Discrete Methods in Mathematical Informatics, Lecture 4: Elliptic Curve Cryptography Implementation (I), 27th November 2012. Vorapong Suppakitpaisarn, vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363. Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/


Presentation Transcript


  1. Discrete Methods in Mathematical Informatics. Lecture 4: Elliptic Curve Cryptography Implementation (I). 27th November 2012. Vorapong Suppakitpaisarn, vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363. Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/

  2. Course Information (Many Changes from Last Week)
      Schedule:
      • 10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
      • 10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography [1])
      • 10/23 – Elliptic Curve III (2 Exercises) (Elliptic Curve Cryptography [2])
      • 10/30 – Cancelled
      • 11/6 – Online Algorithm I (Prof. Han)
      • 11/13 – Online Algorithm II (Prof. Han)
      • 11/20 – Cancelled
      • 11/27 – Elliptic Curve IV (2 Exercises) (ECC Implementation I)
      • 12/4 – Cancelled
      • From 12/11 – To be Announced
      Grading:
      • For my part, you need to submit 2 Reports.
      • Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission Deadline: 14 November
      • Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission Deadline: TBD
      • Submit your report at Department of Mathematical Informatics' office [1st floor of this building]

  3. Report I • 48126220 • 48126228 • 48126229 • 48126230 • 48126232 • 37126946 • 37126947 • 48117204 • 48116219 • 48126202 • 48126203 • 48126206 • 48126207 • 48126210 • 48126212 • 48126219 Submitted IDs • 48126109 • 48126119 • 48126122 • 48126141 • 48126143 • 48126144

  4. Elliptic Curve Cryptography
      • ECC Protocol, first party: Generate P ∈ E(F); Generate positive integer a; Receive Q = bP; Compute aQ = abP.
      • ECC Protocol, second party: Receive P; Receive S = aP; Generate positive integer b; Compute bS = abP.
      • Values exchanged: P, aP, bP.
      • Scalar Multiplication: Compute rP = 14P, r = 14 = (0 1 1 1 0)_2. 2 Point Additions, 3 Point Doubles. After each double: O, 2P, 6P, 14P; after each addition: P, 3P, 7P, 14P.
      • Elliptic Curve Arithmetic (Point Addition): curve figure with A = -4, B = 4.
      • Field Arithmetic


  6. Field Multiplication
      • Classical Method: O(n^2)
      • Karatsuba's Method (Practical): O(n^(lg 3)) = O(n^1.585…)
      • Fürer's Method (STOC 2007): O(n log n · 2^(O(lg* n)))
      • Slow Division Algorithm???
      • Montgomery Multiplication [Montgomery 1985]: As Fast As Multiplication

  7. Montgomery Reduction Montgomery Reduction Example

  8. Field Squaring Montgomery Multiplication • Let the computation time of • one field multiplication be [m], • one field squaring be [s], • one field inversion be [i].


  10. Projective Coordinate [cf. Cohen, Miyaji, Ono, 1998]
      • Affine Coordinate: P = (x1, y1), 2P = (x2, y2), 3P = (x3, y3), … For 14P (after each double: O, 2P, 6P, 14P; after each addition: P, 3P, 7P, 14P): 2 Point Additions > 2[i], 3 Point Doubles > 3[i]; 5 Point Inversions.
      • Projective Coordinate: (x1 : y1 : 1), then Point Double in Projective Coordinate gives (X2 : Y2 : Z2), Point Addition in Projective Coordinate gives (X3 : Y3 : Z3), …, (X14 : Y14 : Z14); 2 Point Inversions.

  11. Point Addition In Projective Coordinate Goal Projective Coordinate Affine Coordinate

  12. Efficiency: Cost of Affine Coordinate vs. Projective Coordinate, in [m], [s] and [i] (table)

  13. Exercise Affine Coordinate Exercise 6

  14. Other Coordinates


  16. Scalar Multiplication and Binary Representation
      • Scalar Multiplication on Elliptic Curve Cryptography: S = P + P + … + P (r times) = rP, when r is a positive integer and S, P are members of the curve.
      • Double-and-add method: let r = 14 = (0 1 1 1 0)_2 and compute rP = 14P. Weight = 3. After each double: O, 2P, 6P, 14P; after each addition: P, 3P, 7P, 14P. 3 – 1 = 2 Point Additions, 4 – 1 = 3 Point Doubles.
      • Average # of Point Doubles? For [0, 2^n - 1], n - 1 times?
      • Average # of Point Additions? For [0, 2^n - 1], n/2 - 1 times? (Average Weight = n/2)

  17. Redundant Binary Representation
      • Changing the digit set can make Scalar Multiplication faster.
      • Represent each digit using {0, 1, -1} instead of {0, 1}.
      • The representation is redundant, so use Minimum Weight Conversion to find the Minimum Weight Expansion (the expansion that has the minimum joint weight).
      • Binary: r = 14 = (0 1 1 1 0)_2, Weight = 3. 3 – 1 = 2 Point Additions, 4 – 1 = 3 Point Doubles. Average # of Point Doubles? For [0, 2^n - 1], n - 1 times? Average # of Point Additions? For [0, 2^n - 1], n/2 - 1 times? (Average Weight = n/2)
      • Redundant: compute rP = 14P with r = 14 = (1 0 0 -1 0)_2, Weight = 2. After each double: O, 2P, 4P, 8P, 14P; after each addition: P, 2P, 4P, 7P, 14P. 2 – 1 = 1 Point Additions, 5 – 1 = 4 Point Doubles. Average # of Point Doubles? For [0, 2^n - 1], n times? Average # of Point Additions? For [0, 2^n - 1], n/3 - 1 times? (Average Weight = n/3)

  18. Non-Adjacent Form
      • Definition: S = (s_{n-1} s_{n-2} … s_0) is DS-Expansion of positive integer r iff
      • Definition: S = (s_{n-1} s_{n-2} … s_0) is Minimum Weight DS-Expansion of positive integer r iff
      • Definition: S = (s_{n-1} s_{n-2} … s_0) is Non-Adjacent Form of positive integer r iff
      • Optimality: S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r

  19. Algorithm Algorithm Simple Fact n - 1 consecutive 1’s n - 2 consecutive 1’s Ex Example 1 0 0 0 -1 1 0 0 0 -1

  20. Average Hamming Density: Definition; Algorithm; Pr[s_t = 0] = 0.5, Pr[s_t = 1] = 0.5; Proposition; Proof (figure)


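  22. Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
      • Base 2 (digit positions 2^4 2^3 2^2 2^1 2^0): 14 = (1 0 0 -1 0)_2. After each double: O, 2P, 4P, 8P, 14P; after each addition: P, 2P, 4P, 7P, 14P. 1 Point Additions, 4 Point Doubles.
      • Base 3 (digit positions 3^4 3^3 3^2 3^1 3^0): 14 = (0 1 -1 -1 -1)_3. After each triple: O, 3P, 6P, 15P; after each addition: P, 2P, 5P, 14P. 3 Point Additions, 3 Point Triples.
      • Double base: 14 = 2^3·3^0 + 2^1·3^1 (both digits 1). Too General; Hard to introduce to Scalar Multiplication.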

  23. Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008] Double-Base Number System when and With More Restriction

  24. Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
      Double Base Number System (DBNS) and Double Base Chains (DBC), examples as listed on the slide:
      • 14 = 2^2·3^1 + 2^1·3^0
      • 14 = 2^3·3^0 + 2^1·3^1
      • 127 = 2^2·3^3 + 2^1·3^2 + 2^1·3^0
      • 127 = 2^2·3^3 + 2^1·3^2 + 2^1·3^0

  25. Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
      • Double-Base Number System when and With More Restriction
      • k = 127 = 2^2·3^3 + 2^1·3^2 + 2^0·3^0
      • Digit: 1 0 1 0 0 1
      • Base: 2^2·3^3, 2^1·3^3, 2^1·3^2, 2^0·3^2, 2^0·3^1, 3^0·3^0
      • Similar to Double-and-add Methods. After each double or triple: O, 2P, 6P, 14P, 42P, 126P; after each addition: P, 2P, 7P, 14P, 42P, 127P. 2 Point Additions, 2 Point Doubles, 3 Point Triples.
      • Problem: Given k; given Cadd, the computation time of a Point Addition; given Cdbl, the computation time of a Point Double; given Ctpl, the computation time of a Point Triple. Find the Chain With Smallest Total Computation Time.

  26. Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012] (Our Results)
      • k = 10, Ctpl = 1, Cdbl = 1, Cadd = 1. How to compute kP = 10P?
      • Plan A: Compute 5P. Double the point to 10P = 2 · 5P. Cost: Optimized Computation Time of 5P + Point Double = C(5P) + Cdbl = 3 + 1 = 4
      • Plan B: Compute 3P. Triple the point to 9P = 3 · 3P. Add the point with P (9P + P = 10P). Cost: Optimized Computation Time of 3P + Point Triple + Point Addition = C(3P) + Ctpl + Cadd = 1 + 1 + 1 = 3

  27. Algorithm (Our Results)
      • C(k) = min(C(k/2) + Pdbl, C(k/3) + Ptpl) if k mod 6 == 0
      • C(k) = min(C(k/2) + Pdbl + Padd, C(k/3) + Ptpl + Padd) if k mod 6 == 1
      • C(k) = min(C(k/2) + Pdbl, infinity) if k mod 6 == 2
      • C(k) = min(C(k/2) + Pdbl + Padd, C(k/3) + Ptpl) if k mod 6 == 3
      • C(k) = min(C(k/2) + Pdbl, C(k/3) + Ptpl + Padd) if k mod 6 == 4
      • C(k) = min(C(k/2) + Pdbl + Padd, infinity) if k mod 6 == 5
      • Dynamic Programming. Time: lg^2 k. Memory: lg^2 k.

  28. Prime Field (Fp)
      • Experiments on Inverted Edwards Coordinates [Bernstein, Lange, AAECC 2007]
      • Cdbl = 6.2[m], Ctpl = 12.2[m], Cadd = 9.8[m]
      • Our Results: 3.95 %, 3.88 %, 3.90 %, 3.90 %, 3.90 %

  29. Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
      • Double-Base Number System when and With More Restriction
      • k = 127 = 2^2·3^3 + 2^1·3^2 + 2^0·3^0
      • Digit: 1 0 1 0 0 1
      • Base: 2^2·3^3, 2^1·3^3, 2^1·3^2, 2^0·3^2, 2^0·3^1, 3^0·3^0
      • Similar to Double-and-add Methods. After each double or triple: O, 2P, 6P, 14P, 42P, 126P; after each addition: P, 2P, 7P, 14P, 42P, 127P. 2 Point Additions, 2 Point Doubles, 3 Point Triples.
      • Problem: Given k; given Cadd, the computation time of a Point Addition; given Cdbl, the computation time of a Point Double; given Ctpl, the computation time of a Point Triple. Find the Chain With Smallest Total Computation Time.
      • Special case: Given k; given Cadd = 1, Cdbl = 0, Ctpl = 0. Find the Chain With Smallest Total Computation Time, that is, find the shortest chain (the chain with smallest number of terms).

  30. On-Going… DBNS Double-Base Chain [Dimitrov, Cooklev, 1995] [Our Results] [Our Results] Input: k Output:mk* Tractable??? SAT??? Input: k Output:mk* Solved by DP [Our Results]

  31. Exercise Exercise 6 Exercise 7

  32. Thank you for your attention Please feel free to ask questions or comment.
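Added example (not part of the original slides): the r = 14 comparison from slides 16 to 19, run on a toy curve so the operation counts and the resulting point can be checked. A = -4 and B = 4 come from the slides; the prime 10007, the base point (1, 1) and all function names are assumptions made for illustration.

```python
# A = -4, B = 4 are the slide's curve parameters; the prime P_MOD and the
# base point G are assumptions picked for this toy example.
A, B, P_MOD = -4, 4, 10007
G = (1, 1)  # on the curve: 1^2 == 1^3 - 4*1 + 4

def add(p, q):
    """Affine addition on y^2 = x^3 + A*x + B; None is the point O."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P) = O
    if p == q:                           # point double
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                # point addition
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def binary_digits(r):
    return [int(b) for b in bin(r)[2:]]  # most significant digit first

def naf_digits(r):
    """{0, 1, -1} expansion with no two adjacent nonzero digits."""
    out = []
    while r > 0:
        d = 0
        if r & 1:
            d = 2 - (r % 4)              # 1 if r = 1 mod 4, -1 if r = 3 mod 4
            r -= d
        out.append(d)
        r >>= 1
    return out[::-1]                     # most significant digit first

def scalar_mult(digits, point):
    """Left-to-right double-and-add; returns (rP, doubles, additions)."""
    minus = (point[0], -point[1] % P_MOD)
    acc, doubles, adds = point, 0, 0     # leading digit is always 1
    for d in digits[1:]:
        acc = add(acc, acc)
        doubles += 1
        if d:
            acc = add(acc, point if d == 1 else minus)
            adds += 1
    return acc, doubles, adds
```

For r = 14 the binary digits give 3 doubles and 2 additions, the signed digits (1 0 0 -1 0) give 4 doubles and 1 addition, and both reach the same point 14P.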
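Added example (not the authors' code): the dynamic program of slides 26 and 27 for the cheapest double-base chain with digits {0, 1}. It assumes k/2 and k/3 on the slide mean floor division and that C(1) = 0; the function names and the D/T/A operation string are hypothetical.

```python
from functools import lru_cache

def best_chain(k, c_add, c_dbl, c_tpl):
    """Return (cost, ops) of a cheapest double-base chain computing kP.

    ops is a string over D (double), T (triple), A (add P), applied
    left to right starting from P.
    """
    if k < 1:
        raise ValueError("k must be a positive integer")

    @lru_cache(maxsize=None)
    def c(n):
        if n == 1:
            return (0, "")               # P itself costs nothing
        # Last step is a double: n = 2*floor(n/2) + (n mod 2)
        cost, ops = c(n // 2)
        best = (cost + c_dbl + (n % 2) * c_add, ops + "D" + "A" * (n % 2))
        # Last step is a triple: only when n mod 3 is 0 or 1, because the
        # digit set is {0, 1} (the "infinity" entries on the slide)
        if n >= 3 and n % 3 != 2:
            cost, ops = c(n // 3)
            cand = (cost + c_tpl + (n % 3) * c_add,
                    ops + "T" + "A" * (n % 3))
            best = min(best, cand, key=lambda t: t[0])
        return best

    return c(k)

def replay(ops):
    """Multiple of P reached by running ops starting from 1*P."""
    n = 1
    for op in ops:
        n = {"D": 2 * n, "T": 3 * n, "A": n + 1}[op]
    return n
```

With unit costs, `best_chain(10, 1, 1, 1)` returns cost 3 (Plan B on slide 26), and with Cadd = 1, Cdbl = Ctpl = 0 the cost for k = 127 is 2, the two point additions of the chain on slide 25.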
