Short Memory Method on Koblitz Curves - IACR · PDF file 2008. 1. 12. · Short Memory Method on Koblitz Curves 9 Binary Curves Binary Curves y2˜ xy=x 3+ax2+b, a,b∈F 2m Can use

• View
2

0

Embed Size (px)

Text of Short Memory Method on Koblitz Curves - IACR · PDF file 2008. 1. 12. · Short...

• Short Memory Method on Koblitz Curves

Katsuyuki Okeya

Tsuyoshi Takagi

Camille Vuillaume

• 2Short Memory Method on Koblitz Curves

Outline

Koblitz curves Binary Curves τExpansions Binary vs. Koblitz

Short Memory Normal vs. Polynomial

Basis Short Memory on

Normal Basis Short Memory on Polynomial Basis

Elliptic curves Interest of ECC Binary Method NAF Method

• 3Short Memory Method on Koblitz Curves

Outline

Elliptic curves Interest of ECC Binary Method

Koblitz curves

Short Memory

NAF Method

• 4Short Memory Method on Koblitz Curves

RSA vs. Elliptic Curves

Speed ECC are 30 times faster than RSA…

Memory …and require 6.5 less memory

• 5Short Memory Method on Koblitz Curves

Operations:

Binary Method

On average: (n-1)D+n/2A

2P

P 3P

)2

Input: P

Output: 105P

Scalar: d=105=( 1 0 1 0 10

6P

D A

1

D A D

12P

13P

26P

105P

52P 104P

D

• 6Short Memory Method on Koblitz Curves

NAFw Method

d=105=(Scalar: 1 1 0 1 0 10 )2

Output: 105P 13P

P

3P Input:

NAFw recoding, w=3

P

16P

On average: nD+n/(w+1)A+(2w-2-1)A

8P4P2P

105P

104P26P 52P

0 0 -3 0 100d=105= 1d=105=

Computations Pre-computations

• 7Short Memory Method on Koblitz Curves

Comparison – NAFw Method

Scalar multiplication for 160-bit EC

0 0

40

120

280

600

240

213 201 195 194 198

0

100

200

300

400

500

600

700

binary NAF2 NAF3 NAF4 NAF5 NAF6

M e m o ry ( by te s)

0

50

100

150

200

250

300

C o st ( e lli pt ic o pe ra ti o n s)

Memory (bytes) Cost (EC op.)

Maximal speed-up: less than 20%

Optimal width w=5

How to get rid of point doublings?

• 8Short Memory Method on Koblitz Curves

Outline

Elliptic curves

Koblitz curves Binary Curves τExpansions Binary vs. Koblitz

Short Memory

• 9Short Memory Method on Koblitz Curves

Binary Curves

Binary Curves y2�xy=x3+ax2+b, a,b∈F2m

Can use AES acceleration hardware

Coprocessor-less architecture

Slow without AES hardware or fast processor

Well-suited for mobile phone CPU (32-bit RISC)

Re-use existing design ☺Lower production cost, cheaper design ☺

With coprocessor, prime curves are faster

Faster than general binary curves ☺☺

Koblitz Curves y2+xy=x3+ax+1, a={0,1}

• 10Short Memory Method on Koblitz Curves

Binary and τ-Expansions

10x fasterP = (x,y) →τP = (x2,y2)

Koblitz curves

P = (x,y) → 2P = (x’,y’)

Binary curves

τ=(μ+√-1)/7

)2d=9=( 1 0 10

P

2P

9P

4P 8P

P

τP d=9=( 1 1 11 )τ0 10

τP+P

9P *τ

1*23 1*20+= 1*τ6= 1*τ5 1*τ4 1*τ3 1*τ0+ + + +

2P = -τ2 P +μτ P

P = (x,y) → 2P = (x’,y’)

• 11Short Memory Method on Koblitz Curves

Binary vs. Koblitz Curves 163-bit Scalar Multiplication

0

2282

0

326

978

2282

244

197

54 42 36 34

0

500

1000

1500

2000

2500

binary NAF5 TNAF2 TNAF3 TNAF4 TNAF5

M e m o ry ( bi ts )

0

50

100

150

200

250

300

C o st ( e lli pt ic o pe ra ti o n s)

Binary curves Koblitz curves

w=5 optimal…

…but requires a lot of memory

• 12Short Memory Method on Koblitz Curves

Outline

Elliptic curves

Koblitz curves

Short Memory Normal vs. Polynomial

Basis Short Memory on

Normal Basis Short Memory with

Mixed Bases

• 13Short Memory Method on Koblitz Curves

Normal vs. Polynomial Basis

Normal BasisPolynomial Basis p=pm-1Xm-1+…+p1X+p0, where

pi∈{0,1} b=b0β0+b1β1 +…+bm-1βm-1, where βi2=βi+1 and βm-12=β0

Fast reduction with trinomials or pentanomials ☺

Fast multiplications ☺

No reduction ☺

Software Hardware

Very slow multiplications

Very fast squares ☺

Interesting for Koblitz curves (τ)

Mixed approach?

Fast squares ☺Fast squares ☺

b=b0β0+b1β1 +…+bm-2βm-2+bm-1βm-1 b2=b0β02+b1β12 +…+bm-2βm-22+bm-1βm-12

= bm-1β0 +b0β1+b1β2 +…+bm-2βm-1

• 14Short Memory Method on Koblitz Curves

Short Memory – Normal Basis

0 0 3 0 100

9PP

-1

3P

Standard method

Short memory

P-τ8P+P

3P9P

τ8

τ3

-P

P

-τ8P+P

0

τ τ τ τ τ τ τ τ

0 0 3 0 100-1 0

-τ5P+3P

τ8P

3τ3P

• 15Short Memory Method on Koblitz Curves

Sequential Precomputations

α1P=P α3P=τ2P+P α11P=-τ3P+α3P α15P=-α11P-τP α5P=τP-P α13P=-τ2α5P+P α7P=τP+P α9P=-τ4P-α7P

Precomputations

u αu=u modτ5 Binary representation of αu 1 1 1

3 τ-3 τ2-1 5 τ-1 τ-1 7 τ+1 τ+1 9 2τ-3 -τ4-τ-1 -τ4-(τ+1)=

11 2τ-1 -τ3+τ2-1 -τ3+τ2-1= 13 2τ+1 -τ3+τ2+1 -τ2(τ-1)+1= 15 -3τ+1 τ3-τ2-τ+1 -(-τ3+τ2-1)-τ=

• 16Short Memory Method on Koblitz Curves

163-bit norm al basis

0

2282 2282

0 0

326

2282

326

244

197

49 54 41 42 34 34

0

500

1000

1500

2000

2500

binary NAF5 halving NAF5

TNAF2 tau/halve TNAF3 TNAF5 Short M em ory

M e m o ry ( bi ts )

0

50

100

150

200

250

300

C o st ( e lli pt ic o pe ra ti o n s)

M em ory (bits) Cost (EC operations)

Performance, Hardware 163-bit Koblitz curve163-bit binary curve

☺☺

• 17Short Memory Method on Koblitz Curves

Short Memory - Mixed Bases

τ3

-τ8P+P

0 0 3 0 100-1 0 P

τ8P

τ8

P

P

τ8P

P

3P

3P3τ3P

-τ8P+P

9P

3τ3P

0 0 3 0 100-1 0

polynomial basis

P normal basisP

P τ-8

u=1

u=3

• 18Short Memory Method on Koblitz Curves

Change of Basis

1 0 011 1

1

1

0

1

0

1

0 0 111 1

0 0 110 0 ⊕

0 0 011 1 ⊕

0 1 111 0 ⊕

1 0 000 1 ⊕

0 0 110 1 ⊕

Original representation

Change of basis matrix

New representation 0 1 000 0

Cyclic shift not explicitly computed

• 19Short Memory Method on Koblitz Curves

163-bit polynom ial basis

0

126 126

0

42

126

294

84

1317

974

648 543

437 389 387 395

0

50

100

150

200

250

300

350

binary NAF4 halving NAF4

TNAF2 TNAF3 TNAF4 TNAF5 Short M em ory

M e m o ry ( by te s)

0

200

400

600

800

1000

1200

1400

C o st ( m u lt ip lic at io n s)

M em ory (bytes) Cost (M )

Performance, Software

163-bit binary curve 163-bit Koblitz curve

☺☺

• 20Short Memory Method on Koblitz Curves

Extensions, open problems

Side channel & fault attacks

Change of basis

Other curves

• 21Short Memory Method on Koblitz Curves

Recap

Beurre

Argent du beurre

RSA

Binary curve, binary method

Binary curve, NAF5 method

Koblitz curve, TNAF5 method

Koblitz curve, short memory

“Le beurre et l’argent du beurre”

• 22Short Memory Method on Koblitz Curves

Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Design
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Documents
Education
Education
Documents
Documents
Documents
Documents
Documents
Documents
Documents