Short Memory Method on Koblitz Curves - IACR · 2008. 1. 12. · Short Memory Method on Koblitz...

22
Short Memory Method on Koblitz Curves Katsuyuki Okeya Tsuyoshi Takagi Camille Vuillaume

Transcript of Short Memory Method on Koblitz Curves - IACR · 2008. 1. 12. · Short Memory Method on Koblitz...

  • Short Memory Method on Koblitz Curves

    Katsuyuki Okeya

    Tsuyoshi Takagi

    Camille Vuillaume

  • 2Short Memory Method on Koblitz Curves

    Outline

    Koblitz curvesBinary Curves τExpansions Binary vs. Koblitz

    Short MemoryNormal vs. Polynomial

    BasisShort Memory on

    Normal BasisShort Memory on Polynomial Basis

    Elliptic curvesInterest of ECC Binary Method NAF Method

  • 3Short Memory Method on Koblitz Curves

    Outline

    Elliptic curvesInterest of ECC Binary Method

    Koblitz curves

    Short Memory

    NAF Method

  • 4Short Memory Method on Koblitz Curves

    RSA vs. Elliptic Curves

    Speed ECC are 30 times faster than RSA…

    Memory …and require 6.5 less memory

  • 5Short Memory Method on Koblitz Curves

    Operations:

    Binary Method

    On average: (n-1)D+n/2A

    2P

    P 3P

    )2

    Input: P

    Output: 105P

    Scalar: d=105=( 1 0 1 0 10

    6P

    D A

    1

    D A D

    DAD D ADDD

    12P

    13P

    26P

    105P

    52P 104P

    D

  • 6Short Memory Method on Koblitz Curves

    NAFw Method

    d=105=(Scalar: 1 1 0 1 0 10 )2

    Output: 105P13P

    P

    3PInput:

    NAFw recoding, w=3

    P

    16P

    Operations: D A D ADDDDD

    On average: nD+n/(w+1)A+(2w-2-1)A

    8P4P2P

    105P

    104P26P 52P

    0 0 -3 0 100d=105= 1d=105=

    Computations Pre-computations

  • 7Short Memory Method on Koblitz Curves

    Comparison – NAFw Method

    Scalar multiplication for 160-bit EC

    0 0

    40

    120

    280

    600

    240

    213201 195 194 198

    0

    100

    200

    300

    400

    500

    600

    700

    binary NAF2 NAF3 NAF4 NAF5 NAF6

    Memory (bytes)

    0

    50

    100

    150

    200

    250

    300

    Cost (elliptic operations)

    Memory (bytes) Cost (EC op.)

    Maximal speed-up: less than 20%

    Optimal width w=5

    How to get rid of point doublings?

  • 8Short Memory Method on Koblitz Curves

    Outline

    Elliptic curves

    Koblitz curvesBinary Curves τExpansions Binary vs. Koblitz

    Short Memory

  • 9Short Memory Method on Koblitz Curves

    Binary Curves

    Binary Curvesy2�xy=x3+ax2+b, a,b∈F2m

    Can use AES acceleration hardware

    Coprocessor-less architecture

    Slow without AES hardware or fast processor

    Well-suited for mobile phone CPU (32-bit RISC)

    Re-use existing design ☺Lower production cost, cheaper design ☺

    With coprocessor, prime curves are faster

    Faster than general binary curves ☺☺

    Koblitz Curvesy2+xy=x3+ax+1, a={0,1}

  • 10Short Memory Method on Koblitz Curves

    Binary and τ-Expansions

    τ-and-add: no point doubling

    10x fasterP = (x,y) →τP = (x2,y2)

    Koblitz curves

    P = (x,y) → 2P = (x’,y’)

    Binary curves

    τ=(μ+√-1)/7

    )2d=9=( 1 0 10

    P

    2P

    9P

    4P 8P

    P

    τPd=9=( 1 1 11 )τ0 10

    τP+P

    9P*τ

    1*23 1*20+= 1*τ6= 1*τ5 1*τ4 1*τ3 1*τ0+ + + +

    2P = -τ2 P +μτ P

    P = (x,y) → 2P = (x’,y’)

  • 11Short Memory Method on Koblitz Curves

    Binary vs. Koblitz Curves163-bit Scalar Multiplication

    0

    2282

    0

    326

    978

    2282

    244

    197

    5442 36 34

    0

    500

    1000

    1500

    2000

    2500

    binary NAF5 TNAF2 TNAF3 TNAF4 TNAF5

    Memory (bits)

    0

    50

    100

    150

    200

    250

    300

    Cost (elliptic operations)

    Memory (bits) Cost (ECADD)

    Binary curves Koblitz curves

    w=5 optimal…

    …but requires a lot of memory

  • 12Short Memory Method on Koblitz Curves

    Outline

    Elliptic curves

    Koblitz curves

    Short MemoryNormal vs. Polynomial

    BasisShort Memory on

    Normal BasisShort Memory with

    Mixed Bases

  • 13Short Memory Method on Koblitz Curves

    Normal vs. Polynomial Basis

    Normal BasisPolynomial Basisp=pm-1Xm-1+…+p1X+p0, where

    pi∈{0,1}b=b0β0+b1β1 +…+bm-1βm-1, where βi2=βi+1 and βm-12=β0

    Fast reduction with trinomials or pentanomials ☺

    Fast multiplications ☺

    No reduction ☺

    Software Hardware

    Very slow multiplications

    Very fast squares ☺

    Interesting for Koblitz curves (τ)

    Mixed approach?

    Fast squares ☺Fast squares ☺

    b=b0β0+b1β1 +…+bm-2βm-2+bm-1βm-1b2=b0β02+b1β12 +…+bm-2βm-22+bm-1βm-12

    = bm-1β0 +b0β1+b1β2 +…+bm-2βm-1

  • 14Short Memory Method on Koblitz Curves

    Short Memory – Normal Basis

    0 0 3 0 100

    9PP

    -1

    3P

    Standard method

    Short memory

    P-τ8P+P

    3P9P

    τ8

    τ3

    -P

    P

    -τ8P+P

    0

    τ τ τ τ τ τ τ τ

    0 0 3 0 100-1 0

    -τ5P+3P

    τ8P

    3τ3P

  • 15Short Memory Method on Koblitz Curves

    Sequential Precomputations

    α1P=P α3P=τ2P+P α11P=-τ3P+α3P α15P=-α11P-τPα5P=τP-P α13P=-τ2α5P+P α7P=τP+P α9P=-τ4P-α7P

    Precomputations

    u αu=u modτ5 Binary representation of αu1 1 1

    3 τ-3 τ2-15 τ-1 τ-17 τ+1 τ+19 2τ-3 -τ4-τ-1 -τ4-(τ+1)=

    11 2τ-1 -τ3+τ2-1 -τ3+τ2-1=13 2τ+1 -τ3+τ2+1 -τ2(τ-1)+1=15 -3τ+1 τ3-τ2-τ+1 -(-τ3+τ2-1)-τ=

  • 16Short Memory Method on Koblitz Curves

    163-bit norm al basis

    0

    2282 2282

    0 0

    326

    2282

    326

    244

    197

    49 54 41 42 34 34

    0

    500

    1000

    1500

    2000

    2500

    binary NAF5 halvingNAF5

    TNAF2 tau/halve TNAF3 TNAF5 ShortM em ory

    Memory (bits)

    0

    50

    100

    150

    200

    250

    300

    Cost (elliptic operations)

    M em ory (bits) Cost (EC operations)

    Performance, Hardware163-bit Koblitz curve163-bit binary curve

    ☺☺

  • 17Short Memory Method on Koblitz Curves

    Short Memory - Mixed Bases

    τ3

    -τ8P+P

    0 0 3 0 100-1 0 P

    τ8P

    τ8

    P

    P

    τ8P

    P

    3P

    3P3τ3P

    -τ8P+P

    9P

    3τ3P

    0 0 3 0 100-1 0

    polynomialbasis

    PnormalbasisP

    Pτ-8

    u=1

    u=3

  • 18Short Memory Method on Koblitz Curves

    Change of Basis

    1 0 011 1

    1

    1

    0

    1

    0

    1

    0 0 111 1

    0 0 110 0⊕

    0 0 011 1⊕

    0 1 111 0⊕

    1 0 000 1⊕

    0 0 110 1⊕

    Original representation

    Change of basis matrix

    New representation 0 1 000 0

    Cyclic shift not explicitly computed

  • 19Short Memory Method on Koblitz Curves

    163-bit polynom ial basis

    0

    126 126

    0

    42

    126

    294

    84

    1317

    974

    648543

    437389 387 395

    0

    50

    100

    150

    200

    250

    300

    350

    binary NAF4 halvingNAF4

    TNAF2 TNAF3 TNAF4 TNAF5 ShortM em ory

    Memory (bytes)

    0

    200

    400

    600

    800

    1000

    1200

    1400

    Cost (multiplications)

    M em ory (bytes) Cost (M )

    Performance, Software

    163-bit binary curve 163-bit Koblitz curve

    ☺☺

  • 20Short Memory Method on Koblitz Curves

    Extensions, open problems

    Side channel & fault attacks

    Change of basis

    Other curves

  • 21Short Memory Method on Koblitz Curves

    Recap

    Beurre

    Argent du beurre

    RSA

    Binary curve, binary method

    Binary curve, NAF5 method

    Koblitz curve, TNAF5 method

    Koblitz curve, short memory

    “Le beurre et l’argent du beurre”

  • 22Short Memory Method on Koblitz Curves

    Questions & Comments