1 / 15

Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m )

Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m ). Steffen Peter, Peter Langendörfer and Krzysztof Piotrowski. Flexibility for ECC implementations. = possibility to compute with other key sizes Why? - To communicate with peers that use other key sizes

tadhg
Download Presentation

Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Flexible Hardware Reduction forElliptic Curve Cryptography in GF(2m) Steffen Peter, Peter Langendörfer and Krzysztof Piotrowski

  2. Flexibility for ECC implementations • = possibility to compute with other key sizes • Why? • - To communicate with peers that use other key sizes • - Change field in case the implemented field has a cryptoanalytical weakness • What is the problem? • Addition, Multiplication, Registers? - NO (padding zeros) • Control program? – NO (it is software) • Reduction!

  3. Modular Reduction • Correspondsto classic modular division • - In GF(11) = {0,1,2,…,9,10} • Example: 5 · 8 = 40 > 10  5 · 8 mod 11 = 40 mod 11 = 7 • In GF(2m) itis a polynomialdivisionbytheirreduciblepolynomial r(x)

  4. Classic School Division • reduce each bit starting from the left by XORing r • until overlapping part C1 is zero • r(x) is the given irreducible of the field

  5. Repeated Multiplication Reduction (RMR) • Reducemorebits per iterationbymultiplyingoverlapppingpart C1 withtheirreduciblepolynomial r • C ≡ (C – i · r) mod r foreach i •  C ≡C – C1 · r

  6. Reduction Polynomials [NIST] • Are eithertrinomialsorpentanomials • Second highestsetpositionissmaller m/2

  7. Hard-Wired Reduction (∙x233) C1∙r (∙x74) r=(x233+x74+x0) (∙x0) C1’∙r (∙x233) (∙x74) r=(x233+x74+x0) (∙x0) • Directmappingfrom C to C0‘‘ withfew XOR operations • Veryefficientcombinatoriccircuit • Reduction in GF(2233) needs 0.03mm² (0.25um CMOS) • NOT FLEXIBLE!

  8. Multiple Hard-Wired Reduction Blocks C • Fast, small • Limited flexibility Red163 Red233 Red283 MUX sel C‘‘

  9. Reduction Polynomials • Are eithertrinomialsorpentanomials • Second highestsetpositionissmaller m/2 • Havestructurexm + … + 1 • ExploitingthesepropertiesisthebasisfortheFlexible ShiftReduction

  10. Flexible Shift Reduction Example: Hardware=283 bit, m = 283 bit, r(x) = x283+x12+x7+x5+1 C1 C = 2∙283 bit multiplication result C0 C1 >>283-12 C1 XOR >>283-7 C1 >>283-5 C1 >>283 C1 C1’ C0’ C1’ >>283-12 C1’ XOR >>283-7 C1’ >>283-5 C1’ >>283 C1’ C0’’

  11. Flexible Shift Reduction Example: Hardware=283 bit, m = 163 bit, r(x) = x163+x7+x6+x3+1 2∙283 bit reduction logic C1 C0 C1 C = 2∙163 bit multiplication result >>163-7 C1 XOR >>163-6 C1 >>163-3 C1 >>163 C1 C1’ C0’ C1’ >>163-7 C1’ XOR >>163-6 C1’ >>163-3 C1’ >>163 C1’ C0’’

  12. Flexible Shift Reduction - Design

  13. Comparison of complete ECC designs Time and energy for one Elliptic Curve Point Multiplication

  14. Conclusions • Reduction is bottleneck of flexible ECC hardware accelerators • More flexiblity implies: • Less speed • More silicon area • More energy consumption • Multiple hard-wired reduction blocks (MHWR) is the best choice if supported field sizes are known • A design that support all 5 recommended NIST curves (163-571 bit) needs merely 10% more silicon area than a 571 bit single curve design. • Flexible Shift Reduction (FSR) provides more flexibility • in comparison to software (MIPS 33 MHz) it is • 500 times faster • Requires less than 1% of the energy • ECC-FSR is the fastest known implementation with such degree of flexibility

  15. Thank You Questions? peter@ihp-microelectronics.com

More Related