Fast, twist-secure elliptic curve cryptography from Q-curves

Transcription

1 Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16, 2013 Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

2 Scalar multiplication General ECC situation: We have a cryptosystem based on a cyclic subgroup G E(F q ), #G = N prime #E(F q ) q. To implement the system: want to construct a curve E/F q with 1 a very strong group structure: prime/almost-prime order, 2 fast cryptographic operations:, [2], and [m], 3 fast finite field arithmetic: eg. q = 2 n e with tiny e We want all three of these improvements simultaneously......but in practice, the three properties are not orthogonal. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

3 Schnorr signatures: Key Generation algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Output A public/private-key pair (Q, x) G Z/NZ 1 Set x := random(z/nz); // x is the private key 2 Set Q := [x]p; // Q is the public key 3 Return (Q, x). All of the hard work is in computing Q = [x]p. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

4 Schnorr signatures: Sign algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Input A message m {0, 1} and a private key x Z/NZ. Output A Schnorr signature (s, e) (Z/NZ) 2. 1 Set k := random(z/nz); 2 Set R := [k]p; 3 Set e := H(m R); // is bitstring concatenation 4 Let s := k xe (mod N); 5 Return (s, e). All of the hard work is in computing R = [k]p. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

5 Generic binary exponentiation Input m [0..2 β ) and P G Output [m]p // β-bit m, gen. β = log 2 N 1 Compute binary representation m = β 1 i=0 m i2 i (with m i {0, 1}); // normally this is for free 2 Set R := 0 G ; 3 For i in β 1 down to 0, // β iterations 3a Set R := [2]R; 3b Set R := R [m i ]P; // [m i ]P = 0 or P 4 Return R. Optimizations/variations: windows, combs, NAF,... But the bigger the β, the longer it takes. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

6 Schnorr signatures: Verify algorithm System parameters G = P of prime order N, cryptographic hash function H : {0, 1} Z/NZ Input A signature (s, e) (Z/NZ) 2, a message m {0, 1}, and a public key Q G. Output True if (s, e) is a valid signature on the message m for the user with public key Q, otherwise False. 1 Let R := [s]p [e]q; //= R if s k xe (mod N) 2 Let e := H(m R ); 3 If e = e, then Return True; else Return False. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

7 Generic binary multiexponentiation Input (a, b) in [0..2 β ) 2, P, Q in G Output [a]p [b]q // eg. β = log 2 N 1 Compute binary reps a = β 1 i=0 a i2 i and b = β 1 i=0 b i2 i 2 Set T 0,0 := 0 G, T 1,0 := P, T 0,1 := Q, T 1,1 := P Q; 3 Set R := 0 G ; 4 For i = β 1 down to 0, // β iterations 4a Set R := [2]R; 4b Set R := R T ai,b i ; 5 Return R. #group ops same as plain exponentiation by max( a, b ). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

8 Eigenvalues of endomorphisms In practice: G = Z/NZ is embedded in an ordinary elliptic curve E, which has a much richer structure than Z/NZ : End(G) = Z/NZ but End(E) Z[π], where π : (x, y) (x q, y q ) is Frobenius. If ψ End(E) restricts to an endomorphism of G (that is, ψ(g) G; this happens pretty much all the time): ψ(p) = [λ ψ ]P for all P G We call λ ψ the eigenvalue of ψ on G. Convention: N/2 < λ ψ < N/2. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

9 Scalar multiplication with an endomorphism Binary exponentiation: can compute [m]p with log 2 m doubles. If ψ has eigenvalue λ ψ on G and (a, b) satisfies m a + bλ ψ (mod N), then for any P in G we have [m]p = [a]p [b]ψ(p) and we can compute the RHS using multiexponentation. Multiexponentiation by (a, b) will beat exponentiation by m if ψ can be evaluated fast (time/space < a few doubles), and we can find a and b significantly shorter than m. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

10 Scalar multiplication with an endomorphism Lemma: If λ ψ > N 1/2, then we can quickly find a and b such that a + bλ ψ m (mod N) with log 2 max ( a, b ) 1 2 log 2 N + ɛ. (The constant ɛ is easily bounded; constant-length (a, b) are possible.) Great! Now all we need is a source of good E equipped with fast ψ but this turns out to be highly nontrivial. Note: integer multiplications and Frobenius do not make good ψ. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

11 GLV Curves (Gallant Lambert Vanstone, CRYPTO 2001) Start with an explicit CM curve over Q and reduce mod p. Example (CM by 1) Let p 1 (mod 4); let i be a square root of 1 in F p. Then the curves E a : y 2 = x 3 + ax have an explicit (and extremely efficient) endomorphism ψ : (x, y) ( x, iy). Short scalar decompositions: large eigenvalue λ ψ 1 (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

12 Limitations of GLV The curves E a /F p : y 2 = x 3 + ax look perfect......but we are not always free to choose our own (fast) prime p! Example The 256-bit prime p = offers very fast field arithmetic. The F p -isomorphism classes of E a /F p are represented by a = 1, 2, 4, bits if a = bits if a = 2 Largest prime factor of #E a (F p ) = 175 bits if a = bits if a = 8 So we pay for fast arithmetic with at least 17 (/256) bits of group order, which is about 9 (/128) bits of security. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

13 Other GLV curves We can try other explicit CM curves... But there are hardly any of them! ψ fast generally implies deg ψ very small deg ψ small, ψ / Z = Z[ψ] has small discriminant curves with CM by discriminant have j-invariant classified by Hilbert polynomials H H has very small degree, typically 1 for tiny = only one j-invariant per Only 2, 4, or 6 twists (curves) per j-invariant = a handful of suitable curves, none of which might have (almost)-prime reduction mod p Only 18 GLV curves with endomorphisms faster than doubling. No guarantee any of them have good cryptographic group orders mod p. Curve rarity is a critical weakness of the GLV technique. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

14 GLS Curves (Galbraith Lin Scott, EUROCRYPT 2009) Start with any curve over F p, extend to F p 2, and use p-th powering on the quadratic twist. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

15 GLS Curves (Galbraith Lin Scott, EUROCRYPT 2009) Start with any curve over F p, extend to F p 2, and use p-th powering on the quadratic twist. Example Let p 5 (mod 8), take A, B, in F p, take µ in F p 2 with µ nonsquare: E/F p 2 : y 2 = x 3 + µ 2 Ax + µ 3 B has an efficient endomorphism ψ : (x, y) ( x p, iy p ) where i 2 = 1. p-th powering in F p 2 = F p ( D) almost free: (a 0 + a 1 D) p = a 0 a 1 D Good scalar decompositions: λ ψ 1 (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

16 Twist security: the problem with GLS GLS offers p different j-invariants with an extremely fast endomorphism. Some of these j-invariants should give prime/secure order curves. Solves the secure curve choice problem for fixed p! Weak point: built-in twist-insecurity. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

17 Diffie Hellman key exchange An overly abstract point of view of Diffie Hellman: 1 A and B public fix a group G and a generator X 0 G. G can be a set, not a group 2 A and B choose secret multipliers s A, s B Z/(#G). scalars s A and s B an abelian semigroup acting on G. 3 A computes X A := [s A ]X 0 and makes it public; B computes X B := [s B ]X 0 and makes it public. 4 A and B compute the shared secret [s A s B ]X 0 = [s A ]X B = [s B ]X A. DHP in G (given X 0, [s A ]X 0, [s B ]X 0, find [s A s B ]X 0 ) should be hard. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

18 Dropping y-coordinates Implementing Diffie Hellman on E : y 2 = x 3 + Ax + B over F q : Working without y-coordinates saves time and a bit of space. We can compute [m] x(p) := x([m]p) in terms of x(p) (and A, B). Similarly, with an endomorphism ψ: Can compute (a + bψ) (x(p)) := x([a]p [b]ψ(p)) in terms of x(p). Algorithmically, no need for y-coordinates Solve x(q) = [s] x(p) = solve Q = [s]p on E Cryptographically, no need for y-coordinates The x-coordinate maps [m] and (a + bψ) work, compose, and commute for any input x, not just x(p) for P E(F q )! Garbage In = Garbage Out. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

19 Diffie Hellman / Montgomery Curve over F q : E : y 2 = x(x 2 + Ax + 1) Quadratic twist: E : By 2 = x(x 2 + Ax + B), where B is a nonsquare Every α in F q satisfies one of: (α, 0) E[2](F q ) and (α, 0) E [2](F q ) α = x(p) for some P E(F q ) \ E[2](F q ) α = x(p ) for some P E (F q ) \ E [2](F q ) Fault attack (Bernstein, Fouque Réal Lercier Vallette): Sneak in α = x(p E (F q )), then solve the DHP on the twist. = We need almost-prime order for both E and E. GLS curves: twists are (by construction) subfield curves. Largest prime factor in O(p), not O(p 2 ) = built-in weakness. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

20 Another look at GLS Consider a pair of Galois-conjugate curves over F p 2: E : y 2 = x 3 + Ax + B and (p) E : y 2 = x 3 + A p x + B p. We always have a p-th power Frobenius isogeny π 0 : (p) E E. If E is a GLS curve, then an isomorphism φ : E (p) E, and the GLS endomorphism is ψ := π 0 φ. But existence of an isomorphism = j(e) F p = twist-insecurity! Idea: Let s replace φ with a low degree separable isogeny. Easy source of pairs of separably isogenous Galois-conjugate curves: (mod p reductions of) quadratic Q-curves. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

21 Q-curves Definition: A quadratic Q-curve of degree d is an elliptic curve Ẽ : y 2 = x 3 + Ax + B over a quadratic field Q( ), without complex multiplication, with a d-isogeny φ : Ẽ σ Ẽ : y 2 = x 3 + σ(a)x + σ(b), where σ is conjugation on Q( ). Where do we find quadratic Q-curves of degree d? Look at the map X 0 (d) X (d) := X 0 (d)/ Atkin Lehners. Q-curves irrational preimages of points in X (d)(q). We want small d for efficiency, and X 0 (d) = P 1 for small d; = one-parameter families of Q-curves Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

22 Endomorphism recipe Preheat a fast prime p and a nice with ( /p) = 1. Choose a degree-d Q-curve /Q( ) with good reduction at p. = d-isogeny φ : Ẽ σ Ẽ over Q(, d). Reduce φ modulo p (which is inert in Q( ), since ( /p) = 1) = d-isogeny φ : E (p) E over F p ( ). Compose φ with p-powering isogeny π 0 : (p) E E = dp-endomorphism ψ := π 0 φ in End(E), and σ φ φ = [±d] (since Ẽ has no CM), so ψ 2 = [±d]π. Serve hot d small = ψ fast, with big eigenvalue ± ±d (mod N). Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

23 Hasegawa s universal quadratic Q-curve of degree 2 For any squarefree discriminant and any t in Q, define conjugate curves Ẽ t /Q( ) : y 2 = (x 4)(x 2 + 4x t ), σ Ẽ t /Q( ) : y 2 = (x 4)(x 2 + 4x 14 18t ). Good reduction at every prime p > 3 inert in Q( )! φ : (x, y) There exists a 2-isogeny φ : Ẽt σ Ẽ t, defined by ( ) y f (x), f (x) 2 where f (x) = x 2 9(1 + t ) x 4. Hasegawa: Every degree-2 Q-curve over Q( ) is = Ẽt for some t Q. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

24 A family of degree-2p endomorphisms Applying the recipe to the whole Hasegawa degree-2 family at once: Take any F p 2 = F p ( ). For every t F p, the curve E t /F p 2 : y 2 = x 3 6(5 3t )x + 8(7 9t ) has an efficient (faster than doubling) endomorphism ( ψ : (x, y) f (x p y p ) ), f (x p ) where f (x p ) = x p 2 2 9(1 t ) (x p 4). We have ψ 2 = [±2]π, so λ ψ = ± ±2 on cryptographic subgroups. Lots of choice: p ɛ different j-invariants in F p 2 (+ codomains) Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

25 Example Take F p 2 = F p (i) where p = (Mersenne prime) and i 2 = 1. After a quick search, we find the 254-bit curve E 9245 /F p 2 : y 2 = x 3 30(5 5547i)x + 8( i) Looking at the curve and its twist, we find E 9245 (F p 2) = Z/2Z Z/NZ and E 9245(F p 2) = Z/2Z Z/N Z, where N and N are 253-bit primes. On either curve, 253-bit scalar multiplications 127-bit multiexponentiations. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

26 Producing more curves and endomorphisms g(x 0 (d)) = 0 = family of degree-dp endomorphisms Applying the recipe: d = 1: degenerate case, recover twist-insecure GLS curves d = 3: construct prime-order twist-secure curves Hasegawa: one-parameter universal curve family d = 5: construct prime-order twist-prime-order curves Hasegawa = one-parameter family for fixed d = 7: More prime-order twist-prime-order curves Hasegawa: one-parameter universal curve family d 7: Even more curves... But slower and less interesting. Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27

27 Go forth and scalar multiply 1-parameter families of elliptic curves over any F p 2 with efficient endomorphisms of degree 2p, 3p, 5p, 7p yielding half-length scalar decompositions. Ready to use: plenty of secure parameters. Details: ASIACRYPT 2013, Full version with d = 5 curves coming soon Work in progress (with Costello & Hisil): A fast, open, constant-time implementation Smith (INRIA/LIX) Fast, twist-secure ECC from Q-curves ECC Leuven, 16/09/ / 27