Click here to load reader

Short Memory Method on Koblitz Curves - IACR · PDF file 2008. 1. 12. · Short Memory Method on Koblitz Curves 9 Binary Curves Binary Curves y2˜ xy=x 3+ax2+b, a,b∈F 2m Can use

  • View
    2

  • Download
    0

Embed Size (px)

Text of Short Memory Method on Koblitz Curves - IACR · PDF file 2008. 1. 12. · Short...

  • Short Memory Method on Koblitz Curves

    Katsuyuki Okeya

    Tsuyoshi Takagi

    Camille Vuillaume

  • 2Short Memory Method on Koblitz Curves

    Outline

    Koblitz curves Binary Curves τExpansions Binary vs. Koblitz

    Short Memory Normal vs. Polynomial

    Basis Short Memory on

    Normal Basis Short Memory on Polynomial Basis

    Elliptic curves Interest of ECC Binary Method NAF Method

  • 3Short Memory Method on Koblitz Curves

    Outline

    Elliptic curves Interest of ECC Binary Method

    Koblitz curves

    Short Memory

    NAF Method

  • 4Short Memory Method on Koblitz Curves

    RSA vs. Elliptic Curves

    Speed ECC are 30 times faster than RSA…

    Memory …and require 6.5 less memory

  • 5Short Memory Method on Koblitz Curves

    Operations:

    Binary Method

    On average: (n-1)D+n/2A

    2P

    P 3P

    )2

    Input: P

    Output: 105P

    Scalar: d=105=( 1 0 1 0 10

    6P

    D A

    1

    D A D

    DAD D ADDD

    12P

    13P

    26P

    105P

    52P 104P

    D

  • 6Short Memory Method on Koblitz Curves

    NAFw Method

    d=105=(Scalar: 1 1 0 1 0 10 )2

    Output: 105P 13P

    P

    3P Input:

    NAFw recoding, w=3

    P

    16P

    Operations: D A D ADDDDD

    On average: nD+n/(w+1)A+(2w-2-1)A

    8P4P2P

    105P

    104P26P 52P

    0 0 -3 0 100d=105= 1d=105=

    Computations Pre-computations

  • 7Short Memory Method on Koblitz Curves

    Comparison – NAFw Method

    Scalar multiplication for 160-bit EC

    0 0

    40

    120

    280

    600

    240

    213 201 195 194 198

    0

    100

    200

    300

    400

    500

    600

    700

    binary NAF2 NAF3 NAF4 NAF5 NAF6

    M e m o ry ( by te s)

    0

    50

    100

    150

    200

    250

    300

    C o st ( e lli pt ic o pe ra ti o n s)

    Memory (bytes) Cost (EC op.)

    Maximal speed-up: less than 20%

    Optimal width w=5

    How to get rid of point doublings?

  • 8Short Memory Method on Koblitz Curves

    Outline

    Elliptic curves

    Koblitz curves Binary Curves τExpansions Binary vs. Koblitz

    Short Memory

  • 9Short Memory Method on Koblitz Curves

    Binary Curves

    Binary Curves y2�xy=x3+ax2+b, a,b∈F2m

    Can use AES acceleration hardware

    Coprocessor-less architecture

    Slow without AES hardware or fast processor

    Well-suited for mobile phone CPU (32-bit RISC)

    Re-use existing design ☺Lower production cost, cheaper design ☺

    With coprocessor, prime curves are faster

    Faster than general binary curves ☺☺

    Koblitz Curves y2+xy=x3+ax+1, a={0,1}

  • 10Short Memory Method on Koblitz Curves

    Binary and τ-Expansions

    τ-and-add: no point doubling

    10x fasterP = (x,y) →τP = (x2,y2)

    Koblitz curves

    P = (x,y) → 2P = (x’,y’)

    Binary curves

    τ=(μ+√-1)/7

    )2d=9=( 1 0 10

    P

    2P

    9P

    4P 8P

    P

    τP d=9=( 1 1 11 )τ0 10

    τP+P

    9P *τ

    1*23 1*20+= 1*τ6= 1*τ5 1*τ4 1*τ3 1*τ0+ + + +

    2P = -τ2 P +μτ P

    P = (x,y) → 2P = (x’,y’)

  • 11Short Memory Method on Koblitz Curves

    Binary vs. Koblitz Curves 163-bit Scalar Multiplication

    0

    2282

    0

    326

    978

    2282

    244

    197

    54 42 36 34

    0

    500

    1000

    1500

    2000

    2500

    binary NAF5 TNAF2 TNAF3 TNAF4 TNAF5

    M e m o ry ( bi ts )

    0

    50

    100

    150

    200

    250

    300

    C o st ( e lli pt ic o pe ra ti o n s)

    Memory (bits) Cost (ECADD)

    Binary curves Koblitz curves

    w=5 optimal…

    …but requires a lot of memory

  • 12Short Memory Method on Koblitz Curves

    Outline

    Elliptic curves

    Koblitz curves

    Short Memory Normal vs. Polynomial

    Basis Short Memory on

    Normal Basis Short Memory with

    Mixed Bases

  • 13Short Memory Method on Koblitz Curves

    Normal vs. Polynomial Basis

    Normal BasisPolynomial Basis p=pm-1Xm-1+…+p1X+p0, where

    pi∈{0,1} b=b0β0+b1β1 +…+bm-1βm-1, where βi2=βi+1 and βm-12=β0

    Fast reduction with trinomials or pentanomials ☺

    Fast multiplications ☺

    No reduction ☺

    Software Hardware

    Very slow multiplications

    Very fast squares ☺

    Interesting for Koblitz curves (τ)

    Mixed approach?

    Fast squares ☺Fast squares ☺

    b=b0β0+b1β1 +…+bm-2βm-2+bm-1βm-1 b2=b0β02+b1β12 +…+bm-2βm-22+bm-1βm-12

    = bm-1β0 +b0β1+b1β2 +…+bm-2βm-1

  • 14Short Memory Method on Koblitz Curves

    Short Memory – Normal Basis

    0 0 3 0 100

    9PP

    -1

    3P

    Standard method

    Short memory

    P-τ8P+P

    3P9P

    τ8

    τ3

    -P

    P

    -τ8P+P

    0

    τ τ τ τ τ τ τ τ

    0 0 3 0 100-1 0

    -τ5P+3P

    τ8P

    3τ3P

  • 15Short Memory Method on Koblitz Curves

    Sequential Precomputations

    α1P=P α3P=τ2P+P α11P=-τ3P+α3P α15P=-α11P-τP α5P=τP-P α13P=-τ2α5P+P α7P=τP+P α9P=-τ4P-α7P

    Precomputations

    u αu=u modτ5 Binary representation of αu 1 1 1

    3 τ-3 τ2-1 5 τ-1 τ-1 7 τ+1 τ+1 9 2τ-3 -τ4-τ-1 -τ4-(τ+1)=

    11 2τ-1 -τ3+τ2-1 -τ3+τ2-1= 13 2τ+1 -τ3+τ2+1 -τ2(τ-1)+1= 15 -3τ+1 τ3-τ2-τ+1 -(-τ3+τ2-1)-τ=

  • 16Short Memory Method on Koblitz Curves

    163-bit norm al basis

    0

    2282 2282

    0 0

    326

    2282

    326

    244

    197

    49 54 41 42 34 34

    0

    500

    1000

    1500

    2000

    2500

    binary NAF5 halving NAF5

    TNAF2 tau/halve TNAF3 TNAF5 Short M em ory

    M e m o ry ( bi ts )

    0

    50

    100

    150

    200

    250

    300

    C o st ( e lli pt ic o pe ra ti o n s)

    M em ory (bits) Cost (EC operations)

    Performance, Hardware 163-bit Koblitz curve163-bit binary curve

    ☺☺

  • 17Short Memory Method on Koblitz Curves

    Short Memory - Mixed Bases

    τ3

    -τ8P+P

    0 0 3 0 100-1 0 P

    τ8P

    τ8

    P

    P

    τ8P

    P

    3P

    3P3τ3P

    -τ8P+P

    9P

    3τ3P

    0 0 3 0 100-1 0

    polynomial basis

    P normal basisP

    P τ-8

    u=1

    u=3

  • 18Short Memory Method on Koblitz Curves

    Change of Basis

    1 0 011 1

    1

    1

    0

    1

    0

    1

    0 0 111 1

    0 0 110 0 ⊕

    0 0 011 1 ⊕

    0 1 111 0 ⊕

    1 0 000 1 ⊕

    0 0 110 1 ⊕

    Original representation

    Change of basis matrix

    New representation 0 1 000 0

    Cyclic shift not explicitly computed

  • 19Short Memory Method on Koblitz Curves

    163-bit polynom ial basis

    0

    126 126

    0

    42

    126

    294

    84

    1317

    974

    648 543

    437 389 387 395

    0

    50

    100

    150

    200

    250

    300

    350

    binary NAF4 halving NAF4

    TNAF2 TNAF3 TNAF4 TNAF5 Short M em ory

    M e m o ry ( by te s)

    0

    200

    400

    600

    800

    1000

    1200

    1400

    C o st ( m u lt ip lic at io n s)

    M em ory (bytes) Cost (M )

    Performance, Software

    163-bit binary curve 163-bit Koblitz curve

    ☺☺

  • 20Short Memory Method on Koblitz Curves

    Extensions, open problems

    Side channel & fault attacks

    Change of basis

    Other curves

  • 21Short Memory Method on Koblitz Curves

    Recap

    Beurre

    Argent du beurre

    RSA

    Binary curve, binary method

    Binary curve, NAF5 method

    Koblitz curve, TNAF5 method

    Koblitz curve, short memory

    “Le beurre et l’argent du beurre”

  • 22Short Memory Method on Koblitz Curves

    Questions & Comments

Search related