Représentation RNS des nombres et calcul de couplages

Size: px

Start display at page:

Download "Représentation RNS des nombres et calcul de couplages"

Ambrose Anderson
6 years ago
Views:

1 Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29

2 Outline Standard prime eld arithmetic RNS (Residue Number System) arithmetic Application to standard elliptic curve arithmetic (Joint work with JC. Bajard and M. Ercegovac) RNS arithmetic in extension elds Application to pairing computations Practical implementation (FPGA) (Joint work with N. Guillermin and Cheung-Fan-Verbauwhede-Yao) Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 2 / 29

3 Basic arithmetic over large prime elds Context p a large prime of size β n with β the size of a word (β = 2 32 ) A, B in [0, p 1] All numbers are represented in base β We want to compute A B modulo p Usual method Multiplication Reduction : Schoolbook method (quadratic) or better if n large : Euclidean division Advanced methods for reduction Use Mersenne or pseudo-mersenne primes, p = β n c with c small Use Montgomery reduction Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 3 / 29

4 Montgomery reduction algorithm Assume that integers are given in Montgomery representation, i.e. an integer A is represented by Aβ n mod p. Algorithm Data Compute Result R = AB < β 2n and p 1 mod β n (precomputed) q= R p 1 mod β n r=(r + q p)/β n r < 2p and r = Rβ n mod p Either r or r p is the reduction of R modulo p in Montgomery representation Finally, we replace a computation modulo p by a computation modulo β n Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 4 / 29

5 Practical use of Montgomery reduction Example : compute x 5 mod p 1 Compute x = xβ n modulo p 2 Compute y = x 2 and "reduce" it modulo β n 3 Compute z = y 2 and "reduce" it modulo β n 4 Compute t = z x and "reduce" it modulo β n 5 Recover x 5 = t β n mod p Use in cryptography : RSA-1024 decryption requires 1200 to 1500 modular multiplications time for changing the representation is negligible. Complexity of Montgomery modular multiplication Operations : q = R p 1 mod β n and r = (R + q p)/β n. The cost of each multiplication is n 2 /2 because we are only interested by a part of the result n 2 + n. Overall cost of modular multiplication : 2n 2 + n Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 5 / 29

6 The Residue Number System representation First approach Let m 1, m 2,..., m n 1, m n relatively prime numbers and M = We can represent X [0, M] with (x 1, x 2,..., x n ) such that : n i=1 m i x 1 = X mod m 1. x n = X mod m n (m 1, m 2,..., m n ) is named RNS base, we denote it B n. Operations X RNS + Y RNS = ((x 1 + y 1 ) mod m 1,..., (x n + y n ) mod m n ) RNS X RNS Y RNS = ((x 1 y 1 ) mod m 1,..., (x n y n ) mod m n ) RNS Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 6 / 29

7 Advantages Advantages No carry propagation Multiplication becomes linear in n If the m i are chosen like pseudo-mersenne primes i.e. m i = β c i with c i small, reducing modulo m i is very fast Easy parallelization with n processors Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 7 / 29

8 Advantages and disadvantages Advantages No carry propagation Multiplication becomes linear in n If the m i are chosen like pseudo-mersenne primes i.e. m i = β c i with c i small, reducing modulo m i is very fast Easy parallelization with n processors Drawback p prime, so p n i=1 m i Question : is it possible to perform prime eld arithmetic using RNS? Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 7 / 29

9 From Montgomery reduction to RNS reduction Representation A is represented by Aβ n mod p Algorithm Data Compute Result R = AB < β 2n p 1 mod β n q= R p 1 mod β n r=(r + q p)/β n r < 2p r = Rβ n mod p Computation modulo p replaced by computation modulo β n Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 8 / 29

10 From Montgomery reduction to RNS reduction Representation A is represented by Aβ n mod p A is represented by AM mod p Algorithm Data R = AB < β 2n Data R = AB in B n p 1 mod β n p 1 in B n Compute q= R p 1 mod β n Compute q= R p 1 in B n r=(r + q p)/β n r=(r + q p)m 1 in B n Result r < 2p Result r < 2p r = Rβ n mod p r = RM 1 mod p Computation modulo p replaced by computation modulo β n computation modulo M Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 8 / 29

11 From Montgomery reduction to RNS reduction Representation A is represented by Aβ n mod p A is represented by AM mod p Algorithm Data R = AB < β 2n Data R = AB in B n p 1 mod β n p 1 in B n Compute q= R p 1 mod β n Compute q= R p 1 in B n r=(r + q p)/β n r=(r + q p)m 1 in B n Result r < 2p Result r < 2p r = Rβ n mod p r = RM 1 mod p Computation modulo p replaced by computation modulo β n computation modulo M Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 8 / 29

12 RNS reduction Introduce a new RNS basis to handle M 1 (Bajard, Didier, Kornerup, 2001) Algorithm Data Two coprime RNS basis B n and B n R = AB in B n and B n p 1 in B n and M 1 in B n (precomputations) Compute q= R p 1 in B n q in B n ˆq in B n (change of basis) ˆr=(R + ˆq p)m 1 in B n ˆr in B n r in B n (change of basis) Result r < 2p r = RM 1 mod p Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 9 / 29

13 Complexity The RNS reduction requires 2n 2 + 3n small (word size) operations. Overall cost of modular RNS multiplication : 2n 2 + 5n Is RNS really interesting? (2n 2 + n for Montgomery arithmetic...) Other advantages of the RNS Easy to parallelize High exibility Leak-resistant arithmetic A B + C D require only 2n 2 + 7n operations Gap between complexity of multiplication and complexity of reduction. Try to optimize ECC formulas to take advantage of this. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 10 / 29

14 Elliptic curve cryptography Group law An elliptic curves is dened over F p by an equation y 2 = x 3 + ax + b. It has an explicit group law given by the chord and tangent rule Cryptography based on discrete logarithm Security parameters Best discrete log algorithms in O( p). 80 bits security 160 bits elliptic curve (RSA 1024) 128 bits security 256 bits elliptic curve (RSA 3072) Scalar multiplication (computation of np) T P for each bit of n do T 2T if the bit is 1 do T T + P Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 11 / 29

15 Application to standard elliptic curve arithmetic Doubling formulas in Jacobian coordinates We want to compute 2T if T = (X T, Y T, Z T ) is a point on the elliptic curve dened by the equation Y 2 = X 3 + axz 4 + bz 6. Let A = 3X 2 + az 4 and C = 4X T T T Y 2, then T X 2T = A 2 2C, Y 2T = A(C X 2T ) 8Y 4 T, Z 2T = 2Y T Z T This requires 4M and 6S but 2 reductions can be saved (in A and Y 2T ) Assuming (for simplicity) that S=M, usual Montgomery arithmetic requires 20n n operations. But RNS arithmetic requires only 10 2n + 8 (2n 2 + 3n) = 16n n Better asymptotical complexity but not interesting for cryptographic sizes. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 12 / 29

16 F p k arithmetic Usually quadratic (schoolbook) or subquadratic (Karatsuba,...) in k but Example of F p 3 linear in k in RNS representation arithmetic Assume F p 3 = F p [z]/(z 3 β) with β small. let f = f 0 + f 1 z + f 2 z 2 and g = g 0 + g 1 z + g 2 z 2 in F p 3, then fg = (f 0 g 0 + f 1 g 2 β + f 2 g 1 β) + (f 0 g 1 + f 1 g 0 + f 2 g 2 β)z + (f 0 g 2 + f 2 g 0 + f 1 g 1 )z 2 requires 9 multiplications in F p but only 3 reductions. This can be reduced to 6M and 3R using Karatsuba's method. The gain is less important if computing f 2 since ecient methods (Chung-Hasan) require 5M and 3R. Devegili, O heigeartaigh, Scott and Dahab study in full details F p k arithmetic for k 6 detailed comparison. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 13 / 29

17 F p 6 arithmetic F p 6 is seen as a cubic extension of a quadratic one so that f.g requires 18M and 6R f 2 requires 12M and 6R RNS Montgomery Word-complexity for f.g 12n n 36n n n= n= Word-complexity for f 2 12n n 24n n n= n= Security level r p k p n Better asymptotical complexity and interesting for cryptographic sizes. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 14 / 29

18 Let us be a little more objective Lazy reduction The accumulation of product before reduction can also be done in Montgomery arithmetic. f.g requires 18 multiplications (18n 2 ) and 6 reductions (6n 2 + 6n) overall complexity : 24n 2 + 6n (630 for n = 5) Cost of basic operation Most expensive in RNS (word-multiplication and reduction) than in Montgomery (word-multiplication). Additional cost estimated to 10% in the literature 627 for n = 5 More advantageous for RNS if n = 16, but less for f 2. Improvement of RNS complexity Bajard et al. recently prove that RNS change of basis can be done in only 7 5 n n 9n2 + 50n for f.g F p 6(475 for n = 5) Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 15 / 29

19 Size of the basis Lazy reduction larger input in the reduction step. Example 1 : AB + CD has size 2p 2. Example 2 : In f.g F p 6, each component has size 372p 2. Montgomery reduction Use an additional word to handle this factor costly especially in cryptography. RNS reduction Choose RNS basis such that m i suciently large same remark In some cases (FPGA), cryptographic sizes are less disadvantaged. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 16 / 29

20 Pairings in cryptography Denition Let (G 1, +), (G 2, +) and (G 3, ) be 3 groups. A pairing is an application e : G 1 G 2 G 3 which is bilinear, ie e(p + P, Q) = e(p, Q)e(P, Q) non degenerate, ie P G 1, Q G 2 s.t. e(p, Q) 1 easily computable Use in cryptography Destructive : Decisionnal Die-Hellman is easy, transfer of discrete log Constructive : Tripartite key-exchange, short signature, ID-based cryptography Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 17 / 29

21 Realization of pairings Context E elliptic curve dened over F p (p prime). P E(F p ) of prime order r. k = 2d the embedding degree (smallest integer such that r p k 1). Q = (x, yα) E(F p k ) with x, y F p d and F p k = F p d [α] Denition Let f P be the function on the curve such that Div(f P ) = rp r. e(p, Q) = f P (Q) p k 1 r F p k Examples Supersingular curves (k 2 in large characteristic) MNT curves (k = 6), optimal for 80 bits security Barreto-Naherig curves (k = 12), optimal for 128 bits security Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 18 / 29

22 Fast Tate pairing computation The Miller loop (computation of f P (Q)) T P, f 1 for each bit of r do f f 2.l T,T (Q) and T 2T if the bit is 1 do f f.l T,P (Q) and T T + P where l A,B is the equation of the line passing through A and B. The nal exponentiation (computation of f p k 1 r ) Split in an easy part (use of Frobenius) and a dicult part. Dicult part is roughtly f s with s p and even p 1 2 (MNT) or p 3 4 (BN). Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 19 / 29

23 Computation of l T,T (Q) in Jacobian coordinates Let A = 3X 2 T + az 4 T and C = 4X T Y 2 T. Computation of 2T requires 10M and 8R. X 2T = A 2 2C, Y 2T = A(C X 2T ) 8Y 4 T, Z 2T = 2Y T Z T It is easy to prove that l T,T (Q) = 2Y T Z T.Z 2 T.y Qα A.Z 2 T.x Q + A.X T 2Y 2 T and that its computation requires k + 3 multiplications in F p k + 2 reductions (accumulate AX T before reducing) and the constant term of AZ 2 T x Q No more exciting than standard elliptic curve arithmetic for RNS. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 20 / 29

24 Application to MNT curves with k = 6 Miller loop : step complexity if the bit of r is zero 10M and 8R for the computation of 2T 9M and 8R for the computation of l T,T (Q) 12M and 6R for the squaring of f 18M and 6R for the multiplication of f 2 and l T,T (Q) RNS Montgomery Gain Word-complexity 43n n 77n n n= % n= % Final exponentiation : step complexity if the bit is zero RNS Montgomery Gain Word-complexity 9n n 18n 2 + 6n n= % n= % Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 21 / 29

25 F p 12 arithmetic F p 12 is seen as a quadratic extension of a cubic extension of a quadratic one so that f.g requires 54M and 12R f 2 requires 36M and 12R RNS Montgomery Word-complexity for f.g 18.5n n 66n n n= Word-complexity for f n n 48n n n= Security level r p k p n Better asymptotical complexity and interesting for cryptographic sizes. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 22 / 29

26 Application to BN curves (k = 12) Miller loop : step complexity if the bit of r is zero 10M and 8R for the computation of 2T 9M and 8R for the computation of l T,T (Q) 36M and 12R for the squaring of f 39M and 12R for the multiplication of f 2 and l T,T (Q) RNS Montgomery Gain Word-complexity 61.5n n 134n n n= % Final exponentiation : step complexity if the bit is zero RNS Montgomery Gain Word-complexity 18.5n n 48n n n= % Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 23 / 29

27 Some remarks RNS gain is essentially on F p k arithmetic, then Choosing other systems of coordinate (ane, projective,...) Using Ate pairing or other way to have shorter Miller loop will not change our conclusion that RNS arithmetic is interesting for pairing computations. Using curves with ρ > 1 will benet to RNS since n takes larger values. Similar results are expected with Freeman curves (k = 10). Supersingular curves (k = 2) take also advantage of RNS arithmetic since n = 16 for 80 bits security level. Remember advantages of the RNS arithmetic become evident when a parallel architecture is used. A practical implementation is missing to take into account the neglected operations (important because n an k are small), to eectively compare with other implementations in the BN case. Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 24 / 29

28 Practical implementation FPGA Programmable hardware device Xilinx and Altera 2 categories : "low cost" and "high end" Includes many logic modules containing LUT (Look-Up-Table) and some additional functions (allowing fast carry propagation or shift register for instance) An interconnecting array between logic modules DSP block for multiplication (9 bit words) Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 25 / 29

The Cox-Rower architecture Used in mot of RNS FPGA implementation based on parallelism Well adapted to RNS change of basis Need adjustments depending

29 The Cox-Rower architecture Used in mot of RNS FPGA implementation based on parallelism Well adapted to RNS change of basis Need adjustments depending on the goal (RSA, ECC, pairings) The Cox computes λ A Rower computes modulo m i Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 26 / 29

30 Our choices Optimal Ate pairing on BN curves dened by x = ( ) 126 bits of security x = ( ) 128 bits of security x = ( ) 192 bits of security with almost all recent algorithmic improvements. Projective coordinates 36 bits words (allowing more than 192p 2 as input of the reduction) No Karatsuba methods (addition have essentially the same cost as multiplications) Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 27 / 29

31 Results Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 28 / 29

32 Thank you Thank you for your attention Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 29 / 29

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is