fast endomorphisms in hardware
play

FAST ENDOMORPHISMS IN HARDWARE Kimmo Jrvinen 1 , 2 1 University of - PowerPoint PPT Presentation

Apr 02, 2023 •240 likes •967 views

FAST ENDOMORPHISMS IN HARDWARE Kimmo Jrvinen 1 , 2 1 University of Helsinki, Computer Science, Helsinki, Finland kimmo.u.jarvinen@helsinki.fi 2 Xiphera Ltd., Espoo, Finland kimmo.jarvinen@xiphera.com The 21st Workshop on Elliptic Curve

  1. FAST ENDOMORPHISMS IN HARDWARE Kimmo Järvinen 1 , 2 1 University of Helsinki, Computer Science, Helsinki, Finland kimmo.u.jarvinen@helsinki.fi 2 Xiphera Ltd., Espoo, Finland kimmo.jarvinen@xiphera.com The 21st Workshop on Elliptic Curve Cryptography Nijmegen, the Netherlands, Nov. 13–15, 2017 ECC’17 November 15, 2017 1/36

  2. INTRODUCTION ◮ This talk surveys my work on hardware implementations of ECC with fast endomorphisms ◮ Particularly: Koblitz curves, Four Q , and GLV/GLS curves ◮ In software, fast endomorphisms reduce the number of operations and lead to significant speedups ◮ In hardware, simplicity is often the key to efficiency and the feasibility of fast endomorphisms is less clear ECC’17 November 15, 2017 2/36

  3. PRELIMINARIES ECC’17 November 15, 2017 3/36

  4. SCALAR MULTIPLICATION ◮ Let E be an elliptic curve defined over a finite field F q ◮ Points on E (together with O ) form an additive Abelian group ◮ Let k be an integer and P be a point on E ; then, scalar multiplication is the following operation: [ k ] P = P + P + . . . + P � �� � k times ◮ Scalar multiplication is the central operation of ECC mostly determining the efficiency of the cryptosystem ECC’17 November 15, 2017 4/36

  5. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  6. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  7. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  8. ANATOMY OF ECC HW Mult logic Add ALU logic Other logic ECC’17 November 15, 2017 6/36

  9. ANATOMY OF ECC HW Mult FAU logic ctrl Add ALU FAU logic Local regs Other logic ECC’17 November 15, 2017 6/36

  10. ANATOMY OF ECC HW Key storage Mult FAU ECC ctrl logic ECC Co-Processor ctrl Host Processor Add ALU FAU logic Main Local memory regs Other logic ECC’17 November 15, 2017 6/36

  11. FAST ENDOMORPHISMS ◮ GLV/GLS curves have an efficiently computable endomorphism φ ( P ) such that φ ( P ) = [ λ ] P Then, scalar multiplication can be computed as: [ k ] P = [ k 0 ] P + [ k 1 ] φ ( P ) where k 0 + k 1 λ = k If k 0 , k 1 are of the same size, Shamir’s trick for double scalar multplication saves about half of the point doublings ◮ Koblitz curves are curves over F 2 m for which φ ( x , y ) = ( x 2 , y 2 ) is an endomorphism ECC’17 November 15, 2017 7/36

  12. OVERVIEW OF CHALLENGES ◮ Fast endomorphisms require recoding of the scalars (e.g., find k 0 , k 1 ) ⇒ Logic must be added (either a separate converter or FAU instruction set extension) ◮ The size of the overhead depends on the curve and implementation architecture ◮ For binary curves, FAU supports arithmetic over F 2 m but conversions require operations over Z ◮ For prime curves, FAU supports arithmetic over Z but FAU is typically highly optimized for mod p arithmetic ECC’17 November 15, 2017 8/36

  13. SOFTWARE VS. HARDWARE Software +++ Faster scalar multiplications - Slightly larger program memory and data memory requirements ⇒ Advantages bigger than disadvantages (almost always) ECC’17 November 15, 2017 9/36

  14. SOFTWARE VS. HARDWARE Software +++ Faster scalar multiplications - Slightly larger program memory and data memory requirements ⇒ Advantages bigger than disadvantages (almost always) Hardware ++(+) Faster scalar multiplications (almost surely) - - More complex control logic - ( - ) New instructions needed in FAU - ( - - ) More memory/registers needed ⇒ ??? ECC’17 November 15, 2017 9/36

  15. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ECC’17 November 15, 2017 10/36

  16. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ≥ t 1 Scalar recoding Precomputation Main for-loop Main for-loop · · · Inversion ECC’17 November 15, 2017 10/36

  17. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ≥ t 1 Scalar recoding Precomputation Main for-loop Main for-loop · · · Inversion Precomputation ≥ t 2 s.t. t 2 < t 1 Main for-loop Main for-loop Inversion · · · Scalar recoding ECC’17 November 15, 2017 10/36

  18. PARALLELISM ◮ Stages should be balanced because throughput is determined by the slowest stage ◮ For-loop is by far the slowest stage ◮ Solutions: (a) Make for-loop faster by using more area (or make other parts slower and save area) (b) Use parallel for-loop units ECC’17 November 15, 2017 11/36

  19. KOBLITZ CURVES (Joint work with J. Adikari, B.B. Brumley, V. Dimitrov, S. Sinha Roy, J. Skyttä, and I. Verbauwhede) ECC’17 November 15, 2017 12/36

  20. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ECC’17 November 15, 2017 13/36

  21. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ◮ Cheap Frobenius maps φ : ( x , y ) �→ ( x 2 , y 2 ) can be used instead of point doublings ECC’17 November 15, 2017 13/36

  22. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ◮ Cheap Frobenius maps φ : ( x , y ) �→ ( x 2 , y 2 ) can be used instead of point doublings ◮ . . . but first the integer k needs to be given as a τ -adic √ i = 0 k i τ i where τ = ( µ + expansion k = � ℓ − 1 − 7 ) / 2 ∈ C · · · add dbl dbl add dbl add dbl dbl add dbl add · · · conversion add add add add F 2 m Z ECC’17 November 15, 2017 13/36

  23. SCALAR CONVERSIONS ◮ Many cryptosystems (e.g., signature schemes) require k also as an integer (a) Select a random integer and find its τ -adic expansion (b) Select a random τ -adic expansion and find its integer equivalent ECC’17 November 15, 2017 14/36

  24. SCALAR CONVERSIONS ◮ Many cryptosystems (e.g., signature schemes) require k also as an integer (a) Select a random integer and find its τ -adic expansion (b) Select a random τ -adic expansion and find its integer equivalent ◮ Option (a) ◮ Base- τ expansions can be found analogously to finding binary expansions except with divisions by τ instead of 2 ◮ Straightforward τ -adic expansion of k is twice as long as k ◮ Meier and Staffelbach: Because P = φ m ( P ) , then α P = β P if α ≡ β ( mod τ m − 1 ) ◮ Solinas: Reduction modulo ( τ m − 1 ) / ( τ − 1 ) gives an expansion of length m + a where a ∈ { 0 , 1 } ECC’17 November 15, 2017 14/36

  25. SCALAR CONVERSIONS ◮ Both require complex operations (e.g., divisions, large multiplications) ◮ High-speed implementations: Avoid conversions from becoming the bottleneck ⇒ HW acceleration ◮ Lightweight implementations: Conversions done over Z ⇒ How to combine efficiently with F 2 m ? ◮ Lazy reduction (repeated divisions by τ ) and its many variations (pipelined, word-wise, . . . ) are commonly used and lead to fast conversions but with an expense in area ECC’17 November 15, 2017 15/36

  26. HIGH-SPEED IMPLEMENTATION ◮ The key to high speed is to accelerate the main for-loop; other parts can be separated to different pipeline stages ◮ For-loop consists of point additions and Frobenius maps ◮ Point additions are dominated by field multiplications (in F 2 m ) ◮ Point addition with Lopez-Dahab formulas (SAC’98) ◮ Frobenius maps φ ( Q ) = ( X 2 , Y 2 , Z 2 ) are cheap and can be computed independently for all coordinates ECC’17 November 15, 2017 16/36

  27. HIGH-SPEED IMPLEMENTATION X 1 X 2 Z 1 Z 2 Point addition: Y 1 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) Y 3 ECC’17 November 15, 2017 17/36

  28. HIGH-SPEED IMPLEMENTATION X 1 X 2 Z 1 Z 2 Point addition: Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  29. HIGH-SPEED IMPLEMENTATION X 1 X 2 X 1 X 2 Z 1 Z 2 Z 1 Z 2 Point addition: Y 1 Y 3 Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  30. HIGH-SPEED IMPLEMENTATION X 1 X 2 X 1 X 2 X 1 X 2 Z 1 Z 2 Z 1 Z 2 Z 1 Z 2 Point addition: Y 1 Y 3 Y 1 Y 3 Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Y 2 Y 4 Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  31. HIGH-SPEED RESULTS ◮ The above technique computes the for-loop in less than 5 µ s on K-163 or 12 µ s on K-283 in a Stratix II FPGA (old) ◮ One core performs over 200,000 op/s with delay of 11.7 µ s ◮ Multiple cores fit in an FPGA and one device can reach throughputs of several millions ◮ Delay is not spectacular compared to modern SW but throughput is ECC’17 November 15, 2017 18/36

  32. COMPACT IMPLEMENTATION ◮ Koblitz curve K-283 ◮ 16-bit ALU for binary polynomial arithmetic extended with a 16-bit integer adder/subtractor ECC’17 November 15, 2017 19/36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre,

Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre,

Endomorphisms - old and not so old Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre, institution in West Philadelphia since 1950, the Divine Tracy is up for sale. The asking price for the 140-room hotel is

335 views • 29 slides
Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG

Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG

Growth and entropy for group endomorphisms Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG - Salerno, November 20th, 2015 Growth and entropy for group endomorphisms Growth of finitely generated

527 views • 13 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T RAMR &amp; D AN B ONEH ICLR, New Orleans May 7 th 2019 2 Securely outsourcing ML inference with hardware isolation - Intel SGX input X -

554 views • 10 slides
PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap Neuromorphic Hardware: A physical model, not a simulation Intrinsically parallel, scalable, fast, ... Not an arbitrarily flexible substrate

512 views • 17 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for Supercomputers Workshop June 12 2018 Rob Gardner Jared Smolens Kishore Pusukuri Oracle Inc Arm Inc NetApp Inc Multicore Systems &amp;

692 views • 24 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e

Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e

Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e Paris-Est Marne la Vall ee Parameters problems in analytic dynamics, London, June 2016 Foreword Motivation : explore the basic geography of the

829 views • 57 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina

Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina

Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina Mitropoulou, Vasileios Porpodas, Xiaochun Zhang and Timothy M. Jones Computer Laboratory UKMAC 2016, Edinburgh slide 1 of 30

1.31k views • 77 slides
Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate

Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate

Definitions Elements of Pluripotential Theory The Green current of a holomorphic endomorphism Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate Conference in Complex Dynamics, London, 11-13 March

805 views • 37 slides
Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman

Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman

Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman Louisiana State University April 6, 2015 hoffman@math.lsu.edu 1 The Problem and Background 2 Shimura Varieties: Some Examples 3 g=2 4 g=3 5 Galois

965 views • 43 slides
Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell

Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell

Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell University Packet Scheduling 101 express enforce at runtime Packet Scheduler * focus of this work * fairness / rate-limit / To pacing etc.. Wire

1.59k views • 20 slides
Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley &amp; Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin,

Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin,

Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin, Satish Tirukkovalluri, James Tuck, and Yan Solihin North Carolina State University The 2018 Non-Volatile Memories Workshop (NVMW 2018) 1

551 views • 17 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating scenarios 1. Outsourced ML Data

781 views • 21 slides
Implementing GLS Recall the assumptions of Approach 9: E( Y | x ) = f ( x , ) , var( Y | x ) =

Implementing GLS Recall the assumptions of Approach 9: E( Y | x ) = f ( x , ) , var( Y | x ) =

ST 762 Nonlinear Statistical Models for Univariate and Multivariate Response Implementing GLS Recall the assumptions of Approach 9: E( Y | x ) = f ( x , ) , var( Y | x ) = 2 g ( , , x ) 2 . Here: is, as before, the vector of

480 views • 17 slides
Management of the Unknowable Dr. Alva L. Couch Tufts University Medford, Massachusetts, USA

Management of the Unknowable Dr. Alva L. Couch Tufts University Medford, Massachusetts, USA

Management of the Unknowable Dr. Alva L. Couch Tufts University Medford, Massachusetts, USA couch@cs.tufts.edu A counter-intuitive story about breaking well-accepted rules of practice , and getting away with it! about

689 views • 55 slides
Global Constraints Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on

Global Constraints Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on

Global Constraints Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on materials by Javier Larrosa) March 20, 2020 Global Constraints Global constraints are classes of constraints defined by a Boolean formula of

1.03k views • 82 slides
Structured Regression for Efficient Object Detection Christoph Lampert www.christoph-lampert.org

Structured Regression for Efficient Object Detection Christoph Lampert www.christoph-lampert.org

Structured Regression for Efficient Object Detection Christoph Lampert www.christoph-lampert.org Max Planck Institute for Biological Cybernetics, Tbingen December 3rd, 2009 [ C.L. , Matthew B. Blaschko, Thomas Hofmann. CVPR 2008]

795 views • 62 slides
Action of finite groups on (generalized) cluster categories Laurent Demonet Max Planck Institut

Action of finite groups on (generalized) cluster categories Laurent Demonet Max Planck Institut

Action of finite groups on (generalized) cluster categories Laurent Demonet Max Planck Institut f ur Mathematik - Germany 1 / 19 triangulated or exact 2-Calabi-Yau category categorification cluster characters (MRZ, BMRRT, (CC,

967 views • 50 slides
Speckle Tracking Imagerie de Dformation Erwan DONAL Cardiologie CHU Rennes

Speckle Tracking Imagerie de Dformation Erwan DONAL Cardiologie CHU Rennes

Speckle Tracking Imagerie de Dformation Erwan DONAL Cardiologie CHU Rennes erwan.donal@chu-rennes.fr LTSI Dclaration de Relations Professionnelles Disclosure Statement of Financial Interest J'ai actuellement, ou j'ai eu au cours

519 views • 39 slides
The Elasticity of Formal Work in African Countries Andy McKay (University of Sussex) Jukka

The Elasticity of Formal Work in African Countries Andy McKay (University of Sussex) Jukka

The Elasticity of Formal Work in African Countries Andy McKay (University of Sussex) Jukka Pirttil (University of Tampere and UNU-WIDER) Caroline Schimanski (Hanken School of Economics and UNU-WIDER) NCDE, 12 June 2018 1 / 29 Outline

534 views • 29 slides
SNS Core Vessel Water Leak Saga Presented at the 7 th High Power Targetry Workshop June 4-8,

SNS Core Vessel Water Leak Saga Presented at the 7 th High Power Targetry Workshop June 4-8,

SNS Core Vessel Water Leak Saga Presented at the 7 th High Power Targetry Workshop June 4-8, 2018 Michael J. Dayton ORNL-SNS ORNL is managed by UT-Battelle for the US Department of Energy Introduction At approximately 6:06 am on

604 views • 28 slides

More recommend