Fast scalar multiplication on Elliptic Curves — Tanja Lange

8/13/2019 Fast scalar multiplication on Elliptic Curves — Tanja Lange

http://slidepdf.com/reader/full/fast-scalar-multiplication-on-elliptic-curves-tanja-lange 1/48

Fast scalar multiplication on elliptic

curvesTanja Lange

Technische Universiteit Eindhoven

[email protected]

08.05.2007

Tanja Lange Fast scalar multiplication on elliptic curves – p.



Overview

Why scalar multiplicationElliptic curves

Definition and group law in affine coordinates

Other coordinate systemsComparison

Side-channel attacks

Why unified group laws?Edwards coordinates

Comparison

Multi-scalar multiplication




Why scalar multiplication?




Diffie-Hellman Key exchange

Alice Bob

1. secretly generates 1. secretly generates

a < |P | b < |P |

2. computes Q1 = [a]P 2. computes Q2 = [b]P

3. transmits Q1 3. transmits Q2

✏ ✏

✏ ✏

✏

✏ ✏ ✏ ✏ ✮

4. computes 4. computes

[a]Q2 = [ab]P = [b] · Q1

Common Key: the group element k = [ab]P ∈ P can be used in symmetric encryption.




ElGamal encryption

Public parameters:Group G, generator P , ord(P ) = l, some invertibleembedding function H : m → G.Receiver has secret key sA and public key P A = [sA]P .

Encrypt message m

choose random integer k

compute R = [k]P and c = H (m) + [k]P A

Decrypt ciphertext (R, c)

compute S = [sA]R

obtain m = H −1(c − S )

(This gives m since S = [sA]R = [ksA]P = [k]P A).

Disclaimer: this is the school-book method, do notimplement as shown.




Elliptic curve Digital Signature Algorith

Elliptic curve E , point P ∈ E , ord(P ) = l, somecryptographic hash function h : m → ZZ. Point R hascoordinate xR.Sign message m:

choose random integer kcompute R = [k]P and put r = xR (mod l)

put s = k−1(h(m) + rsA) (mod l).

Verify signature (r, s):compute w = s−1 (mod l)

compute Q1 = [wr]P A, Q2 = [wh(m)]P and Q = Q1 ⊕ Q2

accept signature if and only if xQ ≡ r mod l.

This accepts valid signatures since

[s−1rsA]P ⊕[s−1h(m)]P = [(h(m)+rsA)−1k(rsA+h(m))]P = [k]P.




DL systems

These systems assume that the Discrete LogarithmProblem (DLP) is hard to solve, i.e.

given P and P A = [sA]P

it is hard to find sA.

The Computational Diffie-Hellman Problem (CDHP) is theproblem

given P , P A = [sA]P , and P B = [sB ]P

compute [sAsB ]P .

The Decisional Diffie-Hellman Problem (DDHP) is the

problem

given P , P A = [sA]P , P B = [sB ]P and R = [r]P

decide whether R = [sAsB ]P .




Elliptic curves




Elliptic curve

E : y2 + (a1x + a3)

h(x)

y = x3 + a2x2 + a4x + a6

f (x)

, h,f ∈ IFq [x].

Group: E (IFq ) = { (x, y) ∈ IF2q : y2 + h(x)y = f (x) } ∪ { P ∞ }

Often q = 2

r

or q = p, prime. Isomorphic transformationslead to

y2 = f (x) q odd,

fory2 + xy = x3 + a2x2 + a6

y2 + y = x3 + a4x + a6q = 2r,

curve non-supersingul

curve supersingular




Group Law in E (IR), h = 0

y2 = x3 − x

P

R

Tanja Lange Fast scalar multiplication on elliptic curves – p. 1




y2 = x3 − x

P

R

S





y2 = x3 − x

P

R

S

P ⊕

R




Group Law (q odd)

E : y2

= x3

+ a4x + a6, ai ∈ IFq

P

R

S

Line y = λx + µ has slope

λ = yR−yP xR−xP .

Equating gives

(λx + µ)

2

= x

3

+ a4x + a6.

This equation has 3 solutions, the x-coordinates of P , R

and S , thus(x − xP )(x − xR)(x − xS ) = x3 − λ2x2 + (a4 − 2λµ)x + a6 − µ2

xS = λ2 − xP − xR




Group Law (q odd)

E : y2

= x3


P

R

S

P +R

Point P is on line, thus

yP = λxP + µ, i.e.µ = yP − λxP ,and

yS = λxS + µ

= λxS + yP − λxP = λ(xS − xP ) + yP

Point P ⊕ R has the same x-coordinate as S but negative

y-coordinate:

xP ⊕R = λ2 − xP − xR, yP ⊕R = λ(xP − xP ⊕R) − yP




Group Law (q odd)

E : y2

= x3


P

R

S

P +R

2P

−2P

In general, for (xP , yP ) = (xR, −yR):

(xP , yP ) ⊕ (xR, yR) == (xP ⊕R, yP ⊕R) =

= (λ2 − xP − xR, λ(xP − xP ⊕R) − yP ),where

λ = (yR − yP )/(xR − xP ) if xP = xR,

(3x2P + a4)/(2yP ) else.

⇒ Addition and Doubling need1 I, 2M, 1S and 1 I, 2M, 2S, respectively




Weierstraß equation

E : y2 + (a1x + a3)

h(x)

y = x3 + a2x2 + a4x + a6

f (x)

, h,f ∈ IFq [x].

Negative of P = (xP , yP ) is given by−P = (xP , −yP − h(xP )).

(xP , yP ) ⊕ (xR, yR) = (x3, y3) =

= (λ2 + a1λ − a2 − xP − xR, λ(xP − x3) − yP − a1x3 − a3),where

λ = (yR

− yP

)/(xR

− xP

) if xP

= xR

,3x2P +2a2xP +a4−a1yP

2yP +aP xP +a3else.


j i C i



Projective Coordinates

P = (X 1 : Y 1 : Z 1), Q = (X 2 : Y 2 : Z 2), P ⊕ Q = (X 3 : Y 3 : Z 3)on E : Y 2Z = X 3 + a4XZ 2 + a6Z 3

Addition: P = ±Q Doubling P = Q = −P

A = Y 2Z 1 − Y 1Z 2, B = X 2Z 1 − X 1Z 2, A = a4Z 21 + 3X 21 , B = Y 1Z 1,

C = A2Z 1Z 2 − B3 − 2B2X 1Z 2 C = X 1Y 1B, D = A2 − 8C

X 3 = BC, Z 3 = B3Z 1Z 2 X 3 = 2BD,Z 3 = 8B3.

Y 3 = A(B2X 1Z 2 − C ) − B3Y 1Z 2, Y 3 = A(4C − D) − 8Y 21 B2

No inversion is needed and the computation times are12M + 2S for a general addition and 7M + 5S for a doubling.




Jacobian Coordinates

P = (X 1 : Y 1 : Z 1), Q = (X 2 : Y 2 : Z 2), P ⊕ Q = (X 3 : Y 3 : Z 3)on Y 2 = X 3 + a4XZ 4 + a6Z 6 by

Addition: P = ±Q Doubling P = Q = −P

A = X 1Z 22 , B = X 2Z 21 , C = Y 1Z 32 , A = 4X 1Y 21 , B = 3X 21 + a4Z 41D = Y 2Z 31 , E = B − A, F = D − C

X 3 = −E 3 − 2AE 2 + F 2, Z 3 = Z 1Z 2E , X 3 = −2A + B2, Z 3 = 2Y 1Z 1

Y 3 = −CE 3 + F (AE 2 − X 3), Y 3 = −8Y 41 + B(A − X 3).

No inversion is needed and the computation times are12M + 4S for a general addition and 4M + 6S for a doubling.


Diff t di t t



Different coordinate systems y2 = x3 + ax + b

system points correspondence

affine (A) (x, y)

projective (P ) (X , Y , Z ) (X/Z, Y /Z )

jacobian (J ) (X , Y , Z ) (X/Z 2,Y/Z 3)

Chudnovsky jacobian (J C ) (X,Y,Z,Z 2, Z 3) (X/Z 2,Y/Z 3)

modified jacobian (J m) (X,Y,Z,aZ 4) (X/Z 2,Y/Z 3)

system addition doubling

affine (A) 2M 1S 1I 2M 2S 1I

projective (P ) 12M 2S – 7M 5S –

jacobian (J ) 12M 4S – 4M 6S –

Chudnovsky jacobian (J C ) 11M 3S – 5M 6S –

modified jacobian (J m) 13M 6S – 4M 4S –


Mi d di



Mixed coordinates

(Cohen, Miyaji, Ono, Asiacrypt ’98)

affordable inversions:precomputations in A (with Montgomery),

main doublings in J m,final doublings 2J m = J ,additions A + J = J m

expensive inversions:precomputations in J C ,main doublings in J m,final doublings 2J m = J ,

additions J + J C = J m




Side-channel attacks –

Why can’t we always go for thefastest coordinate systems?


Sid Ch l



Side Channels

Attacker can measureTime to perform operations,

Power consumption during operations,

Electro-magnetic radiation during computation,Noise produced during computation.

. . .

Obviously, integer addition is cheaper than multiplication⇒ needs more clock cycles, different characteristics of

power trace.

Attacker might be able to reconstruct sequence ofoperations (power & EM) or at least learn how many ofeach kind were performed (timing).


Consequences



Consequences

If sequence of operations depends on the secret keyand this is directly translated to the observed data, one canreconstruct the key

⇒ Simple Side-ChannelAnalysis (SSCA)

(often SPA= SimplePower Analysis).

(e. g. in binary square-and-multiply one has

S M S S M ∼(1101)2 = 13).


Scalar Multiplication Double and Add



Scalar Multiplication – Double-and-Add

IN: P ∈ E (IFq ), n ∈ ZZ, n = li=0 ni2i

OUT: Q = nP

1. Q = P

2. for i = l − 1 down to 0 do

3. Q = 2Q

4. if (ni = 1) then Q = Q + P 5. output Q

If ADD = DBL one can easily determine n from the sequence

of ADD and DBL:

DBL DBL ADD DBL ADD DBL DBL ⇔ (101100)2 = 44


Weierstrass form (q odd)



Weierstrass form (q odd)

E : y2

= x3


P

R

−P

−R

P +R

[2]P

−[2]P (x1, y1) + (x2, y2) =

= (x3, y3) == (λ2 − x1 − x2, λ(x1 − x3) − y1),

where

λ = (y2

− y1

)/(x2

− x1

) if x1

= x2

,

(3x21 + a4)/(2y1) else.

⇒ Addition and Doubling differ considerably.ADD: 1 I, 2M, 1S vs. DBL: 1 I, 2M, 2S

Unprotected arithmetic prone to SSCA.


Double and always Add



Double-and-always-Add

This is the obvious countermeasure . . .IN: P ∈ E (IFq ), n ∈ ZZ, n =

li=0 ni2

i

OUT: Q = nP

1. Q = P, R = [2]P

2. for i = l − 1 down to 0 do

3. Q = [2]Q

4. if ni == 1 then Q = Q ⊕ P else R = Q ⊕ P //dummy operation

5. output Q

. . . but it is very inefficient.Caution: If an active adversary is allowed, the dummyoperations might be detected (fault attacks)


Common countermeasures




Double-and-always-addvery inefficient

Side-channel atomicity (Chevallier-Mames, Ciet, Joye)build group operation from identical blocks.

Each block consists of:

1 multiplication, 1 addition, 1 negation, 1 addition;

fill with cheap dummy additions and negationsADD (A + P ) needs 11 blocksDBL (2P ) needs 10 blocks

. . . . . .

Brier and Joye, uniform Jacobian coordinates






Double-and-always-addvery inefficient

Side-channel atomicity (Chevallier-Mames, Ciet, Joye)build group operation from identical blocks.

Each block consists of:

1 multiplication, 1 addition, 1 negation, 1 addition;

fill with cheap dummy additions and negationsADD (A + P ) needs 11 blocksDBL (2P ) needs 10 blocks

. . . . . .ADD9 ADD10ADD11DBL1 DBL2 DBL3 DBL4 DBL5

Brier and Joye, uniform Jacobian coordinates


Uniform Group Operations



Uniform Group Operations

Liardet and Smart CHES 2001: Jacobi intersection

Billet and Joye AAECC 2003: Jacobi-Model

E J : Y

2

= ǫX

4

− 2δX

2

Z

2

+ Z

4

.Joye and Quisquater suggested Hessian Curves

E H : X 3 + Y 3 + Z 3 = cXY Z.

They achieve uniformity by

[2](X 1 : Y 1 : Z 1) = (Z 1 : X 1 : Y 1) + (Y 1 : Z 1 : X 1)

and (Z 1 : X 1 : Y 1) = (Y 1 : Z 1 : X 1).




Edwards coordinates


Addition on Elliptic Curves




At Mathematics: Algorithms and Proofs in Leiden, January2007, Harold M. Edwards gave a talk on Addition on EllipticCurvesSo Dan and I expected . . .

P

R

−P − R

P +R

[2]P

−[2]P






At Mathematics: Algorithms and Proofs in Leiden, January2007, Harold M. Edwards gave a talk on Addition on EllipticCurves

But there it was – the elliptic curve:

x2 + y2 = a2(1 + x2y2).








x2 + y2 = a2(1 + x2y2).

Nonsingular if and only if a5 = a.








x2 + y2 = a2(1 + x2y2).

Nonsingular if and only if a5 = a.To see that this is indeed an elliptic curve, use

z = y(1 − a2x2)/a to obtain

z 2 = x4 − (a2 + 1/a2)x2 + 1.


Edwards’ Addition Formulae



Edwards Addition Formulae

P = (xP , yP ), Q = (xQ, yQ) on x2 + y2 = a2(1 + x2y2).

P + Q = xP yQ + yP xQ

a(1 + xP xQyP yQ)

, yP yQ − xP xQ

a(1 − xP xQyP yQ) .

[2]P = xP yP + yP xP a(1 + xP xP yP yP ) ,

yP yP − xP xP a(1 − xP xP yP yP )

=

2xP yP

a(1 + (xP yP )2),

y2P − x2P a(1 − (xP yP )2)

.

For much more information on elliptic curves in thisshape see Edwards 2007 paper in Bull. AMS.,electronic April 9.




Following results are jointwork with

Daniel J. Bernstein


Edwards form



Edwards form

Slightly generalized shape:

E E : x2 + y2 = c2(1 + dx2y2)

is elliptic curve for c, d = 0 and dc4 = 1.

Affine formulae

(x1, y1)+(x2, y2) = x1y2 + y1x2

c(1 + dx1x2y1y2)

, y1y2 − x1x2

c(1 − dx1x2y1y2) .

Projective version takes

10M + 1S + 1C + 1D + 7A,

where C is the cost of multiplying by c, D is the cost ofmultiplying by d, and A abbreviates addition.


Comparison of unified formulae



p

System Cost of unified addition-or-doublingJacobian 11M+6S+1C; see Brier/Joye ’03

Jacobian if a4 = −1 13M+3S; see Brier/Joye ’02

Jacobi intersection 13M+2S+1C; see Liardet/Smart ’01

Jacobi quartic 10M+3S+3C; see Billet/Joye ’01

Hessian 12M; see Joye/Quisquater ’01

Edwards 10M+1S+1C

Fastest unified addition-or-doubling formulae.

Exactly the same formulae for doubling (nore-arrangement like in Hessian)

No exceptional cases – affine input produces correctaffine output – if d is not a square, i.e. no points withdx1x2y1y2 = ±1.




Multi-scalar multiplication


Idea of joint doublings



j g

To compute [n1

]P 1

⊕ [n2

]P 2

⊕ · · · ⊕ [nm

]P m

compute thedoublings together, i.e. write scalars ni in binary:

n1 = n1,l−12l−1 +n1,l−22l−2 +n1,l−32l−3 . . . +n1,12 +n

n2 = n2,l−12l−1

+n2,l−22l−2

+n2,l−32l−3

. . . +n2,12 +n... = ...

... ...

... ...

nm = nm,l−12l−1 +nm,l−22l−2 +nm,l−32l−3 . . . +nm,12 +n





To compute [n1

]P 1

⊕ [n2

]P 2

⊕ · · · ⊕ [nm

]P m

compute thedoublings together, i.e. write scalars ni in binary:

n1 = n1,l−12l−1 +n1,l−22l−2 +n1,l−32l−3 . . . +n1,12 +n

n2 = n2,l−12l−1

+n2,l−22l−2

+n2,l−32l−3

. . . +n2,12 +n... = ...

... ...

... ...


Compute as[2]([n1,l−1]P 1 ⊕ [n2,l−1]P 2 ⊕ [n3,l−1]P 3 ⊕ · · · ⊕ [nm,l−1]P m

first column

)





To compute [n1]P 1 ⊕ [n2]P 2 ⊕ · · · ⊕ [nm]P m compute thedoublings together, i.e. write scalars ni in binary:

n1 = n1,l−12l−1 +n1,l−22l−2 +n1,l−32l−3 . . . +n1,12 +n

n2 = n2,l−12l−1

+n2,l−22l−2

+n2,l−32l−3

. . . +n2,12 +n... = ...

... ...

... ...


Compute as

[2]

[2]([n1,l−1]P 1 ⊕ [n2,l−1]P 2 ⊕ [n3,l−1]P 3 ⊕ · · · ⊕ [nm,l−1]P m)

([n1,l−

2]P

1⊕ [n

2,l−

2]P

2⊕ [n

3,l−

2]P

3⊕ · · · ⊕ [n

m,l−

2]P

m ⊕· · · etc.

Needs many more additions than doublings, even withprecomputations.


Applications



ECDSA verification uses 2 scalar multiplications ... justto add the results.

If base point P is fixed, precompute R = [2l/2]P andinclude in the curve parameters. Split scalar

n = n12l/2 + n0 and compute

[n1]R ⊕ [n0]P.

GLV curves split scalar in two halves to get faster scalarmultiplication.

Verification in accelerated ECDSA can be extended touse 4 or even 6 scalars. Splitting of the scalar is doneby LLL techniques

Further applications in batch verification of signatures – many scalars – by taking random linear combinations.


Comparison – 1 DBL & 0.5 mixed ADD



System Cost of 1 DBL & 0.5 mixed ADD

Projective 10.5M+6S+1C ≈ 15.3M

Edwards 10.5M+4.5S+1.5C ≈ 14.1M

Jacobi quartic 5M+10.5S+4.5C ≈ 13.4MHessian 11M+3S ≈ 13.4M

Jacobian 6M+8.5S+1C ≈ 12.8M

Jacobi intersection 9.5M+4S+0.5C ≈ 12.7MJacobian/Chudnovsky 7M+6.5S ≈ 12.2M

if a4 = −3


1 DBL & 0.75 ADD & 0.75 mixed ADD



System Cost of 1DBL & 0.75 ADD & 0.75 mixed

Projective 21.75M+8S+1C ≈ 28.15M

Jacobi intersection 22M+6S+1.5C ≈ 26.8MJacobian 16.25M+13S+1C ≈ 26.65M

Jacobian if a4 = −3 17.25M+11S ≈ 26.05M

Jacobi quartic 14.5M+13.5S+7.5C ≈ 25.3MHessian 22.5M+3S ≈ 24.9M

Chudnovsky if a4 = −3 16.5M+10.25S ≈ 24.7M

Edwards 20.25M+5.5S+2.5C ≈ 24.65M


Results



Most coordinate systems optimized for many doublings,few additions (single scalar multiplication withwindowing).

Projective Edwards formulae offer best speed foraddition and are not bad for doubling either.

Edwards coordinates are an ideal system for batchverification.


Results



Most coordinate systems optimized for many doublings,few additions (single scalar multiplication withwindowing).

Projective Edwards formulae offer best speed foraddition and are not bad for doubling either.

Edwards coordinates are an ideal system for batchverification.

Anybody need unified, SSCA resistant multi-scalarmultiplication???




The end

http://cr.yp.to/papers.html#newelliptic


Fast scalar multiplication on Elliptic Curves — Tanja Lange

Documents

Transcript of Fast scalar multiplication on Elliptic Curves — Tanja Lange