Complete addition formulas for prime order elliptic curvesjrenes/talks/complete.pdf · Complete...

Complete addition formulas for prime order ellipticcurves

Joost Renes1 Craig Costello2 Lejla Batina1

1Radboud University, Digital Security, Nijmegen, The Netherlandsj.renes,[email protected]

2Microsoft Research, Redmond, [email protected]

9th May 2016

Joost Renes 9th May 2016 Complete formulas 1 / 21

j.renes, [email protected]

[email protected]

Outline

I Elliptic curve preliminaries

I Problem of exceptional cases

I Complete addition formulas

I Comparison of results


Elliptic curves

E (k): elliptic curve over a field k with char(k) 6= 2, 3

Every elliptic curve can be written in short Weierstrass form

I Embedded in P2(k) as E : Y 2Z = X 3 + aXZ 2 + bZ 3

I The point O = (0 : 1 : 0) is called the point at infinity

I Affine points (x : y : 1) given by y2 = x3 + ax + b

I The points on E form an abelian group under point addition⊕ (with neutral element O)

I Scalar multiplication (k ,P) 7→ [k]P (k ∈ Z,P ∈ E )

I The order of E is its order as a group


Elliptic curve cryptography (ECC)

Elliptic curve discrete logarithm problem (ECDLP)

Given two points P,Q ∈ E such that Q ∈ 〈P〉. Find k ∈ Z suchthat Q = [k]P.

Commonly k is a secret, Q is public

I Key exchange: ECDH

I Signatures: ECDSA, EdDSA


Weierstrass model

Figure: E/R : y2 = x3 + ax + b


Chord and tangent addition

I if P 6= ±QI if P 6= OI if Q 6= O



Weierstrass model doubling

I if P 6= O



Implementation (Homogeneous addition)

(X1 : Y1 : Z1)⊕ (X2 : Y2 : Z2) = (X3 : Y3 : Z3), where:

X3 = (X2Z1 − X1Z2)[(Y2Z1 − Y1Z2)Z1Z2

− (X2Z1 − X1Z2)3 − 2(X2Z1 − X1Z2)X1Z2

],

Y3 = (Y2Z1 − Y1Z2)[3(X2Z1 − X1Z2)X1Z2 − (Y2Z1 − Y1Z2)Z1Z2

+ (X2Z1 − X1Z2)3]− (X2Z1 − X1Z2)3Y1Z2,

Z3 = (X2Z1 − X1Z2)3Z1Z2.

But:P = QP = OQ = O

=⇒ X3 = Y3 = Z3 = 0 (not in P2!)


Implementation (Homogeneous doubling)

[2](X : Y : Z ) = (X3 : Y3 : Z3), where

X3 = 2[(aZ 2 + 3X 2)2 − 8XY 2Z

]YZ ,

Y3 = (aZ 2 + 3X 2)[12XY 2Z − (aZ 2 + 3X 2)2

]− 8Y 4Z 2,

Z3 = 8Y 3Z 3.

But: P = O =⇒ X3 = Y3 = Z3 = 0 (not in P2!)


Exceptional cases

I Curves implemented using formulas with exceptional casesI Handled by if-statements:

I Code complexityI BugsI Non-time-constantI Potential vulnerabilities


Curve model

I Problems appear for curves in short Weierstrass formI Can deal with the exceptions by changing the model

I (twisted) EdwardsI (twisted) Hessian

I Not possible for prime order curves


Prime order curves

I The example curves originally specified in the working drafts ofANSI, versions X9.62 and X9.63 [1, 2].

I The five NIST prime curves specified in FIPS 186-4, i.e. P-192,P-224, P-256, P-384 and P-521.

I The seven curves specified in the German brainpool standard [9],i.e., brainpoolPXXXr1, whereXXX ∈ {160, 192, 224, 256, 320, 384, 512}.

I The eight curves specified by the UK-based company Certivox [8],i.e., ssc-XXX, whereXXX ∈ {160, 192, 224, 256, 288, 320, 384, 512}.

I The three curves specified (in addition to the above NIST primecurves) in the Certicom SEC 2 standard [7]. This includessecp256k1, which is the curve used in the Bitcoin protocol.


Complete addition formulas

Addition formulas [5]

Tuple of bihomogeneous polynomials (X3 : Y3 : Z3) such that forall (P,Q) ∈ E × E either

1 (X3(P,Q) : Y3(P,Q) : Z3(P,Q)) = P ⊕ Q, or

2 (X3(P,Q) : Y3(P,Q) : Z3(P,Q)) = (0 : 0 : 0).

I If 2 holds for a pair (P,Q), it is called exceptional

I If 2 holds for none of the pairs (P,Q), the addition formulas(X3 : Y3 : Z3) are called complete


Limitations and possibilities

Known results by Bosma and Lenstra [5] for (equivalence classesof) addition formulas of bidegree (2,2):

Theorem: over an algebraically closed field k̄ there are

always exceptional pairs

Consequence: for complete addition formulas over Fp we have

to make sure the exceptional pairs lie in

extension fields (Note that this is what is done

for Edwards curves as well)

Theorem: the set is a 3-dimensional k-vector space

Consequence: there are ≈ q3 addition formulas


Choosing the optimal one

For a basis (A0,A1,A2) of the 3-dimensional space, every additionlaw can be written as

aA0 + bA1 + cA2,

for a, b, c ∈ Fq.

Some intuitive arguments:

I Bosma and Lenstra give a basis in which almost nocross-cancelation occurs, so simply choosing one of their basiselements seems optimal

I One of the basis elements is the only addition law which iscomplete independent of curve coefficients and base field

Choose this addition law, and heavily optimize it!


The formulas

Complete addition formulas for odd order elliptic curves. For anytwo points P = (X1 : Y1 : Z1) and Q = (X2 : Y2 : Z2) we cancompute P + Q = (X3 : Y3 : Z3) where

X3 = (X1Y2 + X2Y1)(Y1Y2 − a(X1Z2 + X2Z1)− 3bZ1Z2)

− (Y1Z2 + Y2Z1)(aX1X2 + 3b(X1Z2 + X2Z1)− a2Z1Z2),

Y3 = (Y1Y2 + a(X1Z2 + X2Z1) + 3bZ1Z2)(Y1Y2 − a(X1Z2 + X2Z1)− 3bZ1Z2)

+ (3X1X2 + aZ1Z2)(aX1X2 + 3b(X1Z2 + X2Z1)− a2Z1Z2),

Z3 = (Y1Z2 + Y2Z1)(Y1Y2 + a(X1Z2 + X2Z1) + 3bZ1Z2)

+ (X1Y2 + X2Y1)(3X1X2 + aZ1Z2).

Exceptional pairs are induced by points of order 2, which byassumption only exist over extension fields.


Operation count

any a:

12M + 3ma + 2m3b + 23a P ⊕ Q11M + 3ma + 2m3b + 17a P ⊕ Q,ZQ = 18M + 3S + 3ma + 2m3b + 15a [2]P

a = −3:

12M + 2mb + 29a P ⊕ Q11M + 2mb + 23a P ⊕ Q,ZQ = 18M + 3S + 2mb + 21a [2]P

a = 0:

12M + 2m3b + 19a P ⊕ Q11M + 2m3b + 13a P ⊕ Q,ZQ = 16M + 2S + 1m3b + 9a [2]P


A comparison

I This work (addition): 12M + 3ma + 2m3b + 23a

I This work (doubling): 8M + 3S + 3ma + 2m3b + 15a

I Bernstein and Lange [3] attempt an addition law which worksfor all NIST prime curves: 26M + 8S + ...

I Brier and Joye [6] develop unified formulas, still withexceptions: 11M + 6S + ...

I Bos et al. [4] study a complete system of two addition laws

I Chord-and-tangent Jacobian coordinates addition:≈ 12M + 4S + ...

I Chord-and-tangent Jacobian coordinates doubling:≈ 4M + 4S + ...


Another comparison: OpenSSL

NIST no. of ECDH operations (per 10s) factor

curve complete incomplete slowdown

P-192 35274 47431 1.34x

P-224 24810 34313 1.38x

P-256 21853 30158 1.38x

P-384 10109 14252 1.41x

P-521 4580 6634 1.44x

Table: Number of ECDH operations in 10 seconds for the OpenSSLimplementation of the five NIST prime curves. Timings were obtained byrunning the “openssl speed ecdhpXXX” command on an Intel Corei5-5300 CPU @ 2.30GHz, averaged over 100 trials of 10s each.


Hardware implementation

Built on top of Mongomery modular multiplier:I Uses redundant representation, making additions very fast

– Great for our formulas, since we have many

I No distinction between multiplications and squarings

– No negative effect, unlike other formulas

I Multiplications by constants are cheap (if predefined)

– Good for us, since we have a couple

I Can use multiple multipliers

– Formulas well parallelizable, so benefit from this


Thanks

Thanks for your attention!


References I

[1] Accredited Standards Committee X9. American National StandardX9.62-1999, Public key cryptography for the financial services industry:the elliptic curve digital signature algorithm (ECDSA). Draft athttp://grouper.ieee.org/groups/1363/Research/Other.html. 1999.

[2] Accredited Standards Committee X9. American National StandardX9.63-2001, Public key cryptography for the financial services industry:key agreement and key transport using elliptic curve cryptography. Draftat http://grouper.ieee.org/groups/1363/Research/Other.html.1999.

[3] D. J. Bernstein and T. Lange. Complete addition laws for elliptic curves.Talk at Algebra and Number Theory Seminar (Universidad Autonomo deMadrid). Slides at http://cr.yp.to/talks/2009.04.17/slides.pdf.2009.

[4] Joppe W. Bos et al. “Selecting Elliptic Curves for Cryptography: AnEfficiency and Security Analysis”. In: J. Cryptographic Engineering(2015). http://dx.doi.org/10.1007/s13389-015-0097-y. doi:10.1007/s13389-015-0097-y.


http://grouper.ieee.org/groups/1363/Research/Other.html

http://grouper.ieee.org/groups/1363/Research/Other.html

http://cr.yp.to/talks/2009.04.17/slides.pdf

http://dx.doi.org/10.1007/s13389-015-0097-y

http://dx.doi.org/10.1007/s13389-015-0097-y

References II

[5] W. Bosma and H. W. Lenstra. “Complete systems of two addition laws forelliptic curves”. In: Journal of Number theory 53.2 (1995), pp. 229–240.

[6] E. Brier and M. Joye. “Weierstraß Elliptic Curves and Side-ChannelAttacks”. In: Public Key Cryptography, 5th International Workshop onPractice and Theory in Public Key Cryptosystems, PKC 2002, Paris,France, February 12-14, 2002, Proceedings. Ed. by D. Naccache andP. Paillier. Vol. 2274. Lecture Notes in Computer Science. Springer, 2002,pp. 335–345. isbn: 3-540-43168-3. doi: 10.1007/3-540-45664-3_24.url: http://dx.doi.org/10.1007/3-540-45664-3_24.

[7] Certicom Research. SEC 2: Recommended Elliptic Curve DomainParameters, Version 2.0. http://www.secg.org/sec2-v2.pdf. 2010.

[8] Certivox UK, Ltd. CertiVox Standard Curves. http:

//docs.certivox.com/docs/miracl/certivox-standard-curves.Date accessed: September 9, 2015.

[9] ECC Brainpool. ECC Brainpool Standard Curves and Curve Generation.http://www.ecc-brainpool.org/download/Domain-parameters.pdf.2005.


http://dx.doi.org/10.1007/3-540-45664-3_24

http://dx.doi.org/10.1007/3-540-45664-3_24

http://www.secg.org/sec2-v2.pdf

http://docs.certivox.com/docs/miracl/certivox-standard-curves

http://docs.certivox.com/docs/miracl/certivox-standard-curves

http://www.ecc-brainpool.org/download/Domain-parameters.pdf

Complete addition formulas for prime order elliptic curvesjrenes/talks/complete.pdf · Complete...

Documents

Transcript of Complete addition formulas for prime order elliptic curvesjrenes/talks/complete.pdf · Complete...