
Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates



  1. Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates
     S. Sinha Roy, K. Järvinen, I. Verbauwhede
     KU Leuven ESAT/COSIC, Leuven, Belgium
     K. Järvinen, CHES 2015, Sept. 14, 2015

  2. Introduction 2/17
     We present a lightweight coprocessor for the 283-bit Koblitz curve
     - The first lightweight implementation of a high security curve
     - The first to include on-the-fly lightweight conversion
     - One of the smallest ECC coprocessors
     - A large set of side-channel countermeasures

  3. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM]

  4. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC, RAM]

  5. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC, RAM; $k, P$; $Q$; intermediate values]

  6. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC]

  7. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC; $k, P$]

  8. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC; intermediate values]

  9. High-level Architecture 3/17
     Point multiplication $Q = kP$:
     [Diagram labels: CPU, RAM, ECC; $Q$]

  10. Koblitz Curves 4/17
      Binary curves which are included in many standards (e.g., NIST)
      Example (point multiplication $Q = kP$):
      · · · add dbl dbl add dbl add dbl dbl add dbl add

  11. Koblitz Curves 4/17
      Binary curves which are included in many standards (e.g., NIST)
      Point doublings can be replaced with cheap Frobenius maps: $\phi : (x, y) \mapsto (x^2, y^2)$
      Example (point multiplication $Q = kP$):
      · · · add dbl dbl add dbl add dbl dbl add dbl add
      · · · add add add add

  12. Koblitz Curves 4/17
      Binary curves which are included in many standards (e.g., NIST)
      Point doublings can be replaced with cheap Frobenius maps: $\phi : (x, y) \mapsto (x^2, y^2)$
      . . . but first the integer $k$ needs to be converted to a $\tau$-adic expansion $k = \sum_{i=0}^{\ell-1} k_i \tau^i$, where $\tau = (\mu + \sqrt{-7})/2 \in \mathbb{C}$
      Example (point multiplication $Q = kP$):
      · · · add dbl dbl add dbl add dbl dbl add dbl add
      · · · conversion add add add add

  13. Koblitz Curves 4/17
      Binary curves which are included in many standards (e.g., NIST)
      Point doublings can be replaced with cheap Frobenius maps: $\phi : (x, y) \mapsto (x^2, y^2)$
      . . . but first the integer $k$ needs to be converted to a $\tau$-adic expansion $k = \sum_{i=0}^{\ell-1} k_i \tau^i$, where $\tau = (\mu + \sqrt{-7})/2 \in \mathbb{C}$
      Example (point multiplication $Q = kP$):
      · · · add dbl dbl add dbl add dbl dbl add dbl add
      · · · conversion add add add add
      [Figure labels: $\mathbb{F}_{2^m}$, $\mathbb{Z}$]

  14. Secure Lightweight Conversion

  15. Conversion Algorithms 6/17
      Our conversion algorithms are based on:
      (1) the lazy reduction by Brumley and Järvinen
      (2) the zero-free expansion by Okeya, Takagi, and Vuillaume

  16. Conversion Algorithms 6/17
      Our conversion algorithms are based on:
      (1) the lazy reduction by Brumley and Järvinen
      (2) the zero-free expansion by Okeya, Takagi, and Vuillaume
      ⇒ Only (multiprecision) additions and subtractions

      (1): Integer $k$ to $\rho = b_0 + b_1\tau$
        $(a_0, a_1) \leftarrow (1, 0)$, $(b_0, b_1) \leftarrow (0, 0)$, $(d_0, d_1) \leftarrow (k, 0)$
        for $i = 0$ to $m - 1$ do
          $u \leftarrow d_0 \bmod 2$
          $d_0 \leftarrow d_0 - u$
          $(b_0, b_1) \leftarrow (b_0 + u \cdot a_0, b_1 + u \cdot a_1)$
          $(d_0, d_1) \leftarrow (d_1 - d_0/2, -d_0/2)$
          $(a_0, a_1) \leftarrow (-2a_1, a_0 - a_1)$
        $\rho = (b_0, b_1) \leftarrow (b_0 + d_0, b_1 + d_1)$

      (2): $\rho$ to $\tau$-adic expansion
        $i \leftarrow 0$
        while $|b_0| \neq 1$ or $b_1 \neq 0$ do
          $u \leftarrow \Psi(b_0 + b_1\tau)$
          $b_0 \leftarrow b_0 - u$
          $(b_0, b_1) \leftarrow (b_1 - b_0/2, -b_0/2)$
          $t_i \leftarrow u$
          $i \leftarrow i + 1$
        $t_i \leftarrow b_0$
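
The two conversion steps on the slide above, as an added Python example (not code from the presentation or its authors). It assumes μ = −1, which is what the slide's update rule (−2a1, a0 − a1) corresponds to, and an assumed definition of Ψ, which the slides do not give: the u ∈ {−1, 1} that leaves (ρ − u)/τ with an odd constant term. All function names are hypothetical.

```python
# Added example, not from the slides. (b0, b1) stands for b0 + b1*tau, with
# mu = -1 (assumed from the slide's update rules), so tau^2 = -tau - 2.

def div_tau(c0, c1):
    """Exact division by tau; c0 must be even."""
    return c1 - c0 // 2, -(c0 // 2)

def lazy_reduce(k, m):
    """Algorithm (1): rho = b0 + b1*tau with rho == k (mod tau^m - 1)."""
    a, b, d = (1, 0), (0, 0), (k, 0)
    for _ in range(m):
        u = d[0] % 2                            # u in {0, 1}
        b = (b[0] + u * a[0], b[1] + u * a[1])
        d = div_tau(d[0] - u, d[1])
        a = (-2 * a[1], a[0] - a[1])            # a <- a * tau
    return b[0] + d[0], b[1] + d[1]

def psi(b0, b1):
    """Assumed Psi: the u in {-1, 1} that keeps (rho - u)/tau odd."""
    return 1 if (b0 - 2 * b1 - 2) % 4 == 1 else -1

def zero_free_expand(rho):
    """Algorithm (2): digits t_0, t_1, ... all in {-1, 1}; needs b0 odd."""
    b0, b1 = rho
    if b0 % 2 == 0:
        raise ValueError("b0 is even: rho is divisible by tau")
    t = []
    while abs(b0) != 1 or b1 != 0:
        u = psi(b0, b1)
        t.append(u)
        b0, b1 = div_tau(b0 - u, b1)
    return t + [b0]

def tau_eval(digits):
    """Evaluate sum(t_i * tau^i) exactly by Horner's rule."""
    x0 = x1 = 0
    for t in reversed(digits):
        x0, x1 = -2 * x1 + t, x0 - x1
    return x0, x1

def congruent(rho, k, m):
    """True if rho - k is a multiple of tau^m - 1 in Z[tau]."""
    a = (1, 0)
    for _ in range(m):
        a = (-2 * a[1], a[0] - a[1])
    y0, y1, z0, z1 = a[0] - 1, a[1], rho[0] - k, rho[1]
    c0, c1 = y0 - y1, -y1                        # conjugate of y
    n = y0 * y0 - y0 * y1 + 2 * y1 * y1          # norm of y
    p0, p1 = z0 * c0 - 2 * z1 * c1, z0 * c1 + z1 * c0 - z1 * c1
    return p0 % n == 0 and p1 % n == 0
```

`zero_free_expand` rejects a ρ with even b0 instead of adjusting it; how the coprocessor handles that case is not shown on these slides.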

  17. Modifications for Efficiency and Improved Security 7/17
      [Figure labels: $a$, $b$, $\pm$, $c$, each marked with width $m$]

  18. Modifications for Efficiency and Improved Security 7/17
      [Figure labels: $a$, $b$, $\pm$, $c$, each marked with width 16]

  25. Modifications for Efficiency and Improved Security 7/17
      [Figure labels: $a$, $b$, $\pm$, $c$, each marked with width 16]
      Negations (e.g., $-d_0/2$) take about 1/3 of cycles

  26. Modifications for Efficiency and Improved Security 7/17
      [Figure labels: $a$, $b$, $\pm$, $c$, each marked with width 16]
      Negations (e.g., $-d_0/2$) take about 1/3 of cycles
      ⇒ We use the modification $(d_0/2 - d_1, d_0/2)$ instead of $(d_1 - d_0/2, -d_0/2)$
      ⇒ The signs will be incorrect but can be corrected

  27. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]

  28. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]
      $u = 1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = 0$ ⇒ do nothing

  29. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]
      $u = 1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = 0$ ⇒ do nothing
      Bad SPA leakage!

  30. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]
      $u = 1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = 0$ ⇒ do nothing
      Bad SPA leakage!
      We select $u \in \{-1, 1\}$ by using $\Psi(d_0 + d_1\tau)$

  31. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]
      $u = 1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = 0$ ⇒ do nothing
      Bad SPA leakage!
      We select $u \in \{-1, 1\}$ by using $\Psi(d_0 + d_1\tau)$
      $u = +1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = -1$ ⇒ $b_0 - a_0$ and $b_1 - a_1$

  32. Modifications for Efficiency and Improved Security (cont.) 8/17
      $b_i + u \cdot a_i$, where $u = d_0 \bmod 2 \in \{0, 1\}$
      [Figure label: $d_0$]
      $u = 1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = 0$ ⇒ do nothing
      Bad SPA leakage!
      We select $u \in \{-1, 1\}$ by using $\Psi(d_0 + d_1\tau)$
      $u = +1$ ⇒ $b_0 + a_0$ and $b_1 + a_1$
      $u = -1$ ⇒ $b_0 - a_0$ and $b_1 - a_1$
      Similar operations ⇒ Improved SPA resistance!

  33. Point Multiplication

  34. Point Multiplication with Zero-free Expansions 10/17
      Zero-free $\tau$-adic expansion [Okeya et al, 2005]
      A $\tau$-adic representation that represents $k$ with $k_i \in \{-1, 1\}$
      Example ($\bar{1}$ denotes $-1$): $\bar{1}\bar{1}1111\bar{1}111\bar{1}\bar{1}\bar{1}1 \ldots \bar{1}111$

  35. Point Multiplication with Zero-free Expansions 10/17
      Zero-free $\tau$-adic expansion [Okeya et al, 2005]
      A $\tau$-adic representation that represents $k$ with $k_i \in \{-1, 1\}$
      Combined with $w$-bit windows and precomputations
      ⇒ Fast point multiplication of only $\ell/w$ point additions
      ⇒ Constant pattern of point operations
      Example ($\bar{1}$ denotes $-1$), $w = 2$: $\bar{1}\bar{1}1111\bar{1}111\bar{1}\bar{1}\bar{1}1 \ldots \bar{1}111$
      $P_{+1} = \phi(P) + P$
      $P_{-1} = \phi(P) - P$

  36. Point Multiplication with Zero-free Expansions 10/17
      Zero-free $\tau$-adic expansion [Okeya et al, 2005]
      A $\tau$-adic representation that represents $k$ with $k_i \in \{-1, 1\}$
      Combined with $w$-bit windows and precomputations
      ⇒ Fast point multiplication of only $\ell/w$ point additions
      ⇒ Constant pattern of point operations
      Example ($\bar{1}$ denotes $-1$), $w = 2$: $\bar{1}\bar{1}1111\bar{1}111\bar{1}\bar{1}\bar{1}1 \ldots \bar{1}111$
      $P_{+1} = \phi(P) + P$
      $P_{-1} = \phi(P) - P$
      [Figure label: $+P_{-1}$]

  37. Point Multiplication with Zero-free Expansions 10/17
      Zero-free $\tau$-adic expansion [Okeya et al, 2005]
      A $\tau$-adic representation that represents $k$ with $k_i \in \{-1, 1\}$
      Combined with $w$-bit windows and precomputations
      ⇒ Fast point multiplication of only $\ell/w$ point additions
      ⇒ Constant pattern of point operations
      Example ($\bar{1}$ denotes $-1$), $w = 2$: $\bar{1}\bar{1}1111\bar{1}111\bar{1}\bar{1}\bar{1}1 \ldots \bar{1}111$
      $P_{+1} = \phi(P) + P$
      $P_{-1} = \phi(P) - P$
      [Figure labels: $\phi^2$, $+P_{-1}$]
