A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )

Size: px

Start display at page:

Download "A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )"

Hortense Austin
5 years ago
Views:

1 A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and Communications Graz University of Technology, Austria ACSAC 04

2 Agenda Motivation - Security challenges Elliptic Curve Cryptography Proposed extensions Experimental results Conclusions 2

3 Our future environment Internet 3

4 Security challenges Ubiquitous computing -> Networked computers in everything and everywhere Limited resources (CPU, memory, bandwidth, energy, ) Hostile environment -> Need for security with cryptography at its base Goal: Zero-overhead cryptography 4

5 Elliptic Curve Cryptography (ECC) Open systems necessitate public-key cryptography (PKC) But: PKC requires considerable resources (long operands, complex computations) ECC reduces operand size (e.g. 190 bit ECC vs bit RSA) Many parameters -> Compatibility? 5

6 ECC overview (1) An elliptic curve is defined over a field K as the set of all solutions (x,y) in K x K which satisfy a special equation ECC uses finite fields GF(p m ) for K, e.g. GF(p), GF(2 m ) Points on EC over a finite field form an additive abelian group An EC point P added (k-1) times to itself defines scalar multiplication k * P, which is very hard to invert (ECDLP) -> basis for security 6

7 ECC overview (2) Finite fields elements can have different representations, e.g. polynomial vs. normal basis for GF(2 m ) EC point arithmetic is realized with finite field arithmetic -> optimizing it will increase overall performance 7

8 Our Goals Accelerate ECC for an important underlying finite field (GF(2 m )) Accommodate different algorithms, operand sizes (varying m), and parameters Negligible impact on hardware cost Easy integration into existing architectures 8

9 Coprocessor vs. Instruction Set Extension Traditional approach: Dedicated coprocessor to offload cryptographic operations Hard to design a flexible, scalable coprocessor; often requires considerable silicon area and power Instead: Small and simple changes to processor by adding new instructions 9

10 Our Approach Instruction set extension to facilitate arithmetic operations in GF(2 m ) 2 versions of a multiply-step instruction for GF(2 m ) following the SPARC V8 MULScc instruction for integers Integration into LEON-2 core (SPARC V8 compatible) Evaluation with different ECC implementations 10

11 The MULGF2 operation Important operations for GF(2 m ) arithmetic are multiplication, squaring, reduction of binary polynomials Multiplication of two word-size polynomials (MULGF2 operation) can be used to implement those operations Our custom instructions (multiply-step for binary polynomials) accelerate the MULGF2 operation significantly without the use of a hardware multiplier 11

12 MULGF2 operation: "Shift and XOR" method A (multiplicand) B (multiplier) MS word A B LS word XOR MULGF2 12

13 Multiply-step instructions for binary polynomials Process 1 bit of the multiplier in 1 clock cycle (MULGFS instruction) Partial product is added to accumulator, consisting of two registers Addition can be done with modified ALU adder (suppressed carry) or ALU XOR gates. 13

14 MULGF2 operation with multiply-step A B Accumulator (2w bits) Initialization

15 MULGF2 operation with multiply-step A B Process bit 0 of B 15

16 MULGF2 operation with multiply-step A B Process bit 1 of B 16

17 MULGF2 operation with multiply-step A B Process bit 2 of B 17

18 MULGF2 operation with multiply-step A B Process bit 3 of B 18

19 MULGF2 operation with multiply-step A B Final result: A B 3. Final shift 19

20 MULGFS2 instruction Just as the MULGFS instruction, but processes 2 bits simultaneously in 1 clock cycle Modified ALU adder can be used ALU adder slightly modified to add the accumulator value and the 2 partial products Can be used with or without the MULGFS instruction (for final shift) 20

21 Modified ALU Adder Carry can be propagated or inserted insert == 0: a + b + c in insert == 1: a b cins (integer addition) (bin. poly. addition) 21

22 Experimental Results (1) Extensions have been implemented in LEON-2 and tested on an FPGA evaluation board 2 principal implementations: one for different operand sizes and reduction polynomials (FLEX); one optimized for GF(2 191 ) with a fixed reduction polynomial (OPT) Three variants of each implementation: original ISA (1), sole use of MULGFS instruction (2), use of both MULGFS2 and MULGFS instructions (3) 22

23 Experimental Results (1) FLEX1 FLEX2 FLEX3 OPT1 OPT2 OPT3 Unit Execution time (EC scalar mult.) Code size million cycles kb Additional RAM byte Hardware cost 100 < 101 < < 101 < 101 % Energy consumption / scalar mult. high << FLEX1 < FLEX2 medium < OPT1 < OPT2-23

24 Conclusions Simple extensions for processor core to facilitate ECC in GF(2 m ) Considerable performance gain (Speed, code size, RAM usage, power) Easy to implement in embedded processors (esp. SPARC V8) 24

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications