Jan Pelzl, ECC Summer School 2004, 9/14/2004 Arithmetic on Elliptic Curves over GF(2n) p. 1
ECC Summer School 2004
Arithmetic on Elliptic Curves over GF(2^n)
Jan Pelzl
Communications Security Group
Ruhr-Universität Bochum
http://www.crypto.rub.de
Content

1. Introduction
- Elliptic Curves
- Why GF(2^n)?
2. Field Arithmetic
- Requirements for ECC
- Representation of Elements
- Addition and Subtraction
- Squaring
- Multiplication
- Reduction
- Inversion
- Summary
3. Curves over GF(2^n)
- General Case
- Special Curves, NIST Curves
- Example
4. Coordinate Systems
- Overview: Affine, Projective, LD for Curves over GF(2^n)
- Comparison
5. Exponentiation
- Overview
6. Software Implementations
- Practical Performance
- Comparison of PK Systems
7. Literature
Elliptic Curves

Recap: Elliptic curve $E$ over a field $K$:

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \quad \text{(Weierstrass)}$$

where $a_1, a_2, a_3, a_4, a_6 \in K$ and discriminant $\Delta \neq 0$.

Simplified Weierstrass equations:

- $E : y^2 = x^3 + ax + b$ for fields of characteristic $\neq 2, 3$
- $E : y^2 + xy = x^3 + ax^2 + b$ for fields of characteristic 2
Why GF(2^n)

Different fields can be considered:

- Prime fields $K = \mathbb{F}_p$ where $p \in \mathbb{P}$: arithmetic mod $p$
- Extension fields $K = \mathbb{F}_q$ where $q = p^n$: arithmetic mod $f(z)$, where $\mathbb{F}_q = \mathbb{F}_p[z]/(f(z))$ and $\deg_z f = n$

$\Rightarrow$ Nice to implement: $p = 2$, i.e., consider $E(\mathbb{F}_{2^n})$ (later!)
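Requirements for ECC

Recap: Group law for $E(\mathbb{F}_{2^n}) : y^2 + xy = x^3 + ax^2 + b$

1. Addition: Let $P = (x_1, y_1)$ and $Q = (x_2, y_2) \neq \pm P$. Then $(x_3, y_3) = P + Q$ where

$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a \quad\text{and}\quad y_3 = \lambda(x_1 + x_3) + x_3 + y_1 \quad\text{with}\quad \lambda = \frac{y_1 + y_2}{x_1 + x_2}.$$

2. Doubling: Let $P = (x_1, y_1)$ and $P \neq -P$. Then $(x_3, y_3) = 2P$ where

$$x_3 = \lambda^2 + \lambda + a \quad\text{and}\quad y_3 = x_1^2 + \lambda x_3 + x_3 \quad\text{with}\quad \lambda = x_1 + \frac{y_1}{x_1}.$$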
Binary Representation

$a \in \mathbb{F}_{2^n}$ can be expressed as a polynomial mod $f(z)$ with coefficients in $\mathbb{F}_2$, where $f(z)$ is a field extension polynomial of $\mathbb{F}_2$ of degree $n$:

$$a = \sum_{i=0}^{n-1} a_i z^i \quad\text{with } a_i \in \{0, 1\}.$$

The coefficients of $a$ are either one or zero and are thus easy to represent in computers by a binary string of length $n$:

$$a \equiv (a_{n-1} a_{n-2} \ldots a_0)_2.$$
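Addition and Subtraction

Let $a, b, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$ and $b = \sum_{i=0}^{n-1} b_i z^i$. The sum or difference $c = a \pm b$ is computed by bitwise XOR of the coefficients:

$$c = \sum_{i=0}^{n-1} c_i z^i \equiv a \pm b \equiv \sum_{i=0}^{n-1} (a_i \oplus b_i) z^i \pmod{f(z)}.$$

Example: Let $a, b \in \mathbb{F}_{2^5} = \mathbb{F}_2[z]/(f(z))$ with $f(z) = z^5 + z^2 + 1$, $a = z^3 + z^2 + 1$ and $b = z^4 + z^3 + z^2$, then

$$a + b = (z^3 + z^2 + 1) + (z^4 + z^3 + z^2) = z^4 + 2z^3 + 2z^2 + 1 \equiv z^4 + 1.$$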
Addition and Subtraction (2)

In software: Addition and subtraction in $\mathbb{F}_{2^n}$ can be accomplished by simple bitwise XORs.

Example (contd.):

    a      01101
    b      11100
    ------------
    a + b  10001

Efficient: Use the word XOR of the processor (e.g., 8, 16 or 32 bits simultaneously).
Squaring

Let $a, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$. The square of $a$ is then computed as follows:

$$a^2 = \left(\sum_{i=0}^{n-1} a_i z^i\right)^2 = \sum_{i=0}^{n-1} a_i z^{2i}$$

I.e., squaring can be accomplished by inserting zeros between consecutive bits of $a$ (upsampling by 2). The result has to be reduced by $f(z)$.
Squaring (2)

Example:

    a    11101
    a^2  101010001

In software: Use table lookups to facilitate the computation of a square. E.g.,

- compute a table of size 512 bytes, containing the (16-bit) squares of all possible 8-bit polynomials (words)
- parse the operand variable word-wise (8 bits)
- set 16 bits in the result variable accordingly
Multiplication

Let $a, b, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$ and $b = \sum_{i=0}^{n-1} b_i z^i$. The product of $a$ and $b$ can be computed, e.g., with the schoolbook method

$$a \cdot b = \sum_{j=0}^{n-1} a_j z^j \cdot \sum_{i=0}^{n-1} b_i z^i = \sum_{j=0}^{n-1} \sum_{i=0}^{n-1} a_j b_i z^{i+j},$$

which is often referred to as the shift-and-add method.

Example: $a \equiv (01101)_2$ and $b \equiv (11100)_2$

    01101 · 11100 = 010001100
    01101
     01101
      01101
       00000
        00000
Multiplication (2)

Problem: GF(2^n) multiplication is not supported on general-purpose processors. Most popular algorithms in software:

- (binary) shift-and-add method
  - parse one operand bit-wise
  - shift intermediate results
- (binary) shift-and-add with precomputation
  - parse operand in blocks of, e.g., 4 bits
  - look up multiples of words (table)
  - shift intermediate results by 4 bits
- comb method
  - consider the same bit position in all words of the operand
  - needs fewer word shifts in total
- comb method with precomputation
  - parse in blocks of, e.g., 4 bits
  - use table lookup for multiples of words
Multiplication (3)

Karatsuba-Ofman: Improvement for numbers larger than the processor word size

Principle:

- denote $a_{hi}$ and $a_{lo}$ as the higher/lower word of $a$
- $w$ as the word size of the processor in bits

$$(a_{lo} + a_{hi} 2^w)(b_{lo} + b_{hi} 2^w) = a_{lo} b_{lo} + 2^w (a_{hi} b_{lo} + a_{lo} b_{hi}) + 2^{2w} a_{hi} b_{hi}$$

can be improved by substituting one multiplication by 3 additions. Compute

$$\alpha = a_{lo} b_{lo}, \quad \beta = a_{hi} b_{hi}, \quad a_{hi} b_{lo} + a_{lo} b_{hi} = (a_{lo} + a_{hi})(b_{lo} + b_{hi}) - \alpha - \beta$$

to obtain the coefficients of $2^0$, $2^w$ and $2^{2w}$.
Reduction

Reduce resulting squares and products mod $f(z)$:

- add/subtract multiples of the extension polynomial $f(z)$
- final result should satisfy $\deg < n$ (convenient representation, uses fewer bits)
- efficiency depends on the choice of extension polynomial

Example: $a = z^8 + z^5 + z^2 + 1$ and $f(z) = z^5 + z^2 + 1$.

$$\begin{aligned}
a &= z^8 + z^5 + z^2 + 1 \\
  &\equiv z^8 - z^3 \cdot f(z) + z^5 + z^2 + 1 \\
  &= z^8 - z^8 - z^5 - z^3 + z^5 + z^2 + 1 \equiv z^3 + z^2 + 1 \pmod{f(z)}
\end{aligned}$$
Reduction (2)

In software:

- Reduce one bit at a time
  - start with the leftmost bit
  - based on the observation that $f(z) = z^n + r(z) \equiv 0 \Rightarrow z^{n+k} + z^k r(z) \equiv 0$
  - add $z^{n+k} + z^k r(z)$ for a 1 at position $(n + k)$, for $k \geq 0$
- Reduce one word at a time
  - shift and add whole words
  - fast if $\deg r(z) \leq n - (\text{wordsize})$
  - suitable for certain field extension polynomials
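The field operations from the preceding slides (XOR addition, table-based squaring, shift-and-add and Karatsuba multiplication, bit-at-a-time reduction), as an added example that is not part of the original slides. Polynomials are stored in Python integers with bit i as the coefficient of z^i; all function names are assumptions of this example, and the operands in the demo are the ones used on the slides.

```python
F5 = 0b100101  # f(z) = z^5 + z^2 + 1, the example field F_{2^5} of the slides

# Squares of all 8-bit polynomials as 16-bit values: bit i moves to bit 2i.
# Stored as 16-bit words this is the 512-byte table from "Squaring (2)".
SQR8 = [sum(((w >> i) & 1) << (2 * i) for i in range(8)) for w in range(256)]


def gf2_add(a, b):
    """Addition and subtraction are the same operation: bitwise XOR."""
    return a ^ b


def gf2_square(a):
    """Unreduced square: expand the operand byte by byte via the lookup table."""
    result, shift = 0, 0
    while a:
        result |= SQR8[a & 0xFF] << shift
        a >>= 8
        shift += 16
    return result


def gf2_mul(a, b):
    """Unreduced product by binary shift-and-add (XOR replaces integer add).
    The branch depends on the bits of b, so this is not constant time."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf2_mul_karatsuba(a, b, w):
    """One Karatsuba step with word size w: three half-size products."""
    mask = (1 << w) - 1
    a_lo, a_hi, b_lo, b_hi = a & mask, a >> w, b & mask, b >> w
    lo = gf2_mul(a_lo, b_lo)
    hi = gf2_mul(a_hi, b_hi)
    # In characteristic 2 the subtractions of lo and hi are XORs as well.
    mid = gf2_mul(a_lo ^ a_hi, b_lo ^ b_hi) ^ lo ^ hi
    return lo ^ (mid << w) ^ (hi << (2 * w))


def gf2_reduce(c, f):
    """Reduce c mod f(z) one bit at a time, starting with the leftmost bit."""
    n = f.bit_length() - 1
    for k in range(c.bit_length() - 1 - n, -1, -1):
        if (c >> (n + k)) & 1:
            c ^= f << k  # add z^(n+k) + z^k * r(z)
    return c


def gf2_field_mul(a, b, f=F5):
    """Field multiplication: shift-and-add product followed by reduction."""
    return gf2_reduce(gf2_mul(a, b), f)


if __name__ == "__main__":
    print(format(gf2_add(0b01101, 0b11100), "05b"))   # operands of "Addition and Subtraction (2)"
    print(format(gf2_square(0b11101), "b"))           # operand of "Squaring (2)"
    print(format(gf2_mul(0b01101, 0b11100), "09b"))   # operands of "Multiplication"
    print(format(gf2_reduce(0b100100101, F5), "b"))   # operand of "Reduction"
```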
Reduction (3)

Example: Reduce word w[6] (bits 192...221, 32bit processor)

$$\begin{aligned}
f(z) = z^{161} + z^{18} + 1 &\equiv 0 \\
\Rightarrow\quad z^{192} &\equiv z^{49} + z^{31} \\
&\;\;\vdots \\
z^{192+31} &\equiv z^{49+31} + z^{31+31} \pmod{f(z)}
\end{aligned}$$

Add shifted version of w[7] two times to the operand:

1. from position 49 to 49 + 31 = 80
2. from position 31 to 31 + 31 = 62
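Word-at-a-time reduction for the slide's polynomial f(z) = z^161 + z^18 + 1, checked against bit-at-a-time reduction; this is an added example, not code from the original slides. It assumes 0-based 32-bit words (word i holds bits 32i to 32i+31) and an 11-word input, enough for the product of two field elements; all function names are assumptions.

```python
import random

N = 161
F161 = (1 << 161) | (1 << 18) | 1   # f(z) = z^161 + z^18 + 1 from the slide
M32 = 0xFFFFFFFF


def to_words(c, count=11):
    """Split an integer-encoded polynomial into little-endian 32-bit words."""
    return [(c >> (32 * i)) & M32 for i in range(count)]


def from_words(w):
    return sum(x << (32 * i) for i, x in enumerate(w))


def reduce_words(w):
    """Reduce an 11-word polynomial mod f(z), one 32-bit word at a time."""
    w = list(w)
    for i in range(10, 5, -1):            # words holding bits >= 192
        t = w[i]
        # z^(32i) = z^(32i-161) * z^161 = z^(32i-161) * (z^18 + 1) mod f(z)
        w[i - 6] ^= (t << 31) & M32       # copy 1 lands at bit 32(i-6) + 31
        w[i - 5] ^= t >> 1
        w[i - 5] ^= (t << 17) & M32       # copy 2 lands at bit 32(i-5) + 17
        w[i - 4] ^= t >> 15
        w[i] = 0
    t = w[5] >> 1                         # bits 161..191 of the partial word
    w[0] ^= t ^ ((t << 18) & M32)
    w[1] ^= t >> 14
    w[5] &= 1                             # keep only bit 160
    return w[:6]


def reduce_bits(c):
    """Reference: bit-at-a-time reduction, leftmost bit first."""
    for k in range(c.bit_length() - 1 - N, -1, -1):
        if (c >> (N + k)) & 1:
            c ^= F161 << k
    return c


def self_check(trials=200, seed=2004):
    """Compare both reductions on constructed random 321-bit inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        c = rng.getrandbits(321)
        if from_words(reduce_words(to_words(c))) != reduce_bits(c):
            return False
    return True


if __name__ == "__main__":
    r = from_words(reduce_words(to_words(1 << 192)))
    print([i for i in range(N) if (r >> i) & 1], self_check())
```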
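Inversion

Given $a \in \mathbb{F}_{2^n}$, find $a^{-1}$ such that $a \cdot a^{-1} \equiv 1 \pmod{f(z)}$.

Methods:

- Fermat's method (inversion by exponentiation): based on $a^{p-1} \equiv 1 \bmod p$
- Extended Euclidean Algorithm (EEA): compute $s, t \in \mathbb{F}_{2^n}$ such that

$$s \cdot a + t \cdot f(z) = 1 \;\Rightarrow\; s \cdot a \equiv 1 \pmod{f(z)} \;\Rightarrow\; s \equiv a^{-1} \pmod{f(z)}$$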
Inversion (2)

In software:

- (Binary) EEA:
  - basically repeated addition/subtraction
- Almost Inverse Algorithm (AIA):
  - compute $b$ such that $a \cdot b \equiv x^k \bmod f(z)$
  - reduce to $a^{-1} \equiv b \cdot x^{-k} \bmod f(z)$
  - requires asymptotically fewer steps than EEA
Summary Field Arithmetic

- Overall performance of ECC depends mainly on the field arithmetic
- Field addition, subtraction and squaring are negligible, i.e., very easy to accomplish
- Speed of field multiplication and inversion is crucial
- Inversion is more expensive than multiplication $\Rightarrow$ can use inversion-free coordinate systems (later)!

(See [HHM00] for a detailed description of most algorithms.)
General Case

The Weierstrass equation (see Slide 3) transforms to

$$E : y^2 + xy = x^3 + ax^2 + b,$$

where $a, b \in \mathbb{F}_{2^n}$.

The discriminant is given by $\Delta = b$.

If a = 0, the curve is called supersingular.
Special Curves and NIST Curves

- acceleration of EC arithmetic with specially chosen curve parameters
- but: choose carefully to avoid security drawbacks
- standard for elliptic curves is FIPS 186-2 (revised by NIST):
  - 10 recommended finite fields (5 binary fields)
  - for each prime field, one (randomly selected) EC was selected
  - for each binary field, one random curve and one Koblitz curve specified
  - field extension polynomials specified
- Koblitz curve: coefficients $\in \mathbb{F}_2$

Binary fields in FIPS 186-2: $\mathbb{F}_{2^{163}}, \mathbb{F}_{2^{233}}, \mathbb{F}_{2^{283}}, \mathbb{F}_{2^{409}}, \mathbb{F}_{2^{571}}$.

E.g., recommended Koblitz curve over $\mathbb{F}_{2^{283}}$: $y^2 + xy = x^3 + 1$
Example

Consider the curve $E : y^2 + xy = x^3 + (z^3)x^2 + (z^3 + 1)$ over $\mathbb{F}_{2^4}$. The field reduction polynomial is $f(z) = z^4 + z + 1$.

- order of the group: $\#E(\mathbb{F}_{2^4}) = 22$
- the point $P = (z^3, 1) = (1000, 0001)$ has order 11
- multiples of $P$:

    0P = ∞               4P = (1111, 1011)    8P  = (1100, 1100)
    1P = (1000, 0001)    5P = (1011, 0010)    9P  = (1001, 0110)
    2P = (1001, 1111)    6P = (1011, 1001)    10P = (1000, 1001)
    3P = (1100, 0000)    7P = (1111, 0100)
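The example curve worked through in code, using the affine group law from "Requirements for ECC", EEA inversion from "Inversion" and binary double-and-add from the later "Exponentiation" slide. This is an added example, not part of the original slides; all function names are assumptions, and field elements are 4-bit integers as in the table above.

```python
N, F = 4, 0b10011        # field F_{2^4}, f(z) = z^4 + z + 1
A, B = 0b1000, 0b1001    # curve coefficients a = z^3, b = z^3 + 1
P = (0b1000, 0b0001)     # base point P = (z^3, 1) from the slide
INF = None               # point at infinity

def fmul(a, b):
    """Shift-and-add multiplication in F_{2^4}, reducing after every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= F
    return r

def finv(a):
    """Inverse by the extended Euclidean algorithm for binary polynomials."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    u, v, g1, g2 = a, F, 1, 0            # invariant: g1*a = u, g2*a = v (mod f)
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1

def on_curve(pt):
    """Check y^2 + xy = x^3 + a x^2 + b; use it to validate untrusted points."""
    if pt is INF:
        return True
    x, y = pt
    x2 = fmul(x, x)
    return fmul(y, y) ^ fmul(x, y) == fmul(x2, x) ^ fmul(A, x2) ^ B

def padd(p, q):
    """Affine group law; handles infinity, P + (-P) and doubling."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y2 == x1 ^ y1:                # q = -p = (x1, x1 + y1)
            return INF
        lam = x1 ^ fmul(y1, finv(x1))    # doubling
        x3 = fmul(lam, lam) ^ lam ^ A
        y3 = fmul(x1, x1) ^ fmul(lam, x3) ^ x3
    else:
        lam = fmul(y1 ^ y2, finv(x1 ^ x2))
        x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        y3 = fmul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def smul(k, p):
    """Left-to-right binary double-and-add. It branches on the bits of k, so
    it is not constant time: fine for this toy curve, not for secret scalars."""
    if not on_curve(p):
        raise ValueError("point is not on the curve")
    r = INF
    for bit in bin(k)[2:]:
        r = padd(r, r)
        if bit == "1":
            r = padd(r, p)
    return r

def curve_order():
    """Brute-force #E: all affine solutions plus the point at infinity."""
    return 1 + sum(on_curve((x, y)) for x in range(1 << N) for y in range(1 << N))
```

Calling `smul(k, P)` for k = 0 to 11 reproduces the table of multiples, and `curve_order()` reproduces the group order stated on the slide.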
Overview

Group law from Slide 5 uses affine coordinates:

- group element (point) represented by pair $(x, y)$.

Idea: make the group law more efficient by avoiding inversions.

$\Rightarrow$ several projective coordinates proposed. Most important:

- Standard projective coordinates
- Jacobian projective coordinates
- López-Dahab (LD) projective coordinates
Overview (2)

Standard projective coordinates:

- projective point $(X : Y : Z)$, $Z \neq 0$ corresponds to affine point $(X/Z, Y/Z)$
- projective curve equation: $E : Y^2 Z + XYZ = X^3 + aX^2 Z + bZ^3$

Jacobian projective coordinates:

- $(X : Y : Z)$, $Z \neq 0$ corresponds to $(X/Z^2, Y/Z^3)$
- $E : Y^2 + XYZ = X^3 + aX^2 Z^2 + bZ^6$

López-Dahab (LD) projective coordinates:

- $(X : Y : Z)$, $Z \neq 0$ corresponds to $(X/Z, Y/Z^2)$
- $E : Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4$

Remark: Final conversion to affine coordinates requires an inversion.
Comparison

Operation counts for point addition and doubling on $y^2 + xy = x^3 + ax^2 + b$ [HHM00]:

| Coordinate system       | General addition | General addition (mixed coordinates) | Doubling |
|-------------------------|------------------|--------------------------------------|----------|
| Affine                  | I+M              | -                                    | I+M      |
| Standard projective     | 13M              | 12M                                  | 7M       |
| Jacobian projective     | 14M              | 10M                                  | 5M       |
| López-Dahab projective  | 14M              | 8M                                   | 4M       |

I: Field inversion
M: Field multiplication

$\Rightarrow$ choice of projective or affine coordinates depends on the performance of field inversion!
Overview

Main operation of ECC:

$$kP = \underbrace{P + P + \ldots + P}_{k \text{ times}},$$

where $k$ is an integer and $P$ a point on the curve. Also called point multiplication or scalar multiplication.

Several methods for efficient exponentiation, including

- (binary) double and add (square and multiply)
- (binary) NAF methods (non-adjacent form)
- windowing methods
- Montgomery's method

(more next lecture)
Some Results from Practice

Exemplary running times for ECC scalar multiplications in software [WPW+03]:

| Group order | Platform         | Scalar multiplication |
|-------------|------------------|-----------------------|
| $2^{160}$   | ARM@50MHz        | 496.96ms              |
| $2^{160}$   | ColdFire@90MHz   | 152.1ms               |
| $2^{160}$   | [email protected] | 2.6ms                 |

Remark: speed-up for Koblitz curves up to a factor of 7 possible (Frobenius map), e.g., 75.29ms for the same group order on the ARM microprocessor [WPW+03].
Comparison of PK Systems

How does ECC compare to other PK systems (RSA)?

[Figure 1: Computational Efficiency of ECC and RSA. Bar chart of #(integer multiplications) for ECC160, RSA1024, ECC200 and RSA2048, grouped into mid term security and long term security; bar labels in extraction order: 2.6E4, 1.24E5, 6.2E4, 2.24E6.]

Remark: RSA verification can be accelerated with short exponents (e.g., $e = 2^{16} + 1$).
Further Reading

- [HHM00] is a very compact paper about the software implementation of an elliptic curve cryptosystem over GF(2^n). It gives an overview of all essential operations to be programmed and states the NIST curves.
- For the interested reader, more theoretical and practical information can be found in [HMV04]. This book covers many more aspects than the article.
Literature

References

[HHM00] D. Hankerson, J. López Hernandez, and A. Menezes. Software Implementation of Elliptic Curve Cryptography Over Binary Fields. In Ç. Koç and C. Paar, editors, Workshop on Cryptographic Hardware and Embedded Systems CHES 2000, volume LNCS 1965, pages 1-24, Berlin, August 17-18, 2000. Springer-Verlag.

[HMV04] D. Hankerson, A. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, 2004.

[WPW+03] T. Wollinger, J. Pelzl, V. Wittelsberger, C. Paar, G. Saldamli, and Ç. K. Koç. Elliptic & hyperelliptic curves on embedded µP. ACM Transactions in Embedded Computing Systems (TECS), 2003. Special Issue on Embedded Systems and Security.