Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

Size: px

Start display at page:

Download "Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography"

Hilary Morgan
5 years ago
Views:

1 Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1 Sujoy Sinha Roy 1 Frederik Vercauteren 1,2 Ingrid Verbauwhede 1 1 COSIC, ESAT KU Leuven and iminds 2 Open Security Research China WAIFI, 2016 Elsewhere) / 25

2 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results Elsewhere) / 25

3 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results Elsewhere) / 25

4 Introduction Classical cryptosystems Widely used public key cryptosystems and protocols are based on RSA and ECC. No known classical algorithm to solve them easily. Elsewhere) / 25

Classical cryptosystems Shor s 1 2 algorithm can solve them easily on quantum computers Research in this field is advancing rapidly. 1 Shor, Peter W.

5 Classical cryptosystems Shor s 1 2 algorithm can solve them easily on quantum computers Research in this field is advancing rapidly. 1 Shor, Peter W., Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer 2 J. Proos and C. Zalka. Shor s discrete logarithm quantum algorithm for elliptic curves Elsewhere) / 25

6 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results Elsewhere) / 25

7 Post quantum cryptography We need post quantum cryptography schemes to provide privacy and security even in the presence of practical quantum computers. Many schemes proposed that is presumed to offer such security. I Lattice based cryptography. II Multivariate cryptography. III Hash-based cryptography. IV Code-based cryptography. V Supersingular elliptic curve isogeny cryptography Elsewhere) / 25

8 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results Elsewhere) / 25

9 Isogeny in Elliptic curves An Isogeny φ : E 1 E 2 is morphism between two elliptic curves (E 1 & E 2 ) Basepoint preserving i.e φ(o) O Was presumed a hard problem. First quantum secure cryptosystem based on this problem was proposed by Stolbunov et al. 3 Later Childs et.al showed this problem has sub-exponential quantum complexity. 4 3 Alexander Rostovtsev, Anton Stolbunov Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves 4 Andrew Childs, David Jao, and Vladimir Soukharev. Constructing elliptic curve isogenies in quantum subexponential time Elsewhere) / 25

10 Isogeny in Elliptic curves De Feo et. al(2011) proposed a new cryptosystem based on the hardness of computing isogenies 5 Used supersingular ellptic curves instead of ordinary elliptic curves. Complexity : 4 p on classical and 6 p on a quantum computer(p : characteristic of base field). 5 Luca De Feo, David Jao & Jerome Plut, Towards quantum resistant cryptosystems from supersingular elliptic curve Angshuman isogenies Karmakar, Sujoy Sinha Roy Frederik Efficient Vercauteren, Finite Field Ingrid Multiplication Verbauwhede for (Universities Isogeny Based ofpost Somewhere Quantum WAIFI, andcryptography 2016 Elsewhere) 10 / 25

11 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results 2016 Elsewhere) 11 / 25

12 Special prime structure Computation of isogney is a series of finite field operations over the base field. Efficient field arithmetic Faster isogeny computation The supersingular curves used in isogeny based cryptosystems are defined over F p 2 p = f 2 a 3 b 1, f is a small co-factor. And log 2 a log 3 b. In our case f = 2. Earlier methods used Montgomery reduction and Barrett reduction for efficient modular reduction. Unable to exploit the special structure of the characteristic prime. Fields defined over Mersenne prime or Pseudo-Mersenne primes offer very fast modular reduction due to their special structure. The possibility of exploiting the special structure of p is very intriguing Elsewhere) 12 / 25

13 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results 2016 Elsewhere) 13 / 25

14 Field element representation Representation of field elements are very crucial in our method. We take our prime p = 2 2 a 3 b 1 with b even and 2N bits. An element A F p is written as : A = a 1 2 a 3 b + a 2 2 a/2 3 b/2 + a 3 a 1 [0, 1] and a 2, a 3 [0, 2 a/2 3 b/2 ) Multiply A(a 1, a 2, a 3 ), B(b 1, b 2, b 3 ) F p Multiply a 2,3 with b 2,3 4 NxN multiplications. Product C = AxB = c 1 2 a 3 b + c 2 2 a/2 3 b/2 + c 3 Problem : c 2, c 3 [0, 2 a 3 b ) not compatible with our representation 2016 Elsewhere) 14 / 25

15 Efficient reduction Solution : We need to divide c 2,3 by 2 a/2 3 b/2 We used a modified Barrett division to perform these two divisions Elsewhere) 15 / 25

16 Efficient Reduction Modified Barrett division Division by 2 a/2 3 b/2 can be made efficient due to the special structure of the divisor. Fundamentally we have to perform Barrett division for 3 b/2 only. But we have to perform two of these Elsewhere) 16 / 25

17 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results 2016 Elsewhere) 17 / 25

18 Complexity Barrett Montgomery Ours Input Size 4N 4N 4N Reductions Multiplications 4N x 2N 2N x 2N 3N/2 x N 2N x 2N 4N x 2N N x N/2 (last 2N bits required) Total 12N 2 6N 2 4N 2 Table: Complexity comparison 2016 Elsewhere) 18 / 25

19 Parallelization Two Barrett divisions can be run in parallel. Figure: Serial and Parallel execution of Barrett divisions 2016 Elsewhere) 19 / 25

20 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results 2016 Elsewhere) 20 / 25

21 Hardware implementation Figure: Hardware Architecture 2016 Elsewhere) 21 / 25

22 Outline 1 Introduction Classical Cryptosystems Post-quantum cryptography 2 Isogeny Based Cryptography Isogeny in Elliptic curves Special prime structure 3 Efficient modular arithmetic Representation of field elements Comparison with other methods Hardware Implementation Results 2016 Elsewhere) 22 / 25

23 Results Proof of concept implementation Using C in a 32 bit multi-precision format. Time is measured on a core-i5 cpu running CentOS. 62% speed up in reduction and 43% speed up in modular multiplication. Operation running time (µ s) Normal multiplication Our Multiplication Table: Comparison of Our algorithm with normal Barrett reduction algorithm 2016 Elsewhere) 23 / 25

24 HW Results Target FPGA Virtex 6 FPGA xc6vcx240t-2ff784 Registers 11,924 LUTs 12,790 Frequency 31 MHz Cycles 236 Time 7.6 µs 2016 Elsewhere) 24 / 25

25 Thank you!!

Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1, Sujoy Sinha Roy 1, Frederik Vercauteren 1,2, and Ingrid Verbauwhede 1 1 KU Leuven ESAT/COSIC and