2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? - PowerPoint PPT Presentation

Fast Arithmetic Modulo 2 𝑦 𝑞 𝑧 ± 1 Joppe W. Bos and Simon Friedberger

Why these strange primes? 2  Quantum computers  NIST call for PQC standards [1] [2]

Post-Quantum Cryptography 3  Lattice-based  Code-based  MQ-based  Hash-based  Isogeny-based  Little data (330 B / 10 x smaller)  Very slow (1000 x slower)  Requires more cryptanalysis (published 2011)  …but it has elliptic curves!

ECC vs SIDH 4 ECC 𝑜 𝑄 = 𝑅 SIDH 𝐹 2 = Φ 𝑜 ∘ ⋯ ∘ Φ 1 (𝐹 1 ) [3] [3]

Key exchange 5 [3]

Fast Arithmethic modulo 2 𝑦 𝑞 𝑧 ± 1 6 #E(𝔾 q 2 ) = 2 𝑦 𝑞 𝑧 2 q = 2 x p y ± 1

Fast Arithmethic modulo 2 𝑦 𝑞 𝑧 ± 1 6 #E(𝔾 q 2 ) = 2 𝑦 𝑞 𝑧 2 q = 2 x p y ± 1

Compared approaches 7  Montgomery reduction  Barrett division  Modular simplification  Shifting  Special radix  …

Montgomery reduction 8  Calculate 𝑏෨ Τ ෤ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication 𝑑𝑆 −1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)  Prime shape optimizations:  𝜈 = −𝑛 −1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2 𝑦 𝑞 𝑧 ± 1 = 𝑦𝑞 𝑧 2 𝑦 ± 𝑦  Costs 𝑜 2 + 𝑜 optimized to 𝑜 2 2 M

Montgomery reduction 9  Calculate 𝑏෨ Τ ෤ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication 𝑑𝑆 −1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)  Prime shape optimizations:  𝜈 = −𝑛 −1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2 𝑦 𝑞 𝑧 ± 1 = 𝑦𝑞 𝑧 2 𝑦 ± 𝑦  Costs 𝑜 2 + 𝑜 optimized to 𝑜 2 2 M

Montgomery reduction 10  Calculate 𝑏෨ Τ ෤ 𝑐 𝑆 = 𝑏𝑐𝑆 𝑛𝑝𝑒 𝑛  Montgomery multiplication 𝑑𝑆 −1 = 𝑑 + 𝜈𝑏𝑐 𝑛𝑝𝑒 𝑆 𝑛 /𝑆 (𝑛𝑝𝑒 𝑛)  Prime shape optimizations:  𝜈 = −𝑛 −1 ≡ 1 for 𝑛 ≡ ±1  𝑦𝑛 = 𝑦 2 𝑦 𝑞 𝑧 ± 1 = 𝑦𝑞 𝑧 2 𝑦 ± 𝑦  Costs 𝑜 2 + 𝑜 optimized to 𝑜 2 2 M

Barrett division 11  Calculate 𝑑 𝑛𝑝𝑒 𝑛 as 𝑑 − 𝑑/𝑛 𝑛 𝑛 as 𝑑 𝑑 𝑆  Approximate 𝑆 𝑛  Error of at most 𝑛 , or at most 3𝑛 after some more optimizations  Also gives the fraction not just the remainder  Costs 𝑜 2 + 4𝑜 + 1 optimized to 5 8 𝑜 2 + 13 4 𝑜 + 1 𝑁

Barrett division 12  Calculate 𝑑 𝑛𝑝𝑒 𝑛 as 𝑑 − 𝑑/𝑛 𝑛 𝑛 as 𝑑 𝑑 𝑆  Approximate 𝑆 𝑛  Error of at most 𝑛 , or at most 3𝑛 after some more optimizations  Also gives the fraction not just the remainder  Costs 𝑜 2 + 4𝑜 + 1 optimized to 5 8 𝑜 2 + 13 4 𝑜 + 1 𝑁

Simplified Modulus 13  Pick 𝑆 = 𝑛 + 1 = 2 𝑦 𝑞 𝑧  𝑑 = 𝑑 1 𝑆 + 𝑑 0 = 𝑑 1 𝑛 + 𝑑 1 + 𝑑 0 ≡ 𝑑 1 + 𝑑 0  Need to divide 𝑑 𝑆 and suppose 𝑆 = 2 𝑦 𝑆′  Idea: Use Barrett division with special modulus ′ and 𝑑 1 ′ 2 𝑦 + 𝑑 0 ′ = 𝑣𝑆′ + 𝑤 it follows that  If 𝑑 = 𝑑 1  𝑑 = 𝑣2 𝑦 𝑆′ + 𝑤2 𝑦 + 𝑑 0 ′  It follows that 𝑤2 𝑦 + 𝑑 0 ′ = 𝑑 0 and 𝑣 = 𝑑 1 3 1 5 8 𝑜 2 + 13  Cost ℬ 2 𝑜, 2 𝑜 = 4 𝑜 + 1 𝑁

Folding 14  Save time on the reduction by computing a multiplication first  With precomputed 𝜈 = 𝑆 𝑛𝑝𝑒 𝑛  Transform 𝑑 = 𝑑 1 𝑆 + 𝑑 0 it is clear that 𝑑 ≡ 𝑑 1 𝜈 + 𝑑 0 𝑛𝑝𝑒 𝑛  Picking 𝑆 appropriately will reduce the size of the number to reduce  Costs: For 𝑆 1.5 times as long as 𝑛 we get  𝑑 is reduced in length by 25 %  Cost 𝑜 2 2 𝑁  Folding + Barrett Cost 𝑜 2 2 + 5 4 𝑜 + 1 𝑁

Interleaved vs Non-interleaved 15  Interleave multiplication and reduction  Uses less memory  Multiply and reduce separately  Allows asymptotically fast multiplication algorithms  SIDH: Arithmetic in 𝔾 q 2  (𝑏 + 𝑗𝑐)(𝑑 + 𝑗𝑒)  Interleaved: 4 M&R, Non-interleaved: 4 M + 2 R  Using Karatsuba: 3 M&R vs 3 M + 2 R  Non-interleaved is to be preferred for SIDH

Modulus based Radix 16  Recent approach from WAIFI  Pick 𝑆 = 𝑛 and representation 𝑏 = 𝑏 1 𝑆 + 𝑏 0 this gives  𝑏𝑐 = 𝑏 1 𝑐 1 𝑆 2 + (𝑏 1 𝑐 0 + 𝑏 0 𝑐 1 )𝑆 + 𝑏 0 𝑐 0 = 𝑏 1 𝑐 0 + 𝑏 0 𝑐 1 𝑆 + 𝑏 1 𝑐 1 + 𝑏 0 𝑐 0  Reduce both parts again using Barrett division  Costs: 17 16 𝑜 2 + 13 4 𝑜 + 2 𝑁  Unfortunately interleaved

Results (interleaved) 17 (Costs for multiplication and reduction)

Results (non-interleaved) 18 (Costs for reduction only)

Shifting 19  2 372 3 239 − 1  2 372 3 239 has 372 zero bits  5 words of 64 bit and another 52 bits  3 239 fits into 6 words but it actually uses 7 now  We can properly align the powers of three  Costs: several shifts by 52 bits

SIDH friendly primes 20  Conditions for our search 1. 𝑞 ∈ 3,5,7,11,13,17,19 2. 384 ≤ 𝑦 < 450 and 2 300 < 𝑞 𝑧 < 2 450 3. 2 740 < 2 𝑦 𝑞 𝑧 ± 1 < 2 768 4. 2 𝑦 − 𝑞 𝑧 < 2 40 5. 2 𝑦 𝑞 𝑧 + 1 or 2 𝑦 𝑞 𝑧 − 1 is prime

New prime suggestions 21 Prime Security 𝟑 𝟒𝟗𝟔 𝟒 𝟑𝟑𝟖 − 𝟐 120 2 394 5 154 + 1 119 2 394 5 155 − 1 120 2 396 7 131 + 1 123 2 393 17 91 + 1 124 𝟑 𝟒𝟘𝟐 𝟐𝟘 𝟗𝟗 − 𝟐 125

Benchmarking results 22

Questions? 23 https://github.com/sidh-arith/

References 24 1. https://www.technologyreview.com/s/602283/googles-quantum-dream- may-be-just-around-the-corner/ 2. https://bits.blogs.nytimes.com/2013/05/16/google-buys-a-quantum- computer/?_r=0 3. https://www.esat.kuleuven.be/cosic/elliptic-curves-are-quantum-dead- long-live-elliptic-curves/