Discrete Methods in Mathematical Informatics
Lecture 4: Elliptic Curve Cryptography Implementation (I)
27th November 2012
Vorapong Suppakitpaisarn
Eng. 6 Room 363
Course Information (Many Changes from Last Week)
Schedule
- 10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
- 10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography[1])
- 10/23 – Elliptic Curve III (2 Exercises) (Elliptic Curve Cryptography[2])
- 10/30 – Cancelled
- 11/6 – Online Algorithm I (Prof. Han)
- 11/13 – Online Algorithm II (Prof. Han)
- 11/20 – Cancelled
- 11/27 – Elliptic Curve IV (2 Exercises) (ECC Implementation I)
- 12/4 – Cancelled
- From 12/11 – To be Announced
Grading
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission Deadline: TBD
- Submit your report at the Department of Mathematical Informatics’ office [1st floor of this building]
Report I Submitted IDs
Elliptic Curve Cryptography
- Field Arithmetic
- Elliptic Curve Arithmetic: Point Addition (A = -4, B = 4)
- Scalar Multiplication: Compute rP = 14P, r = 14 = (01110)2. O → P → 2P → 3P → 6P → 7P → 14P: 2 Point Additions, 3 Point Doubles
- ECC Protocol
  - First party: Generate P ∈ E(F); Generate positive integer a; Receive Q = bP; Compute aQ = abP
  - Second party: Receive P; Receive S = aP; Generate positive integer b; Compute bS = abP
  - Exchanged values: P, aP, bP
Field Multiplication
- Classical Method: O(n^2)
- Karatsuba’s Method (Practical): O(n^(lg 3)) = O(n^1.585…)
- Fürer’s Method (STOC 2007): O(n log n · 2^(O(lg* n)))
Slow Division Algorithm???
Montgomery Multiplication [Montgomery 1985]: As Fast As Multiplication
Montgomery Reduction Example
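A worked Montgomery reduction, added here as an illustration and not taken from the slides: it replaces division by the modulus with a mask and a shift by R = 2^k. The function names and the sample modulus are assumptions made for this example.

```python
def montgomery_setup(n, k):
    """Precompute n' for an odd modulus n and R = 2**k > n."""
    if n % 2 == 0 or n >= (1 << k):
        raise ValueError("need an odd modulus n < R = 2**k")
    r = 1 << k
    n_prime = (-pow(n, -1, r)) % r          # n * n' == -1 (mod R)
    return r, n_prime

def redc(t, n, k, n_prime):
    """Return t * R^-1 mod n for 0 <= t < n*R without dividing by n."""
    mask = (1 << k) - 1
    m = ((t & mask) * n_prime) & mask       # m = (t mod R) * n' mod R
    u = (t + m * n) >> k                    # t + m*n is an exact multiple of R
    # 0 <= u < 2n, so one subtraction suffices. This branch depends on the
    # data; constant-time code replaces it with a masked select.
    return u - n if u >= n else u

def to_mont(a, n, k):
    """Enter Montgomery form: a -> a*R mod n (one-off conversion)."""
    return (a << k) % n

def mont_mul(a_bar, b_bar, n, k, n_prime):
    """(aR)(bR)R^-1 = (ab)R mod n: the product stays in Montgomery form."""
    return redc(a_bar * b_bar, n, k, n_prime)

def mod_mul_via_montgomery(a, b, n, k):
    """Compute a*b mod n through Montgomery form and back."""
    _, n_prime = montgomery_setup(n, k)
    c_bar = mont_mul(to_mont(a, n, k), to_mont(b, n, k), n, k, n_prime)
    return redc(c_bar, n, k, n_prime)       # leave Montgomery form

# Constructed sample values: n = 97, R = 2**8.
SAMPLE = mod_mul_via_montgomery(45, 76, 97, 8)
```

The conversions cost ordinary reductions, so the gain appears when many multiplications are chained in Montgomery form, as in a scalar multiplication.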
Field Squaring
Montgomery Multiplication
Let the computation time of one field multiplication be [m], one field squaring be [s], and one field inversion be [i].
Projective Coordinate [cf. Cohen, Miyaji, Ono, 1998]
O → P → 2P → 3P → 6P → 7P → 14P
Affine Coordinate:
- P = (x1, y1), 2P = (x2, y2), 3P = (x3, y3), …
- 2 Point Additions > 2 [i]
- 3 Point Doubles > 3 [i]
- 5 Point Inversions
Projective Coordinate:
- P = (x1 : y1 : 1)
- Point Double in Projective Coordinate: 2P = (X2 : Y2 : Z2)
- Point Addition in Projective Coordinate: 3P = (X3 : Y3 : Z3)
- … (X14 : Y14 : Z14)
- 2 Point Inversions
Point Addition In Projective Coordinate Goal Projective Coordinate Affine Coordinate
Efficiency Affine Coordinate [i]+[m] [s][s] [m][m] Projective Coordinate [m][m][m][m] 2[m] [s]+2[m][s]+[m][m][m] [m][m] [m][m][m][m] [m][m] Cost
Exercise Exercise 6 Affine Coordinate
Other Coordinates
Each entry: Coordinate, representation → affine point; Cost for Point Addition; Cost for Point Double
- Affine: Point Addition [i] + 2[m] + [s] = 102.8[m]; Point Double [i] + 2[m] + 2[s] = 103.6[m]
- Projective, (X : Y : Z) → (X/Z, Y/Z): Point Addition 12[m] + 2[s] = 13.6[m]; Point Double 7[m] + 5[s] = 11[m]
- Jacobian [Chudnovsky 1986], (X : Y : Z) → (X/Z^2, Y/Z^3): Point Addition 12[m] + 4[s] = 15.2[m]; Point Double 8[m] + 3[s] = 10.4[m]
- Chudnovsky Jacobian [Chudnovsky 1986], (X : Y : Z : Z^2 : Z^3) → (X/Z^2, Y/Z^3): Point Addition 11[m] + 3[s] = 13.4[m]; Point Double 5[m] + 6[s] = 9.8[m]
- Modified Jacobian [Cohen, Ono, Miyaji 1998], (X : Y : Z : αZ^4) → (X/Z^2, Y/Z^3): Point Addition 13[m] + 6[s] = 17.8[m]; Point Double 4[m] + 4[s] = 7.6[m]
Scalar Multiplication and Binary Representation
Scalar Multiplication on Elliptic Curve Cryptography: S = P + P + … + P (r times) = rP, where r is a positive integer and S, P are members of the curve.
Double-and-add method: Let r = 14 = (01110)2 and compute rP = 14P. Weight = 3.
O → P → 2P → 3P → 6P → 7P → 14P
- 3 – 1 = 2 Point Additions
- 4 – 1 = 3 Point Doubles
Average # of Point Doubles? For [0, 2^n - 1], n - 1 times?
Average # of Point Additions? For [0, 2^n - 1], n/2 - 1 times? (Average Weight = n/2)
Redundant Binary Representation
Changing the digit set can make scalar multiplication faster. Represent each digit using {0, 1, -1} instead of {0, 1}. The representation is redundant, so use Minimum Weight Conversion to find the Minimum Weight Expansion (the expansion that has the minimum joint weight).
Compute rP = 14P, r = 14 = ( )2
With digits {0, 1, -1}: Weight = 2. O → P → 2P → 4P → 8P → 7P → 14P
- 2 – 1 = 1 Point Addition
- 5 – 1 = 4 Point Doubles
- Average # of Point Doubles? For [0, 2^n - 1], n times?
- Average # of Point Additions? For [0, 2^n - 1], n/3 - 1 times? (Average Weight = n/3)
With digits {0, 1}:
- 3 – 1 = 2 Point Additions
- 4 – 1 = 3 Point Doubles
- Average # of Point Doubles? For [0, 2^n - 1], n - 1 times?
- Average # of Point Additions? For [0, 2^n - 1], n/2 - 1 times? (Average Weight = n/2)
Non-Adjacent Form
Definition: S = (s_{n-1} s_{n-2} … s_0) is Non-Adjacent Form of positive integer r iff
Optimality: S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r
Definition: S = (s_{n-1} s_{n-2} … s_0) is D_S-Expansion of positive integer r iff
Definition: S = (s_{n-1} s_{n-2} … s_0) is Minimum Weight D_S-Expansion of positive integer r iff
Algorithm
Simple Fact: n - 1 consecutive 1’s, n - 2 consecutive 1’s
Example
Algorithm
Average Hamming Density Definition Proposition Algorithm Proof Pr[s t = 0] = 0.5 Pr[s t = 1] = /3 1/ /3 1/3 12/ /3 1/3 4/6
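The double-and-add and non-adjacent-form slides above, as a runnable comparison (an added example, not code from the lecture): the same left-to-right loop is driven by binary digits and by NAF digits, and point additions and doubles are counted. The curve uses the slides' A = -4, B = 4; the prime 10007, the base point (1, 1) and all function names are assumptions for the illustration.

```python
P_MOD, A = 10007, -4       # constructed prime field; y^2 = x^3 - 4x + 4
INF = None                 # the point at infinity O
BASE = (1, 1)              # on the curve: 1 = 1 - 4 + 4

def add(p, q):
    """Affine group law; every non-trivial call costs one field inversion."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                     # q = -p
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(p):
    return INF if p is INF else (p[0], -p[1] % P_MOD)

def binary_digits(r):
    return [int(b) for b in bin(r)[2:]]                # most significant first

def naf_digits(r):
    """Non-adjacent form of r > 0, most significant digit first."""
    digits = []
    while r > 0:
        d = 2 - (r % 4) if r & 1 else 0                # odd r: make r - d divisible by 4
        digits.append(d)
        r = (r - d) // 2
    return digits[::-1]

def scalar_mul(digits, p):
    """Left-to-right double-and-add; returns (point, additions, doubles)."""
    acc, adds, doubles = p, 0, 0                       # leading digit is always 1
    for d in digits[1:]:
        acc = add(acc, acc)
        doubles += 1
        if d:
            acc = add(acc, p if d == 1 else neg(p))
            adds += 1
    return acc, adds, doubles

BIN_14 = scalar_mul(binary_digits(14), BASE)           # 2 additions, 3 doubles
NAF_14 = scalar_mul(naf_digits(14), BASE)              # 1 addition, 4 doubles
```

Both loops branch on the digits of the scalar, so the order of doubles and additions is visible to timing and power analysis; deployed code uses a fixed operation schedule for secret scalars.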
Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
[Figure: 14P computed in Base 2 and in Base 3]
- Base 2: 1 Point Addition, 4 Point Doubles
- Base 3: 3 Point Additions, 3 Point Triples
Hard to introduce to Scalar Multiplication: Too General
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
when and
Double-Base Number System With More Restriction
Double Base Number System (DBNS) Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995] = Double Base Chains (DBC) = =
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
Double-Base Number System With More Restriction; Similar to Double-and-add Methods
when and
k = 127 = [diagram: Digit, Base]
O → P → 2P → 6P → 7P → 14P → 42P → 126P → 127P
2 Point Additions, 2 Point Doubles, 3 Point Triples
Problem
- Given k
- Given C_add: Computation time of a Point Addition
- Given C_dbl: Computation time of a Point Double
- Given C_tpl: Computation time of a Point Triple
- Find the Chain With Smallest Total Computation Time
Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012] (Our Results)
k = 10, C_tpl = 1, C_dbl = 1, C_add = 1
How to compute kP = 10P?
Plan A
1. Compute 5P
2. Double the point to 10P = 2 · 5P
Cost: Optimize Computation Time of 5P + Point Double = C(5P) + C_dbl = 4
Plan B
1. Compute 3P
2. Triple the point to 9P = 3 · 3P
3. Add the point with P (9P + P = 10P)
Cost: Optimize Computation Time of 3P + Point Triple + Point Addition = C(3P) + C_tpl + C_add = 3
Algorithm (Our Results): Dynamic Programming
C(k) =
- min(C(k/2) + P_dbl, C(k/3) + P_tpl) if k mod 6 == 0
- min(C(k/2) + P_dbl + P_add, C(k/3) + P_tpl + P_add) if k mod 6 == 1
- min(C(k/2) + P_dbl, infinity) if k mod 6 == 2
- min(C(k/2) + P_dbl + P_add, C(k/3) + P_tpl) if k mod 6 == 3
- min(C(k/2) + P_dbl, C(k/3) + P_tpl + P_add) if k mod 6 == 4
- min(C(k/2) + P_dbl + P_add, infinity) if k mod 6 == 5
Time: lg^2 k
Memory: lg^2 k
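The dynamic program above as memoised recursion, added as an illustration rather than the authors' implementation. It assumes digits {0, 1}, reads k/2 and k/3 as integer (floor) division, and takes C(1) = 0; the function names are hypothetical.

```python
from functools import lru_cache

def optimal_chain(k, c_dbl, c_tpl, c_add):
    """Cheapest double-base chain for k >= 1: returns (cost, operations)."""
    if k < 1:
        raise ValueError("k must be a positive integer")

    # Only values floor(k / (2^a 3^b)) are ever visited, so the memo holds
    # O(lg^2 k) entries, matching the time and memory bound on the slide.
    @lru_cache(maxsize=None)
    def best(n):
        if n == 1:
            return 0, ()                 # assumption: starting from P is free
        half_cost, half_ops = best(n // 2)
        if n % 2 == 0:
            options = [(half_cost + c_dbl, half_ops + ("dbl",))]
        else:
            options = [(half_cost + c_dbl + c_add, half_ops + ("dbl", "add"))]
        if n >= 3 and n % 3 == 0:
            third_cost, third_ops = best(n // 3)
            options.append((third_cost + c_tpl, third_ops + ("tpl",)))
        elif n >= 3 and n % 3 == 1:
            third_cost, third_ops = best(n // 3)
            options.append((third_cost + c_tpl + c_add,
                            third_ops + ("tpl", "add")))
        # n % 3 == 2 has no digit in {0, 1}: the "infinity" branch
        return min(options, key=lambda o: o[0])

    return best(k)

def replay(ops):
    """Scalar reached from 1*P by applying the operations in order."""
    n = 1
    for op in ops:
        n = {"dbl": 2 * n, "tpl": 3 * n, "add": n + 1}[op]
    return n

# Slide example: k = 10 with unit costs. Plan A costs 4, Plan B costs 3.
COST_10, OPS_10 = optimal_chain(10, c_dbl=1, c_tpl=1, c_add=1)
# k = 127 with C_add = 1, C_dbl = C_tpl = 0 counts additions only.
ADDS_127, _ = optimal_chain(127, c_dbl=0, c_tpl=0, c_add=1)
```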
Prime Field (F_p) Experiments on Inverted Edwards Coordinates [Bernstein, Lange, AAECC 2007] (Our Results)
C_dbl = 6.2[m], C_tpl = 12.2[m], C_add = 9.8[m]
Columns: Algorithm, 192 bits, 256 bits, 320 bits, 384 bits, 512 bits
Rows:
- NAF [Egecioglu, Koc, Theo. Comp. Sci., 1994]
- Ternary/Binary [Dimitrov, Jullien, Miller, Information Processing Letters, 1998]
- DB-Chain [Dimitrov, Imbert, Mishra, Math. of Comp., April 2008]
- Tree-Based Approach [Doche, Habsieger, ACISP 2008, July 2008]
- Optimized DB-Chain [Our Result]
%3.88 %3.90 %
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
Problem
- Given k
- Given C_add = 1, C_dbl = 0, C_tpl = 0
- Find the Chain With Smallest Total Computation Time
- Find the shortest chain (the chain with smallest number of terms)
On-Going…
- DBNS [Dimitrov, Cooklev, 1995]: Input: k; Output: m_k*; Tractable??? SAT???
- Double-Base Chain [Our Results]: Input: k; Output: m_k*; Solved by DP [Our Results]
Exercise Exercise 7 Exercise 6
Thank you for your attention Please feel free to ask questions or comment.