Comparison of Algorithms for Elliptic Curve Cryptography over Finite Fields of GF(2 m )

Transcription

1 Comparison of Algorithms for Elliptic Curve Cryptography over Finite Fields of GF( m ) The IASTED International Conference on Communication, Network, and Information Security CNIS 003, December -1, 003 New York, USA Dirk Timmermann Slide 1

2 Contents Motivation Elliptic Curve Cryptography Finite fields Point addition and point doubling Difference between affine and projective coordinates Algorithms for Scalar Multiplication Double-and-Add (DaA) Double-and-Add/Subtract (DaAS) Improvement for DaAS Montgomery algorithm Comparing the Algorithms Results Conclusion Slide

3 Motivation Elliptic Curve Cryptography (ECC) uses smaller key length than other public key algorithms at the same level of security ECC uses today 10 bit RSA uses today 4 bit ECC can be used for authentication, encryption, digital signatures, key exchange and so forth Because of the short key length ECC is interesting for small and embedded devices For ECC the scalar multiplication k*p must be computed There exist several algorithms for the scalar multiplication What algorithm is the best for a software or hardware computation? Slide 3

4 Elliptic Curves f( x) y gx ( ) x x Weierstrass equation: E: y + a 1 xy + a 3 y = x 3 + a x + a 4 x + a x, y, a i GF(q) E is the set of solutions of the Weierstrass equation in the affine plane Elliptic curves used in cryptography will be mapped on finite fields GF(q) The curve may not be singular Discriminant 0 Slide 4

5 Finite Fields GF(q) For finite fields there exist two possible notations GF(q) = F q Where q = p m with p a prime number and m a nonnegative integer For cryptography there only the special cases m = 1 or p = are from interest For hardware computation the special case p = is very interesting char( GF( m ) ) = E: y + xy = x 3 + ax + b GF(p m ) m = 1 p = GF(p) GF( m ) polynomial base normal base Slide 5

6 Point Operations Point addition P Q A line through P and Q λ = (x 1 + x )/(y 1 + y ) Point doubling P = Q A tangent at P λ = x 1 + y 1 /x 1 f( x) y gx ( ) 3 8 -R 4 Q 0 4 P 4 R 8 8 x x -R Computing the coordinates of R x 3 = λ + λ + x 1 + x + a y 3 = λ(x 1 + x 3 ) + x 3 + y 1 y 3 = λx 3 + x 3 + x 1 if P Q if P = Q f( x) y gx ( ) 3 P R 8 x x Slide

7 Affine vs. Projective Coordinates Affine Coordinates (x, y) Advantage: Less finite field operations Easy equations for point operations Disadvantage: One inversion per point operation Projective Coordinates (X, Y, Z) Advantage: No inversion for point operations Disadvantage: Many finite field operations Conversion/Back conversion from/to affine coordinates Add Mult Sqr Inv Add Mult Sqr Adding Adding Doubling 5 1 Doubling Slide 7

8 Scalar Multiplication k*p Scalar Multiplikation k * P Scalar Multiplikation Point Addition P + Q = R Point Doubling P = R Point Operations on Ellitpc Curve Addition x + y Multiplication x * y Squaring x Inversion x -1 Finite Field Operations Slide 8

9 Algorithms for Scalar Multiplication k*p Double and Add (DaA) Simplest algorithm Input: An integer k > 0 and a point P Output: Q = k * P 1. k = (k n-1,..., k 1, k 0 ). Q = P 3. for i in (n ) downto 0 do 4. Q = * Q 5. if k i = "1" then. Q = Q + P 7. return Q Needs (n 1) point doublings The number of point aditions depends on the Hamming weight Hw(k) (Hw(k) 1) point additions on average Hw(k) = n / Slide 9

10 Algorithms for Scalar Multiplication k*p Reducing the Hamming weight Signed Digit Representation Elements are 0, 1, 1 on average Hw(k) = n / 3 Conversion algorithms Canonical Recoding Algorithm Modified Booth Additionally the point subtraction is needed P = (x, y + x) Double and Add/Subtract (DaAS) Input: An integer k > 0 and a point P Output: Q = k * P 1. k = (k n-1,..., k 1, k 0 ) SD k i {0,1, 1}. Q = P 3. for i in (n ) downto 0 do 4. Q = * Q 5. if k i = "1" then. Q = Q + P 7. else if k i = " 1" then 8. Q = Q P 9. return Q Slide

11 Improvement for DaAS Algorithm If a point addition is faster to compute than a point doubling, then a speed up is possible Q i = Q i-1 + P = (Q i-1 + P) + Q i-1 Method of K. Eisenträger, K. Lauter and P. L. Montgomery At the computation of successive point additions the computation of the y-coordinate can be saved λ = 3 y x + y + x 1 1 x = λ + λ + x + x + a = λ ( + ) + + λ ( ) y x x x y ( ) λ = 4 y x + y + x 3 3 x = λ + λ + x + x + a y = x + x + x + y y + y λ x + x + x + y + y x λ = = = λ x3 + x x3 + x x3+ x Slide 11

12 Montgomery Algorithm Input: An integer k > 0 and a point P Output: Q = k * P 1. k = (k n-1,..., k 1, k 0 ). P 1 = P; P = P 3. for i in (n ) downto 0 do 4. if k i = "1" then 5. P 1 = P 1 + P ; P = P. else 7. P 1 = P 1 ; P = P 1 + P 8. return (Q = P 1 ) Publication of P. L. Montgomery Independent of the Hamming weight Hw(k) Computing of the y-coordinates can be saved y-coordinates of the sum of two points whose difference is known can be computed in terms of the x-coordinates of the involved points Slide 1

13 Comparing the Algorithms (Software) Algorithms tested with two software library s for ellitpic curve cryptography LiDIA Field Width m 13 Add. Mult. 71 Sqr. 45 Inv. 944 Cryptix Elliptix Measured the time of the finite field operations 0000 iterations per finite field operations Example: LiDIA GF( 13 ) Coordinates Affine Projective Algorithm DaAS DaAS Imp. Montgomery DaAS Men. DaAS IEEE DaAS LD Time (ms) Montgomery.74 Slide 13

14 Comparing the Algorithms (Hardware) Addition and squaring can be computed in one clock cycle Only XOR combinations A serial multiplications need m clock cycles Field Width m 13 Coordinates Add. Mult. 1 m Algorithm Sqr. Inv. 1 m Clock Cycles For inversion there exist a fast solution from H. Brunner, A. Curiger and M. Hofstetter Serial implementation Needs only m clock cycles For projective coordinates Fermat s theorem can be used Affine Projective DaAS DaAS Imp. Montgomery DaAS Men. DaAS IEEE DaAS LD Montgomery Slide 14

15 Conclusion Overview about known algorithms for scalar multiplication The time for the finite field inversion is deciding, what coordinate system is the best Comparing the algorithms for software and hardware computation Software: Montgomery Algorithm in projective coordinates Hardware: DaAS Algorithm and Improvement in affine coordinates Fastest hardware solution uses other algorithm, so a speed up of up to 40% with DaAS + Improvement is possible Slide 15

16 Thank you! Slide 1