Arithmetic Operators for Pairing-Based Cryptography

Size: px

Start display at page:

Download "Arithmetic Operators for Pairing-Based Cryptography"

Blaze Kevin Ward
6 years ago
Views:

1 Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn, Germany CHES 2007 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

2 Outline of the Talk 1 Example: BLS Short Signature Scheme 2 Computation of the Full η T Pairing 3 A Coprocessor for the Full Pairing Computation 4 Results and Conclusion Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

3 Example: BLS Short Signature Scheme Key generation G 1 = P : additively-written group of prime order q H : {0, 1} G 1 : map-to-point hash function Secret key: x {1, 2,..., q 1} Public key: xp G 1 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

4 Example: BLS Short Signature Scheme Sign Private key x Message m Map-to-point hash function H(m) Signature xh(m) Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

5 Example: BLS Short Signature Scheme Verify Public key xp Message m Map-to-point hash function H(m) xp, H(m) Signature xh(m) P, xh(m) P Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

6 Example: BLS Short Signature Scheme Bilinear pairing G 1 = P : additively-written group G 2 : multiplicatively-written group with identity 1 A bilinear pairing on (G 1, G 2 ) is a map ê : G 1 G 1 G 2 that satisfies the following conditions: 1 Bilinearity. For all Q, R, S G 1, ê(q + R, S) = ê(q, S)ê(R, S) and ê(q, R + S) = ê(q, R)ê(Q, S). 2 Non-degeneracy. ê(p, P) 1. 3 Computability. ê can be efficiently computed. Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

7 Example: BLS Short Signature Scheme Verify Public key xp Message m Map-to-point hash function H(m) Pairing ê(p, xh(m)) Signature xh(m) Pairing ê(xp, H(m)) P ê(xp, H(m)) = ê(p, xh(m)) = ê(p, H(m)) x Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

8 Example: BLS Short Signature Scheme Examples of cryptographic bilinear maps Weil pairing Tate pairing η T pairing (Barreto et al.) Ate pairing (Hess et al.) Applications Identity based encryption Short signature Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

9 Computation of the Full η T Pairing Elliptic curve over F 3 m P Q Q = (x q, y q ) η T pairing calculation P = (x p, y p ) η T (P, Q) (F 3 6m) Exponentiation η T (P, Q) W F 3 6m Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

10 Computation of the Full η T Pairing Tower Field 1 ρ ρ 2 F 3 6m = F 3 2m[ρ]/(ρ 3 ρ 1) 1 σ F 3 2m = F 3 m[σ]/(σ 2 + 1) 1 x x 2 x m 3 x m 2 x m 1 F 3 m = F 3 [x]/(f (x)) F 3 = Z/3Z = {0, 1, 2} Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

11 Computation of the Full η T Pairing Tower Field F 3 2m F 3 2m F 32m 1 σ ρ σρ ρ 2 σρ 2 F 3 6m 12m bits 1 x x 2 x m 3 x m 2 x m 1 F 3 m 2m bits F 3 2 bits Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

12 Computation of the Full η T Pairing η T (P, Q) Addition Multiplication Cubing Cube root Bilinearity of η T (P, Q) W ( ([ η T (P, Q) W = 3m η T η T (P, Q) 3 m m 1 2 Addition Multiplication Cubing ] P, Q (Arith 18) ) m+1 ) W 3 2 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

13 A Coprocessor for the Full Pairing Computation Operations over F 3 m Additions 51 m 1 2 Multiplications 15 m 1 2 Cubings 10m + 2 Inversion Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

14 A Coprocessor for the Full Pairing Computation Addition, subtraction, and accumulation over F 3 m Enable Add/Accumulate c 2 c 3 c s(x) a(x) b(x) +/ +/ Addition of 3 operands c 5 Enable c 0 c 1 Enable Multiplication by 1 or 2 2b(x) b(x) (mod 3) Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

15 A Coprocessor for the Full Pairing Computation Multiplication over F 3 m Array multiplier ( m/3 clock cycles) Most significant coefficient first (Horner s rule) Enable c 0 x 3 mod f b(x) PPG p(x) a 3i c 3 c 4 a(x) Shift register a 3i+1 PPG PPG x x 2 mod f mod f Addition of 4 operands Enable and reset c 1 c 2 a 3i+2 Load and shift Multiplication by 0, 1, or 2 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

16 A Coprocessor for the Full Pairing Computation Cubing over F 3 [x]/(x 97 + x ) a 96 a 95 a 94 a 2 a 1 a 0 ν 0 (x) ν 1 (x) ν 2 (x) a 32 a 64 a 65 a 93 0 a 60 a 61 a 89 0 a 60 a 61 a 0 Addition of 3 operands a(x) 3 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

17 A Coprocessor for the Full Pairing Computation Arithmetic operators over F 3 97 Operation Area [LEs] Control [bits] Add./sub Mult Cubing ALU on a Cyclone II FPGA Ctrl a(x) b(x) Addition Multiplication p(x) Cubing Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

18 A Coprocessor for the Full Pairing Computation Unified arithmetic operator Operations Addition Subtraction Accumulation Multiplication Cubing Area (Cyclone II): 2676 LEs (instead of 3308) Control bits: 11 (instead of 17) Inversion: Fermat s little theorem (96 cubings and 9 multiplications) a 3m 2 = a 1, where a F 3 m Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

19 A Coprocessor for the Full Pairing Computation Results (CHES 2007) FPGA: Xilinx Virtex-II Pro 4 F 3 [x]/(x 97 + x ) Area: 1888 slices + 6 memory blocks Clock frequency: 147 MHz Clock cycles for a full pairing: Calculation time: 222 µs Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

20 A Coprocessor for the Full Pairing Computation Results (CHES 2007) FPGA: Xilinx Virtex-II Pro 4 F 3 [x]/(x 97 + x ) Area: 1888 slices + 6 memory blocks Clock frequency: 147 MHz Clock cycles for a full pairing: Calculation time: 222 µs Extended Euclidean algorithm (EEA) Area: 2210 additional slices Clock cycles for a full pairing: instead of Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

21 A Coprocessor for the Full Pairing Computation Results (new software for the CHES 2007 processor) FPGA: Xilinx Virtex-II Pro 4 F 3 [x]/(x 97 + x ) Area: 1888 slices + 6 memory blocks Clock frequency: 147 MHz Clock cycles for a full pairing: Calculation time: 192 µs Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

22 Results and Conclusion Comparisons Architecture Area Calculation time FPGA CHES slices 222 µs Virtex-II Pro CHES 2007 (new software) 1888 slices 192 µs Virtex-II Pro Grabher and Page (CHES 2005) 4481 slices 432 µs Virtex-II Pro Ronan et al. (ITNG 2007) slices 178 µs Virtex-II Pro Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

23 Results and Conclusion Comparisons Architecture Area Calculation time FPGA CHES 2007 (new software) 1888 slices 192 µs Virtex-II Pro CHES 2007 (new software) 1857 slices 141 µs Virtex-4 LX Kerins et al. (CHES 2005) slices 850 µs Virtex-II Pro η T Pairing IP Core (synthesis) slices 8 µs Virtex-4 LX (PAR) 20 µs Virtex-4 LX Arith 18 & Waifi LEs 33 µs Cyclone II (1 slice 2 LEs) Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

24 Results and Conclusion VHDL code generator Automatic generation of a unified operator according to F p m = F p /(f ), where f is an irreducible degree-m polynomial Support for the following operations: Addition Multiplication Frobenius (a(x) p mod f (x)) Inverse Frobenius ( p a(x) mod f (x)) Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

25 Results and Conclusion VHDL code generator Automatic generation of a unified operator according to F p m = F p /(f ), where f is an irreducible degree-m polynomial Support for the following operations: Addition Multiplication Frobenius (a(x) p mod f (x)) Inverse Frobenius ( p a(x) mod f (x)) Estimated area, frequency, and computation time (Virtex-II Pro) Polynomial D = 3 D = 7 x 97 + x slices 147 MHz 222 µs 2189 slices 117 MHz 146 µs x 97 + x slices 151 MHz 216 µs 2246 slices 116 MHz 148 µs x x slices 126 MHz 877 µs 4450 slices 108 MHz 495 µs Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

26 Results and Conclusion Future work Automatic generation of the control unit New version of the software Application (e.g. short signature) Genus 2 curves Side-channel Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

27 A Coprocessor for the Full Pairing Computation Unified arithmetic operator c0 c1 c7 c8 d2(x) d1(x) d0(x) c2 Shift register R2 R1 c3 Load R0 d03i PPG PPG PPG d03i+1 ν0(x) ν1(x) x 2 ν2(x) mod f(x) x 1 0 mod f(x) 1 0 Enable c6 d03i+2 x 3 mod f(x) 1 p(x) c4 c5 0 Shift Load c9 c10 Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

28 A Coprocessor for the Full Pairing Computation P, Q Select Addr Wen 7 bits 198 bits 7 bits Data Addr Wen Wen Addr Data Port B Port A RAM QA QB 194 bits 194 bits 198 bits d2(x) p(x) d1(x) Unified d0(x) operator 11 bits Control 194 bits ηt (P, Q) W ROM Addr Q 10 bits 32 bits Finite State Machine Start Done Port B Port A Processing element c 31 c 30 c 29 c 28 c 27 c 26 c 25 c 24 c 23 c 22 c 21 c 20 c 19 c 18 c 17 c 16 c 15 c 14 c 13 c 12 c 11 c 10 c 9 c 8 c 7 c 6 c 5 c 4 c 3 c 2 c 1 c 0 Counter Wen Address Address Jean-Luc Beuchat (University of Tsukuba) Pairing-Based Cryptography CHES / 26

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1