recent advances in parallel implementations of scalar
play

Recent Advances in Parallel Implementations of Scalar Multiplication - PowerPoint PPT Presentation

Mar 15, 2023 •31 likes •781 views

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

  1. Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39

  2. Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic curve arithmetic 3 Scalar multiplication 4 2 / 39

  3. Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic curve arithmetic 3 Scalar multiplication 4 3 / 39

  4. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob 4 / 39

  5. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob a ← random () b ← random () 4 / 39

  6. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob a ← random () b ← random () Computes A = a · P Computes B = b · P 4 / 39

  7. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob sends A a ← random () b ← random () Computes A = a · P Computes B = b · P sends B 4 / 39

  8. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob sends A a ← random () b ← random () Computes A = a · P Computes B = b · P sends B Computes K = a · B Computes K = b · A Shared secret key K = a · b · P 4 / 39

  9. Diffie-Hellmann key exchange Alice and Bob agree on a group ( G , + , O ) and a generating point of the group P . Alice Bob sends A a ← random () b ← random () Computes A = a · P Computes B = b · P sends B Computes K = a · B Computes K = b · A Shared secret key K = a · b · P The main operation is the scalar multiplication a · P . 4 / 39

  10. Group law for an elliptic curve y 2 = x 3 − 2 x + 1 P = ( x P , y P ) x Q = ( x Q , y Q ) 5 / 39

  11. Group law for an elliptic curve y 2 = x 3 − 2 x + 1 R = P + Q P = ( x P , y P ) x Q = ( x Q , y Q ) Addition (chord): � x R = λ − x P − x Q y R = y P − λ ( x R − x P ) with λ = y P − y Q x P − x Q 5 / 39

  12. Group law for an elliptic curve y 2 = x 3 − 2 x + 1 R = P + Q P = ( x P , y P ) P = ( x P , y P ) x x Q = ( x Q , y Q ) R = 2 P Doubling (tangent): Addition (chord): � x R � x R = λ − 2 x P = λ − x P − x Q y R = y P − λ ( x R − x P ) y R = y P − λ ( x R − x P ) with λ = y P − y Q with λ = 3 x 2 P + a x P − x Q 2 y P 5 / 39

  13. Scalar multiplication : k · P P Scalar multiplication: 7 P 2 · P x 3 P = (2 P ) + P 6 P = 2 · (3 P ) 7 P = (6 P ) + P 2 P 6 / 39

  14. Scalar multiplication : k · P P Scalar multiplication: 7 P 2 · P 3 P x 3 P = (2 P ) + P 6 P = 2 · (3 P ) 7 P = (6 P ) + P 2 P 6 / 39

  15. Scalar multiplication : k · P 6 P P Scalar multiplication: 7 P 2 · P 3 P 3 P = (2 P ) + P x 6 P = 2 · (3 P ) 7 P = (6 P ) + P 6 / 39

  16. Scalar multiplication : k · P 6 P P Scalar multiplication: 7 P 2 · P 3 P = (2 P ) + P x 6 P = 2 · (3 P ) 7 P = (6 P ) + P 7 P 6 / 39

  17. Hierarchy of operations ECDSA Diffie-Hellman ← Protocols (sign) (key exchange) ← Scalar multiplication Double-and-add Halve-and-add Point Point Point ← Curve operation doubling addition halving Field Field Field Quadratic ← Field operation addition multiplication inversion solver 7 / 39

  18. The considered elliptic curves E ( F 2 m ) Binary field: F 2 = Z / 2 Z . Extended binary field: F 2 m = F 2 [ t ] / ( f ( t )) where f ( t ) is irreducible. For A = � m − 1 i =0 a i t i and B = � m − 1 i =0 b i t i in F 2 m m − 1 � ( a i + b i ) · t i , addition : A + B = i =0 multiplication : A × B = A · B mod f ( t ) . Binary elliptic curve: the set of points P = ( x , y ) ∈ F 2 2 m satisfying E : y 2 + xy = x 3 + ax 2 + b , a , b ∈ F 2 m . 8 / 39

  19. Curve and field implemented NIST curve B233: defined over F 2 [ t ] / ( t 233 + t 74 + 1) with equation E : y 2 + xy = x 3 + x 2 + b where b =0 x 066647 ede 6 c 332 c 7 f 8 c 0923 bb 58213 b 333 b 20 e 9 ce 4281 fe 115 f 7 d 8 f 90 ad , N =6901746346790563787434755862277025555839812737345013555379383634485463 . GHS curve E ( F 2 2 · 127 ): defined over the field F 2 2 · 127 constructed as F [ t ] / ( t 127 + t 63 + 1) = F 2 127 F 2 127 [ u ] / ( u 2 + u + 1) = F 2 2 · 127 with curve equation E : y 2 + xy = x 3 + ux 2 + b √ b = 0 xE 2 DA 921 E 91 E 38 DD 1 and admitting an endomorphism. 9 / 39

  20. Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic curve arithmetic 3 Scalar multiplication 4 10 / 39

  21. F 2 m arithmetic over Intel Cores Intel Core i3,i5 and i7 offer: Logical instructions XOR, AND over 128 and 256 bits. PCLMUL instruction computing the product of two degree 64 binary polynomials. PSHUFB a byte shuffling instructions . Shifting instruction (vector 64 bit shifts and full 128 bit shifts). 11 / 39

  22. F 2 m arithmetic over Intel Cores Intel Core i3,i5 and i7 offer: Logical instructions XOR, AND over 128 and 256 bits. PCLMUL instruction computing the product of two degree 64 binary polynomials. PSHUFB a byte shuffling instructions . Shifting instruction (vector 64 bit shifts and full 128 bit shifts). We will see how to implement arithmetic over F 2 233 : 1 Polynomial multiplication with PCLMUL. 2 Polynomial squaring with PSHUFB. 3 Reduction with shift, 128-bit XOR and AND. 4 Look up table for quadratic-solver. 11 / 39

  23. Multiplication in F 2 233 with Karatsuba Karatsuba formula For A ( x ) = A h + t m / 2 A l and B ( x ) = B h + t m / 2 B l A × B = A h B h t m + (( A h + A l )( B h + B l ) + A h B h + A l B l ) t m / 2 + A l B l 12 / 39

  24. Multiplication in F 2 233 with Karatsuba Karatsuba formula For A ( x ) = A h + t m / 2 A l and B ( x ) = B h + t m / 2 B l A × B = A h B h t m + (( A h + A l )( B h + B l ) + A h B h + A l B l ) t m / 2 + A l B l Two recursions for degree m = 233: 128 bits A [3] A [2] A [1] A [0] × B [3] B [2] B [1] B [0] PCLMUL PCLMUL PCLMUL PCLMUL PCLMUL PCLMUL PCLMUL PCLMUL PCLMUL C [7] C [6] C [5] C [4] C [3] C [2] C [1] C [0] 12 / 39

  25. Squaring with PSHUFB Let a and b be two 128-bits data = 16 bytes. The PSHUFB instruction permute the bytes of a as specified by b b = 14 15 12 13 10 11 8 9 6 7 4 5 2 3 0 1 a = a[15] a[14] a[13] a[12] a[11] a[10] a[9] a[8] a[7] a[6] a[5] a[4] a[3] a[2] a[1] a[0] PSHUFB( b , a ) outputs c = a[14] a[15] a[12] a[13] a[10] a[11] a[8] a[9] a[6] a[7] a[4] a[5] a[2] a[3] a[0] a[1] In other words c [ i ] = a [ b [ i ]] 13 / 39

  26. Squaring with PSHUFB Squaring a polynomial b ( t ) = � m − 1 i =0 b i t i ∈ F 2 [ t ]: m − 1 � b ( t ) 2 = b i t 2 i . i =0 Aranha et al. 2010: Use PSHUFB for simultaneous look-up table: ◮ We store in a [ j ] the squaring of j (seen as an element of F 2 [ t ]) a [ j ] = j 2 for j = 0 , . . . , 16 . ◮ PSHUFB( b , a ) computes c [ i ] = a [ b [ i ]] = ( b [ i ]) 2 . Squaring 128 bits = 2 PSHUFB + 1 Masking + 3 shifts. 14 / 39

  27. Square root We express the square root of A ( t ) = � m − 1 i =0 a i t i as: even degree odd degree � �� � � �� � m − 1 m − 1 2 2 � � a 2 i t 2 i + a 2 i +1 t 2 i +1 )) 1 / 2 ( A ( t )) 1 / 2 = ( ( i =0 i =0 �� m − 1 � �� m − 1 � + √ x i =0 a 2 i t i i =0 a 2 i +1 t i 2 2 = Masking: We separate A as A odd and A even . PSHUB: We suppress zeros in A odd and A even . Shift and XOR: we multiply A odd by √ x = and XOR it to A even . 15 / 39

  28. Reduction modulo f ( t ) = t 233 + t 74 + 1 c 464 · · · c 384 c 383 · · · · · · c 256 c 255 · · · · · · c 128 c 127 · · · · · · c 1 c 0 0 · · · · · · 0 16 / 39

  29. Reduction modulo f ( t ) = t 233 + t 74 + 1 c 464 · · · c 384 c 383 · · · · · · c 256 c 255 · · · · · · c 128 c 127 · · · · · · c 1 c 0 0 · · · · · · 0 t 384 = t 225 + t 151 c 464 · · · c 384 0 · · · · · · 0 c 464 · · · c 384 0 · · · · · · 0 16 / 39

  30. Reduction modulo f ( t ) = t 233 + t 74 + 1 c 383 · · · · · · c 256 c 255 · · · · · · c 128 c 127 · · · · · · c 1 c 0 c 464 · · · c 384 0 · · · · · · 0 c 464 · · · c 384 0 · · · · · · 0 c r , 383 · · · · · · c r , 256 c r , 255 · · · · · · c r , 128 c r , 127 · · · · · · c r , 1 c r , 0 16 / 39

  31. Reduction modulo f ( t ) = t 233 + t 74 + 1 c 383 · · · · · · c 256 c 255 · · · · · · c 128 c 127 · · · · · · c 1 c 0 c 464 · · · c 384 0 · · · · · · 0 c 464 · · · c 384 0 · · · · · · 0 c r , 383 · · · · · · c r , 256 c r , 255 · · · · · · c r , 128 c r , 127 · · · · · · c r , 1 c r , 0 t 256 = t 97 + t 23 c r , 383 · · · · · · c r , 256 c r , 383 · · · · · · c r , 256 16 / 39

  32. Reduction modulo f ( t ) = t 233 + t 74 + 1 c 383 · · · · · · c 256 c 255 · · · · · · c 128 c 127 · · · · · · c 1 c 0 c 464 · · · c 384 0 · · · · · · 0 c 464 · · · c 384 0 · · · · · · 0 c r , 255 · · · · · · c r , 128 c r , 127 · · · · · · c r , 1 c r , 0 c r , 383 · · · · · · c r , 256 c r , 383 · · · · · · c r , 256 c r , 255 .. c r , 233 · · · c r , 128 c r , 127 · · · · · · c r , 1 c r , 0 16 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent Advances in Photonic Recent Advances in Photonic effect employing IP- based distributed

Recent Advances in Photonic Recent Advances in Photonic effect employing IP- based distributed

Development of Photonic Network Optical burst switching Next Generation Enhancement of Networks Dynamic (Adaptive) Optical Path Control statistical >10Tb/s multiplexing Photonic MPLS Network Recent Advances in Photonic Recent Advances

762 views • 8 slides
Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances

Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances

Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances in Biomolecular NMR Protonless NMR for the characterization of Unfolded proteins, Large protein assemblies, Paramagnetic systems I n cell

635 views • 42 slides
Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances

Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances

Recent Advances in Biomolecular NMR Lucia Banci CERM University of Florence Recent Advances in Biomolecular NMR Protonless NMR for the characterization of Unfolded proteins, Large protein assemblies, Paramagnetic systems I n cell

1.23k views • 70 slides
Confl flict and Development: Recent Advances and Future Agendas Professor Patricia Justino

Confl flict and Development: Recent Advances and Future Agendas Professor Patricia Justino

Confl flict and Development: Recent Advances and Future Agendas Professor Patricia Justino Institute of Development Studies, UK Where we are Three main advances in recent research on conflict and violence: shift from state-level to more

323 views • 9 slides
On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael

On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael

On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael Jaedicke, Bernhard Mitschang ACM SIGMOD 1998, 06/04/1998 Overview: Introduction to user-defined functions Parallel processing of UDFs a

505 views • 18 slides
Recent Advances Aly Khawaja Outline STAR- CCM+: a complete simulation workflow Emphasis on

Recent Advances Aly Khawaja Outline STAR- CCM+: a complete simulation workflow Emphasis on

Meshing in STAR-CCM+: Recent Advances Aly Khawaja Outline STAR- CCM+: a complete simulation workflow Emphasis on pre-processing technology Recent advances in surface preparation and meshing Continue to enhance flexibility, control,

1.13k views • 30 slides
Performance Issues for Parallel Implementations of Bootstrap Simulation Algorithm 22 nd

Performance Issues for Parallel Implementations of Bootstrap Simulation Algorithm 22 nd

Performance Issues for Parallel Implementations of Bootstrap Simulation Algorithm 22 nd International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD 2010) Ricardo M. Czekster, Paulo Fernandes, Afonso Sales and Thais

964 views • 37 slides
Parallel Programming Libraries and Implementations Reusing this material This work is licensed

Parallel Programming Libraries and Implementations Reusing this material This work is licensed

Parallel Programming Libraries and Implementations Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US

589 views • 28 slides
Parallel Programming Libraries and implementations Reusing this material This work is licensed

Parallel Programming Libraries and implementations Reusing this material This work is licensed

Parallel Programming Libraries and implementations Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US

612 views • 30 slides
Parallel Programming Libraries and implementations Funding Partners bioexcel.eu Reusing this

Parallel Programming Libraries and implementations Funding Partners bioexcel.eu Reusing this

Parallel Programming Libraries and implementations Funding Partners bioexcel.eu Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

411 views • 23 slides
Recent advances in Mandelbrot martingales theory Julien Barral, Universit e Paris Nord

Recent advances in Mandelbrot martingales theory Julien Barral, Universit e Paris Nord

Recent advances in Mandelbrot martingales theory Julien Barral, Universit e Paris Nord Advances in Fractals and Related Topics, CUHK, September 2012 J. Barral Recent advances in Mandelbrot martingales theory Mandelbrot martingales Let = {

736 views • 54 slides
Recent Advances in Adap.ve Sampling and Reconstruc.on for Monte

Recent Advances in Adap.ve Sampling and Reconstruc.on for Monte

Recent Advances in Adap.ve Sampling and Reconstruc.on for Monte Carlo Rendering Deriva've Analysis Wojciech Jarosz wjarosz@disneyresearch.com Thursday, July 16, 15 Path tracing -

1.36k views • 99 slides
Recent Advances in Adaptive Sampling and Reconstruction for Monte

Recent Advances in Adaptive Sampling and Reconstruction for Monte

Recent Advances in Adaptive Sampling and Reconstruction for Monte Carlo Rendering M. Zwicker W. Jarosz J. Lehtinen B. Moon R. Ramamoorthi Univ. of Bern Disney Research Aalto

543 views • 13 slides
Recent Advances in Two-loop Superstrings Eric DHoker Institut des Hautes Etudes Scientifiques,

Recent Advances in Two-loop Superstrings Eric DHoker Institut des Hautes Etudes Scientifiques,

Recent Advances in Two-loop Superstrings Eric DHoker Institut des Hautes Etudes Scientifiques, 2014 May 6 Eric DHoker Recent Advances in Two-loop Superstrings Outline 1. Overview of two-loop superstring methods, including global issues;

627 views • 31 slides
Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu

Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu

Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu Pradeep Kumar Gunda Michael Isard Microsoft Research Silicon Valley Dryad and DryadLINQ Automatic query plan generation by DryadLINQ Automatic

721 views • 30 slides
Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent Advances in Adversarial (Examples in) Machine Learning Nicholas Carlini Google Research The Year is 2014 Someone tells you they have a new algorithm to

1.52k views • 139 slides
Structure Preserving Smooth Projective Hashing Olivier Blazy , Cline Chevalier O. Blazy (Xlim)

Structure Preserving Smooth Projective Hashing Olivier Blazy , Cline Chevalier O. Blazy (Xlim)

Structure Preserving Smooth Projective Hashing Olivier Blazy , Cline Chevalier O. Blazy (Xlim) (SP)2H 1 / 25 Global Framework 1 Cryptographic Tools 2 Structure-Preserving SPHF 3 Applications 4 O. Blazy (Xlim) (SP)2H 2 / 25 Global

940 views • 46 slides
HMS Luminosity Scan Ryan Ambrose University of Regina April 26, 2018 1 / 8 Procedure Using

HMS Luminosity Scan Ryan Ambrose University of Regina April 26, 2018 1 / 8 Procedure Using

HMS Luminosity Scan Ryan Ambrose University of Regina April 26, 2018 1 / 8 Procedure Using the TSelector framework, I applied several cuts to the data: | 1 . 0 | < 0 . 2 2 /N < 25 . 0 E Cal,Norm > 0 . 8 |

230 views • 8 slides
Math 233 Warm Up Problems August 28, 2009 1. Find the equation of the sphere in R 3 with radius

Math 233 Warm Up Problems August 28, 2009 1. Find the equation of the sphere in R 3 with radius

Math 233 Warm Up Problems August 28, 2009 1. Find the equation of the sphere in R 3 with radius and center at 2 , 7 , ). ( 2. Find the unit vector in the direction of the given vector V = (4 , 2 , 7) U = 1. Find the

315 views • 9 slides
Slow-Roll Dark Energy J. Richard Gott, III and Zachary Slepian arXiv.org/abs/1011.2528 The

Slow-Roll Dark Energy J. Richard Gott, III and Zachary Slepian arXiv.org/abs/1011.2528 The

Slow-Roll Dark Energy J. Richard Gott, III and Zachary Slepian arXiv.org/abs/1011.2528 The Standard Picture V 0 we are sitting at the bottom of a potential well Linde: chaotic inflation scalar field slow-rolls down potential Predicts n s

636 views • 25 slides
Wavelets and Multiresolution Processing Thinh Nguyen Multiresolution Analysis (MRA) Analysis

Wavelets and Multiresolution Processing Thinh Nguyen Multiresolution Analysis (MRA) Analysis

Wavelets and Multiresolution Processing Thinh Nguyen Multiresolution Analysis (MRA) Analysis (MRA) Multiresolution A scaling function scaling function is used to create a series of approximations of a function or image, each differing by

906 views • 26 slides
Disclaimer The opinions expressed during this presentation are those of the speakers, and not

Disclaimer The opinions expressed during this presentation are those of the speakers, and not

The importance of D-E-R characterisation in dose selection, labelling and B/R - children EMA EFPIA workshop on the importance of dose finding and dose selection for the successful development, licensing and lifecycle management of medicinal

594 views • 13 slides
PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING

PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING

PERFORMANCE OF PERFORMANCE OF OPTIMIZATION OPTIMIZATION ALGORITHMS ALGORITHMS FOR DERIVING MATERIAL DATA FROM BENCH SCALE TESTS Patrick Lauer University of Wuppertal lauer@uni-wuppertal.de Content 1. Content 2. Introduction 3. Method

490 views • 31 slides
Auto-Scaling in NFV Using Tacker Conference Paper January 2017 CITATIONS READS 0 2,084 3

Auto-Scaling in NFV Using Tacker Conference Paper January 2017 CITATIONS READS 0 2,084 3

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/312531599 Auto-Scaling in NFV Using Tacker Conference Paper January 2017 CITATIONS READS 0 2,084 3 authors , including: Emanuel

314 views • 9 slides

More recommend