High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication

Size: px

Start display at page:

Download "High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication"

Dwayne Blankenship
5 years ago
Views:

1 High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication Amine Mrabet, Nadia El-Mrabet, Ronan Lashermes, Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager and Mohsen Machhout September 2016 Efficient MMM for ECC Mrabet et al. September /37

2 Introduction Public key cryptography is still costly (computing resources). Elliptic Curve Cryptography has a better cost/security trade-off w.r.t. RSA. We can still reduce the cost with better hardware architectures. Efficient MMM for ECC Mrabet et al. September /37

3 1 Arithmetic ECC Montgomery Modular Multiplication 2 Our architecture Basics PEs Scheduling Resources 3 Results Results Conclusion Efficient MMM for ECC Mrabet et al. September /37

4 ECC Elliptic Curve Cryptography (ECC) Why? Elliptic curves allow to define groups with a hard Discrete Logarithm Problem. In the general case, cracking methods are far less efficient than for RSA. Efficient MMM for ECC Mrabet et al. September /37

5 ECC Elliptic Curve Cryptography (ECC) Why? Elliptic curves allow to define groups with a hard Discrete Logarithm Problem. In the general case, cracking methods are far less efficient than for RSA. How? (simplified) Let p > 3 a big prime, E(F p ) is the (short Weierstrass) elliptic curve E(F p ) : y 2 = x 3 + ax + b, where x, y, a, b F p with 4a b 2 0. Efficient MMM for ECC Mrabet et al. September /37

6 ECC EC Group The points (x, y) on the curve define an abelian group together with the point at infinity 0, the neutral element for addition. Efficient MMM for ECC Mrabet et al. September /37

7 ECC EC Group The points (x, y) on the curve define an abelian group together with the point at infinity 0, the neutral element for addition. Jacobian coordinates The triple (x : y : z) can be mapped to (x/z 2, y/z 3 ) if z 0. If z = 0 it is 0. The curve becomes: y 2 = x 3 + axz 4 + bz 6. Efficient MMM for ECC Mrabet et al. September /37

8 ECC Operations in Jacobian coordinates (a = 0, points 0 ) Doubling (7S+5M+13A) T (X T : Y T : Z T ) = 2 Q(X Q : Y Q : Z Q ). X T = 9X 4 Q 8X QY 2 Q, Y T = 3X 2 Q (4X QY Q X T ) 8Y 4 Q, Z T = 2Y Q Z Q. Efficient MMM for ECC Mrabet et al. September /37

9 ECC Operations in Jacobian coordinates (a = 0, points 0 ) Doubling (7S+5M+13A) T (X T : Y T : Z T ) = 2 Q(X Q : Y Q : Z Q ). X T = 9X 4 Q 8X QY 2 Q, Y T = 3X 2 Q (4X QY Q X T ) 8Y 4 Q, Z T = 2Y Q Z Q. Addition (4S + 14M + 6A) R = T + Q. X R = (2Y Q Z 3 T 2Y T ) 2 4(X Q Z 2 T X T ) 3 8(X Q Z 2 T X T ) 2 X T, Y R = (2Y Q Z 3 T 2Y T )(4X T (X Q Z 2 T X T ) X R ) 8Y T (X Q Z 2 T X T ) 3, Z R = 2Z T (X Q Z 2 T X T ). Efficient MMM for ECC Mrabet et al. September /37

10 Montgomery Modular Multiplication Montgomery Modular Multiplication (MMM) MMM MMM provides an efficient way for modular multiplication (noted ): there is no division by p. mod p Efficient MMM for ECC Mrabet et al. September /37

11 Montgomery Modular Multiplication Montgomery Modular Multiplication (MMM) MMM MMM provides an efficient way for modular multiplication (noted ): there is no division by p. mod p Residue Let a, b, R F p where R is Montgomery s residue. a = ar mod p is said to be a in Montgomery s form. a b = abr 1 mod p, as a consequence a b = arbrr 1 mod p = abr mod p = (ab). Efficient MMM for ECC Mrabet et al. September /37

12 Montgomery Modular Multiplication Montgomery Modular Multiplication (MMM) MMM MMM provides an efficient way for modular multiplication (noted ): there is no division by p. mod p Residue Let a, b, R F p where R is Montgomery s residue. a = ar mod p is said to be a in Montgomery s form. a b = abr 1 mod p, as a consequence a b = arbrr 1 mod p = abr mod p = (ab). Conversion Field values are converted in Montgomery s form at the beginning of the computation and back to normal at the end. Efficient MMM for ECC Mrabet et al. September /37

13 Montgomery Modular Multiplication How to compute MMM? Koç s multiword CIOS algorithm Efficient MMM for ECC Mrabet et al. September /37

14 Montgomery Modular Multiplication CIOS details Efficient MMM for ECC Mrabet et al. September /37

15 Montgomery Modular Multiplication Benefits Low memory footprint, apart from some precomputations (p, R...), easy to change p and operand sizes, neat structure, without divisions, easy to implement in hardware. Efficient MMM for ECC Mrabet et al. September /37

16 Basics Basics Here, each operation takes 1 unit of time. Let s compute r = a b + b + c. Sequential Time + Operations 1 x t1 = a b 2 x t2 = b + c 3 x r = t1 + t2 Efficient MMM for ECC Mrabet et al. September /37

17 Basics Basics Here, each operation takes 1 unit of time. Let s compute r = a b + b + c. Sequential Time + Operations 1 x t1 = a b 2 x t2 = b + c 3 x r = t1 + t2 Parallel Time + Operations 1 x x t1 = a b, t2 = b + c 2 x r = t1 + t2 Efficient MMM for ECC Mrabet et al. September /37

18 Basics Basics - 2 Here, each operation takes 1 unit of time. Let s compute r = a b + b + c. Atomic Latency Throughput + Operations r = a b + b + c The choice of operations and how they are chained together is called scheduling. Efficient MMM for ECC Mrabet et al. September /37

19 Basics Basics - 2 Here, each operation takes 1 unit of time. Let s compute r = a b + b + c. Atomic Latency Throughput + Operations r = a b + b + c Pipelined Latency Throughput + Operations 2 + ɛ : t1 = a b, t2 = b + c, 2 : r = t1 + t2 2 + ɛ : t1 = a b, t2 = b + c, 2 : r = t1 + t2 The choice of operations and how they are chained together is called scheduling. Efficient MMM for ECC Mrabet et al. September /37

20 Basics Systolic arrays A systolic array is an architecture both parallel and pipelined. To create such an architecture, we have to identify small Processing Elements (PEs) (no control flow logic). Efficient MMM for ECC Mrabet et al. September /37

21 PEs Where is Waldo the PE? Efficient MMM for ECC Mrabet et al. September /37

22 PEs α Efficient MMM for ECC Mrabet et al. September /37

23 PEs α f Efficient MMM for ECC Mrabet et al. September /37

24 PEs β Efficient MMM for ECC Mrabet et al. September /37

25 PEs γ Efficient MMM for ECC Mrabet et al. September /37

26 PEs γ f Efficient MMM for ECC Mrabet et al. September /37

27 Scheduling S=8, Time=1 Efficient MMM for ECC Mrabet et al. September /37

28 Scheduling S=8, Time=2 Efficient MMM for ECC Mrabet et al. September /37

29 Scheduling S=8, Time=3 Efficient MMM for ECC Mrabet et al. September /37

30 Scheduling S=8, Time=4 Efficient MMM for ECC Mrabet et al. September /37

31 Scheduling S=8, Time=10 Efficient MMM for ECC Mrabet et al. September /37

32 Scheduling S=8, Time=10 Efficient MMM for ECC Mrabet et al. September /37

33 Scheduling S=8, Time=13 Efficient MMM for ECC Mrabet et al. September /37

34 Scheduling S=8, All Efficient MMM for ECC Mrabet et al. September /37

35 Resources Alpha Efficient MMM for ECC Mrabet et al. September /37

36 Resources Gamma Efficient MMM for ECC Mrabet et al. September /37

37 Resources Resources Our architecture requires: 3 α, 3 γ, 1 β, 1 α f, 1 γ f. Efficient MMM for ECC Mrabet et al. September /37

38 Resources Regrouping Efficient MMM for ECC Mrabet et al. September /37

39 Resources Block diagram Efficient MMM for ECC Mrabet et al. September /37

40 Results MMM architecture variants CIOS (bits per word) s=8 s=16 s=32 s=64 K= K= K= K= Clock cycles= 3 (s + nb) Number of cells Efficient MMM for ECC Mrabet et al. September /37

41 Results ECC results (Artix-7) Slice DSPs BRAM Freq Slice FF Slice LUT NW-8 (256) NW-16 (256) NW-8 (512) NW-16 (512) Efficient MMM for ECC Mrabet et al. September /37

42 Conclusion Conclusion Very efficient Montgomery Modular Multiplication with low latency. Give mixed results for a straightforward ECC implementation. Yet improvements are still possible: we should not wait the complete ending of an MMM to start the next. Should be particularly interesting for latency and throughput. Efficient MMM for ECC Mrabet et al. September /37

43 Conclusion Thank you! Any questions? Efficient MMM for ECC Mrabet et al. September /37

44 Conclusion ECC results... et al. Curve Device Lut Reg Size (DSP) Freq. Bajard any Kintex slices (46) 281 Bajard any Kintex slices (91) 266 Bajard classic 256 any slices (46) Guillermin 256 any Stratix ALM (96) 157 Guillermin 512 any Stratix ALM (244) 145 Güneysu 256 NIST Virtex slices (32) 490 Yuan Ma 256 any Virtex slices (37) 250 Yuan Ma 256 any Virtex slices (37) 291 McIvor 256 any Virtex-II slice 39 Us NW any Artix slices (33) 98 Us NW any Artix slices (92) 59 Us NW any Artix slices (34) 130 Us NW any Artix slices (60) 74 Efficient MMM for ECC Mrabet et al. September /37

al.. High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication.

al.. High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication. High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication Amine Mrabet, Nadia El-Mrabet, Ronan Lashermes, Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager,