
Elliptic curve point multiplication

Alexander Rostovtsev, Elena Makhovenko, St. Petersburg State Polytechnic University, www.ssl.stu.neva.ru.


Presentation Transcript


  1. Elliptic curve point multiplication
     Alexander Rostovtsev, Elena Makhovenko, St. Petersburg State Polytechnic University, www.ssl.stu.neva.ru

  2. Elliptic curves in cryptology
     Elliptic curve cryptosystems provide:
     • the best possible strength;
     • a wide range of cryptographic functions (digital signature, public key encryption, zero-knowledge proofs, etc.);
     • a low rate of strength decrease;
     • the possibility of independent key change (DSS-type cryptosystems, based on discrete logarithms modulo a prime, do not provide it).

  3. Elliptic curve
     Elliptic curve (EC) $E(F_p)$: $F_p^3 \setminus (0, 0, 0)$: $Y^2 Z = X^3 + A X Z^2 + B Z^3$, $(X, Y, Z) = (uX, uY, uZ)$, $u \neq 0$.
     $E(F_p)$ is a finite Abelian group of points $(X, Y, Z)$. The point at infinity $(0, 1, 0)$ is the neutral element.

  4. EC discrete logarithm problem
     Given $Q, P \in E(F_p)$, find an integer $l$ such that $P = lQ$.
     ECDLP is hard if:
     • $E(F_p)$ contains a subgroup of prime order $r$;
     • r  p;
     • $p^k \not\equiv 1 \pmod{r}$ for $k = 1, \dots, 31$.

  5. ECDLP solution (1)
     $E(F_p) \xrightarrow{\text{Hom}} \{E_i(F_p)\} \xrightarrow{\text{Lift}} \{E_i(K)\}$
     $K = Q[D_1, \dots, D_k]$, $\{|D_i|\}$ = {Small primes} {-1}, $D_i$ $F_p$
     ECDLP = (Compute Mordell–Weil group) & (Lift a point)

  6. ECDLP solution (2)
     1. Find $\{E_i(F_p)\}$ using algebraic homomorphisms.
     2. Choose $K = Q[D_1, \dots, D_k]$, $|D_i|$ are small primes, represented in $F_p$.
     3. Choose a subset of curves $\{E_i(K)\}$ of large rank, using the Birch and Swinnerton-Dyer conjecture.
     4. Compute the Mordell–Weil groups of $\{E_i(K)\}$ and lift points.
     5. Find linear relations between the points of $\{E_i(K)\}$ and compute the discrete logarithm.

  7. Elliptic curve arithmetic
     The main operation is point multiplication: $[m]: P \to mP$.
     Isogeny : $E_1(F_p) \to E_2(F_p)$, $(0,1,0) \to (0,1,0)$.
     If $E_1 = E_2$ then (imaginary quadratic order $O_D$): isogeny gives complex multiplication by $O_D$.
     Norm N()>1: isogeny is not invertible and defines large automorphism group of points of order r.

  8. Traditional point multiplication $[m]P$ (4-bit window size)
     1. Precompute points $2P, 3P, \dots, 15P$.
     2. Represent $m = m_0 + 16 m_1 + 16^2 m_2 + \dots + 16^k m_k$.
     3. $P_k = m_k P$, $P_{k-1} = 2(2(2(2P_k))) + m_{k-1}P$, $P_{k-2} = 2(2(2(2P_{k-1}))) + m_{k-2}P$, …
     Complexity: 4k point doublings, k point additions.

  9. Point multiplication (1)
     The main idea: complex multiplication by  = (-2) or  = (1 + (-7))/2 is used instead of doubling.
     For 4-bit window size: 4 = 2 * 2, point multiplication takes 2k point doublings, k point additions.
     The rate increases 1.6 times for  = (-2); 1.5 times for  = (1+(-7))/2. For large window size the rate increases ~2 times.

  10. Point multiplication (2)
      Algorithm:
      • Factor r = , where element $O_D$ is prime;  0 (mod r); and represent: $F_r = O_D/()$.
      • Represent exponent m as an element of $O_D/()$ with N(m)<r.
      • Represent m in -adic or ( and)-adic notation.
      • Find $[m]P$ using complex multiplication and point addition.

  11. Exponent representation
      Precomputation: r =  by extended Euclidean algorithm in $O_D$ (according to Pollard and Schnorr).
      Reduction m m (mod ) = $m_0$+$m_1$: N(m)  min. Two steps: in real and imaginary directions. Find integers $n_0$, $n_1$: N(($n_0$ + $n_1$)) N(m); $m_0$ + $m_1$ = m - ($n_0$ + $n_1$).
      Algorithm gives bijection between $F_r$ and the set of points of parallelogram in a lattice (1, ) with norm < r.

  12. Complex multiplication formula (-2) * (X,Y,Z) = (-Y2Z, Y(U2 + Z2)/(-2), 2U2Z); U = X + 4/3*(3/10)(p+1)/4. (1 + (-7))/2 * (X,Y,Z)=(Z(Y2 + X2), Y(X2 + Z2), X2Z);  = ((1 + (-7))/2)2/4,  = -((1 + (-7))/2)3/8,  = -((1 +(-7))/2)6/36.

  13. Elliptic curve equation For  = (-2): p = a2 + 2b2, a 1 (mod 6), b 1 (mod 6), 2r = p + 1  2a  2 (mod 4) y2 = x3 + ((-3/10)/p)x (4/15)(2/15)(p+1)/4 For  = (1 + (-7))/2: p = a2 + ab + 2b2, 4r = p + 1  2a  0 (mod 4) y2 = x3 + ((-7/5)/p)x (2/5)(-7/5)(p+1)/4

  14. Conclusion
      If operator [] generates a large subgroup of $F_r^*$ then cryptosystem strength does not decrease.
      The point multiplication algorithm is the fastest for a large class of elliptic curves over prime fields; its rate does not depend on a special kind of field characteristic.
      EC isogenies are good structures for public-key cryptology. They allow constructing public-key cryptosystems resistant to quantum computers. The basic problem is to find an isogeny between given elliptic curves.
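
The traditional 4-bit window method of slide 8, written out as an added example (not code from the presentation) and generalized to any window width w. It counts operations to reproduce the stated 4k doublings and at most k additions, and checks the result against plain double-and-add. The curve, prime, point `G` and all function names are constructed for illustration.

```python
# Constructed toy parameters (not vetted for real use): y^2 = x^3 + A*x + B over F_p.
P_MOD, A, B = 2**127 - 1, 2, 1
G = (1, 2)  # on the curve: 2^2 = 1 + 2 + 1
INF = None  # point at infinity, the neutral element

def add(P, Q):
    """Affine addition on the curve; covers doubling and the neutral element."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P), or doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def window_mul(m, P, w=4):
    """[m]P with a fixed w-bit window. Returns (point, doublings, additions)."""
    table = [INF, P]
    for _ in range(2, 1 << w):  # precompute 2P, 3P, ..., (2^w - 1)P
        table.append(add(table[-1], P))
    digits = []  # m = m_0 + 2^w m_1 + ..., least significant digit first
    while m:
        digits.append(m & ((1 << w) - 1))
        m >>= w
    if not digits:
        return INF, 0, 0
    acc, dbl, adds = table[digits[-1]], 0, 0  # P_k = m_k P
    for d in reversed(digits[:-1]):
        for _ in range(w):  # w doublings per digit
            acc, dbl = add(acc, acc), dbl + 1
        if d:  # data-dependent branch and table index: not constant time
            acc, adds = add(acc, table[d]), adds + 1
    return acc, dbl, adds

def binary_mul(m, P):
    """Plain double-and-add reference. Returns (point, doublings, additions)."""
    acc, dbl, adds = INF, 0, 0
    for bit in bin(m)[2:]:
        acc, dbl = add(acc, acc), dbl + 1
        if bit == "1":
            acc, adds = add(acc, P), adds + 1
    return acc, dbl, adds
```

The operation counts exclude the table precomputation, as the slide's complexity figure does. When m is a secret key, the skipped addition and the digit-indexed table lookup leak through timing and cache behaviour, so deployed implementations replace them with constant-time selection.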
