Julio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April,

Transcription

1 Point Compression Algorithms for Binary Curves Julio López and Ricardo Dahab Institute of Computing (IC) UNICAMP April,

2 Outline Introduction to ECC over GF (2 m ) Background on: trace and halving a point Previous methods on point compression IEEE-P1363 Seroussi s method King s method New Methods Conclusions

3 Point Compression Problem Given a point P = (x, y) on an elliptic curve E defined over a finite field F 2 m, find a method for representing the point P with less than 2m bits. Compress(P ) =? and Decompress(C P ) =? Main application: for the transmission of elliptic points (Diffie-Hellman key agreement protocol)

4 Elliptic Curve Cryptography An elliptic curve E over the finite field F 2 m equation: where a, b F 2 m and b 0. E : y 2 + xy = x 3 + ax 2 + b (1) The set of rational points on E: is defined by the E(F 2 m) := {(x, y) y 2 + xy = x 3 + ax 2 + b} O, where O is the point at infinity. There is a chord-and-tangent rule for adding two points in E(F 2 m) to give a third point in E(F 2 m). R = P + Q

5 Elliptic Curve Cryptography /2 The set of points E(F 2 m), together with the + operation, forms an abelian group with O as its identity. It is this group that is used for constructing elliptic curve cryptosystems. The Point Multiplication operation is: given a point P on an elliptic curve E and an integer k, the point multiplication kp is kp := P + P + + P (k times). The Elliptic curve discrete logarithm problem is: given a point P E(F 2 m) of order n, and point Q < P >, find the integer k [0, n 1] such that Q = kp.

6 Elliptic Curve Cryptography Domain parameters D = (q, FR, S, a, b, P, n, h) are comprised of: The field order q = 2 m. The FR (field representation) (normal basis or polynomial basis). A seed S if the elliptic curve was randomly generated. Two coefficients a, b F 2 m, b 0 that define equation (1). Two field elements x P and y P in F 2 m that define a finite point P = (x P, y P ) E(F 2 m). The point P has prime order and is called the base point. The order n of P The cofactor h = #E(F 2 m)/n.

7 Group Law for Binary Curves over F 2 m 1. Identity. P + O = O + P = P for all P E(F 2 m). 2. Negatives. If P = (x, y) E(F 2 m), then P = (x, x + y). Note that P is a point in E(F 2 m). Also, O = O. 3. Point addition. Let P = (x 1, y 1 ) E(F 2 m) and Q = (x 2, y 2 ) E(F 2 m), where P ±Q. Then P + Q = (x 3, y 3 ), where x 3 = λ 2 + λ + x 1 + x 2 + a and y 3 = λ(x 1 + x 3 ) + x 3 + y 1, and λ = (y 1 + y 2 )/(x 1 + x 2 ).

8 Group Law for Binary Curves over F 2 m /2 4. Point doubling. Let P = (x 1, y 1 ) E(F 2 m), where x 1 0. Then 2P = (x 2, y 2 ), where x 2 = λ 2 + λ + a = x b x 2 1 y 2 = x λx 2 + x 2 λ = x 1 + y 1 x 1

9 The Trace Function T r : F 2 m F 2 m Tr(c) := c + c 2 + c c 2m 1. T r(c) = T r(c 2 ) = T r(c) 2 ; in particular T r(c) {0, 1}. Trace is linear: T r(c + d) = T r(c) + T r(d). T r(x(kp )) = T r(a) for generator P E(F 2 m).

10 Computing the Trace Function Normal basis: {β, β 2,..., β 2m } c = m 1 i=0 c i β 2i T r(c) = m 1 i=0 c i Polynomial basis: {1, x, x 2,..., x m 1 } c = i=0 c i x i T r(c) = m 1 i=0 c i T r(x i )

11 NIST Recommended Binary Curves In 1999, NIST releases a list of 10 binary curves over the finite fields F 2 m, m {163, 233, 283, 409, 571}. For the random curves a = 1 (Tr(a) = 1). For the Koblitz curves a = 1 for m = 163 and a = 0 for m 163. For a polynomial basis representation, the trace can be computed as follows: for m = 163, Tr(c) = c 0 + c 157 for m = 233, Tr(c) = c 0 + c 159 for m = 283, Tr(c) = c 0 + c 277 for m = 409, Tr(c) = c 0 for m = 571, Tr(c) = c 0 + c c 569.

12 Solving a Quadratic Equation over F 2 m x 2 + x = c, c F 2 m Let m be an odd integer. The half-trace function H : F 2 m F 2 m is defined by H(c) = (m 1)/2 i=0 c 22i. H(c) is a solution of the equation x 2 + x = c + T r(c). If T r(c) = 0, H(c) and H(c) + 1 are the only solutions of the equation x 2 + x = c.

13 Point Compression Algorithm First Solution P = (x, y) E(F 2 m), x 0 Compress (P ) := x T r(x + y x ) Compress(P ) = m + 1 bits y 2 + xy = x 3 + ax 2 + b (x + y x )2 + (x + y x ) = x2 + a + b x 2 λ 2 + λ = x 2 + a + b, T r(λ) {0, 1} x2

14 INPUT: C P. OUTPUT: P = (x, y). Decompress(C P ): Point Compression Algorithm First Solution /2 1. C p = x t, t = T r(x + y x ). 2. Solve λ 2 + λ = x 2 + a + b x 2 for λ. 3. If (Tr(λ) t) then λ = λ Compute y = x (λ + x). 5. Return P = (x, y). Note: y = x (λ + T r(λ) + t + x)

15 Point Compression IEEE P1363 Algorithm P = (x, y) E(F 2 m) Compress (P ) := x ỹ, ỹ : the rightmost bit of y x Compress(P ) = m + 1 bits y 2 + xy = x 3 + ax 2 + b ( y x )2 + y x = x + a + b x 2 µ 2 + µ = x 2 + a + b, µ {0, 1} x2

16 INPUT: C P OUTPUT: P = (x, y). Decompress(C P ): 1. C p = x ỹ. Point Compression IEEE P1363 Algorithm /2 2. If x = 0 then Return P = (0, b). 3. Solve µ 2 + µ = x + a + b x 2 for µ. 4. Compute y = x (x + µ + ỹ). 5. Return P = (x, y).

17 IEEE P1363 Algorithm }{{}} {{ } Y X 0x02 point compressed x P = 0 Y = 0x03 point compressed x P 0 0x04 point not compressed

18 T r(x) = T r(a) Point Compression Seroussi s Algorithm, 1998 P = (x, y) E(F 2 m) Let i be the smallest index such T r(x i ) = 1. For NIST binary fields i = 0. m 1 bits are required to represent x. x = (x m 1 x i x 0 ) ẋ := (x m 1 x i 1 x i+1 x 0 ) Compress (P ) := (x m 1 x i 1 ỹx i+1 x 0 ) Compress(P ) = m bits

19 INPUT: C P, T r(x) = T r(a). OUTPUT: P = (x, y). Decompress(C P ): Point Compression Seroussi s Algorithm /2 1. From C P obtains x 1 = (x m 1 x i 1 1 x i+1 x 0 ) and y 1 = ỹ. 2. If Tr(x 1 ) Tr(a) then x 1 = (x m 1 x i 1 0 x i+1 x 0 ). 3. If x = 0 then Return P = (0, b). 4. Solve µ 2 + µ = x + a + b x 2 for µ. 5. Compute y = x (x + µ + y 1 ). 6. Return P = (x, y).

20 Point Compression New Algorithm I, 2004 INPUT: P = (x, y), T r(x) = T r(a), m odd. OUTPUT: C P F 2 m. Compress (P ) := C P = x + T r(x + y x ) C P = m bits Note: T r(x + y x ) = T r(c P ) + T r(a).

21 Point Compression New Algorithm I /2 INPUT: C P, T r(x) = T r(a), m odd. OUTPUT: P = (x, y). Decompress(C P ): 1. x = C P + T r(c P ). 2. Solve λ 2 + λ = x 2 + a + b x 2 for λ. 3. Compute y = x (x + T r(λ) + T r(c P ) + T r(a)). 4. Return P = (x, y).

22 Point Halving for Binary Curves P = (x, y) 2P = (x 2, y 2 ) : let λ = x + y/x x 2 = λ 2 + λ + a = x 2 + b/x 2 y 2 = x 2 + λx 2 + x 2 Halving: given Q = (x 2, y 2 ) find P = (x, y) such 2P = Q x 2 = λ 2 + λ + a solve for λ y 2 = x 2 + λx 2 + x 2 solve for x E. Knudsen, 1999 and R. Schroeppel, 2000

23 Computing Point Halving INPUT: P = (x, λ), T r(a) = 1, m odd. OUTPUT: 2P = (x 2, λ 2 ). x λ x 2 λ 2 2P = (x 2, y 2 ) (x 2, λ 2 ), λ 2 = x 2 + y 2 /x 2

24 Computing Point Halving /2 x T r(a) = 1, m odd λ x 2 λ 2 1. Solve λ 2 + λ = x 2 + a for λ. 2. Compute T = x 2 (λ + λ 2 + x 2 + 1). 3. If Tr(T ) = 1 then x = T else λ = λ + x 2, x = T + x Return (x, λ).

25 Computing Point Halving /3 output: x T r(a) = 1, m odd z= x2 x 2 input: x 2 λ 2 x 4 1. Compute x 4 = λ λ 2 + a. 2. Solve z 2 + z = x 4 + x 2 2= (b/x 2 2) for z. 3. Compute T = z x If Tr(T ) = 1 then x = T, λ = z + λ 2 + x else x = T + x 2, λ = z + λ 2 + x Return (x, λ). λ

26 Point Compression New Algorithm II, 2004 INPUT: P = (x, y), T r(x) = T r(a) = 1, m odd. OUTPUT: C P F 2 m. Compress (P ) := C P = x + y x C P = m bits Note: T r(x + y x ) = T r(c P ).

27 Point Compression New Algorithm II /2 INPUT: C P, T r(x) = T r(a) = 1, m odd. OUTPUT: P = (x, y). Decompress(C P ): 1. x 2 = C 2 P + C P + a. 2. Solve z 2 + z = b x 2 2 for z. 3. Compute T = z x 2 4. If T r(t ) = 1 then x = T else x = T + x Compute y = x (x + C P x). 6. Return P = (x, y).

28 Point Compression King s Algorithm, 2004 INPUT: P = (x, y), T r(x) = T r(a), m odd. OUTPUT: C P F 2 m. Compress(P ) := C P = x if T r( y x ) = 0 b x if T r( y x ) = 1 C P = m bits Note: T r( y x ) = T r(c P ) + 1.

29 Point Compression King s Algorithm /2 INPUT: C P, T r(x) = T r(a), m odd. OUTPUT: P = (x, y). Decompress(C P ): 1. If T r(c P ) = 0 then x = C p else x = b C P 2. Solve µ 2 + µ = x + a + b x 2 for µ. 3. If T r(µ) = T r(c P ) + 1 then y = x µ else y = x µ + x. 4. Return P = (x, y).

30 Point Compression King s Algorithm /3 INPUT: P = (x, y), T r(x) = T r(a) = 0, m odd. OUTPUT: C P F 2 m. Compress(P ) := C P = ẋ if T r( y x ) = 0 x if T r( y x ) = 1 b C P = m 1 bits Note: T r(x) = T r( b x ) = 0.

31 Point Compression King s Algorithm /4 INPUT: P = (x, y), T r(x) = T r(a) = 0, m {233, 289, 409, 571}. OUTPUT: C P F 2 m. For Koblitz curves recommended by NIST Compress(P ) := C P = ẋ if T r( y x ) = 0 1 x if T r( y x ) = 1 C P = m 1 bits

32 Point Compression Algorithms Summary Compress(P ) = C P Method C P Bits IEEE P1363 x ỹ m + 1 Seroussi ẋ ỹ m x if T r( y x King ) = 0 b x if T r( y x ) = 1 m or m 1 New I x + T r(x + y x ) m New II x + y x m T r(a) = 1.

33 References IEEE P1363 Appendix A. htpp:// G. Seroussi, Compact Representation of Elliptic Curve Points over F 2 n, HP Labs Technical Reports, htpp:// B. King, A point Compression Method for Elliptic Curve Defined over GF (2 n ), PKC 2004, LNCS 2947, pp , K. Fong, D. Hankerson, J. López and A. Menezes, Field Inversion and Point Halving revisited, IEEE Transaction on Computers, Vol 53, no. 8, pp , 2004.