pushing the limits of high speed gf 2 m elliptic curve
play

Pushing the Limits of High-Speed GF (2 m ) Elliptic Curve Scalar - PowerPoint PPT Presentation

Dec 01, 2023 •253 likes •720 views

Pushing the Limits of High-Speed GF (2 m ) Elliptic Curve Scalar Multiplier on FPGAs Chester Rebeiro, Sujoy Sinha Roy, and Debdeep Mukhopadhyay Secured Embedded Architecture Lab Indian Institute of Technology Kharagpur India 9/12/2012 CHES

  1. Pushing the Limits of High-Speed GF (2 m ) Elliptic Curve Scalar Multiplier on FPGAs Chester Rebeiro, Sujoy Sinha Roy, and Debdeep Mukhopadhyay Secured Embedded Architecture Lab Indian Institute of Technology Kharagpur India 9/12/2012 CHES 2012, Leuven Belgium

  2. Elliptic Curve Scalar Multiplication • An elliptic curve over GF (2 m ) is a set of points which satisfies the equation y 2 + xy = x 3 + ax 2 + b , where a , b ∈ GF (2 m ) and b � = 0. The points on the elliptic curve form an additive group. • The projective coordinate representation of the curve is Y 2 + XYZ = X 3 + aX 2 Z 2 + bZ 4 • Scalar Multiplication : Given a base point P = ( X P , Y P , Z P ) on the elliptic curve and a scalar s compute Q = sP ( i.e. Q = P + P + P + · · · ( stimes )) 9/12/2012 CHES 2012, Leuven Belgium 2

  3. Montgomery Ladder for Scalar Multiplication Inputs : scalar s = ( s t − 1 s t − 2 · · · s 1 s 0 ) 2 basepoint P Output : Scalar Product Q = sP 1 P 1 = ( X 1 , Y 1 , Z 1 ) ← P and P 2 = ( X 2 , Y 2 , Z 2 ) ← 2 · P 2 For each bit s k (for k = t − 2 , t − 3 , · · · , 0) • if s k = 1 then P 1 ← P 1 + P 2 ; P 2 = 2 · P 2 • if s k = 0 then P 2 ← P 1 + P 2 ; P 1 = 2 · P 1 3 Q = Projective 2 Affine ( P 1 ) 9/12/2012 CHES 2012, Leuven Belgium 3

  4. Montgomery Ladder for Scalar Multiplication Inputs : scalar s = ( s t − 1 s t − 2 · · · s 1 s 0 ) 2 basepoint P Output : Scalar Product Q = sP 1 P 1 = ( X 1 , Y 1 , Z 1 ) ← P and P 2 = ( X 2 , Y 2 , Z 2 ) ← 2 · P 2 For each bit s k (for k = t − 2 , t − 3 , · · · , 0) • if s k = 1 then P 1 ← P 1 + P 2 ; P 2 = 2 · P 2 • if s k = 0 then P 2 ← P 1 + P 2 ; P 1 = 2 · P 1 3 Q = Projective 2 Affine ( P 1 ) Performing P i ← P i + P j and P j ← 2 · P i X i ← X i · Z j ; Z i ← X j · Z i ; T ← X j ; X j ← X 4 j + b · Z 4 j Z j ← ( T · Z j ) 2 ; T ← X i · Z i ; Z i ← ( X i + Z i ) 2 ; X i ← x · Z i + T . . . all operations are in GF (2 m ) 9/12/2012 CHES 2012, Leuven Belgium 3

  5. Engineering the Montgomery Ladder for Scalar Multiplication Scalar Multiplication Arithmetic Regbank Unit Elliptic Curve sP Group Operations Finite Field Operations ROM Control Unit s (a) The ECC Pyramid (b) Block Diagram 9/12/2012 CHES 2012, Leuven Belgium 4

  6. Engineering the Montgomery Ladder for Scalar Multiplication Scalar Multiplication Arithmetic Regbank Unit Elliptic Curve sP Group Operations Finite Field Operations ROM Control Unit s (a) The ECC Pyramid (b) Block Diagram High-speed scalar multiplication on FPGAs • Minimize area by maximizing utilization of available resources • Optimal Pipelining • Efficient Scheduling of Operations 9/12/2012 CHES 2012, Leuven Belgium 4

  7. Field Programmable Gate Arrays • Provides the speed of hardware and the reconfigurablitity of software • FPGA Architecture Programmable Routing Switches Programmable Connection Switch Logic Block (a) FPGA Island 9/12/2012 CHES 2012, Leuven Belgium 5

  8. Field Programmable Gate Arrays • Provides the speed of hardware and the reconfigurablitity of software • FPGA Architecture COUT Programmable Routing Switches F4 PRE F3 Control LUT & D Q F2 Carry CE Logic Programmable F1 Connection Switch Logic Block CLK CLR SR CE CLK BY CIN (a) FPGA Island (b) Lookup Table 9/12/2012 CHES 2012, Leuven Belgium 5

  9. LUT Utilization LUT • Four (or six) input → one output • Can implement any four (or six) input truth table • y 1 = x 1 ⊕ x 2 ⊕ x 3 ⊕ x 4 Requires one LUT. • y 2 = x 1 ⊕ x 2 Still requires one LUT. 9/12/2012 CHES 2012, Leuven Belgium 6

  10. LUT Utilization LUT • Four (or six) input → one output • Can implement any four (or six) input truth table • y 1 = x 1 ⊕ x 2 ⊕ x 3 ⊕ x 4 Requires one LUT. • y 2 = x 1 ⊕ x 2 Still requires one LUT. • y 2 results in an under utilized LUT. . . . need to maximize LUT utilization to minimize area. 9/12/2012 CHES 2012, Leuven Belgium 6

  11. Finite field Multiplier for Best LUT utilization 233 Karatusba Multiplier 117 116 58 59 58 58 29 29 29 29 29 29 29 30 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 8 5 6 (a) Karatsuba-Ofman Multiplication 9/12/2012 [VLSID 2008] CHES 2012, Leuven Belgium 7

  12. Finite field Multiplier for Best LUT utilization 233 Karatusba Multiplier 233 Karatusba Multiplier 117 117 116 116 58 59 58 59 58 58 58 58 29 29 29 29 29 29 29 30 29 29 29 30 29 29 29 29 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 77 78 7778 7778 7778 7778 777 8 77 78 7856 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 8 5 6 Classical Multiplier (a) Karatsuba-Ofman Multiplication (b) Hybrid Karatsuba Multiplication 9/12/2012 [VLSID 2008] CHES 2012, Leuven Belgium 7

  13. Finite field Multiplier for Best LUT utilization 233 Karatusba Multiplier 233 Karatusba Multiplier 117 117 116 116 58 59 58 59 58 58 58 58 29 29 29 29 29 29 29 30 29 29 29 30 29 29 29 29 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 77 78 7778 7778 7778 7778 777 8 77 78 7856 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 8 5 6 Classical Multiplier (a) Karatsuba-Ofman Multiplication (b) Hybrid Karatsuba Multiplication 9600 LUTs 8800 4 6 8 10 12 14 16 18 20 22 Threshold (c) Finding the Right Threshold 9/12/2012 [VLSID 2008] CHES 2012, Leuven Belgium 7

  14. Finite field Multiplier for Best LUT utilization 233 Karatusba Multiplier 233 Karatusba Multiplier 117 117 116 116 58 59 58 59 58 58 58 58 29 29 29 29 29 29 29 30 29 29 29 30 29 29 29 29 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 14 15 14 15 14 15 14 15 14 15 14 15 14 15 15 15 77 78 7778 7778 7778 7778 777 8 77 78 7856 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 7 7 8 7 8 5 6 Classical Multiplier (a) Karatsuba-Ofman Multiplication (b) Hybrid Karatsuba Multiplication 1.1e+06 1e+06 900000 9600 800000 LUTs 700000 Area * Time 600000 500000 400000 8800 300000 200000 4 6 8 10 12 14 16 18 20 22 100000 Karatsuba-Ofman Hybrid Karatsuba 0 90 180 270 360 450 540 Threshold Number of bits (c) Finding the Right Threshold (d) Comparing Multipliers 9/12/2012 [VLSID 2008] CHES 2012, Leuven Belgium 7

  15. Finite Field Inversion Using Itoh-Tsujii Algorithm • Given a ∈ GF (2 m ), find a − 1 ∈ GF (2 m ) such that a · a − 1 = 1 • Fermat’s Little Theorem : a − 1 = a 2 m − 2 • Itoh-Tsujii Algorithm 1 Define the addition chain for m − 1 (for example m = 233 : (1 , 2 , 3 , 6 , 7 , 14 , 28 , 58 , 116 , 232)) 2 Compute a → a 2 2 − 1 → a 2 3 − 1 → a 2 6 − 1 → a 2 7 − 1 → a 2 14 − 1 · · · → a 2 232 − 1 3 Square to get a 2 233 − 2 9/12/2012 CHES 2012, Leuven Belgium 8

  16. Finite Field Inversion Using Itoh-Tsujii Algorithm • Given a ∈ GF (2 m ), find a − 1 ∈ GF (2 m ) such that a · a − 1 = 1 • Fermat’s Little Theorem : a − 1 = a 2 m − 2 • Itoh-Tsujii Algorithm 1 Define the addition chain for m − 1 (for example m = 233 : (1 , 2 , 3 , 6 , 7 , 14 , 28 , 58 , 116 , 232)) 2 Compute a → a 2 2 − 1 → a 2 3 − 1 → a 2 6 − 1 → a 2 7 − 1 → a 2 14 − 1 · · · → a 2 232 − 1 3 Square to get a 2 233 − 2 • Exponentiation requires a series of cascaded squarers called powerblock along with a finite field multiplier Input Square Square Square Square Circuit−1 Circuit−2 Circuit−3 Circuit−11 qsel Multiplexer Output 9/12/2012 CHES 2012, Leuven Belgium 8

  17. Using Higher Exponents in the Itoh-Tsujii Algorithm Consider using a quad circuit instead of a square. • This requires an addition chain to m − 1 instead of m − 1 thus 2 finishes faster. [IEEE TVLSI 2011, DATE 2011] 9/12/2012 CHES 2012, Leuven Belgium 9

  18. Using Higher Exponents in the Itoh-Tsujii Algorithm Consider using a quad circuit instead of a square. • This requires an addition chain to m − 1 instead of m − 1 thus 2 finishes faster. • The frequency of operation is not affected and area used is less due to better LUT utilization. Table: Comparison of Squarer and Quad Circuits on Xilinx Virtex 4 FPGA Field Squarer Circuit Quad Circuit Size ratio # LUTq # LUT s Delay (ns) # LUT q Delay (ns) 2(# LUTs ) GF (2 193 ) 96 1.48 145 1.48 0.75 GF (2 233 ) 153 1.48 230 1.48 0.75 [IEEE TVLSI 2011, DATE 2011] 9/12/2012 CHES 2012, Leuven Belgium 9

  19. Using Higher Exponents in the Itoh-Tsujii Algorithm Consider using a quad circuit instead of a square. • This requires an addition chain to m − 1 instead of m − 1 thus 2 finishes faster. • The frequency of operation is not affected and area used is less due to better LUT utilization. Table: Comparison of Squarer and Quad Circuits on Xilinx Virtex 4 FPGA Field Squarer Circuit Quad Circuit Size ratio # LUTq # LUT s Delay (ns) # LUT q Delay (ns) 2(# LUTs ) GF (2 193 ) 96 1.48 145 1.48 0.75 GF (2 233 ) 153 1.48 230 1.48 0.75 • Larger exponent circuits can similarly be used to obtain faster results. [IEEE TVLSI 2011, DATE 2011] 9/12/2012 CHES 2012, Leuven Belgium 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve :

High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve :

= 2 255 High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve : Z 0 1 by D. J. Bernstein th multiple coordinate of

606 views • 45 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields K. Jrvinen 1 , A. Miele 2 , R. Azarderakhsh 3 , and P . Longa 4 1 Aalto University 2 Intel Corporation 3 Rochester Institute of

831 views • 81 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Pushing the limits with spectroscopy: High-redshift overdensities at 2<z<6 in zCOSMOS

Pushing the limits with spectroscopy: High-redshift overdensities at 2<z<6 in zCOSMOS

Pushing the limits with spectroscopy: High-redshift overdensities at 2<z<6 in zCOSMOS and MUSE-Wide Catrina Diener + Simon Lilly (ETH Zurich), the zCOSMOS team Lutz Wisotzki (AIP Potsdam), the MUSE-Wide team We cant find

381 views • 25 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication A

High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication A

High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication A mine Mrabet , Nadia El-Mrabet, Ronan Lashermes , Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager and Mohsen Machhout September 2016

920 views • 44 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
By Shervin Daneshpajouh Computer Arithmetic Computer Arithmetic p Computer Computer Arithmetic

By Shervin Daneshpajouh Computer Arithmetic Computer Arithmetic p Computer Computer Arithmetic

By Shervin Daneshpajouh Computer Arithmetic Computer Arithmetic p Computer Computer Arithmetic Computer Computer Arithmetic Arithmetic Arithmetic CPU combines of ALU and Control Unit, CPU combines of ALU and Control Unit, The Arithmetic

356 views • 35 slides
Integers Today ! Numeric Encodings ! Programming Implications ! Basic operations ! Programming

Integers Today ! Numeric Encodings ! Programming Implications ! Basic operations ! Programming

Integers Today ! Numeric Encodings ! Programming Implications ! Basic operations ! Programming Implications Next time ! Floats Tuesday, September 27, 2011 Checkpoint Tuesday, September 27, 2011 Encoding integers in binary Positive integers,

423 views • 41 slides
CDA 4253/CIS 6930 FPGA System Design Modeling of Combinational Circuits Hao Zheng Dept of Comp

CDA 4253/CIS 6930 FPGA System Design Modeling of Combinational Circuits Hao Zheng Dept of Comp

CDA 4253/CIS 6930 FPGA System Design Modeling of Combinational Circuits Hao Zheng Dept of Comp Sci & Eng USF Reading P. Chu, FPGA Prototyping by VHDL Examples Chapter 3, RT-level combinational circuit Sections 3.1 - 3.2, 3.5 -

1.39k views • 99 slides
1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits

1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits

binary = base 2 1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits 2 3 2 2 2 1 2 0 position 3 2 1 0 bits, bytes, numbers, and notation When ambiguous, subscript with base: 101 10 Dalmatians

279 views • 4 slides
Smartphone/tablet CPUs iPad 1 (2010) was the first popular tablet: more than 15 million sold.

Smartphone/tablet CPUs iPad 1 (2010) was the first popular tablet: more than 15 million sold.

1 Smartphone/tablet CPUs iPad 1 (2010) was the first popular tablet: more than 15 million sold. iPad 1 contains 45nm Apple A4 system-on-chip. Apple A4 contains 1GHz ARM Cortex-A8 CPU core + PowerVR SGX 535 GPU. Cortex-A8 CPU core (2005)

747 views • 38 slides
Pipeline Control unit (highly abstracted) Control ID/EX EX/Mem Unit Mem/WB IF/ID IF ID EX

Pipeline Control unit (highly abstracted) Control ID/EX EX/Mem Unit Mem/WB IF/ID IF ID EX

Pipeline Control unit (highly abstracted) Control ID/EX EX/Mem Unit Mem/WB IF/ID IF ID EX Mem WB 2/15/99 CSE378 Pipelining Control unit and 1 hazards Where are the control signals needed? Very much like in multiple cycle

296 views • 8 slides
CS4403 - CS9535: An Overview of Parallel Computing Marc Moreno Maza University of Western

CS4403 - CS9535: An Overview of Parallel Computing Marc Moreno Maza University of Western

CS4403 - CS9535: An Overview of Parallel Computing Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) January 10, 2017 Plan 1 Hardware 2 Types of Parallelism 3 Concurrency Platforms: Three Examples Julia Cilk CUDA MPI

914 views • 75 slides
Operators Lecture 4 COP 3014 Spring 2017 January 19, 2017 Operators Special built-in

Operators Lecture 4 COP 3014 Spring 2017 January 19, 2017 Operators Special built-in

Operators Lecture 4 COP 3014 Spring 2017 January 19, 2017 Operators Special built-in symbols that have functionality, and work on operands operand an input to an operator Arity - how many operands an operator takes unary

422 views • 14 slides

More recommend