Elliptic Curve Cryptography. Implementation and Performance Testing of Curve Representations


Elliptic Curve Cryptography: Implementation and Performance Testing of Curve Representations
Olav Wegner Eide
Master's Thesis, Spring 2017
30th April 2017

Abstract

Public-key cryptography makes it possible to create digital signatures and to negotiate keys, which is indispensable for today's commercial and governmental online computer systems. Elliptic curve cryptography (ECC) is a preferred method to implement these services, due to its low computational complexity compared to other modular arithmetic systems such as the Rivest-Shamir-Adleman algorithm (RSA). This thesis investigates how the use of different curve representations impacts the performance of the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Elliptic Curve Diffie-Hellman (ECDH) key exchange. The thesis develops a point compression method for Hessian curves over both binary and odd prime characteristic fields, and an addition-subtraction formula for twisted Hessian curves. Using these mechanisms, the thesis gives a full C implementation of twisted Hessian curves, binary Hessian curves, and binary Edwards curves as an extension to the open source library Miracl [1]. To performance test these curve representations, the thesis gives several random curves and presents a detailed test methodology. This methodology lets us compare the complexity of a scalar multiplication in the different curve representations as a number of field multiplications. Applying this methodology, the thesis compares the Weierstrass curves and twisted inverted Edwards curves already implemented in Miracl with the added curve representations. From these results, twisted inverted Edwards curves over odd prime characteristic fields clearly excel as the best performing curve representation for ECDSA signature verification. For ECDSA signature generation and ECDH key exchange, projective Weierstrass over binary fields using Koblitz curves stands out as the best performing. Furthermore, the thesis evaluates the implementation of these curve representations with regard to protection against simple side-channel attacks.


Acknowledgments

First and foremost I would like to thank my supervisor Leif Nilsen for his helpful comments and guidance in the field of cryptography. I would also like to thank him for doing a special mathematics course on elliptic curves in advance of the thesis work. Furthermore, I would like to thank Certivox for developing Miracl, the library that I have used in my thesis. More specifically, I would like to thank Mike Scott for answering complicated questions regarding Miracl. I would like to acknowledge Kjetil Birkeland and Aslak Wegner Eide for their thorough proofreading and useful comments. I would also like to show my gratitude to the people behind the magnificent services of bitbucket.com, wolframalpha.com and mobilefish.com. These served as solid tools during my thesis work. Moreover, I would like to thank the University of Oslo for providing suitable work facilities and access to literature. I also extend my gratitude to my fellow students, in particular Magnus Åsrud and Vetle Volden-Freberg, who provided comments and suggestions on the thesis and the production of this document. Last, but most importantly, my biggest gratitude goes to my family and my girlfriend Guro Rudberg. Without their support, kind words and early-set alarm clocks this thesis would not have been possible. At last, I would like to dedicate this thesis to my brother Sindre Wegner Eide, whose life was too short.


Contents

1 Introduction
  ECC Hierarchy
  Problem Description
  Own Contribution
  Structure of the Thesis
2 Background Material
  Groups
  Fields
    Finite Fields
    Binary Fields
  Prime Field Operations
    Addition and Subtraction in F_p
    Multiplication and Squaring in F_p
    Inversion in F_p
    Finding Modular Square Roots
    Finding Modular Cube Roots
    Solving Modular Cubic Equations
  Binary Field Operations
    Addition in F_{2^n}
    Multiplication and Squaring in F_{2^n}
    Finding Square Roots in F_{2^n}
    Finding Cube Roots in F_{2^n}
    Solving Quadratic Equations Over F_{2^n}
    Solving Cubic Equations Over F_{2^n}
  Elliptic curves
    The Group of Points on the Elliptic Curve
    Negation of a Point
    Addition and Subtraction of a Point
    Counting Points on an Elliptic Curve
    Cofactor
    Twists
  Coordinate Systems
    2.6.1 Projective Coordinates
    Homogeneous Polynomials
    Double and Add Formula for Projective Coordinates
  Curve Representations Over F_p
    Types of Formulas
    Edwards Curves
    Double and Add Formula for Twisted Inverted Edwards Curves
    Hessian Curves
    Double and Add Formula for Twisted Hessian Curves
  Curve Representations Over F_{2^n}
    Binary Weierstrass Curves
    Double and Add Formula for Binary Affine Coordinates
    Double and Add Formula for Binary Projective Coordinates
    Binary Edwards Curves
    Double and Add Formula for Binary Edwards Curves
    Binary Hessian Curves
    Double and Add Formula for Binary Hessian Curves
  Point Compression
    Point Compression on Weierstrass Curves
    Point Compression on Twisted Hessian Curves
    Point Compression on Binary Edwards Curves
    Point Compression on Binary Hessian Curves
  Scalar Multiplication
    The Double-and-Add Algorithm
    Non-Adjacent Form (NAF)
    The Addition-Subtraction Method
    Double-Scalar Multiplication
  Cryptographic Primitives
    Confidentiality, Integrity and Availability
    Discrete Logarithm Problem (DLP)
    The Discrete Logarithm Problem for Elliptic Curves (ECDLP)
    ECDSA
    ECDH
  Security
    Generic Attacks
    Small Subgroup Attack
    Differential Fault Analysis
    Non-Generic Attacks
    Side-Channel Attacks
3 Test Criteria
  Performance
  Prime or Binary Field?
  Cofactor
  Security
  Key Lengths
  Side-channel Attacks
  Robustness
  Portability
4 Implementation
  Choice of Library
  The Miracl Library
  Implementation of Curve Representations Over Finite Prime Fields
    Initialization of the Curve
    Setting the Initial Point on the Curve
    Overview of Implementation of Curve Representations
    Implementation of Doubling and Addition Formulas
  Implementation of Curve Representations Over Binary Fields
    Initialization of a Curve
    Overview of Binary Hessian Curves Implementation
    Overview of Binary Edwards Curves Implementation
    Addition and Doubling Formulas
5 Test Methodology
  Computational Complexity
    Counting of Operations
    Counting Operations in Miracl
  Selection and Generation of Test Curves Over F_p
    Short Weierstrass Curves
    Twisted Edwards Curves
    Twisted Hessian Curves
  Selection of Test Curves Over F_{2^n}
    Binary Weierstrass Curves
    Binary Edwards Curves
    Binary Hessian Curves
  Testing Cofactor
  Test Design
  Theoretical Analysis
    Theoretical Analysis of ECDH
    Theoretical Analysis of ECDSA
6 Results
  Theoretic Operation Count for Doubling and Addition Over F_p
  Theoretic Operation Count for Doubling and Addition Over F_{2^n}
  Theoretic Analysis of ECDH Over F_p
  Theoretic Analysis of ECDH Over F_{2^n}
  Theoretic Analysis of ECDSA Over F_p
  Theoretic Analysis of ECDSA Over F_{2^n}
  Test Results for ECDH Over F_p (one subsection per bit size)
  Test Results for ECDH Over F_{2^n} (one subsection per bit size)
  Test Results for ECDSA Over F_p (one subsection per bit size)
  Test Results for ECDSA Over F_{2^n} (one subsection per bit size)
7 Discussion
  Performance
    Point Multiplication Over F_p
    Point Multiplication Over F_{2^n}
    Double Point Multiplication Over F_p
    Double Point Multiplication Over F_{2^n}
  Prime or Binary Field?
  Cofactor
  Security
  Side-channel Attacks
  Discussion Summary
8 Conclusion
  Further Work
References
A Appendix
  A.1 Random Hessian Curves Over F_p (one subsection per bit size)
  A.2 Random Hessian Curves Over F_{2^n} (one subsection per bit size)
  A.3 Random Edwards Curves Over F_{2^n} (one subsection per bit size)


List of Figures

1.1 The hierarchy of ECC over binary fields; figure created based on p. 15 of [2]
Adding points on an elliptic curve. The figure is generated in GeoGebra with the idea from fig. 2.2 in [17]
The hierarchy of ECC over finite prime fields in Miracl
The hierarchy of ECC over binary fields in Miracl
Chart of the estimated number of M for 1000 point multiplications for curve representations over F_p
Chart of the estimated number of M for 1000 point multiplications for curve representations over F_{2^n}. NIST K denotes Koblitz curves
Chart of the estimated number of M for 1000 double point multiplications for curve representations over F_p
Chart of the estimated number of M for 1000 double point multiplications for curve representations over F_{2^n}


List of Tables

2.1 Minimal cofactor
Scale for field operations in F_p
Scale for field operations in F_{2^n}
Weierstrass test curves
Edwards test curves
Binary Weierstrass test curves
Running Specifications
Operation Count for doubling, addition and addition-subtraction over F_p. Est. gives an estimated number of multiplications at the given bit size level
Operation Count for doubling and addition formulas over F_{2^n}. Est. gives an estimated number of multiplications at the given bit size level
Estimated number of multiplications (M) for 1000 ecurve_mult in ECDH over F_p
Estimated number of multiplications (M) for 1000 ecurve2_mult in ECDH over F_{2^n}
Estimated number of multiplications (M) for 1000 ecurve_mult2 in ECDSA over F_p
Estimated number of multiplications (M) for 1000 ecurve2_mult2 in ECDSA over F_{2^n}
Results of running ecdhspeedtest.c for curves over 256 bit prime fields. Note: For Brainpool P-256r1 A
Results of running ecdhspeedtest.c for curves over 384 bit prime fields
Results of running ecdhspeedtest.c for curves over 512 bit prime fields
Results of running ecdhspeedtest2.c for curves over 283 bit binary fields
Results of running ecdhspeedtest2.c for curves over 409 bit binary fields
Results of running ecdhspeedtest2.c for curves over 571 bit binary fields
Results of signing running ecdsaspeedtest.c for curves over 256 bit prime fields. Note: For Brainpool P-256r1 A
Results of verifying running ecdsaspeedtest.c for curves over 256 bit prime fields. Note: For Brainpool P-256r1 A
Results of signing running ecdsaspeedtest.c for curves over 384 bit prime fields
6.17 Results of verifying running ecdsaspeedtest.c for curves over 384 bit prime fields
Results of signing running ecdhspeedtest.c for curves over 512 bit prime fields
Results of verifying running ecdhspeedtest.c for curves over 512 bit prime fields
Results of signing running ecdsaspeedtest2.c for curves over 283 bit binary fields
Results of verifying running ecdsaspeedtest2.c for curves over 283 bit binary fields
Results of signing running ecdsaspeedtest2.c for curves over 409 bit binary fields
Results of verifying running ecdsaspeedtest2.c for curves over 409 bit binary fields
Results of signing running ecdhspeedtest2.c for curves over 571 bit binary fields
Results of verifying running ecdhspeedtest2.c for curves over 571 bit binary fields
Estimated running time for one single point multiplication using the best performing curve representation over the given field
Estimated running time for one double multiplication using the best performing curve representation over the given field
Estimation of the number of M for one single and double scalar multiplication over F_p, where the cost of doubling is changed to the cost of the addition formula
Estimation of the number of M for one single and double scalar multiplication over F_{2^n}, where the cost of doubling is changed to the cost of the addition formula
A random Hessian curve (first bit size)
A random Hessian curve (second bit size)
A random Hessian curve (third bit size)
A random binary Hessian curve (first bit size)
A random binary Hessian curve (second bit size). Note: #E(F_{2^n}) is composite, the given base point is of unknown order, but #E(F_{2^n}) (x, y) = O, thus the point is on the curve
A random binary Edwards curve named Lucky Number Thirteen

Chapter 1 Introduction

Elliptic curve cryptography (ECC) is a public-key cryptography approach that is used in both commercial and governmental computer systems. The two most prominent protocols based on ECC are the Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures and the Elliptic Curve Diffie-Hellman (ECDH) protocol for key agreement. Due to the high computational complexity of public-key cryptography, ECC is a preferred way of doing public-key cryptography compared to conventional systems based on modular arithmetic, as ECC provides a high security level using much shorter key lengths. Several implementation suggestions have been proposed over the years to further decrease the running time of signing and verification, and of encryption and decryption.

1.1 ECC Hierarchy

Due to the complexity of ECC, implementation suggestions usually aim to improve operations at one level of the ECC hierarchy, as exemplified in figure 1.1 below. A modification to one level of the hierarchy can affect the other levels, and it is crucial to know precisely what the modification will and will not affect. Take for example the lowest-level operations in the hierarchy. These are field operations, and modifying them does not affect the rest of the hierarchy as long as they remain correct, see section 2.2 [3]. On the contrary, if a point tripling operation were added to the second level of the hierarchy, the point multiplication level would need to change, as in [4]. Some suggestions also modify the whole hierarchy, such as the proposed EdDSA scheme in [5]. The hierarchy only shows the general structure of which operations depend on each other. Operations on some levels may call a lower-level operation far down the hierarchy directly, without going through an intermediate level. For that reason, the hierarchy should not be regarded as an absolute structure of ECC, but rather as a general dependency schematic.

Figure 1.1: The hierarchy of ECC over binary fields; figure created based on p. 15 of [2].

1.2 Problem Description

This master thesis aims to investigate how the use of different curve representations impacts the performance and security of the ECC protocols mentioned above. In ECC we describe curve representations as different mathematical equations that represent the points which build the elliptic curve. Each such curve representation forms a different version of the second level of the ECC hierarchy. In particular, this thesis aims to implement and performance test the following curve representations: Weierstrass curves, Edwards curves and Hessian curves over both prime and binary fields. Performance first of all refers to the computational complexity of the formulas for doubling and adding points on the elliptic curve. This thesis proposes that less complexity in these formulas will improve the performance further up the hierarchy, because point addition and doubling are carried out a large number of times during point multiplication. Point multiplication is in turn called by ECDSA during the signing and verification algorithms, or when generating a key for ECDH. Hence, by improving one level, the higher levels of the hierarchy are affected. Security can be defined in several different ways, but in the context of cryptography it is usually interpreted as preventing unauthorized access, modification, and inspection of information. The authorization is usually based on the knowledge or possession of a key

or a token that contains the key. In this thesis, we define security to be at an acceptable level if the number of operations required to retrieve the key is practically infeasible for an attacker (i.e., given that the attacker has access to the enciphered text only). Additionally, we investigate whether some of the representations reveal information during their execution that could be used for side-channel attacks.

1.3 Own Contribution

This thesis develops addition-subtraction formulas for twisted Hessian curves in the subsection on Hessian curves in section 2.7. Furthermore, it comes up with a method for point compression for twisted Hessian curves and binary Hessian curves using some general mathematical results, see the corresponding subsections of section 2.9. Using these results together with already published material, a full implementation of twisted Hessian curves, binary Hessian curves and binary Edwards curves is given as an extension of the Miracl library, see chapter 4. The thesis also outlines a test methodology for performance testing of curve representations and gives a few random curves that could be useful for performance testing in chapter 5.

1.4 Structure of the Thesis

The thesis starts out by building a mathematical foundation for ECC. Thereafter it presents many concepts of ECC and the selected curve representations. An introduction to some notions of security is also included here. Following this, the thesis outlines some test criteria and gives information on the implementation. Lastly, the thesis defines a test methodology and tests, presents and discusses results.


Chapter 2 Background Material

This chapter introduces some central background material for the thesis. Firstly, it presents theory on groups and fields. Secondly, it presents the EC by the Weierstrass equation and some of its properties. Following that, the other curve representations are introduced. Further on, this chapter illustrates how the EC can be used to build cryptographic schemes, before presenting some notions of security around ECC.

2.1 Groups

This section defines groups and some important properties of them. The definitions, theorems and examples in this section have been recompiled from [6]. As they are rather general, we do not include a citation for each single point.

Definition 2.1. A group is a set $G$, closed under a binary operation $\ast$, such that the following axioms are satisfied:
1. Associativity: For all $a, b, c \in G$, $(a \ast b) \ast c = a \ast (b \ast c)$.
2. Identity element: There is an element $e \in G$ such that for all $x \in G$, $e \ast x = x \ast e = x$.
3. Inverse: Corresponding to each $a \in G$, there is an element $a' \in G$ such that $a \ast a' = a' \ast a = e$.

Definition 2.2. A group $G$ is called abelian or commutative if and only if $a \ast b = b \ast a$ for all $a, b \in G$.

Much used examples of abelian groups are the sets of integers ($\mathbb{Z}$), rational ($\mathbb{Q}$), real ($\mathbb{R}$) and complex ($\mathbb{C}$) numbers under addition. One example where the set and binary

operation do not form a group is the set of positive integers ($\mathbb{Z}^+$) under addition. This cannot be a group because there is no identity element, as $0 \notin \mathbb{Z}^+$. Hence, the second axiom is not fulfilled.

Definition 2.3. If $G$ is a group, then the order $|G|$ of $G$ is the number of elements in $G$.

Definition 2.4. If a subset $H$ of a group $G$ is closed under the induced binary operation of $G$, then $H$ is a subgroup of $G$.

Theorem 2.1 (Theorem of Lagrange). Let $H$ be a subgroup of a finite group $G$. Then the order of $H$ is a divisor of the order of $G$.

Definition 2.5. Let $G$ be a group and $a \in G$. If performing the group operation $a \ast a \ast \cdots \ast a$ ($|G|$ times) gives all the elements of the group $G$, then $a$ is called a generator or primitive element of $G$. Note that if $a$ does not generate the whole group $G$, then $a$ is a generator of a subgroup $H < G$.

2.2 Fields

As in the former section, this section cites [6]. For the two subsections, material is obtained from [3].

Definition 2.6. A field is a set $F$ together with two binary operations $+$ and $\cdot$, which we call addition and multiplication, defined on $F$ such that the following axioms are satisfied:
1. $F$ is an abelian group under addition.
2. Multiplication is associative.
3. For all $a, b, c \in F$, the left distributive law $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and the right distributive law $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$ hold.
4. Multiplication is commutative.
5. There is an identity element for multiplication.
6. For every nonzero element $a \in F$ there exists a unique multiplicative inverse $a^{-1} \in F$ such that $a a^{-1} = a^{-1} a = 1$.

If only the first three axioms are fulfilled, the algebraic structure is called a ring. This is the most general algebraic structure with two binary operations. By adding the last three axioms, the algebraic structure is called a commutative division ring, which is better known as a field. The sets of rational, real and complex numbers all form fields. In comparison, the integers do not form a field, as e.g. 2 does not have a multiplicative inverse.

Definition 2.7. Given a ring $R$, if there exists a positive integer $n$ such that $n \cdot a = 0$ for all $a \in R$, then the least such positive integer is the characteristic of the ring $R$. If no such $n$ exists, then $R$ is of characteristic 0.

Note that by definition a field is also a ring, thus the above definition also applies to fields.

Theorem 2.2. A field $F$ is either of prime characteristic $p$ and contains a subfield isomorphic to $\mathbb{Z}_p$, or of characteristic 0 and contains a subfield isomorphic to $\mathbb{Q}$.

This theorem establishes the fields $\mathbb{Z}_p$ and $\mathbb{Q}$ as building blocks for all fields.

2.2.1 Finite Fields

Definition 2.8. Let $F$ be a field. $F$ is called a finite field or Galois field if and only if $F$ has a finite number of elements.

$\mathbb{Z}_p$ is by definition a finite field, as it consists of the elements $\{0, 1, \ldots, p-1\}$. $\mathbb{Q}$, on the other hand, is an infinite set and therefore an infinite field. Later on, the thesis will refer to $\mathbb{Z}_p$ as a prime field, or in short $\mathbb{F}_p$. In most of the literature, $p$ is referred to as the modulus, which is used when carrying out the usual operations such as addition, subtraction, multiplication and inversion in the field. When these operations are done in the field, they are always done modulo $p$, hence the naming. A more detailed explanation of how these operations are carried out is given in section 2.3.

2.2.2 Binary Fields

Fields can always be extended to create new fields. In the situation of a finite prime field, $\mathbb{F}_p$ can be extended to $\mathbb{F}_{p^n}$. This extension is called a finite extension of degree $n$. The case is summarized in the theorem below.

Theorem 2.3. There exists a finite field $F$ of order $q$ if and only if $q$ is a prime power, i.e., $q = p^n$, where $p$ is a prime and the characteristic of $F$, and $n$ is a positive integer.
1. If $n = 1$, then $F = \mathbb{F}_p$ is the prime field as before.
2. If $n \geq 2$, then $\mathbb{F}_{p^n}$ is an extension field of degree $n$.
Any two finite fields of order $q$ are structurally alike, i.e. there is only one such field up to isomorphism.

Definition 2.9. A finite field of order $2^n$, or characteristic-two finite field, is called a binary field.

The term binary field and the number of elements in such fields are now well established. The next definition explains one way to define the elements in a binary field.

Definition (Polynomial Basis Representation). Each element of $\mathbb{F}_{2^n}$ is a binary polynomial, i.e. a polynomial with coefficients in $\mathbb{F}_2 = \{0, 1\}$. These polynomials have degree at most $n-1$. Letting $\mathbb{Z}_2[x]$ be the polynomial ring of all binary polynomials and $f(x)$ an irreducible binary polynomial of degree $n$,
$$\mathbb{F}_{2^n} = \mathbb{Z}_2[x]/(f(x)),$$
where the division means working modulo the irreducible polynomial $f(x)$, giving the elements
$$\mathbb{F}_{2^n} = \{a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0 \mid a_i \in \mathbb{F}_2\},$$
each of degree at most $n-1$.

In a computer the polynomial notation can be skipped and only the coefficients need to be stored, ending up with a binary number.

Definition. Given an element in a binary field $\mathbb{F}_{2^n}$, the element can be expressed in binary form using only the coefficients of $a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0$, where $a_i \in \mathbb{F}_2$. Thus, a field element can be represented in binary by the number $a_{n-1}a_{n-2}\ldots a_1 a_0$.

Naturally, the binary representation can be transferred back to the polynomial by multiplying each $a_i$ with $x^i$. Note that it would also be possible to transfer the binary representation to the decimal or hexadecimal numeral systems. However, this would complicate the calculation of binary field operations such as addition and multiplication in section 2.4. The elements could also be represented in normal basis representation: $b_{n-1}x^{2^{n-1}} + b_{n-2}x^{2^{n-2}} + \cdots + b_1 x^{2} + b_0$. This form could simplify squaring but complicate multiplication, p. 3 [7]. This thesis will only use polynomial bases further on.

2.3 Prime Field Operations

This section presents some algorithms to realize field operations in a finite prime field. Field operations include addition, subtraction, multiplication and inversion modulo a prime $p$, and form the lowest level in the ECC hierarchy. For these algorithms, assume a $W$-bit architecture, where $W$ can be 8 or 16 for embedded devices and 32 or 64 for most computers. To represent numbers larger than $W$ bits, divide the $n$ bits into $t = \lceil n/W \rceil$ words and carry out the algorithms word by word. The first three subsections are based on section 2.2 of [3] unless other sources are mentioned. Additionally, this section includes some theorems to calculate modular square and cube roots, and to solve cubic equations, which are useful for point compression in section 2.9.

2.3.1 Addition and Subtraction in $\mathbb{F}_p$

Addition modulo $p$ of two $n$-bit numbers can be performed by simple word-by-word addition. This gives an $(n+1)$-bit number at most, where the extra bit is referred to as the carry bit. To return an element that is less than the modulus, check the size of the resulting number; if it is bigger than the modulus, subtract the modulus from it. Subtraction can be performed equivalently, but in this setting the carry bit is usually referred to as the borrow bit. Moreover, if the first parameter of the subtraction is less than the second, find the difference of the parameters in absolute value and subtract this from the modulus.

2.3.2 Multiplication and Squaring in $\mathbb{F}_p$

The starting point for an algorithm to multiply two $n$-bit numbers is school-book long multiplication. As commonly known, this method has complexity $O(n^2)$. Many improvements have followed, e.g. the Karatsuba-Ofman method. This method uses a divide-and-conquer approach and runs in subquadratic time. Squaring can be performed somewhat faster than multiplication and typically runs in half the time of a multiplication, [8]. Both multiplication and squaring in $\mathbb{F}_p$ require first doing the multiplication or squaring and then reducing the result modulo $p$. When performing several modular multiplications, it is possible to reduce the cost of the reduction step further by using Montgomery form. Montgomery form is the residue class of the field element with respect to some $R$ coprime to the modulus. Given a field element $a \in \mathbb{F}_p$, the Montgomery form is $aR \bmod p$. Addition, subtraction, multiplication etc. stay as before, but the reduction step is improved. For more details see [9]. The reduction step can also be simplified if the reduction primes have certain properties: if the prime can be written as a sum or difference of a small number of powers of 2 whose exponents are multiples of common word sizes such as 32 and 64, it is possible to write any number $c$, where $0 \leq c < p^2$, as a sum of a few integers with the same bit size as $p$. To reduce $c \bmod p$, simply subtract $p$ until the result is less than $p$. The primes used in the NIST curves have this property, see [10].

2.3.3 Inversion in $\mathbb{F}_p$

Inversion modulo a prime is the most expensive operation in a field. However, classic long division does not have higher complexity than multiplication; in practice it usually performs worse. The usual algorithm to calculate inverses over both finite prime fields and binary fields is the extended greatest common divisor algorithm, also known as the extended Euclidean algorithm.

2.3.4 Finding Modular Square Roots

Another field operation that is useful when implementing ECC is the modular square root. These occur naturally from congruence equations like $x^2 \equiv u \pmod p$ for a nonzero

$u \in \mathbb{F}_p$. We denote the solutions to this equation $\sqrt{u} \pmod p$. For the solutions to exist, $u$ needs to be congruent to a perfect square modulo $p$; due to the square there are two solutions in this case: $x = \pm\sqrt{u} \pmod p$. To check this condition we check whether $u$ is a quadratic residue using the following theorem, [8].

Theorem 2.4 (Euler's Criterion). Let $p$ be an odd prime and let $u \not\equiv 0 \pmod p$. Then
$$u^{(p-1)/2} \equiv 1 \pmod p$$
if and only if $u$ is a quadratic residue of $p$, and
$$u^{(p-1)/2} \equiv -1 \pmod p$$
if and only if $u$ is a quadratic non-residue of $p$.

This criterion makes it easy to determine if the square root exists. The next theorem (algorithm in [8]) gives a method to find the root.

Theorem 2.5. Let $u$ be a quadratic residue and let $p \equiv 3 \pmod 4$. Then $\sqrt{u} = u^{(p+1)/4} \pmod p$.

Proof. Because $u$ is a quadratic residue, $u^{(p-1)/2} \equiv 1 \pmod p$. Then
$$x^2 = \left(u^{\frac{p+1}{4}}\right)^2 = u^{\frac{p+1}{2}} = u \cdot u^{\frac{p-1}{2}} \equiv u \pmod p.$$

The last theorem gives a fast and easy method to calculate the square root as long as we choose a certain prime. If $p \not\equiv 3 \pmod 4$ there also exist other methods to find $\sqrt{u}$, see [8].

2.3.5 Finding Modular Cube Roots

In the same manner as modular square roots, modular cube roots arise from the equation $x^3 \equiv u \pmod p$. The solution to this equation is called the cube root of $u \pmod p$, often denoted $\sqrt[3]{u} \pmod p$. The following theorem explains how to find the cube root given $p \equiv 2 \pmod 3$, p. 704 in [11].

Theorem 2.6. Let $p \equiv 2 \pmod 3$, so that every element of the field is a cube. Then $\sqrt[3]{u} = u^{(2p-1)/3}$.

Proof.
$$x^3 = \left(u^{\frac{2p-1}{3}}\right)^3 = u^{2p-1} = u^{p} \cdot u^{p-1} \equiv u \pmod p.$$

This proof utilizes Fermat's little theorem and a corollary (p. 184 [6]): $u^{p-1} \equiv 1 \pmod p$ for a nonzero $u \in \mathbb{Z}$ not divisible by $p$, and $u^p \equiv u \pmod p$ for any $u \in \mathbb{Z}$ and any prime $p$.
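The root-finding theorems above, together with the Cardano-style solution of $y^3 + Cy + D = 0$ that subsection 2.3.6 below applies to the Hessian curve equation, as an added example. This is not code from the thesis or from Miracl: it uses Python integers in place of the multi-word arithmetic of section 2.3, implements inversion with the extended Euclidean algorithm of subsection 2.3.3, and restricts itself to primes $p \equiv 11 \pmod{12}$ so that both theorem 2.5 ($p \equiv 3 \pmod 4$) and theorem 2.6 ($p \equiv 2 \pmod 3$) apply. The prime 23 and the cubic $y^3 + 5y + 13$ are constructed test values.

```python
# Added example (not from the thesis or Miracl): square roots, cube roots and the
# Cardano-style solution of y^3 + C*y + D = 0 over F_p, following theorems 2.4-2.6
# and subsection 2.3.6.  Python integers stand in for the multi-word arithmetic of
# section 2.3; all concrete values are constructed for illustration.


def inv_mod(a, p):
    """Multiplicative inverse of a modulo p by the extended Euclidean algorithm
    (subsection 2.3.3)."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    old_r, r = a, p
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    # old_r is gcd(a, p) = 1 because p is prime, so old_s * a = 1 (mod p)
    return old_s % p


def is_quadratic_residue(u, p):
    """Euler's criterion (theorem 2.4): u^((p-1)/2) == 1 mod p for a nonzero residue."""
    return pow(u % p, (p - 1) // 2, p) == 1


def sqrt_mod(u, p):
    """Square root of u mod p for p = 3 (mod 4) (theorem 2.5); None if u is a non-residue."""
    if p % 4 != 3:
        raise ValueError("theorem 2.5 needs p = 3 (mod 4)")
    u %= p
    if u == 0:
        return 0
    if not is_quadratic_residue(u, p):
        return None
    return pow(u, (p + 1) // 4, p)


def cbrt_mod(u, p):
    """Unique cube root of u mod p for p = 2 (mod 3) (theorem 2.6)."""
    if p % 3 != 2:
        raise ValueError("theorem 2.6 needs p = 2 (mod 3)")
    return pow(u % p, (2 * p - 1) // 3, p)


def solve_cubic_mod(C, D, p):
    """Root of y^3 + C*y + D = 0 over F_p by the simplified Cardano formula of
    subsection 2.3.6.  Needs p = 11 (mod 12) so that both root theorems apply.
    Returns None when the discriminant is a quadratic non-residue, in which case
    this particular formula yields no root."""
    if p % 12 != 11:
        raise ValueError("needs p = 3 (mod 4) and p = 2 (mod 3)")
    half_d = D * inv_mod(2, p) % p                       # D/2
    third_c = C * inv_mod(3, p) % p                      # C/3
    disc = (half_d * half_d + pow(third_c, 3, p)) % p    # (D/2)^2 + (C/3)^3
    root = sqrt_mod(disc, p)
    if root is None:
        return None
    # Cube roots are unique when p = 2 (mod 3), so the product of the two cube
    # roots is automatically -C/3 and their plain sum is a root of the cubic.
    y = (cbrt_mod(-half_d + root, p) + cbrt_mod(-half_d - root, p)) % p
    assert (pow(y, 3, p) + C * y + D) % p == 0
    return y


if __name__ == "__main__":
    # Constructed check: y = 7 is a root of y^3 + 5y + 13 over F_23 (23 = 11 mod 12).
    print(solve_cubic_mod(5, 13, 23))   # 7
```

The `pow(u, e, p)` calls are the only place the modular exponentiation of the theorems happens; everything else is the bookkeeping (halving $D$, dividing $C$ by 3, taking the square root of the discriminant) that the simplified Cardano formula requires.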

2.3.6 Solving Modular Cubic Equations

There are many ways to solve a cubic equation. Our goal is to find a solution to the Hessian curve equation in subsection 2.7.4, hence the equation is of the form
$$Ay^3 + By^2 + Cy + D = 0,$$
where $A = 1$, $B = 0$, $C = dxz$, $D = ax^3 + z^3$. The cubic formula by Cardano [12] can be used to solve this equation. Simplified, the formula to solve the Hessian curve equation for $y$ is the following:
$$y = \sqrt[3]{-\frac{D}{2} + \sqrt{\left(\frac{D}{2}\right)^2 + \left(\frac{C}{3}\right)^3}} + \sqrt[3]{-\frac{D}{2} - \sqrt{\left(\frac{D}{2}\right)^2 + \left(\frac{C}{3}\right)^3}} \pmod p.$$
Because the curve is over $\mathbb{F}_p$, all binary operations need to be done modulo $p$ as described in the former subsections.

2.4 Binary Field Operations

In this section, the thesis discusses some of the algorithms to perform binary field operations. As mentioned earlier, this section shows how the binary representation of the elements leads to fast and easy addition and multiplication of two elements in a binary field. The first two subsections are based on section 2.3 of [3]. As in the former section, this section also presents some theorems to find square and cube roots, and how to solve both quadratic and cubic equations in a binary field. These theorems are useful for point compression further on.

2.4.1 Addition in $\mathbb{F}_{2^n}$

To add two elements in a binary field $\mathbb{F}_{2^n}$, add the two polynomials modulo 2. Simplifying the polynomial coefficients to a binary number, the process becomes bitwise addition modulo 2, also known as the exclusive-or operator ($\oplus$). The algorithm adds two $n$-bit numbers using $t$ word operations and is fast even for a large $n$. Note that only addition is defined for binary fields, because subtraction is equivalent to addition when working modulo 2. An easy way to prove this is to create the addition and subtraction tables for $\mathbb{F}_2$.

2.4.2 Multiplication and Squaring in $\mathbb{F}_{2^n}$

When multiplying two elements of a binary field, the result could end up having degree larger than $n-1$. This contradicts our definition of the elements in $\mathbb{F}_{2^n}$ and breaks closure. For that reason, the resulting polynomial needs to be reduced modulo the field polynomial $f(x)$ of degree $n$ as described earlier. This gives a polynomial with degree at most $n-1$. Analogous to prime fields reducing modulo a

30 prime, the resulting polynomial is reduced modulo the irreducible field polynomial. Such polynomials exist and are easy to find, see [13] for details. For software implementations, it is usual to do the multiplication first, e.g. using the Karatsuba-Ofman multiplication. Then the result of the multiplication is reduced giving the resulting polynomial. In hardware implementations this could be done in parallel, hence speeding up the calculation. Binary squaring on the other hand, can be done in linear time by copying each coefficient of the polynomial with degree n 1 to every second coefficient of the resulting polynomial with degree 2n 2. Note that initially the resulting polynomial has all the coefficients set to 0. After multiplying or squaring a binary polynomial, it needs to be reduced back to a polynomial with degree at most n 1. By letting the irreducible polynomial be either trinomial or pentanomial, the reduction process can be done word for word. Working modulo certain polynomials can also additionally reduce the complexity Finding Square Roots in F 2 n As with prime fields, square roots in binary fields are solutions to the equation x 2 = u and denoted by x = u. Due to the characteristic of the field, this root is a double root. Moreover, the root always exists, p. 26 in [14] gives the following solution: Theorem 2.7. Let u F 2 n for some positive n. Then u = u 2n 1. Proof. x 2 = ( u 2n 1) 2 = u 2 2 n 1 = u 2n 1+1 = u 2n = u Finding Cube Roots in F 2 n Similary, cube roots arise from the equation x 3 = u and are denoted 3 u. They can be found in the following manner using [15]: Theorem 2.8. Let u F 2 n for an odd n. Then 3 u = u 2n is the unique cube root in F 2 n. Proof. x 3 = ( ) 3 u 2n = u (2n+1 1) u (2 2n ) = u = u2 u = u The rest of the roots will be in some extension of F 2 n, hence not in F 2 n itself. Notice that the theorem only gives cube roots for odd n, this is because n should be a large prime for security reasons, thus odd. 
For cube roots with an even $n$ we refer to [15].

2.4.5 Solving Quadratic Equations Over $\mathbb{F}_{2^n}$

The IEEE 1363 standard gives a method to solve quadratic equations of the form $z^2 + z = \alpha$ for both even and odd $n$, A.4.7 in [16]. Because $n$ should be prime and larger than 2, as discussed in an earlier section, this section only shows the method for an odd $n$.

Theorem 2.9. Given an equation $z^2 + z = \alpha$ over $\mathbb{F}_{2^n}$ for an odd $n$. A possible solution for $z$ is given by the half-trace of $\alpha$:
$$z = \sum_{i=0}^{(n-1)/2} \alpha^{2^{2i}}$$
If $z^2 + z = \alpha$, then $z$ is a solution and the other solution is $z + 1$. Otherwise, no solution exists.

Solving Cubic Equations Over $\mathbb{F}_{2^n}$

This subsection shows how to solve an equation of the form $Ay^3 + By^2 + Cy + D = 0$ over $\mathbb{F}_{2^n}$, as shown in [15]. As for finite prime fields, the goal is to solve the Hessian equation, but this time the binary version introduced later in the subsection on binary Hessian curves. Again, let $n$ be odd, and $A = 1$, $B = 0$, $C = dx$, $D = c + x^3$, so the equation becomes:
$$y^3 + dxy + \left(c + x^3\right) = 0$$
Let $y = z + \frac{dx}{z}$. This gives the equation:
$$\frac{z^6 + \left(x^3 + c\right) z^3 + (dx)^3}{z^3} = 0$$
To find the solution to this equation, consider only the numerator, and let $u = z^3$ to get:
$$u^2 + \left(x^3 + c\right) u + (dx)^3 = 0$$
Let $u = v\left(x^3 + c\right)$:
$$v^2 + v = \frac{(dx)^3}{\left(x^3 + c\right)^2}$$
If this equation does not have a solution using the method above, the cubic does not have a solution over $\mathbb{F}_{2^n}$. Otherwise, the equation has two solutions $v_1$ and $v_2$. Using these solutions and reversing the above substitutions, the numerator becomes:
$$\left(z^3 + e\right)\left(z^3 + f\right) \quad \text{for } e = v_1 \left(x^3 + c\right),\ f = v_2 \left(x^3 + c\right)$$
Now the solutions for $z$ can be obtained by finding the unique cube roots of $e$ and $f$ using theorem 2.8. A solution to the original equation for $y$ is now available by substituting back with the cube roots of $e$ and $f$:
$$y = \sqrt[3]{e} + \frac{dx}{\sqrt[3]{e}}$$

2.5 Elliptic curves

Elliptic curves can be applied to many mathematical problems. This section introduces the EC for usage in cryptography, using chapter two of [17] as the main source. The elliptic curve $E$ is presented as follows: $E$ is the graph given by the equation usually named the short Weierstrass equation:
$$y^2 = x^3 + ax + b$$
where the variables $x$ and $y$ and the constants $a$ and $b$ belong to a finite field $K$, in most cases a finite prime field $\mathbb{F}_p$ with $p > 3$. The case of a binary field $\mathbb{F}_{2^n}$ is treated later in section 2.8. To denote that a curve $E$ is defined over a finite field, the notation $E(K)$, where $K$ is the finite field, is often used. In addition, the cubic on the right side of the equation is restricted to having distinct roots. This happens exactly when the discriminant is different from zero:
$$4a^3 + 27b^2 \neq 0$$
An equation with distinct roots gives a curve with no singularities or cusps, and the tangent is well defined at all points. This property makes it possible to build a group operation for the EC over finite fields.

The Group of Points on the Elliptic Curve

Given a curve $E(K)$ with the restriction of a nonzero discriminant from the former section, it is now possible to define an abelian group whose elements are the points $(x, y)$ on $E(K)$, i.e. $x, y$ fulfil the short Weierstrass equation. Rather than giving a full proof of all the group axioms, this section outlines some useful results and consequences that are needed further on in the thesis. The group operation can graphically be stated as follows: Take two points $P_1$ and $P_2$ on $E(K)$ and draw the line through them. The line intersects $E$ in exactly one other point, $P_3'$; now reflect this point across the x-axis to get $P_3$. $P_3$ is the result of adding the two points $P_1$ and $P_2$ together.

Figure 2.1: Adding points on an elliptic curve. The figure is generated in Geogebra with the idea from fig. 2.2 in [17].

Although this method works in general, there are still points on the curve where it gives undefined results. Take for example $P_1 = P_2$ with y-coordinate equal to zero; then the tangent line does not intersect any other point on $E(K)$ than the point itself. For that reason, the point at infinity ($\infty$) is added as the identity element. This point can be viewed as being at the top and bottom of the y-axis. Moreover, the point acts as a zero element, defining $P + \infty = P$ for all $P \in E(K)$, and carefully defines the cases that are not covered by the general group operation. A proper derivation of the formula with all cases can be found in chapter two of [17]. Below follows a restatement of the full group operation.

Theorem 2.10. The elliptic curve group operation. Let $E$ be the elliptic curve defined by $y^2 = x^3 + Ax + B$. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on $E$ with $P_1, P_2 \neq \infty$. Define $P_1 + P_2 = P_3 = (x_3, y_3)$ as follows:
1. If $x_1 \neq x_2$, then $x_3 = m^2 - x_1 - x_2$, $y_3 = m(x_1 - x_3) - y_1$, where $m = \frac{y_2 - y_1}{x_2 - x_1}$.
2. If $x_1 = x_2$ but $y_1 \neq y_2$, then $P_1 + P_2 = \infty$.
3. If $P_1 = P_2$ and $y_1 \neq 0$, then $x_3 = m^2 - 2x_1$, $y_3 = m(x_1 - x_3) - y_1$, where $m = \frac{3x_1^2 + A}{2y_1}$.
4. If $P_1 = P_2$ and $y_1 = 0$, then $P_1 + P_2 = \infty$.

Additionally, define $P + \infty = P$ for all points $P$ on $E$.

Negation of a Point

The negation of a point $P$ on a Weierstrass curve $E$ is equivalent to finding the inverse $P'$ so that $P + P' = \infty$. This point is also called the negative of a point, or $-P$. By following the second case of the group operation formula above, notice that two points $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ with $x_1 = x_2$ and $y_1 \neq y_2$ always give $P_1 + P_2 = \infty$. Because $x_1 = x_2$, $y_1$ and $y_2$ are the two roots of the Weierstrass equation, so that $y_2 = -y_1$. Hence, following the group operation, $P' = (x_1, -y_1)$ is the inverse point of $P$. The negative of a point is also defined for $y_1 = y_2 = 0$, because 0 acts as its own additive inverse. This special case of the negation formula is equivalent to the fourth case of the formula above. The negation rule is summarized in the following theorem.

Theorem. Given a point $P = (x, y)$, the inverse $-P$ of that point is $-P = (x, -y)$.

Notice that this formula only works for the short Weierstrass equation; for curves with other curve equations, negation of a point is handled differently.

Addition and Subtraction of a Point

In some situations, as shown later, it is desirable to calculate both the addition of two points $P_1 + P_2$ and the subtraction $P_1 - P_2$ at the same time. Naively, this is possible by two point additions, one computing $P_1 + P_2$ as in case 1 of theorem 2.10, and one equivalent addition with $P_2$ negated. However, the negation of a point only changes the y-coordinate. Thus, some of the intermediate calculations can be reused. In Miracl, the following formula saves one inversion:

Addition and Subtraction $P_1 + P_2$, $P_1 - P_2$

Let $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ and $(x_1, y_1) - (x_2, y_2) = (x_3', y_3')$. Then
$$t_1 = y_2 - y_1,\quad t_2 = \frac{1}{x_2 - x_1},\quad m = t_1 t_2$$
$$x_3 = m^2 - x_1 - x_2,\quad y_3 = m\,(x_1 - x_3) - y_1$$
$$t_1' = y_2 + y_1,\quad m' = t_1' t_2$$
$$x_3' = (m')^2 - x_1 - x_2,\quad y_3' = m'\,(x_1 - x_3') + y_1$$

Counting Points on an Elliptic Curve

After choosing parameters and finding a field to define the EC over, the number of points on that curve needs to be counted. This number is usually written $\#E(F)$. Hasse's theorem (thm. 4.2 in [17]) gives a rough interval for $\#E(F)$.

Theorem. Hasse's theorem. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. Then the order of $E(\mathbb{F}_q)$ satisfies
$$\left| q + 1 - \#E(\mathbb{F}_q) \right| \leq 2\sqrt{q}$$

The expanded inequality becomes:
$$q + 1 - 2\sqrt{q} \leq \#E(\mathbb{F}_q) \leq q + 1 + 2\sqrt{q}$$
This interval only gives a rough guideline; the exact number of points can be calculated by a deterministic polynomial-time algorithm known as Schoof's algorithm [18]. The reason for counting the number of points is that the curve should have prime order or close to prime order. If the order of the group is prime, then no proper subgroups can exist, making the small subgroup attack impossible (see the section on that attack). Describing the advanced and time-consuming process of curve parameter generation is beyond the scope of this thesis. For more on this topic, see some of the most used curve recommendations: NIST curves [10], Brainpool curves [19] and Nothing Up My Sleeve (NUMS) curves [20].

Cofactor

For some curve representations it is impossible to find a curve which has $\#E(K)$ prime. Still, these curves are used in practice, but $\#E(K)$ is then restricted to being a product of a large prime and a small factor named the cofactor:

Definition. The cofactor $h$ is given by $h = \#E(K)/n$, where $n$ is a prime and the order of the base point $P = (x_p, y_p)$.

Note that a base point is the same as a generator as defined in definition 2.5. This way of presenting the curve parameters can be found in many works, e.g. [21]. Table 2.1 shows the minimal cofactor of the following curve representations.

Table 2.1: Minimal cofactor
Curve representation   Cofactor (h)
short Weierstrass      1
Hessian                3
Edwards                4

For more on the cofactor in a specific curve representation, see their respective subsections. A further discussion on how the cofactor affects security and efficiency is given in a later section.

Twists

Given a curve with carefully selected parameters and a counted number of points that is prime or a product of the cofactor and a prime, the curve is usually safe to use. However, this curve could be highly inefficient. In some curve representations, a few operations can be saved if some of the parameters are small or constant. To achieve this, take the safe curve $E(\mathbb{F}_q)$ and find its quadratic, or sometimes even quartic, twist, denoted $E'(\mathbb{F}_q)$.
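The group operation, negation, the shared-inversion addition-subtraction and point counting above, worked through on a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$. This is an added example and not code from the thesis or from Miracl; the curve, the quadratic non-residue 5 used for the twist, and all function names are assumptions made here. Besides Hasse's bound it checks the standard fact that a curve and its quadratic twist together have $2q + 2$ points, and that $\#E \cdot P = \infty$ for every point, which is what makes the cofactor definition work. Note the sign in the subtraction branch: with the slope $m' = (y_2 + y_1)\,t_2$ one obtains $P_2 - P_1$, so the code negates $t_1'$ to get $P_1 - P_2$.

```python
# Added example (not from the thesis or Miracl): affine short Weierstrass arithmetic on a
# constructed toy curve y^2 = x^3 + 2x + 3 over F_97, illustrating the group operation,
# negation, the shared-inversion addition-subtraction, Hasse's bound, the cofactor and the
# point count of a quadratic twist. None stands for the point at infinity.
P = 97
A, B = 2, 3
INF = None

def inv(v):
    # Modular inverse by Fermat's little theorem (P is prime).
    return pow(v % P, P - 2, P)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0

def neg(pt):
    # -(x, y) = (x, -y); the point at infinity is its own inverse.
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    # The four cases of the group operation, plus P + INF = P.
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 != x2:
        m = (y2 - y1) * inv(x2 - x1) % P
    elif y1 != y2 or y1 == 0:
        return INF                      # P + (-P), including a point of order 2
    else:
        m = (3 * x1 * x1 + A) * inv(2 * y1) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def add_sub(p1, p2):
    # Returns (p1 + p2, p1 - p2) with one shared inversion t2 = 1/(x2 - x1). The slope of
    # p1 + (-p2) is -(y2 + y1) * t2; with +(y2 + y1) * t2 one would get p2 - p1 instead.
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:                        # degenerate case: fall back to the general law
        return add(p1, p2), add(p1, neg(p2))
    t2 = inv(x2 - x1)
    m = (y2 - y1) * t2 % P
    x3 = (m * m - x1 - x2) % P
    y3 = (m * (x1 - x3) - y1) % P
    m2 = -(y2 + y1) * t2 % P
    x4 = (m2 * m2 - x1 - x2) % P
    y4 = (m2 * (x1 - x4) - y1) % P
    return (x3, y3), (x4, y4)

def count_points(a=A, b=B):
    # Brute-force #E(F_p) for y^2 = x^3 + a x + b, counting the point at infinity.
    # Feasible only for toy fields; Schoof's algorithm is used at cryptographic sizes.
    sqrt_count = {}
    for y in range(P):
        sqrt_count[y * y % P] = sqrt_count.get(y * y % P, 0) + 1
    return 1 + sum(sqrt_count.get((x**3 + a * x + b) % P, 0) for x in range(P))

def hasse_bound_holds(n):
    # |p + 1 - #E| <= 2 sqrt(p), checked in integers as (p + 1 - n)^2 <= 4p.
    return (P + 1 - n) ** 2 <= 4 * P

def twist_count(c):
    # Quadratic twist by a non-residue c: y^2 = x^3 + a c^2 x + b c^3.
    # If #E = p + 1 - t then the twist has p + 1 + t points, so both sum to 2p + 2.
    return count_points(A * c * c % P, B * c**3 % P)

def scalar_mul(k, pt):
    # Plain double-and-add; used to check Lagrange's theorem: #E * P = INF.
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def first_points(count):
    # A few affine points, found by brute force, for experiments.
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))][:count]
```

The brute-force counter and the `scalar_mul` loop are only there to make the checks self-contained; at real sizes the count comes from Schoof's algorithm and the scalar multiplication from the methods of the later sections.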

When calculating the twist, some of its parameters can be set to optimize performance in the doubling and addition formulas, and the rest is simply calculated. After the twist of a curve is calculated, a recount of the number of points on the twist is not necessary. Given $\#E(\mathbb{F}_q) = q + 1 - a$, the number of points on the twist will be $\#E'(\mathbb{F}_q) = q + 1 + a$. Thus, given the number of points on one curve, the number of points on the twist can easily be calculated, see p. 108 in [17]. NIST [10] and NUMS [20], among others, have exploited this property to find a short Weierstrass curve with a twist where $A = -3$, as this saves a few operations when adding points. There are also many security notions tied to the twist of a curve. For more on this topic, see the Twist Security section of [22].

2.6 Coordinate Systems

There are many ways to present elliptic curves and the arithmetic on them. Section 2.5 showed a classic approach to the construction of an elliptic curve. Further on, section 2.5.1 presented how to add two points together with the group operation; the coordinates used in these formulas are often called affine coordinates. This section presents an alternative coordinate system for representing the points on the curve, and how the group operation changes with respect to this coordinate system.

Projective Coordinates

Earlier, the point at infinity was introduced as an addition to the elements in $\mathbb{F}_q$, but with projective coordinates it can be defined as an actual point. Projective coordinates are lines through the origin of a two-dimensional vector space; this space is called the projective space.

Definition. A line in a projective space is given as a triple $(x, y, z)$, not all zero, where $x, y, z \in \mathbb{F}_q$. Two lines $(x_1, y_1, z_1)$ and $(x_2, y_2, z_2)$ are equivalent if there exists a nonzero element $a \in \mathbb{F}_q$ such that $(x_1, y_1, z_1) = (a x_2, a y_2, a z_2)$.

Because projective coordinates represent lines and not points, the notation $(x : y : z)$ is commonly used, although they are still referred to as points. To go from affine coordinates $(x, y)$ to projective coordinates $(x : y : z)$, let $z = 1$ so that $(x, y) \mapsto (x : y : 1)$. Equivalently, projective coordinates can be translated to affine coordinates: $(x : y : 1) \mapsto (x, y)$. These points are the finite points in the projective plane. In the cases where $z \neq 1$ and $z \neq 0$, the projective point can be normalized by dividing by $z$: $(x : y : z) = (x/z : y/z : 1)$. Note that the inverse of $z$ exists for all nonzero $z \in \mathbb{F}_q$. The projective points $(x : y : 0)$ are called the points at infinity. These points map to the affine point $\infty$. In this way, the point at infinity ($\infty$) has been clearly defined as a point in the projective plane. For a more thorough description we refer to section 2.3 of [17].

2.6.2 Homogeneous Polynomials

In order to use projective coordinates for points on the EC, the curve needs to be given by a polynomial $F(x, y, z)$. Additionally, to respect the equivalence definition of two points, the polynomial $F(x, y, z)$ needs to be homogeneous.

Definition. A polynomial is homogeneous of degree $n$ if it is a sum of terms of the form $b x^i y^j z^k$ with $b \in \mathbb{F}_q$ and $i + j + k = n$.

A polynomial can be made homogeneous by inserting appropriate powers of $z$. Take for example the short Weierstrass equation from above; this can be written as the polynomial $f(x, y) = y^2 - x^3 - Ax - B$. The homogeneous version of this polynomial is $F(x, y, z) = y^2 z - x^3 - A x z^2 - B z^3$.

Double and Add Formula for Projective Coordinates

The formula for adding and doubling a point in projective coordinates can be obtained by inserting $x = \frac{x}{z}$ and $y = \frac{y}{z}$ into the affine formula. This clears the denominators and removes the computationally expensive inversion, p. 42 in [17]. There exists a huge number of formulas for addition and doubling in projective coordinates. Below the thesis gives the addition and doubling formulas for what is called Jacobian projective coordinates for the curve
$$y^2 = x^3 + a x z^4 + b z^6.$$
The point $(x : y : z)$ on this curve corresponds to the affine point $\left(x/z^2, y/z^3\right)$, see [23]. These are the formulas that will be used further on in this thesis.

Doubling. If the input point is $\infty$, then the result is $\infty$. Otherwise (the form of $A$ below assumes $a = -3$, the choice mentioned above, since then $3x_1^2 + a z_1^4 = 3(x_1 - z_1^2)(x_1 + z_1^2)$):
$$A = 3\,(x_1 - z_1^2)(x_1 + z_1^2),\quad B = 2y_1,\quad z_3 = B z_1,\quad C = B^2,\quad D = C x_1,$$
$$x_3 = A^2 - 2D,\quad y_3 = (D - x_3)\,A - \frac{C^2}{2}.$$

Addition. (Note: these are the full formulas; if one point is normalized they can easily be simplified.) If one input point is $\infty$, then the result is the other point. Otherwise:
$$A_1 = z_1^2,\quad B_1 = z_1 A_1,\quad C_1 = x_2 A_1,\quad D_1 = y_2 B_1,$$
$$A_2 = z_2^2,\quad B_2 = z_2 A_2,\quad C_2 = x_1 A_2,\quad D_2 = y_1 B_2,$$
$$E = C_1 - C_2,\quad F = D_1 - D_2.$$
If $E = 0$ then: if $F = 0$, use the doubling formula above; else return $\infty$. Otherwise:
$$z_3 = z_1 z_2 E,\quad G = E^2,\quad H = E^3,\quad I = C_2 G,$$
$$x_3 = F^2 - (H + 2I),\quad y_3 = F\,(I - x_3) - D_2 H.$$

Addition and Subtraction $P_1 + P_2$, $P_1 - P_2$

Miracl uses the same addition-subtraction formula as in affine coordinates, but with normalized points. The normalization process adds one inversion, one squaring and three multiplications per point. As a result, the cost of the addition-subtraction operation may be higher than two separate additions, depending on the relative cost of the field operations.

2.7 Curve Representations Over $\mathbb{F}_p$

Until now the thesis has only considered the Weierstrass equation, but there are many equations which are birationally equivalent to it. This section presents the curve equations and their doubling and addition formulas which will be implemented further on. For these equations, only the projective versions of the formulas are presented.

Types of Formulas

Before this section gives addition and doubling formulas for different curve representations, this subsection defines two important concepts that explain how the formulas can be used and which inputs they can handle. Both of the following definitions are taken from the abstract of [24].

Definition. Complete Formula. A formula is complete if it works for all inputs without change.

Definition. Unified Formula. An addition formula is unified if it can be used to double a point without changing the formula.

The formulas for addition and doubling in the affine and Jacobian subsections above are complete, as they handle all types of inputs. On the contrary, the formulas are not unified. E.g. using the affine addition formula for doubling would cause a division by zero.

Edwards Curves

Edwards curves are named after Harold Edwards after his developments in [25]. These curves have later been used in ECC and many performance and security studies have followed. One such study is the inverted Edwards form introduced by Bernstein et al. in [24]. Later the twisted Edwards form was introduced; this form includes more curves than the original Edwards curves [26]. The same work also shows that twisted Edwards curves are birationally equivalent to Montgomery curves. As a limitation, the twisted Edwards curve needs to have a point of order 4, i.e. minimal cofactor equal to 4, and characteristic $\neq 2$; for more details see [26]. The same source also gives the projective inverted twisted Edwards curve equation used in Miracl:
$$\left(x^2 + a y^2\right) z^2 = x^2 y^2 + d z^4$$
Negation of a point on this curve is found in section 2 of the same source: Given a point $(x : y : z)$ with $z \neq 0$, the inverse of that point is defined as $(-x : y : z)$. If $z = 0$ then this is the point at infinity.
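Returning to the Jacobian formulas of section 2.6: the doubling and addition formulas above (the $a = -3$ special case), as an added example that is not code from the thesis or from Miracl. It runs them on NIST P-256, whose published parameters are embedded, and checks that $n G$ is the point at infinity and that doubling agrees with addition; the function names and the representation of $\infty$ as a triple with $Z = 0$ are assumptions made here.

```python
# Added example, not from the thesis or Miracl: the Jacobian doubling and addition formulas
# above (the a = -3 special case) on NIST P-256, whose public parameters are given below.
# A point is (X, Y, Z) with (X : Y : Z) ~ (X/Z^2, Y/Z^3); Z = 0 marks the point at infinity.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = (1, 1, 0)
HALF = pow(2, P - 2, P)   # 1/2 mod p, used for the C^2 / 2 term in doubling

def to_affine(pt):
    # One inversion per normalisation; returns None for the point at infinity.
    x, y, z = pt
    if z == 0:
        return None
    zi = pow(z, P - 2, P)
    zi2 = zi * zi % P
    return (x * zi2 % P, y * zi2 * zi % P)

def on_curve(pt):
    # Jacobian curve equation Y^2 = X^3 + a X Z^4 + b Z^6.
    x, y, z = pt
    z2 = z * z % P
    return z == 0 or (y * y - (x**3 + A * x * z2 * z2 + B * z2**3)) % P == 0

def double(pt):
    x1, y1, z1 = pt
    if z1 == 0 or y1 == 0:          # INF, or a point of order 2 (P-256 has none)
        return INF
    z1sq = z1 * z1 % P
    a = 3 * (x1 - z1sq) * (x1 + z1sq) % P   # = 3 x1^2 + a z1^4 only because a = -3
    b = 2 * y1 % P
    z3 = b * z1 % P
    c = b * b % P
    d = c * x1 % P
    x3 = (a * a - 2 * d) % P
    y3 = ((d - x3) * a - c * c * HALF) % P
    return (x3, y3, z3)

def add(p1, p2):
    if p1[2] == 0:
        return p2
    if p2[2] == 0:
        return p1
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    a1 = z1 * z1 % P; b1 = z1 * a1 % P; c1 = x2 * a1 % P; d1 = y2 * b1 % P
    a2 = z2 * z2 % P; b2 = z2 * a2 % P; c2 = x1 * a2 % P; d2 = y1 * b2 % P
    e = (c1 - c2) % P
    f = (d1 - d2) % P
    if e == 0:                       # same x: either the same point or inverses
        return double(p1) if f == 0 else INF
    z3 = z1 * z2 * e % P
    g = e * e % P; h = g * e % P; i = c2 * g % P
    x3 = (f * f - (h + 2 * i)) % P
    y3 = (f * (i - x3) - d2 * h) % P
    return (x3, y3, z3)

def scalar_mul(k, pt):
    # Left-to-right double-and-add over the bits of k.
    acc = INF
    for bit in bin(k)[2:]:
        acc = double(acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def generator():
    return (GX, GY, 1)
```

The only inversion in the whole computation is the one in `to_affine`, which is the point of projective coordinates; `scalar_mul` is the plain binary method and is here only to exercise the formulas.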

Note that the point $(x : y : z)$ on a twisted Edwards curve corresponds to the affine point $(z/x, z/y)$ on the twisted inverted Edwards curve as shown above. This is useful when transforming a point on a twisted Edwards curve to a point on a twisted inverted Edwards curve.

Double and Add Formula for Twisted Inverted Edwards Curves

Below are the formulas for unified addition and doubling on an inverted twisted Edwards curve from section 6 in [26]. The addition-subtraction formulas are directly from Miracl [1].

Addition
$$A = z_1 z_2,\ B = d A^2,\ C = x_1 x_2,\ D = y_1 y_2,\ E = C D,\ H = C - a D,\ I = (x_1 + y_1)(x_2 + y_2) - C - D,$$
$$x_3 = (E + B)\, H,\ y_3 = (E - B)\, I,\ z_3 = A H I.$$

Doubling
$$A = x_1^2,\ B = y_1^2,\ U = a B,\ C = A + U,\ D = A - U,\ E = (x_1 + y_1)^2 - A - B,$$
$$x_3 = C D,\ y_3 = E\,\left(C - 2d z_1^2\right),\ z_3 = D E.$$

Addition and Subtraction $P_1 + P_2$, $P_1 - P_2$

Let $A, B, C, D, E, H$ be as in the addition formula. Additionally, let $F = x_1 y_2$, $G = x_2 y_1$. Then $P_1 + P_2 = (x_3 : y_3 : z_3)$ is given by:
$$x_3 = (E + B)\, H,\ y_3 = (E - B)(F + G),\ z_3 = A H (F + G).$$
$P_1 - P_2 = (x_3' : y_3' : z_3')$ is given by:
$$H_1 = C + a D,\ x_3' = (E - B)\, H_1,\ y_3' = (E + B)(F - G),\ z_3' = A H_1 (F - G).$$

Hessian Curves

Hessian curves originate from Otto Hesse in 1844, p. 90 in [27]. In recent time, twisted Hessian curves have been suggested as a curve representation for ECC by Bernstein et al. in [28]. Assuming there is a point of order 3, i.e. cofactor 3, Weierstrass curves and Hessian curves are birationally equivalent; for a detailed explanation of this we refer to section 3 of [29]. In this thesis we will use the formulas from Bernstein et al. and the following projective representation of the curve:
$$a x^3 + y^3 + z^3 = d x y z$$
Equivalently as for Weierstrass curves, Hessian curves have the discriminant requirement:
$$a\,\left(27a - d^3\right) \neq 0$$
The point at infinity in this curve representation is $(0 : -1 : 1)$. Hence, the algorithm for normalizing a point is shifted to the following: All points with $x = 0$ are points at infinity. If not, the point can be normalized by dividing by $x$: $(1 : y/x : z/x)$.

Negation of a projective point $P = (x : y : z)$ is, according to theorem 3.1 in [28], done by swapping the $z$ and $y$ coordinates: $-P = (x : z : y)$. The point can then be normalized as just described.

Double and Add Formula for Twisted Hessian Curves

As in the last subsection, we refer to [28] for the unified formulas:

Addition
$$A = x_1 z_2,\ B = z_1 z_2,\ C = y_1 x_2,\ D = y_1 y_2,\ E = z_1 y_2,\ F = a x_1 x_2,$$
$$x_3 = A B - C D,\ y_3 = D E - F A,\ z_3 = F C - B E.$$

Doubling
$$R = y_1 + z_1,\ S = y_1 - z_1,\ T = R^2,\ U = S^2,\ V = T + 3U,\ W = 3T + U,$$
$$C = R V,\ D = S W,\ E = 3C - d x_1 (W - V),$$
$$x_3 = -2 x_1 D,\ y_3 = (D + E)\, z_1,\ z_3 = (D - E)\, y_1.$$

Addition and Subtraction $P_1 + P_2$, $P_1 - P_2$

We derive our own addition-subtraction formula for Hessian curves: Calculate $P_1 + P_2$ with the addition formula above as before. When calculating $P_1 - P_2$, where $P_1 = (x_1 : y_1 : z_1)$ and $P_2 = (x_2 : y_2 : z_2)$, we simply negate $P_2$, so that $P_1 - P_2 = (x_1 : y_1 : z_1) + (x_2 : z_2 : y_2)$. By exchanging $y_2$ and $z_2$ in the addition formula above we get:
$$x_3' = x_1 y_2 \cdot z_1 y_2 - y_1 x_2 \cdot y_1 z_2$$
$$y_3' = z_1 z_2 \cdot y_1 z_2 - a x_1 x_2 \cdot x_1 y_2$$
$$z_3' = a x_1 x_2 \cdot y_1 x_2 - z_1 y_2 \cdot z_1 z_2$$
The values of $B$, $C$, $E$ and $F$ are already calculated, so we can reuse them. The $z$-coordinate is unchanged, and we end up with:
$$x_3' = A' E - C B', \quad \text{where } A' = x_1 y_2,\ B' = y_1 z_2,$$
$$y_3' = B' B - F A',$$
$$z_3' = F C - E B.$$
This formula saves 4 multiplications compared to calculating both $P_1 + P_2$ and $P_1 - P_2$ separately with the addition formula above.

2.8 Curve Equations Over $\mathbb{F}_{2^n}$

Until now, the thesis has only examined elliptic curves over prime fields $\mathbb{F}_p$ for a prime $p$, but it is also possible to implement ECC over $\mathbb{F}_{2^n}$. The field operations over binary fields are, as shown, different from those over finite prime fields. Another aspect that needs to be taken into consideration is that the characteristic of binary fields is 2.
Because the Weierstrass equation presented earlier is only defined for fields with characteristic different from 2 and 3 [17], the following subsection redefines the Weierstrass equation for characteristic 2. At the end, this section lists formulas for binary Edwards and binary Hessian curves.

Binary Weierstrass Curves

The short Weierstrass equation actually originates from the generalized Weierstrass equation given by:
$$y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
for constants $a_1, \ldots, a_6$. This equation can be transformed to the short Weierstrass form when the characteristic is not 2 or 3; for a complete explanation we refer to page 10 of [17]. On the contrary, to understand what happens if the short Weierstrass form is used in characteristic 2, consider $f(x, y) = y^2 - x^3 - Ax - B$ with $\frac{\partial f}{\partial y} = 2y = 0$ and $\frac{\partial f}{\partial x} = -3x^2 - A = 0$. Let $x_0$ be a root of $\frac{\partial f}{\partial x}$. Because the characteristic is 2, the root is a multiple root, hence the curve is singular. This contradicts the requirement on the discriminant; see section 2.8 of [17]. Note that it would actually be impossible to transform the generalized Weierstrass form to the short Weierstrass form in characteristic 2, as this would involve inverting factors multiplied by 2.

Starting from the generalized Weierstrass form, there are two ways to transform the equation depending on $a_1$. For $a_1 \neq 0$ this gives the curve:
$$y^2 + xy = x^3 + a_2 x^2 + a_6, \quad a_6 \neq 0$$
This curve is recommended by the IEEE P1363 standard, A.9.1 in [16]. Sometimes this curve is also distinguished into two different forms, see section 3 in [10].

Definition. Let $E$ be the binary Weierstrass curve with $a_1 \neq 0$ as above. If $a_6 = 1$ and $a_2 = 0$ or $1$, then $E$ has the Koblitz form. Otherwise the curve $E$ is known as a pseudo-random or simply normal binary Weierstrass curve.

Note that Koblitz curves have cofactor 2. In the case of $a_1 = 0$ in the generalized Weierstrass equation the following curve is obtained:
$$y^2 + a_3 y = x^3 + a_4 x + a_6$$
For additional assumptions, and doubling and addition formulas for this curve, we again refer to section 2.8 of [17]. ECC can be implemented over $\mathbb{F}_{2^n}$ in both affine and projective coordinate systems. These curves are also birationally equivalent to binary Edwards curves and binary Hessian curves. The next two subsections give the formulas for binary Weierstrass curves.

Double and Add Formula for Binary Affine Coordinates

We use the curve from the IEEE P1363 standard above and follow the addition and doubling formulas from Lange in [30]; note that we are in characteristic 2 and $a_1 = 1$, $a_3 = 0$, $a_4 = 0$. A good derivation of the doubling formulas is also found on p. 49 in [17].

Addition
$$\lambda = \frac{y_2 + y_1}{x_2 + x_1},\quad x_3 = \lambda^2 + \lambda + a_2 + x_1 + x_2,\quad y_3 = \lambda\,(x_1 + x_3) + y_1 + x_3$$

Doubling
$$\lambda = x_1 + \frac{y_1}{x_1},\quad x_3 = \lambda^2 + \lambda + a_2,\quad y_3 = \lambda\,(x_1 + x_3) + y_1 + x_3$$

Double and Add Formula for Binary Projective Coordinates

Addition [30]
$$A_1 = x_1 z_2,\ A_2 = x_2 z_1,\ C = A_1 + A_2,\ B_1 = A_1^2,\ B_2 = A_2^2,\ D = B_1 + B_2,$$
$$E_1 = y_1 z_2^2,\ E_2 = y_2 z_1^2,\ F = E_1 + E_2,\ G = C F,\ z_3 = z_1 z_2 D,$$
$$x_3 = A_1 (E_2 + B_2) + A_2 (E_1 + B_1),\quad y_3 = (A_1 G + E_1 D)\, D + (G + z_3)\, x_3.$$

Doubling (section 4 in [30])
$$S = x_1^2,\ U = S + y_1,\ T = x_1 z_1,\ z_3 = T^2,\ T = U T,\ x_3 = U^2 + T + a_2 z_3,\ y_3 = (z_3 + T)\, x_3 + S^2 z_3.$$

Binary Edwards Curves

We use the projective binary Edwards curve:
$$(x + y)\left(d_1 z^3 + d_2 z^2 (x + y)\right) = x y\,(z + x)(z + y)$$
This curve was originally proposed in [31]. Following section 3 in the same paper, the negation of a point $(x : y : z)$ is:
$$-(x : y : z) = (y : x : z)$$
The curve can easily be transformed to a binary Weierstrass curve using the birational equivalence relation from section 2 of the same paper:
$$v^2 + uv = u^3 + \left(d_1^2 + d_2\right) u^2 + d_1^4 \left(d_1^4 + d_1^2 + d_2^2\right)$$

Double and Add Formula for Binary Edwards Curves

The unified doubling and addition formulas below are the formulas EE and CC in [32], where $d_1 = d_2$.

Doubling
$$A = x_1 + y_1,\ B = A^2,\ C = A z_1,\ D = x_1 (x_1 + z_1),\ F = d_1 C,\ G = d_1 z_1^2,\ I = B + C,$$
$$x_3 = (F + D)^2,\ y_3 = (F + I + D)^2,\ z_3 = (I + G)^2$$

Addition

$$A = x_1 x_2,\ B = y_1 y_2,\ C = z_1 z_2,\ D = d_1 C,\ F = D^2,\ L = \frac{1}{d_1} F,$$
$$G = (x_1 + z_1)(x_2 + z_2),\ H = (y_1 + z_1)(y_2 + z_2),\ K = (x_1 + y_1)(x_2 + y_2),\ I = A + G,\ J = B + H,$$
$$U = K\,(K + I + J + C),$$
$$V = K\,\big(L + F + (G + D + B)(A + D + H) + (A + D)(G + D) + (B + D)(H + D)\big),$$
$$x_3 = V + C\,\big((A + D)(G + D) + L + F + U\big),\quad y_3 = V + C\,\big((B + D)(H + D) + L + F + U\big),\quad z_3 = C\,(U + L).$$

Binary Hessian Curves

This thesis will implement generalized Hessian curves over $\mathbb{F}_{2^n}$ using the projective equation from sec. 2 of [33]:
$$x^3 + y^3 + c z^3 = d x y z$$
The negation of a point $(x : y : z)$ is given as $-(x : y : z) = (y : x : z)$. To transfer this equation to a generalized Weierstrass equation with only the coefficients $a_1$ and $a_3$, utilize remark 1 in [33]: Let $c = 1$ and $d = \frac{3(a_1 + 2\delta)}{a_1 - \delta}$, where $\delta$ is a cube root determined by $a_1$ and $a_3$ as specified there. Then the generalized Weierstrass curve with coefficients $a_1$ and $a_3$ is isomorphic to the binary Hessian curve above with $c = 1$.

Double and Add Formula for Binary Hessian Curves

Below we give the unified addition (formula 13, but without extended coordinates) and doubling (formula 14) formulas from [33].

Doubling
$$A = x_1^2,\ B = y_1^2,\ C = z_1^2,\ D = x_1 y_1,\ G = D z_1,\ H = d G,$$
$$x_3 = B^2 + y_1 H,\ y_3 = A^2 + x_1 H,\ z_3 = c\, C^2 + z_1 H.$$

Addition
$$A_1 = x_1^2,\ B_1 = y_1^2,\ C_1 = z_1^2,\ D_1 = x_1 y_1,\ E_1 = x_1 z_1,\ F_1 = y_1 z_1,$$
$$A_2 = x_2^2,\ B_2 = y_2^2,\ C_2 = z_2^2,\ D_2 = x_2 y_2,\ E_2 = x_2 z_2,\ F_2 = y_2 z_2,$$
$$x_3 = c\, C_1 F_2 + D_1 A_2,\ y_3 = B_1 D_2 + c\, E_1 C_2,\ z_3 = A_1 E_2 + F_1 B_2.$$

2.9 Point Compression

Before the thesis proceeds to present point multiplication and ECC protocols, this section introduces point compression and decompression. Point compression makes it possible to store the coordinates of a normalized point on the curve by storing only one coordinate and one extra bit. Decompression recovers the original point from the compressed input. This technique is very useful for ECDSA and ECDH, as well as for generating base points for test data. This section introduces compression and decompression in the different curve representations.

2.9.1 Point Compression on Weierstrass Curves

The y-coordinate of a normalized point $(x : y : 1)$ on a Weierstrass curve can be compressed by storing only the x-coordinate and the least significant bit (LSB) of the y-coordinate. To recover the y-coordinate, calculate the right-hand side of the Weierstrass equation and take the modular square root. If the LSB of the root equals the stored LSB, then this root was the y-coordinate. Otherwise, the y-coordinate equals the modulus minus the root, A.12.8 in [16]. Note that in the case where the right-hand side is a quadratic non-residue, the square root does not exist. Equivalently, the method can be applied to the twisted inverted Edwards curve, which is thus not treated separately in this section.

The case of a binary Weierstrass curve follows a similar approach: Calculate the right-hand side of the binary Weierstrass equation ($\alpha$). On the left-hand side $y^2 + xy$, let $y = xz$ and divide by $x^2$; the equation now becomes $z^2 + z = \alpha / x^2$. If the method from the subsection on quadratic equations can solve the equation, the recovered y-coordinate is the sum of the two LSBs and the root, multiplied by $x$. Otherwise it is not possible to recover the y-coordinate, A.12.9 in [16].

Point Compression on Twisted Hessian Curves

We develop our own method for point compression to be used with the twisted Hessian curves, as there is no standard method to do this yet. The following method has been created only to provide the functionality to test signing and verifying of digital signatures on Hessian curves. No security implications have been considered. By following the normalization method mentioned above, a normalized point on a Hessian curve has the coordinates $(1 : y : z)$. We want to store only the z-coordinate as our public key and a reference to which root of the curve equation we want to solve for. On a Weierstrass curve this is done by simply storing one extra bit and the x-coordinate. When decompressing, the Weierstrass equation can easily be solved by finding the square root of the right-hand side of the equation. In our case we have three roots of the equation, but we will only focus on the one found by solving the cubic equation. As a result, we can compress a point on the twisted Hessian curve by normalizing the point, storing the z-coordinate and a 0 as a reference to which root to solve for. This is done only to make the implementation compatible with the others; the extra bit could actually be omitted. To decompress a point we insert the stored z-coordinate and let $x = 1$ to get:
$$y^3 - d y z + a + z^3 = 0 \pmod p$$
This equation can in most cases be solved for $y$ using the method described earlier for cubic equations over $\mathbb{F}_p$. If the equation does not have a solution, the point cannot be recovered.

Point Compression on Binary Edwards Curves

The binary Edwards curve can be compressed in the same manner as a binary Weierstrass curve. As before, compress by normalizing the projective point and storing the x-coordinate together with the LSB of y. To decompress: Insert values for $x$, $d_1$, $d_2$; in our case $d_1 = d_2$. Because the point is normalized, we can use the affine binary Edwards curve:
$$(x + y)\left(d_1 + d_2 (x + y)\right) = x y\,(1 + x)(1 + y)$$
Expand and rearrange this equation to:
$$\left(x^2 + x + d_1\right) y^2 + \left(x^2 + x + d_1\right) y = d_1 \left(x + x^2\right)$$
Divide by $\left(x^2 + x + d_1\right)$ to get:
$$y^2 + y = \frac{d_1 \left(x + x^2\right)}{x^2 + x + d_1}$$
This solution is also explained in [2]. The equation can now easily be solved by using the method from above. If the solution exists, the recovered y-coordinate is obtained as the sum of the root, the LSB of the root and the stored LSB of y. (Note that we do not need to multiply by $x$ as with binary Weierstrass curves, because we do not carry out any substitution.)

Point Compression on Binary Hessian Curves

A normalized projective point on a Hessian curve can be compressed to only the x-coordinate, but we add a zero bit to be consistent with the other curve compression methods. To decompress, solve the cubic Hessian equation for $y$ over $\mathbb{F}_{2^n}$ as described in the subsection on cubic equations. If the equation does not have a solution, then the point could not be recovered. Otherwise, the original y-coordinate is recovered.

Scalar Multiplication

Exercising the group operation numerous times is normally referred to as scalar multiplication, written $dP = T$ for a scalar $d$ and points $P, T$. Because the group operation is a quite complex calculation to perform, it is desirable to limit the number of times it has to be exercised. For that reason, many scalar multiplication algorithms and optimizations have been suggested for ECC. This section gives a brief introduction to the ones that will be used in our implementation.

The Double-and-Add Algorithm

One way to carry out a scalar multiplication $dP = T$ is simply to use what is called the binary method or the Double-and-Add algorithm, A.4.3 in [16] and section 9.2 in [34]. The algorithm scans through the bits of $d$ and for each bit doubles the current point. In addition, if the bit is 1, it also adds $P$ to the current point. On average this algorithm gives $n - 1$ doublings and $\frac{n-1}{2}$ additions for a scalar with $n$ bits, see [35].
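A single worked example, added here and not code from the thesis or from Miracl, covering the binary field material of this chapter in one place: multiplication, squaring and reduction in $\mathbb{F}_{2^n}$, the square and cube roots of theorems 2.7 and 2.8, the half-trace solver of theorem 2.9, the cubic solver for the binary Hessian equation, and point decompression on binary Weierstrass and binary Hessian curves from section 2.9. The toy field $\mathbb{F}_{2^7}$ with $f(x) = x^7 + x + 1$, the curve coefficients and all function names are assumptions made here; so is the handling of the cases $x^3 + c = 0$ and $dx = 0$, which the substitution $y = z + dx/z$ does not cover. For the binary Weierstrass curve the stored bit is the LSB of $z = y/x$, as in IEEE 1363, which is what makes the decompression formula above recover $y$ exactly.

```python
# Added example, not from the thesis or Miracl: F_{2^n} arithmetic with a trinomial reduction
# polynomial, square and cube roots, the half-trace solver for z^2 + z = alpha, the cubic
# solver for the binary Hessian equation, and point (de)compression for binary Weierstrass
# and binary Hessian curves. Elements are ints whose bits are polynomial coefficients.
# The field F_{2^7} with f(x) = x^7 + x + 1 and the curve coefficients are constructed toys.
N = 7
F = (1 << N) | 0b11          # x^7 + x + 1, irreducible over F_2; n is odd as the roots need

def mul(a, b):
    # Shift-and-add multiplication; the product is reduced modulo F as it is built.
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N & 1:
            a ^= F
    return r

def sqr(a):
    # Squaring is linear: coefficient i moves to position 2i; then reduce the high half.
    r = 0
    for i in range(N):
        if a >> i & 1:
            r |= 1 << (2 * i)
    for i in range(2 * N - 2, N - 1, -1):
        if r >> i & 1:
            r ^= F << (i - N)
    return r

def power(a, e):
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = sqr(a), e >> 1
    return r

def inv(a):
    return power(a, (1 << N) - 2)

def sqrt(u):   # theorem 2.7: u^(2^(n-1))
    return power(u, 1 << (N - 1))

def cbrt(u):   # theorem 2.8, n odd: u^((2^(n+1) - 1) / 3) is the unique cube root
    return power(u, ((1 << (N + 1)) - 1) // 3)

def half_trace(alpha):
    # theorem 2.9: sum of alpha^(2^(2i)) for i = 0 .. (n-1)/2
    t = z = alpha
    for _ in range((N - 1) // 2):
        t = sqr(sqr(t))
        z ^= t
    return z

def solve_quadratic(alpha):
    # Both roots of z^2 + z = alpha, or None when there are none (trace of alpha is 1).
    z = half_trace(alpha)
    return (z, z ^ 1) if sqr(z) ^ z == alpha else None

def hessian_y(x, c, d):
    # Roots y of y^3 + (dx) y + (c + x^3) = 0 via y = z + dx/z, z^3 = e (cubic section).
    # k = 0 and dx = 0 are not covered by the substitution and are handled directly;
    # every candidate is checked against the equation before it is returned.
    dx, k = mul(d, x), c ^ mul(x, sqr(x))
    if k == 0:                      # y (y^2 + dx) = 0
        cands = {0, sqrt(dx)}
    elif dx == 0:                   # y^3 = k
        cands = {cbrt(k)}
    else:
        vs = solve_quadratic(mul(mul(dx, sqr(dx)), inv(sqr(k))))
        cands = set()
        for v in vs or ():
            z = cbrt(mul(v, k))
            if z:
                cands.add(z ^ mul(dx, inv(z)))
    return sorted(y for y in cands if mul(y, sqr(y)) ^ mul(dx, y) ^ k == 0)

A2, A6 = 1, 0b1011            # toy binary Weierstrass curve y^2 + x y = x^3 + a2 x^2 + a6

def bw_on_curve(x, y):
    return sqr(y) ^ mul(x, y) ^ mul(x, sqr(x)) ^ mul(A2, sqr(x)) ^ A6 == 0

def bw_compress(x, y):
    # IEEE 1363 style: keep x and the LSB of z = y / x (0 when x = 0).
    return x, (mul(y, inv(x)) & 1 if x else 0)

def bw_decompress(x, zbit):
    # With y = x z the curve becomes z^2 + z = (x^3 + a2 x^2 + a6) / x^2; take the root
    # whose LSB matches the stored bit and multiply back by x. None if there is no root.
    if x == 0:
        return sqrt(A6)
    zs = solve_quadratic(mul(mul(x, sqr(x)) ^ mul(A2, sqr(x)) ^ A6, inv(sqr(x))))
    if zs is None:
        return None
    z = zs[0] ^ ((zs[0] & 1) ^ zbit)
    return mul(x, z)

def bh_decompress(x, c, d):
    # Binary Hessian x^3 + y^3 + c = d x y: the stored bit is always 0 and is not needed.
    ys = hessian_y(x, c, d)
    return ys[0] if ys else None
```

With a 7-bit field every property can be checked exhaustively, which is how the expected counts (for instance that exactly $2^{n-1}$ values of $\alpha$ admit a solution of $z^2 + z = \alpha$) are verified below; for a real field size the same functions work unchanged with a pentanomial such as the NIST B-163 reduction polynomial.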

Non-Adjacent Form (NAF)

Non-adjacent form represents a binary number as a signed-binary number, i.e. a sequence of digits from the set {−1, 0, 1} in which no two adjacent digits are non-zero. The NAF has far fewer non-zero digits than the plain binary expansion, hence fewer additions when running the double-and-add algorithm from above. On average the number of additions is reduced to n/3, at the cost of one extra doubling, so the number of doublings becomes n [35]. For more on NAF we refer to the original paper [36] and the overview in [35].

The Addition-Subtraction Method

To upgrade the double-and-add algorithm to support NAF, it must handle the digit −1. When that digit occurs, the point is negated and then added as before. This algorithm is called the addition-subtraction method. Negation of a point is, as shown earlier, a trivial operation compared with an addition, so the recoding improves performance. The method is used in the IEEE 1363 standard, see A.10.3 in [16].

Double-Scalar Multiplication

As the next section will show, signature verification requires a double-scalar multiplication, e.g. P = u_1 A + u_2 B. Here Shamir's trick improves on performing two separate point multiplications followed by one point addition [37]. With both scalars u_1 and u_2 in NAF, the addition-subtraction method generalizes to two scalars: iterate simultaneously through the digits of the two scalars, doubling the current point as before, and for each non-zero digit add or subtract A and/or B. On average this gives 5n/9 additions, but the count can be reduced further with the Joint Sparse Form (JSF) [38]. JSF is a generalization of NAF to two scalars which requires that, of any three consecutive digit positions, at least one is a double zero, and that adjacent digits in the same row do not have opposite signs.
Together with some further restrictions, these rules reduce the number of additions to an average of n/2 when running the double-scalar multiplication method from above. For details see Solinas's original paper [38].

Cryptographic Primitives

This section starts by defining important security objectives such as confidentiality and integrity. Thereafter it shows how the group of points on an elliptic curve can be used to build cryptographic protocols for digital signatures, providing non-repudiation, and an EC equivalent of the Diffie-Hellman Key Exchange (DHKE).
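As an added example for the NAF, addition-subtraction and JSF recodings of the scalar multiplication section above (Python written for this edition, not the thesis's or Miracl's C code; function names are ours, and the sample scalars are constructed with a seeded generator), the following implements both recodings, checks the properties the text states, and counts the additions each recoding would cost in the double-and-add and Shamir loops:

```python
import random

# Added example (not from the thesis or Miracl): NAF and JSF scalar recodings.
# Function names are ours; digit lists are least-significant digit first.


def naf(k):
    """Non-adjacent form of k >= 0: digits in {-1, 0, 1}, no two adjacent non-zero."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k % 4)        # k = 1 (mod 4) -> 1, k = 3 (mod 4) -> -1
            k -= d                 # k is now divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        k //= 2
    return digits


def from_digits(digits):
    """Value of a signed-digit expansion (inverse of naf / one row of jsf)."""
    return sum(d << i for i, d in enumerate(digits))


def is_non_adjacent(digits):
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


def weight(digits):
    """Non-zero digits = additions/subtractions in the addition-subtraction loop."""
    return sum(1 for d in digits if d)


def jsf(k0, k1):
    """Joint sparse form of (k0, k1) >= 0 (Solinas's algorithm): two equal-length rows."""
    d0 = d1 = 0
    row0, row1 = [], []
    while k0 + d0 > 0 or k1 + d1 > 0:
        l0, l1 = k0 + d0, k1 + d1
        u = []
        for lj, lo in ((l0, l1), (l1, l0)):
            if lj % 2 == 0:
                uj = 0
            else:
                uj = -1 if lj % 4 == 3 else 1          # lj mods 4
                if lj % 8 in (3, 5) and lo % 4 == 2:   # look-ahead rule
                    uj = -uj
            u.append(uj)
        if 2 * d0 == 1 + u[0]:
            d0 = 1 - d0
        if 2 * d1 == 1 + u[1]:
            d1 = 1 - d1
        k0 //= 2
        k1 //= 2
        row0.append(u[0])
        row1.append(u[1])
    return row0, row1


def joint_weight(rows):
    """Columns with a non-zero digit = additions in the Shamir double-scalar loop."""
    return sum(1 for a, b in zip(*rows) if a or b)


def naive_joint_weight(k0, k1):
    """Same count when each scalar is simply in NAF (padded to equal length)."""
    a, b = naf(k0), naf(k1)
    n = max(len(a), len(b))
    return joint_weight((a + [0] * (n - len(a)), b + [0] * (n - len(b))))


def average_additions(bits=256, samples=200, seed=1):
    """Average additions per scalar multiplication for random `bits`-bit scalars:
    (binary double-and-add, NAF, two independent NAFs, JSF). The top digit is
    free (it is the initial copy of the point). Scalars come from a seeded PRNG."""
    rng = random.Random(seed)
    tot = [0, 0, 0, 0]
    for _ in range(samples):
        k0 = rng.getrandbits(bits) | (1 << (bits - 1))
        k1 = rng.getrandbits(bits) | (1 << (bits - 1))
        tot[0] += bin(k0).count("1") - 1
        tot[1] += weight(naf(k0)) - 1
        tot[2] += naive_joint_weight(k0, k1) - 1
        tot[3] += joint_weight(jsf(k0, k1)) - 1
    return tuple(t / samples for t in tot)


if __name__ == "__main__":
    print(naf(13), jsf(13, 6))
    print("avg additions (binary, NAF, 2xNAF, JSF):", average_additions())
```

The averages come out close to (n − 1)/2, n/3, 5n/9 and n/2 for n = 256, which is the ordering the text gives; the JSF rows also satisfy the reconstruction check from_digits(row) == k, which is how an implementation should test its recoder before wiring it into the point multiplication.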

Confidentiality, Integrity and Availability

Confidentiality, integrity and availability are, in an information security context, often referred to as the CIA triad. The literature describes these concepts as the most important objectives of information security [39]. The US National Institute of Standards and Technology (NIST) defines them as follows in [40]:

Definition (Confidentiality): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Definition (Integrity): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Definition (Availability): Ensuring timely and reliable access to and use of information.

The CIA triad is often used when discussing which objectives a system does or does not fulfil with regard to information security. In asymmetric cryptography, including ECC, the concept of integrity needs to be defined in more detail, because some schemes only provide parts of the above definition. The next section shows an example of this for DHKE, which requires both parties to be authenticated. For that reason this thesis adds two definitions elaborating on integrity, excerpted from page 5 in [39].

Definition (Authenticity): The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Definition (Non-repudiation): The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Discrete Logarithm Problem (DLP)

The Discrete Logarithm Problem (DLP) is the basis for many public-key cryptography mechanisms.
The first use of the DLP in a cryptographic protocol was by Whitfield Diffie and Martin Hellman in 1976 [41]. Diffie and Hellman proposed a model in which two communicating parties negotiate a common secret by each sending one public parameter to the other. This technique later became known as the Diffie-Hellman Key Exchange (DHKE). DHKE solves the key distribution problem of symmetric cryptography, but introduces the problem of authenticating the two parties. In the familiar Alice and Bob setting it works as follows:

Alice
  chooses a group Z_p^* (the multiplicative group modulo a prime p) and a generator α of that group
  chooses a private key a ∈ {2, ..., p − 2}
  computes the public key A ≡ α^a mod p
  sends α, p and A to Bob

Bob
  receives the parameters α, p and A
  chooses a private key b ∈ {2, ..., p − 2}
  computes the public key B ≡ α^b mod p
  sends B to Alice

Now both Bob and Alice can compute the shared secret:
  B^a ≡ A^b ≡ α^{ab} mod p

This common secret can now serve as a key for symmetric encryption [34]. For simplicity, assume the scheme is implemented without the possibility of a man-in-the-middle attack, i.e. both users are authenticated. To find a private key x from the corresponding public key α^x mod p, an attacker would need to compute the discrete logarithm x = log_α(α^x) in Z_p^*. This problem is the backbone of most public-key systems, including ECC.

The Discrete Logarithm Problem for Elliptic Curves (ECDLP)

Taking a primitive element of the group of points on an elliptic curve and applying the group operation to that element with itself repeatedly gives a problem equivalent to the DLP, named the Elliptic Curve Discrete Logarithm Problem (ECDLP). It is defined as follows: given a primitive element P and another element T, find the integer d such that dP = T, i.e. P added to itself d times [34].

ECDSA

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the EC analogue of the Digital Signature Algorithm (DSA). The algorithm was proposed during the 1990s and later standardized. For a good introduction to this topic we recommend [42]. Below we give a familiar Alice and Bob example outlining how the algorithm works, and leave details such as key generation and hash algorithms to [42]. Consider the situation where Bob wants to sign a message and send it to Alice, and Alice confirms that the message originates from Bob by verifying the signature.
This example is compiled from section 10.5 in [34].

Bob
  chooses the curve E(F_p) with parameters p = 17, a = 2, b = 2
  chooses a point A = (5, 1) of order q = 19
  chooses a private key d = 7
  computes the public key B = dA = 7 · (5, 1) = (0, 6)
  sends the public parameters p, a, b, q, A, B to Alice
  sign:
    computes the hash of the message, h(x) = 26
    chooses an ephemeral key k_E = 10
    computes the signature (r, s):
      R = k_E A = 10 · (5, 1) = (7, 11),  r = x_R = 7
      s ≡ (h(x) + d · r) · k_E^{-1} mod q = (26 + 7 · 7) · 2 ≡ 17 mod 19
    sends the message and signature (x, (r, s)) = (x, (7, 17)) to Alice

Alice
  receives the public parameters and the signed message from Bob
  verify:
    w ≡ s^{-1} ≡ 17^{-1} ≡ 9 mod 19
    u_1 ≡ w · h(x) ≡ 9 · 26 ≡ 6 mod 19
    u_2 ≡ w · r ≡ 9 · 7 ≡ 6 mod 19
    P = u_1 A + u_2 B = 6 · (5, 1) + 6 · (0, 6) = (7, 11)
    x_P ≡ r mod 19, so the signature is valid

If x_P ≢ r mod 19 the signature would be invalid. This scheme provides full non-repudiation: Alice can mathematically prove that the message originates from Bob, as long as Bob's private key is kept secret. Still, the message is sent in cleartext, so no confidentiality is provided, and integrity violations can be detected but not corrected. As mentioned in the section on double-scalar multiplication, the verification step P = u_1 A + u_2 B can be computed more efficiently than by two point multiplications and an addition, using Shamir's trick.

ECDH

ECDH is the EC analogue of DHKE over finite fields. An important difference is that the protocol now works in the group of points on an EC over a finite field, not in the finite field itself: the elements are points on E with coordinates in the field, and scalar multiplication replaces exponentiation. With this in mind, the EC equivalent of DHKE is:

  Choose a curve E(F_p) with parameters p, a, b and a primitive point P = (x_P, y_P).
  Each party chooses a private key a ∈ {2, ..., #E − 1} and computes the public key A = aP.
  Exchange the public keys as before; the common secret is the same on both sides, since
    T_AB = aB = a(bP) = bA = b(aP)
  (example in section 9.3 in [34]).

2.12 Security

One of the most important characteristics of ECC is that it achieves a high security level while keeping key sizes small enough to gain performance, since it does not appear to be vulnerable to index-calculus algorithms, see 9.4 in [34]. This section explains the relation between security level and key size, which is set by the generic attacks, and describes some attacks on insecure curves and other non-generic attacks.

Generic Attacks

Generic attack algorithms only use the group operation on the curve; they work for both the ECDLP and the DLP. The two algorithms considered here are Shanks's baby-step giant-step [43] and Pollard's rho [44], which at the time of writing are the best generic attacks on ECC. They apply to ECC because of the algebraic structure ECC is built on, not as a result of research directed at attacking ECC. This section does not explain the algorithms in detail, but gives an indication of their running time and the security implications. Both baby-step giant-step and Pollard's rho run in roughly O(√(2^n)) = O(2^(n/2)) group operations, where 2^n is the group order. By Hasse's theorem, n is approximately the bit size of the field, p. 252 [34]. Hence the security level of a curve over this field is half the number of bits in the field. Normally a security level of 80 bits is considered sufficient, but double or triple that is sometimes applied to account for increasing computing power. For elliptic curves this means the finite field needs a bit size of 160 or more. These sizes are still far below the equivalent for RSA and other public-key algorithms, which need around a thousand bits to achieve the same security level [34].

Small Subgroup Attack

The small subgroup attack was first presented by Lim and Lee in [45].
This attack uses Lagrange's theorem to exploit the fact that a curve with cofactor h > 1 has subgroups whose orders divide h. Consider an ECDH run in which Alice and Bob have agreed on a common key. If one of them used a public key lying in a small subgroup, there are only a few possible values for the shared secret, so an eavesdropper on the ECDH exchange can easily brute-force the symmetric key. Depending on how the private key was chosen, the attack can also reduce the security of the private key of the party that received the public key from the small subgroup, see [22]. It is therefore necessary to check that a received public key is a point in the large prime-order subgroup and not in the small cofactor group [21]. For binary curves, the requirement of a small cofactor adds a requirement on the bit size of the field, because an almost-prime group order can only occur if n in F_{2^n} is prime, section 4.1 [46]. This restriction, together with the fact that the only choices of a_2 on a Koblitz curve are 0 or 1, makes the field sizes of the binary curves recommended in [10] somewhat larger. In the literature it is debated whether curve recommendations should contain curves with cofactor larger than one, because implementations using such curves are vulnerable if they omit the public-key check, see "cofactor" in [47]. Most recommendations, such as NIST in [10], permit small cofactors. In addition, a cofactor divisible by 4 is unavoidable when recommending Montgomery or Edwards curves as in NUMS [20].

Differential Fault Analysis

Another attack that can be thwarted with a simple check is differential fault analysis [48]. It exploits the fact that the addition formulas in projective coordinates do not involve the constant term of the curve equation, together with the implementation not checking that a given point is actually on the curve. That is, the formulas depend only on the coefficient a of x in the short Weierstrass equation over a prime field, and only on the coefficient a_2 of x^2 in the general Weierstrass equation over a binary field, so they are identical for all curves sharing that coefficient, see [21]. The first property is a general fact, but an implementation not checking that a given point is on the curve is a vulnerability. Imagine Alice receives a public key Q of small order l and computes wQ, where w is her private key, as is commonly done in ECDH. If Alice's implementation does not check that Q is on the curve, wQ has order dividing l, and further use of the result can reveal w mod l. Repeating this with points of pairwise coprime orders, the residues can be combined with the Chinese Remainder Theorem to recover her private key (as exemplified in [21]). An effective countermeasure is to check that the point is actually on the curve.
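The following is an added example (Python written for this edition, not code from the thesis or from Miracl) that serves two passages: it reproduces the ECDSA and ECDH walk-through above on the thesis's toy curve y^2 = x^3 + 2x + 2 over F_17 (base point A = (5, 1) of order 19, cofactor 1, and the key values d = 7, k_E = 10, h(x) = 26), and it implements the public-key checks the small-subgroup and invalid-point discussion just asked for, then shows in miniature what skipping them leaks. Affine formulas are used for readability; function names and the sample invalid point (0, 0) are ours:

```python
# Added example, not code from the thesis or from Miracl: the ECDSA and ECDH
# walk-through on the thesis's toy curve y^2 = x^3 + 2x + 2 over F_17 (base
# point A = (5, 1) of order 19, cofactor 1), plus the public-key checks from
# the small-subgroup / invalid-point discussion. Affine formulas are used for
# readability; function names and the sample invalid point (0, 0) are ours.

P_MOD, A_COEF, B_COEF = 17, 2, 2      # E: y^2 = x^3 + a*x + b over F_p
BASE, ORDER = (5, 1), 19              # base point A and its prime order q
INF = None                            # the point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def add(p1, p2):
    """Chord-and-tangent addition. Only a appears in the formulas, never b."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:                      # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Left-to-right double-and-add, as in the scalar multiplication section."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def validate_public_key(q):
    """A received key must be finite, on E and in the prime-order subgroup
    (q*Q = O): the checks that defeat small-subgroup and invalid-point inputs."""
    return q is not INF and is_on_curve(q) and mul(ORDER, q) is INF


def ecdsa_sign(d, h, k_e):
    r = mul(k_e, BASE)[0] % ORDER
    s = (h + d * r) * pow(k_e, -1, ORDER) % ORDER
    return r, s


def ecdsa_verify(pub, h, sig):
    r, s = sig
    if not (0 < r < ORDER and 0 < s < ORDER) or not validate_public_key(pub):
        return False
    w = pow(s, -1, ORDER)
    u1, u2 = h * w % ORDER, r * w % ORDER
    p = add(mul(u1, BASE), mul(u2, pub))   # the double-scalar multiplication
    return p is not INF and p[0] % ORDER == r


def ecdh_shared(priv, peer_pub):
    if not validate_public_key(peer_pub):
        raise ValueError("peer public key rejected")
    return mul(priv, peer_pub)


def point_order(q):
    """Order of q under the same add(): an off-curve q lies on y^2 = x^3 + 2x + b'
    for some other b', and since add() never uses b the formulas still 'work'."""
    n, acc = 1, q
    while acc is not INF:
        acc, n = add(acc, q), n + 1
    return n


def leak_private_key_mod(w, q):
    """Invalid-point attack in miniature: a victim that skips validation computes
    w*q for an attacker-chosen q of small order l; the attacker brute-forces
    w mod l from the result (residues for coprime l combine via the CRT)."""
    l = point_order(q)
    seen = mul(w, q)
    return next(t for t in range(l) if mul(t, q) == seen), l


if __name__ == "__main__":
    pub = mul(7, BASE)                          # Bob's key B = 7A = (0, 6)
    sig = ecdsa_sign(7, 26, 10)                 # (r, s) = (7, 17)
    print(pub, sig, ecdsa_verify(pub, 26, sig))
    print(ecdh_shared(3, mul(11, BASE)) == ecdh_shared(11, mul(3, BASE)))
    bad = (0, 0)   # constructed: not on E, but of order 2 on y^2 = x^3 + 2x
    print(validate_public_key(bad), leak_private_key_mod(7, bad))
```

The point (0, 0) is rejected by validate_public_key, but a victim that multiplies it by the private key anyway returns a result whose only information content is w mod 2; with one such point per small prime the attacker assembles w by the Chinese Remainder Theorem, which is the invalid-curve attack the text refers to. In Miracl the on-curve check is what epoint_set performs, so the remaining responsibility of the caller is the subgroup check q*Q = O (or a cofactor clearing) when the cofactor is larger than one.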
The small subgroup attack and differential fault analysis can be combined into the invalid-curve attack described in section 4 of [21].

Non-Generic Attacks

The first curves used for ECC were supersingular curves, as they are easy to compute with. A curve over F_q, with q a power of the prime p, is supersingular if its number of points satisfies #E(F_q) ≡ 1 mod p [17]. An example is y^2 = x^3 − x over a prime field F_p with p ≡ 3 mod 4. Although this curve is convenient for explanatory purposes, it cannot be used to achieve high security: it has a small embedding degree, so the Weil pairing can be used to reduce the ECDLP to the DLP in a small extension of the field, where the index-calculus algorithm applies [49]. This is known as the MOV attack. Similar pairings, such as the Tate pairing, have been proposed for the same purpose. For this reason, curves with small embedding degree are now disregarded. There are many other examples of insecure curves; in practice, standard curves from various sources are used. As this subject is a field of its own, this thesis does not elaborate further on the choice of parameters with regard to security.

Side-Channel Attacks

Side-channel attacks analyze auxiliary information that is available while the cryptographic algorithm runs, such as running time, power consumption or electromagnetic radiation, in order to learn secret information such as the private key [50]. We concentrate on simple side-channel attacks, as these are closely tied to the doubling and addition formulas; for differential side-channel attacks we refer to [50]. Simple side-channel analysis uses a single trace of side-channel information and applies whenever a scalar multiplication is carried out, e.g. when a private key w is used to compute the public key wQ, where Q is the base point. An attacker who observes the power consumption while double-and-add runs sees a different pattern for a 0 bit (one doubling) than for a 1 bit (a doubling followed by an addition), and thus reads off the bits of w one by one [50]. One way to thwart this attack is to perform a dummy addition when a 0 bit is read, so that the algorithm behaves regularly. Similarly, the scalar multiplication algorithm can be exchanged for one designed to behave regularly. Another option is a unified addition formula, so that doubling and addition are computed by the same formula.
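As an added example of the simple side-channel attack just described (Python written for this edition, not code from the thesis or from Miracl), the block below abstracts the curve arithmetic away entirely: each routine only records the sequence of doublings ("D") and additions ("A") it would execute, which is what a single power or timing trace exposes when the two operations have distinguishable profiles. It then shows the attacker's decoding of a plain double-and-add trace and why the dummy-addition and regular-ladder variants give the attacker nothing. The trace alphabet and function names are ours:

```python
# Added example, not code from the thesis or from Miracl: what a simple
# side-channel attacker sees. Curve arithmetic is abstracted away; each routine
# only records the sequence of doublings ("D") and additions ("A") it would
# execute. Names and the trace alphabet are ours.


def double_and_add_ops(k):
    """Left-to-right double-and-add: the accumulator starts at P (top bit), then
    every lower bit costs one D and, only if the bit is 1, one A."""
    ops = []
    for bit in bin(k)[3:]:
        ops.append("D")
        if bit == "1":
            ops.append("A")
    return "".join(ops)


def double_and_always_add_ops(k):
    """Same loop with a dummy addition on 0 bits: the trace depends only on the
    bit length of k, not on its bits (the text's first countermeasure)."""
    return "DA" * (k.bit_length() - 1)


def montgomery_ladder_ops(k):
    """A regular algorithm: exactly one A and one D per bit, no dummy operation."""
    return "AD" * k.bit_length()


def spa_recover(trace):
    """The attacker's decoding of a double-and-add trace: every D opens a new
    bit, assumed 0; an A directly after it turns that bit into 1."""
    bits = ["1"]                                   # the implicit top bit
    for op in trace:
        if op == "D":
            bits.append("0")
        elif op == "A":
            bits[-1] = "1"
    return int("".join(bits), 2)


def leaks_scalar(trace_fn, scalars):
    """True if the trace alone lets spa_recover read back every scalar."""
    return all(spa_recover(trace_fn(k)) == k for k in scalars)


def op_counts(trace):
    """(doublings, additions): n-1 and popcount-1 for an n-bit double-and-add."""
    return trace.count("D"), trace.count("A")


if __name__ == "__main__":
    k = 0b1011001                                  # constructed 7-bit scalar
    t = double_and_add_ops(k)
    print(t, op_counts(t), spa_recover(t) == k)    # DDADADDDA (6, 3) True
    print(leaks_scalar(double_and_add_ops, range(1, 256)),         # True
          leaks_scalar(double_and_always_add_ops, range(1, 256)),  # False
          leaks_scalar(montgomery_ladder_ops, range(1, 256)))      # False
```

Note that the dummy-addition variant is only as good as the dummy: if the result of the dummy addition is discarded in a way the attacker can detect (a fault injected into it does not change the output), the bit is recovered again, which is why a genuinely regular algorithm or a unified formula is preferred.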

Chapter 3 Test Criteria

Chapter 2 explained how the theory of elliptic curves can be used to build cryptographic schemes with different curve representations. This chapter specifies the criteria for testing the curve implementations with regard to performance, security, robustness and portability.

3.1 Performance

This thesis primarily wants to compare the computational complexity of the addition and doubling formulas of the different curve implementations. In addition, it wants to show the practical impact of this complexity on the performance of point multiplication and of ECC protocols such as ECDSA and ECDH with commonly used curves. Based on these results, the thesis discusses whether some curve representations perform better than others, and investigates whether there are useful trade-offs or implementation speed-ups that could apply.

Prime or Binary Field?

Our implementation covers Weierstrass curves, Edwards curves and Hessian curves over both prime fields and binary fields. This thesis investigates over which field our implementations perform best, and how the curve representations over the two fields differ in performance.

Cofactor

NIST recommends the cofactor to be as small as possible for efficiency reasons [10]. Bernstein et al., on the contrary, claim that a larger cofactor can give a better security-performance trade-off [28], since some efficient curve representations require a larger cofactor for their group operations to work. We use our performance measurements to discuss these claims and determine whether the cofactor plays an important role, first and foremost in terms of performance, but also with respect to the security notions.

3.2 Security

Section 2.12 shows how most of the security of ECC, side-channel attacks aside, relies on the choice of curve parameters. Since going into depth on each curve selection is out of scope, this thesis simply selects curves that are believed to be secure and are commonly used; by secure, the thesis refers to resistance against the best currently known attacks as described earlier. Where no secure curve exists for a representation, the thesis gives random test parameters to measure performance, knowing that such curves cannot be considered secure in practice.

Key Lengths

As mentioned earlier, the bit size of the prime field needs to be twice the desired security level; hence a security level of 80 bits needs a 160-bit curve. Although breaking such a scheme is considered impractical with currently available computing power, we account for future increases and start at a security level of 128 bits, i.e. prime fields of 256 bits. This level is recommended by NSM [51], and secure curve suggestions are available from Brainpool, NIST and NUMS [19, 10, 20]. We also want to compare the curve representations at different security levels, so we test curves over 384-bit and 512-bit fields as well as 256-bit fields. For curves over binary fields the key sizes are, as mentioned, somewhat larger; we test curves over binary fields of 283, 409 and 571 bits.

Side-channel Attacks

Many different measurements can give information about an implementation and lead to a side-channel attack. We simply discuss whether the addition and doubling formulas of the different curve representations are unified, and whether the underlying scalar multiplication algorithm behaves regularly as described in section three of [50].
3.3 Robustness

This thesis defines robustness as how easy it is to make mistakes when implementing the different curve representations. Included here are special considerations such as how to handle the point at infinity, generation of curve parameters, and the need for both doubling and addition functions, all relative to the curve implementation.

3.4 Portability

This thesis defines portability as the possibility to run our implementation on different platforms and operating systems. The thesis investigates whether some curve representations are more or less suitable for constrained devices, e.g. because of requirements for certain field operations or high memory usage.

Chapter 4 Implementation

This chapter gives the reasons for our library and implementation choices, gives some code examples of how the library and implementation can be used, and reports our experiences with implementing different curve representations in this library.

4.1 Choice of Library

ECC can be implemented on many devices depending on the usage. The aim of this thesis is a high-performance C implementation that can easily be ported to different platforms and systems. Choosing C as the programming language satisfies the portability requirement. Furthermore, C gives good control over memory allocation and process behaviour, both closely related to performance, although careless memory handling can result in memory leaks. Like many other cryptographic mechanisms, ECC requires functions for prime and binary field arithmetic on big integers, i.e. integers of several hundred bits. Such functions could be developed from scratch using the methods of sections 2.3 and 2.4, but that is out of scope for this thesis, which aims at implementing different curve representations; it would also complicate the implementation and probably be too time-consuming. Another important aspect when choosing a library is that development is eased if the library already contains an implementation of ECC in one or several of the selected curve representations, which can then serve as a reference for implementing the others. Moreover, a library with a full implementation of ECC also provides the ECC protocols and point multiplication functions, letting us focus solely on the curve representations, which are the main focus of this thesis.
With these criteria in mind, we chose Miracl [1]. The following section gives a short introduction to this library.

4.2 The Miracl Library

Miracl is a freeware library for multiprecision arithmetic containing over 100 routines [52]. Most of the library is written in C, but it also has a C++ interface. Being implemented in C makes it possible to run Miracl on a huge range of processors and platforms. According to the manual, all routines have been thoroughly optimized for speed and efficiency, and some time-critical routines have carefully selected assembly language alternatives. Having existed for over a decade, Miracl features implementations of classic algorithms for prime factorization, the DLP, public-key cryptography, hashing and symmetric encryption such as the Advanced Encryption Standard (AES), and more. To implement these algorithms it contains a large number of arithmetic functions and two data types called big and flash, where big is a data type for large integers and flash for large rational numbers; both can be of arbitrary bit size. The arithmetic functions work with these two types and cover most imaginable operations such as addition, subtraction, multiplication and division, but also more advanced functions such as exponentiation, nth root, greatest common divisor, etc. Most of these functions are also implemented over prime and binary fields. Using these field arithmetic functions, Miracl contains a full implementation of ECC for Weierstrass curves in affine and projective coordinates (see section 2.6.3 and the corresponding binary-field sections). In addition, it has an implementation of twisted inverted Edwards curves as in section 2.7.2; we confirmed which doubling and addition formulas are used by comparing their implementation in the mrcurve.c file of [1] with the formulas from [53]. A standard implementation of ECDSA is available through the files ecsgen.c, ecsign.c and ecsver.c, see [52], and a version of ECDH is found in pk-demo.c.
Miracl is licensed under the GNU Affero General Public License, which allows us to modify the available source and keep it internally, or release it to the public under the same license. For more information see [54].

4.3 Implementation of Curve Representations Over Finite Prime Fields

The former section gave an overview of the Miracl library. This section explains the implementation of curve representations over prime fields in mrcurve.c, and in particular our own implementation of Hessian curves over such fields in the same file. Analogous to figure 1.1, figure 4.1 gives a general dependency schematic for Miracl's implementation of ECC over prime fields. The following subsections introduce the central functions in this figure and then give details on how the Hessian curves are implemented. For further details and code we refer to the digitally attached source code.

Figure 4.1: The hierarchy of ECC over finite prime fields in Miracl.

4.3.1 Initialization of the Curve

Miracl is initialized by a call to mirsys(nd, nb), which reserves nd digits of number base nb for each big variable. We prefer a hexadecimal base, hence nb = 16, and reserve (field size in bits)/4 digits per variable, since one hexadecimal digit expresses four bits. mirsys initializes the system and returns a Miracl instance pointer (mip), which gives access to the sixteen work variables of the big data type [52]. Additional big variables are declared and initialized by:

    big variablename;
    variablename = mirvar(initvalue);

where initvalue is a value of the primitive integer type int. To initialize the variable with a larger value, let initvalue = 0 and proceed with:

    innum(variablename, fd);

which reads the value from the file pointer fd, either a file or standard input. Equivalently, the value of a big can be written to standard output or a file with:

    otnum(variablename, fd);

The elliptic curve over F_p is then initialized by calling ecurve_init(a, b, p, type). The parameters a and b correspond to the respective curve parameters in the curve equations and can be set as above; in the Edwards and Hessian representations, b corresponds to the curve parameter d. The prime field modulus is set by p and the coordinate type by type, which is one of MR_AFFINE, MR_PROJECTIVE and MR_BEST; MR_BEST tries to choose the most efficient coordinate system. Note that only the short Weierstrass representation supports affine coordinates; Edwards and Hessian curves are only available in projective coordinates. For that reason we do not support MR_BEST in our Hessian implementation. To choose between curve representations, Miracl uses compile directives.
These directives are specified in the mirdef.h* header file, where * identifies the computer architecture, see section 2 of [52]. We have continued the use of these directives by adding an option for Hessian curves: to use Edwards or Hessian curves, state either MR_EDWARDS or MR_HESSIAN in the mirdef.h* file before compiling; no directive means Weierstrass curves. The directive selects the curve representation over both prime and binary fields.

Setting the Initial Point on the Curve

Before doing any additions or doublings, an initial point needs to be created and set. In Miracl, points are created as pointers to an epoint and initialized by calling epoint_init. Points have the same layout over all fields and contain the coordinates, as big variables, and a marker which specifies whether the point is at infinity,

normalized or a general point. After a point is created and initialized, it is set through a call to epoint_set(x, y, cb, g), which takes the big variables x and y, checks that the point is on the curve in the given representation, and sets the curve point g to it. If x and y refer to the same variable, the int cb selects the decompression method for the given representation from section 2.9. epoint_set returns the BOOL TRUE when the point was set correctly and FALSE otherwise. Note that only (x, y) coordinates are used, i.e. a normalized point is assumed. In summary, a minimal example to initialize a point g on the curve and set its coordinates:

    epoint *g;
    g = epoint_init();
    epoint_set(x, y, cb, g);

Overview of the Implementation of Curve Representations

The points on a Hessian curve are initialized and set as just described, but by inputting the z-coordinate instead of the x-coordinate, due to the normalization process described in the subsection on Hessian curves. Additionally, to aid the decompression method we have added three helper functions: isprime2mod3and3mod4, nres_isquadraticresidue and nres_cuberoot. The first, added to mrcurve.c, checks that the modulus satisfies the two conditions on the prime from theorems 2.5 and 2.6 and returns TRUE if it does; this lets epoint_set quickly determine whether decompression is impossible. nres_isquadraticresidue checks whether its input is a quadratic residue and returns TRUE if so; if the square root exists, it is found by the existing function nres_sqroot, which uses theorem 2.5 given p ≡ 3 mod 4. The cube root is found in the same manner by the added nres_cuberoot function, an implementation of theorem 2.6. We have added nres_isquadraticresidue and nres_cuberoot to mrsroot.c to make them generally available.
After initializing a curve and a point on it, the implementation can perform point (scalar) multiplication or double-scalar multiplication. Miracl uses the addition-subtraction method from the scalar multiplication section for point multiplication, through ecurve_mult(k, p, pa) for an input point p, an output point pa and a big k; on return pa = k*p. In turn ecurve_mult calls ecurve_padd, ecurve_double and epoint_negate for addition, doubling and negation of points. These functions implement the addition, doubling and negation formulas of the curve representation selected by the compile directive: the Edwards formulas referenced earlier, the affine Weierstrass formulas from section 2.5 and the projective formulas from the corresponding subsection. In the same manner, ecurve_mult2(e, p, ea, pa, pt) computes pt = e*p + ea*pa. This function is especially useful for Shamir's trick in signature verification, and uses the addition-subtraction formula implemented in ecurve_add_sub. Note that Miracl only uses this type of formula for curves over F_p.

Our contribution is the implementation of Hessian curves using the addition and doubling formulas given earlier. Thanks to the compile directives, function names can be reused: under MR_HESSIAN the functions ecurve_double, ecurve_padd and ecurve_add_sub implement the Hessian formulas, and epoint_negate and epoint_norm implement the rules for negation and normalization of a point on a Hessian curve. Note that ecurve_mult and the other helper functions for the Hessian implementation are kept identical to those for twisted Edwards curves and Weierstrass curves. To fully comply with Miracl's build, we have simply added all the function names to the MR_HESSIAN compile option of mrcurve.c; some of them are only declared, not implemented, and a full list of unimplemented functions can be found in mrcurve.c. This extensive use of compile directives causes a lot of code repetition, but is useful for customizing parts of the code, e.g. point multiplication for a particular curve representation, and for creating standalone executables.

Implementation of Doubling and Addition Formulas

The doubling and addition formulas use the field operations from section 2.3. In Miracl these are realized with nres_modmult, nres_modadd, nres_modsub and nres_moddiv; note that nres_modmult internally chooses between squaring and multiplication. These functions are called as

    nres_modmult(_MIPP_ var1, var2, var3);

where the first parameter, _MIPP_, is the instance pointer, useful for multithreading, see 2.3 in [52], followed by three big variables: var3 receives the result, and var1 and var2 are the inputs to the binary operator the function name suggests. Our implementation follows Miracl's practice of storing intermediate values in the mip registers and in the coordinates of points. The mip registers are accessed as mr_mip->wN for N in 0..15 (w0 to w15),
and the coordinates (X : Y : Z) of a point p as p->X, p->Y and p->Z. Sometimes curve parameters are small, and multiplication by a big can then be replaced by additions through nres_premult to increase performance. In these cases the size of the curve parameter is compared to the value MR_TOOBIG. The example below multiplies the w2 register by the curve parameter A and stores the result in w2:

    if (mr_abs(mr_mip->Asize) == MR_TOOBIG)
        nres_modmult(_MIPP_ mr_mip->w2, mr_mip->A, mr_mip->w2);
    else
        nres_premult(_MIPP_ mr_mip->w2, mr_mip->Asize, mr_mip->w2);

The nres prefix indicates that the function works modulo the Montgomery n-residue, i.e. the prime set with ecurve_init transferred to Montgomery form. In ecurve_init the modulus is transferred automatically via a call to prepare_monty, but coordinates must be transferred with nres(x, y), and back to ordinary form with redc(x, y). As long as the inputs are in Montgomery form, all results from nres functions will be as well. However, intermediate results printed to the screen need

61 to be reduced back to original form. This issue caused major confusion during debugging of our implementation, although this information is specified in the Miracl manual. Another problem we encountered during the implementation was that the mipregisters are used as storage for intermediate calculations in both the doubling and addition functions, the nres-functions, and the point multiplication functions. This caused registers used for storage of an intermediate calculation in the doubling and addition functions to be overwritten by call to a nres function, or when the point multiplication algorithm proceeded. To solve this problem, we had to go through all of the nres-functions, and the point multiplication functions that were used to find registers that was not in danger of being overwritten. For further reference, a list of which registers that are safe to use can be found as comments in mrcurve.c. 4.4 Implementation of Curve Representations Over Binary Fields The implementation of curves over binary fields share many similarities with the one over finite prime fields. For that reason, does this subsection only outline a few differences between the two. Function names are also the same, except that functions for curves over binary fields carry a number 2 after the first word in the function name, e.g. ecurve2_init, epoint2_set etc. Equivalently to the former section, we give a dependency schematic to over central files and functions in figure Initialization of a Curve As with finite prime fields, mirsys need to be called, and big variables initiated and set via mirvar and innum. Then the binary elliptic curve can be initiated by a call to ecurve2_init(n, a, b, c, a 2, a 6, check, type). This function initiates a binary curve over a field with n bits, and curve parameters a 2 and a 6. The integers a,b,c form the pentanomial basis for the binary irreducibile reduction polynomial f(t) with the equation: t n + t a + t b + t c + 1. 
If b = 0 then only the trinomial basis t^n + t^a + 1 is used; for more on this see section in [52].

Overview of Binary Hessian Curves Implementation

A binary Hessian curve is initiated by letting a_2 = c and a_6 = d in ecurve2_init. To support point decompression on binary Hessian curves in epoint2_set, we follow subsection . To solve the quadratic equation we use Miracl's quad2 function. If it has no solution, the y-coordinate cannot be recovered and the function returns FALSE. If a solution exists, we proceed to find the cube root in the binary field. For this we have added cuberoot2 and power2modf to mrgf2m.c. The function power2modf provides exponentiation: given three big variables w, x, z, on return z = w^x (mod f) for the binary reduction polynomial f(t). This function is simply an extension of Miracl's power2 function, which

Figure 4.2: The hierarchy of ECC over binary fields in Miracl.

only accepts primitive integer type exponents. cuberoot2 checks that the bit size n of the field is odd, builds the exponent

    e = (2^(n+1) − 1) / 3

and uses power2modf to do the exponentiation. The function returns FALSE if the bit size of the field is even, otherwise TRUE with the cube root in z. Be advised that cuberoot2 uses Miracl's power function, which overwrites all working registers except the input. To handle this we used the coordinates of the output point to store the intermediate results in epoint_set.

Overview of Binary Edwards Curves Implementation

When initiating a binary Edwards curve, the implementation checks that d_1 = d_2, where a_2 = d_1 and a_6 = d_2, as required by the curve representation in subsection . To set the coordinates of a point, use the binary field equivalent epoint2_set(x, y, cb, type). As before, decompression is supported by letting x = y. To implement this we used Miracl's implementation of binary Weierstrass curves as a reference, but followed the requirements from subsection to obtain the quadratic equation. This equation is solved by the existing quad2 function; to select the correct root from the solution in e.g. w10 we use:

    incr2(mr_mip->w10, cb ^ parity2(mr_mip->w10), p->Y);

incr2(big w, int x, big z) uses binary field addition to add w and x and stores the result in z. parity2(big v) returns the LSB of v. Because cb and parity2 are both one-bit integers, the bitwise XOR (^) operator gives binary field addition.

Addition and Doubling Formulas

As before, we have implemented the doubling and addition formulas in the binary field equivalent functions ecurve2_double, ecurve2_padd, epoint2_negate and epoint2_norm, using the formulas of subsections and . These functions use binary field arithmetic as described in section 2.4. In Miracl this is implemented as add2, modmult2, modsquare2 and inverse2.
Additionally, the binary Edwards formulas require sqroot2. As for finite prime fields, the binary field arithmetic functions also use the mip work registers, which caused problems when debugging our implementation. To solve this, we again checked each binary field arithmetic function and listed the safe registers as comments in the code of mrec2m.c.
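The cube-root and root-selection steps of binary Hessian and binary Edwards decompression described above, as an added illustration that is neither the thesis's nor Miracl's code: a toy field F_{2^11} with the trinomial t^11 + t^2 + 1 (an assumption chosen so that n is odd), the cube root computed through the exponent e = (2^(n+1) − 1)/3 as in cuberoot2, and the quadratic z^2 + z = c solved by the half-trace with the root picked by the compression bit, mirroring the incr2/parity2 line.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not Miracl code): a toy binary field F_{2^11} with the
 * trinomial reduction polynomial f(t) = t^11 + t^2 + 1, so that n = 11 is odd.
 * Elements are bit vectors; bit i holds the coefficient of t^i. */
#define GF_N 11
#define GF_POLY ((1u << GF_N) | (1u << 2) | 1u)
typedef uint32_t gf;

/* Schoolbook multiplication followed by reduction modulo f(t) (the role of modmult2). */
static gf gf_mul(gf a, gf b) {
    gf r = 0;
    for (int i = 0; i < GF_N; i++)
        if ((b >> i) & 1) r ^= a << i;
    for (int i = 2 * GF_N - 2; i >= GF_N; i--)
        if ((r >> i) & 1) r ^= GF_POLY << (i - GF_N);
    return r;
}

static gf gf_sqr(gf a) { return gf_mul(a, a); }

/* z = w^e by square-and-multiply, what power2modf provides for bigs. */
static gf gf_pow(gf w, uint32_t e) {
    gf z = 1;
    for (int i = 31; i >= 0; i--) {
        z = gf_sqr(z);
        if ((e >> i) & 1) z = gf_mul(z, w);
    }
    return z;
}

/* Cube root as in cuberoot2: for odd n the exponent e = (2^(n+1) - 1)/3 is an
 * integer and 3e = 2(2^n - 1) + 1, so (w^e)^3 = w for every field element w.
 * Returns false when n is even, where this exponent does not exist. */
static bool gf_cuberoot(gf w, gf *z) {
    if (GF_N % 2 == 0) return false;
    uint32_t e = ((1u << (GF_N + 1)) - 1) / 3;
    *z = gf_pow(w, e);
    return true;
}

/* Solve z^2 + z = c (the quadratic quad2 solves) with the half-trace, which for
 * odd n yields a root exactly when Tr(c) = 0; the candidate is verified instead
 * of computing the trace separately. */
static bool gf_solve_quad(gf c, gf *z) {
    gf h = 0, t = c;
    for (int i = 0; i <= (GF_N - 1) / 2; i++) {
        h ^= t;
        t = gf_sqr(gf_sqr(t));
    }
    if ((gf_sqr(h) ^ h) != c) return false;
    *z = h;
    return true;
}

/* The two roots are z and z + 1 and differ only in the LSB, so the compression
 * bit cb selects one of them: the effect of incr2(w, cb ^ parity2(w), y). */
static gf gf_select_root(gf z, int cb) {
    return z ^ (gf)(cb ^ (int)(z & 1));
}

/* Self-checks: cube root round trip, and recovery of z0 from (c, cb) alone. */
static bool cuberoot_roundtrip(gf w) {
    gf z;
    if (!gf_cuberoot(w, &z)) return false;
    return gf_mul(gf_sqr(z), z) == w;
}
static bool root_recovered(gf z0) {
    gf c = gf_sqr(z0) ^ z0, z;          /* constructed c, so Tr(c) = 0 holds */
    if (!gf_solve_quad(c, &z)) return false;
    return gf_select_root(z, (int)(z0 & 1)) == z0;
}
static bool quad_has_root(gf c) { gf z; return gf_solve_quad(c, &z); }

int main(void) {
    printf("cube root round trip: %s\n", cuberoot_roundtrip(0x2A5) ? "ok" : "fail");
    printf("root selection:       %s\n", root_recovered(0x1F3) ? "ok" : "fail");
    printf("z^2 + z = 1 solvable: %s\n", quad_has_root(1) ? "yes" : "no");
    return 0;
}
```

Since Tr(1) = n mod 2 = 1 in this field, z^2 + z = 1 has no solution, which is the case where decompression must report failure.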


Chapter 5 Test Methodology

This chapter presents the test methodology, i.e. how tests can be designed to meet the test criteria. Firstly, it explains how to count and weigh the field operations in Miracl. Secondly, the chapter gives the reasoning for the choice of curves, and the generation of curves where pre-generated curves do not exist. Lastly, the chapter defines the tests that meet the predefined test criteria.

5.1 Computational Complexity

When comparing computational complexity, the literature usually refers to the order of growth of the algorithms. From a function of the order of growth one can deduce expressions for e.g. the worst-case behaviour of the algorithm. In the context of this thesis, the algorithms for point multiplication and the ECC protocols remain the same, but the complexity of the doubling and addition functions differs between the curve representations. For that reason, the number of calls to field operations and the cost of those operations need to be collected. Notice that the algorithms for compressing and decompressing a point also differ between the curve representations. Still, these do not carry enough cost to greatly impact the number of field operations: recall from subsection that on average a point multiplication doubles a point n times and adds n/3 times when using the addition-subtraction algorithm, whereas compression and decompression are executed only once per key generation, signature or verification. As a result, we assume the cost of compression and decompression to be constant.

Counting of Operations

To make it easy to compare our results with earlier work such as [53], we simply count multiplications of variables (M) and squarings (S). Occasionally, we also count field inversions (I). For simplicity's sake, we omit counting additions and subtractions, and divisions by small integers, as they require much less time to execute.
Moreover, if a variable is needed more than once in a formula, it is calculated only once and stored in memory. In summary, we would like to count only multiplications, hence we need some scaling for S and I; how this is done in Miracl is explained in the next section. We distinguish between operations over F_p for a prime p and over F_2^n for n ≥ 2, as these can have different scales. This way of counting operations is found in many places in the literature, e.g. [53]. We include a count example for the addition formula in affine coordinates:

    m = (y_2 − y_1) / (x_2 − x_1)    Find the inverse of the denominator and multiply with the numerator: 1 I + 1 M.
    x_3 = m^2 − x_1 − x_2            Square m; again the subtractions are omitted: 1 S.
    y_3 = m (x_1 − x_3) − y_1        Multiply with m: 1 M.
    Total: 2 M + 1 S + 1 I

Counting Operations in Miracl

Miracl already contains methods for counting multiplications and inversions over both finite prime fields and binary fields. To enable this feature, add the line

    #define MR_COUNT_OPS

to the mirdef.h* file and recompile the library. The counters are the global ints fpc and fpx, which are incremented for each call to nres_modmult and xgcd respectively. The latter is used by nres_moddiv to find the inverse; nres_moddiv then multiplies this inverse with the numerator, so the cost of nres_moddiv is the scale of xgcd plus one multiplication. In the same manner, the counters fpm2 and fpi2 are incremented for each call to modmult2 and inverse2. inverse2 is the binary field equivalent of xgcd and finds the inverse of the denominator; a full division additionally multiplies the numerator with this inverse, adding one multiplication. Because the cost of squaring and multiplication can differ, we want separate counters for these functions. In F_2^n this already exists, namely the counter fps2 for modsquare2. In F_p, on the other hand, nres_modmult is used for both multiplication and squaring with only a multiplication counter. To change this, we have added an additional counter (fpcsq) for squarings.
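The counting scheme of this section, as an added worked example that is not Miracl's code: affine short Weierstrass arithmetic over a small constructed prime with M, S and I counters, where a product of two identical operands counts as a squaring (the rule of the added fpcsq counter), run through an addition-subtraction (NAF) scalar multiplication so that the per-operation counts and the conversion to an estimate in multiplications can be checked. The curve y^2 = x^3 − 3x + 6 over p = 1000003 and the base point (1, 2) are assumptions made for illustration, not test curves of the thesis.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example, not Miracl's code: counted affine arithmetic on the short
 * Weierstrass curve y^2 = x^3 - 3x + 6 over the small prime p = 1000003 with base
 * point (1, 2), all chosen here for illustration. The counters play the role of
 * the MR_COUNT_OPS globals: M (fpc), S (the added fpcsq) and I (fpx). */
#define P 1000003ULL
#define A (P - 3)                 /* a = -3 mod p, as for the NIST prime curves */
typedef struct { long m, s, i; } opcount;
static opcount cnt;               /* global counters, reset by the count_* functions */
typedef struct { uint64_t x, y; bool inf; } point;

/* A product counts as a squaring when both operands are identical, the rule used
 * to split the nres_modmult counter into fpc and fpcsq. */
static uint64_t fmul(uint64_t x, uint64_t y) {
    if (x == y) cnt.s++; else cnt.m++;
    return x * y % P;
}
/* Additions, subtractions and small-integer multiples are not counted. */
static uint64_t fadd(uint64_t x, uint64_t y) { return (x + y) % P; }
static uint64_t fsub(uint64_t x, uint64_t y) { return (x + P - y) % P; }
/* Inversion counts as one I (xgcd in Miracl); its internal arithmetic is not counted. */
static uint64_t finv(uint64_t x) {
    uint64_t r = 1, b = x, e = P - 2;
    cnt.i++;
    while (e) { if (e & 1) r = r * b % P; b = b * b % P; e >>= 1; }
    return r;
}
static point pneg(point p) { if (!p.inf) p.y = (P - p.y) % P; return p; }

/* Doubling: m = (3x^2 + a)/(2y), x3 = m^2 - 2x, y3 = m(x - x3) - y: 2M + 2S + 1I. */
static point pdouble(point p) {
    point r = { 0, 0, true };
    if (p.inf || p.y == 0) return r;
    uint64_t xx = fmul(p.x, p.x);                            /* 1S */
    uint64_t num = fadd(fadd(fadd(xx, xx), xx), A);          /* 3x^2 + a by additions */
    uint64_t m = fmul(num, finv(fadd(p.y, p.y)));            /* 1I + 1M */
    r.x = fsub(fsub(fmul(m, m), p.x), p.x);                  /* 1S */
    r.y = fsub(fmul(m, fsub(p.x, r.x)), p.y);                /* 1M */
    r.inf = false;
    return r;
}

/* Addition: m = (y2 - y1)/(x2 - x1), x3 = m^2 - x1 - x2, y3 = m(x1 - x3) - y1,
 * the 2M + 1S + 1I of the count example above. */
static point padd(point p, point q) {
    point r = { 0, 0, true };
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x) return (p.y == q.y) ? pdouble(p) : r;    /* P == Q or P == -Q */
    uint64_t m = fmul(fsub(q.y, p.y), finv(fsub(q.x, p.x))); /* 1I + 1M */
    r.x = fsub(fsub(fmul(m, m), p.x), q.x);                  /* 1S */
    r.y = fsub(fmul(m, fsub(p.x, r.x)), p.y);                /* 1M */
    r.inf = false;
    return r;
}

/* Addition-subtraction method: k is recoded in NAF (digits 0, 1, -1), giving one
 * doubling per digit and on average one addition or subtraction per three digits. */
static point naf_mult(uint64_t k, point p) {
    int naf[66], len = 0;
    while (k) {
        int d = 0;
        if (k & 1) { d = ((k & 3) == 1) ? 1 : -1; k = (d == 1) ? k - 1 : k + 1; }
        naf[len++] = d;
        k >>= 1;
    }
    point r = { 0, 0, true }, np = pneg(p);
    for (int i = len - 1; i >= 0; i--) {
        r = pdouble(r);                                      /* free while r is infinity */
        if (naf[i] == 1) r = padd(r, p);
        else if (naf[i] == -1) r = padd(r, np);
    }
    return r;
}

/* Reference by repeated addition, used only to check naf_mult. */
static point naive_mult(uint64_t k, point p) {
    point r = { 0, 0, true };
    while (k--) r = padd(r, p);
    return r;
}
static bool point_eq(point a, point b) {
    return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y));
}
static point base_point(void) { point g = { 1, 2, false }; return g; }

/* Reset the counters, run one operation on the base point, return the counts. */
static opcount count_add(void) {
    point g = base_point(), g2 = pdouble(g);
    cnt = (opcount){ 0, 0, 0 }; padd(g, g2); return cnt;
}
static opcount count_double(void) { cnt = (opcount){ 0, 0, 0 }; pdouble(base_point()); return cnt; }
static opcount count_mult(uint64_t k) { cnt = (opcount){ 0, 0, 0 }; naf_mult(k, base_point()); return cnt; }
/* Express a count in multiplications with scales for S and I, as with table 5.1. */
static double estimated_m(opcount c, double s, double i) { return (double)c.m + s * (double)c.s + i * (double)c.i; }
```

For k = 29 the NAF has six digits, so count_mult(29) reports five doublings and two additions (14 M, 12 S, 7 I), which estimated_m turns into a single number once the S and I scales of the target bit size are supplied.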
The multiplication counter is now incremented only if the first two parameters differ; otherwise the squaring counter is incremented. Because multiplication with small integers can be done by additions and subtractions, we do not count a call to nres_premult as a multiplication. In addition, we omit counting the square root used in the doubling formula for binary Edwards curves, because we pre-compute this value, so the operation is performed only once and its cost is neglected. By changing the benchmark program imratio.c in Miracl to fit the chosen bit sizes of the field, we have estimated the scales of squaring, inversion (xgcd) and addition relative to the cost of one multiplication for the different bit sizes. These scales let us express the total operation count as a number of multiplications. From the data in table 5.1 we conclude that the scale of addition is more or less 0, hence negligible. The other scales are used as given in the next chapter. Equivalently, the scales for squaring, inversion (inverse2) and addition in F_2^n can be estimated by running imratio2.c on the selected bit sizes of the field, as shown in table 5.2. Again, notice that addition has minimal cost and can thus be omitted.

Table 5.1: Scale for field operations in F_p
    Operation        256 bits   384 bits   512 bits
    Time for one M   0.27 µs    0.58 µs    0.85 µs
    Squaring (S)
    Inversion (I)
    Addition

Table 5.2: Scale for field operations in F_2^n
    Operation        283 bits   409 bits   571 bits
    Time for one M   0.36 µs    0.59 µs    0.90 µs
    Squaring (S)
    Inversion (I)
    Addition

5.2 Selection and Generation of Test Curves Over F_p

We select curves that are suggested to have high performance and at the same time are believed to be secure. Where security is uncertain, we aim for performance. Note that some curves can be used in several curve representations. Occasionally, curves over fields with slightly smaller or larger bit sizes are given, but still within the range of an equivalent security level. In the following subsections we give a short rationale for the choice of curves for each curve representation.

Short Weierstrass Curves

The name short Weierstrass curves refers to curves given by the short Weierstrass equation, in both affine and projective coordinates. Table 5.3 shows curves from NIST, Brainpool and NUMS [10, 19, 20].

Table 5.3: Weierstrass test curves
    Field size in bits   Curve
    256                  nistp256
    256                  brainpoolp256r1
    256                  numsp256d1
    384                  nistp384
    384                  brainpoolp384r1
    384                  numsp384d1
    512                  brainpoolp512r1
    512                  numsp512d1
    521                  nistp521

Twisted Edwards Curves

When choosing parameters and curves for our twisted inverted Edwards curve implementation, we need a and d to be small enough that we can use nres_premult and avoid two extra multiplications. Table 5.4 lists curves at the chosen bit sizes. The E-curves are obtained from [55] and the NUMS curves from [20].

Table 5.4: Edwards test curves
    Field size in bits   Curve
    251                  Curve1174 [56]
    256                  numsp256t1
    382                  E-382
    384                  numsp385t1
    512                  numsp512t1
    521                  E-521

Twisted Hessian Curves

To our knowledge, there are no pre-generated Hessian curves over F_p in the literature or in standards, except for one in [57]. However, that curve does not fit our prime condition. For that reason, we have generated random curves at the given security levels. The curves are generated in the following manner. Find an n-bit prime which is 2 mod 3 and 3 mod 4, where n is the desired bit size of the field. Where possible it is also desirable to have the prime close to a power of two, as the field operations could later be optimized for this prime. The primes for our 256-bit and 381-bit curves are selected from [58]. For field sizes of 500 bits we have selected a 497-bit prime from [59]; for readability this prime is shown in appendix A.1.3. To protect the curve from the subgroup attack and initiate the curve with a base point that is a generator, it is necessary to count the number of points on the curve. This can be done with the improved version of Schoof's algorithm, the Schoof-Elkies-Atkin (SEA) algorithm for point counting. Miracl contains an implementation of this algorithm in sea.cpp, but it only works for Weierstrass curves. So in order to count the points on the Hessian curve we need to transform it to Weierstrass form, which can be done with the equations from subsection . This gives a = 1 and leaves d to be set arbitrarily; we let d = 2 to utilize nres_premult. This gives the equation:

    2 (a_1 − δ) = 3 (a_1 + 2δ)

Solving for δ we get δ = −a_1/8. Insert δ into δ3 = a a 3 to get: a = a3 1 27a 3. This leads us to a family of general Weierstrass curves where 19a 3 1 = 512a 3. Because the characteristic is neither 2 nor 3, the general Weierstrass form can be transformed to the short Weierstrass form required by Miracl using the formulas on p. 10 of [17]. Simplified, a and b in short Weierstrass form can be expressed as: a = a 1a 3 2 a b = a3 1 a a a. For all of the primes above we have used a randomly generated a_1. A general form of this transformation is implemented in hessiantoweierstrass.c. Finally, the number of points can be counted on the Weierstrass curve and random base points can be generated. The base points are found by generating a random z-coordinate, using the decompression method to find the y-coordinate, and checking that the point has order equal to the counted order of the curve. This process is implemented in basepointfp.c. The resulting random curves can be found in appendix A.1. To not be vulnerable to the subgroup attack, the number of points on a Hessian curve should be 3 times a large prime factor, as the minimal cofactor is 3. The curves we have generated do not fulfill this condition and are highly composite; they serve only as curves for performance testing.
As a result, the parameter q in ECDSA from section is composite. If q is composite and the ephemeral key k_E from the signing formula is not relatively prime to q, the inverse does not exist. Similarly, if the parameter s has no inverse, the signature verification cannot be computed. In Miracl, the function that computes inverses fails silently by returning 0. In the cases just mentioned, a valid signature would therefore be reported as invalid in our tests. For that reason, we have added loops that generate new random parameters until k_E and s are relatively prime to q.

5.3 Selection of Test Curves Over F_2^n

This section presents the curves used for testing at the selected security levels in the different curve representations over binary fields. As in the last section, the aim is performance, while at the same time selecting curves that are believed to be secure. For Weierstrass curves this section gives such curves; for Edwards and Hessian curves random curves are generated. As mentioned in section 2.2.2, we consider only polynomial bases. Moreover, all curves have the same basis at a given security level.

Binary Weierstrass Curves

For binary Weierstrass curves we test in both affine and projective coordinates. The following curves are taken from [10]:

Table 5.5: Binary Weierstrass test curves
    Field size in bits   Curve
    283                  nistb283
    283                  nistk283
    409                  nistb409
    409                  nistk409
    571                  nistb571
    571                  nistk571

Binary Edwards Curves

As with Hessian curves over prime fields, binary Edwards curves are rarely found in the literature; the exception known to us is the BBE251 curve in [60]. Because this is a 251-bit curve, we have only used it as a proof of concept for our functions. For performance testing we have tried to generate our own curves. From the formula definition we need d_1 = d_2, and the value must be small so that the cost of multiplication by it can be neglected; additionally we note that binary Edwards curves have minimal cofactor 4. To keep d_1 small and the curve generation process manageable, we have simply set n equal to the desired bit size, used the basis from the NIST curves, and counted the number of points for d_1 ∈ {2...16}. To count the number of points we have used schoof2.cpp from Miracl, which is a binary field equivalent of Schoof's algorithm, although without the performance improvements of sea.cpp. Because schoof2 requires a curve on the form y^2 + xy = x^3 + ax^2 + b, we implemented the birational equivalence from in binedtobinweierstrass.c.
After selecting the curve with the largest prime factor and the fewest small factors, we generated a random base point for the curves using basepointf2n. For 283 bits we found a curve with minimal cofactor using d_1 = 13; it can be found in A.3.1, and we named this curve Lucky Number Thirteen. In contrast, the above method for generating curves over fields of 409 bits came out empty-handed. Running schoof2 for all of the 15 curves with d_1 from 2 to 16 gave a value for #E(F_2^n) together with a warning that the result is probably correct. To verify the count, multiplying a point on E by #E(F_2^n) should give the point at infinity, by Lagrange's theorem (section 2.1). We generated several points and multiplied them by #E(F_2^n) using basepointf2n.c; none of these gave the point at infinity, which suggests that the counted number of points on the curve is incorrect. Due to the time limitation and scope of the thesis we have not investigated this issue further, and omit testing binary Edwards curves over 409-bit fields. We also omit testing curves of bit size 571, mainly for two reasons. Firstly, schoof2 crashes for inputs of this size. This could probably be fixed by increasing the memory allocation; we did this to make it possible to count 409-bit curves, following advice from Mike Scott, one of the authors of Miracl. Secondly, even if the algorithm would run, it is extremely slow for such large inputs: it took over 24 hours before it crashed counting the first 571-bit curve. This makes it impractical to find curves of this size. Better algorithms exist, see [61], but we did not find any ready-to-run implementations, nor did we have the time to implement our own.

Binary Hessian Curves

Again, there are few sources of pre-generated curves. The exception is the 191-bit example curve in [29], which acts as a proof of concept for our functions. To generate curves over fields with higher bit sizes, we reuse the approach from the last section. As before, we want the curve parameters a and d to be small so that the cost of multiplication by them can be neglected.
To do so, let d ∈ {2...16} and a = 1 to utilize remark 1 as described in , giving the curve:

    y^2 + a_1 x y + a_3 y = x^3

This is the generalized Weierstrass equation with some coefficients set to zero. Since we are in characteristic 2, the following substitutions from p. 48 in [17] apply:

    x = a_1^2 x_1 + a_3 / a_1,    y = a_1^3 y_1 + a_3^2 / a_1^3

This gives the curve on the required form:

    y_1^2 + x_1 y_1 = x_1^3 + (a_3 / a_1^3) x_1^2 + a_3^3 / a_1^9 + a_3^4 / a_1^12

The curve can now be counted using schoof2, and we select at each security level the curve with the largest prime factor and the fewest small factors. For fields of 283 bits, the best Hessian curve candidate we could find has three small prime factors and one large prime factor of 274 bits. The base point for this curve has order equal to the large prime factor; for details see A.2.1. At the 409-bit level we did not manage to find a large prime subgroup. As a result, we give a random 409-bit curve with a base point of composite order. As for Hessian curves over prime fields of odd characteristic, composite order can cause ECDSA to fail. Therefore, we incorporate the same checks to proceed only when k_E and s are relatively prime to q. The resulting curve can be found in appendix A.2.2. For the same reason as with binary Edwards curves, we could not produce any curves of 571 bits.

5.4 Testing Cofactor

By testing the aforementioned curve representations, curves with cofactors 1 to 4 will be tested.

5.5 Test Design

To test the impact of the different curve representations over both F_p and F_2^m on the ECC protocols ECDSA and ECDH, we have made four tests. The first test counts the number of field operations used when signing and verifying a signature with the ECDSA scheme. This test is based on ecsgen.c, ecsign.c and ecsver.c from Miracl, but fitted into ecdsaspeedtest.c with the possibility of a fixed seed for easy re-runs. We stress that a fixed seed should not be used in practice, for security reasons. The second test is the F_2^n equivalent of the first and can be found in ecdsaspeedtest2.c. The two other tests are the files ecdhspeedtest.c and ecdhspeedtest2.c, which are based on parts of pk-demo.c in Miracl. These tests generate two key pairs and simulate a key exchange using the ECDH scheme. Like the ECDSA test, this test also has the possibility of a fixed seed and easy re-runs. All tests have been fitted with Miracl's compile directives, so the curve representation is easily set through mirdef.h*. In addition, each curve representation has its own array of curves so that more curves can easily be added. The tests have two functions: firstly, to confirm the functionality of the implemented curve representations; secondly, to give a detailed count of the calls to the field operations multiplication, squaring and inversion in the given field.
The first function works out of the box; the second is activated by adding the compile directive #define MR_COUNT_OPS to mirdef.h*. For performance testing, field operations are counted only during scalar multiplication with ecurve_mult or double-scalar multiplication with ecurve_mult2, or their binary field equivalents. We omit counting key generation, as this could be carried out beforehand. Moreover, the field operations required for compression and decompression are considered constant and hence also omitted from the count. As a result, the two ECDH tests count the number of field operations required to calculate the common key. Because the private keys on both sides of the key exchange have the same size, we limit the counting to one side, i.e. we measure the number of field operations for one point multiplication with a scalar of size equal to the bit size of the field.

For the ECDSA tests we only count operations in the two point multiplications used when signing and verifying the digital signature, i.e. one scalar multiplication and one double-scalar multiplication. To make our results applicable to various applications, we report the results of signing and verifying separately, as their performance may differ. To make sure the test results are not skewed by the random choice of private key and ephemeral key, each test is executed 1000 times; this number can easily be increased.

5.6 Theoretical Analysis

Before proceeding with the results of the practical tests, this section gives a theoretical analysis of the expected outcome of the tests.

Theoretical Analysis of ECDH

During an ECDH key exchange two point multiplications are carried out, by calling ecurve_mult over a prime field and ecurve2_mult over a binary field, but as mentioned we limit our count to one of them. Over both fields, Miracl uses the addition-subtraction method from section . This method uses on average n doublings and n/3 additions. By counting the number of operations in the formulas and using the scales from tables 5.1 and 5.2, one can estimate the number of multiplications needed to add or double a point in each curve representation. This is shown in tables 6.2 and 6.3 in the following chapter. Multiplying these results by the average number of doublings and additions at the required bit sizes of the fields gives a theoretical estimate of the number of multiplications needed. For comparison with the practical tests, the average values have been multiplied by 1000. Because the formulas differ between the two fields and the scale is different for each security level, we give one table for each field in the results. Each table contains the different curve representations and the security levels as before.
The results can be found in tables 6.4 and 6.5.

Theoretical Analysis of ECDSA

When using ECDSA to sign a file and verify the signature, two point multiplications are carried out. For signing this is a normal point multiplication using ecurve_mult, or ecurve2_mult when working over a binary field, so we can reuse the analysis from the last subsection. For verification, on the other hand, a call to either ecurve_mult2 or ecurve2_mult2 is executed depending on the field. Over finite prime fields ecurve_mult2 uses the JSF from section , which gives n doublings and n/2 additions on average. Beforehand, this function also calls ecurve_add_sub once as part of a pre-computation. As a result, a call to ecurve_mult2 uses n doublings, n/2 additions and 1 addition-subtraction. The theoretical estimate for 1000 calls to ecurve_mult2 can be found in table 6.6. In contrast, ecurve2_mult2 does not use any addition-subtraction formulas. Normally this function uses the JSF, resulting in the same number of doublings and additions as for prime fields, but with the different field sizes as before. For Koblitz curves, however, it uses the NAF, resulting in 5n/9 additions. Koblitz curves are curves on the form y^2 + xy = x^3 + ax^2 + 1 with a = 0 or 1, see subsection . As a result, we give estimates for both normal curves and Koblitz curves for ECDSA over binary fields in table 6.7.

Chapter 6 Results

This chapter first shows a theoretical count of the doubling and addition formulas of all the curve representations over both prime and binary fields. Then it gives the results of running ecdhspeedtest.c, ecdhspeedtest2.c, ecdsaspeedtest.c and ecdsaspeedtest2.c for all the implemented curve representations, using the curves specified in the former chapter. All results were obtained by compiling Miracl and our additions by running bash linux64 on the system in table 6.1.

Table 6.1: Running specifications
    OS       Red Hat Enterprise Linux Workstation release 7.2
    Kernel   el7.x86_64
    GCC      version (Red Hat )

6.1 Theoretic Operation Count for Doubling and Addition Over F_p

Table 6.2 shows an operation count for the three functions doubling, addition and addition-subtraction in the implemented curve representations over F_p. These counts are multiplied with the scales given in table 5.1 to give an estimated (Est.) number of multiplications at the given bit size level. For Edwards and Hessian curves we assume a, d to be small so that nres_premult can be used, thus omitting them from the count. Additionally, we assume projective Weierstrass curves with A = −3. Notice that we have added an extra multiplication to formulas containing inversions, as I only counts finding the inverse. For projective addition and add-sub we have assumed that neither point is normalized.

Table 6.2: Operation count for doubling, addition and addition-subtraction over F_p. Est. gives an estimated number of multiplications at the given bit size level.
    Function   Curve representation   M   S   I   Est. M (256 bit)   Est. M (384 bit)   Est. M (512 bit)   Source
    doubling   Affine                                                                                      theorem 2.10, formula 3
    doubling   Hessian                                                                                     section
    doubling   Projective                                                                                  section
    doubling   Edwards                                                                                     section
    addition   Hessian                                                                                     section
    addition   Affine                                                                                      theorem 2.10, formula 1
    addition   Projective                                                                                  section
    addition   Edwards                                                                                     section
    add-sub    Edwards                                                                                     section
    add-sub    Hessian                                                                                     section
    add-sub    Projective                                                                                  section
    add-sub    Affine                                                                                      section

6.2 Theoretic Operation Count for Doubling and Addition Over F_2^n

Table 6.3 shows an operation count for the two functions doubling and addition in the implemented curve representations over F_2^n. The counted field operations are multiplied with the scales given in table 5.2 to give an estimated (Est.) number of multiplications at the given bit size level. Again we assume a, d to be small for the binary Hessian curve, and a small d_1 = d_2 for the binary Edwards curve. Additionally, we have added an extra multiplication for each inversion, as I only counts the time taken to find the inverse.

Table 6.3: Operation count for doubling and addition formulas over F_2^n. Est. gives an estimated number of multiplications at the given bit size level.
    Function   Curve representation   M   S   I   Est. M (283 bit)   Est. M (409 bit)   Est. M (571 bit)   Source
    doubling   Affine                                                                                      section
    doubling   Hessian                                                                                     section
    doubling   Projective                                                                                  section
    doubling   Edwards                                                                                     section
    addition   Affine                                                                                      section
    addition   Projective                                                                                  section
    addition   Hessian                                                                                     section
    addition   Edwards                                                                                     section

6.3 Theoretic Analysis of ECDH Over F_p

Table 6.4: Estimated number of multiplications (M) for 1000 ecurve_mult in ECDH over F_p.
    Curve representation   256 bits   384 bits   512 bits
    Affine
    Hessian
    Projective
    Edwards

6.4 Theoretic Analysis of ECDH Over F_2^n

Table 6.5: Estimated number of multiplications (M) for 1000 ecurve2_mult in ECDH over F_2^n.
    Curve representation   283 bits   409 bits   571 bits
    Affine
    Hessian
    Projective
    Edwards

6.5 Theoretic Analysis of ECDSA Over F_p

Table 6.6: Estimated number of multiplications (M) for 1000 ecurve_mult2 in ECDSA over F_p.
    Curve representation   256 bits   384 bits   512 bits
    Affine
    Hessian
    Projective
    Edwards

6.6 Theoretic Analysis of ECDSA Over F_2^n

Table 6.7: Estimated number of multiplications (M) for 1000 ecurve2_mult2 in ECDSA over F_2^n.
    Curve representation   283 bits   409 bits   571 bits
    Normal curves
    Affine
    Hessian
    Projective
    Edwards
    Koblitz curves
    Affine
    Projective

6.7 Test Results for ECDH Over F_p

This section gives the results of running ecdhspeedtest.c at the selected security levels with the chosen curves as given in the last section. The column "Total estimated M" gives the estimated total number of multiplications of the counted operations, using the scales from table 5.1.

Table 6.8: Results of running ecdhspeedtest.c for curves over 256 bit prime fields. Note: for Brainpool P-256r1, A ≠ −3.
    Curve representation   Curve                 Total M   Total S   Total I   Total estimated M
    Affine                 Brainpool P-256r
    Affine                 NIST P
    Affine                 NUMS P-256d
    Projective             Brainpool P-256r
    Projective             NUMS P-256d
    Projective             NIST P
    Hessian                hessiantest256.ecs
    Edwards                NUMS P-256t
    Edwards                Curve

384 bits

Table 6.9: Results of running ecdhspeedtest.c for curves over 384 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine Brainpool P-384r, Affine NUMS P-384d, Affine NIST P, Projective Brainpool P-384r, Hessian hessiantest381.ecs, Projective NIST P, Projective NUMS P-384d, Edwards NUMS P-384t, Edwards E.]

512 bits

Table 6.10: Results of running ecdhspeedtest.c for curves over 512 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST P, Affine NUMS P-512d, Affine Brainpool P, Projective Brainpool P, Projective NIST P, Projective NUMS P-512d, Hessian hessiantest497.ecs, Edwards E, Edwards NUMS P-512t.]

6.8 Test Results for ECDH Over F_{2^n}

This section gives the results of running ecdhspeedtest2.c on the selected security levels with the chosen curves as given in the last section. The column "Total estimated M" gives the estimate of the total number of multiplications for the counted operations, using the scales from table 5.2.

283 bits

Table 6.11: Results of running ecdhspeedtest2.c for curves over 283 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Edwards Lucky Number Thirteen, Hessian binhes, Projective NIST B, Affine NIST K, Projective NIST K.]

409 bits

Table 6.12: Results of running ecdhspeedtest2.c for curves over 409 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Hessian binhes, Projective NIST B, Affine NIST K, Projective NIST K.]

571 bits

Table 6.13: Results of running ecdhspeedtest2.c for curves over 571 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Projective NIST B, Affine NIST K, Projective NIST K.]

6.9 Test Results for ECDSA Over F_p

In this section we present the results of the tests from signing and verifying a signature over prime fields. For each field size we give two tables, one with the results of signing and one with the results from verifying the same signature. Again, the column "Total estimated M" gives the estimate of the total number of multiplications for the counted operations, using the scales from table 5.1.

256 bit

Table 6.14: Results of signing, running ecdsaspeedtest.c for curves over 256 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST P, Affine NUMS P-256d, Affine Brainpool P-256r, Projective Brainpool P-256r, Projective NIST P, Projective NUMS P-256d, Hessian hessiantest, Edwards NUMS P-256t, Edwards Curve.] Note: For Brainpool P-256r1, A ≠ −3.

Table 6.15: Results of verifying, running ecdsaspeedtest.c for curves over 256 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NUMS P-256d, Affine NIST P, Affine Brainpool P-256r, Projective Brainpool P-256r, Hessian hessiantest, Projective NIST P, Projective NUMS P-256d, Edwards NUMS P-256t, Edwards Curve.] Note: For Brainpool P-256r1, A ≠ −3.

384 bit

Table 6.16: Results of signing, running ecdsaspeedtest.c for curves over 384 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NUMS P-384d, Affine NIST P, Affine Brainpool P-384r, Projective Brainpool P-384r, Hessian hessiantest, Projective NUMS P-384d, Projective NIST P, Edwards NUMS P-384t, Edwards E.]

Table 6.17: Results of verifying, running ecdsaspeedtest.c for curves over 384 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NUMS P-384d, Affine NIST P, Affine Brainpool P-384r, Projective Brainpool P-384r, Hessian hessiantest, Projective NUMS P-384d, Projective NIST P, Edwards NUMS P-384t, Edwards E.]

512 bit

Table 6.18: Results of signing, running ecdhspeedtest.c for curves over 512 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST P, Affine NUMS P-512d, Affine Brainpool P, Projective Brainpool P, Projective NIST P, Projective NUMS P-512d, Hessian hessiantest, Edwards E, Edwards NUMS P-512t.]

Table 6.19: Results of verifying, running ecdhspeedtest.c for curves over 512 bit prime fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST P, Affine NUMS P-512d, Affine Brainpool P, Projective Brainpool P, Hessian hessiantest, Projective NIST P, Projective NUMS P-512d, Edwards E, Edwards NUMS P-512t.]

6.10 Test Results for ECDSA Over F_{2^n}

In this section we present the results of the tests from signing and verifying a signature over binary fields. As before, we give two tables per field size, one with the results of signing and one with the results from verifying the same signature. Additionally, the column "Total estimated M" gives the estimate of the total number of multiplications for the counted operations, using the scales from table 5.2.

283 Bits

Table 6.20: Results of signing, running ecdsaspeedtest2.c for curves over 283 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Edwards Lucky Number Thirteen, Projective NIST B, Hessian binhes, Affine NIST K, Projective NIST K.]

Table 6.21: Results of verifying, running ecdsaspeedtest2.c for curves over 283 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Edwards Lucky Number Thirteen, Affine NIST K, Projective NIST B, Hessian binhes, Projective NIST K.]

409 Bits

Table 6.22: Results of signing, running ecdsaspeedtest2.c for curves over 409 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Projective NIST B, Hessian binhes, Affine NIST K, Projective NIST K.]

Table 6.23: Results of verifying, running ecdsaspeedtest2.c for curves over 409 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Affine NIST K, Projective NIST B, Hessian binhes, Projective NIST K.]

571 Bits

Table 6.24: Results of signing, running ecdhspeedtest2.c for curves over 571 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Projective NIST B, Affine NIST K, Projective NIST K.]

Table 6.25: Results of verifying, running ecdhspeedtest2.c for curves over 571 bit binary fields. [Table body not recovered. Columns: Curve Representation, Curve, Total M, Total S, Total I, Total estimated M. Rows: Affine NIST B, Affine NIST K, Projective NIST B, Projective NIST K.]

Chapter 7 Discussion

In this chapter we discuss our findings as presented in the previous chapter: first in terms of performance, which is the main topic, and second a few security notions. Finally, we give a summary of the discussion.

7.1 Performance

This section discusses the results of running the tests for ECDSA and ECDH over both prime and binary fields, as given in the previous chapter. Although we gave the results of point multiplication for both ECDSA and ECDH, we only discuss the results obtained in the ECDH tests, because the results are more or less equal. As a result, we rather use the terms point multiplication and double point multiplication.

Point Multiplication Over F_p

Using the tables from section 6.7 we have generated figure 7.1, shown below. The first and most obvious observation from figure 7.1 is that Weierstrass curves with affine coordinates have the worst performance at all bit size levels. Although they have far fewer multiplications and squarings than the other curve representations, as the tables in section 6.7 show, their number of inversions is the highest. Due to the high complexity of this field operation, affine Weierstrass curves need roughly twice the total estimated multiplications of the other curve representations when using the scales from table 5.1. At the far end of the results, Edwards curves seem to have the best performance on all security levels. This is natural, as they had both the best doubling and the best addition formulas in table 6.2. Looking at the difference from the second best performing curve representation on each security level, the differences are 381, 548 and 620 M per point multiplication (ppm) for the 256, 384 and 512 bit security levels. Considering a scale of 1000 point multiplications, several hundred thousand field multiplications are saved, making Edwards curves by far the fastest curve representation for ECDH over F_p.

Figure 7.1: Chart of the estimated number of M for 1000 point multiplications for curve representations over F_p.

Turning to Hessian and projective Weierstrass curves, the results are more diverse. At the 256-bit level, Hessian curves are faster, with a difference of only 34M ppm compared to the fastest projective Weierstrass curve. Theoretically, this difference can be explained by the roughly equal complexity of the doubling formulas, with the Hessian addition formulas being a bit faster than the projective ones. This could fit with our theoretic analysis in table 6.4, although we would expect the difference between the two to be much larger. Also, the results for projective Weierstrass have a huge deviation from the theoretic analysis, 700M ppm. The reason for this is that during point multiplication for projective Weierstrass, Miracl calls a pre-computation which normalizes the point before the point multiplication. As a result, there is a tradeoff where 1I+1S+3M are added ppm, but the complexity of the addition and doubling formulas is reduced. The reduction seems to vary: sometimes one point or both points are normalized during addition, sometimes none. The same goes for the doubling formulas. For that reason it is hard to anticipate the outcome of the tradeoff, other than the fact that it reduces the total amount of operations. At the 384-bit level projective Weierstrass is again faster than Hessian curves, but only with a difference of 71M ppm. This is shifted back again at the 512-bit level, where Hessian curves are 9M ppm faster than projective Weierstrass. The exception to this is the Brainpool curve; this curve does not have A = −3, and we include it as a proof that the doubling formulas are slower in this case. Because the differences are so small we cannot


More information

Los Angeles Unified School District. Mathematics Grade 6

Los Angeles Unified School District. Mathematics Grade 6 Mathematics Grade GRADE MATHEMATICS STANDARDS Number Sense 9.* Compare and order positive and negative fractions, decimals, and mixed numbers and place them on a number line..* Interpret and use ratios

More information

Key Management and Elliptic Curves

Key Management and Elliptic Curves Key Management and Elliptic Curves Key Management Distribution of ublic Keys ublic-key Distribution of Secret Keys Diffie-Hellman Key Echange Elliptic Curves Mathematical foundations Elliptic curves over

More information

7 Fractions. Number Sense and Numeration Measurement Geometry and Spatial Sense Patterning and Algebra Data Management and Probability

7 Fractions. Number Sense and Numeration Measurement Geometry and Spatial Sense Patterning and Algebra Data Management and Probability 7 Fractions GRADE 7 FRACTIONS continue to develop proficiency by using fractions in mental strategies and in selecting and justifying use; develop proficiency in adding and subtracting simple fractions;

More information

6-12 Math Course Sequence Effective

6-12 Math Course Sequence Effective 6-12 Math Course Sequence Effective 2009-2010 Regular Single Acceleration Double Acceleration Grade 6 Everyday Math Pre- Algebra Linear Algebra I Grade 7 Pre-Algebra Linear Algebra I Intermediate Algebra

More information

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element. The first exam will be on Wednesday, September 22, 2010. The syllabus will be sections 1.1 and 1.2 in Lax, and the number theory handout found on the class web site, plus the handout on the method of successive

More information

Math 126 Number Theory

Math 126 Number Theory Math 16 Number Theory Prof. D. Joyce, Clark University 8 Mar 006 Due Friday. Page 155: exercises 1,, 7. Choose one of the three and write it up completely. Whichever one you choose, find all those solutions

More information

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.

More information

CAMI KEYS. TOPIC 1.1 Whole numbers to to to to to

CAMI KEYS. TOPIC 1.1 Whole numbers to to to to to TOPIC 1.1 Whole numbers GRADE 9_CAPS Curriculum 1. Numbers, operations and relationships CONTENT Properties of numbers Describing the real number system by recognizing, defining and distinguishing properties

More information

correlated to the Michigan High School Mathematics Content Expectations

correlated to the Michigan High School Mathematics Content Expectations correlated to the Michigan High School Mathematics Content Expectations McDougal Littell Algebra 1 Geometry Algebra 2 2007 correlated to the STRAND 1: QUANTITATIVE LITERACY AND LOGIC (L) STANDARD L1: REASONING

More information

Algebra 2 Common Core Summer Skills Packet

Algebra 2 Common Core Summer Skills Packet Algebra 2 Common Core Summer Skills Packet Our Purpose: Completion of this packet over the summer before beginning Algebra 2 will be of great value to helping students successfully meet the academic challenges

More information

Alignment to the Texas Essential Knowledge and Skills Standards

Alignment to the Texas Essential Knowledge and Skills Standards Alignment to the Texas Essential Knowledge and Skills Standards Contents Kindergarten... 2 Level 1... 4 Level 2... 6 Level 3... 8 Level 4... 10 Level 5... 13 Level 6... 16 Level 7... 19 Level 8... 22 High

More information

c 2006 by CRC Press, LLC.

c 2006 by CRC Press, LLC. This is the of the Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Christophe Doche, and Gerhard Frey, Editors, CRC Press 2006. CRC Press has granted the following specific permissions

More information

BODMAS and Standard Form. Integers. Understand and use coordinates. Decimals. Introduction to algebra, linear equations

BODMAS and Standard Form. Integers. Understand and use coordinates. Decimals. Introduction to algebra, linear equations HIGHER REVISION LIST FOUNDATION REVISION LIST Topic Objectives Topic Objectives BODMAS and Standard Form * Add, subtract, multiply and divide whole numbers, integers and decimals * Order integers and decimals

More information

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography A short and pleasant Introduction to Elliptic Curve Cryptography Written by Florian Rienhardt peanut.@.bitnuts.de Abstract This is a very basic and simplified introduction into elliptic curve cryptography.

More information

Overview. Public Key Algorithms I

Overview. Public Key Algorithms I Public Key Algorithms I Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State

More information

Mathematics Scope & Sequence Algebra I

Mathematics Scope & Sequence Algebra I Mathematics Scope & Sequence 2016-17 Algebra I Revised: June 20, 2016 First Grading Period (24 ) Readiness Standard(s) Solving Equations and Inequalities A.5A solve linear equations in one variable, including

More information

Big Mathematical Ideas and Understandings

Big Mathematical Ideas and Understandings Big Mathematical Ideas and Understandings A Big Idea is a statement of an idea that is central to the learning of mathematics, one that links numerous mathematical understandings into a coherent whole.

More information

Let denote the number of partitions of with at most parts each less than or equal to. By comparing the definitions of and it is clear that ( ) ( )

Let denote the number of partitions of with at most parts each less than or equal to. By comparing the definitions of and it is clear that ( ) ( ) Calculating exact values of without using recurrence relations This note describes an algorithm for calculating exact values of, the number of partitions of into distinct positive integers each less than

More information

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Introduction to Cryptography and Security Mechanisms. Abdul Hameed Introduction to Cryptography and Security Mechanisms Abdul Hameed http://informationtechnology.pk Before we start 3 Quiz 1 From a security perspective, rather than an efficiency perspective, which of the

More information

Congruence Arithmetic

Congruence Arithmetic Module 4 Congruence Arithmetic Popper 4 Introduction to what is like Modulus choices Partitions by modulus Mod 5 Mod 7 Mod 30 Modular Arithmetic Addition Subtraction Multiplication INTEGERS! Mod 12 Cayley

More information

Public-key encipherment concept

Public-key encipherment concept Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication

More information

Channel Coding and Cryptography Part II: Introduction to Cryptography

Channel Coding and Cryptography Part II: Introduction to Cryptography Channel Coding and Cryptography Part II: Introduction to Cryptography Prof. Dr.-Ing. habil. Andreas Ahrens Communications Signal Processing Group, University of Technology, Business and Design Email: andreas.ahrens@hs-wismar.de

More information

Issues in Information Systems Volume 18, Issue 2, pp , 2017

Issues in Information Systems Volume 18, Issue 2, pp , 2017 IMPLEMENTING ELLIPTIC CURVE CRYPTOGRAPHY USING MICROSOFT EXCEL Abhijit Sen, Kwantlen Polytechnic University, abhijit.sen@kpu.ca ABSTRACT Microsoft Excel offers a number of data manipulation tools that

More information

Introduction to Modular Arithmetic

Introduction to Modular Arithmetic Randolph High School Math League 2014-2015 Page 1 1 Introduction Introduction to Modular Arithmetic Modular arithmetic is a topic residing under Number Theory, which roughly speaking is the study of integers

More information

Chapter 1 An Introduction to Computer Science. INVITATION TO Computer Science 1

Chapter 1 An Introduction to Computer Science. INVITATION TO Computer Science 1 Chapter 1 An Introduction to Computer Science INVITATION TO Computer Science 1 Q8. Under what conditions would the well-known quadratic formula not be effectively computable? (Assume that you are working

More information

Math 302 Introduction to Proofs via Number Theory. Robert Jewett (with small modifications by B. Ćurgus)

Math 302 Introduction to Proofs via Number Theory. Robert Jewett (with small modifications by B. Ćurgus) Math 30 Introduction to Proofs via Number Theory Robert Jewett (with small modifications by B. Ćurgus) March 30, 009 Contents 1 The Integers 3 1.1 Axioms of Z...................................... 3 1.

More information

CHAPTER 8. Copyright Cengage Learning. All rights reserved.

CHAPTER 8. Copyright Cengage Learning. All rights reserved. CHAPTER 8 RELATIONS Copyright Cengage Learning. All rights reserved. SECTION 8.3 Equivalence Relations Copyright Cengage Learning. All rights reserved. The Relation Induced by a Partition 3 The Relation

More information

Carnegie LearningÒ Middle School Math Solution Correlations Course 3 NCSCoS: Grade 8

Carnegie LearningÒ Middle School Math Solution Correlations Course 3 NCSCoS: Grade 8 MATHEMATICAL PRACTICES - 1 - Make sense of problems and persevere in solving them. Explain the meaning of a problem and look for entry points to its solution. Analyze givens, constraints, relationships,

More information

Edexcel Linear GCSE Higher Checklist

Edexcel Linear GCSE Higher Checklist Number Add, subtract, multiply and divide whole numbers integers and decimals Multiply and divide fractions Order integers and decimals Order rational numbers Use the concepts and vocabulary of factor

More information

Texas High School Geometry

Texas High School Geometry Texas High School Geometry This course covers the topics shown below. Students navigate learning paths based on their level of readiness. Institutional users may customize the scope and sequence to meet

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information