High-performance Elliptic Curve Cryptography by Using the CIOS - - PowerPoint PPT Presentation

▶

Mar 24, 2023 472 likes •926 views

High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication A mine Mrabet , Nadia El-Mrabet, Ronan Lashermes , Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager and Mohsen Machhout September 2016

SLIDE 1

High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication

Amine Mrabet, Nadia El-Mrabet, Ronan Lashermes, Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager and Mohsen Machhout September 2016

Efficient MMM for ECC Mrabet et al. September 2016 1/37

SLIDE 2

Arithmetic Our architecture Results

Introduction

Public key cryptography is still costly (computing resources). Elliptic Curve Cryptography has a better cost/security trade-off w.r.t. RSA. We can still reduce the cost with better hardware architectures.

Efficient MMM for ECC Mrabet et al. September 2016 2/37

SLIDE 3

Arithmetic Our architecture Results

1

Arithmetic ECC Montgomery Modular Multiplication

2

Our architecture Basics PEs Scheduling Resources

3

Results Results Conclusion

Efficient MMM for ECC Mrabet et al. September 2016 3/37

SLIDE 4

Arithmetic Our architecture Results ECC

Elliptic Curve Cryptography (ECC)

Why? Elliptic curves allow to define groups with a hard Discrete Logarithm Problem. In the general case, cracking methods are far less efficient than for RSA.

Efficient MMM for ECC Mrabet et al. September 2016 4/37

SLIDE 5

Arithmetic Our architecture Results ECC

Elliptic Curve Cryptography (ECC)

Why? Elliptic curves allow to define groups with a hard Discrete Logarithm Problem. In the general case, cracking methods are far less efficient than for RSA. How? (simplified) Let p > 3 a big prime, E(Fp) is the (short Weierstrass) elliptic curve E(Fp) : y2 = x3 + ax + b, where x, y, a, b ∈ Fp with 4a3 + 27b2 = 0.

Efficient MMM for ECC Mrabet et al. September 2016 4/37

SLIDE 6

Arithmetic Our architecture Results ECC

EC Group

The points (x, y) on the curve define an abelian group together with the point at infinity 0∞, the neutral element for addition.

Efficient MMM for ECC Mrabet et al. September 2016 5/37

SLIDE 7

Arithmetic Our architecture Results ECC

EC Group

The points (x, y) on the curve define an abelian group together with the point at infinity 0∞, the neutral element for addition. Jacobian coordinates The triple (x : y : z) can be mapped to (x/z2, y/z3) if z = 0. If z = 0 it is 0∞. The curve becomes: y2 = x3 + axz4 + bz6.

Efficient MMM for ECC Mrabet et al. September 2016 5/37

SLIDE 8

Arithmetic Our architecture Results ECC

Operations in Jacobian coordinates (a = 0, points = 0∞)

Doubling (7S+5M+13A) T(XT : YT : ZT) = 2 · Q(XQ : YQ : ZQ). XT = 9X 4

Q − 8XQY 2 Q,

YT = 3X 2

Q(4XQYQ − XT) − 8Y 4 Q,

ZT = 2YQZQ.

Efficient MMM for ECC Mrabet et al. September 2016 6/37

SLIDE 9

Arithmetic Our architecture Results ECC

Operations in Jacobian coordinates (a = 0, points = 0∞)

Doubling (7S+5M+13A) T(XT : YT : ZT) = 2 · Q(XQ : YQ : ZQ). XT = 9X 4

Q − 8XQY 2 Q,

YT = 3X 2

Q(4XQYQ − XT) − 8Y 4 Q,

ZT = 2YQZQ. Addition (4S + 14M + 6A) R = T + Q. XR = (2YQZ 3

T − 2YT)2 − 4(XQZ 2 T − XT)3 − 8(XQZ 2 T − XT)2XT,

YR = (2YQZ 3

T − 2YT)(4XT(XQZ 2 T − XT) − XR) − 8YT(XQZ 2 T − XT)3,

ZR = 2ZT(XQZ 2

T − XT).

Efficient MMM for ECC Mrabet et al. September 2016 6/37

SLIDE 10

Arithmetic Our architecture Results Montgomery Modular Multiplication

Montgomery Modular Multiplication (MMM)

MMM MMM provides an efficient way for modular multiplication mod p (noted ·): there is no division by p.

Efficient MMM for ECC Mrabet et al. September 2016 7/37

SLIDE 11

Arithmetic Our architecture Results Montgomery Modular Multiplication

Montgomery Modular Multiplication (MMM)

MMM MMM provides an efficient way for modular multiplication mod p (noted ·): there is no division by p. Residue Let a, b, R ∈ Fp where R is Montgomery’s residue. a′ = aR mod p is said to be a in Montgomery’s form. a · b = abR−1 mod p, as a consequence a′ · b′ = aRbRR−1 mod p = abR mod p = (ab)′.

Efficient MMM for ECC Mrabet et al. September 2016 7/37

SLIDE 12

Arithmetic Our architecture Results Montgomery Modular Multiplication

Montgomery Modular Multiplication (MMM)

MMM MMM provides an efficient way for modular multiplication mod p (noted ·): there is no division by p. Residue Let a, b, R ∈ Fp where R is Montgomery’s residue. a′ = aR mod p is said to be a in Montgomery’s form. a · b = abR−1 mod p, as a consequence a′ · b′ = aRbRR−1 mod p = abR mod p = (ab)′. Conversion Field values are converted in Montgomery’s form at the beginning

f the computation and back to normal at the end.

Efficient MMM for ECC Mrabet et al. September 2016 7/37

SLIDE 13

Arithmetic Our architecture Results Montgomery Modular Multiplication

How to compute MMM?

Koç’s multiword CIOS algorithm

Efficient MMM for ECC Mrabet et al. September 2016 8/37

SLIDE 14

Arithmetic Our architecture Results Montgomery Modular Multiplication

CIOS details

Efficient MMM for ECC Mrabet et al. September 2016 9/37

SLIDE 15

Arithmetic Our architecture Results Montgomery Modular Multiplication

Benefits

Low memory footprint, apart from some precomputations (p′, R...), easy to change p and operand sizes, neat structure, without divisions, easy to implement in hardware.

Efficient MMM for ECC Mrabet et al. September 2016 10/37

SLIDE 16

Arithmetic Our architecture Results Basics

Basics

Here, each operation takes 1 unit of time. Let’s compute r = a · b + b + c. Sequential Time · + Operations 1 x t1 = a · b 2 x t2 = b + c 3 x r = t1 + t2

Efficient MMM for ECC Mrabet et al. September 2016 11/37

SLIDE 17

Arithmetic Our architecture Results Basics

Basics

Here, each operation takes 1 unit of time. Let’s compute r = a · b + b + c. Sequential Time · + Operations 1 x t1 = a · b 2 x t2 = b + c 3 x r = t1 + t2 Parallel Time · + Operations 1 x x t1 = a · b, t2 = b + c 2 x r = t1 + t2

Efficient MMM for ECC Mrabet et al. September 2016 11/37

SLIDE 18

Arithmetic Our architecture Results Basics

Basics - 2

Here, each operation takes 1 unit of time. Let’s compute r = a · b + b + c. Atomic Latency Throughput · + Operations 2 0.5 1 2 r = a · b + b + c The choice of operations and how they are chained together is called scheduling.

Efficient MMM for ECC Mrabet et al. September 2016 12/37

SLIDE 19

Arithmetic Our architecture Results Basics

Basics - 2

Here, each operation takes 1 unit of time. Let’s compute r = a · b + b + c. Atomic Latency Throughput · + Operations 2 0.5 1 2 r = a · b + b + c Pipelined Latency Throughput · + Operations 2 + ǫ 0.5 1 1

1 : t1 = a · b, t2 = b + c, 2 : r = t1 + t2

2 + ǫ 1 1 2

1 : t1 = a · b, t2 = b + c, 2 : r = t1 + t2

The choice of operations and how they are chained together is called scheduling.

Efficient MMM for ECC Mrabet et al. September 2016 12/37

SLIDE 20

Arithmetic Our architecture Results Basics

Systolic arrays

A systolic array is an architecture both parallel and pipelined. To create such an architecture, we have to identify small Processing Elements (PEs) (no control flow logic).

Efficient MMM for ECC Mrabet et al. September 2016 13/37

SLIDE 21

Arithmetic Our architecture Results PEs

Where is Waldo the PE?

Efficient MMM for ECC Mrabet et al. September 2016 14/37

SLIDE 22

Arithmetic Our architecture Results PEs

α

Efficient MMM for ECC Mrabet et al. September 2016 15/37

SLIDE 23

Arithmetic Our architecture Results PEs

αf

Efficient MMM for ECC Mrabet et al. September 2016 16/37

SLIDE 24

Arithmetic Our architecture Results PEs

β

Efficient MMM for ECC Mrabet et al. September 2016 17/37

SLIDE 25

Arithmetic Our architecture Results PEs

γ

Efficient MMM for ECC Mrabet et al. September 2016 18/37

SLIDE 26

Arithmetic Our architecture Results PEs