1 Efficient Algorithms for Elliptic Curve Cryptosystems Original article by Jorge Guajardo and Christof Paar Of WPI ECE Department Presentation by Curtis.

Presentation transcript:

1 Efficient Algorithms for Elliptic Curve Cryptosystems Original article by Jorge Guajardo and Christof Paar Of WPI ECE Department Presentation by Curtis Katinas

2 Game plan What are these Algorithms? A new approach to multiplication. What’s the difference? What about inverses? Why is this important?

3 What are these Algorithms? The main problem discussed is that of point multiplication as well as an optimized inversion algorithm in composite Galois fields GF((2^n)^m). Multiplying points on an elliptic curve is analogous to exponentiation of an integer to the nth power.

4 What are these algorithms (cont.) Normally used are the “square and multiply” methods as we did in the RSA handout. The main problem in multiplying in elliptic curves (EC’s from this point) by a large number n, is the large number of inversions.

5 A New Approach to Multiplication The main operation in elliptic curve cryptosystems is multiplication of a point, P, by a large number n. As with exponentiation, this operation requires a large number of smaller operations. In elliptic curves, we calculate 2^i * P for i from 0 to k in GF(2^k). This means we need compound doubling for any k>1. For 4*P, we normally use 2*(2*P).

6 What we had For elliptic curves in GF(2^k):
y^2 + xy = x^3 + ax^2 + c
2P = R = (Xr, Yr)
W = x + y/x
Xr = W^2 + W + a
Yr = x^2 + W*Xr + Xr
This requires one *inverse*, two multiplications, five additions and two squarings.

7 What we need to do: Q = nP and n = (e_t, e_(t-1), ..., e_0)_b, the radix representation of the multiplier n in base b, where b is 2^k, k>0.
Input: P=(x,y)
Output: Q=nP
P_0 = O, the point at infinity
for(int i=1; i<2^k; i++)
    P_i = P_(i-1) + P, or P_i = i*P
Q = O
for(int i=t; i>-1; i--) {
    Q = 2^k * Q
    Q = Q + P_(e_i)
}
return Q

8 The New Method of Doubling: Direct Doubling The point multiplication algorithm requires repeated doublings. Doublings are the most costly operation. We want to do it faster. Suppose we could find 4P without calculating 2P…

9 The Direct Formula for 4*P 4*P = 2^2 * P = (Xr, Yr)

10 What is the Difference? To find 4P using the original formula, we would need to apply each operation twice, once per doubling. We already know that the original doubling algorithm would require four squarings, ten additions, four multiplications and two inverses to compute 4P. This new set of formulas requires six squarings, ten additions, nine multiplications and one inverse.

11 What’s the difference (cont.) If we ignore squarings and additions, the new method requires five extra multiplications for 4P. You will notice that the break even point decreases for 2^k*P as k increases.

12 How much faster are we? Before the new methods were implemented, the authors predicted the time it would take using both individual doublings and direct doublings in GF((2^16)^11). They were estimating a small improvement; they were very wrong.

13 THIS IS FAST!!!

14 What about inverses? While we may be able to multiply points quickly, we still have the problem of inverting quickly. We will be inverting in the composite Galois fields GF((2^n)^m). This field is isomorphic to the field GF(2^n)[x]/P(x). p_i is in GF(2^n), and P(x) is a monic irreducible polynomial over GF(2^n).

15 What we should know: Inversion in a subfield is easy with table lookup provided that n is moderate. By moderate we mean n<17. GF(2^n) is a subfield of GF((2^n)^m).

16 What we do know: For an A in GF((2^n)^m), we can use Fermat’s Theorem to find that: mod P(x) We can obtain from that: mod P(x) How do we make this faster using what we know?

17 A Theorem About Inverses The multiplicative inverse of an element A of the composite Galois field GF((2^n)^m) and A is not 0 can be computed by: mod P(x) where is in the field GF(2^n) and r =

18 What does it mean? Using that theorem, we need four steps: exponentiation in GF((2^n)^m), multiplication in GF((2^n)^m) with AA^(r-1) in GF(2^n), inversion in GF(2^n) which we said was relatively easy, and multiplying. We will look at each of these steps individually.

19 Exponentiation r can be expressed in a power series: r = (2^(nm)-1)/(2^n-1), so r-1 = 2^n + 2^(2n) + 2^(3n) + ... + 2^((m-1)n). A^(r-1) can be computed using addition chains. This requires floor[log2(m-1)] + HammingWeight(m-1) - 1 multiplications, and at most m-1 exponentiations to the power of 2^n. The Hamming Weight is taken of the binary representation of m-1. In general, the complexity of an inversion algorithm is measured in the number of multiplications required.

20 Exponentiation (cont.) Let B and C be in GF((2^n)^m). We want to find where We find C(x) this way (all operations mod P(x)):

21 Exponentiation (cont.) If we assume 2^n > m-1, then there are m-1 powers that must be reduced modulo P(x). The notation from the previous slide for x^(i2^n) represents these powers. By placing the coefficients (s values) into a matrix, we can represent the exponentiations in a matrix.

22 What is the Matrix? All coefficients in S (s_i,j) are binary, adding a major computational advantage. The entire exponentiation can be simplified with matrix multiplication. Thus the process requires only (m^2 – 3m + 2)/2 additions in GF(2). If the exponent is in the form B(x) ^ (2*L*n) where L > 1, the process requires only one matrix multiplication. This type of exponentiation occurs in the algorithm.

23 Multiplication in GF((2^n)^m) We need to find A^r = A^(r-1)*A mod P(x). H(x) = F(x)*G(x) mod P(x). H'(x) = F(x)*G(x). H'(x) is congruent to H(x) = h_0 mod P(x). h_0 is the zero coefficient of H'(x) since all other terms disappear in the modulus. This means we only need to look at the coefficients h'_i, 0<=i<=m-2, that influence h'_0. This greatly reduces the number of operations needed.

24 An Example (From the text) m=11, P(x) = x^11 + x^2 + 1. H(x) = h_0 = h'_0 + h'_11 + h'_20. This requires only 12 multiplications and 11 additions as opposed to 121 multiplications and 100 additions that would be used in general multiplication.

25 Inversion in GF(2^n) and Multiplication from GF(2^n) with GF((2^n)^m) Subfield operations are generally less complex than those of the original field. Since A^r is from a subfield, its inverse can be found with two table lookups. This inverse is also an element of GF(2^n). This multiplied by A^(r-1) gives A inverse. This requires m steps. Since all arithmetic is done in GF(2^n), we need not reduce modulo P(x).
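
The four steps from slides 18 to 25, put together as an added example (not code from the slides or the original article). It uses P(x) = x^11 + x^2 + 1 from slide 24 but, as an assumption, a smaller subfield GF(2^8) with modulus x^8+x^4+x^3+x+1 and generator 0x03 so the lookup tables stay small; A^(r-1) is built as a plain product of Frobenius powers rather than with an addition chain.

```python
# Added example: inversion in GF((2^8)^11) with P(x) = x^11 + x^2 + 1 (slide 24).
N, M = 8, 11
EXP, LOG, v = [0] * 510, [0] * 256, 1
for i in range(255):      # log/antilog tables; assumed modulus 0x11B, generator 0x03
    EXP[i] = EXP[i + 255] = v
    LOG[v] = i
    v ^= (v << 1) ^ (0x11B if v & 0x80 else 0)    # v *= 0x03

def smul(a, b):                           # multiply in the subfield GF(2^8)
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def sinv(a):                              # subfield inverse by table lookup, a != 0
    return EXP[255 - LOG[a]]

def mul(f, g):                            # H(x) = F(x)*G(x) mod P(x), general case
    h = [0] * (2 * M - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] ^= smul(fi, gj)
    for k in range(2 * M - 2, M - 1, -1): # reduce with x^11 = x^2 + 1
        h[k - M + 2] ^= h[k]
        h[k - M] ^= h[k]
    return h[:M]

def frobenius_matrix():                   # column i = x^(i*2^n) mod P(x)
    X = [0, 1] + [0] * (M - 2)
    for _ in range(N):
        X = mul(X, X)                     # X = x^(2^n) mod P(x)
    cols = [[1] + [0] * (M - 1)]
    for _ in range(M - 1):
        cols.append(mul(cols[-1], X))
    return cols

S = frobenius_matrix()                    # every entry is 0 or 1 (slide 22)

def frob(a):                              # A^(2^n) using only subfield additions
    out = [0] * M
    for ai, col in zip(a, S):
        out = [o ^ (ai if s else 0) for o, s in zip(out, col)]
    return out

def inverse(a):                           # a: 11 coefficients, lowest first, a != 0
    f = b = frob(a)
    for _ in range(M - 2):                # b = A^(r-1) = product of A^(2^(i*n)), i=1..m-1
        f = frob(f)
        b = mul(b, f)
    h0 = smul(b[0], a[0]) ^ smul(b[10], a[10])    # h'_0 + h'_20
    for i in range(1, M):
        h0 ^= smul(b[i], a[M - i])        # h'_11: the only other term reaching h_0
    t = sinv(h0)                          # A^r lies in GF(2^8)
    return [smul(t, bi) for bi in b]      # A^-1 = (A^r)^-1 * A^(r-1)
```

The constant coefficient h0 is computed with 12 subfield multiplications, matching the count on slide 24, instead of a full 121-multiplication product.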

26 Why is this Important? As said earlier, multiplication in elliptic curves by a large integer n is analogous to exponentiating by n. Elliptic Curve Cryptography (ECC) may be used as an alternative to RSA. Currently, ECC has not made it into the mainstream. Part of the problem is the difficulty of efficient implementations. These new methods greatly improve efficiency, surpassing RSA implementations in some instances.

27 Why is this Important? An ECC implementation is generally more secure than an RSA implementation of the same key size. With time and further improvements in implementations, ECC may become the successor to RSA.

28 Are there any questions?
