_1/Z_1^2$ and $y_1$ by $Y_1/Z_1^3$ in the affine doubling formula leads to $[2]P = (X'_3 : Y'_3 : 1)$, with
$$X'_3 = \frac{(3X_1^2 + aZ_1^4)^2 - 8X_1Y_1^2}{4Y_1^2Z_1^2}, \qquad Y'_3 = \frac{3X_1^2 + aZ_1^4}{2Y_1Z_1}\left(\frac{X_1}{Z_1^2} - X'_3\right) - \frac{Y_1}{Z_1^3}$$
Use the equivalence relation to clear denominators. Set $X_3 = X'_3 Z_3^2$ and $Y_3 = Y'_3 Z_3^3$ to get $(X_3 : Y_3 : Z_3)$:
$$X_3 = (3X_1^2 + aZ_1^4)^2 - 8X_1Y_1^2$$
$$Y_3 = (3X_1^2 + aZ_1^4)(4X_1Y_1^2 - X_3) - 8Y_1^4$$
$$Z_3 = 2Y_1Z_1$$
Implement!

16/41
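The "Implement!" above, done as an added example (this is not code from the slides): Jacobian doubling with the three formulas just derived, plus the a = −3 shortcut mentioned on the next slide, verified on the $\mathbb{F}_{37}$ curve of slide 8 ([2](6, 3) = (35, 11)) and on a constructed curve $y^2 = x^3 - 3x + 5$ over $\mathbb{F}_{37}$ that is an assumption of this example, not a curve from the page.

```python
# Added example (not from the slides): inversion-free doubling in Jacobian
# coordinates, X3 = M^2 - 8X1Y1^2, Y3 = M(4X1Y1^2 - X3) - 8Y1^4, Z3 = 2Y1Z1,
# with M = 3X1^2 + aZ1^4, computed as 3(X1 - Z1^2)(X1 + Z1^2) when a = -3.
# Checked on y^2 = x^3 - 5x + 8 (slide 8) and on a constructed curve
# y^2 = x^3 - 3x + 5, both over F_37 (the second curve is an assumption).


def to_jacobian(P):
    """Affine (x, y) -> (X : Y : Z) with x = X/Z^2, y = Y/Z^3; O -> (1 : 1 : 0)."""
    return (1, 1, 0) if P is None else (P[0], P[1], 1)


def to_affine(J, p):
    """Back to affine with a single inversion; Z = 0 is the point at infinity."""
    X, Y, Z = J
    if Z == 0:
        return None
    zi = pow(Z, -1, p)
    return (X * zi * zi % p, Y * zi ** 3 % p)


def on_curve_jacobian(J, a, b, p):
    """Weierstrass equation in Jacobian form: Y^2 = X^3 + aXZ^4 + bZ^6."""
    X, Y, Z = J
    return (Y * Y - (X ** 3 + a * X * Z ** 4 + b * Z ** 6)) % p == 0


def jacobian_double(J, a, p):
    """[2](X1 : Y1 : Z1) without any field inversion.
    Straightforward evaluation costs 3M + 6S (4M + 4S with the a = -3 shortcut);
    the 1M + 8S / 3M + 5S counts of slide 37 need further multiplication-to-squaring trades."""
    X1, Y1, Z1 = J
    if Z1 == 0 or Y1 == 0:
        return (1, 1, 0)  # [2]O = O, and [2]P = O when P = -P (y = 0)
    YY = Y1 * Y1 % p            # Y1^2                 (S)
    S = 4 * X1 * YY % p         # 4X1Y1^2              (M)
    ZZ = Z1 * Z1 % p            # Z1^2                 (S)
    if (a + 3) % p == 0:
        # a = -3: 3X1^2 - 3Z1^4 = 3(X1 - Z1^2)(X1 + Z1^2), one M instead of 2S + a small mult
        M = 3 * (X1 - ZZ) * (X1 + ZZ) % p
    else:
        M = (3 * X1 * X1 + a * ZZ * ZZ) % p  # 3X1^2 + aZ1^4   (2S + small mult)
    X3 = (M * M - 2 * S) % p                 # M^2 - 8X1Y1^2    (S)
    Y3 = (M * (S - X3) - 8 * YY * YY) % p    # M(4X1Y1^2 - X3) - 8Y1^4  (M + S)
    Z3 = 2 * Y1 * Z1 % p                     # 2Y1Z1            (M)
    return (X3, Y3, Z3)


def repeated_doubling(P, times, a, p):
    """[2^times]P computed entirely without inversions, converted once at the end."""
    J = to_jacobian(P)
    for _ in range(times):
        J = jacobian_double(J, a, p)
    return to_affine(J, p)


if __name__ == "__main__":
    print("[2](6, 3) =", repeated_doubling((6, 3), 1, -5 % 37, 37))   # (35, 11)
    print("[4](6, 3) =", repeated_doubling((6, 3), 2, -5 % 37, 37))   # (8, 6)
    print("a = -3 curve, [2](2, 9) =", repeated_doubling((2, 9), 1, -3 % 37, 37))
```

The second doubling in `repeated_doubling((6, 3), 2, ...)` runs on an input with $Z_1 \neq 1$, which is the case the affine-to-projective substitution was introduced for.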

SLIDE 18

Common implementation techniques

◮ Common-subexpression elimination
◮ Trade multiplications for squarings: $2XY = (X + Y)^2 - X^2 - Y^2$
◮ Curve parameters: if a = −3, $3X_1^2 + aZ_1^4$ can be computed as a difference of two squares
◮ Add redundancy:
  Modified Jacobian: (X : Y : Z : T), $x = X/Z^2$, $y = Y/Z^3$, $T = aZ^4$
  Chudnovsky coordinates: $(X : Y : Z : Z^2 : Z^3)$, $x = X/Z^2$, $y = Y/Z^3$
◮ Mixed formula (Z = 1)
◮ Readdition
◮ co-Z formula
◮ etc.

http://www.hyperelliptic.org/EFD/

17/41

SLIDE 19

Main computations

Scalar multiplication is the main operation: $k, P \mapsto [k]P = P + \cdots + P$ (k times). Various situations occur:

[k|r]P         first step of ECDH
[r]P           ECDSA signature
[k|r]Q         second step of ECDH
[r]Q           ECIES encryption
[u]P + [u′]Q   ECDSA verification

k: known scalar (domain parameter, private key)
r: generated online at random
u: unknown in advance, result of online computations
P: point known in advance (domain parameter, private key)
Q: point unknown in advance

18/41

SLIDE 20

Addition chains

An addition chain computing k is a sequence $1 = u_0 < \cdots < u_n = k$ such that, for all $m \ge 1$, $u_m = u_i + u_j$ with $0 \le i \le j < m$. Finding an optimal addition chain is very difficult, but good heuristics exist to get reasonably short addition chains.
$$[k]P = \begin{cases} [2]([k/2]P) & \text{if } k \equiv 0 \pmod 2 \\ [2]([\lfloor k/2 \rfloor]P) + P & \text{if } k \equiv 1 \pmod 2 \end{cases}$$
Example: 289 : 1, 2, 4, 8, 9, 18, 36, 72, 144, 288, 289
When the scalar k is known in advance, “short” addition chains can be computed offline. When the scalar k is generated online at random, it may be generated directly in a non-standard, convenient representation (be careful!).

19/41

SLIDE 21

Double-and-add algorithms

Input: P ∈ E(K), $k = (k_{n-1}, \ldots, k_0)_2$, with $k_{n-1} = 1$
Output: [k]P

Right-to-left (RL)
1: R ← O
2: For i = 0 to n − 1 do
3:   If $k_i$ = 1 then
4:     R ← R + P
5:   P ← [2]P
6: return R

Left-to-right (LR)
1: R ← P
2: For i = n − 2 downto 0 do
3:   R ← [2]R
4:   If $k_i$ = 1 then
5:     R ← R + P
6: return R

RL: $[k]P = [k_0]P + [2k_1]P + [2^2k_2]P + \cdots + [2^{n-1}k_{n-1}]P$
LR: $[k]P = [2]([\lfloor k/2 \rfloor]P) + [k_0]P = [2]([2]([\lfloor k/4 \rfloor]P) + [k_1]P) + [k_0]P = [2]([2]([2](\ldots$
Average cost: (n − 1)DBL + (n/2)ADD (mixed additions for LR)

20/41

SLIDE 22

Signed digits representations

In the group of points of an elliptic curve, computing the inverse of an element (P → −P) is almost free. It may therefore be advantageous to consider addition/subtraction chains using signed digits (SD) representations
$$k = \sum_{i=0}^{n} k_i 2^i, \quad \text{with } k_i \in \{-1, 0, 1\}$$
Length: at most n + 1 digits if n is the binary length of k
Canonical SD: no consecutive nonzero digits ($k_i k_{i+1} = 0$), also called the Non Adjacent Form (NAF)
NAF properties: unique representation, minimal density: for $k_i \in \{-1, 0, 1\}$, the average density of nonzero digits is 1/3

21/41

SLIDE 23

Computing NAF(k)

Booth’s algorithm: bits are scanned from right to left; a block of consecutive 1s is replaced by a 1, a block of 0s and a −1; e.g. $(1, 1, 0, 1, 1, 1)_2 \to (1, 0, -1, 1, 0, 0, -1)_{SD2}$. Reitwiesner’s variant ensures the NAF property when blocks of 1s are separated by an isolated 0; e.g. $(1, 1, 0, 1, 1, 1)_2 \to (1, 0, 0, -1, 0, 0, -1)_{SD2}$

Reitwiesner’s algorithm

Input: $k = (k_{n-1}, \ldots, k_0)_2$
Output: $k' = (k'_n, k'_{n-1}, \ldots, k'_0)_{SD2}$
1: $c_0 \leftarrow 0$, $k_{n+1} \leftarrow 0$, $k_n \leftarrow 0$
2: For i = 0 to n do
3:   $c_{i+1} \leftarrow \lfloor (c_i + k_i + k_{i+1})/2 \rfloor$
4:   $k'_i \leftarrow c_i + k_i - 2c_{i+1}$
5: Return $k' = (k'_n, k'_{n-1}, \ldots, k'_0)$

Idea: compute 3k − k digit by digit with the additional rule 0 − 1 = −1 (no borrow), and discard the least significant bit. O(log k)

22/41

SLIDE 24

Classical NAF recoding

Input: k > 0
Output: NAF(k)
1: i ← 0
2: While k ≥ 1 do
3:   If k is odd then
4:     $k_i$ ← 2 − (k mod 4)
5:   else
6:     $k_i$ ← 0
7:   k ← (k − $k_i$)/2, i ← i + 1
8: Return $(k_{i-1}, \ldots, k_1, k_0)$

Idea: if k is odd, $k_i$ is chosen in {−1, 1} so that (k − $k_i$)/2 is even. O(log k)

23/41

SLIDE 25

NAF left-to-right scalar multiplication

Input: k, P
Output: [k]P
1: Compute NAF(k) = $(k_n, \ldots, k_0)$
2: R ← P
3: For i = n − 1 downto 0 do
4:   R ← [2]R
5:   If $k_i \neq 0$ then
6:     R ← R + $k_i$P
7: Return R

NAF(k), obtained from right to left, has to be fully computed before any left-to-right scalar multiplication algorithm. Left-to-right NAF recoding variants do exist, but are more difficult to implement and require more memory.
Average cost: nDBL + (n/3)ADD (mixed additions for LR)

24/41

SLIDE 26

Window methods: process w digits of k at a time

Width-w NAF: $k = \sum_{i=0}^{n} k_i 2^i$, with each $k_i \neq 0$ odd, $|k_i| < 2^{w-1}$, and at most one of any w consecutive digits $\neq 0$.

◮ k has a unique width-w NAF, denoted $\mathrm{NAF}_w(k)$.
◮ $\mathrm{NAF}_2(k) = \mathrm{NAF}(k)$
◮ Length: at most n + 1 digits if |k| = n
◮ Average density: 1/(w + 1)

Example: n = 314159 (negative digits are written −d)
(n)₂    = 1 0 0 1 1 0 0 1 0 1 1 0 0 1 0 1 1 1 1
NAF(n)  = 1 0 1 0 −1 0 1 0 −1 0 −1 0 1 0 −1 0 0 0 −1
NAF₃(n) = 1 0 0 0 3 0 0 1 0 0 3 0 0 0 3 0 0 0 −1
NAF₄(n) = 0 0 5 0 0 0 −3 0 0 0 −5 0 0 0 3 0 0 0 −1

25/41

SLIDE 27

Window NAF method for point multiplication

Compute $\mathrm{NAF}_w(k)$: replace 2 − (k mod 4) in NAF by the signed residue k mods $2^w$, with $-2^{w-1} \le k \text{ mods } 2^w \le 2^{w-1} - 1$
Precompute $P_i = [i]P$ for $i \in \{1, 3, 5, \ldots, 2^{w-1} - 1\}$. Cost: PRECOMP ≤ 1DBL + $(2^{w-2} - 1)$ADD
Scan the digits of $\mathrm{NAF}_w(k)$ from left to right; add $P_{k_i}$ or subtract $P_{-k_i}$ whenever $k_i \neq 0$
Average cost: nDBL + (n/(w + 1))ADD (mixed?) + PRECOMP
Example: NAF₄(314159) = 0 0 5 0 0 0 −3 0 0 0 −5 0 0 0 3 0 0 0 −1
O, 5P, 10P, 20P, 40P, 80P, 77P, 144P, . . . , 1232P, 1227P, 2454P, . . . , 19632P, 19635P, 39270P, . . . , 314160P, 314159P
Alternatives: sliding window, fractional window methods

26/41
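The recodings of slides 23, 24 and 26 and the window method of slide 27, as an added example (not code from the slides). The group is passed in abstractly through its add/dbl/neg operations; the integers under addition stand in for E(K) here (an assumption of this example), so the chain O, 5P, 10P, 20P, ... of the slide can be followed as plain numbers and the DBL/ADD counts read off directly. Function names are this example's own.

```python
# Added example (not from the slides): Reitwiesner's carry-based NAF recoding,
# the classical NAF / width-w NAF recoding, and the left-to-right window-NAF
# scalar multiplication over an abstract group. The integers under addition
# are used as that group (an assumption of this example) so that [k]P = k*P
# and the slide's chain O, 5P, 10P, 20P, ... can be followed as numbers.


def binary_digits(k):
    """Bits of k, most significant first."""
    return [int(b) for b in bin(k)[2:]]


def strip_leading_zeros(digits):
    i = 0
    while i < len(digits) - 1 and digits[i] == 0:
        i += 1
    return digits[i:]


def naf_reitwiesner(k):
    """Reitwiesner's NAF recoding (slide 23), scanning k right to left with a carry."""
    bits = binary_digits(k)[::-1] + [0, 0]  # k_0 .. k_{n-1}, then k_n = k_{n+1} = 0
    n = len(bits) - 2
    out, c = [], 0  # c_0 = 0
    for i in range(n + 1):
        c_next = (c + bits[i] + bits[i + 1]) // 2  # c_{i+1} = floor((c_i + k_i + k_{i+1}) / 2)
        out.append(c + bits[i] - 2 * c_next)      # k'_i = c_i + k_i - 2 c_{i+1}
        c = c_next
    return strip_leading_zeros(out[::-1])


def naf_w(k, w=2):
    """Width-w NAF (slides 24/27), most significant digit first; w = 2 is the
    classical NAF, since k mods 4 equals 2 - (k mod 4) for odd k."""
    digits = []
    while k >= 1:
        if k & 1:
            d = k % 2 ** w
            if d >= 2 ** (w - 1):
                d -= 2 ** w  # signed residue: -2^(w-1) <= k mods 2^w <= 2^(w-1) - 1
        else:
            d = 0
        digits.append(d)
        k = (k - d) // 2  # exact: k - d is even
    return digits[::-1]


def digits_to_int(digits):
    return sum(d * 2 ** i for i, d in enumerate(reversed(digits)))


def is_naf(digits):
    """No two adjacent nonzero digits."""
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


# The integers under addition as a stand-in group: "P" is an integer, [k]P = k*P.
INTEGERS = {"add": lambda a, b: a + b, "dbl": lambda a: 2 * a, "neg": lambda a: -a}


def window_scalar_mult(k, P, group, w):
    """Left-to-right window-NAF method of slide 27. Returns ([k]P, trace of
    partial results, #DBL, #ADD); the counts exclude the precomputation."""
    add, dbl, neg = group["add"], group["dbl"], group["neg"]
    # precomputation: P_i = [i]P for odd i < 2^(w-1), costing 1DBL + (2^(w-2) - 1)ADD
    P2 = dbl(P)
    table = {1: P}
    for i in range(3, 2 ** (w - 1), 2):
        table[i] = add(table[i - 2], P2)

    def lookup(d):  # add P_d, or subtract P_{-d}: negation is almost free
        return table[d] if d > 0 else neg(table[-d])

    digits = naf_w(k, w)
    R = lookup(digits[0])  # the leading digit of NAF_w(k) is never zero
    trace, n_dbl, n_add = [R], 0, 0
    for d in digits[1:]:
        R = dbl(R)
        n_dbl += 1
        trace.append(R)
        if d:
            R = add(R, lookup(d))
            n_add += 1
            trace.append(R)
    return R, trace, n_dbl, n_add


if __name__ == "__main__":
    print("NAF(314159)  =", naf_w(314159))
    print("NAF4(314159) =", naf_w(314159, 4))
    R, trace, n_dbl, n_add = window_scalar_mult(314159, 1, INTEGERS, 4)
    print("chain:", trace, " DBL =", n_dbl, " ADD =", n_add)
```

Run on the slide's example, the w = 4 chain is 5, 10, 20, 40, 80, 77, 154, ..., 314160, 314159 with 16 doublings and 4 additions after the precomputation, matching the $n$DBL + $(n/(w+1))$ADD estimate.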

SLIDE 28

Algorithms based on point tripling

Double-base chains: $k = \sum_{i=0}^{m-1} k_i\, 2^{a_i} 3^{b_i}$, where $k_i \in S$ and $(a_i, b_i)$ decreasing (ց)
$$314159 = 2^4 3^9 - 2^0 3^6 - 3^3 - 3^2 - 3 - 1$$
$$[314159]P = 3(3(3(3^3(2^4 3^3 P - P) - P) - P) - P) - P$$
Alternatives:

◮ Yao/Meloni’s algorithm
◮ Hybrid binary-ternary
◮ Tree-based approach
◮ Multi-base (see Patrick Longa’s talk at ECC)
◮ etc.

27/41

SLIDE 29

Isogenies

$E_1/K$ and $E_2/K$ are isogenous over K if there exists a rational map $\varphi : E_1 \to E_2$ with coefficients in K such that $\varphi(O_1) = O_2$.
For every (non constant) ℓ-isogeny $\varphi : E_1 \to E_2$, there exists a unique dual ℓ-isogeny $\hat\varphi : E_2 \to E_1$ such that $\hat\varphi \circ \varphi = [\ell]$.
An ℓ-isogeny can be described as a rational map involving polynomials of degree ≤ ℓ.

28/41

SLIDE 30

DIK curves

DIK2: family of elliptic curves for which [2] splits into two 2-isogenies: $y^2 = x^3 + ux^2 + 16ux$
DIK3: family of elliptic curves for which [3] splits into two 3-isogenies: $y^2 = x^3 + 3u(x + 1)^2$

29/41

SLIDE 31

Tripling on DIK3 curves

$(x_1, y_1) \mapsto (x_t, y_t)$:
$$x_t = x_1 + 4u + 12u\,\frac{x_1 + 1}{x_1^2}, \qquad y_t = y_1\left(1 - 12u\,\frac{x_1 + 2}{x_1^3}\right)$$
$(x_t, y_t) \mapsto (x_3, y_3) = [3]P$:
$$x_3 = \frac{1}{3^2}\left(x_t - 12u + \frac{12u(4u - 9)}{x_t} - \frac{4u(4u - 9)^2}{x_t^2}\right), \qquad y_3 = \frac{1}{3^3}\, y_t\left(1 - \frac{12u(4u - 9)}{x_t^2} + \frac{8u(4u - 9)^2}{x_t^3}\right)$$
http://www.hyperelliptic.org/EFD/g1p/auto-3dik.html

30/41

SLIDE 32

Edwards curves

◮ H. M. Edwards, Bulletin of the AMS, 2007
$$x^2 + y^2 = a^2(1 + x^2y^2), \quad \text{with } a^5 \neq a \qquad (2)$$
◮ D. Bernstein and T. Lange introduced the parameter d to cover more curves over K:
$$x^2 + y^2 = c^2(1 + dx^2y^2), \quad \text{with } c, d \neq 0 \text{ and } d \text{ not a square in } K$$

31/41

SLIDE 33

Group law on Edwards curves

◮ Addition: $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$
$$x_3 = \frac{x_1y_2 + y_1x_2}{c(1 + dx_1x_2y_1y_2)}, \qquad y_3 = \frac{y_1y_2 - x_1x_2}{c(1 - dx_1x_2y_1y_2)}$$
◮ Neutral element: the affine point of coordinates (0, c)
◮ Negative of a point: −(x, y) = (−x, y)
◮ Doubling: $[2](x, y) = \left(\dfrac{xy + yx}{c(1 + dxxyy)},\ \dfrac{yy - xx}{c(1 - dxxyy)}\right)$
◮ Unified group operations

32/41

SLIDE 34

Unified operations

◮ If d is not a square then the Edwards addition law is complete:
  • if $(x_1, y_1)$ and $(x_2, y_2)$ are on the curve then $dx_1x_2y_1y_2 \neq \pm 1$
◮ The formula is correct for all affine points, including (0, c) and P + (−P).
◮ The doubling formula is exactly identical to the addition formula:
  • no re-arrangement like in Hessian form, where $[2](X_1 : Y_1 : Z_1) = (Z_1 : X_1 : Y_1) + (Y_1 : Z_1 : X_1)$.
http://www.hyperelliptic.org/EFD/g1p/auto-edwards.html

33/41

SLIDE 35

Comparisons with other fast unified formulas

Coordinates           Cost add/dbl      Ref
Projective            11M + 6S + 1D     Brier/Joye 03
Projective (a = −1)   13M + 3S          Brier/Joye 03
Jacobi intersection   13M + 2S + 1D     Liardet/Smart 01
Jacobi quartic        10M + 3S + 1D     Billet/Joye 01
Hessian               12M               Joye/Quisquater 01
Edwards (c = 1)       10M + 1S + 1D     Bernstein/Lange 07

34/41

SLIDE 36

Optimizing Edwards doubling (c = 1)

Affine:
$$[2](x, y) = \left(\frac{xy + yx}{1 + dxxyy},\ \frac{yy - xx}{1 - dxxyy}\right) = \left(\frac{2xy}{1 + dx^2y^2},\ \frac{y^2 - x^2}{1 - dx^2y^2}\right) = \left(\frac{2xy}{x^2 + y^2},\ \frac{y^2 - x^2}{2 - x^2 - y^2}\right) = \left(\frac{(x + y)^2}{x^2 + y^2} - 1,\ \frac{y^2 - x^2}{2 - x^2 - y^2}\right)$$
(the denominators are rewritten using the curve equation $1 + dx^2y^2 = x^2 + y^2$)

Projective: $[2](X_1 : Y_1 : Z_1)$
$B = (X_1 + Y_1)^2$, $C = X_1^2$, $D = Y_1^2$, $E = C + D$, $H = Z_1^2$, $J = E - 2H$
$X_3 = (B - E)J$, $Y_3 = E(C - D)$, $Z_3 = EJ$
Cost: 3M + 4S + 6A

35/41
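The Edwards law of slide 33, the completeness claim of slide 34 and the 3M + 4S projective doubling above, as an added example (not code from the slides). The toy curve $x^2 + y^2 = 1 + 2x^2y^2$ over $\mathbb{F}_{11}$ (c = 1; 2 is a non-square mod 11) is a construction for this example, not a curve from the page, and the function names are this example's own. Because the field is tiny, the check is exhaustive: every pair of points is added with the unified formula and the result is verified to lie on the curve, with no exceptional case ever hit.

```python
# Added example (not from the slides): Edwards group law with c = 1, brute-force
# check of completeness for a non-square d, and the 3M + 4S projective doubling
# compared with the unified affine formula. Toy curve (an assumption of this
# example): x^2 + y^2 = 1 + 2 x^2 y^2 over F_11, where 2 is a non-square.

P_TOY, D_TOY = 11, 2


def is_square(n, p):
    """Euler's criterion for an odd prime p."""
    n %= p
    return n == 0 or pow(n, (p - 1) // 2, p) == 1


def edwards_points(d, p):
    """All affine points of x^2 + y^2 = 1 + d x^2 y^2 (no points at infinity to handle)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]


def edwards_add(P, Q, d, p):
    """Unified affine law: used unchanged for doubling, for (0, 1) and for P + (-P)."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    # 1 +- t is never 0 on the curve when d is a non-square, so both inverses exist
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)


def edwards_neg(P, p):
    return ((-P[0]) % p, P[1])


def edwards_double_projective(X1, Y1, Z1, p):
    """Slide 36: [2](X1 : Y1 : Z1) in 3M + 4S + 6A."""
    B = (X1 + Y1) * (X1 + Y1) % p
    C = X1 * X1 % p
    D = Y1 * Y1 % p
    E = (C + D) % p
    H = Z1 * Z1 % p
    J = (E - 2 * H) % p
    return ((B - E) * J % p, E * (C - D) % p, E * J % p)


def projective_to_affine(X, Y, Z, p):
    zi = pow(Z, -1, p)
    return (X * zi % p, Y * zi % p)


def check_group_law(d, p):
    """For every point: (0, 1) is neutral, P + (-P) = (0, 1), projective doubling
    agrees with the affine law, and P + Q stays on the curve for every Q.
    Returns (#points, all_ok); a vanishing denominator also yields all_ok = False."""
    pts = edwards_points(d, p)
    on_curve = set(pts)
    try:
        for P in pts:
            ok = edwards_add(P, (0, 1), d, p) == P
            ok = ok and edwards_add(P, edwards_neg(P, p), d, p) == (0, 1)
            X3, Y3, Z3 = edwards_double_projective(P[0], P[1], 1, p)
            ok = ok and projective_to_affine(X3, Y3, Z3, p) == edwards_add(P, P, d, p)
            ok = ok and all(edwards_add(P, Q, d, p) in on_curve for Q in pts)
            if not ok:
                return len(pts), False
    except ValueError:  # pow(0, -1, p): an exceptional case was hit
        return len(pts), False
    return len(pts), True


def point_order(P, d, p):
    """Order of P by repeated unified addition (fine for a toy group)."""
    R, n = P, 1
    while R != (0, 1):
        R = edwards_add(R, P, d, p)
        n += 1
    return n


if __name__ == "__main__":
    print("d non-square:", not is_square(D_TOY, P_TOY))
    print("(#points, complete):", check_group_law(D_TOY, P_TOY))
    print("order of (1, 0):", point_order((1, 0), D_TOY, P_TOY))
```

`check_group_law(2, 11)` returns `(12, True)`: the twelve points close under the single unified formula with no special case, which is the property that lets one code path serve addition, doubling and the neutral element. The point (1, 0) has order 4, in line with the group order being a multiple of 4.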

SLIDE 37

Comparisons

Doubling:

System              Cost
Proj.               5M + 6S
Proj. (a = −3)      7M + 3S
Hessian             7M + 1S
DIK3                2M + 7S
Jac.                1M + 8S
Jac. (a = −3)       3M + 5S
Jacobi quartic      2M + 6S
Jacobi intersec.    3M + 4S
Edwards             3M + 4S
DIK2                2M + 5S

Jac-3 vs. Edwards:

          Jac-3       Edwards
Double    3M + 5S     3M + 4S
Triple    7M + 7S     9M + 4S
Add       11M + 5S    10M + 1S + 1D
Re-Add    10M + 4S    10M + 1S + 1D
Mixed     7M + 4S     9M + 1S + 1D

http://www.hyperelliptic.org/EFD/g1p/index.html

36/41

SLIDE 38

Side channel attacks

Do we really want to compute [k]P as fast as possible? Side channel attacks:

◮ Timing attacks
◮ Simple power analysis
◮ Differential power analysis
◮ Electromagnetic analysis
◮ etc.

Algorithmic countermeasures:

◮ Unified formulæ
◮ Double-and-always-add
◮ Atomic blocks
◮ Randomization
◮ etc.

37/41

SLIDE 39

The Montgomery ladder

Input: P ∈ E, $k = (k_{n-1} \ldots k_0)_2$
Output: [k]P ∈ E
1: $P_1$ ← P, $P_2$ ← [2]P
2: For i = n − 2 downto 0 do
3:   If $k_i$ = 0 then
4:     $P_1$ ← [2]$P_1$, $P_2$ ← $P_1$ + $P_2$
5:   else
6:     $P_1$ ← $P_1$ + $P_2$, $P_2$ ← [2]$P_2$
7: Return $P_1$

Note that $P_2 - P_1 = P$ throughout, so every addition is a differential addition with known difference, and that each iteration performs one doubling and one addition whatever the bit is. Cost: $(6M + 4S)(|k|_2 - 1)$

38/41

SLIDE 40

Montgomery curves

Montgomery curve: $E_M : By^2 = x^3 + Ax^2 + x$, $A, B \in \mathbb{F}_{p^k}$, $p > 3$
Differential addition: $[m + n]P = [m]P + [n]P = (X_{m+n} : - : Z_{m+n})$
$$X_{m+n} = Z_{m-n}\big((X_m - Z_m)(X_n + Z_n) + (X_m + Z_m)(X_n - Z_n)\big)^2$$
$$Z_{m+n} = X_{m-n}\big((X_m - Z_m)(X_n + Z_n) - (X_m + Z_m)(X_n - Z_n)\big)^2$$
Doubling: $4X_nZ_n = (X_n + Z_n)^2 - (X_n - Z_n)^2$,
$$X_{2n} = (X_n + Z_n)^2 (X_n - Z_n)^2, \qquad Z_{2n} = 4X_nZ_n\left((X_n - Z_n)^2 + \frac{A + 2}{4}\,(4X_nZ_n)\right)$$
http://www.hyperelliptic.org/EFD/g1p/auto-montgom.html

39/41
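The ladder of slide 39 combined with the x-only formulas of slide 40, as an added example (not code from the slides). It is instantiated on Curve25519, $y^2 = x^3 + 486662x^2 + x$ over $\mathbb{F}_{2^{255} - 19}$ with base point x = 9 of prime order ℓ: the slides only mention $2^{255} - 19$ as a nice prime, so the curve constant A, the base point and its order are the standard Curve25519 parameters and are assumptions of this example, as are the function names. The self-checks use only the group structure: $[\ell]P = O$ shows up as Z = 0, and $[\ell \pm 1]P$ has the same x-coordinate as P.

```python
# Added example (not from the slides): x-only Montgomery ladder (slide 39) with
# the differential addition and doubling of slide 40, on Curve25519. The
# constants below are the standard Curve25519 parameters (assumptions of this
# example; the page only names the prime 2^255 - 19).

P25519 = 2 ** 255 - 19
A25519 = 486662
A24 = (A25519 + 2) // 4  # (A + 2)/4 = 121666, the constant of the doubling formula
L25519 = 2 ** 252 + 27742317777372353535851937790883648493  # order of the base point x = 9


def x_dbl(Xn, Zn, p=P25519, a24=A24):
    """[2]P from (Xn : - : Zn):
    X_2n = (Xn + Zn)^2 (Xn - Zn)^2,  Z_2n = 4XnZn ((Xn - Zn)^2 + ((A + 2)/4) 4XnZn)."""
    s = (Xn + Zn) * (Xn + Zn) % p
    d = (Xn - Zn) * (Xn - Zn) % p
    t = (s - d) % p  # 4XnZn = (Xn + Zn)^2 - (Xn - Zn)^2
    return s * d % p, t * (d + a24 * t) % p


def x_add(Xm, Zm, Xn, Zn, Xd, Zd, p=P25519):
    """[m + n]P from [m]P, [n]P and the known difference [m - n]P = (Xd : - : Zd)."""
    u = (Xm - Zm) * (Xn + Zn) % p
    v = (Xm + Zm) * (Xn - Zn) % p
    return Zd * (u + v) ** 2 % p, Xd * (u - v) ** 2 % p


def ladder(k, x, p=P25519, a24=A24):
    """Slide 39: (P1, P2) <- (P, [2]P); for each bit below the top one, either
    (P1, P2) <- ([2]P1, P1 + P2) or (P1 + P2, [2]P2). P2 - P1 = P throughout,
    so every addition is a differential addition with difference (x : 1), and
    one doubling plus one addition run whatever the bit is."""
    if k == 0:
        return (1, 0)  # [0]P = O, represented by Z = 0
    xP = x % p
    X1, Z1 = xP, 1
    X2, Z2 = x_dbl(X1, Z1, p, a24)
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1 == 0:
            X2, Z2 = x_add(X1, Z1, X2, Z2, xP, 1, p)  # P2 <- P1 + P2 (with the old P1)
            X1, Z1 = x_dbl(X1, Z1, p, a24)            # P1 <- [2]P1
        else:
            X1, Z1 = x_add(X1, Z1, X2, Z2, xP, 1, p)  # P1 <- P1 + P2
            X2, Z2 = x_dbl(X2, Z2, p, a24)            # P2 <- [2]P2
    return X1, Z1


def ladder_x(k, x, p=P25519, a24=A24):
    """Affine x([k]P), or None when [k]P = O (Z = 0)."""
    X, Z = ladder(k, x, p, a24)
    return None if Z == 0 else X * pow(Z, -1, p) % p


if __name__ == "__main__":
    print("x([2]B)   =", ladder_x(2, 9))
    print("[l]B = O  :", ladder(L25519, 9)[1] == 0)
    print("x([l+1]B) =", ladder_x(L25519 + 1, 9))
```

Only the x-coordinate is carried, which is why the result of $P_1 + P_2$ needs the difference $P_2 - P_1 = P$ as an input; the ladder keeps that invariant by construction. In a constant-time implementation the branch on the bit would additionally be replaced by a conditional swap of $(P_1, P_2)$, which this example does not do.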

SLIDE 41

Conversion to Montgomery curves

$E_M : By^2 = x^3 + Ax^2 + x$, $E_W : y^2 = x^3 + ax + b$
$E_M \to E_W$: always possible, with $a := 1/B^2 - A^2/(3B^2)$, $b := -A^3/(27B^3) - aA/(3B)$
$E_W \to E_M$: conditional. If $\alpha \in \mathbb{F}_p$ is a root of $x^3 + ax + b$ and $3\alpha^2 + a$ is a quadratic residue modulo p, then set
$$s := \left(\sqrt{3\alpha^2 + a}\right)^{-1}, \qquad A := 3\alpha s, \qquad B := s$$
The change of variables $(x, y) \to (x/s + \alpha, y/s)$ gives a curve $E_M$ isomorphic to E.

40/41

SLIDE 42

Speed records

http://www.patricklonga.bravehost.com/speed_ecc.html#speed
http://www.loria.fr/~zimmerma/ecc.html

41/41