Fast Cryptography in Genus 2

Similar documents
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

Fast Cryptography in Genus 2

Elliptic and Hyperelliptic Curves: a Practical Security Comparison"

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)

Software implementation of ECC

Constructing genus 2 curves over finite fields

Four-Dimensional GLV Scalar Multiplication

Hyperelliptic Curve Cryptography

Fast, twist-secure elliptic curve cryptography from Q-curves

Selecting Elliptic Curves for Cryptography Real World Issues

Hyperelliptic curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Fast point multiplication algorithms for binary elliptic curves with and without precomputation

Software implementation of Koblitz curves over quadratic fields

Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

Faster Compact DiffieHellman: Endomorphisms on the x-line

Post-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research

Advanced Constructions in Curve-based Cryptography

Non-generic attacks on elliptic curve DLPs

An Analysis of Affine Coordinates for Pairing Computation

qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs

Definition of a finite group

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

A gentle introduction to elliptic curve cryptography

Connecting Legendre with Kummer and Edwards

An introduction to supersingular isogeny-based cryptography

Fast arithmetic and pairing evaluation on genus 2 curves

Cover and Decomposition Index Calculus on Elliptic Curves made practical

On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic

Kummer strikes back: new DH speed records

On the complexity of computing discrete logarithms in the field F

A gentle introduction to elliptic curve cryptography

FourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors

Genus 2 Curves of p-rank 1 via CM method

Ate Pairing on Hyperelliptic Curves

Class polynomials for abelian surfaces

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Exponentiating in Pairing Groups

Elliptic Curve Cryptography and Security of Embedded Devices

Counting Points on Genus 2 Curves with Real Multiplication

Fast Formulas for Computing Cryptographic Pairings

Edwards coordinates for elliptic curves, part 1

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

Polynomial arithmetic and applications in number theory

Edwards Curves and the ECM Factorisation Method

You could have invented Supersingular Isogeny Diffie-Hellman

The Montgomery ladder on binary elliptic curves

Faster Group Operations on Elliptic Curves

Families of fast elliptic curves from Q-curves

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS

Elliptic and Hyperelliptic Curve Cryptography

Fast FPGA implementations of Diffie-Hellman on the Kummer surface of a genus-2 curve

Selecting Elliptic Curves for Cryptography: An Eciency and Security Analysis

CPSC 467b: Cryptography and Computer Security

Generation Methods of Elliptic Curves

Cyclic Groups in Cryptography

Modular polynomials and isogeny volcanoes

Two is the fastest prime: lambda coordinates for binary elliptic curves

Scalar multiplication in compressed coordinates in the trace-zero subgroup

An Analysis of Affine Coordinates for Pairing Computation

Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

Pairings at High Security Levels

Skew-Frobenius maps on hyperelliptic curves

Jacobian Coordinates on Genus 2 Curves

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Elliptic Curve Cryptosystems and Scalar Multiplication

Julio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April,

Explicit Complex Multiplication

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS

Problème du logarithme discret sur courbes elliptiques

Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji

CPSC 467: Cryptography and Computer Security

An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves

Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography

Igusa Class Polynomials

ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS

Class invariants for quartic CM-fields

Montgomery curves and their arithmetic

Models of Elliptic Curves

Aspects of Pairing Inversion

Two Topics in Hyperelliptic Cryptography

Speeding Up the Fixed-Base Comb Method for Faster Scalar Multiplication on Koblitz Curves

A Remark on Implementing the Weil Pairing

Counting points on genus 2 curves over finite

Curve41417: Karatsuba revisited

Pairing computation on Edwards curves with high-degree twists

An improved compression technique for signatures based on learning with errors

Faster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs.

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Computing modular polynomials with the Chinese Remainder Theorem

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002

FACTORIZATION WITH GENUS 2 CURVES

Affine Precomputation with Sole Inversion in Elliptic Curve Cryptography

The point decomposition problem in Jacobian varieties

Pairing Computation on Elliptic Curves of Jacobi Quartic Form

Transcription:

Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2

Recall that curves are much better than F q 76 F q (today q 3072 bits) 85 E/F q (today q 256 bits) 89 Jac(C g /F q ) (today, g = 2, q 128 bits)

Why fields of half the size? y 2 = x 3 +a 2 x 2 +a 1 x +a 0 y 2 = x 5 +b 4 x 4 + +b 0 Both curves have around q points over F q

Why fields of half the size? y 2 = x 3 +a 2 x 2 +a 1 x +a 0 y 2 = x 5 +b 4 x 4 + +b 0 l P Q R l P Q R? R? R? Can t do chord-and-tangent in genus 2

Why fields of half the size? y 2 = x 3 +a 2 x 2 +a 1 x +a 0 y 2 = x 5 +b 4 x 4 + +b 0 Q P 1 Q 1 R 1 l P R P 2 l Q 2 R 2 Roughly speaking: group elements are pairs of points #E(F q ) q vs. #Jac(C)(F q ) q 2

This work/talk 1 Finding cryptographically suitable curves 2 Arithmetic of general genus 2 curves 3 GLV decompositions 4 The Kummer surface 5 Results / Open Question

1. Finding cryptographically suitable genus 2 curves

Finding genus 2 curves 1 Point Counting (Schoof-Pila) Until < 5 years ago, 128-bit security still far out of reach Gaudry-Schost 12 state-of-the-art 1,000 CPU hours to find group order of any curve 1,000,000+ CPU hours to find Kummer (used in this work) 2 Real Multiplication (RM) Gaudry-Kohel-Smith 12 Accelerated Schoof-Pila for genus 2 curves with efficiently computable RM (endomorphism) Finds 2-GLV curves 3 Complex Multiplication (CM) Very practical for low-discriminant CM fields Fix a prime p, fix quartic CM field K = Q[x]/(x 4 + Ax 2 + B) If p splits (nicely) in O K, can write down #Jac(C/F p ) Input F p -roots of Igusa Class Polynomials into Mestre to get C Igusas are the hard part (although Kohel/Thomé databases)

Finding genus 2 curves with CM over fast primes Picky with prime p flexible with CM field Mersenne prime p = 2 127 1 performs fastest at this level Search many CM fields to find good curves Can t hope to find secure curve for particular family (CM field) Picky with CM field flexible with prime p Sometimes need particular CM field (e.g. if you want endomorphisms) Montgomery-friendly primes: p = 2 64 (2 63 c) + 1 NIST-friendly primes: p = 2 128 c Both take c 2 63 (more than enough flexibility)

2. Arithmetic of general genus 2 curves

Mumford coordinates P 1 Q 1 R 1 P 2 Q 2 l R 2 sextic = (x x P1 )(x x P2 )(x x Q1 )(x x Q2 )(x x R1 )(x x R2 ) = 0 quadratic = (x x R1 )(x x R2 ) = 0 Computing with actual points means root finding in F q

Mumford coordinates P 1 Q 1 R 1 P 2 Q 2 l R 2 sextic = (x 2 + α P x + β P )(x 2 + α Q x + β Q )(x 2 + α R x + β R ) = 0 quadratic = (x 2 + α R x + β R ) = 0 Mumford coordinates avoid root finding

The cost of genus 2 group operations Based on C-Lauter 11, we optimized genus 2 formulas for 128-bit fields op. Divisor doubling Divisor addition Divisor mix add. g = 2 34M + 6S + 34a 44M + 4S + 29a 37M + 5S + 29a F p operations for common divisor operations in genus 2 implementation prime p cycles/scalar mult. generic128 2 128 173 364,000 generic127 2 127 1 248,000 Timings on Intel Core i7-3520m (Ivy Bridge) at 2893.484 MHz

3. GLV scalar decomposition

4-GLV: e.g. Buhler-Koblitz curves Let p = 2 64 (2 63 27443) + 1, and let C/F p : y 2 = x 5 + 17 #Jac = 28948022309328876595115567994214488524823328209723866335483563634241778912751 Notice that (x,y) C = (ξ 5 x,y) C, where ξ 5 5 = 1, = easy to compute map φ on Jac(C) For D Jac(C), we get the scalar multiples φ(d) = [λ]d, φ 2 (D) = [λ 2 ]D and φ 3 (D) = [λ 3 ]D for free [k]d as [k]d = [k 0 ]D + [k 1 ]φ(d) + [k 2 ]φ 2 (D) + [k 3 ]φ 3 (D) eg. k = 23477399837278936923599493713286470955314785798347519197199578120259089016680 (k 0,k 1,k 2,k 3 ) = ( 6344646642321980551, 3170471730617986668, 4387949940648063094, 3721725683392112311)

4-GLV: e.g. Buhler-Koblitz curves k was 254 bits, but instead we multiexponentiate by D k 0 = [1,0,1,1,0,0,0,0,0,0, 0, 1,... ] (63 bits) φ(d) k 1 = [0,1,0,1,0,1,1,1,1,1, 1, 1,... ] (63 bits) φ 2 (D) k 2 = [0,1,1,1,1,0,0,1,1,1, 0, 0,... ] (63 bits) φ 3 (D) k 3 = [0,1,1,0,0,1,1,1,0,1, 0, 0,... ] (63 bits) 254 DBL + 127 ADD 63 DBL + 80 ADD (Straus-Shamir) implementation prime p cycles/scalar mult. generic128 2 128 173 364,000 4GLV-BK 2 128 24935 164,000 4GLV-BK 2 64 (2 63 27443) + 1 156,000 Timings on Intel Core i7-3520m (Ivy Bridge) at 2893.484 MHz

4. The Kummer surface

Montgomery ladder for elliptic curves... Can compute P + Q from {P, Q, P Q} without y-coords Key: to compute [k]p, have [n + 1]P and [n]p at each stage Q l P R vs. same difference same result different difference different result

Genus 2 analogue: the Kummer surface K Montgomery identified P = (P x,p y ) and P = (P x, P y ) Smart-Siksek 99: g = 2 analogue...jac(c) K is 2-to-1 Gaudry 07: much better Kummer surface from theta theory The Squares-only Kummer is best (Cosset 10) K : Exyzt = ((x 2 +y 2 +z 2 +t 2 ) F(xt+yz) G(xz+yt) H(xy+zt)) 2 No longer a group, but enough to do secure crypto (e.g. DH) Each ladder step needs DBL K + ADD K only 25 F p muls!!! Compare to non-kummer DBL 40 and ADD 50

The Kummer surface implementation prime p cycles/scalar mult. generic128 2 128 173 364,000 generic127 2 127 1 248,000 4GLV-BK 2 128 24935 164,000 4GLV-BK 2 64 (2 63 27443) + 1 156,000 Kummer 2 128 237 166,000 Kummer 2 127 1 117,000 Timings on Intel Core i7-3520m (Ivy Bridge) at 2893.484 MHz See ebacs for more performance numbers... http://bench.cr.yp.to

5. Results / Open Question

Results: genus 1 and 2 implementations over prime fields who primitive g constant 10 3 time cycles OpenSSL NISTp256 1? 658 Hisil ecfp256e 1 X 227 Bernstein curve25519 1 182 Longa-Sica GLV-2 1 X 145 generic-p1271 2 X 248 this work GLV-4-BK-Mont 2 X 156 Kummer-p1271 2 117 Kummer offers fastest Diffie-Hellman over prime fields Bonus: Kummer also runs in constant-time Kummer chameleons: curves which can be Kummer or 4GLV, depending on scenario (see full version)

Open question Using endomorphisms (GLV) gives big speedups: 364,000 156,000 Using Kummer surface gives big speedups: 248,000 117,000 Question: can we do GLV on the Kummer surface? Gaudry also noticed that certain Kummers can have an endomorphism φ We found some cryptographically sized examples But GLV on pseudo-groups is harder (several caveats) Nevertheless, big speedups possible See the full version - eprint 2012/670

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback