Embed Size (px)
Citation preview
Fast Multi-Scalar Multiplication Methods on Elliptic Curves with Precomputation Strategy using Montgomery Tri
ck
Hitachi Ltd.Katsuyuki Okeya
Kouichi Sakurai Kyushu Univ.
2/22
Abstract
The use of multi-scalar multiplication
in the verification of ECDSA
Speeding up the multi-scalar multiplication
The transformation from scalar multiplication to multi-scalar
multiplication
Motivation
Problem
Result Efficient Precomputation provides speedup for multi-scalar multiplication
3 times faster
[GLV01]
[ANSI]
3/22
Contents
Multi-Scalar Multiplication
Target of Speedup
Proposed Method
Comparison
4/22
What isMulti-Scalar Multiplication?
Scalar multiplication
P
lQkP Multi-scalar multiplication
Multi-scalar multiplication
k an integeran elliptic
point
timesk
PPPkP Scalar
multiplication
QP,lk, integer
selliptic points
timesk
PPP
timesl
QQQ
5/22Two Computation Methodsfor Multi-Scalar Multiplication
QPQP ,,
Compute separatelytwo scalar multiplications
Separate Method
Compute simultaneously two scalar multiplications
Pk,
Ql,
kP
lQlQkP
Scalar multiplicati
onScalar multiplicati
on
addition
Pk,
Ql,
lQkP Multi-scalar multiplication
Simultaneous Method
[Aki01, Moe01]
[Elg85, HHM00]
Shamir’s trick
Improvement
Window method
Comb method
[Knu81, CMO98]
[LL94]
tQsP addition
6/22
Computation Process
Precomputa-tion stage
Evaluation stageInpu
tOutpu
tPreparation of a table
Actual computation
Pk,Ql,
lQkP QPQPQPQ
QPQPQPQ
QPQPQPQ
PPPO
333233
232222
32
32
tQsP
QP 32
Table
addition
Precomputation table
7/22
Target of Speedup
Precomputation Stage
Evaluation Stage
Separate Method
Simultaneous Method
Slow
SlowFast
Fast
Many researches exist
Controversial !
Not so much studies as evaluation stage
[Aki01, Moe01, Sol01]
[CC87, MO90, LL94, CMO98, …]
[CMO98]
8/22
What are Obstacles to Speed upthe Precomputation Stage?
Many precomputation points
Inversions are required (1 per
point)
Some points are not used in evaluation
stage
Obstacles
Multi-scalar multiplication only
9/22
What are Obstacles to Speed upthe Precomputation Stage?
Points are computed in affine coordinates
Reason
Table should be saved points in affine
coordinates for speeding up evaluation stage
The operation in affine coordinates requires
inversion
Inversions are required (1 per
point)
Obstacles
Many precomputation points
Some points are not used in evaluation
stageMulti-scalar multiplication
only
10/22
What are Obstacles to Speed upthe Precomputation Stage?
Reason
2 dimensions
vQuP ,1,0, vu
QPQPQPQ
QPQPQPQ
QPQPQPQ
PPPO
333233
232222
32
32
Inversions are required (1 per
point)
Obstacles
Multi-scalar multiplication only
Some points are not used in evaluation
stage
Many precomputation points
11/22
What are Obstacles to Speed upthe Precomputation Stage?
Reason
Precomputation stagePoints to compute: 64 points
Evaluation stagePoints to use: 54 points
160 bits, window width 3
Inversions are required (1 per
point)
Obstacles
Multi-scalar multiplication only
Many precomputation points
Some points are not used in evaluation
stage
12/22
Contents
Multi-Scalar Multiplication
Target of Speedup
Proposed Method
Comparison
13/22
Simple Improvements
has same x-coordinates
),(),( yxPyxP
QP
QPQP
Simultaneous inversion
Negate the y-coordinateOmit computation
Q
14/22
MM
MM
I
MM
MM
M M
Montgomery Trickof Simultaneous Inversions
naaaa ,,,, 321
21aa 321 aaa
1321aaa
2a 3a
1a
121aa1
1a
12a 1
3a
113
12
11 ,,,,
naaaa
IMn 13Input
Output
Cost
M M
I
M: multiplication
I: inversion
[Coh93]
It speeds up the ECM of
factorization
[Coh93]
15/22
Use of Montgomery Trick(Scalar Multiplication)
Montgomery trick reduces from plural inversions to 1 inversion
P2 P3P doubling
doubling
Compute inversion using Montgomery trick
P4additio
n
Preparation of precomputation table
addition
addition
addition
[CMO98]
P7
P5
P8doubling
Use of Montgomery trick
16/22
Use of Montgomery Trick(Multi-Scalar Multiplication)
QP
P2 QP 3
Q2
P
Q
doubling
doubling
addition
Compute inversion using Montgomery trick
QP 22
addition
Preparation of precomputation table
addition
addition
addition
Complicated because of 2 dimensions
Montgomery trick reduces from plural inversions to 1 inversion
17/22
Preparation of Precomputation Table
P
Q
Q2
Q3
P2 P3
QP
QP 2
QP 3
QP 2 QP 3
QP 22
QP 32
QP 23
QP 33
O Step 0
Step 1
Step 2
Step 3
Precomputation Table
Each step uses Montgomery trick of simultaneous inversion
18/22
They cannot be computed in Step 2
Some Points Do Not Needto be Computed
P
Q
Q2
Q3
P2 P3
QP
QP 2
QP 3
QP 2 QP 3
QP 22
QP 32
QP 23
QP 33
O
Precomputation Table
Consider how the points are computed!
Step 0
Step 1
Step 2
Step 3
19/22
Proposed Method
P
Q
Q2
Q3
P2 P3
QP
QP 2
QP 3
QP 2 QP 3
QP 22
QP 32
QP 23
QP 33
O Step 0
Step 1
Step 2
Step 3
Precomputation Table
are first, the middles are lastvQuP,
20/22
Some Points Do Not Needto be Computed
P
Q
Q2
Q3
P2 P3
QP
QP 2
QP 3
QP 2 QP 3
QP 22
QP 32
QP 23
QP 33
O Step 0
Step 1
Step 2
Step 3
Precomputation Table
It does not affect the computationfor the other points
21/22
Comparison
Precompu-tation stage
Evaluation stage
Separate Method
Simultaneous Method
336.8M
Total
2809.8M 3146.6M
279.2M 1655.5M 1934.7MProposed method
160 bits
[CMO98]
1011.6M 1655.5M 2667.1MConventional Method[HHM00]
[Moe01]
22/22
Conclusion
Speeding up the verification of ECDSA
Speeding up the Multi-scalar multiplication
Speeding up the scalar multiplication using multi-scalar multiplication
Application
Problem
Result
Points Montgomery trick of simultaneous inversions
Simplification of precomputation procedures
Efficient Precomputation provides speedup for multi-scalar multiplication3 times faster
![CS291A Spring2020 Lecture 06lingqi/teaching/resources/CS...Basic idea of PRT [Sloan 02] Approximate lighting using basis functions Precomputation stage compute light transport, and](https://img.pdfslide.net/doc/110x75/5ea414583d985e6861545f96/cs291a-spring2020-lecture-06-lingqiteachingresourcescs-basic-idea-of-prt-sloan.jpg)
