Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m )

IHPIm Technologiepark 2515236 Frankfurt (Oder)

Germany

IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 - All rights reserved

Flexible Hardware Reduction forElliptic Curve Cryptography in GF(2m)

Steffen Peter, Peter Langendörfer and Krzysztof Piotrowski


Flexibility for ECC implementations

= possibility to compute with other key sizes

Why?- To communicate with peers that use other key sizes- Change field in case the implemented field has a cryptoanalytical weakness

What is the problem?Addition, Multiplication, Registers? - NO (padding zeros)Control program? – NO (it is software)Reduction!


Modular Reduction

• Corresponds to classic modular division- In GF(11) = {0,1,2,…,9,10}- Example: 5 · 8 = 40 > 10 5 · 8 mod 11 = 40 mod 11

= 7

• In GF(2m) it is a polynomial division by the irreducible polynomial r(x)


Classic School Division

- reduce each bit starting from the left by XORing runtil overlapping part C1 is zero

- r(x) is the given irreducible of the field


Repeated Multiplication Reduction (RMR)

• Reduce more bits per iteration by multiplying overlappping part C1 with the irreducible polynomial r

C ≡ (C – i · r) mod r for each i C ≡ C – C1 · r


Reduction Polynomials [NIST]

field Irreducible polynomial

163 Bit x163+x7+x6+x3+1

233 Bit x233+x74+1

283 Bit x283+x12+x7+x5+1

409 Bit x409+x87+1

571 Bit x571+x10+x5+x2+1

• Are either trinomials or pentanomials

• Second highest set position is smaller m/2


Hard-Wired Reduction

Direct mapping from C to C0‘‘ with few XOR operations-Very efficient combinatoric circuit- Reduction in GF(2233) needs 0.03mm² (0.25um CMOS)NOT FLEXIBLE!

C1’∙r

(∙x233)

(∙x74)(∙x0)

(∙x233)(∙x74)

(∙x0)

C1∙r r=(x233+x74+x0)

r=(x233+x74+x0)


Multiple Hard-Wired Reduction Blocks

• Fast, small

• Limited flexibility

C

MUX

C‘‘

sel

Configuration mm²

163+233+283 0,18

163+233+283+409+571 0,44

Red163 Red233 Red283


Reduction Polynomials

• Are either trinomials or pentanomials

• Second highest set position is smaller m/2

• Have structure xm + … + 1

Exploiting these properties is the basis for the Flexible Shift Reduction

field Irreducible polynomial

163 Bit x163+x7+x6+x3+1

233 Bit x233+x74+1

283 Bit x283+x12+x7+x5+1

409 Bit x409+x87+1

571 Bit x571+x10+x5+x2+1


C = 2∙283 bit multiplication result

Flexible Shift Reduction

C0C1

C1C1

C1C1

C1

C0’C1’

C1’C1’

C1’C1’

C1’

C0’’

>>283-12>>283-7>>283-5>>283

>>283-12>>283-7>>283-5>>283

Example: Hardware=283 bit, m = 283 bit, r(x) = x283+x12+x7+x5+1


Flexible Shift Reduction

C0C1

C1C1

C1C1

C1

C0’C1’

C1’C1’

C1’C1’

C1’

C0’’

>>163-7>>163-6>>163-3>>163

>>163-7>>163-6>>163-3>>163

Example: Hardware=283 bit, m = 163 bit, r(x) = x163+x7+x6+x3+1

2∙283 bit reduction logic

C = 2∙163 bit multiplication result


Flexible Shift Reduction - Design


Comparison of complete ECC designsTime and energy for one Elliptic Curve Point Multiplication


Conclusions

• Reduction is bottleneck of flexible ECC hardware accelerators

• More flexiblity implies:–Less speed–More silicon area–More energy consumption

• Multiple hard-wired reduction blocks (MHWR) is the best choice if supported field sizes are known–A design that support all 5 recommended NIST curves (163-571 bit) needs merely 10% more silicon area than a 571 bit single curve design.

• Flexible Shift Reduction (FSR) provides more flexibility– in comparison to software (MIPS 33 MHz) it is

•500 times faster•Requires less than 1% of the energy

• ECC-FSR is the fastest known implementation with such degree of flexibility


Thank You

Questions?

[email protected]

Documents

Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m )