Elliptic curve point multiplication
Alexander Rostovtsev, Elena Makhovenko
St. Petersburg State Polytechnic University
www.ssl.stu.neva.ru

Elliptic curves in cryptology
Elliptic curve cryptosystems provide:
• the best possible strength;
• a wide range of cryptographic functions (digital signature, public key encryption, zero-knowledge proofs, etc.);
• a low rate of strength decrease;
• the possibility of independent key change (DSS-type cryptosystems, based on discrete logarithms modulo a prime, do not provide it).

Elliptic curve
Elliptic curve (EC) $E(F_p)$: points of $F_p^3 \setminus (0, 0, 0)$ with $Y^2Z = X^3 + AXZ^2 + BZ^3$, where $(X, Y, Z) = (uX, uY, uZ)$, $u \neq 0$.
$E(F_p)$ is a finite Abelian group of points (X, Y, Z). The point at infinity (0, 1, 0) is the neutral element.

EC discrete logarithm problem
Given $Q, P \in E(F_p)$, find integer l such that P = lQ.
ECDLP is hard if:
• $E(F_p)$ contains a subgroup of prime order r;
• r p;
• $p^k \not\equiv 1 \pmod{r}$ for k = 1, …, 31.

ECDLP solution (1)
[Diagram: E(Fp), {Ei(Fp)}, {Ei(K)}, with the steps labelled Hom and Lift]
K = Q[D1, …, Dk]; {|Di|} = {Small primes} {-1}, Di Fp
ECDLP = (Compute Mordell–Weil group) & (Lift a point)

ECDLP solution (2)
1. Find {Ei(Fp)} using algebraic homomorphisms.
2. Choose K = Q[D1, …, Dk], |Di| are small primes, represented in Fp.
3. Choose a subset of curves {Ei(K)} of large rank, using the Birch and Swinnerton-Dyer conjecture.
4. Compute Mordell–Weil groups of {Ei(K)} and lift points.
5. Find linear relations between the points of {Ei(K)} and compute the discrete logarithm.

Elliptic curve arithmetic
The main operation is point multiplication: $[m]\colon P \mapsto mP$.
Isogeny : $E_1(F_p) \to E_2(F_p)$, $(0,1,0) \mapsto (0,1,0)$.
If E1 = E2 then (imaginary quadratic order OD): isogeny gives complex multiplication by OD.
Norm N()>1: isogeny is not invertible and defines large automorphism group of points of order r.

Traditional point multiplication [m]P (4-bit window size)
1. Precompute points 2P, 3P, …, 15P.
2. Represent $m = m_0 + 16m_1 + 16^2m_2 + \dots + 16^km_k$.
3. $P_k = m_kP$,
   $P_{k-1} = 2(2(2(2P_k))) + m_{k-1}P$,
   $P_{k-2} = 2(2(2(2P_{k-1}))) + m_{k-2}P$,
   …
Complexity: 4k point doublings, k point additions.
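
The 4-bit window procedure above, as an added Python example that is not part of the original slides. The toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19, and all function names, are assumptions chosen for illustration; the function also returns the operation counts so they can be compared with the stated complexity.

```python
# Added example (not from the slides): 4-bit fixed-window point multiplication.
# Toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has prime order 19.
# These parameters are constructed for illustration only.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity, the neutral element

def add(p1, p2):
    """Affine group law, covering infinity, inverse points and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def naive_mul(m, pt):
    """Reference result: m repeated additions starting from infinity."""
    acc = INF
    for _ in range(m):
        acc = add(acc, pt)
    return acc

def window_mul(m, pt):
    """Return (mP, doublings, additions) for m = sum(m_i * 16**i)."""
    table = [INF, pt]
    for _ in range(14):
        table.append(add(table[-1], pt))  # precompute 2P, 3P, ..., 15P
    digits = []
    while m:
        digits.append(m & 15)  # base-16 digits, least significant first
        m >>= 4
    if not digits:
        return INF, 0, 0
    acc, dbl, adds = table[digits[-1]], 0, 0  # P_k = m_k P
    for d in reversed(digits[:-1]):  # P_i = 16 P_{i+1} + m_i P
        for _ in range(4):
            acc = add(acc, acc)
            dbl += 1
        acc = add(acc, table[d])  # counted even when m_i = 0
        adds += 1
    return acc, dbl, adds
```

In a production implementation the lookup table[d] is indexed by digits of a secret scalar, so the selection has to be done in constant time to avoid leaking those digits through cache timing.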

Point multiplication (1)
The main idea: complex multiplication by = (-2) or = (1 + (-7))/2 is used instead of doubling.
For 4-bit window size: 4 = 2 * 2, point multiplication takes 2k point doublings, k point additions.
The rate increases 1.6 times for = (-2); 1.5 times for = (1+(-7))/2.
For large window size the rate increases ~2 times.

Point multiplication (2)
Algorithm:
• Factor r = , where elementOD is prime; 0 (mod r); and represent: Fr = OD/().
• Represent exponent m as an element of OD/() with N(m)<r.
• Represent m in -adic or ( and)-adic notation.
• Find [m]P using complex multiplication and point addition.

Exponent representation
Precomputation: r = by extended Euclidean algorithm in OD (according to Pollard and Schnorr).
Reduction m m (mod ) = m0+m1: N(m) min.
Two steps: in real and imaginary directions.
Find integers n0, n1: N((n0 + n1)) N(m); m0 + m1 = m - (n0 + n1).
Algorithm gives bijection between Fr and the set of points of parallelogram in a lattice (1, ) with norm < r.

Complex multiplication formula
(-2) * (X,Y,Z) = (-Y2Z, Y(U2 + Z2)/(-2), 2U2Z); U = X + 4/3*(3/10)(p+1)/4.
(1 + (-7))/2 * (X,Y,Z)=(Z(Y2 + X2), Y(X2 + Z2), X2Z); = ((1 + (-7))/2)2/4, = -((1 + (-7))/2)3/8, = -((1 +(-7))/2)6/36.

Elliptic curve equation
For = (-2): p = a2 + 2b2, a 1 (mod 6), b 1 (mod 6), 2r = p + 1 2a 2 (mod 4)
y2 = x3 + ((-3/10)/p)x (4/15)(2/15)(p+1)/4
For = (1 + (-7))/2: p = a2 + ab + 2b2, 4r = p + 1 2a 0 (mod 4)
y2 = x3 + ((-7/5)/p)x (2/5)(-7/5)(p+1)/4

Conclusion
If operator [] generates a large subgroup of Fr* then cryptosystem strength does not decrease.
The point multiplication algorithm is the fastest for the large class of elliptic curves over prime fields; its rate does not depend on a special kind of field characteristic.
EC isogenies are good structures for public-key cryptology. They allow the construction of public-key cryptosystems resistant to quantum computers. The basic problem is to find an isogeny between given elliptic curves.