An FPGA-based Accelerator for Tate Pairing on Edwards Curves over Prime Fields

Transcription

1 . Motivation and introduction An FPGA-based Accelerator for Tate Pairing on Edwards Curves over Prime Fields Marcin Rogawski Ekawat Homsirikamol Kris Gaj Cryptographic Engineering Research Group (CERG) Department of ECE, Volgenau School of Engineering George Mason University, Fairfax, VA, USA th CryptArchi Workshop - Fréjus, June 23-26, 203 Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... / 25

2 Pairing Based Cryptography Prime fields Pairing Based Cryptography PAIRING Traditional PKC One Round Key Agreement A C A B B P TA M P TA M Encryption Cert(BOB, P E ALICE IDBOB E ALICE ) BOB TA C C BOB BOB Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj Note: An Cert FPGA-based Certificate, Accelerator TA Trust... Authority 2 / 25

3 Pairing Based Cryptography Prime fields Pairing Based Cryptography XILINX A 0 B 0 A B ADDER Cin LUT 0 LUT 0 S 0 S 8(7) B A 25() MULTIPLIER 25 x 8 43(4) M Cout Note: signed size(unsigned size) ALTERA A0 B 0 A B LUT LUT Cin FA FA Cout S 0 S 36 A B Note: M = ((A hi*b hi)*2 +(A hi*2 *B lo) (A * B )+(A *2 * B )) 8 lo lo hi lo 72 M Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 3 / 25

4 Pairing Based Cryptography Prime fields Prime Fields Pairing transformations can be defined over multiple fields: binary - GF(2 n ), ternary - GF(3 m ), and prime fields - GF(p) Binary and ternary fields are generally hardware-friendly Prime fields are generally better for software implementations and for cross-platform solutions The National Security Agency (NSA Suite B Cryptography) and ecrypt II recommend prime fields Scope of this work Efficient implementation of Pairing Based Cryptosystems over prime fields using internal resources of modern FPGAs, such as fast carry chains (carry logic) and DSP units. Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 4 / 25

5 Field operations Solinas primes and Barrett reduction Hierarchy of Operations in Pairing Based Cryptography (PBC) Cryptographic protocols and schemes Curve Operations Scalar Multiplication Bilinear Operations Pairings Group Operations Point Addition Point Doubling Extension Field Operations Multiplication Squaring Field Operations Multiplication Squaring Addition Subtraction Hardware architecture recipe: Optimizations on every level CAN NOT be conducted totally independently! Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 5 / 25

6 Field operations Solinas primes and Barrett reduction Novel Hybrid high-radix carry save adder with parallel prefix Kogge-Stone network Functionality: A + B = S + C = cout, R block N block block 0 High Radix Carry Save Form a(n*w )..a(n*(w )) w a(2*w )..a(w) a(w ),..., a(0) A = {a(n*w ),..., a(0)} B = {b(n*w ),..., b(0)} b(n*w )..b(n*(w )) w w+ b(2*w )..b(w) b(w ),..., b(0) R = {r(n*w ),..., r(0)} S = {s(n*w ),..., s(0)} s(n*w )..s(n*(w )) c(n*w) c((n )*w) w c(2*w) s(2*w )..s(w) c(w) s(w ),..., s(0) w w w C = {c(n*w), 0, c((n )*w), 0... c(w), 0 } i 0 i consecutive zeros =..? =..? Carry Projection Unit g(n ) g() g(0) g(n ) p(n ) g(n 2) g() p() g(0) p(n ) p() Kogge Stone Adder s Parallel Prefix Network pc(n) w pc(n ) w pc() w pc(n) pc(n ) pc() cout r(n*w )..r(n*(w )) r(2*w ),..., r(w) r(w ),..., r(0) Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 6 / 25

7 Field operations Solinas primes and Barrett reduction Generic modular adder B n number of bits of P B A B cout# cout#2 2 n P A cout# P cout# cout# cout#2 A 0 SUB 2 n P 0 P 0 0 R R SUB cout# cout#2 0 SUB R R = A + B mod P, R = { A + B P, if A + B 2 n A + B P 0 A + B, otherwise R = A B mod P, R = { A B + P, if A B < 0 A B, otherwise Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 7 / 25

8 Field operations Solinas primes and Barrett reduction Novel modular adder/subtractor Functionality: (A + B) mod P = R a(n ) b(n ) w w PE#(N ) ="..."? a() b() fp(n ) w fp() w ="..."? ="..."? w+ w+ w+ fg(n ) PE# PE#0 w fg() w c(2) c() c(n ) p(n ) w p() w w ip(n ) ip() sg(n ) sg() 0 sp(n ) A = {a(n ),..., a(0)}, B = {b(n ),..., b(0)}, P = {p(n ),... p(0)}, IP = two s complement of P 0 ="..."? sp() a(0) b(0) "0""" 0 80 bit: n=52 bits, N=3 words 20 bit: n=264 bits, N=75 words 28 bit: n=493 bits, N=88 words w=7 bits fg(0) p(0) ip(0) sg(0) fg(n ) fp(n ) Carry Projection Unit # Carry Projection Unit #2 fp() fg(0) fpc(n) fpc(n ) fpc() sg(n ) sp(n ) sp() sg(0) 0 sel 0 fpc(n ) spc(n ) 0 r(n ) r() 0 sel fpc() spc() 0 sel spc(n) spc(n ) spc() r(0) sel fpc(n) SUB fpc(n) spc(n) Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 8 / 25

9 Field operations Solinas primes and Barrett reduction Novel Multiply-and-Add DSP-based multiplier /3 Functionality: A * B = (RR, RC), where DSP Slice "0" 7 "0" a(n ) Radix 2 7 operations b(j) 7 a(n 2) b(j) s(n) c(n) s(n ) c(n )s(n 2) ss(m) 2 cc(m) 7 ss(m ) cc(m ) "0" "0" 2 A = {a(n ),..., a(0)}, B = {b(n,...,0}, RR = {rr(2m ),..., rr(0)}, RC = {rc(2m ),..., rc(0)} 7 7 a(0) c() s(0) "0" "0" 2 b(j) ss(0) s( ) "0" cc(0) zc(n) 7 7 Switch Radix 2 to Radix2 Carry s(n) s(n ) 7 cc(m) ss(m) 7 Switch Radix 2 to Radix2 Sum ss( ) "0" "0" 2 zc( ) cc( ) s(0) s( ) cc( ) ss( ) 5 zc(n) = 0, c(n) 5 zc(n ) = 0, c(n )... zc() = 0 5, c() zc(0) = 0 7 zc( ) = bit: N=3, M=22 20 bit: N=75, M=53 28 bit: N=88, M=62 rc(2m) Radix 2 operations rr(2m ) rc(2m ) rr(2m 2) rc(m) rr(m ) rc(m ) rr(m 2) rr(m 3) rr(0) Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 9 / 25

10 Field operations Solinas primes and Barrett reduction Novel Multiply-and-Add DSP-based multiplier 2/3 Three operational phases of the selected processing element: Phase I: clock cycle 0 Phase II: clock cycle..m 2 Phase III: clock cycle M ss(i) cc(i) ss(i) cc(i) ss(i) cc(i) "0" "0" "0" "0" "0" "0" rc(i+m) rr(i+m ) rc(i+m) rr(i+m ) rc(i+m) rr(i+m ) Protocol Xilinx Virtex-6 Altera Stratix IV & V #bits of A processed per clock cycle n n #bits of B processed per clock cycle 36 #clock cycles per multiplication n n 36 #DSP units n 7 n 36 Meaning of DSP unit DSP48E slice Half-DSP block Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 0 / 25

11 Field operations Solinas primes and Barrett reduction Novel Multiply-and-Add DSP-based multiplier 3/3 Novel double speed mode: One multiplication using two multipliers Let A, B be M w-bit numbers, and B = B H 2 w M 2 + B L, then the multiplication of A and B can be computed as follows: A B = A *(B H 2 w M 2 + B L ) = A B H 2 w M 2 + A * B L. Very similar idea to BiPartite, Kaihara et al. [CHES 05], TiPartite multiplication, Sakiyama et al. [Integration ] When to use it? When we conduct the computations of a single multiplication, but we have two multipliers available! Or two multiplications and we have four multipliers available! Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... / 25

12 Field operations Solinas primes and Barrett reduction Arithmetic for Special Primes Reductions modulo 2 n + and modulo 2 n - are very efficient. (Problem: Not every number of this form is prime!) Primes of a form (2 a ± 2 b ± and 2 a ± 2 b ± 2 c ± ) were introduced by Solinas [NSA 99], Solinas prime s arithmetic is recommended by NIST for digital signature schemes [FIPS-86]! Comment: But it is not applicable for all primes in Solinas form! (e.g.: ) Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 2 / 25

13 Field operations Solinas primes and Barrett reduction Novel solution: Barrett-based reductor for Solinas primes (ln. 2) n+ (ln. 5) q r Multiplication by constant u Multiplication by constant p r 2 (sum) r (carry) 2 const(0) addition B = 2 n+ const = {0, B, B p, B 2p, B 3p, p, 2p, 3p} Comment: (ln. 7 2) n (ln. 7 2) const(7) addition (ln. 6) (ln. 6) subtraction subtraction n+ Algorithm Barrett modular reduction [Crypto 86] Require: x = (x 2n...x, x 0 ) 2, p = (p n...p, p 0 ) 2 r (p n 0), µ = 2 2n / p Ensure: r = x mod p : q x/2 n 2: q 2 q µ 3: q 3 q 2 /2 n+ 4: r x mod 2 n+ 5: r 2 q 3 p mod 2 n+ 6: r r r 2 7: if r < 0 then 8: r r + 2 n+ 9: end if 0: while r p do : r r p 2: end while 3: return r p can be chosen in such a way, that µ = 2 a t + 2 a t a + 2 0, where t is a relatively small number. Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 3 / 25

14 Elliptic Curve Cryptography Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves Definition: Elliptic curve over GF (p) is a set of points fulfilling equation of the curve and special point. Y y = x + x + mod p (p=23) P S Q 2S DBL ADD R Addition ADD P(6,9) Q=(7,2) R=P+Q=(3,7) Doubling DBL S(3,3) 2S=S+S=(7,) X P(generator) : P, 2P, 3P,...mP = Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 4 / 25

15 Edwards curves + application Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves Edwards curve [AmericanMath 07] is a set of points which fulfill equation x 2 + y 2 = + dx 2 y 2 mod p generalized form ax 2 + y 2 = + dx 2 y 2 mod p - a-twisted Edwards curves proposed by Bernstein et al. [AfricaCrypt 08] Extended projective formulae defined by Hisil et al. [AsiaCrypt 08] An elliptic curve is called supersingular, if its number of points is equal to p + Edwards curves together with special prime number P-2559 were adopted to digital signatures by Bernstein et al. [CHES ] Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 5 / 25

16 What is Pairing? Motivation and introduction Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves Pairing is a mathematical transformation which takes two arguments: two elliptic curve points P and Q from two algebraic groups G and G 2 and it produces an element of the third algebraic group G T. The most important properties of these G x G 2 G T functions are: bilinearity a,b Z p : e(ap, bq) = e(ap, Q) b = e(p, bq) a = e(p, Q) ab non-degeneracy ( function e(p, Q) never returns ), and efficiency in computations. Pairing on twisted supersingular k = 2 Edwards curve was defined by Das and Sarkar [Pairing 08] Pairing on ordinary Edwards curves was defined by Arene et al. [Journal of Cryptology 09] So far NO hardware architectures or software implementations for pairing on Edwards curves reported in literature Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 6 / 25

17 Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves How to generate secure and computationally-friendly prime numbers? - part I Security concerns: p must be a large prime number, and p 3 (mod 4) p + must have a large prime divisor r - the discrete logarithm problem in the elliptic curves must be hard (Pollard rho) Edwards curves parameters must be a =, d = p k, so called embedding degree, is the smallest number, such that p k is divisible by r For aforementioned parameters, Edwards curve has p + points, embedding degree k = 2, and it is called supersingular curve p must be a large prime, the discrete logarithm problem in the p 2 must be hard (functional field sieve) Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 7 / 25

18 Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves How to generate secure and computationally-friendly prime numbers? - part II p and r can have a special form - Menezes and Koblitz [eprint 06] recommended Solinas primes [NSA 99] (2 a ± 2 b ± ) Observation: Barrett reduction [Crypto 86] requires multiplication by constants: p and µ = 22 n p, and 2n > p, and n - number of bits of p. we search such for p such that µ = 2 at ±... ± and t is relatively a small number (t < 30). we were looking for r with a very low Hamming weight (< 5%) Comment: The GMP library-based software implementation of the parameters generation algorithm requires significant amount of time to find friendly numbers Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 8 / 25

19 Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves Parameters used in our work Security Field order - p Prime divisor - r # terms of µ 80-bits bits bits bits Observations: The multiplication by p and µ can be replaced by multi-operand addition! The prime divisor r (2 a + 2 b ) has always a form of (computationally cheaper - check next slide!). Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 9 / 25

20 Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves General algorithm for the modified Tate pairing Algorithm 2 Miller s algorithm for computing modified Tate pairing Require: Points P and φ(q), prime divisor r = (r l... r 0 ), field order p, and embedding degree k, h P,Q a rational function Ensure: F = e(p, φ(q)) : F =, R = P 2: for i = l 2 downto 0 do 3: G h R,R (φ(q)) and R = 2R /* Algorithm 3: 4 multiplications */ 4: F = F 2 G /* Algorithm 5 and 6: 2+4 multiplictions */ 5: if r i = then 6: G h R,P (φ(q)) and R = R + P /* Algorithm 4: multiplications */ 7: F = F G /* Algorithm 5: 2 multiplications */ 8: end if 9: end for 0: return F F pk r /* Algorithm 7: next slide */ What if for the substantial number of P and Q the result of e(p, Q) =? Distortion maps! φ(q) = (x Q i, yq ), where i 2 =. Consequently, F and G are the complex numbers. Other names: twists or operations in the extension field x 2 +, in this case. Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator / 25

21 Elliptic curves cryptography Pairing Paramters generation Tate pairing on Edwards curves Final exponentiation (Alg. 7) - novel approach Traditional optimization method, the Frobenius mapping is not applicable to supersingular curves. F (p ) and F are equally difficult! The fixed exponent e = p2 r, after Booth recoding can be represented as five term Solinas prime (e.g.: 28-bit: ) The computation of the Final exponentiation (F e = F 2a +2 a 2 2 a 3 +2 a 4 2 a 5 = F 2a F 2a2 F 2a 4 F 2a3 F 2a 5 ): a complex squarings and the three complex multiplications of five intermediate values Two modular multiplications (complex squaring) can be computed using 4 multipliers working in the double speed mode Final result reconstruction: F Ru R d xi+y vi+z (vi + z) = (v i + z ) = { v = z = v z 2 +v 2 z z 2 +v 2 Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... 2 / 25

22 Coprocessor overview The overview of novel coprocessor block diagram in 7 r(n ) 7 7 DPRAM #N a(n ) a(0) a(n )b(n ) b(n )... b(0) r(0) DPRAM #0 a(0) b(0) Number of 7 bit words: N = 3 (80 bit), 75 (20 bit), 88 (28 bit) A = {a(n ),... a(0)} B = {b(n ),...b(0)} R = {r(n ),... r(0)} A 7N PISO A 7N B 7N A B A B A B A B A B 7 out Multiplier # Multiplier #2 Multiplier #3 Multiplier #4 Modular Adder 34N Additional circuit for the double speed mode Modular Reductor 7N System Multipliexer 7N R 7N Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator / 25

23 Results Conclusions FPGA-based hardware architectures - preliminary results Stratix V 80-bit security coprocessor: logic ALM, memory - 552k, 20 DSPs, 263 MHz, latency: 33µs 20-bit security coprocessor: logic ALM, memory - 327k, 288 DSPs, 257 MHz, latency: 54µs 28-bit security coprocessor: logic ALM, memory - 432k, 336 DSPs, 2 MHz, latency: 697µs Reference software implementation results: GNU Multiple Precision Arithmetic Library Testing platform: Mac OS X 0.6.8, CPU: Intel Core i7 2.8GHz, 8GB 067 MHz DDR3 80-bit: 5.09ms, 20-bit: 29.4ms, 28-bit: 37.ms Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator / 25

24 Results Conclusions Speed records for the range of bits security for the pairing transformations over prime fields Publication Curve Type Security Type Platform Latency This work twisted supersingular Edwards 20-bit Tate Stratix V 0.54ms Cheung et al. [CHES ] Barreto-Naehring 26-bit Opt.-Ate Virtex ms This work twisted supersingular Edwards 28-bit Tate Stratix V 0.70ms This work twisted supersingular Edwards 20-bit Tate Stratix IV 0.70ms Beuchat et al. [Pairing 0] Barreto-Naehrig 26-bit Opt.-Ate Core i ms This work twisted supersingular Edwards 28-bit Tate Stratix IV 0.88ms This work twisted supersingular Edwards 20-bit Tate Virtex-6.05ms Cheung et al. [CHES ] Barreto-Naehrig 26-bit Opt.-Ate Stratix III.07ms Fan et al. [Computers ] Barreto-Naehrig 28-bit Opt.-Ate Virtex-6.36ms This work twisted supersingular Edwards 28-bit Tate Virtex-6.05ms Fan et al. [Computers ] Barreto-Naehrig 28-bit Ate Virtex-6.60ms Cheung et al. [CHES ] Barreto-Naehrig 26-bit Opt.-Ate Cyclone II.93ms Comment: The fastest reported pairing coprocessor over prime fields for security level above 20 bits! Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator... / 25

25 Major Contributions Motivation and introduction Results Conclusions Novel, low latency, generic, optimized for fast carry-chains (FPGA), hybrid adder for big numbers (thousand of bits and more) Solinas primes-based, DSP-oriented, modular arithmetic architectures for addition, subtraction and multiplication First hardware architectures for 80, 20 and 28-bit pairing on Edwards curves Our coprocessor (on Stratix V) computes 20 and 28-bit secure pairing over prime field in less than 0.54 and 0.70 ms, respectively. It is the fastest pairing implementation over prime fields in this security range Cryptoarchi 3 M.Rogawski, E.Homsirikamol, K. Gaj An FPGA-based Accelerator / 25