Cryptography in small-characteristic finite fields
... and a brief introduction to cryptology

Thomaz Oliveira
Computer Science Department, Cinvestav, Mexico

Ciudad de México, México
May 19, 2016


Outline

• A Brief Introduction to Cryptology

• Mathematical Background

• I. High-Speed Elliptic Curve Cryptography: Lambda Coordinates, Galbraith-Lin-Scott Curves, Koblitz Curves

• II. The Discrete Logarithm Problem: Finite Fields, Elliptic and Hyperelliptic Curves


A Brief Introduction to Cryptology


What is cryptology?

Cryptology: kryptos (hidden, secret) + logia (study). It is the study of techniques for secure communication in the presence of third parties called adversaries.

source: Wikipedia

What about other goals?

• Privacy or confidentiality

• Data integrity

• Authentication

• Anonymity

• Non-repudiation

• ...


What is cryptology? Another definition

Cryptology: kryptos (hidden, secret) + logia (study). The study of mathematical techniques related to aspects of information security.

source: Handbook of Applied Cryptography

Important: Information security lies at a higher level. Cryptography is a necessary tool to provide information security in modern communications, but it is not the same area of study.


Applications?

• Authentication

• Anonymity

• Access control

Classification

Asymmetric cryptography: Simplified Elliptic Curve Diffie-Hellman for key agreement


Mathematical Background


Groups

Definition. A group is a set $G$ together with a binary operation $\star$ on $G$ such that the following properties hold:

• Closure. For any $a, b \in G$, $(a \star b) \in G$.

• Associativity. For any $a, b, c \in G$, $a \star (b \star c) = (a \star b) \star c$.

• Identity. There is an element $e$ in $G$ such that for all $a \in G$, $a \star e = e \star a = a$.

• Inverse. For each $a \in G$, there is an element $b \in G$ such that $a \star b = b \star a = e$.

If the group also satisfies

• Commutativity. For all $a, b \in G$, $a \star b = b \star a$,

then it is called an abelian group.


Definition. A multiplicative group $G$ is said to be cyclic if there is an element $a \in G$ such that for any $b \in G$ there is some integer $i$ with $b = a^i$. The element $a$ is called a generator of the cyclic group $G$, and we write $G = \langle a \rangle$.

Definition. A group is called finite if it contains finitely many objects. The number of elements in a finite group is called its order. We write $|G|$ for the order of the finite group $G$.


Finite Fields

Definition. A finite field is a field whose order is finite. Finite fields are also referred to as Galois fields.

Theorem. For any prime $p$ and any positive integer $k$ there exists a finite field with $q = p^k$ elements. This field is unique up to isomorphism and is denoted by $\mathbb{F}_q$ or $GF(q)$.

Definition. The multiplicative group of nonzero elements of $\mathbb{F}_q$ is denoted by $\mathbb{F}_q^*$.

Theorem. Let $\mathbb{F}_q$ be a finite field. The group $\mathbb{F}_q^*$ is cyclic.

Definition. For a given finite field $\mathbb{F}_q$, the least positive integer $n$ such that $nr = 0$ for every $r \in \mathbb{F}_q$ is called the characteristic of $\mathbb{F}_q$.


Finite Fields: Representation

An element of a prime field $\mathbb{F}_p$ can be represented as an integer between $0$ and $p - 1$, and computations are done modulo $p$.

Let $g(X)$ be an irreducible polynomial; then an element $\alpha \in \mathbb{F}_{p^k}$ can be represented as a polynomial with coefficients in $\mathbb{F}_p$ modulo $g(X)$.


Finite Fields: Example

Example. Let $\mathbb{F}_2$ be a finite field. Then $\mathbb{F}_2$ has the elements $0, 1$.

Operations.
$0 + 0 = 0$, $0 + 1 = 1 + 0 = 1$, $1 + 1 = 2 \pmod 2 = 0$.
$0 \cdot 0 = 0$, $0 \cdot 1 = 1 \cdot 0 = 0$, $1 \cdot 1 = 1$.

Example. Since $g(X) = X^2 + X + 1$ is an irreducible polynomial in $\mathbb{F}_2[X]$, $\mathbb{F}_2[X]/(g(X)) \cong \mathbb{F}_{2^2}$ has the $p^k = 2^2$ elements (residue classes) [0], [1], [X], [X+1]. As a result, we have the following operation tables.

  +     | [0]    [1]    [X]    [X+1]
 -------+----------------------------
  [0]   | [0]    [1]    [X]    [X+1]
  [1]   | [1]    [0]    [X+1]  [X]
  [X]   | [X]    [X+1]  [0]    [1]
  [X+1] | [X+1]  [X]    [1]    [0]

  ·     | [0]    [1]    [X]    [X+1]
 -------+----------------------------
  [0]   | [0]    [0]    [0]    [0]
  [1]   | [0]    [1]    [X]    [X+1]
  [X]   | [0]    [X]    [X+1]  [1]
  [X+1] | [0]    [X+1]  [1]    [X]


Finite Fields: Discrete Logarithm Problem

Let $p$ be a prime and $k$ a positive integer, $q = p^k$.

$\mathbb{F}_q^*$ is a multiplicative cyclic group of order $q - 1$, and therefore has a generator $g \in \mathbb{F}_q^*$ such that

$$\mathbb{F}_q^* \cong \{g^i : 0 \le i \le q - 2\}.$$

Definition. The discrete logarithm problem is stated as follows. Given $\mathbb{F}_q^*$, $g$ and $h \equiv g^i \pmod q$, find $i$.

Definition. The value $i$ is the discrete logarithm of $h$ in base $g$, denoted as $\log_g h$.

The discrete logarithm problem (DLP) is considered a hard problem, that is, there are no known polynomial-time algorithms to solve it.
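An added example, not from the talk: the asymmetry behind the DLP in a prime field $\mathbb{F}_p$ (the case $k = 1$), in Python. Computing $h = g^i$ takes a handful of squarings, while generic recovery of $i$ costs on the order of $\sqrt{q}$ group operations with baby-step giant-step, which is why the group order has to be large; the primes 101 and 1000003 and all function names are constructed for illustration.

```python
"""Toy illustration of the DLP in a prime field F_p (constructed parameters)."""
from math import isqrt


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """g generates F_p^* iff g^((p-1)/r) != 1 for every prime r dividing p - 1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def find_generator(p):
    """Smallest generator of the cyclic group F_p^* (p must be an odd prime)."""
    return next(g for g in range(2, p) if is_generator(g, p))


def dlog_exhaustive(g, h, p):
    """Try i = 0, 1, 2, ...; returns (i, multiplications used)."""
    x = 1
    for i in range(p - 1):
        if x == h:
            return i, i
        x = x * g % p
    raise ValueError("h is not in the group generated by g")


def dlog_bsgs(g, h, p):
    """Baby-step giant-step; returns (i, multiplications used), about 2*sqrt(q)."""
    m = isqrt(p - 1) + 1
    baby, x = {}, 1
    for j in range(m):                  # baby steps: table of g^j for j < m
        baby.setdefault(x, j)
        x = x * g % p
    step = pow(g, -m, p)                # g^(-m) mod p (Python 3.8+)
    y = h
    for k in range(m):                  # giant steps: h * g^(-k*m)
        if y in baby:
            return k * m + baby[y], m + k
        y = y * step % p
    raise ValueError("h is not in the group generated by g")


if __name__ == "__main__":
    p = 1000003                         # constructed toy prime
    g = find_generator(p)
    h = pow(g, 777777, p)               # forward direction: ~20 squarings
    print("exhaustive:", dlog_exhaustive(g, h, p))
    print("bsgs:      ", dlog_bsgs(g, h, p))
```
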


Elliptic Curves

Definition. An elliptic curve $E$ can be defined as the graph of an equation of the form

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

where $a_1, \ldots, a_6$ are constants. This form is referred to as a generalized Weierstrass equation of an elliptic curve.

In the cryptographic context, $a_1, \ldots, a_6$, $x$ and $y$ belong to a finite field $\mathbb{F}_q$, with $q = p^k$.

Definition. In this case, the curve $E$ is said to be defined over $\mathbb{F}_q$ and is denoted by $E/\mathbb{F}_q$.

Definition. The set of points on the curve $E/\mathbb{F}_q$ is defined as

$$E(\mathbb{F}_q) = \{(x, y) \in \mathbb{F}_q \times \mathbb{F}_q \mid y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\} \cup \{P_\infty\}.$$


Elliptic Curves: Addition Law

Let us consider an elliptic curve $E/\mathbb{F}_q : y^2 + xy = x^3 + ax^2 + b$, with $\mathbb{F}_q$ a finite field of characteristic two. Then we can define the following addition law for the set of points in $E(\mathbb{F}_q)$. Given the points $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and $P + Q = R = (x_3, y_3)$ in $E(\mathbb{F}_q)$,

if $P \neq Q$,

$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$$
$$y_3 = \lambda(x_1 + x_3) + x_3 + y_1,$$

with $\lambda = (y_1 + y_2)/(x_1 + x_2)$.


if $P = Q$,

$$x_3 = \lambda^2 + \lambda + a = x_1^2 + b/x_1^2$$
$$y_3 = x_1^2 + \lambda x_3 + x_3,$$

with $\lambda = x_1 + y_1/x_1$.


Moreover, we define $P + P_\infty = P$ for all points in $E(\mathbb{F}_q)$.

Theorem. The addition of points on an elliptic curve $E$ satisfies the following properties:

• Closure. For any $P, Q \in E(\mathbb{F}_q)$, $(P + Q) \in E(\mathbb{F}_q)$.

• Associativity. $(P + Q) + R = P + (Q + R)$ for all $P, Q, R \in E(\mathbb{F}_q)$.

• Identity. $P + P_\infty = P$ for all $P \in E(\mathbb{F}_q)$.

• Inverse. For each $P \in E(\mathbb{F}_q)$, there is a point $Q \in E(\mathbb{F}_q)$ such that $P + Q = P_\infty$.

• Commutativity. $P + Q = Q + P$ for all $P, Q \in E(\mathbb{F}_q)$.

As a result, the points in $E(\mathbb{F}_q)$ form an additive abelian group with $P_\infty$ as the identity element.


Elliptic Curves
Elliptic Curve Discrete Logarithm Problem

Definition. The elliptic curve discrete logarithm problem is stated as follows. Given $E(\mathbb{F}_p)$, the generator $P$ and $Q = kP$, find $k$.

Definition. The value $kP$ is referred to as a point multiplication or scalar multiplication and corresponds to adding the point to itself $k - 1$ times.

$$Q = kP = \underbrace{P + P + \cdots + P}_{k-1 \text{ additions}}$$


Asymmetric cryptography
Simplified Elliptic Curve Diffie-Hellman for key agreement


Elliptic Curves
Elliptic Curve Discrete Logarithm Problem


The elliptic curve discrete logarithm problem (ECDLP) is considered a hard problem. The most efficient known method for solving the ECDLP for generic curves is the Pollard rho, with complexity $O(\sqrt{|E(\mathbb{F}_p)|})$.

Cryptography in small-characteristic finite fields Thomaz Oliveira

Page 56: Cryptography in small-characteristic finite fieldstikhonov.fciencias.unam.mx › presentaciones › 2016-May_19_presUNAM00.pdfCryptography in small-characteristic nite elds... and

Motivation

Considering the advantage, in terms of efficiency, of the small-characteristic fields, one could ask: why aren't those fields prevalent in real-world cryptographic protocols? The reason is that, in terms of security, the structure inherent to cryptographic primitives constructed over small-characteristic fields allows a wider and more powerful range of attacks.

We currently have the following scenario.

• On the one hand, there exist different options for selecting efficient and elegant small-characteristic field primitives which are well-suited for implementation.

• On the other hand, effective approaches for solving the mathematical problems beneath those structures were proposed recently.


Part I: High-Speed Elliptic Curve Cryptography


Lambda Coordinates


Introduction

From the algorithmic point of view, one of the most effective approaches to accelerate the computation of the scalar multiplication is the improvement of the point arithmetic formulas.

Projective coordinates represent the points on an elliptic curve in such a way that their arithmetic does not require field inversions. Inversion is one of the most costly operations in finite field arithmetic.

Given an affine point $P = (x, y)$, we have the following projective coordinate systems for binary elliptic curves:

• Homogeneous coordinates. $P = (X, Y, Z)$, with $x = X/Z$ and $y = Y/Z$

• Jacobian coordinates. $P = (X, Y, Z)$, with $x = X/Z^2$ and $y = Y/Z^3$

• Lopez-Dahab coordinates. $P = (X, Y, Z)$, with $x = X/Z$ and $y = Y/Z^2$


The λ representation

The λ-affine representation was introduced independently by Knudsen and Schroeppel. It can accelerate the point doubling and point halving operations and can also be used as a technique for point compression.

Let $E$ be a binary elliptic curve given by the Weierstrass equation

$$E/\mathbb{F}_{2^m} : y^2 + xy = x^3 + ax^2 + b.$$

Also, let $P$ be a point in $E(\mathbb{F}_{2^m})$ represented by affine coordinates as $P = (x, y)$. The λ-affine representation of $P$ is given by

$$P = (x, \lambda) = \left(x,\; x + \frac{y}{x}\right).$$

With the λ representation, the curve $E$ equation becomes

$$E/\mathbb{F}_{2^m} : x^2(\lambda^2 + \lambda) = x^4 + ax^2 + b.$$


The λ-projective coordinates

Given a point $P \in E(\mathbb{F}_{2^m})$ represented in λ-affine coordinates as $P = (x, \lambda = x + \frac{y}{x})$, the λ-projective representation of $P$ is given by

$$P = (X, L, Z), \quad \text{with } x = \frac{X}{Z} \text{ and } \lambda = \frac{L}{Z}.$$

The λ-projective form of the Weierstrass equation of $E$ is

$$E/\mathbb{F}_{2^m} : (L^2 + LZ + aZ^2)X^2 = X^4 + bZ^4.$$

Note: The condition $x \neq 0$ does not pose a limitation in practice, since the only point $P$ with $x = 0$ that satisfies the equation of the curve $E$ is $(0, \sqrt{b})$, which is usually confined to a subgroup of no cryptographic interest.


Comparison: operations

Table. Binary coordinate systems comparison: field operations

| Coordinate system | Point doubling | Point full addition |
|---|---|---|
| Affine | $1i + 2m + s$ | $1i + 2m + 1s$ |
| Homogeneous | $6m + 1m_b + 5s$ | $15m + 1m_a + 1s$ |
| Jacobian | $4m + 1m_b + 5s$ | $14m + 1m_a + 5s$ |
| Lopez-Dahab | $4m + 1m_a + 5s$ | $13m + 4s$ |
| Lambda | $4m + 1m_a + 4s$ | $11m + 2s$ |

$i$: inversion, $m$: multiplication, $s$: squaring; $m_a$, $m_b$: multiplication by the curve parameters $a$ and $b$

Table. A cost comparison of the point arithmetic using Lopez-Dahab vs. the λ-projective coordinate system

| Operations | Lopez-Dahab | Lambda |
|---|---|---|
| Full addition | $13m + 4s$ | $11m + 2s$ |
| Mixed addition | $8m + m_a + 5s$ | $8m + 2s$ |
| Doubling | $3m + m_a + m_b + 5s$ | $4m + m_a + 4s$ or $3m + m_a + m_b + 4s$ |
| Doubling and mixed addition | $11m + 2m_a + m_b + 10s$ | $10m + m_a + 6s$ (atomic) |


Galbraith-Lin-Scott Curves


Introduction
The scalar multiplication

Given a point $P \in E(\mathbb{F}_{2^m})$ of order $r$, with $|r| \approx n$ bits, and an $n$-bit scalar $k$, the operation $Q = kP$ is called point or scalar multiplication. It is defined as the process of adding a point $P$ to itself $k - 1$ times.

$$Q = kP = \underbrace{P + P + \cdots + P}_{k-1 \text{ additions}}$$

The average cost of computing the above operation using the double-and-add method is

$$nD + \frac{n}{2}A.$$


The double-and-add method

Algorithm: The right-to-left double-and-add scalar multiplication

    Require: A point P ∈ E(F_{2^m}) of order r with |r| ≈ n bits, an n-bit scalar k
    Ensure: The point Q = kP

    /* initialization */
    Q ← O

    /* main loop */
    for i ← 0 to n − 1 do
        if k_i = 1 then Q ← Q + P end if
        P ← 2P
    end for

    return Q


Introduction
The GLV method

In 2001, Gallant, Lambert and Vanstone (GLV) presented a method to accelerate the computation of the point multiplication using efficiently computable endomorphisms.

If the curve is equipped with an efficiently computable endomorphism $\psi$ such that $\psi(P) = \delta P \in \langle P \rangle$, for some $\delta \in \{2, \ldots, r - 1\}$, then the point multiplication can be computed through the GLV method as

$$Q = kP = k_1P + k_2 \cdot \delta P = k_1P + k_2\psi(P).$$

The subscalars $k_1, k_2$ are of size approximately $n/2$, and the $w$-NAF 2-GLV double-and-add scalar multiplication has an average cost of

$$\frac{n}{2}D + \frac{n}{w + 1}A.$$


Introduction
The 2-GLV double-and-add method

Algorithm: The right-to-left 2-GLV double-and-add scalar multiplication

    Require: A point P ∈ E(F_{2^m}) of order r with |r| ≈ n bits, an n-bit scalar k
    Ensure: The point Q = kP

    /* initialization */
    Q ← O
    Find k_1 and k_2 such that k = k_1 + δ · k_2 mod r.

    /* main loop */
    for i ← 0 to (n − 1)/2 do
        if k_{1,i} = 1 then Q ← Q + P end if
        if k_{2,i} = 1 then Q ← Q + ψ(P) end if
        P ← 2P
    end for

    return Q
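One standard way to carry out the "find k_1 and k_2" step and then run the loop above, given as an added example (not code from the talk). It assumes δ² ≡ −1 (mod r), models each point of ⟨P⟩ by its discrete logarithm in Z_r so that ψ(P) = δP becomes a modular multiplication, and uses a constructed 64-bit prime `R` in place of a real group order; all function names are hypothetical.

```python
R = 2**64 - 2**32 + 1   # constructed toy group order: a prime with R % 4 == 1


def find_delta(r):
    """Return delta with delta^2 = -1 (mod r), for a prime r = 1 (mod 4)."""
    for g in range(2, 100):
        d = pow(g, (r - 1) // 4, r)
        if d * d % r == r - 1:
            return d
    raise ValueError("no square root of -1 found")


def glv_basis(r, delta):
    """Short basis of the lattice {(a, b) : a + b*delta = 0 (mod r)}.

    Extended Euclid on (r, delta) keeps the invariant rem = t*delta (mod r).
    The first remainder below sqrt(r) satisfies rem^2 + t^2 = r when
    delta^2 = -1, which gives two orthogonal vectors of squared length r.
    """
    r0, r1, t0, t1 = r, delta, 0, 1
    while r1 * r1 > r:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return (r1, -t1), (t1, r1)


def glv_decompose(k, r, delta):
    """Return signed (k1, k2) with k = k1 + delta*k2 (mod r) and |k1|, |k2| < sqrt(r)."""
    (a1, b1), (a2, b2) = glv_basis(r, delta)
    # The basis is orthogonal with squared length r, so the coordinates of
    # (k, 0) are k*a1/r and k*a2/r; round each to the nearest integer.
    c1 = (2 * k * a1 + r) // (2 * r)
    c2 = (2 * k * a2 + r) // (2 * r)
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2


def glv_scalar_mul(k, P, r, delta):
    """Right-to-left 2-GLV double-and-add in the model group Z_r.

    Returns (k*P mod r, number of doublings, number of additions).
    A negative subscalar is handled by adding -P or -psi(P) instead.
    """
    k1, k2 = glv_decompose(k % r, r, delta)
    s1 = 1 if k1 >= 0 else -1
    s2 = 1 if k2 >= 0 else -1
    k1, k2 = abs(k1), abs(k2)
    Q = doublings = additions = 0
    while k1 or k2:
        if k1 & 1:
            Q = (Q + s1 * P) % r
            additions += 1
        if k2 & 1:
            Q = (Q + s2 * delta * P) % r      # psi(P) = delta*P in the model
            additions += 1
        P = 2 * P % r
        doublings += 1
        k1 >>= 1
        k2 >>= 1
    return Q, doublings, additions


if __name__ == "__main__":
    delta = find_delta(R)
    k = 0x0123456789ABCDEF                    # constructed 57-bit scalar
    print(glv_decompose(k, R, delta))
    print(glv_scalar_mul(k, 5, R, delta))     # about 32 doublings instead of 57
```

On a real curve the discrete logarithm is unknown, so only `glv_basis` and `glv_decompose` carry over unchanged; the loop then operates on curve points.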


The GLS curves

In 2009, Galbraith, Lin and Scott (GLS) constructed efficient endomorphisms for a broader class of elliptic curves defined over $\mathbb{F}_{p^2}$, where $p$ is a prime number.

Subsequently, Hankerson, Karabina and Menezes demonstrated that the GLS curves can also be implemented over fields $\mathbb{F}_{2^{2m}}$.

Given a quadratic binary field $\mathbb{F}_{2^{2m}} \cong \mathbb{F}_{2^m}[u]/(g(u))$, a GLS curve $E/\mathbb{F}_{2^{2m}}$ and a point $P \in E(\mathbb{F}_{2^{2m}})$ represented in λ-affine coordinates as

$$P = (x_0 + x_1u,\; \lambda_0 + \lambda_1u),$$

the GLS endomorphism $\psi$ can be computed with only three additions in $\mathbb{F}_{2^m}$ as

$$\psi(P) \mapsto ((x_0 + x_1) + x_1u,\; (\lambda_0 + \lambda_1) + (\lambda_1 + 1)u).$$


Field arithmetic implementation

In this work, we developed an efficient field arithmetic library for the field $\mathbb{F}_{2^m}$ and its quadratic extension $\mathbb{F}_{2^{2m}}$, with $m = 127$, which were constructed by means of the irreducible trinomials $f(x) = x^{127} + x^{63} + 1$ and $g(u) = u^2 + u + 1$, respectively.

Table. Timings (in clock cycles) for the field arithmetic in the Sandy Bridge platform

| Field operation | $\mathbb{F}_{2^{127}}$ cycles | $\mathbb{F}_{2^{127}}$ op/m (a) | $\mathbb{F}_{2^{254}}$ cycles | $\mathbb{F}_{2^{254}}$ op/m |
|---|---|---|---|---|
| Multiplication | 42 | 1.00 | 94 | 1.00 |
| Mod. reduction (b) | 6 | 0.14 | 11 | 0.12 |
| Square root | 8 | 0.19 | 15 | 0.16 |
| Squaring | 9 | 0.21 | 13 | 0.14 |
| Multi-squaring | 55 | 1.31 | n/a (c) | n/a |
| Inversion | 765 | 18.21 | 969 | 10.30 |
| Half-trace | 42 | 1.00 | 60 | 0.64 |
| Trace | ≈ 0 | 0 | ≈ 0 | 0 |

(a) Ratio to multiplication.
(b) This cost is included in all operations that require modular reduction.
(c) Multi-squaring is computed only in $\mathbb{F}_{2^{127}}$.
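The λ-affine equation, the λ-projective equation and the GLS map ψ from the preceding slides can be checked numerically over the field tower defined here, using the curve parameters a = u and b quoted with the timings. The following Python is an added example, not the author's library: the function names, the search over x = t + u for a curve point, and the projective scaling factor Z are assumptions made for illustration.

```python
M = 127
F_POLY = (1 << 127) | (1 << 63) | 1          # f(x) = x^127 + x^63 + 1 (from the page)
A = (0, 1)                                    # a = u; a pair (c0, c1) means c0 + c1*u
B = (0x59C8202CB9E6E0AE2E6D944FA54DE7E5, 0)   # b (from the page), lies in F_{2^127}

def fmul(a, b):
    """Product in F_{2^127}: shift-and-xor multiplication reduced by f(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= F_POLY
    return r

def finv(a):
    """Inverse in F_{2^127}, computed as a^(2^127 - 2)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r

def half_trace(c):
    """H(c) = sum of c^(4^i), i = 0..63. Since m is odd, H(c)^2 + H(c) = c + Tr(c)."""
    h = 0
    for _ in range((M + 1) // 2):
        h ^= c
        c = fmul(c, c)
        c = fmul(c, c)
    return h

def qadd(a, b):
    return (a[0] ^ b[0], a[1] ^ b[1])

def qmul(a, b):
    """Product in F_{2^254} = F_{2^127}[u]/(u^2 + u + 1), using u^2 = u + 1."""
    t0, t1 = fmul(a[0], b[0]), fmul(a[1], b[1])
    return (t0 ^ t1, fmul(a[0] ^ a[1], b[0] ^ b[1]) ^ t0)

def qinv(a):
    """a^-1 = conj(a) / N(a), where N(a) = a0^2 + a0*a1 + a1^2 lies in F_{2^127}."""
    n = finv(fmul(a[0], a[0]) ^ fmul(a[0], a[1]) ^ fmul(a[1], a[1]))
    return (fmul(a[0] ^ a[1], n), fmul(a[1], n))

def solve_quadratic(c):
    """Return z with z^2 + z = c in F_{2^254}, or None if there is no solution."""
    z1 = half_trace(c[1])                 # u-part: z1^2 + z1 = c1
    if fmul(z1, z1) ^ z1 != c[1]:         # Tr(c1) = 1, the equation has no root
        return None
    d = c[0] ^ fmul(z1, z1)               # constant part: z0^2 + z0 = c0 + z1^2
    z0 = half_trace(d)
    if fmul(z0, z0) ^ z0 != d:            # Tr(d) = 1: take the other root z1 + 1
        z1 ^= 1
    return (z0, z1)

def find_lambda_point():
    """First curve point (x, lambda) with x = t + u, t = 1, 2, ... (constructed x)."""
    t = 1
    while True:
        x = (t, 1)
        c = qadd(qadd(x, A), qmul(B, qinv(qmul(x, x))))   # x + a + b/x^2
        z = solve_quadratic(c)                              # z = y/x
        if z is not None:
            return x, qadd(x, z)                            # lambda = x + y/x
        t += 1

def on_curve_affine(x, y):
    x2 = qmul(x, x)
    return qadd(qmul(y, y), qmul(x, y)) == qadd(qadd(qmul(x2, x), qmul(A, x2)), B)

def on_curve_lambda(x, lam):
    x2 = qmul(x, x)
    return qmul(x2, qadd(qmul(lam, lam), lam)) == qadd(qadd(qmul(x2, x2), qmul(A, x2)), B)

def on_curve_lambda_projective(X, L, Z):
    X2, Z2 = qmul(X, X), qmul(Z, Z)
    lhs = qmul(qadd(qadd(qmul(L, L), qmul(L, Z)), qmul(A, Z2)), X2)
    return lhs == qadd(qmul(X2, X2), qmul(B, qmul(Z2, Z2)))

def psi(x, lam):
    """GLS endomorphism in lambda-affine coordinates: three XORs in F_{2^127}."""
    return (x[0] ^ x[1], x[1]), (lam[0] ^ lam[1], lam[1] ^ 1)

if __name__ == "__main__":
    x, lam = find_lambda_point()
    y = qmul(x, qadd(lam, x))                         # back to affine: y = x*(lambda + x)
    Z = (0x1234, 0x5678)                              # constructed projective scaling factor
    px, plam = psi(x, lam)
    print(on_curve_affine(x, y), on_curve_lambda(x, lam),
          on_curve_lambda_projective(qmul(x, Z), qmul(lam, Z), Z),
          on_curve_lambda(px, plam), psi(px, plam) == (x, qadd(lam, (1, 0))))
```

The last check shows that applying ψ twice maps (x, λ) to (x, λ + 1), which is the λ-affine form of −P.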


GLS scalar multiplication

Algorithm: 2-GLV Right-to-Left Halve-and-Add Scalar Multiplication

    Require: P ∈ E(F_{2^{2m}}), scalars k_1, k_2 of bitlength n ≈ |r|/2, NAF width w
    Ensure: Q = kP

    Calculate w-NAF(k_i) for i ∈ {1, 2}
    for i ∈ {1, ..., 2^{w−1} − 1} do Initialize Q_i ← O end for

    for i = n − 1 downto 0 do
        if k_{1,i} > 0 then Q_{k_{1,i}} ← Q_{k_{1,i}} + P
        if k_{1,i} < 0 then Q_{k_{1,i}} ← Q_{k_{1,i}} − P
        if k_{2,i} > 0 then Q_{k_{2,i}} ← Q_{k_{2,i}} + ψ(P)
        if k_{2,i} < 0 then Q_{k_{2,i}} ← Q_{k_{2,i}} − ψ(P)
        P ← P/2
    end for

    Q ← Σ_{i ∈ {1, ..., 2^{w−1} − 1}} i·Q_i
    Recode k_1, k_2 → k.

    return Q


GLS scalar multiplication: Timings

Our GLS curve $E/\mathbb{F}_{2^{2 \cdot 127}}$ is defined as $E/\mathbb{F}_{2^{2 \cdot 127}} : y^2 + xy = x^3 + ax^2 + b$ with parameters $a = u$ and $b$ = 0x59C8202CB9E6E0AE2E6D944FA54DE7E5.

Table. Timings (in clock cycles) for scalar multiplication with or without timing-attack resistance (TAR) in the Intel Sandy Bridge platform. Here, (B) and (P) mean that the curve is binary and prime, respectively.

| Scalar multiplication | Curve | Sec. | Method | TAR | Cycles |
|---|---|---|---|---|---|
| Aranha et al. | NIST-K283 (B) | 128 | 2-GLV ♦ | no | 99,200 |
| Longa and Sica | GLV-GLS (P) | 128 | 4-GLV ♣ | no | 91,000 |
| Faz-H. et al. | GLV-GLS (P) | 128 | 4-GLV ♣ | no | 87,000 |
| Longa and Sica | GLV-GLS (P) | 128 | 4-GLV (4 cores) | no | 61,000 |
| Bernstein | Curve25519 (P) | 128 | Mont. ladder | yes | 194,000 |
| Longa and Sica | GLV-GLS (P) | 128 | 4-GLV ♣ | yes | 137,000 |
| Bos et al. | Kummer (P) | 128 | Mont. ladder | yes | 117,000 |
| Faz-H. et al. | GLV-GLS (P) | 128 | 4-GLV ♣ | yes | 96,000 |
| This work | GLS (B) | 127 | 2-GLV ♣ (LD) | no | 116,700 |
| This work | GLS (B) | 127 | 2-GLV ♣ (λ) | no | 92,800 |
| This work | GLS (B) | 127 | 2-GLV ♥ (LD) | no | 82,800 |
| This work | GLS (B) | 127 | 2-GLV ♥ (λ) | no | 69,500 |
| This work | GLS (B) | 127 | 2-GLV (2 cores, λ) | no | 47,900 |
| This work | GLS (B) | 127 | 2-GLV ♣ (λ) | yes | 114,800 |

♣ Double-and-add, ♦ τ-and-add, ♥ Halve-and-add


The Montgomery ladder

The Montgomery ladder method was introduced in 1987 by Peter Montgomery. In 1999 López and Dahab presented an optimized version of this approach for binary curves.

Algorithm: Montgomery-LD double-and-add scalar multiplication (right-to-left)

    Require: P = (x, y), k = (k_{n−1}, k_{n−2}, …, k_1, k_0)
    Ensure: Q = kP
    R0 ← P; R1 ← P/2; R2 ← P/2 = (R0 − R1)
    for i ← 0 to n − 1 do
        if k_i = 1 then
            R1 ← R1 + R0
        else
            R2 ← R2 + R0
        end if
        R0 ← 2R0
    end for
    return Q = R1 − P/2

The Montgomery ladder scalar multiplication allows a constant-time implementation, since in every iteration a point doubling and a point addition are required, independently of the digit $k_i$.


Montgomery-LD halve-and-add point multiplication

We proposed a new approach for efficiently performing the Montgomery ladder with the halve-and-add operation. In this approach, the points to be halved are precomputed and then used in the main loop.

Algorithm: Montgomery-LD halve-and-add scalar multiplication (right-to-left)

    Require: P = (x, y), k′ = (k′_{n−1}, k′_{n−2}, …, k′_1, k′_0)
    Ensure: Q = kP
    Precomputation: x(P_i), where P_i = P/2^i, for i = 0, …, n
    R1 ← P_n; R2 ← P_n
    for i = 0 to n − 1 do
        R0 ← P_{n−1−i}
        if k′_i = 1 then
            R1 ← R0 + R1
        else
            R2 ← R0 + R2
        end if
    end for
    R1 ← R1 − P_n
    Recover λ coordinate of R1
    return R1


The GLS-Montgomery-LD point multiplication: Timings

Our GLS curve $E/\mathbb{F}_{2^{2\cdot 127}}$ is defined as $E/\mathbb{F}_{2^{2\cdot 127}} : y^2 + xy = x^3 + ax^2 + b$ with parameters $a = u$ and $b$ = 0x54045144410401544101540540515101 ($\sqrt{b}$ = 0xE2DA921E91E38DD1).

Table: Timings (in clock cycles) for 128-bit level scalar multiplication with timing-attack resistance in the Intel Ivy Bridge (I) and Haswell (H) architectures

| Group | Method | Cycles | Arch |
|---|---|---|---|
| State-of-the-art implementations | Montgomery-DJB-chain (P) [Costello et al.] | 148,000 | I |
| State-of-the-art implementations | Random-Montgomery-LD ladder (B) [Bluhm and Gueron] | 135,000 | H |
| State-of-the-art implementations | Genus-2-Kummer (P) [Bos et al.] | 122,000 | I |
| State-of-the-art implementations | Koblitz-Montgomery-LD ladder (B) [Bluhm and Gueron] | 118,000 | H |
| State-of-the-art implementations | Twisted-Edwards-4-GLV (P) [Faz-Hernandez et al.] | 92,000 | I |
| State-of-the-art implementations | Genus-2-Kummer Montgomery ladder (P) [Bernstein et al.] | 72,200 | H |
| State-of-the-art implementations | GLS-2-GLV double-and-add (B, λ) [Oliveira et al.] | 60,000 | H |
| Our work | GLS-Montgomery-LD halve-and-add | 80,800 | H |
| Our work | GLS-Montgomery-LD double-and-add | 70,800 | H |
| Our work | 2-core GLS-Montgomery-LD-2-GLV halve-and-add/double-and-add | 52,000 | H |
| Our work | 4-core GLS-Montgomery-LD-2-GLV halve-and-add/double-and-add | 34,800 | H |


Koblitz Curves


Introduction

The anomalous binary curves, generally referred to as Koblitz curves, are binary elliptic curves proposed by Neal Koblitz that satisfy the following equation:

$E_a/\mathbb{F}_{2^m} : y^2 + xy = x^3 + ax^2 + 1$ with $a \in \{0, 1\}$.

The Frobenius map $\tau : E_a(\mathbb{F}_{2^m}) \to E_a(\mathbb{F}_{2^m})$ is a curve automorphism which can be used on Koblitz curves. It is defined by $\tau(\mathcal{O}) = \mathcal{O}$, $\tau(x, y) = (x^2, y^2)$.

We can convert an $n$-bit scalar $k$ to its $\tau$-representation as $k = \sum_{i=0}^{l-1} u_i \tau^i$, with $u_i \in \mathbb{Z}$.

Since the Frobenius map is computationally cheap, its action can be exploited in a point multiplication by adding multiples $u_i \tau^i(P)$. This approach was designed by Solinas in 2000.


τ-and-add scalar multiplication

Given a Koblitz curve $E_a/\mathbb{F}_{2^m}$, a point $P \in E(\mathbb{F}_{2^m})$ of order $r$, with $|r| \approx n$ bits, and a scalar $k \in [1, r-1]$, the τ-and-add scalar multiplication is described in the following algorithm.

Algorithm: τ-and-add right-to-left scalar multiplication

    Require: A point P ∈ E_a(F_{2^m}), scalar k ∈ [1, r − 1]
    Ensure: Q = kP
    Represent k as k = Σ_{i=0}^{l−1} u_i τ^i
    Q ← O
    for i ← 0 to l − 1 do
        if u_i = 1 then Q ← Q + P end if
        if u_i = −1 then Q ← Q − P end if
        P ← τ(P)
    end for
    return Q

The density of the τ-adic representation of $k$ (τNAF) is 1/3, so the total cost is $l\,\tau + \frac{l}{3}A$.
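The right-to-left Montgomery ladder and the τ-and-add algorithm from the slides above, run on a toy Koblitz curve and checked against plain double-and-add. This is an added example, not code from the presentation: the field $\mathbb{F}_{2^{11}}$, the affine formulas, the helper names, computing P/2 as ((r+1)/2)·P, and the τNAF recoding without partial reduction are assumptions chosen for illustration.

```python
# Constructed toy parameters: F_2^11 = F_2[x]/(x^11 + x^2 + 1) and the Koblitz
# curve E_1 : y^2 + xy = x^3 + x^2 + 1 (a = 1, so mu = (-1)^(1-a) = 1).
M, POLY, A, MU = 11, (1 << 11) | 0b101, 1, 1
INF = None  # the point at infinity O

def gf_mul(a, b):
    """Product in F_2^M; bit i of an int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse of a != 0: a^(2^M - 2) = a^2 * a^4 * ... * a^(2^(M-1))."""
    r = 1
    for _ in range(M - 1):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def neg(P):  # -(x, y) = (x, x + y)
    return INF if P is INF else (P[0], P[0] ^ P[1])

def frob(P):  # Frobenius map tau(x, y) = (x^2, y^2), tau(O) = O
    return INF if P is INF else (gf_mul(P[0], P[0]), gf_mul(P[1], P[1]))

def add(P, Q):
    """Affine group law, including doubling and the point at infinity."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:          # Q = -P, or P has order 2
            return INF
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul_ref(k, P):  # reference: plain double-and-add (not constant time)
    Q = INF
    while k:
        if k & 1:
            Q = add(Q, P)
        P, k = add(P, P), k >> 1
    return Q

def order(P):
    n, Q = 1, P
    while Q is not INF:
        Q, n = add(Q, P), n + 1
    return n

def base_point():
    """First affine point found by search, moved into the odd-order subgroup."""
    P = next((x, y) for x in range(1, 1 << M) for y in range(1 << M)
             if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ 1)
    while order(P) % 2 == 0:
        P = add(P, P)
    return P, order(P)

def ladder_r2l(k, P, r):
    """Right-to-left ladder from the slide; r = ord(P) must be odd."""
    half = mul_ref((r + 1) // 2, P)      # P/2, since 2 * (r + 1)/2 = 1 (mod r)
    R0, R1, R2 = P, half, half           # invariant: R2 = R0 - R1
    for i in range(r.bit_length()):      # fixed length, independent of k
        if (k >> i) & 1:
            R1 = add(R1, R0)
        else:
            R2 = add(R2, R0)             # an addition happens for k_i = 0 too
        R0 = add(R0, R0)
    return add(R1, neg(half))

def tau_naf(k):
    """tau-NAF digits u_0, u_1, ... of k in {0, 1, -1}, without partial reduction."""
    r0, r1, digits = k, 0, []
    while r0 or r1:
        u = 2 - (r0 - 2 * r1) % 4 if r0 & 1 else 0
        r0 -= u
        digits.append(u)
        r0, r1 = r1 + MU * (r0 // 2), -(r0 // 2)   # divide r0 + r1*tau by tau
    return digits

def tau_and_add(k, P):
    """Right-to-left tau-and-add from the slide."""
    Q = INF
    for u in tau_naf(k):
        if u:
            Q = add(Q, P if u == 1 else neg(P))
        P = frob(P)
    return Q
```

Calling `base_point()` returns a point together with its odd order r; for any k in [1, r − 1], `mul_ref`, `ladder_r2l` and `tau_and_add` return the same point. Because the recoding here skips partial reduction, the digit string is about twice as long as the bit length of k.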


Protected scalar multiplication: Timings

We proposed, for the first time, a timing-resistant scalar multiplication on Koblitz curves based on the regular recoding method from Joye and Tunstall. Next, we implemented it on a curve $E_1/\mathbb{F}_{2^{283}}$ (NIST K-283).

Table: Timings (in clock cycles) for the NIST K-283 elliptic curve operations

| Elliptic curve operation | Koblitz $E/\mathbb{F}_{2^{283}}$: cycles | Koblitz $E/\mathbb{F}_{2^{283}}$: op/m¹ |
|---|---|---|
| Frobenius | 70 | 1.235 |
| Integer τ-adic recoding (w = 5) | 8,900 | 156.863 |
| Point addition | 602 | 10.588 |

¹ Ratio to multiplication in $\mathbb{F}_{2^{283}}$.

Table: Timings (in clock cycles) for different 128-bit secure scalar multiplication implementations with timing-attack resistance in the Intel Ivy Bridge (I) and Haswell (H) architectures

| Group | Method | Cycles | Arch |
|---|---|---|---|
| State-of-the-art implementations | Genus-2-Kummer (P) [Bos et al.] | 122,000 | I |
| State-of-the-art implementations | Koblitz-Montgomery-LD ladder (B) [Bluhm and Gueron] | 118,000 | H |
| State-of-the-art implementations | Twisted-Edwards-4-GLV (P) [Faz-Hernandez] | 92,000 | I |
| State-of-the-art implementations | Genus-2-Kummer Montgomery ladder (P) [Bernstein et al.] | 72,200 | H |
| State-of-the-art implementations | GLS-2-GLV double-and-add (B, λ) [Oliveira et al.] | 60,000 | H |
| Our work | Koblitz-Montgomery-LD (left-to-right) | 122,000 | H |
| Our work | Koblitz-regular τ-and-add (left-to-right, w = 5) | 99,000 | H |


Koblitz curves over $\mathbb{F}_4$

Koblitz curves over $\mathbb{F}_4$ were introduced by Neal Koblitz in 1991. However, implementations of scalar multiplication on these curves were never reported.

On the other hand, recent works on curves (prime and binary) defined over quadratic extensions showed that these extensions are efficient when implemented in software.

This is because we execute the same operation in each base element of the quadratic field element. For instance, given the quadratic field elements $a = a_0 + a_1 u$ and $b = b_0 + b_1 u$, the addition $c = a + b$ can be performed as

$c = (a_0 + b_0) + (a_1 + b_1)u$.

Figure: Latency and throughput of the _mm_xor_si128 instruction


Koblitz curves over $\mathbb{F}_4$

Koblitz curves over $\mathbb{F}_4$ are defined by the following equation:

$E_a/\mathbb{F}_{4^m} : y^2 + xy = x^3 + a\gamma x^2 + \gamma$,

where $\gamma \in \mathbb{F}_4$ satisfies $\gamma^2 = \gamma + 1$ and $a \in \{0, 1\}$.

The Frobenius map $\tau : E_a(\mathbb{F}_{4^m}) \to E_a(\mathbb{F}_{4^m})$ is defined by

$\tau(\mathcal{O}) = \mathcal{O}$, $\tau(x, y) = (x^4, y^4)$.

In order to implement a 128-bit secure scalar multiplication, we chose the curve $E_1/\mathbb{F}_{4^{149}}$. The order of the group $E_1(\mathbb{F}_{4^{149}})$ factorizes as

$\#E(\mathbb{F}_{4^{149}}) = 6 \cdot 1886501744269 \cdot 44991476563317830182537451551889394335850807098205993761800530540007335546409$.

Our group of interest has a size of approximately 254 bits.


Koblitz curves over $\mathbb{F}_4$: Field arithmetic

In order to implement efficient arithmetic in the field $\mathbb{F}_{2^{149}}$, we must construct our field with an irreducible polynomial which allows a fast modular reduction.

There are no degree-149 trinomials that are irreducible over $\mathbb{F}_2$.

As a result, we considered redundant trinomials.

Given a non-irreducible trinomial $g(x)$ of degree $n$ that has an irreducible factor $f(x)$ of degree $m < n$, the idea is to perform the field reduction modulo $g(x)$ throughout the algorithm and, at the end, reduce the point coordinates modulo $f(x)$.


Koblitz curves over $\mathbb{F}_4$: Field arithmetic

We selected the trinomial $g(x) = x^{192} + x^{19} + 1$ which factorizes into a 69-term irreducible polynomial $f(x)$ of degree 149 defined by,

$$
\begin{aligned}
f(x) = {} & x^{149} + x^{146} + x^{143} + x^{141} + x^{140} + x^{139} + x^{138} + x^{137} + x^{129} + x^{123} + x^{122} + x^{121} + x^{119} + x^{117} + x^{114} \\
& + x^{113} + x^{111} + x^{108} + x^{107} + x^{106} + x^{105} + x^{99} + x^{94} + x^{92} + x^{91} + x^{90} + x^{86} + x^{85} + x^{83} + x^{81} + x^{80} \\
& + x^{78} + x^{77} + x^{75} + x^{71} + x^{70} + x^{68} + x^{67} + x^{65} + x^{64} + x^{63} + x^{54} + x^{53} + x^{51} + x^{49} + x^{48} + x^{43} + x^{42} \\
& + x^{41} + x^{40} + x^{39} + x^{38} + x^{37} + x^{35} + x^{28} + x^{26} + x^{23} + x^{18} + x^{17} + x^{16} + x^{15} + x^{12} + x^{11} + x^{10} + x^{9} \\
& + x^{3} + x^{2} + x + 1.
\end{aligned}
$$

Algorithm: Modular reduction by the trinomial g(x) = x^192 + x^19 + 1

    Require: A 384-bit polynomial r(x) = F·x^320 + E·x^256 + D·x^192 + C·x^128 + B·x^64 + A in F_2[x] stored into six 64-bit registers (A - F).
    Ensure: A 192-bit polynomial s(x) = r(x) mod g(x) = I·x^128 + H·x^64 + G stored into three 64-bit registers (G - I).
    G ← A ⊕ D ⊕ (F ≫ 45) ⊕ ((D ⊕ (F ≫ 45)) ≪ 19)
    H ← B ⊕ E ⊕ (E ≪ 19) ⊕ (D ≫ 45)
    I ← C ⊕ F ⊕ (F ≪ 19) ⊕ (E ≫ 45)
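The three-line reduction above, checked against a bit-by-bit reference reduction modulo $g(x)$. This is an added example, not code from the presentation: Python integers masked to 64 bits stand in for the registers A to I, the helper names are made up here, and the shift directions (right by 45, left by 19) are the ones that follow from $x^{192} \equiv x^{19} + 1 \pmod{g(x)}$.

```python
import random

MASK = (1 << 64) - 1                     # emulate 64-bit registers
G_POLY = (1 << 192) | (1 << 19) | 1      # g(x) = x^192 + x^19 + 1

def clmul(a, b):
    """Carry-less product of two polynomials over F_2 (ints as bit vectors)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def reduce_ref(r):
    """Reference reduction mod g(x): cancel one leading term at a time."""
    for i in range(r.bit_length() - 1, 191, -1):
        if (r >> i) & 1:
            r ^= G_POLY << (i - 192)
    return r

def reduce_words(r):
    """Word-level reduction of a 384-bit r(x) with the slide's three formulas."""
    A, B, C, D, E, F = ((r >> (64 * j)) & MASK for j in range(6))
    # F*x^320 = F*x^128*(x^19 + 1): the top 19 bits of F*x^147 land on x^192
    # again and are folded a second time through t.
    t = F >> 45
    G = A ^ D ^ t ^ (((D ^ t) << 19) & MASK)
    H = B ^ E ^ ((E << 19) & MASK) ^ (D >> 45)
    I = C ^ F ^ ((F << 19) & MASK) ^ (E >> 45)
    return (I << 128) | (H << 64) | G

def mul_mod_g(a, b):
    """Multiply two 192-bit operands and reduce modulo the redundant trinomial.
    The result is a 192-bit representative mod g(x), not yet reduced mod f(x)."""
    return reduce_words(clmul(a, b))

def self_check(trials=200, seed=1):
    """Compare both reductions on constructed pseudo-random 192-bit operands."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.getrandbits(192), rng.getrandbits(192)
        if mul_mod_g(a, b) != reduce_ref(clmul(a, b)):
            return False
    return True
```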


Koblitz curves over $\mathbb{F}_4$: Timings

Table: Timing-resistant scalar multiplication timings (in clock cycles) on 128-bit secure elliptic curves

| Curve/Method | Architecture | Timings |
|---|---|---|
| Koblitz over $\mathbb{F}_{2^{283}}$ (NIST K-283), τ-and-add, 5-τNAF [Oliveira et al.] | Haswell | 99,000 |
| Twisted Edwards over $\mathbb{F}_{(2^{127}-1)^2}$, double-and-add [Costello and Longa] | Haswell | 59,000 |
| Kummer genus-2 over $\mathbb{F}_{2^{127}-1}$, Kummer ladder [Bernstein et al.] | Haswell | 54,389 |
| Koblitz over $\mathbb{F}_{4^{149}}$, τ-and-add, 2-τNAF (our work) | Haswell | 96,822 |
| Koblitz over $\mathbb{F}_{4^{149}}$, τ-and-add, 3-τNAF (our work) | Haswell | 69,656 |


Part II: The Discrete Logarithm Problem


Finite Fields


Introduction

Discrete Logarithm Problem

Let $p$ be a prime and $k$ a positive integer, $q = p^k$.

$\mathbb{F}_q^*$ is a multiplicative cyclic group of order $q - 1$, and therefore has a generator $g \in \mathbb{F}_q^*$ such that

$$\mathbb{F}_q^* \cong \{g^i : 0 \le i \le q - 2\}.$$

The discrete logarithm problem is stated as follows. Given $\mathbb{F}_q^*$, $g$ and $h \equiv g^i \pmod{q}$, find $i$.

The value $i$ is the discrete logarithm of $h$ in base $g$, denoted as $\log_g h$.

The discrete logarithm problem (DLP) is considered a hard problem, that is, there are no known polynomial-time algorithms to solve it.


Weakness of $\mathbb{F}_{3^{6 \cdot 509}}$ for discrete logarithm cryptography

Let us assume that one wants to compute discrete logarithms in the field $\mathbb{F}_{q^{3n}}$, with $q = 3^2$, $n = 509$. Notice that the group size of that field is

$$|\mathbb{F}_{3^{2 \cdot 3 \cdot 509}}| = \lceil \log_2(3) \cdot 2 \cdot 3 \cdot 509 \rceil = 4841 \text{ bits}.$$

| Algorithm | Time complexity | Equiv. bit security level |
| --- | --- | --- |
| Hellman-Reyneri 1982 | $L_{q^{3n}}[\frac{1}{2}, 1.414]$ | 337 |
| Coppersmith 1984 | $L_{q^{3n}}[\frac{1}{3}, 1.526]$ | 134 |
| Joux-Lercier 2006 | $L_{q^{3n}}[\frac{1}{3}, 1.442]$ | 126 |
| Joux-Lercier 2006 (as revised by Shinohara et al. 2012) | $L_{q^{3n}}[\frac{1}{3}, 1.270]$ | 111 |
| Joux 2012 (personal estimation) | $L_{q^{3n}}[\frac{1}{3}, 1.175]$ | 103 |
| Joux 2013 (as analyzed by Adj et al. 2013) | $L_{q^{3n}}[\frac{1}{4}, 1.530]$ | 58.9 |

$$L_q[\alpha, c] = e^{c (\log q)^{\alpha} (\log \log q)^{1-\alpha}}$$


Computing discrete logarithms in $\mathbb{F}_{3^{6 \cdot 137}}$

Field selection

The last record on solving the DLP over small-characteristic fields was from Hayashi et al. in 2012, who broke the 923-bit field $\mathbb{F}_{3^{6 \cdot 97}}$ in 148.2 days by using PCs with 252 CPU cores.

Our goal is to break the 1303-bit field $\mathbb{F}_{3^{6 \cdot 137}}$ using Joux's new algorithm. Coppersmith's algorithm for the DLP in $\mathbb{F}_{3^{6 \cdot 137}}$ takes $\approx 2^{76}$.


Computing discrete logarithms in $\mathbb{F}_{3^{6 \cdot 137}}$

The path

Furthermore,

• Relation generation: 1.05 CPU hours (Sandy Bridge, 1 core).

• Linear algebra: Using the Magma implementation of the Lanczos algorithm, 556.8 CPU hours (Sandy Bridge, 4 cores).

Total time: 888 CPU hours


Computing discrete logarithms in $\mathbb{F}_{3^{6 \cdot 163}}$

After our first record, we worked over the 1551-bit finite field $\mathbb{F}_{3^{6 \cdot 163}}$. We succeeded in finding a logarithm of a randomly generated degree-162 polynomial after 1201 CPU hours.

The discrete logarithm problem in this group is of cryptographic interest, as it was proposed for pairing-based protocols by different authors [Boneh et al., 2004; Granger et al., 2006].

Our analysis and our practical attacks added further weight to the claim that the protocols based on the finite fields $\mathbb{F}_{3^k}$ are unsuitable for cryptography.


Elliptic and Hyperelliptic Curves


Introduction

The theoretical security of an elliptic curve is given by the complexity of solving the DLP on its group of points.

Given an elliptic curve $E$ over a field $\mathbb{F}_q$, a generator point $P \in E(\mathbb{F}_q)$ of order $r$ and a challenge point $Q \in \langle P \rangle$, the DLP on $E$ consists in computing the integer $\delta \in \mathbb{Z}_r$ such that $Q = \delta P$.

We have different approaches for solving the DLP on elliptic curves:

• Baby Step Giant Step and Pollard's Rho algorithms (classical)

• Index-calculus algorithms

• Isomorphism attacks

    • MOV attack, reducing the DLP on $E(\mathbb{F}_q)$ to the DLP on $\mathbb{F}_{q^k}^*$

    • Weil-descent based algorithms. Gaudry-Hess-Smart (generalized, extended).


The Enge-Gaudry algorithm

Algorithm: The Enge-Gaudry method for solving the DLP on hyperelliptic curves

Require: A divisor $D_1 \in J_H(\mathbb{F}_q)$ of order $n$, a divisor $D_2 \in \langle D_1 \rangle$, a positive integer $r$

Ensure: An integer $\delta$ such that $D_2 = \delta D_1$

/* Build the factor basis G */
For each linear polynomial $u_i$, find $v_i$ such that $[u_i, v_i]$ is a divisor of the curve $H$. Store $g_i = [u_i, v_i]$ in $G$.

/* Initialization of the random walk */
For $j \leftarrow 1$ to $r$, select $\alpha^{(j)}$ and $\beta^{(j)}$ at random in $\{1 \ldots n\}$ and compute $T^{(j)} \leftarrow \alpha^{(j)} D_1 + \beta^{(j)} D_2$.

/* Main loop */
Select $j$ at random in $\{1 \ldots r\}$. Compute $R_0 = [u_0, v_0] \leftarrow R_0 + T^{(j)}$.
if $u_0$ is 1-smooth then
    Factor $u_0$ and determine the positions of the factors in the basis $G$. Store result as a row $R_k = \sum m_{ik} g_i$ of a matrix $M = (m_{ik})$. Store the coefficients $\alpha_k = \alpha_0$ and $\beta_k = \beta_0$.
if $k < \#G + 1$, then proceed to linear algebra.

/* Linear algebra */
Find a non zero vector $(\gamma_k)$ of the kernel of the transpose of the matrix $M$.
return $\delta = -(\sum \alpha_k \gamma_k) / (\sum \beta_k \gamma_k) \bmod n$.


A practical attack on the GLS curve $E/\mathbb{F}_{2^{62}}$

Let $E$ be a binary GLS curve given by the following equation

$$E/\mathbb{F}_{2^{62}} : y^2 + xy = x^3 + ax^2 + b, \quad \text{with } a \in \mathbb{F}_{2^{62}},\ b \in \mathbb{F}_{2^{31}}^*$$

The GHS attack can construct the following genus-32 hyperelliptic curve with the Weil descent procedure:

$$
\begin{aligned}
H(\mathbb{F}_{2^2}) : {} & y^2 + (z^2 x^{32} + x^{16} + z^2 x^{8} + z^2 x^{2} + x)\,y = \\
& x^{65} + x^{64} + z^2 x^{33} + z x^{32} + x^{17} + z^2 x^{16} + x^{8} + x^{5} + x^{4} + z^2 x^{3} + z x^{2} + z x.
\end{aligned}
$$

We selected a dynamic factor base containing irreducible polynomials up to degree 7.

At the end of the relations collection phase, our factor basis had 1458 elements, which is 44.12% of the total number of irreducible polynomials up to degree 7.

Random walk initialization: 3.00 s

Relations collection: 284.52 s

Linear Algebra (Lanczos): 0.11 s


Thank you!
