
Jan Pelzl, ECC Summer School 2004, 9/14/2004

Arithmetic on Elliptic Curves over GF(2^n)
ECC Summer School 2004
Jan Pelzl
Communications Security Group
Ruhr-Universität Bochum
http://www.crypto.rub.de

Content
1. Introduction
- Elliptic Curves
- Why GF(2^n)?
2. Field Arithmetic
- Requirements for ECC
- Representation of Elements
- Addition and Subtraction
- Squaring
- Multiplication
- Reduction
- Inversion
- Summary
3. Curves over GF(2^n)
- General Case
- Special Curves, NIST Curves
- Example
4. Coordinate Systems
- Overview: Affine, Projective, LD for Curves over GF(2^n)
- Comparison
5. Exponentiation
- Overview
6. Software Implementations
- Practical Performance
- Comparison of PK Systems
7. Literature

Elliptic Curves
Recap: Elliptic curve E over a field K:
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \quad \text{(Weierstrass)}$$
where $a_1, a_2, a_3, a_4, a_6 \in K$ and discriminant $\Delta \neq 0$.
Simplified Weierstrass equations:
$E : y^2 = x^3 + ax + b$ for fields of characteristic $\neq 2, 3$
$E : y^2 + xy = x^3 + ax^2 + b$ for fields of characteristic 2

Why GF(2^n)
Can consider different fields:
- Prime fields $K = \mathbb{F}_p$ where $p \in \mathbb{P}$: arithmetic $\bmod\ p$
- Extension fields $K = \mathbb{F}_q$ where $q = p^n$: arithmetic $\bmod\ f(z)$, where $\mathbb{F}_q = \mathbb{F}_p[f(z)]$ and $\deg_z f = n$
Nice to implement: $p = 2$, i.e., consider $E(\mathbb{F}_{2^n})$ (later!)

Requirements for ECC
Recap: Group law for $E(\mathbb{F}_{2^n}) : y^2 + xy = x^3 + ax^2 + b$
1. Addition: Let $P = (x_1, y_1)$ and $Q = (x_2, y_2) \neq \pm P$. Then $(x_3, y_3) = P + Q$ where
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a \quad \text{and} \quad y_3 = \lambda (x_1 + x_3) + x_3 + y_1$$
with $\lambda = \frac{y_1 + y_2}{x_1 + x_2}$.
2. Doubling: Let $P = (x_1, y_1)$ and $P \neq -P$. Then $(x_3, y_3) = 2P$ where
$$x_3 = \lambda^2 + \lambda + a \quad \text{and} \quad y_3 = x_1^2 + \lambda x_3 + x_3$$
with $\lambda = x_1 + \frac{y_1}{x_1}$.

Binary Representation
$a \in \mathbb{F}_{2^n}$ can be expressed as a polynomial $\bmod\ f(z)$ with coefficients in $\mathbb{F}_2$, where $f(z)$ is a field extension polynomial of $\mathbb{F}_2$ of degree n:
$$a = \sum_{i=0}^{n-1} a_i z^i \quad \text{with } a_i \in \{0, 1\}.$$
Coefficients of a are either one or zero and are thus easy to represent in computers by a binary string of length n:
$$a = (a_{n-1} a_{n-2} \dots a_0)_2.$$

Addition and Subtraction
Let $a, b, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$ and $b = \sum_{i=0}^{n-1} b_i z^i$. The sum or difference $c = a \pm b$ is computed by bitwise XOR of the coefficients:
$$c = \sum_{i=0}^{n-1} c_i z^i \equiv a \pm b \equiv \sum_{i=0}^{n-1} (a_i \oplus b_i) z^i \pmod{f(z)}.$$
Example: Let $a, b \in \mathbb{F}_{2^5} = \mathbb{F}_2/(f(z) = z^5 + z^2 + 1)$, $a = z^3 + z^2 + 1$ and $b = z^4 + z^3 + z^2$, then
$$a + b = (z^3 + z^2 + 1) + (z^4 + z^3 + z^2) = z^4 + 2z^3 + 2z^2 + 1 \equiv z^4 + 1$$

Addition and Subtraction (2)
In software:
Addition and subtraction in $\mathbb{F}_{2^n}$ can be accomplished by simple bitwise XORs.
Example (contd.):
    a       01101
    b       11100
  = a + b   10001
Efficient: Use word XOR of processor (e.g., 8 bit, 16 bit, 32 bit simultaneously).

Squaring
Let $a, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$. The square of a is then computed as follows:
$$a^2 = \left( \sum_{i=0}^{n-1} a_i z^i \right)^2 \equiv \sum_{i=0}^{n-1} \left( a_i z^i \right)^2 = \sum_{i=0}^{n-1} a_i z^{2i}$$
I.e., squaring can be accomplished by inserting zeros between consecutive bits of a (upsampling by 2). The result has to be reduced by $f(z)$.

Squaring (2)
Example:
    a     11101
    a^2   101010001
In software:
Table lookups facilitate computation of a square. E.g.,
- compute a table of size 512 bytes, containing (16 bit) squares of all possible 8 bit polynomials (words)
- parse operand variable word-wise (8 bit)
- set 16 bits in result variable accordingly

Multiplication
Let $a, b, c \in \mathbb{F}_{2^n}$ with $a = \sum_{i=0}^{n-1} a_i z^i$ and $b = \sum_{i=0}^{n-1} b_i z^i$. The product of a and b can be computed, e.g., with the schoolbook method
$$a \cdot b = \sum_{j=0}^{n-1} a_j z^j \cdot \sum_{i=0}^{n-1} b_i z^i = \sum_{j=0}^{n-1} \sum_{i=0}^{n-1} a_j b_i z^{i+j},$$
which is often referred to as the shift-and-add method.
Example: $a = (01101)_2$ and $b = (11100)_2$
    01101 · 11100 = 010001100
    01101
     01101
      01101
       00000
        00000

Multiplication (2)
Problem: GF(2^n) multiplication is not supported on general purpose processors. Most popular algorithms in software:
- (binary) shift-and-add method
  - parse one operand bit-wise
  - shift intermediate results
- (binary) shift-and-add with precomputation
  - parse operand in blocks of, e.g., 4 bits
  - look up multiples of words (table)
  - shift intermediate results by 4 bits
- comb method
  - consider same bit position in all words of operand
  - needs fewer word shifts in total
- comb method with precomputation
  - parse in blocks of, e.g., 4 bits
  - use table lookup for multiples of words

Multiplication (3)
Karatsuba-Ofman: Improvement for numbers larger than processor word size
Principle:
- denote $a_{hi}$ and $a_{lo}$ as higher/lower word of a
- w as word size of the processor in bits
$$(a_{lo} + a_{hi} 2^w)(b_{lo} + b_{hi} 2^w) = a_{lo} b_{lo} + 2^w (a_{hi} b_{lo} + a_{lo} b_{hi}) + 2^{2w} a_{hi} b_{hi}$$
can be improved by substituting one multiplication by 3 additions. Compute
$$a_{lo} b_{lo}, \quad a_{hi} b_{hi}, \quad a_{hi} b_{lo} + a_{lo} b_{hi} = (a_{lo} + a_{hi})(b_{lo} + b_{hi}) - a_{lo} b_{lo} - a_{hi} b_{hi}$$
to obtain coefficients of $2^0$, $2^w$ and $2^{2w}$.

Reduction
Reduce resulting squares and products $\bmod\ f(z)$:
- add/subtract multiples of extension polynomial $f(z)$
- final result should satisfy deg < n (convenient representation, uses fewer bits)
- efficiency depends on choice of extension polynomial
Example: $a = z^8 + z^5 + z^2 + 1$ and $f(z) = z^5 + z^2 + 1$.
$$a = z^8 + z^5 + z^2 + 1$$
$$\equiv z^8 - z^3 f(z) + z^5 + z^2 + 1$$
$$= z^8 - z^8 - z^5 - z^3 + z^5 + z^2 + 1$$
$$\equiv z^3 + z^2 + 1 \pmod{f(z)}$$

Reduction (2)
In software:
- Reduce one bit at a time
  - start with leftmost bit
  - based on the observation that $f(z) = z^n + r(z) \equiv 0 \Rightarrow z^{n+k} + z^k r(z) \equiv 0$
  - add $z^{n+k} + z^k r(z)$ for a 1 at position $(n + k)$ for $k \geq 0$
- Reduce one word at a time
  - shift and add whole words
  - fast if deg r(z) n (wordsize)
  - suitable for certain field extension polynomials
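
The addition, table-based squaring, shift-and-add multiplication and bit-at-a-time reduction described on the preceding slides, as an added C example that is not part of the lecture material. Function names are illustrative, elements are assumed to fit one machine word (n <= 31), and the values in `main` are the slides' own examples over $f(z) = z^5 + z^2 + 1$.

```c
/* Added example, not from the slides: GF(2^n) arithmetic for n <= 31 on one
 * machine word. Bit i of an element is the coefficient a_i of z^i. */
#include <stdint.h>
#include <stdio.h>

static uint16_t sq_table[256];   /* 512 bytes: squares of all 8-bit polynomials */

/* Precompute the squares: bit i of the input moves to bit 2i (zero insertion). */
void gf2_init_sq_table(void) {
    for (unsigned v = 0; v < 256; v++) {
        uint16_t s = 0;
        for (unsigned i = 0; i < 8; i++)
            if (v & (1u << i)) s |= (uint16_t)(1u << (2 * i));
        sq_table[v] = s;
    }
}

/* Addition and subtraction are the same operation: XOR of the coefficients. */
uint32_t gf2_add(uint32_t a, uint32_t b) { return a ^ b; }

/* Unreduced square: parse the operand byte-wise, emit 16 result bits per byte. */
uint64_t gf2_sqr_poly(uint32_t a) {
    uint64_t r = 0;
    for (int byte = 3; byte >= 0; byte--)
        r = (r << 16) | sq_table[(a >> (8 * byte)) & 0xff];
    return r;
}

/* Unreduced product, binary shift-and-add: parse b bit-wise, XOR in shifted a. */
uint64_t gf2_mul_poly(uint32_t a, uint32_t b) {
    uint64_t r = 0, sh = a;
    for (; b; b >>= 1, sh <<= 1)
        if (b & 1) r ^= sh;
    return r;
}

/* Bit-at-a-time reduction, leftmost bit first. f includes its z^n term, so
 * XORing f << k clears a 1 at position n+k and adds z^k * r(z). */
uint32_t gf2_reduce(uint64_t c, uint32_t f, int n) {
    for (int k = 63 - n; k >= 0; k--)
        if (c & (1ull << (n + k))) c ^= (uint64_t)f << k;
    return (uint32_t)c;
}

uint32_t gf2_mul(uint32_t a, uint32_t b, uint32_t f, int n) {
    return gf2_reduce(gf2_mul_poly(a, b), f, n);
}

uint32_t gf2_sqr(uint32_t a, uint32_t f, int n) {
    return gf2_reduce(gf2_sqr_poly(a), f, n);
}

int main(void) {
    const uint32_t f = 0x25;             /* f(z) = z^5 + z^2 + 1 */
    const uint32_t a = 0x0d, b = 0x1c;   /* 01101 and 11100 from the slides */
    gf2_init_sq_table();
    printf("a + b         = 0x%02x\n", (unsigned)gf2_add(a, b));
    printf("a * b         = 0x%03llx (unreduced)\n", (unsigned long long)gf2_mul_poly(a, b));
    printf("(11101)^2     = 0x%03llx (unreduced)\n", (unsigned long long)gf2_sqr_poly(0x1d));
    printf("0x125 mod f   = 0x%02x\n", (unsigned)gf2_reduce(0x125, f, 5));
    printf("a * b mod f   = 0x%02x\n", (unsigned)gf2_mul(a, b, f, 5));
    return 0;
}
```

The table must be initialised with `gf2_init_sq_table()` before the first squaring.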

Reduction (3)
Example: Reduce word w[6] (bits 192...221, 32 bit processor)
$$f(z) = z^{161} + z^{18} + 1 \equiv 0$$
$$\Rightarrow z^{192} \equiv z^{49} + z^{31}$$
$$\vdots$$
$$z^{192+31} \equiv z^{49+31} + z^{31+31} \pmod{f(z)}$$
Add shifted version of w[7] two times to the operand:
1. from position 49 to 49 + 31 = 80
2. from position 31 to 31 + 31 = 62
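
The word-at-a-time reduction for $f(z) = z^{161} + z^{18} + 1$ on a 32 bit machine, checked against the bit-at-a-time method, as an added C example that is not part of the lecture material. Function names and the 11-word operand layout are assumptions made for the example, and the operand in `reduce_161_agree` is constructed test data.

```c
/* Added example, not from the slides: reduction modulo f(z) = z^161 + z^18 + 1
 * on a 32-bit machine. Bit j of c[i] is the coefficient of z^(32*i + j); 11 words
 * hold any product of two field elements (degree <= 320). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORDS 11

void flip_bit(uint32_t c[WORDS], int e) { c[e / 32] ^= 1u << (e % 32); }
int get_bit(const uint32_t c[WORDS], int e) { return (c[e / 32] >> (e % 32)) & 1; }

/* One bit at a time, leftmost first: z^e = z^(e-161+18) + z^(e-161) (mod f). */
void reduce_161_bitwise(uint32_t c[WORDS]) {
    for (int e = 32 * WORDS - 1; e >= 161; e--)
        if (get_bit(c, e)) {
            flip_bit(c, e);
            flip_bit(c, e - 161 + 18);
            flip_bit(c, e - 161);
        }
}

/* One word at a time: word i starts at z^(32i) = z^(32(i-6)+49) + z^(32(i-6)+31),
 * which for i = 6 is z^192 = z^49 + z^31. Add the word at both offsets. */
void reduce_161_wordwise(uint32_t c[WORDS]) {
    for (int i = WORDS - 1; i >= 6; i--) {
        uint32_t t = c[i];
        c[i] = 0;
        c[i - 6] ^= t << 31;    /* offset 31: straddles words i-6 and i-5 */
        c[i - 5] ^= t >> 1;
        c[i - 5] ^= t << 17;    /* offset 49 = 32 + 17: words i-5 and i-4 */
        c[i - 4] ^= t >> 15;
    }
    uint32_t t = c[5] >> 1;     /* word 5 = bits 160..191; fold bits 161..191 */
    c[5] &= 1;
    c[0] ^= t ^ (t << 18);      /* z^(161+j) = z^j + z^(18+j) */
    c[1] ^= t >> 14;
}

/* Run both methods on the same constructed operand; 1 if the results agree. */
int reduce_161_agree(uint32_t seed) {
    uint32_t a[WORDS], b[WORDS];
    for (int i = 0; i < WORDS; i++) {
        seed = seed * 1664525u + 1013904223u;   /* LCG, test data only */
        a[i] = b[i] = seed;
    }
    reduce_161_bitwise(a);
    reduce_161_wordwise(b);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void) {
    uint32_t c[WORDS] = {0};
    flip_bit(c, 192);
    reduce_161_wordwise(c);
    printf("z^192 -> bit 49: %d, bit 31: %d\n", get_bit(c, 49), get_bit(c, 31));
    printf("methods agree: %d\n", reduce_161_agree(2004u));
    return 0;
}
```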
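
Inversion
Given $a \in \mathbb{F}_{2^n}$, find $a^{-1}$ such that $a \cdot a^{-1} \equiv 1 \pmod{f(z)}$.
Methods:
- Fermat's method (inversion by exponentiation): based on $a^{p-1} \equiv 1 \bmod p$
- Extended Euclidean Algorithm (EEA): compute $s, t \in \mathbb{F}_{2^n}$ such that
$$s \cdot a + t \cdot f(z) = 1$$
$$\Rightarrow s \cdot a \equiv 1 \pmod{f(z)}$$
$$\Rightarrow s \equiv a^{-1} \pmod{f(z)}$$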

Inversion (2)
In software:
- (Binary) EEA:
  - basically repeated addition/subtraction
- Almost Inverse Algorithm (AIA):
  - compute b such that $a \cdot b \equiv x^k \bmod f(z)$
  - reduce to $a^{-1} \equiv b \cdot x^{-k} \bmod f(z)$
  - requires asymptotically fewer steps than EEA

Summary Field Arithmetic
- Overall performance of ECC depends mainly on the field arithmetic
- Field addition, subtraction and squaring negligible, i.e., very easy to accomplish
- Speed of field multiplication and inversion crucial
- Inversion more expensive than multiplication
  $\Rightarrow$ can use inversion free coordinate systems (later)!
(See [HHM00] for a detailed description of most algorithms.)

General Case
The Weierstrass equation (see Slide 3, "Elliptic Curves") transforms to
$$E : y^2 + xy = x^3 + ax^2 + b,$$
where $a, b \in \mathbb{F}_{2^n}$.
The discriminant is given by $\Delta = b$.
If a = 0, the curve is called supersingular.

Special Curves and NIST Curves
- acceleration of EC arithmetic with specially chosen curve parameters
- but: choose carefully to avoid security drawbacks
- standard for elliptic curves is FIPS 186-2 (revised by NIST):
  - 10 recommended finite fields (5 binary fields)
  - for each prime field, one (randomly selected) EC was selected
  - for each binary field, one random curve and one Koblitz curve specified
  - field extension polynomials specified
- Koblitz curve: coefficients $\in \mathbb{F}_2$
Binary fields in FIPS 186-2: $\mathbb{F}_{2^{163}}, \mathbb{F}_{2^{233}}, \mathbb{F}_{2^{283}}, \mathbb{F}_{2^{409}}, \mathbb{F}_{2^{571}}$.
E.g., recommended Koblitz curve over $\mathbb{F}_{2^{283}}$: $y^2 + xy = x^3 + 1$

Example
Consider curve $E : y^2 + xy = x^3 + (z^3) x^2 + (z^3 + 1)$ over $\mathbb{F}_{2^4}$.
The field reduction polynomial is $f(z) = z^4 + z + 1$.
- order of the group: $\#E(\mathbb{F}_{2^4}) = 22$
- the point $P = (z^3, 1) = (1000, 0001)$ has order 11
- multiples of P:
    0P = $\infty$          4P = (1111, 1011)   8P  = (1100, 1100)
    1P = (1000, 0001)   5P = (1011, 0010)   9P  = (1001, 0110)
    2P = (1001, 1111)   6P = (1011, 1001)   10P = (1000, 1001)
    3P = (1100, 0000)   7P = (1111, 0100)
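
The affine group law from the "Requirements for ECC" slide, Fermat's inversion method and the example curve above combined, as an added C example that is not part of the lecture material. Function and type names are illustrative; the curve, field polynomial and point P are the ones given in the example.

```c
/* Added example, not from the slides: affine group law on E over GF(2^4). */
#include <stdint.h>
#include <stdio.h>

enum { N = 4, F_POLY = 0x13, CURVE_A = 0x8, CURVE_B = 0x9 };  /* f, a = z^3, b = z^3+1 */
typedef struct { uint8_t x, y; int inf; } ec_point;            /* inf != 0: infinity */
/* Field multiplication: shift-and-add with interleaved reduction. */
uint8_t fe_mul(uint8_t a, uint8_t b) {
    unsigned r = 0, t = a;
    for (; b; b >>= 1) {
        if (b & 1) r ^= t;
        t <<= 1;
        if (t & (1u << N)) t ^= F_POLY;
    }
    return (uint8_t)r;
}

/* Fermat inversion: a^(2^N - 2) = a^2 * a^4 * ... * a^(2^(N-1)), for a != 0. */
uint8_t fe_inv(uint8_t a) {
    uint8_t r = 1, t = a;
    for (int i = 1; i < N; i++) { t = fe_mul(t, t); r = fe_mul(r, t); }
    return r;
}

/* Point validation: does (x, y) satisfy y^2 + xy = x^3 + a*x^2 + b? */
int ec_on_curve(ec_point p) {
    uint8_t x2 = fe_mul(p.x, p.x);
    return p.inf || (fe_mul(p.y, p.y) ^ fe_mul(p.x, p.y))
                 == (fe_mul(x2, p.x) ^ fe_mul(CURVE_A, x2) ^ CURVE_B);
}

/* P + Q with the slide's formulas, plus the cases they exclude. */
ec_point ec_add(ec_point p, ec_point q) {
    ec_point r = {0, 0, 1};
    uint8_t lam;
    if (p.inf || q.inf) return p.inf ? q : p;
    if (p.x == q.x) {
        if (p.y != q.y || p.x == 0) return r;    /* Q = -P = (x, x + y) */
        lam = p.x ^ fe_mul(p.y, fe_inv(p.x));                 /* doubling */
        r.x = fe_mul(lam, lam) ^ lam ^ CURVE_A;
        r.y = fe_mul(p.x, p.x) ^ fe_mul(lam, r.x) ^ r.x;
    } else {
        lam = fe_mul(p.y ^ q.y, fe_inv(p.x ^ q.x));           /* addition */
        r.x = fe_mul(lam, lam) ^ lam ^ p.x ^ q.x ^ CURVE_A;
        r.y = fe_mul(lam, p.x ^ r.x) ^ r.x ^ p.y;
    }
    r.inf = 0;
    return r;
}

/* kP by left-to-right binary double-and-add. */
ec_point ec_mul(unsigned k, ec_point p) {
    ec_point r = {0, 0, 1};
    for (int i = 31; i >= 0; i--) {
        r = ec_add(r, r);
        if ((k >> i) & 1) r = ec_add(r, p);
    }
    return r;
}

int main(void) {
    ec_point p = {0x8, 0x1, 0};                               /* P = (z^3, 1) */
    for (unsigned k = 1; k <= 11; k++) {
        ec_point r = ec_mul(k, p);
        if (r.inf) printf("%2uP = infinity\n", k);
        else printf("%2uP = (0x%x, 0x%x)\n", k, (unsigned)r.x, (unsigned)r.y);
    }
    return 0;
}
```

`ec_on_curve` is the check a receiver applies to a point before using it; here it also lets the group order be counted by brute force.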

Overview
Group law from Slide 5 ("Requirements for ECC") uses affine coordinates:
- group element (point) represented by pair (x, y).
Idea: make group law more efficient by avoiding inversions.
$\Rightarrow$ several projective coordinates proposed. Most important:
- Standard projective coordinates
- Jacobian projective coordinates
- López-Dahab (LD) projective coordinates

Overview (2)
Standard projective coordinates:
- projective point $(X : Y : Z)$, $Z \neq 0$ corresponds to affine point $(X/Z, Y/Z)$
- projective curve equation: $E : Y^2 Z + XYZ = X^3 + aX^2 Z + bZ^3$
Jacobian projective coordinates:
- $(X : Y : Z)$, $Z \neq 0$ corresponds to $(X/Z^2, Y/Z^2)$
- $E : Y^2 + XYZ = X^3 + aX^2 Z^2 + bZ^6$
López-Dahab (LD) projective coordinates:
- $(X : Y : Z)$, $Z \neq 0$ corresponds to $(X/Z, Y/Z^2)$
- $E : Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4$
Remark: Final conversion to affine coordinates requires inversion.

Comparison
Operation counts for point addition and doubling on $y^2 + xy = x^3 + ax^2 + b$ [HHM00]:
    Coordinate system        General addition   General addition      Doubling
                                                (mixed coordinates)
    Affine                   I + M              -                     I + M
    Standard projective      13M                12M                   7M
    Jacobian projective      14M                10M                   5M
    López-Dahab projective   14M                8M                    4M
I: Field inversion
M: Field multiplication
$\Rightarrow$ choice of projective or affine coordinates depends on performance of field inversion!

Overview
Main operation of ECC:
$$kP = \underbrace{P + P + \dots + P}_{k \text{ times}},$$
where k is an integer and P a point on the curve. Also called point multiplication or scalar multiplication.
Several methods for efficient exponentiation, including
- (binary) double and add (square and multiply)
- (binary) NAF methods (non-adjacent form)
- windowing methods
- Montgomery's method
(more next lecture)

Some Results from Practice
Exemplary running times for ECC scalar multiplications in software [WPW+03]:
    Group order   Platform         Scalar multiplication
    2^160         ARM@50MHz        496.96ms
    2^160         ColdFire@90MHz   152.1ms
    2^160         Pentium@1.8GHz   2.6ms
Remark: speed-up for Koblitz curves up to a factor of 7 possible (Frobenius map), e.g., 75.29ms for the same group order on the ARM microprocessor [WPW+03].

Comparison of PK Systems
How does ECC compare to other PK systems (RSA)?
[Figure 1: Computational Efficiency of ECC and RSA. Bar chart of #(integer multiplications) for ECC160, RSA1024, ECC200 and RSA2048, grouped under "mid term security" and "long term security"; bar labels: 2.6E4, 1.24E5, 6.2E4, 2.24E6.]
Remark: RSA verification can be accelerated with short exponents (e.g., $e = 2^{16} + 1$).

Further Reading
- [HHM00] is a very compact paper about software implementation of an elliptic curve cryptosystem over GF(2^n). It gives an overview of all essential operations to be programmed and states NIST curves.
- For the interested reader, more theoretical and practical information can be found in [HMV04]. This book covers many more aspects than the article.

Literature
References
[HHM00] D. Hankerson, J. López Hernandez, and A. Menezes. Software Implementation of Elliptic Curve Cryptography Over Binary Fields. In Ç. Koç and C. Paar, editors, Workshop on Cryptographic Hardware and Embedded Systems, CHES 2000, volume LNCS 1965, pages 1–24, Berlin, August 17-18, 2000. Springer-Verlag.
[HMV04] D. Hankerson, A. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, 2004.
[WPW+03] T. Wollinger, J. Pelzl, V. Wittelsberger, C. Paar, G. Saldamli, and Ç. K. Koç. Elliptic & hyperelliptic curves on embedded µP. ACM Transactions in Embedded Computing Systems (TECS), 2003. Special Issue on Embedded Systems and Security.
