Discrete Methods in Mathematical Informatics Lecture 4: Elliptic Curve Cryptography Implementation(I) 27 th November 2012 Vorapong Suppakitpaisarn [email protected],

Discrete Methods in Mathematical InformaticsLecture 4: Elliptic Curve Cryptography

Implementation(I)27th November 2012

Vorapong [email protected], Eng. 6 Room 363

Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/

Course Information (Many Changes from Last Week)

10/9 – Elliptic Curve I (2 Exercises)

(What is Elliptic Curve?)

10/16 – Elliptic Curve II (1 Exercises)

(Elliptic Curve Cryptography[1])

10/23 – Elliptic Curve III (2 Exercises)

(Elliptic Curve Cryptography[2])

10/30 – Cancelled

11/6 – Online Algorithm I (Prof. Han)

11/13 – Online Algorithm II (Prof. Han)

11/20 – Cancelled

11/27 – Elliptic Curve IV (2 Exercises)

(ECC Implementation I)

12/4 – Cancelled

From 12/11 – To be Announced

Schedule

For my part, you need to submit 2 Reports.

- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III

Submission Deadline: 14 November

- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V

Submission Deadline: TBD

- Submit your report at Department of Mathematical Informatics’

office

[1st

floor of this building]

Grading

Report ISubmitted IDs• 48126109• 48126119• 48126122• 48126141• 48126143• 48126144

•48117204

•48116219

•48126202

•48126203

•48126206

•48126207

•48126210

•48126212

•48126219

•48126220

•48126228

•48126229

•48126230

•48126232

•37126946

•37126947

Elliptic Curve Cryptography

Field Arithmetic

Inversion Field Compute

Squaring Field Compute

tionMultiplica Field Compute

1

2 mod

mod

-

p

a

pa

pab a,b Z

Elliptic Curve Arithmetic

1133

212

3

12

12

33

2211

)(

),(

),(),,(

yxxmy

xxmx

xx

yym

yxQP

yxQyxP

where

Point Addition

A = -4, B = 4

Scalar Multiplication

Compute rP = 14P

r = 14 = (0 1 1 1 0)2

P 3P 7P 14P

6P2P 14P

O

2 Point Additions

3 Point Doubles

ECC Protocol

Generate P 2 E(F)

Generate positive integers a

Receive Q = bP

Compute aQ = abP

Receive P

Receive S = aP

Generate positive integer b

Compute bS = abP

P

aP

bP

Elliptic Curve Cryptography

Field Arithmetic

Inversion Field Compute

Squaring Field Compute

tionMultiplica Field Compute

1

2 mod

mod

-

p

a

pa

pab a,b Z

Elliptic Curve Arithmetic

1133

212

3

12

12

33

2211

)(

),(

),(),,(

yxxmy

xxmx

xx

yym

yxQP

yxQyxP

where

Point Addition

A = -4, B = 4

Scalar Multiplication

Compute rP = 14P

r = 14 = (0 1 1 1 0)2

P 3P 7P 14P

6P2P 14P

O

2 Point Additions

3 Point Doubles

ECC Protocol

Generate P 2 E(F)

Generate positive integers a

Receive Q = bP

Compute aQ = abP

Receive P

Receive S = aP

Generate positive integer b

Compute bS = abP

P

aP

bP

Classical Method: O(n2)

Karatsuba’s Method (Practical): O(nlg 3

) = O(n1.585…

)

Furer’s Method (STOC2007): O(n logn 2O(lg* n)

)

Field Multiplication Compute pab a,b p modZ

pn lg

Slow Division

Algorithm???p RR'

pxRxMR n

mod

mod)(, 1

2

1

:Precompute

2 Let

Montgomery Multiplication [Montgomery 1985]

paR

pRaR)M(aRx

mod

mod'.1 12

Compute

pbR

pRbR)M(bR y

mod

mod'.2 12

Compute

pabRpRpbRpaR

pabRxyM z

modmod)mod)(mod(

mod)(.31

Compute

pab

pabRRz M

mod

mod)(.4 1

Compute

32R

13 3, 5, pba

1013mod32' 2 R

4)50( Mx

5)30( My

3)20( Mz

2)3( M

As Fast As Multiplication

Montgomery Reduction pn lg

Compute ,2 1 paR a Rp

n mod12

Z

Montgomery Reduction

Rp p' mod)( 1 :Precompute

Rapk mod'.1 Compute

R

kpat

Compute .2

)( Rappapapakpa mod0' 1

Example

32,13,50 R p a

27)32mod5(

32mod)13(' 1

p

6)32mod1350(

32mod)2750(

k

432

128

32

13650

t

kpatR

pkpaptR mod)(mod

paptR modmod

)mod1 paRt (

pppR

pRp

R

kpat 2

2

Field Squaring) ( Compute paaa a p mod2 Z

p RR'

pxRxMR n

mod

mod)(, 1

2

1

:Precompute

2 Let

Montgomery Multiplication

paR

pRaR)M(aRx

mod

mod'.1 12

Compute

pbR

pRbR)M(bR y

mod

mod'.2 12

Compute

pabRpRpbRpaR

pabRxyM z

modmod)mod)(mod(

mod)(.31

Compute

pab

pabRRz M

mod

mod)(.4 1

Compute

),()( aaMulaSqr

x)M(aRy '

Let the computation time of

• one field multiplication be [m],

• one field squaring be [s],

• one field inversion be [i].

][8.0][ ms ][100][ mi

Elliptic Curve Cryptography

Field Arithmetic

Inversion Field Compute

Squaring Field Compute

tionMultiplica Field Compute

1

2 mod

mod

-

p

a

pa

pab a,b Z

Elliptic Curve Arithmetic

1133

212

3

12

12

33

2211

)(

),(

),(),,(

yxxmy

xxmx

xx

yym

yxQP

yxQyxP

where

Point Addition

A = -4, B = 4

Scalar Multiplication

Compute rP = 14P

r = 14 = (0 1 1 1 0)2

P 3P 7P 14P

6P2P 14P

O

2 Point Additions

3 Point Doubles

ECC Protocol

Generate P 2 E(F)

Generate positive integers a

Receive Q = bP

Compute aQ = abP

Receive P

Receive S = aP

Generate positive integer b

Compute bS = abP

P

aP

bP

Projective Coordinate [cf. Cohen, Miyaji, Ono, 1998]

}xx{(x,y)|y}{E 32

Affine Coordinate Projective Coordinate

}ZXZXZZ)|YY{(XE 3232::

P 3P 7P 14P

6P2P 14P

O

2 Point Additions > 2[i]

3 Point Doubles > 3[i]

P = (x1,y1) (x1 : y1 : 1)

Point Double

in Projective Coordinate

2P = (x2,y2) (X2 : Y2 : Z2)

2

2

2

2 ,Z

Y

Z

XPoint Addition

in Projective Coordinate

3P = (x3,y3) (X3 : Y3 : Z3)

3

3

3

3 ,Z

Y

Z

X

…

(X14 : Y14 : Z14)

14

14

14

14 ,14Z

Y

Z

XP

5 Point Inversions

2 Point Inversions

Point Addition In Projective Coordinate

),::(),:: 22211 ZYXZYX1( GivenGoal

)::()::():: 22211133 ZYXZYXZYX 3( Compute

i

i

i

i

Z

Yy

Z

Xxyxyxyx ii221133 wherecoordinate Affinein ),(),(),( that such ,

Projective Coordinate

213

3

213

212

3

3

2123

212

2112

2112

,)(

,

.2

,

,

ZZBZ

ZYBCZXBAY

BCX

ZXBBZZAC

ZXZXB

ZYZYA

1133

212

3

12

12

)( yxxmy

xxmx

xx

yym

Affine Coordinate

121

1

2

2

21

yyZ

Y

Z

Y

ZZ

A 12

1

1

2

2

21

xxZ

X

Z

X

ZZ

B

1

1

212

2

212

2123

212

213

3

3 22

Z

X

ZZ

B

B

A

ZZB

ZXBBZZA

ZZB

BC

Z

X

122

112

2

12

12 2)( xxmxxxxx

yy

1

1

213

1

1

213

213

212

3

3 )(

Z

Y

ZZB

BC

B

A

BZ

AX

ZZB

ZYBCZXBA

Z

Y

131 ymxmx

Efficiency

1133

212

3

12

12

)( yxxky

xxkx

xx

yyk

Affine Coordinate

[i]+[m]

[s]

[m]

][8.102

][8.0][2][100

][][2][

m

mmm

smi

Projective Coordinate

213

3

213

212

3

3

2123

212

2112

2112

,)(

,

.2

,

,

ZZBZ

ZYBCZXBAY

BCX

ZXBBZZAC

ZXZXB

ZYZYA

[m][m]

2[m]

[s]+2[m] [s]+[m] [m]

[m][m] [m]

[m]

][6.13

][6.1][12

][2][12

m

mm

sm

][8.0][ ms ][100][ mi

Cost

Exercise

-3 if ncomputatio the improve can wethatShow (c)

].5[ ]7[ is

coordinate projective in double point of time ncomputatio the thatShow (b)

coordinate affine in 2 thatShow (a)

and

wherecoordinate Projective in 2( Let

1

3

1

3

1

1

1

1

121

1

sm

Z

Y

Z

X

Z

Y

Z

X

BZBYDCAYBDX

CADBYXCZYBXZA

ZYXZYX

.,,

.8,8)4(,2

,8,,,3

)::()::

33

22133

2111

21

33311

Exercise 6

}xx{(x,y)|y}{E 32

Affine Coordinate

Other Coordinates

Coordinate Cost for Point Addition

Cost for Point Double

Affine [i] + 2[m] + [s]

= 102.8[m][i] + 2[m] + 2[s]

= 103.6[m]Projective (X : Y : Z)

(X/Z, Y/Z)12[m] + 2[s]

= 13.6[m]7[m] + 5[s]

= 11[m]Jacobian[Chudnovsky 1986]

(X : Y : Z) (X/Z2, Y/Z3)

12[m] + 4[s]

= 15.2[m]8[m] + 3[s]

= 10.4[m]Chudnovsky Jocobian[Chudnovsky 1986]

(X : Y : Z : Z2 : Z3 ) (X/Z2, Y/Z3)

11[m] + 3[s]

= 13.4[m]5[m] + 6[s]

= 9.8[m]

Modified Jocobian[Cohen, Ono, Miyaji 1998]

(X : Y : Z : αZ4) (X/Z2, Y/Z3)

13[m] + 6[s]

= 17.8[m]4[m] + 4[s]

= 7.6[m]

Elliptic Curve Cryptography

Field Arithmetic

Inversion Field Compute

Squaring Field Compute

tionMultiplica Field Compute

1

2 mod

mod

-

p

a

pa

pab a,b Z

Elliptic Curve Arithmetic

1133

212

3

12

12

33

2211

)(

),(

),(),,(

yxxmy

xxmx

xx

yym

yxQP

yxQyxP

where

Point Addition

A = -4, B = 4

Scalar Multiplication

Compute rP = 14P

r = 14 = (0 1 1 1 0)2

P 3P 7P 14P

6P2P 14P

O

2 Point Additions

3 Point Doubles

ECC Protocol

Generate P 2 E(F)

Generate positive integers a

Receive Q = bP

Compute aQ = abP

Receive P

Receive S = aP

Generate positive integer b

Compute bS = abP

P

aP

bP

Scalar Multiplication and Binary Representation

• Scalar Multiplication on Elliptic Curve Cryptography

S = P + P + … + P = rP

when r1 is positive integer, S,P is a member of the curve• Double-and-add method• Let r = 14 = (01110)2

Compute rP = 14P r = 14 = (0 1 1 1 0)2Weight = 3

P 3P 7P 14P

6P2P 14P

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

r times

O

For [0,2n

-1],

n - 1 times?

Average # of Point Doubles?

For [0,2n

-1],

n/2 - 1 times?

(Average Weight = n/2)

Average # of Point Additions?

Redundant Binary Representation• Change Digit Set can help Scalar Multiplication faster• Represent each digit using {0, 1, -1} instead of {0,1}. • Redundant, then use Minimum Weight Conversion to find

Minimum Weight Expansion (the expansion that have the minimum joint weight)

Weight = 2

P 2P 4P 7P

4P2P 8PO

Compute rP = 14P r = 14 = (1 0 0 -1 0)2

14P

14P

2 – 1 = 1 Point Additions

5 – 1 = 4 Point Doubles

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

For [0,2n

-1],

n times?

Average # of Point Doubles?

For [0,2n

-1],

n/3 - 1 times?

(Average Weight = n/3)

Average # of Point Additions?

For [0,2n

-1],

n - 1 times?

Average # of Point Doubles?

For [0,2n

-1],

n/2 - 1 times?

(Average Weight = n/2)

Average # of Point Additions?

Non-Adjacent Form

S = (sn-1 sn-2 … s0) is Non-Adjacent Form of positive integer r iff

Definition

2.-0 for niss ii 01

S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r

Optimality

S = (sn-1 sn-2 … s0) is DS-Expansion of positive integer r iff

Definition

1,- 0 for ntDs St ,0

1

2n

t

ttsr

S = (sn-1 sn-2 … s0) is Minimum Weight DS-Expansion of positive integer r iff

Definition

)()'( ,' ,of Expansion- all for SWSWS rDS

14 of Expansion-1}{0, is 0) 1 1 1 (0 14 of Expansion-1}{0, is 0) 1- 0 0 (1 14 of Expansion-1}{0, is 0) 1 1- 0 (1

and , of Expansion-1} {0, is rS

AlgorithmSimple Fact

122...8421 1 nn

22 1)- 0 0 (11) 1 1 (0

22 1)- 0 ... 0 (11) ... 1 1 (0 n - 1 consecutive 1’s n - 2 consecutive 1’s

Ex

Example

20) 1 1 1 1 0 1 1 1 (0 478 1 0 0 0 -11 0 0 0 -1

Algorithm

)...(

)...0(

021

021

rrrrR

r

sssS

r

nnn

nn

Integer of Form Adjacent-Non :

Integer of Expansion-{0,1} :

Output

Input

0.1 t do While nt .2

trs tt then If ,00

2

0,1

01

1

1

tt

rr

ss

tt

tt

then and If

}0|sup{

11 1

c

tt

stcck

ss

and

then and If

1ts

kctsc for 0

ktsk ,1

Average Hamming DensityDefinition

rSr of form adjacent-non a be Let

12

0 2

)(lim

r

rnr

nNAF n

SWAD

Proposition

3

1NAFAD

Algorithm

)...(

)...0(

021

021

rrrrR

r

sssS

r

nnn

nn

Integer of Form Adjacent-Non :

Integer of Expansion-{0,1} :

Output

Input

0.1 t do While nt .2

trs tt then If ,00

2

0,1

01

1

1

tt

rr

ss

tt

tt

then and If Else

}0|sup{

11 1

c

tt

stcck

ss

and

then and If Else

1ts

kctsc for 0

ktsk ,1

Proof

Pr[st = 0] = 0.5

Pr[st = 1] = 0.5

0.5

0.25

0.25

0.5

0.5

0.5

0.25

0.25

0.5

0.5

2/3 1/3

1

2

3

3

2

2/3 1/3

12/6

0

1

11

1

2/3 1/3

4/6

Redundant Binary Representation• Change Digit Set can help Scalar Multiplication faster• Represent each digit using {0, 1, -1} instead of {0,1}. • Redundant, then use Minimum Weight Conversion to find

Minimum Weight Expansion (the expansion that have the minimum joint weight)

Weight = 2

P 2P 4P 7P

4P2P 8PO

Compute rP = 14P r = 14 = (1 0 0 -1 0)2

14P

14P

2 – 1 = 1 Point Additions

5 – 1 = 4 Point Doubles

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

For [0,2n

-1],

n times?

Average # of Point Doubles?

For [0,2n

-1],

n/3 - 1 times?

(Average Weight = n/3)

Average # of Point Additions?

For [0,2n

-1],

n - 1 times?

Average # of Point Doubles?

For [0,2n

-1],

n/2 - 1 times?

(Average Weight = n/2)

Average # of Point Additions?

Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

0 0 -1 0)2(114 =

O

P

2P 4P 8P 14P

2P 4P 7P 14P

24

23

22

21

20

Base 2

1 -1 -1 -1)2(014 =

O3P 6P 15P

P 2P 5P 14P

34

33

32

31

30

Base 3

1 Point Additions

4 Point Doubles

3 Point Additions

3 Point Triples

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 2030

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 20301

1

14 = 23

30

+ 21

31

Hard to introduce to Scalar

Multiplication

Too General

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

mm1100 jijiji 323232 k ...

when m10 i...ii and m10 j...jj

Double-Base Number System

With More Restriction

Double Base Number System (DBNS)

Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 20301

1

14 = 23

30

+ 21

31

Double Base Chains (DBC)

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 2030

1

1

14 = 22

31

+ 21

30

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 2030

1

1

127 = 22

33

+ 21

32

+ 21

30

1

2434 2433 2432 2431 2430

2334 2333 2332 2331 2330

2234 2233 2232 2231 2230

2134 2133 2132 2131 2130

2034 2033 2032 2031 2030

1

1

127 = 22

33

+ 21

32

+ 21

30

1

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

k = 127 = 22

33

+ 21

32

+ 20

30

Digit 1 0 1 0 0 1

Base 22

33

21

33

21

32

20

32

20

31

30

30

O

P

2P

2P

6P

7P

14P

14P

42P

42P

126P

127P

mm1100 jijiji 323232 k ...

when m10 i...ii and m10 j...jj

2 Point Additions, 2 Point Doubles, 3 Point Triples

Given k

Given Cadd - Computation time of a Point Addition

Given Cdbl - Computation time of a Point Double

Given Ctpl - Computation time of a Point Triple

Find the Chain With Smallest Total Computation Time

Problem

Double-Base Number System

With More Restriction

Similar to Double-and-

add Methods

Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012]

k = 10, Ctpl = 1, Cdbl = 1, Cadd = 1

How to compute kP = 10P

1. Compute 5P

2. Double the point to 10P = 2 . 5P

Plan A

1. Compute 3P

2. Triple the point to 9P = 3 . 3P

3. Add the point with P (9P + P = 10P)

Plan B

Optimize Computation Time of 5P

+ Point Double

= C(5P) + Cdbl = 3 + 1 = 4

Cost

Optimize Computation Time of 3P

+ Point Triple + Point Addition

= C(3P) + Ctpl + Cadd = 1 + 1 + 1 = 3

Cost

2

105

3

103

Ou

r Resu

lts

Algorithm

0032

1010

0132

105

1032

103

0232

102

1132

101

2032

101

• C(k) =min( , ) if k mod 6 == 0

min( , ) if k mod 6 == 1 min( , ) if k mod 6 == 2 min( , ) if k mod 6 == 3

min( , ) if k mod 6 == 4

min( , ) if k mod 6 == 5

C(k/2) + Pdbl

C(k/2) + Pdbl

C(k/2) + Pdbl

C(k/2) + Pdbl + Padd

C(k/2) + Pdbl + Padd

C(k/2) + Pdbl + Padd

C(k/3) + Ptpl

C(k/3) + Ptpl

C(k/3) + Ptpl + Padd

C(k/3) + Ptpl + Padd

infinity

infinity

Dynamic Programming

Time : lg2

k

Memory : lg2

k

1 0 0

3 1

3

Ou

r Resu

lts

Prime Field (Fp )• Experiments on Inverted Edward Coordinates

[Bernstein, Lange, AAECC 2007]

• Cdbl = 6.2[m], Ctpl = 12.2[m], Cadd = 9.8[m]

Algorithm 192 bits 256 bits 320 bits 384 bits 512 bits

NAF[Egecioglu, Koc, Theo. Comp. Sci., 1994]

1817.6 2423.5 3029.3 3635.2 4241.1

Ternary/Binary[Dimitrov, Jullien, Miller, Information Processing Letters, 1998]

1761.2 2353.6 2944.9 3537.2 4129.6

DB-Chain[Dimitrov, Imbert, Mishra, Math. of Comp., April 2008]

1725.5 2302.0 2879.1 3455.2 4032.4

Tree-Based Approach[Doche, Habsieger, ACISP 2008, July 2008]

1691.3 2255.8 2821.0 3386.0 3950.3

Optimized DB-Chain[Our Result]

1624.5 2168.2 2710.9 3254.1 3796.3

3.95 % 3.88 % 3.90 % 3.90 % 3.90 %

Ou

r Resu

lts

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

k = 127 = 22

33

+ 21

32

+ 20

30

Digit 1 0 1 0 0 1

Base 22

33

21

33

21

32

20

32

20

31

30

30

O

P

2P

2P

6P

7P

14P

14P

42P

42P

126P

127P

mm1100 jijiji 323232 k ...

when m10 i...ii and m10 j...jj

2 Point Additions, 2 Point Doubles, 3 Point Triples

Given k

Given Cadd - Computation time of a Point Addition

Given Cdbl - Computation time of a Point Double

Given Ctpl - Computation time of a Point Triple

Find the Chain With Smallest Total Computation Time

Double-Base Number System

With More Restriction

Similar to Double-and-

add Methods

Given k

Given Cadd = 1, Cdbl = 0, Ctpl = 0

Find the Chain With Smallest Total Computation Time

Given k

Given Cadd = 1, Cdbl = 0, Ctpl = 0

Find the shortest chain

(the chain with smallest number of terms)

Problem

On-Going…DBNS

n

nOmkk n

lgmax *

20

Double-Base Chain

Input: k

Output: mk*

Solved by DP [Our Results]

Input: k

Output: mk*

Tractable??? SAT???

kmmm

i

yxk

ii

1

* 32|sup

[Dimitrov,

Cooklev, 1995]

n

nmkk n

lgmax *

20 [Our Results]

and

11

1*

32|sup

jjjj

m

i

yx

k

yyxx

kmm

ii

nmkk n

*

20max

[Our Results]

?2

12

0

*

nm

nk

k

n

?lg2

12

0

*

n

nm

nk

k

n

Exercise

Exercise 7

and , , Let

11

1

* 32|sup jjjj

m

i

yxk yyxxkmm ii

5) and when12 to algorithm our Apply :(Hint

thatShow (b)

chains) base-double are tionsrepresentabinary All:(Hint

thatShow (a)

0

FiFF

nOm

nm

ii

kk

kk

n

n

0

max

max

1

*

20

*

20

-3 if ncomputatio the improve can wethatShow (c)

].5[ ]7[ iscoordinate projective in double point of time ncomputatio the thatShow (b)

coordinate affine in 2 thatShow (a)

and

wherecoordinate Projective in 2( Let

1

3

1

3

1

1

1

1

121

1

sm

Z

Y

Z

X

Z

Y

Z

X

BZBYDCAYBDX

CADBYXCZYBXZA

ZYXZYX

.,,

.8,8)4(,2

,8,,,3

)::()::

33

22133

2111

21

33311

Exercise 6

Thank you for your attention

Please feel free to ask questions or comment.