Four-Dimensional GLV Scalar Multiplication

Transcription

1 Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University

2 Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic curve over a field K is given by E K y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 where a 1, a 2, a 3, a 4, a 6 K and discriminant E 0. Given a point P E(K) of prime order n and an integer k [1, n 1], elliptic curve scalar multiplication consists in computing k P. This operation is central to protocols based on elliptic curves. In this talk, we focus on the variable-point scenario on curves over large prime characteristic fields to achieve: - Highest performance possible - Full protection against timing-type side-channel attacks Implications also extend to other scenarios (e.g., fixed-point and double-scalar scenarios). P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

3 Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic curve over a field K is given by E K y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 where a 1, a 2, a 3, a 4, a 6 K and discriminant E 0. Given a point P E(K) of prime order n and an integer k [1, n 1], elliptic curve scalar multiplication consists in computing k P. This operation is central to protocols based on elliptic curves. In this talk, we focus on the variable-point scenario on curves over large prime characteristic fields to achieve: - Highest performance possible - Full protection against timing-type side-channel attacks Implications also extend to other scenarios (e.g., fixed-point and double-scalar scenarios). P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

4 GLV Method

5 GLV Scalar Multiplication Given a point P E(F q ) of prime order n, an integer k [1, n 1] and an efficiently computable endomorphism, the GLV method computes where max( k 0, k 1 ) = O ( n). k P = k 0 P + k 1 (P) P = P, where 1, n 1 is a root of the char polynomial of modulo n By solving a closest vector problem in a lattice, one can get values k 0, k 1 s.t. k = k 0 + k 1 (mod n), or equivalently, k P = k 0 P + k 1 (P) Using simultaneous multi-scalar multiplication (a.k.a. Strauss-Shamir trick), the number of doublings is cut to half P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

6 GLV Scalar Multiplication Given a point P E(F q ) of prime order n, an integer k [1, n 1] and an efficiently computable endomorphism, the GLV method computes where max( k 0, k 1 ) = O ( n). k P = k 0 P + k 1 (P) P = P, where 1, n 1 is a root of the char polynomial of modulo n By solving a closest vector problem in a lattice, one can get values k 0, k 1 s.t. k = k 0 + k 1 (mod n), or equivalently, k P = k 0 P + k 1 (P) Using simultaneous multi-scalar multiplication (a.k.a. Strauss-Shamir trick), the number of doublings is cut to half P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

7 GLV Extensions Use curves over F p 2 instead of F p (Galbraith et al., Eurocrypt 2009): Galbraith-Lin-Scott, 2-dimensional GLV (GLS curves) Use the Frobenius endomorphism ª x, y = (x p, y p ), satisfying X = 0 in E F p 2 Galbraith-Lin-Scott, 4-dimensional GLV (GLS curves, #Aut(E) > 2) Use the Frobenius endomorphism ª x, y = (x p, y p ), satisfying X 4 X = 0, ª 2, satisfying X 2 + X + 1 = 0 and, ª 3, satisfying X = 0 This work: 4-dimensional GLV (GLV-GLS curves) Combine Frobenius and on GLV curves over F p 2 P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

8 4-GLV Scalar Multiplication

9 4-Dimensional GLV Method using GLV-GLS curves Extending work by Galbraith, Lin and Scott, to the GLV setting over F p 2 using the p-power Frobenius endomorphism ª and. Theorem (4-GLV) If E is a quadratic twist of a GLV curve by a quadratic nonresidue of F p 2, then assuming P generates a large subgroup of prime order n of E (F p 2), given k [1, n 1], we can find a decomposition k P = k 0 P + k 1 (P) + k 2 ª (P) + k 3 ª (P) where max i ( k i ) < C 4 n 1 4 and C 4 = r + s. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

10 4-Dimensional GLV Method using GLV-GLS curves Relatively easy to show a weaker form of (4-GLV) with a value of C 4 = Ω(s 3 2). However, our form of (4-GLV), with C 4 = O ( s), allows to deduce that the relative improvement from (2-GLV) to (4-GLV) is at least log n 1 2 s 2 log 103n r + s which is practically independent of the curve (true independence would be achieved if we could show that C 4 = O(s 1 4)). P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

11 GLV-GLS Curves in Twisted Edwards Form

12 GLV-GLS using the Twisted Edwards Model In Weierstrass form, j-invariant 0 and 1728 GLV curves are very efficient. However, several other GLV curves are not. The idea: Use the Twisted Edwards model (TEM) instead to make all of them highly efficient. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

13 Example: GLV-GLS + TEM Let p > 3 be a prime s.t. 2 is quadratic residue modulo p. Let u F p 2 be a nonsquare in F p 2. The curve E 3 F p 2 : y 2 = x u2 x 7u 3 is isomorphic to the quadratic twist of the GLV curve E 3 F p : y 2 = 4x 3 30x 28. Then, E 3 F p 2 written down in TEM form is given by ax 2 + y 2 = 1 + dx 2 y 2, where a = 27u and d = 27u Let u = 1 + i F p 2, with i 2 = 1, and ζ 8 = u 2, where ζ 8 is a primitive 8 th root of unity. After ensuring that a be a square in F p 2, use the map (x, y) x a, y to finally obtain E T3 F p 2 : x 2 + y 2 = 1 + d x 2 y 2 with d 3 = d/a, a = 54 ζ ζ + and d = 54 ζ + ζ P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

14 Example: GLV-GLS + TEM Let p > 3 be a prime s.t. 2 is quadratic residue modulo p. Let u F p 2 be a nonsquare in F p 2. The curve E 3 F p 2 : y 2 = x u2 x 7u 3 is isomorphic to the quadratic twist of the GLV curve E 3 F p : y 2 = 4x 3 30x 28. Then, E 3 F p 2 written down in TEM form is given by ax 2 + y 2 = 1 + dx 2 y 2, where a = 27u and d = 27u Let u = 1 + i F p 2, with i 2 = 1, and ζ 8 = u 2, where ζ 8 is a primitive 8 th root of unity. After ensuring that a be a square in F p 2, use the map (x, y) x a, y to finally obtain E T3 F p 2 : x 2 + y 2 = 1 + d x 2 y 2 with d 3 = d/a, a = 54 ζ ζ + and d = 54 ζ + ζ P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

15 Example: GLV-GLS + TEM Let p > 3 be a prime s.t. 2 is quadratic residue modulo p. Let u F p 2 be a nonsquare in F p 2. The curve E 3 F p 2 : y 2 = x u2 x 7u 3 is isomorphic to the quadratic twist of the GLV curve E 3 F p : y 2 = 4x 3 30x 28. Then, E 3 F p 2 written down in TEM form is given by ax 2 + y 2 = 1 + dx 2 y 2, where a = 27u and d = 27u Let u = 1 + i F p 2, with i 2 = 1, and ζ 8 = u 2, where ζ 8 is a primitive 8 th root of unity. After ensuring that a be a square in F p 2, use the map (x, y) x a, y to finally obtain E T3 F p 2 : x 2 + y 2 = 1 + d x 2 y 2 with d 3 = d/a, a = 54 ζ ζ + and d = 54 ζ + ζ P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

16 GLV and Side-Channel Attacks

17 GLV Method and Side-Channel Attacks There are innumerable types of side-channel attacks in the literature. On server and desktop computers, the main risk is posed by timing attacks, cache attacks and variants. Main approach: constant-time execution independent of the secret key. In particular: No secret-dependent conditional branches No secret-dependent look-up table accesses P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

18 GLV Method and Side-Channel Attacks There are five key parts especially vulnerable in the computation of elliptic curve scalar multiplication: Modular inversion: compute a 1 mod p as a regular-pattern exponentiation a p 2 mod p using a short addition chain for p 2. Reduction during field operations: exploit conditional move instructions with constant-time execution (e.g., cmove on x86 and x64 processors). Access to precomputed tables: run through whole table and extract required data by using conditional move instructions. Scalar recoding and exponentiation: use algorithms with regular-pattern execution. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

19 GLV Method and Side-Channel Attacks Scalar recoding and exponentiation: We need a regular-pattern representation with fixed length. Adapting Joye-Tunstall regular recoding to obtain fixed length: INPUT: scalar k odd, dimension d of l-bit GLV scalar mult and window width w OUTPUT: k T, k (T 1),, k 0 where k t ±1, ±3, ±5,, ± 2 w T = l d (w 1) 2. for i = 0 to (T 1) do 3. k i = k mod 2 w 2 w 1 4. k = k k i 2 w 1 5. end for 6. k T = k In scalar multiplication, easy to treat odd/even k during initialization in constanttime. Requires a constant-time final correction after main computation. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

20 GLV Method and Side-Channel Attacks Scalar recoding and exponentiation The modified algorithm: Executes in constant-time Produces fixed-length representations for scalars k i Produces regular representations for k i that enable regular-pattern double-andadd execution: (w 1) DBLs, d ADDs,, (w 1) DBLs, d ADDs, repeated T times INPUT: k i = k (i,t), k (i,t 1),, k (i,0) for 0 i < d, point P E(F p ), window w d 1 OUTPUT: Q = [k]p = i=0 k i à i (P) (assuming à 0 P = P by abuse of notation) 1. Q = [k 0,T ] à 0 P + + [k (d 1,T) ] à (d 1) (P) 2. for j = T 1 downto 0 do 3. Q = 2 (w 1) Q 4. for i = 0 to (d 1) do 5. Q = Q + [k (i,j) ] à i (P) 6. end for 7. end for Some performance loss: nonzero density increases from 1 (w + 1) to 1 (w 1). P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

21 Multicore Execution and its Protection In addition: GLV scalar multiplication is easy to parallelize. Previously described side-channel countermeasures can be extended to the multicore setting. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

22 Implementation

23 Setup I For our experiments, we consider the five curves below: two GLV curves in Weierstrass form with and without nontrivial automorphisms, their corresponding GLV-GLS counterparts and one curve in Twisted Edwards form isomorphic to the GLV-GLS curve E 3 (see below). GLV-GLS curve with j-invariant 0 in Weierstrass form E 1 /F p1 2 y 2 = x 3 + 9u, where p 1 = and #E 1(F p1 2) is a 254-bit prime. We use F p1 2 = F p1 i /(i 2 + 1) and u = 1 + i F p1 2. We have that = 0 and ª = 0. GLV curve with j-invariant 0 in Weierstrass form E 2 F p2 : y 2 = x 3 + 2, where p 2 = and #E 2 F p2 is a 256-bit prime. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

24 Setup II GLV-GLS curve in Weierstrass form E 3 /F p3 2 y 2 = x u 2 x 7u 3, where p 3 = and #E 3(F p3 2) = 8r, where r is a 251-bit prime. We use F p3 2 = F p3 i /(i 2 + 1) and u = 1 + i F p3 2. We have that = 0 and ª = 0. GLV-GLS curve in Twisted Edwards form E T3 F p3 2 : x 2 + y 2 = 1 + dx 2 y 2, where p 3 = , d = i and #E T3(F p3 2) = 8r, where r is a 251-bit prime. We use again F p3 2 = F p3 i /(i 2 + 1) and u = 1 + i F p3 2. We have that = 0 and ª = 0. E T3 is isomorphic to curve E 3 above. GLV curve E 4 F p4 : y 2 = x x 7, where p 4 = and #E 4 F p4 = 2r, where r is a 256-bit prime. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

25 Results I: single-core, no protection Operation count and performance of scalar multiplication ( 128 bits of security). Theoretical estimates and actual results based on tests on a single core of a 3.4GHz Intel Core i (Sandy Bridge) processor. Curve Method Total Cost Gain Performance Gain E 1(F p1 2), Weierstrass 4-GLV-GLS 1209m 51% 99,000cc 53% E 2 F p2, Weierstrass 2-GLV 2004M 1824m - 151,000cc - E T3(F p3 2), Twisted Edwards 4-GLV-GLS 1117m 97% 91,000cc 102% E 3(F p3 2), Weierstrass 4-GLV-GLS 1468m 50% 121,000cc 52% E 4 F p4, Weierstrass 2-GLV 2416M 2199m - 184,000cc - About 50% speed-up when moving from 2-GLV to 4-GLV-GLS. Twisted Edwards injects a further 30% speed-up to curve E 3. * m, s and a stand for costs of multiplication, squaring and addition over F p 2, and M for cost of multiplication over F p. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

26 Results II: single and multi-core, unprotected and protected Performance of scalar multiplication ( 128 bits of security). Results based on tests on a single core of a 3.4GHz Intel Core i (Sandy Bridge) processor. Curve Method Protection #Cores Performance E T3(F p3 2), Twisted Edwards 4-GLV-GLS 91,000cc E T3(F p3 2), Twisted Edwards 4-GLV-GLS 137,000cc E T3(F p3 2), Twisted Edwards 4-GLV-GLS 61,000cc E T3(F p3 2), Twisted Edwards 4-GLV-GLS 78,000cc E 1(F p1 2), Weierstrass 4-GLV-GLS 99,000cc E 1(F p1 2), Weierstrass 4-GLV-GLS 145,000cc E 1(F p1 2), Weierstrass 4-GLV-GLS 70,000cc E 1(F p1 2), Weierstrass 4-GLV-GLS 89,000cc E 1(F p1 2), Weierstrass non-glv 201,000cc E 2 (F p2 ), Weierstrass 2-GLV 151,000cc E 2 (F p2 ), Weierstrass 2-GLV 127,000cc P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

27 Results III: single and multi-core, unprotected and protected 2x speed-up when moving from non-glv to 4-GLV-GLS on curve E 1 (sequential/ unprotected version) Up to 76% speed-up when using multicore execution (protected version) 46%-50% overhead for protecting sequential implementations Only 28% overhead for protecting multicore implementations As before, 50% speed-up when moving from 2-GLV to 4-GLV-GLS (curve E 1). Twisted Edwards curve E T3 is 6%-15% faster than Weierstrass curve E 1. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

28 Conclusions I Extending work by Galbraith, Lin and Scott, we have shown how to enable a 4- dimensional GLV method using the p-power Frobenius endomorphism ª and on GLV curves over F p 2. We have provided first rigorous bound on the 4-dimensional GLV method that represents a theoretical argument justifying the use of the method when possible, for any GLV curve. We have shown how to achieve a further speed-up by using the Twisted Edwards model. We have shown how to apply strong countermeasures to protect GLV-based implementations against timing-type side-channel attacks. We have shown how to achieve a further speed-up by using multiple cores and how to protect multicore execution against targeted side-channel attacks. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

29 Conclusions I Extending work by Galbraith, Lin and Scott, we have shown how to enable a 4- dimensional GLV method using the p-power Frobenius endomorphism ª and on GLV curves over F p 2. We have provided first rigorous bound on the 4-dimensional GLV method that represents a theoretical argument justifying the use of the method when possible, for any GLV curve. We have shown how to achieve a further speed-up by using the Twisted Edwards model. We have shown how to apply strong countermeasures to protect GLV-based implementations against timing-type side-channel attacks. We have shown how to achieve a further speed-up by using multiple cores and how to protect multicore execution against targeted side-channel attacks. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

30 Conclusions I Extending work by Galbraith, Lin and Scott, we have shown how to enable a 4- dimensional GLV method using the p-power Frobenius endomorphism ª and on GLV curves over F p 2. We have provided first rigorous bound on the 4-dimensional GLV method that represents a theoretical argument justifying the use of the method when possible, for any GLV curve. We have shown how to achieve a further speed-up by using the Twisted Edwards model. We have shown how to apply strong countermeasures to protect GLV-based implementations against timing-type side-channel attacks. We have shown how to achieve a further speed-up by using multiple cores and how to protect multicore execution against targeted side-channel attacks. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

31 Conclusions I Extending work by Galbraith, Lin and Scott, we have shown how to enable a 4- dimensional GLV method using the p-power Frobenius endomorphism ª and on GLV curves over F p 2. We have provided first rigorous bound on the 4-dimensional GLV method that represents a theoretical argument justifying the use of the method when possible, for any GLV curve. We have shown how to achieve a further speed-up by using the Twisted Edwards model. We have shown how to apply strong countermeasures to protect GLV-based implementations against timing-type side-channel attacks. We have shown how to achieve a further speed-up by using multiple cores and how to protect multicore execution against targeted side-channel attacks. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

32 Conclusions I Extending work by Galbraith, Lin and Scott, we have shown how to enable a 4- dimensional GLV method using the p-power Frobenius endomorphism ª and on GLV curves over F p 2. We have provided first rigorous bound on the 4-dimensional GLV method that represents a theoretical argument justifying the use of the method when possible, for any GLV curve. We have shown how to achieve a further speed-up by using the Twisted Edwards model. We have shown how to apply strong countermeasures to protect GLV-based implementations against timing-type side-channel attacks. We have shown how to achieve a further speed-up by using multiple cores and how to protect multicore execution against targeted side-channel attacks. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

33 Conclusions II Our implementations using the new GLV-GLS curves have set new speed records for elliptic curves over large prime characteristic fields for several scenarios (x64 processors) - Unprotected versions: Sequential: 91,000 cycles, 34% speedup over Hu-Longa-Xu 2011 (122,000 cycles) Multicore: 61,000 cycles (no previous record) - Versions fully protected against timing-type side-channel attacks: Sequential: 137,000 cycles, 42% speedup over Bernstein et al (194,000 cycles) Multicore: 78,000 cycles (no previous record) * Figures on a 3.4GHz Intel Core i (Sandy Bridge) processor. P. Longa and F. Sica 4-GLV Scalar Multiplication ASIACRYPT / 19

34 Four-Dimensional GLV Scalar Multiplication Q & A Patrick Longa Microsoft Research Francesco Sica Nazarbayev University