Fast point multiplication algorithms for binary elliptic curves with and without precomputation

Size: px

Start display at page:

Download "Fast point multiplication algorithms for binary elliptic curves with and without precomputation"

Patrick Baldwin
5 years ago
Views:

Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1

1 Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico 2 University of Campinas, Brazil SAC - Montréal, Canada August 14th 2014

2 Outline Introduction Point Multiplication GLS curves and Montgomery ladder Montgomery ladder variants, multi-core approach Koblitz curves A novel τ-adic approach Results

3 Introduction

4 Introduction Point Multiplication Let E a,b (F 2 m) denote the abelian group formed by the point at infinity O and the set of affine points P = (x, y) with x, y F 2 m that satisfy the ordinary binary elliptic curve Weierstrass equation given as, E : y 2 + xy = x 3 + ax 2 + b. Also, let us assume that E a,b (F 2 m) includes a subgroup P of prime order r.

5 Introduction Point Multiplication Let E a,b (F 2 m) denote the abelian group formed by the point at infinity O and the set of affine points P = (x, y) with x, y F 2 m that satisfy the ordinary binary elliptic curve Weierstrass equation given as, E : y 2 + xy = x 3 + ax 2 + b. Also, let us assume that E a,b (F 2 m) includes a subgroup P of prime order r. Given a scalar k [0, r 1], the point multiplication operation, denoted by Q = kp corresponds to adding the point P to itself k 1 times. Q = kp = P + P + + P }{{} k 1 additions

6 GLS curves and Montgomery Ladder

7 GLS binary curves Introduction In 2009, Galbraith et al. introduced the GLS curves, a large family of elliptic curves defined over F q 2 which admits a two-dimensional efficiently computable endomorphism ψ. In the same year, Hankerson et al. presented an analysis of the GLS curves defined over binary fields F 2 2m.

8 GLS binary curves Introduction In 2009, Galbraith et al. introduced the GLS curves, a large family of elliptic curves defined over F q 2 which admits a two-dimensional efficiently computable endomorphism ψ. In the same year, Hankerson et al. presented an analysis of the GLS curves defined over binary fields F 2 2m. The GLS endomorphism is defined as, with s F 2 4m\F 2 2m. ψ : (x, y) (x 2m, y 2m + s 2m x 2m + sx 2m ), In addition, there is an integer δ satisfying δ (mod r) such that ψ(q) = δq for all Q P.

9 GLS binary curves GLV method Given that r = n, The average cost of computing Q = kp using the traditional double-and-add method is about nd + n 2 A.

10 GLS binary curves GLV method Given that r = n, The average cost of computing Q = kp using the traditional double-and-add method is about nd + n 2 A. However, we can take advantage of the ψ endomorphism by splitting the scalar k into two parts and compute Q = kp = k 1 P + k 2 δp = k 1 P + k 2 ψ(p). As a result, the average cost of computing Q = kp is about n 2 D + n 2 A + n 4 ψ.

11 GLS binary curves Quadratic field arithmetic Since the GLS curves are defined over a quadratic field F 2 2m, the point operations (2P, P + Q, P 2 ) are realized through a quadratic field arithmetic.

12 GLS binary curves Quadratic field arithmetic Since the GLS curves are defined over a quadratic field F 2 2m, the point operations (2P, P + Q, P 2 ) are realized through a quadratic field arithmetic. Operations in F 2 2m can be realized by combining operations in F 2 m (towering). This approach permits a much better usage of the processor pipelined execution units. Table: Quadratic field Operations. The timings, given in clock cycles, were measured in a Intel Core i7-4700mq (Haswell). Base field (F ) Quadratic field (F ) observed operations expected observed operation timing in F 2 m timing timing multiplication ( m) 29 3 m squaring ( s) 15 2 s half-trace ( h) 35 2 h 70 63

13 Montgomery Ladder Introduction The Montgomery ladder method was introduced in 1987 by Peter Montgomery. Algorithm Left-to-right Montgomery ladder Require: P = (x, y), k = (1, k n 2,..., k 1, k 0) Ensure: Q = kp R 0 P; R 1 2P; for i = n 2 downto 0 do if k i = 1 then R 0 R 0 + R 1; R 1 2R 1 else R 1 R 0 + R 1; R 0 2R 0 end if end for return Q = R 0 Throughout the main loop, the difference R 0 R 1 = P is maintained. As a consequence, we can compute all point operations using only the x-coordinates of the points R 0, R 1 and P.

14 Montgomery Ladder Introduction The Montgomery ladder method was introduced in 1987 by Peter Montgomery. Algorithm Left-to-right Montgomery ladder Require: P = (x, y), k = (1, k n 2,..., k 1, k 0) Ensure: Q = kp R 0 P; R 1 2P; for i = n 2 downto 0 do if k i = 1 then R 0 R 0 + R 1; R 1 2R 1 else R 1 R 0 + R 1; R 0 2R 0 end if end for return Q = R 0 The method was proposed originally for prime curves, in the context of factorization. For that reason, it was not necessary to compute the point Q y-coordinate.

15 Montgomery Ladder Introduction The Montgomery ladder method was introduced in 1987 by Peter Montgomery. Algorithm Left-to-right Montgomery ladder Require: P = (x, y), k = (1, k n 2,..., k 1, k 0) Ensure: Q = kp R 0 P; R 1 2P; for i = n 2 downto 0 do if k i = 1 then R 0 R 0 + R 1; R 1 2R 1 else R 1 R 0 + R 1; R 0 2R 0 end if end for return Q = R 0 The Montgomery ladder scalar multiplication allows a constant-time implementation, since in every iteration we must perform a point doubling and point addition, independently of the digit of k i.

16 Montgomery Ladder Introduction In 1999, López and Dahab presented an optimized version of the Montgomery ladder for binary curves using projective coordinates.

17 Montgomery Ladder Introduction In 1999, López and Dahab presented an optimized version of the Montgomery ladder for binary curves using projective coordinates. Let us denote the point P = (x, y) and the projective representation of the points R 0, R 1 and R 0 + R 1, as R 0 = (X 0,, Z 0 ), R 1 = (X 1,, Z 1 ) and R 0 + R 1 = (X 3,, Z 3 ). The y-coordinate of P is now used for recovering the Q = kp y-coordinate.

18 Montgomery Ladder Introduction In 1999, López and Dahab presented an optimized version of the Montgomery ladder for binary curves using projective coordinates. Let us denote the point P = (x, y) and the projective representation of the points R 0, R 1 and R 0 + R 1, as R 0 = (X 0,, Z 0 ), R 1 = (X 1,, Z 1 ) and R 0 + R 1 = (X 3,, Z 3 ). The y-coordinate of P is now used for recovering the Q = kp y-coordinate. For the case R 0 = R 1 (point doubling) we have, X 3 = (X b Z 2 0 ) 2 Z 3 = X 2 0 Z 2 0. Furthermore, for the case R 0 ±R 1, (point addition) one has that, Z 3 = (X 0 Z 1 + X 1 Z 0 ) 2 X 3 = x Z 3 + (X 0 Z 1 ) (X 1 Z 0 ). From the above results, the cost of each loop iteration is of 5 multiplications, 1 multiplication by the curve b-constant, 4 squarings and 3 additions.

19 Montgomery Ladder Point Halving The point halving, proposed independently in 1999 by Knudsen and Schroeppel, is a point operation defined over binary curves. Given a point P, find a point Q such that 2P = Q. The point halving operation is efficiently performed in affine coordinates, requiring one half-trace, one multiplication and one square-root.

20 Montgomery Ladder Point Halving The point halving, proposed independently in 1999 by Knudsen and Schroeppel, is a point operation defined over binary curves. Given a point P, find a point Q such that 2P = Q. The point halving operation is efficiently performed in affine coordinates, requiring one half-trace, one multiplication and one square-root. Challenge: How to efficiently implement Montgomery ladder using point halving combined with the GLS endomorphism?

21 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Our Solution: Precompute the halved points and consider the algorithm as a double-and-add right-to-left Montgomery ladder. Instead of doing point doublings, we recover the points from the memory.

22 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Remark #1: The R 2 variable maintains the difference R 2 = R 0 R 1, which can change in each iteration.

23 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Remark #2: If k i = 1, the x-coordinate of R 0 + R 1 is a function of the x-coordinates of R 0, R 1 and R 2, because R 2 = R 0 R 1.

24 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Remark #3: If k i = 0, the x-coordinate of R 2 + R 0 is a function of the x-coordinates of R 0, R 1 and R 2, because R 0 R 2 = R 0 (R 0 R 1 ) = R 1.

25 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Remark #4: The R 1 and R 0 is initialized as P n to avoid R 1, R 2 to be equal to R 0.

26 Montgomery Ladder Halve-and-add right-to-left approach Algorithm Montgomery-López-Dahab halve-and-add (right-to-left) Require: P = (x, y), k = (k n 1, k n 2,..., k 1, k 0 ) Ensure: Q = kp Precomputation: x(p i ), where P i = P 2i, for i = 0,..., n R 1 P n; R 2 P n; for i = 0 to n 1 do R 0 P n 1 i ; if k i = 1 then R 1 R 0 + R 1; else R 2 R 0 + R 2; end if end for R 1 R 1 P n return R 1 Remark #5: At the end of the Algorithm, R 2 + R 1 = R 0 = P. As a consequence, we recover the y-coordinate of R 1 efficiently.

27 Montgomery Ladder Halve-and-add right-to-left approach Considering the projective representation of the points R 0 = (X 0,, 1), R 1 = (X 1,, Z 1 ), R 2 = (X 2,, Z 2 ) and R 0 + R 1 = (X 3,, Z 3 ), and assuming R 0 ±R 1, T = (X 0 Z 1 + X 1 ) 2 Z 3 = Z 2 T X 3 = X 2 T + Z 2 (X 0 Z 1 ) (X 1 ) From the above results, the cost of each loop iteration is of 5 multiplications, 1 squaring, 2 additions and 1 point halving. Using the GLS endomorphism (ψ) with the GLV method we have, 5 multiplications, 1 squaring, 2 additions and 1 2 point halving.

28 Montgomery Ladder Timings Table: Timings (in clock cycles) for the elliptic curve operations in the Intel Haswell platform. Elliptic curve operation GLS E/F cycles op/m 1 Halving Montgomery-LD D&A (left-to-right) Addition Montgomery-LD H&A (right-to-left) Addition Montgomery-LD Doubling Ratio to multiplication.

29 Montgomery Ladder Multi-core setting We can recode the scalar k by computing k = 2 t scalar multiplication in two cores. (mod r) to process the k = k 0 2 t + k 1 2 t k t 1 }{{ k t } k t k t (n 1) t k n 1 }{{} halve and add double and add Two core setting: Core I : Process Montgomery-LD left-to-right double-and-add. Core II : Process Montgomery-LD-2-GLV right-to-left halve-and-add (the number of precomputed points reduces to n 4 ).

30 Montgomery Ladder Multi-core setting We can recode the scalar k by computing k = 2 t scalar multiplication in two cores. (mod r) to process the k = k 0 2 t + k 1 2 t k t 1 }{{ k t } k t k t (n 1) t k n 1 }{{} halve and add double and add Four core setting: Cores I and II : Process Montgomery-LD-2-GLV left-to-right double-and-add. The ψ endomorphism is used to distribute the workload between the two cores). Cores III and IV : Process Montgomery-LD-2-GLV right-to-left halve-and-add.

31 Koblitz curves

32 Koblitz curves Introduction The Koblitz curves, also known as Anomalous Binary Curves, were proposed for cryptographic use by Neal Koblitz in These curves are defined as over F 2 m, with a {0, 1}. E : y 2 + xy = x 3 + ax 2 + 1,

33 Koblitz curves Introduction The Koblitz curves, also known as Anomalous Binary Curves, were proposed for cryptographic use by Neal Koblitz in These curves are defined as over F 2 m, with a {0, 1}. E : y 2 + xy = x 3 + ax 2 + 1, The Koblitz curves admits the 2 m -dimension Frobenius endomorphism defined as, τ : (x, y) (x 2, y 2 ). It is known that, (τ 2 + 2)P = µτ(p). As a result, we can convert the integer scalar k to its τ-representation k = n 1 i=0 k iτ i and substitute the point doubling operations for cheaper τ endomorphisms.

34 Koblitz curves Recoding The recoding of the scalar k in τ-adic form is an important step for performing the point multiplication over Koblitz curves, once it will determine the length and the density of the recoded scalar. 1 To achieve a compact scalar recoding with a non-zero density of w+1, Solinas proposed, in 2000, a non-regular approach, To compute a partial reduction procedure ρ = k partmod τ m 1 τ 1. Next, repeatedly divide ρ by τ w and assign the reminders to the digit set {0, ±α 1, ±α 3,..., ±α 2 w 1 1}, for α i = i mod τ w. This step is called width-w τ-naf expansion.

Koblitz curves Recoding The recoding of the scalar k in τ-adic form is an important step for performing the point multiplication over Koblitz curves, once it will determine the length and the density

35 Koblitz curves Recoding The recoding of the scalar k in τ-adic form is an important step for performing the point multiplication over Koblitz curves, once it will determine the length and the density of the recoded scalar. 1 To achieve a compact scalar recoding with a non-zero density of w+1, Solinas proposed, in 2000, a non-regular approach, To compute a partial reduction procedure ρ = k partmod τ m 1 τ 1. Next, repeatedly divide ρ by τ w and assign the reminders to the digit set {0, ±α 1, ±α 3,..., ±α 2 w 1 1}, for α i = i mod τ w. This step is called width-w τ-naf expansion. Challenge: How to derive an efficient regular recoding version of the width-w τ-naf expansion?

36 Koblitz curves A novel regular τ-adic approach Algorithm Regular width-w τ-recoding for n-bit scalar Require: w, t w, α u = β u + γ uτ for u = {±1, ±3, ±5,..., ±2 w 1 1}, ρ = r 0 + r 1τ Z[τ] with odd r 0, r 1 n+2 w 1 Ensure: ρ = i=0 u i τ i(w 1) for i 0 to n+2 w 1-1 do if w = 2 then u i ((r 0 2r 1) mod 4) 2 r 0 r 0 u i else u (r 0 + r 1t w mod 2 w ) 2 w 1 if u > 0 then s 1 else s 1 r 0 r 0 sβ u, r 1 r 1 sγ u, u i sα u end if for j 0 to (w 2) do t r 0, r 0 r 1µr 0/2, r 1 t/2 end for end for if r 0 0 and r 1 1 then u i r 0 + r 1τ else if r 1 0 then u i r 1 else u i r 0 end if end if Let φ w : Z[τ] Z 2 w be a surjective ring homomorphism induced by τ t w, for tw µt w (mod 2 w ).

37 Koblitz curves A novel regular τ-adic approach Algorithm Regular width-w τ-recoding for n-bit scalar Require: w, t w, α u = β u + γ uτ for u = {±1, ±3, ±5,..., ±2 w 1 1}, ρ = r 0 + r 1τ Z[τ] with odd r 0, r 1 n+2 w 1 Ensure: ρ = i=0 u i τ i(w 1) for i 0 to n+2 w 1-1 do if w = 2 then u i ((r 0 2r 1) mod 4) 2 r 0 r 0 u i else u (r 0 + r 1t w mod 2 w ) 2 w 1 if u > 0 then s 1 else s 1 r 0 r 0 sβ u, r 1 r 1 sγ u, u i sα u end if for j 0 to (w 2) do t r 0, r 0 r 1µr 0/2, r 1 t/2 end for end for if r 0 0 and r 1 1 then u i r 0 + r 1τ else if r 1 0 then u i r 1 else u i r 0 end if end if An element i = i 0 + i 1 τ from Z[τ] with odd integers i 0, i 1 [0, 2 w ) satisfies the property φ w (i) = 2 w 1 + ( (2 w 1 φ w (i)))

38 Koblitz curves A novel regular τ-adic approach Algorithm Regular width-w τ-recoding for n-bit scalar Require: w, t w, α u = β u + γ uτ for u = {±1, ±3, ±5,..., ±2 w 1 1}, ρ = r 0 + r 1τ Z[τ] with odd r 0, r 1 n+2 w 1 Ensure: ρ = i=0 u i τ i(w 1) for i 0 to n+2 w 1-1 do if w = 2 then u i ((r 0 2r 1) mod 4) 2 r 0 r 0 u i else u (r 0 + r 1t w mod 2 w ) 2 w 1 if u > 0 then s 1 else s 1 r 0 r 0 sβ u, r 1 r 1 sγ u, u i sα u end if for j 0 to (w 2) do t r 0, r 0 r 1µr 0/2, r 1 t/2 end for end for if r 0 0 and r 1 1 then u i r 0 + r 1τ else if r 1 0 then u i r 1 else u i r 0 end if end if Repeated division of (r 0 + r 1 τ) (((r 0 + r 1 τ) mod τ w ) τ w 1 ) by τ w 1, correspondingly of φ w (ρ ) = (r 0 + r 1 t w ) ((r 0 + r 1 t w mod 2 w ) 2 w 1 ) by 2 w 1, obtains remainders that belong to the set {0, ±α 1, ±α 3,..., ±α 2 w 1 1 }.

39 Koblitz curves Left-to-right regular approach Algorithm Protected scalar multiplication Require: P = (x, λ), k Z, width w Ensure: Q = kp ( ) Compute ρ = r 0 + r 1τ = k partmod τ m 1 τ 1 if 2 r 0 then r 0 = r0 + 1 if 2 r 1 then r 1 = r1 + 1 Compute width-w length-l regular τ-adic of r 0 +r 1 for i {1,..., 2 w 1 1} do Compute P u = α up Q O for i = l 1 downto 0 do Q τ w 1 (Q) Perform a linear pass to recover P ui Q Q + P ui end for return Q = Q (r 0 r0)p (r 1 r1)τ(p). τ as 1+ m+2 w 1 i=0 u i τ i(w 1) (previous Algorithm)

40 Koblitz curves Timings Table: Timings (in clock cycles) for the elliptic curve operations in the Intel Haswell platform. Elliptic curve operation Koblitz E/F cycles op/m 1 Frobenius Integer τ-adic recoding (w = 5) 8, Point addition Ratio to multiplication.

41 Results

42 Results Table: Timings (in clock cycles) for 128-bit level scalar multiplication with timing-attack resistance in the Intel Sandy Bridge (S), Ivy Bridge (I) and Haswell (H) architectures. State-of-the-art implementations Our Work Method Cycles Arch ed-254-mont (prime) [Bos et al.] 196,000 S Curve25519 (prime) [Bernstein] 162,000 H Random-Montgomery-LD ladder (binary) [Gueron et al.] 135,000 H Koblitz-Montgomery-LD double-and-add (binary) [Gueron et al.] 118,000 H Twisted-Edwards-4-GLV (prime) [Faz-Hernández et al.] 92,000 I Genus-2-Kummer Montgomery ladder (prime) [Bernstein et al.] 72,200 H GLS-2-GLV double-and-add (binary, λ) [Oliveira et al.] 60,000 H Koblitz-Montgomery-LD double-and-add (left-to-right) 122,000 H Koblitz-regular τ-and-add (left-to-right, w = 5) 99,000 H GLS-Montgomery-LD-2-GLV halve-and-add 80,800 H GLS-Montgomery-LD double-and-add 70,800 H 2-core GLS-Montgomery-LD-2-GLV hlv-and-add/dbl-and-add 52,000 H 4-core GLS-Montgomery-LD-2-GLV hlv-and-add/dbl-and-add 34,800 H Our GLS-Montgomery-LD double-and-add, surpasses [Gueron et al., Random] by 48%, [Gueron et al., Koblitz] by 40% and [Bernstein et al.] by 2%.

43 Results Table: Timings (in clock cycles) for 128-bit level scalar multiplication with timing-attack resistance in the Intel Sandy Bridge (S), Ivy Bridge (I) and Haswell (H) architectures. State-of-the-art implementations Our Work Method Cycles Arch ed-254-mont (prime) [Bos et al.] 196,000 S Curve25519 (prime) [Bernstein] 162,000 H Random-Montgomery-LD ladder (binary) [Gueron et al.] 135,000 H Koblitz-Montgomery-LD double-and-add (binary) [Gueron et al.] 118,000 H Twisted-Edwards-4-GLV (prime) [Faz-Hernández et al.] 92,000 I Genus-2-Kummer Montgomery ladder (prime) [Bernstein et al.] 72,200 H GLS-2-GLV double-and-add (binary, λ) [Oliveira et al.] 60,000 H Koblitz-Montgomery-LD double-and-add (left-to-right) 122,000 H Koblitz-regular τ-and-add (left-to-right, w = 5) 99,000 H GLS-Montgomery-LD-2-GLV halve-and-add 80,800 H GLS-Montgomery-LD double-and-add 70,800 H 2-core GLS-Montgomery-LD-2-GLV hlv-and-add/dbl-and-add 52,000 H 4-core GLS-Montgomery-LD-2-GLV hlv-and-add/dbl-and-add 34,800 H Our Koblitz-regular τ-and-add surpasses [Gueron et al., Koblitz] by 16% (with [Gueron et al.] without TurboBoost, 26%), a speed record on single-core time-constant standardized binary curves.

44 Thank you!

Software implementation of Koblitz curves over quadratic fields

Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,