Arithmetic operators for pairing-based cryptography

Size: px

Start display at page:

Download "Arithmetic operators for pairing-based cryptography"

Jayson Short
5 years ago
Views:

1 7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre Eiji Okamoto Masaaki Shirase Tsuyoshi Takagi LCIS, University of Tsukuba, Japan LIP, École Normale Supérieure de Lyon, Lyon, France LCIS, University of Tsukuba, Japan IST Lab., Future University, Hakodate, Japan IST Lab., Future University, Hakodate, Japan

2 Outline of the talk 1 Pairings? Arithmetic over F 3 m Unified operator Results Final thoughts Jérémie Detrey Arithmetic operators for pairing-based cryptography 1 / 21

3 Elliptic curves 2 E defined by an equation of the form y 2 = x 3 + Ax + B E Jérémie Detrey Arithmetic operators for pairing-based cryptography 2 / 21

4 Elliptic curves 2 E defined by an equation of the form y 2 = x 3 + Ax + B E(K) set of rational points over a field K E Q P Jérémie Detrey Arithmetic operators for pairing-based cryptography 2 / 21

5 Elliptic curves 2 E defined by an equation of the form y 2 = x 3 + Ax + B E(K) set of rational points over a field K E Additive group law over E(K) Q P P + Q Jérémie Detrey Arithmetic operators for pairing-based cryptography 2 / 21

6 Elliptic curves 2 E defined by an equation of the form y 2 = x 3 + Ax + B E(K) set of rational points over a field K E Additive group law over E(K) Q Many applications in cryptography P EC-based Diffie-Hellman key exchange EC-based Digital Signature Algorithm... P + Q Jérémie Detrey Arithmetic operators for pairing-based cryptography 2 / 21

7 Elliptic curves 2 E defined by an equation of the form y 2 = x 3 + Ax + B E(K) set of rational points over a field K E Additive group law over E(K) Q Many applications in cryptography P EC-based Diffie-Hellman key exchange EC-based Digital Signature Algorithm... P + Q But there s more: bilinear pairings Jérémie Detrey Arithmetic operators for pairing-based cryptography 2 / 21

8 Bilinear pairings 3 G 1 = P an additively-written group G 2 a multiplicatively-written group Jérémie Detrey Arithmetic operators for pairing-based cryptography 3 / 21

9 Bilinear pairings 3 G 1 = P an additively-written group G 2 a multiplicatively-written group A bilinear pairing on (G 1, G 2 ) is a map that satisfies the following conditions: ê : G 1 G 1 G 2 computability: ê can be efficiently computed non-degeneracy: ê(p, P) 1 G2 bilinearity: for all Q 1, Q 2 and R G 1, ê(q 1 + Q 2, R) = ê(q 1, R)ê(Q 2, R) and ê(r, Q 1 + Q 2 ) = ê(r, Q 1 )ê(r, Q 2 ) Jérémie Detrey Arithmetic operators for pairing-based cryptography 3 / 21

10 Bilinear pairings 3 G 1 = P an additively-written group G 2 a multiplicatively-written group A bilinear pairing on (G 1, G 2 ) is a map that satisfies the following conditions: ê : G 1 G 1 G 2 computability: ê can be efficiently computed non-degeneracy: ê(p, P) 1 G2 bilinearity: for all Q 1, Q 2 and R G 1, ê(q 1 + Q 2, R) = ê(q 1, R)ê(Q 2, R) and ê(r, Q 1 + Q 2 ) = ê(r, Q 1 )ê(r, Q 2 ) Immediate property: for any integer a, ê(ap, P) = ê(p, ap) = ê(p, P) a Jérémie Detrey Arithmetic operators for pairing-based cryptography 3 / 21

11 Pairings in cryptography 4 At first, used to reduce discrete logarithm problems to simpler instances Menezes-Okamoto-Vanstone (MOV) attack, 1993 Jérémie Detrey Arithmetic operators for pairing-based cryptography 4 / 21

12 Pairings in cryptography 4 At first, used to reduce discrete logarithm problems to simpler instances Menezes-Okamoto-Vanstone (MOV) attack, 1993 One-round three-party key agreement (Joux, 2000) Identity-based encryption Boneh-Franklin, 2001 Sakai-Kasahara, Short signatures Boneh-Lynn-Shacham (BLS), 2001 Zang-Safavi-Naini-Susilo (ZSS), Jérémie Detrey Arithmetic operators for pairing-based cryptography 4 / 21

13 Pairings over elliptic curves 5 E defined over a finite field F p m, with p prime and m 1 An integer l not divisible by p Jérémie Detrey Arithmetic operators for pairing-based cryptography 5 / 21

14 Pairings over elliptic curves 5 E defined over a finite field F p m, with p prime and m 1 An integer l not divisible by p Additive group, F p m-rational l-torsion points: G 1 = E(F p m)[l] Multiplicative group, l-th roots of unity: G 2 = µ l F p km k is the embedding degree of the curve E Jérémie Detrey Arithmetic operators for pairing-based cryptography 5 / 21

15 Pairings over elliptic curves 5 E defined over a finite field F p m, with p prime and m 1 An integer l not divisible by p Additive group, F p m-rational l-torsion points: G 1 = E(F p m)[l] Multiplicative group, l-th roots of unity: G 2 = µ l F p km k is the embedding degree of the curve E ê : E(F p m)[l] E(F p m)[l] µ l Jérémie Detrey Arithmetic operators for pairing-based cryptography 5 / 21

16 Pairings over elliptic curves 6 Which embedding degree? Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

17 Pairings over elliptic curves 6 Which embedding degree? ordinary curves? usually very large k Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

18 Pairings over elliptic curves 6 Which embedding degree? ordinary curves? usually very large k supersingular curves? Finite field F p m Maximal k m even 3 m odd, p = 2 4 m odd, p = 3 6 m odd, p > 3 2 Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

19 Pairings over elliptic curves 6 Which embedding degree? ordinary curves? usually very large k supersingular curves? Finite field F p m Maximal k m even 3 m odd, p = 2 4 m odd, p = 3 6 m odd, p > 3 2 Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

20 Pairings over elliptic curves 6 Which embedding degree? ordinary curves? usually very large k supersingular curves? Finite field F p m Maximal k m even 3 m odd, p = 2 4 m odd, p = 3 6 m odd, p > 3 2 Which pairing? Weil pairing Tate pairing η T pairing Ate pairing Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

21 Pairings over elliptic curves 6 Which embedding degree? ordinary curves? usually very large k supersingular curves? Finite field F p m Maximal k m even 3 m odd, p = 2 4 m odd, p = 3 6 m odd, p > 3 2 Which pairing? Weil pairing Tate pairing η T pairing Ate pairing Jérémie Detrey Arithmetic operators for pairing-based cryptography 6 / 21

22 η T pairing in characteristic 3 7 Need for arithmetic over: F 3 m F 3 6m ηˆ T : E(F 3 m)[l] E(F 3 m)[l] µ l F 3 6m Jérémie Detrey Arithmetic operators for pairing-based cryptography 7 / 21

23 η T pairing in characteristic 3 7 Need for arithmetic over: ηˆ T : E(F 3 m)[l] E(F 3 m)[l] µ l F 3 6m F 3 m F 3 6m arithmetic on the underlying field F 3 m Jérémie Detrey Arithmetic operators for pairing-based cryptography 7 / 21

24 η T pairing in characteristic 3 7 Need for arithmetic over: ηˆ T : E(F 3 m)[l] E(F 3 m)[l] µ l F 3 6m F 3 m F 3 6m arithmetic on the underlying field F 3 m Operations over F 3 m: Operation Count m = 97 +/ 121 m m a 3 17 m a Jérémie Detrey Arithmetic operators for pairing-based cryptography 7 / 21

25 η T pairing in characteristic 3 7 Need for arithmetic over: ηˆ T : E(F 3 m)[l] E(F 3 m)[l] µ l F 3 6m F 3 m F 3 6m arithmetic on the underlying field F 3 m Operations over F 3 m: Arithmetic over F 3 m: Operation Count m = 97 +/ 121 m m a 3 17 m a Polynomial basis: F 3 m = F 3 [x]/(f (x)) Degree-m irreducible polynomial f (x) carefully chosen Jérémie Detrey Arithmetic operators for pairing-based cryptography 7 / 21

26 8 Addition over F 3 m a(x) b(x) a(x) + b(x) Jérémie Detrey Arithmetic operators for pairing-based cryptography 8 / 21

27 8 Addition over F 3 m a(x) b(x) a m 1 b m 1 a 1 b 1 a 0 b 0 a(x) + b(x) (a m 1 + b m 1 ) mod 3 (a 1 + b 1 ) mod 3 (a 0 + b 0 ) mod 3 coefficient-wise addition over F 3 Jérémie Detrey Arithmetic operators for pairing-based cryptography 8 / 21

28 8 Addition over F 3 m a(x) b(x) a(x) + b(x) a m 1 b m 1 (a m 1 + b m 1 ) mod 3 a 1 b 1 (a 1 + b 1 ) mod 3 a 0 b 0 (a 0 + b 0 ) mod coefficient-wise addition over F 3 addition over F 3 : small look-up table Jérémie Detrey Arithmetic operators for pairing-based cryptography 8 / 21

29 9 Addition, subtraction and accumulation over F 3 m load c 0 add/sub c 2 enable c 5 a(x) b(x) +/ +/ 0 r(x) c 1 load c 3 add/sub c 4 accumulate sign selection: multiplication by 1 or 2 feedback loop for accumulation a(x) 2a(x) (mod 3) Jérémie Detrey Arithmetic operators for pairing-based cryptography 9 / 21

30 10 Multiplication over F 3 m Parallel-serial multiplication multiplicand loaded in a parallel register multiplier loaded in a shift register Most significant coefficients first D coefficients processed at each iteration: m D iterations per multiplication Jérémie Detrey Arithmetic operators for pairing-based cryptography 10 / 21

31 11 Multiplication over F 3 m load c 0 a(x) PPG PPG x mod f (x) enable clear c 3 c 4 b(x) shift register PPG x 2 mod f (x) r(x) c 1 load c 2 shift x 3 mod f (x) partial product generator (PPG): m multiplications over F 3 multiplication by x i : only wiring simple modular reductions Jérémie Detrey Arithmetic operators for pairing-based cryptography 11 / 21

32 12 Cubing over F 3 m Cubing in characteristic 3 is the Frobenius map We compute the normal form of a(x) 3 mod f (x) Jérémie Detrey Arithmetic operators for pairing-based cryptography 12 / 21

33 12 Cubing over F 3 m Cubing in characteristic 3 is the Frobenius map We compute the normal form of a(x) 3 mod f (x) Example: m = 97 and f (x) = x 97 + x a(x) 3 mod f (x) = (a 32 x 96 + a 64 x 95 + a 96 x a 33 x 2 + a 65 x + a 0 ) 1 + ( 0 + a 60 x 95 + a 88 x a 61 x + a 89 ) 1 + ( 0 + a 60 x 95 + a 92 x a 61 x + a 93 ) 1 Jérémie Detrey Arithmetic operators for pairing-based cryptography 12 / 21

34 12 Cubing over F 3 m Cubing in characteristic 3 is the Frobenius map We compute the normal form of a(x) 3 mod f (x) Example: m = 97 and f (x) = x 97 + x a(x) 3 mod f (x) = (a 32 x 96 + a 64 x 95 + a 96 x a 33 x 2 + a 65 x + a 0 ) 1 + ( 0 + a 60 x 95 + a 88 x a 61 x + a 89 ) 1 + ( 0 + a 60 x 95 + a 92 x a 61 x + a 93 ) 1 = w 1 ν 1 (x) + w 2 ν 2 (x) + w 3 ν 3 (x) Required hardware: only wires to compute the ν i (x) s possibly multiplications over F 3 multi-operand addition over F 3 m Jérémie Detrey Arithmetic operators for pairing-based cryptography 12 / 21

35 13 Cubing over F 3 m select load c 0 c 1 sign c 2 a(x) ±w3 ±w2 ±w1 ν 1 (x) ν 2 (x) ν 3 (x) enable c 3 r(x) feedback loop for successive cubings sign selection for computing either a(x) 3 or a(x) 3 Jérémie Detrey Arithmetic operators for pairing-based cryptography 13 / 21

36 14 Inversion over F 3 m Extended Euclidean algorithm? Jérémie Detrey Arithmetic operators for pairing-based cryptography 14 / 21

37 14 Inversion over F 3 m Extended Euclidean algorithm? fast computation... but need for additional hardware Jérémie Detrey Arithmetic operators for pairing-based cryptography 14 / 21

38 14 Inversion over F 3 m Extended Euclidean algorithm? fast computation... but need for additional hardware Preferred solution: Fermat s little theorem a(x) 1 = a(x) 3m 2 on F 3 m Jérémie Detrey Arithmetic operators for pairing-based cryptography 14 / 21

39 14 Inversion over F 3 m Extended Euclidean algorithm? fast computation... but need for additional hardware Preferred solution: Fermat s little theorem a(x) 1 = a(x) 3m 2 on F 3 m algorithm by Itoh and Tsujii requires only multiplications and cubings over F 3 m Jérémie Detrey Arithmetic operators for pairing-based cryptography 14 / 21

40 14 Inversion over F 3 m Extended Euclidean algorithm? fast computation... but need for additional hardware Preferred solution: Fermat s little theorem a(x) 1 = a(x) 3m 2 on F 3 m algorithm by Itoh and Tsujii requires only multiplications and cubings over F 3 m only one inversion for the full pairing: delay overhead is negligible (< 1%) Jérémie Detrey Arithmetic operators for pairing-based cryptography 14 / 21

41 The full processing element 15 a(x) b(x) addition multiplication r(x) cubing control Jérémie Detrey Arithmetic operators for pairing-based cryptography 15 / 21

42 The full processing element 15 a(x) b(x) addition multiplication r(x) cubing control For the η T pairing: almost no parallelism between additions, multiplications and cubings Can we share hardware resources between the three operators? Jérémie Detrey Arithmetic operators for pairing-based cryptography 15 / 21

43 Unified operator 16 select c 0 load c 1 cubing c 6 multiplication c 8 a(x) b(x) c 2 c 3 select load shift register PPG PPG PPG ν 1 (x) ν 2 (x) x 2 ν 3 (x) mod f (x) x mod f (x) enable c 10 r(x) d(x) c 4 c 5 x 3 mod f (x) 0 load shift c 7 c 9 multiplication accumulate Jérémie Detrey Arithmetic operators for pairing-based cryptography 16 / 21

44 Unified operator 16 select load cubing multiplication c 0 c 1 c 6 c 8 a(x) b(x) c 2 c 3 select load shift register PPG PPG PPG ν 1 (x) ν 2 (x) x 2 ν 3 (x) mod f (x) x mod f (x) enable c 10 r(x) d(x) c 4 c 5 x 3 mod f (x) 0 load shift c 7 c 9 multiplication accumulate Jérémie Detrey Arithmetic operators for pairing-based cryptography 16 / 21

45 Unified operator 16 select load cubing multiplication c 0 c 1 c 6 c 8 a(x) b(x) c 2 c 3 select load shift register PPG PPG PPG ν 1 (x) ν 2 (x) x 2 ν 3 (x) mod f (x) x mod f (x) enable c 10 r(x) d(x) c 4 c 5 x 3 mod f (x) 0 load shift c 7 c 9 multiplication accumulate Jérémie Detrey Arithmetic operators for pairing-based cryptography 16 / 21

46 Unified operator 16 select load cubing multiplication c 0 c 1 c 6 c 8 a(x) b(x) c 2 c 3 select load shift register PPG PPG PPG ν 1 (x) ν 2 (x) x 2 ν 3 (x) mod f (x) x mod f (x) enable c 10 r(x) d(x) c 4 c 5 x 3 mod f (x) 0 load shift c 7 c 9 multiplication accumulate Jérémie Detrey Arithmetic operators for pairing-based cryptography 16 / 21

47 Results 17 Full co-processor for computation of the η T pairing field: F 3 97 with f (x) = x 97 + x processing element: unified operator with D = 3 prototype on a Xilinx Virtex-II Pro 4 FPGA Jérémie Detrey Arithmetic operators for pairing-based cryptography 17 / 21

48 Results 17 Full co-processor for computation of the η T pairing field: F 3 97 with f (x) = x 97 + x processing element: unified operator with D = 3 prototype on a Xilinx Virtex-II Pro 4 FPGA Area: 1833 slices (63% of the FPGA) and 6 memory blocks (21%) Clock frequency: 145 MHz Full η T pairing: clock cycles Computation time: 192 µs Jérémie Detrey Arithmetic operators for pairing-based cryptography 17 / 21

49 Comparisons 18 Architecture Area Time FPGA Proposed solution 1833 slices 192 µs Virtex-II Pro (CHES 07) Grabher and Page 4481 slices 432 µs Virtex-II Pro (CHES 05) Kerins et al slices 850 µs Virtex-II Pro (CHES 05) Ronan et al slices 178 µs Virtex-II Pro (ITNG 07) Beuchat et al LEs 33 µs Cyclone II (Arith 07 & WAIFI 07) ( 9000 slices) Jiang slices 21 µs Virtex-4 LX (Univ. Honk Kong, 2007) Jérémie Detrey Arithmetic operators for pairing-based cryptography 18 / 21

50 Conclusion 19 Unified operator generator Arithmetic over F p m = F p [x]/(f (x)) for given p, m and f (x) Support for the following operations: addition multiplication Frobenius map (a(x) p mod f (x)) inverse Frobenius map ( p a(x) mod f (x)) Jérémie Detrey Arithmetic operators for pairing-based cryptography 19 / 21

51 Future work 20 Characteristic 2 simpler arithmetic better suited to FPGAs (fast multiplication) Jérémie Detrey Arithmetic operators for pairing-based cryptography 20 / 21

52 Future work 20 Characteristic 2 simpler arithmetic better suited to FPGAs (fast multiplication) Pairing on hyperelliptic curves Jérémie Detrey Arithmetic operators for pairing-based cryptography 20 / 21

53 Future work 20 Characteristic 2 simpler arithmetic better suited to FPGAs (fast multiplication) Pairing on hyperelliptic curves Ate pairing Side-channel Jérémie Detrey Arithmetic operators for pairing-based cryptography 20 / 21

54 Thank you for your attention 21 Questions? Jérémie Detrey Arithmetic operators for pairing-based cryptography 21 / 21

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,