Upload
others
View
15
Download
0
Embed Size (px)
Citation preview
Short Memory Method on Koblitz Curves
Katsuyuki Okeya
Tsuyoshi Takagi
Camille Vuillaume
2Short Memory Method on Koblitz Curves
Outline
Koblitz curvesBinary Curves τExpansions Binary vs. Koblitz
Short MemoryNormal vs. Polynomial
BasisShort Memory on
Normal BasisShort Memory on Polynomial Basis
Elliptic curvesInterest of ECC Binary Method NAF Method
3Short Memory Method on Koblitz Curves
Outline
Elliptic curvesInterest of ECC Binary Method
Koblitz curves
Short Memory
NAF Method
4Short Memory Method on Koblitz Curves
RSA vs. Elliptic Curves
Speed ECC are 30 times faster than RSA…
Memory …and require 6.5 less memory
5Short Memory Method on Koblitz Curves
Operations:
Binary Method
On average: (n-1)D+n/2A
2P
P 3P
)2
Input: P
Output: 105P
Scalar: d=105=( 1 0 1 0 10
6P
D A
1
D A D
DAD D ADDD
12P
13P
26P
105P
52P 104P
D
6Short Memory Method on Koblitz Curves
NAFw Method
d=105=(Scalar: 1 1 0 1 0 10 )2
Output: 105P13P
P
3PInput:
NAFw recoding, w=3
P
16P
Operations: D A D ADDDDD
On average: nD+n/(w+1)A+(2w-2-1)A
8P4P2P
105P
104P26P 52P
0 0 -3 0 100d=105= 1d=105=
Computations Pre-computations
7Short Memory Method on Koblitz Curves
Comparison – NAFw Method
Scalar multiplication for 160-bit EC
0 0
40
120
280
600
240
213201 195 194 198
0
100
200
300
400
500
600
700
binary NAF2 NAF3 NAF4 NAF5 NAF6
Memory (bytes)
0
50
100
150
200
250
300
Cost (elliptic operations)
Memory (bytes) Cost (EC op.)
Maximal speed-up: less than 20%
Optimal width w=5
How to get rid of point doublings?
8Short Memory Method on Koblitz Curves
Outline
Elliptic curves
Koblitz curvesBinary Curves τExpansions Binary vs. Koblitz
Short Memory
9Short Memory Method on Koblitz Curves
Binary Curves
Binary Curvesy2�xy=x3+ax2+b, a,b∈F2m
Can use AES acceleration hardware
Coprocessor-less architecture
Slow without AES hardware or fast processor
Well-suited for mobile phone CPU (32-bit RISC)
Re-use existing design ☺Lower production cost, cheaper design ☺
With coprocessor, prime curves are faster
Faster than general binary curves ☺☺
Koblitz Curvesy2+xy=x3+ax+1, a={0,1}
10Short Memory Method on Koblitz Curves
Binary and τ-Expansions
τ-and-add: no point doubling
10x fasterP = (x,y) →τP = (x2,y2)
Koblitz curves
P = (x,y) → 2P = (x’,y’)
Binary curves
τ=(μ+√-1)/7
)2d=9=( 1 0 10
P
2P
9P
4P 8P
P
τPd=9=( 1 1 11 )τ0 10
τP+P
…
9P*τ
1*23 1*20+= 1*τ6= 1*τ5 1*τ4 1*τ3 1*τ0+ + + +
2P = -τ2 P +μτ P
P = (x,y) → 2P = (x’,y’)
11Short Memory Method on Koblitz Curves
Binary vs. Koblitz Curves163-bit Scalar Multiplication
0
2282
0
326
978
2282
244
197
5442 36 34
0
500
1000
1500
2000
2500
binary NAF5 TNAF2 TNAF3 TNAF4 TNAF5
Memory (bits)
0
50
100
150
200
250
300
Cost (elliptic operations)
Memory (bits) Cost (ECADD)
Binary curves Koblitz curves
w=5 optimal…
…but requires a lot of memory
12Short Memory Method on Koblitz Curves
Outline
Elliptic curves
Koblitz curves
Short MemoryNormal vs. Polynomial
BasisShort Memory on
Normal BasisShort Memory with
Mixed Bases
13Short Memory Method on Koblitz Curves
Normal vs. Polynomial Basis
Normal BasisPolynomial Basisp=pm-1Xm-1+…+p1X+p0, where
pi∈{0,1}b=b0β0+b1β1 +…+bm-1βm-1, where βi2=βi+1 and βm-12=β0
Fast reduction with trinomials or pentanomials ☺
Fast multiplications ☺
No reduction ☺
Software Hardware
Very slow multiplications
Very fast squares ☺
Interesting for Koblitz curves (τ)
☺
Mixed approach?
Fast squares ☺Fast squares ☺
b=b0β0+b1β1 +…+bm-2βm-2+bm-1βm-1b2=b0β02+b1β12 +…+bm-2βm-22+bm-1βm-12
= bm-1β0 +b0β1+b1β2 +…+bm-2βm-1
14Short Memory Method on Koblitz Curves
Short Memory – Normal Basis
0 0 3 0 100
9PP
-1
3P
Standard method
Short memory
P-τ8P+P
3P9P
τ8
τ3
-P
P
-τ8P+P
0
τ τ τ τ τ τ τ τ
0 0 3 0 100-1 0
-τ5P+3P
τ8P
3τ3P
15Short Memory Method on Koblitz Curves
Sequential Precomputations
α1P=P α3P=τ2P+P α11P=-τ3P+α3P α15P=-α11P-τPα5P=τP-P α13P=-τ2α5P+P α7P=τP+P α9P=-τ4P-α7P
Precomputations
u αu=u modτ5 Binary representation of αu1 1 1
3 τ-3 τ2-15 τ-1 τ-17 τ+1 τ+19 2τ-3 -τ4-τ-1 -τ4-(τ+1)=
11 2τ-1 -τ3+τ2-1 -τ3+τ2-1=13 2τ+1 -τ3+τ2+1 -τ2(τ-1)+1=15 -3τ+1 τ3-τ2-τ+1 -(-τ3+τ2-1)-τ=
16Short Memory Method on Koblitz Curves
163-bit norm al basis
0
2282 2282
0 0
326
2282
326
244
197
49 54 41 42 34 34
0
500
1000
1500
2000
2500
binary NAF5 halvingNAF5
TNAF2 tau/halve TNAF3 TNAF5 ShortM em ory
Memory (bits)
0
50
100
150
200
250
300
Cost (elliptic operations)
M em ory (bits) Cost (EC operations)
Performance, Hardware163-bit Koblitz curve163-bit binary curve
☺☺
17Short Memory Method on Koblitz Curves
Short Memory - Mixed Bases
τ3
-τ8P+P
0 0 3 0 100-1 0 P
τ8P
τ8
P
P
τ8P
P
3P
3P3τ3P
-τ8P+P
9P
3τ3P
0 0 3 0 100-1 0
polynomialbasis
PnormalbasisP
Pτ-8
u=1
u=3
18Short Memory Method on Koblitz Curves
Change of Basis
1 0 011 1
1
1
0
1
0
1
0 0 111 1
0 0 110 0⊕
0 0 011 1⊕
0 1 111 0⊕
1 0 000 1⊕
0 0 110 1⊕
Original representation
Change of basis matrix
New representation 0 1 000 0
Cyclic shift not explicitly computed
19Short Memory Method on Koblitz Curves
163-bit polynom ial basis
0
126 126
0
42
126
294
84
1317
974
648543
437389 387 395
0
50
100
150
200
250
300
350
binary NAF4 halvingNAF4
TNAF2 TNAF3 TNAF4 TNAF5 ShortM em ory
Memory (bytes)
0
200
400
600
800
1000
1200
1400
Cost (multiplications)
M em ory (bytes) Cost (M )
Performance, Software
163-bit binary curve 163-bit Koblitz curve
☺☺
20Short Memory Method on Koblitz Curves
Extensions, open problems
Side channel & fault attacks
Change of basis
Other curves
21Short Memory Method on Koblitz Curves
Recap
Beurre
Argent du beurre
RSA
Binary curve, binary method
Binary curve, NAF5 method
Koblitz curve, TNAF5 method
Koblitz curve, short memory
“Le beurre et l’argent du beurre”
22Short Memory Method on Koblitz Curves
Questions & Comments