Discrete Methods in Mathematical Informatics
Lecture 5: Elliptic Curve Cryptography Implementation (I)
8th January 2012
Vorapong Suppakitpaisarn, vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363
Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/

Course Information

Schedule
10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography [1])
10/23 – Elliptic Curve III (2 Exercises) (Elliptic Curve Cryptography [2])
10/30 – Cancelled
11/6 – Online Algorithm I (Prof. Han)
11/13 – Online Algorithm II (Prof. Han)
11/20 – Cancelled (Friday Schedule)
11/27 – Elliptic Curve IV (1 Exercise) (ECC Implementation I)
12/4 – Cancelled
12/11 – Computational Game Theory I (Prof. Gurvich)
12/18 – Computational Game Theory II (Prof. Elbassioni)
1/8 – Elliptic Curve V (3 Exercises) (ECC Implementation II)
1/15 – Cancelled (Monday Schedule)
1/22~ – SAT Problem (Prof. Makino)

Grading
• For my part, you need to submit 2 reports.
• Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission deadline: 14 November
• Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission deadline: January 22nd
• Submit your report in this lecture room before the class begins.

Elliptic Curve Cryptography

ECC Protocol
One side: Generate P ∈ E(F). Generate positive integer a. Receive Q = bP. Compute aQ = abP.
Other side: Receive P. Receive S = aP. Generate positive integer b. Compute bS = abP.
Exchanged values: P, aP, bP

This time: Scalar Multiplication
Compute rP = 14P, r = 14 = (0 1 1 1 0)_2: 2 point additions, 3 point doubles
  Doubled value:      O, 2P, 6P, 14P
  After adding digit: P, 3P, 7P, 14P

Last time: Elliptic Curve Arithmetic (point addition; example curve with A = -4, B = 4), Field Arithmetic

Scalar Multiplication and Binary Representation
• Scalar multiplication in elliptic curve cryptography: S = P + P + … + P (r times) = rP, where r is a positive integer and S, P are points on the curve
• Double-and-add method
• Let r = 14 = (01110)_2. Compute rP = 14P, r = 14 = (0 1 1 1 0)_2, weight = 3
  Doubled value:      O, 2P, 6P, 14P
  After adding digit: P, 3P, 7P, 14P
  3 – 1 = 2 point additions, 4 – 1 = 3 point doubles
Average # of point doubles? For r in [0, 2^n - 1], n - 1 times.
Average # of point additions? For r in [0, 2^n - 1], n/2 - 1 times. (Average weight = n/2)

Redundant Binary Representation
• Changing the digit set can make scalar multiplication faster.
• Represent each digit using {0, 1, -1} instead of {0, 1}.
• The representation is redundant, so use Minimum Weight Conversion to find the Minimum Weight Expansion (the expansion that has the minimum joint weight).

Binary: r = 14 = (0 1 1 1 0)_2, weight = 3
  3 – 1 = 2 point additions, 4 – 1 = 3 point doubles
Redundant: compute rP = 14P, r = 14 = (1 0 0 -1 0)_2, weight = 2
  Doubled value:      O, 2P, 4P, 8P, 14P
  After adding digit: P, 2P, 4P, 7P, 14P
  2 – 1 = 1 point addition, 5 – 1 = 4 point doubles

Average # of point doubles? For r in [0, 2^n - 1], n - 1 times? No: n + o(n) times.
Average # of point additions? For r in [0, 2^n - 1], n/2 - 1 times (average weight = n/2)? No: n/3 + o(n) times. (Average weight = n/3 + o(n))

Non-Adjacent Form
Definition: S = (s_{n-1} s_{n-2} … s_0) is a DS-Expansion of positive integer r iff
Definition: S = (s_{n-1} s_{n-2} … s_0) is a Minimum Weight DS-Expansion of positive integer r iff
Definition: S = (s_{n-1} s_{n-2} … s_0) is the Non-Adjacent Form (NAF) of positive integer r iff
Optimality: S is a Minimum Weight {0, ±1}-Expansion of r if S is the Non-Adjacent Form of r.

Algorithm
Simple fact: n - 1 consecutive 1's; n - 2 consecutive 0's
Example: 1 0 0 0 -1
Markov Chain
Average # of point additions? For r in [0, 2^n - 1], n/3 + o(n) times. (Average weight = n/3 + o(n))

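The comparison on the last three slides, as an added example that is not part of the original lecture: it converts r to binary and to NAF, runs left-to-right double-and-add over both, and measures the average weight. The function names are hypothetical, and the curve group is modelled by the integers under addition (P = 1) so the result can be checked while operations are counted.

```python
def binary_digits(r):
    """Digits of r over {0, 1}, most significant first."""
    return [int(b) for b in bin(r)[2:]]

def naf_digits(r):
    """Non-adjacent form of r over {0, 1, -1}, most significant first."""
    digits = []
    while r > 0:
        if r & 1:
            d = 2 - (r % 4)  # +1 if r = 1 (mod 4), -1 if r = 3 (mod 4)
            r -= d           # r is now divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        r >>= 1
    return digits[::-1]

def scalar_mul(digits, P=1):
    """Left-to-right double-and-add over a signed-digit expansion.

    P = 1 is a stand-in for a curve point (assumption of this example).
    Returns (rP, point_additions, point_doubles).
    """
    acc, adds, doubles = None, 0, 0
    for d in digits:
        if acc is None:
            if d:
                acc = d * P  # first non-zero digit: load P, no operation
            continue
        acc = 2 * acc
        doubles += 1
        if d:
            acc += d * P     # d = -1 is a point subtraction on a real curve
            adds += 1
    return (acc or 0), adds, doubles

def average_weight(n, expand):
    """Average number of non-zero digits over all r in [0, 2^n - 1]."""
    total = sum(sum(1 for d in expand(r) if d) for r in range(2 ** n))
    return total / 2 ** n
```
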
w-NAF
Definition: S = (s_{n-1} s_{n-2} … s_0) is the w-NAF of positive integer r iff
The w-NAF of positive integer r is also the NAF of r when w = 1.
Optimality: S is a Minimum Weight {0, ±1}-Expansion of r if S is the Non-Adjacent Form of r.
Optimality: S is a Minimum Weight {0, ±1, … , (2w-1)}-Expansion of r if S is the w-NAF of r.

Exercise 7
Algorithm
Memory and Speed
Compute rP = 14P, r = 14 = (0 1 1 1 0)_2
  Doubled value:      O, 2P, 6P, 14P
  After adding digit: P, 3P, 7P, 14P

Average Weight {0, ±1, ±3, … , ±(2h+1)}
Theorem [Muir 04]: The average number of additions (average weight) of r in [0, 2^n - 1] represented using digit set {0, ±1, ±3, … , ±(2w-1)} is  when n tends to infinity.
Theorem [Moller 05]: The average number of additions (average weight) of r in [0, 2^n - 1] represented using digit set {0, ±1, ±3, … , ±(2h+1)} is  when n tends to infinity.

r-radix Representation

Base 2 (place values 2^4 2^3 2^2 2^1 2^0)
14 = (1 0 0 -1 0)_2
  Doubled value:      O, 2P, 4P, 8P, 14P
  After adding digit: P, 2P, 4P, 7P, 14P
  1 point addition, 4 point doubles

Base 3 (place values 3^4 3^3 3^2 3^1 3^0)
14 = (0 1 -1 -1 -1)_3
  Tripled value:      O, 3P, 6P, 15P
  After adding digit: P, 2P, 5P, 14P
  3 point additions, 3 point triples

A field of characteristic 3 (e.g. F_{3^97}) is used in fast pairing implementations. [Barreto, Kim, Lynn, Scott, CRYPTO 2002] [Galbraith, Harrison, Soldera, ANTS 2002] [Granger, Page, Stam 2004]
In that field, point tripling is a very fast operation. [Takagi, Reis, Yen, Wu, IEICE Trans., 2006]

Average Weight for 3-radix {0, ±1, ±2, … , ±h}
Theorem [Joye, Yen 04]: The average number of additions (average weight) of r in [0, 2^n - 1] represented using digit set {0, ±1, ±2, … , ±(3w-1)} – 3Z is  when n tends to infinity.
Theorem [Takagi, Reis, Yen, Wu 06]: The average number of additions (average weight) of r in [0, 2^n - 1] represented using digit set {0, ±1, ±3, … , ±(3w-1)/2} – 3Z is  when n tends to infinity.
Our Observation: The average number of additions (average weight) of r in [0, 2^n - 1] represented using digit set {0, ±1, ±2, … , ±h} – 3Z is  when n tends to infinity.
We also found the relation for 4-radix and 6-radix!!!

Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

Base 2 (place values 2^4 2^3 2^2 2^1 2^0)
14 = (1 0 0 -1 0)_2
  Doubled value:      O, 2P, 4P, 8P, 14P
  After adding digit: P, 2P, 4P, 7P, 14P
  1 point addition, 4 point doubles

Base 3 (place values 3^4 3^3 3^2 3^1 3^0)
14 = (0 1 -1 -1 -1)_3
  Tripled value:      O, 3P, 6P, 15P
  After adding digit: P, 2P, 5P, 14P
  3 point additions, 3 point triples

Double base: 14 = 1·2^3 3^0 + 1·2^1 3^1

Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
Definition:  is a DS-DBNS of positive integer r iff
Example:
  14 = 1·2^2 3^1 + 1·2^1 3^0
  14 = 1·2^3 3^0 + 1·2^1 3^1

Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
Definition:  is a Minimum Weight DS-DBNS of positive integer r iff
Note: Currently, there exists no polynomial-time algorithm to compute the Minimum Weight DS-DBNS. It is hard to introduce to scalar multiplication (too general).
Theorem
Note: For single-base (base 2, 3, …), the weight is in  for the average case. For double-base, the weight is in  , even for the worst case.

Scalar Multiplication with DBNS [Meloni, Hasan, CHES 2009]
127 = 1·2^2 3^3 + 1·2^1 3^2 + 1·2^0 3^0
Need memory to store l elliptic points
Algorithm

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008] Double-Base Number System when and With More Restriction
Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
Double Base Number System (DBNS) and Double Base Chains (DBC), examples:
  14 = 1·2^2 3^1 + 1·2^1 3^0
  14 = 1·2^3 3^0 + 1·2^1 3^1
  127 = 1·2^2 3^3 + 1·2^1 3^2 + 1·2^0 3^0

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
Double-Base Number System when and With More Restriction

k = 127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0
  Digit: 1        0        1        0        0        1
  Base:  2^2 3^3  2^1 3^3  2^1 3^2  2^0 3^2  2^0 3^1  2^0 3^0

Similar to double-and-add methods:
  Doubled or tripled value: O, 2P, 6P, 14P, 42P, 126P
  After adding digit:       P, 2P, 7P, 14P, 42P, 127P
  2 point additions, 2 point doubles, 3 point triples

Problem
Given k
Given Cadd - computation time of a point addition
Given Cdbl - computation time of a point double
Given Ctpl - computation time of a point triple
Find the chain with the smallest total computation time

Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012] (Our Results)
k = 10, Ctpl = 1, Cdbl = 1, Cadd = 1
How to compute kP = 10P

Plan A
  Compute 5P
  Double the point to 10P = 2 · 5P
  Cost: optimal computation time of 5P + point double = C(5P) + Cdbl = 3 + 1 = 4

Plan B
  Compute 3P
  Triple the point to 9P = 3 · 3P
  Add the point with P (9P + P = 10P)
  Cost: optimal computation time of 3P + point triple + point addition = C(3P) + Ctpl + Cadd = 1 + 1 + 1 = 3

Algorithm (Our Results)
C(k) = min( C(k/2) + Pdbl,        C(k/3) + Ptpl        )  if k mod 6 == 0
       min( C(k/2) + Pdbl + Padd, C(k/3) + Ptpl + Padd )  if k mod 6 == 1
       min( C(k/2) + Pdbl,        infinity             )  if k mod 6 == 2
       min( C(k/2) + Pdbl + Padd, C(k/3) + Ptpl        )  if k mod 6 == 3
       min( C(k/2) + Pdbl,        C(k/3) + Ptpl + Padd )  if k mod 6 == 4
       min( C(k/2) + Pdbl + Padd, infinity             )  if k mod 6 == 5
(k/2 and k/3 are rounded down.)
Dynamic Programming. Time: lg^2 k. Memory: lg^2 k.

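The recurrence above as an added example, not code from the lecture or the cited paper: a memoised implementation that also returns the chain it found, so the chain can be replayed and checked. It assumes C(1) = 0 and integer division, folds the six cases into two tests (k mod 2 and k mod 3), and the names best_chain and replay are hypothetical.

```python
from functools import lru_cache

def best_chain(k, c_dbl, c_tpl, c_add):
    """Cheapest double-base chain for kP (k >= 1) under the C(k) recurrence.

    Returns (cost, ops): ops is a string over D (double), T (triple) and
    A (add P), applied left to right starting from P.
    """
    @lru_cache(maxsize=None)
    def C(n):
        if n == 1:
            return (0.0, "")
        # Route through floor(n/2): one double, plus an addition if n is odd.
        cost, ops = C(n // 2)
        best = (cost + c_dbl + (c_add if n % 2 else 0),
                ops + ("DA" if n % 2 else "D"))
        # Route through floor(n/3): allowed only when n mod 3 is 0 or 1,
        # because the digit is 0 or 1; n mod 3 == 2 is the "infinity" entry.
        if n % 3 != 2:
            cost, ops = C(n // 3)
            cand = (cost + c_tpl + (c_add if n % 3 else 0),
                    ops + ("TA" if n % 3 else "T"))
            if cand[0] < best[0]:
                best = cand
        return best
    return C(k)

def replay(ops):
    """Apply a chain to P (modelled as the integer 1) and return the scalar."""
    acc = 1
    for op in ops:
        acc = acc * 2 if op == "D" else acc * 3 if op == "T" else acc + 1
    return acc
```

With unit costs, k = 10 gives cost 3 through Plan B (triple, triple, add); with the costs Cdbl = 6.2, Ctpl = 12.2, Cadd = 9.8 from the prime-field experiments, the same k costs 28.4 through Plan A.
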
Prime Field (F_p)
• Experiments on Inverted Edwards Coordinates [Bernstein, Lange, AAECC 2007]
• Cdbl = 6.2[m], Ctpl = 12.2[m], Cadd = 9.8[m]
Our Results: 3.95 %, 3.88 %, 3.90 %, 3.90 %, 3.90 %

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
Problem
Given k; given Cadd, Cdbl, Ctpl (computation times of a point addition, a point double and a point triple): find the chain with the smallest total computation time.
Given k; given Cadd = 1, Cdbl = 0, Ctpl = 0: find the chain with the smallest total computation time.
Given k; given Cadd = 1, Cdbl = 0, Ctpl = 0: find the shortest chain (the chain with the smallest number of terms).

On-Going…
DBNS [Dimitrov, Cooklev, 1995]: Input: k. Output: m_k*. Tractable??? Approximation algorithm???
Double-Base Chain [Our Results]: Input: k. Output: m_k*. Solved by DP [Our Results].

Exercise 8

Efficiency of Multi-Scalar Multiplication
• Multi-scalar multiplication in elliptic curve cryptography: S = P + P + … + P (r1 times) + Q + Q + … + Q (r2 times) = r1 P + r2 Q, where r1, r2 are positive integers and S, P, Q are points on the curve
• General technique: double-and-add method (Horner's method)
• Let r1 = 12 = (01100)_2, r2 = 21 = (10101)_2

Compute r1 P = 12P, r1 = 12 = (0 1 1 0 0)_2, weight = 2
  Doubled value:      O, 2P, 6P, 12P
  After adding digit: P, 3P, 6P, 12P
Compute r2 Q = 21Q, r2 = 21 = (1 0 1 0 1)_2, weight = 3
  Doubled value:      O, 2Q, 4Q, 10Q, 20Q
  After adding digit: Q, 2Q, 5Q, 10Q, 21Q
4 point additions, 7 point doubles

Shamir’s Trick + Binary Representation [ElGamal, IEEE Trans. on Info. Theory, 1986]
• Compute the two numbers together to reduce redundant work.
• Pre-compute P + Q
r1 = 12 = ( 0 1 1 0 0 )_2
r2 = 21 = ( 1 0 1 0 1 )_2
Joint weight = 4
  Doubled value:      O, 2Q, 2P+4Q, 6P+10Q, 12P+20Q
  After adding digit: Q, P+2Q, 3P+5Q, 6P+10Q, 12P+21Q
3 point additions, 4 point doubles (instead of 4 point additions, 7 point doubles)
Average # of point additions? For [0, 2^n - 1], 0.75n - 1 times. (Average weight = 0.75n)

Shamir’s Trick + Joint Sparse Form (JSF) [Solinas, Combinatorics and Optimization Research, 2001]
• Represent each digit using {0, ±1} instead of {0, 1}.
r1 = 12 = ( 1 0 -1 0 0 )_2
r2 = 21 = ( 1 0 1 0 1 )_2
Joint weight = 3
  Doubled value:      2P+2Q, 4P+4Q, 6P+10Q, 12P+20Q
  After adding digit: P+Q, 2P+2Q, 3P+5Q, 6P+10Q, 12P+21Q
2 point additions, 4 point doubles
Average # of point additions? For [0, 2^n - 1], 0.5n - 1 times. (Average weight = 0.5n)
Dahmen, Okeya and Takagi expand the digits over {-3, -1, 0, 1, 3} [DOT08]
Adikari and Dimitrov expand the digits over the Hybrid Binary-Ternary representation [AD08]

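The two Shamir's trick slides as an added example, not code from the lecture: the JSF conversion follows the usual textbook formulation of Solinas's algorithm, and the joint evaluation counts additions and doubles for any pair of digit lists. The function names are hypothetical, and P and Q are modelled as (1, 0) and (0, 1) in Z^2 so that the result r1 P + r2 Q can be read off directly.

```python
def jsf(k1, k2):
    """Joint Sparse Form of (k1, k2): two {0, 1, -1} digit lists, MSB first."""
    d1 = d2 = 0                       # carries
    out1, out2 = [], []
    while k1 + d1 > 0 or k2 + d2 > 0:
        l1, l2 = k1 + d1, k2 + d2
        u = []
        for a, b in ((l1, l2), (l2, l1)):
            if a % 2 == 0:
                u.append(0)
            else:
                s = 2 - (a % 4)       # signed residue mod 4: +1 or -1
                if a % 8 in (3, 5) and b % 4 == 2:
                    s = -s            # sign choice that aligns non-zero digits
                u.append(s)
        if 2 * d1 == 1 + u[0]:
            d1 = 1 - d1
        if 2 * d2 == 1 + u[1]:
            d2 = 1 - d2
        out1.append(u[0])
        out2.append(u[1])
        k1, k2 = k1 // 2, k2 // 2
    return out1[::-1], out2[::-1]

def binary(k, n):
    """n-digit binary expansion of k, MSB first (padded with leading zeros)."""
    return [(k >> i) & 1 for i in range(n - 1, -1, -1)]

def shamir(digits1, digits2):
    """Joint double-and-add on the model group Z^2, P = (1, 0), Q = (0, 1).

    Each non-zero column costs one addition of a pre-computed point
    (P, Q, P + Q, P - Q or a negation). Returns (point, additions, doubles).
    """
    acc, adds, doubles, started = (0, 0), 0, 0, False
    for a, b in zip(digits1, digits2):
        if started:
            acc = (2 * acc[0], 2 * acc[1])
            doubles += 1
        if a or b:
            if started:
                adds += 1             # first non-zero column is only a load
            acc = (acc[0] + a, acc[1] + b)
            started = True
    return acc, adds, doubles
```
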
Average Joint Weight of {0, ±1, ±3}
Solinas, Comb. and Opt. Report, 2001: Open Problem
Avanzi, Crypto. ePrint Archive, 2002: 0.3750
Kuang, Zhu, Zhang, ACNS 2004, 2004: 0.3712
Moller, ICISC 2004, 2004: 0.3636
Dahmen, Okeya, Takagi, IEICE Trans., 2007: 0.3615
Our Result: 0.3575
We prove that 0.3575 is the least number and solve the open problem.

Other Results {0, ±1, ±3, … , ±(2h+1)}
[Table legend: Match existing works; Improve existing works; New Results]

Exercise 9
Let P, Q be points on an elliptic curve, and assume that P + Q can be computed much faster if P – Q is known (even much faster than a point double).
Let T be the computation time for the fast addition (where P – Q is known), and n = max(lg r1, lg r2).
1. Develop an algorithm for computing S = r1 P in 2nT with a constant number of points stored in memory.
2. Develop an algorithm for computing S = r1 P + r2 Q in 3nT with a constant number of points stored in memory.
Additional score will be given if you can find an algorithm faster than 3nT.

Thank you for your attention.
Please feel free to ask questions or comment.