complete addition formulas for prime order elliptic curves
play

Complete addition formulas for prime order elliptic curves Joost - PowerPoint PPT Presentation

Mar 26, 2023 •22 likes •642 views

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 j.renes@cs.ru.nl 1 Radboud University, Nijmegen, The Netherlands 2 Microsoft Research, Redmond, USA 16 February 2016 16 February 2016 1 /

  1. Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 j.renes@cs.ru.nl 1 Radboud University, Nijmegen, The Netherlands 2 Microsoft Research, Redmond, USA 16 February 2016 16 February 2016 1 / 39

  2. About me ◮ PhD student (supervisor Lejla Batina) ◮ Digital Security Group ◮ Radboud University (Nijmegen, The Netherlands) ◮ (Academic) Interests: ◮ Efficient and secure implementations of curve-based crypto ◮ Side-channel analysis ◮ (Hyper)elliptic-curve cryptography ◮ Isogeny-based cryptography ◮ http://www.cs.ru.nl/~jrenes/ 16 February 2016 2 / 39

  3. Outline ◮ Elliptic curve intro ◮ Complete formulas & comparison ◮ Background Feel free to ask questions at any time! 16 February 2016 3 / 39

  4. Elliptic curves E ( k ): elliptic curve over a field k with char( k ) � = 2 , 3 Every elliptic curve can be written in short Weierstrass form ◮ Embedded in P 2 as E : Y 2 Z = X 3 + aXZ 2 + bZ 3 ◮ The point O = (0 : 1 : 0) is called the point at infinity ◮ Affine points ( x : y : 1) given by y 2 = x 3 + ax + b ◮ The points on E form an abelian group under point addition ⊕ (with neutral element O ) ◮ Scalar multiplication ( k , P ) �→ [ k ] P ( k ∈ Z , P ∈ E ) 16 February 2016 4 / 39

  5. Elliptic curve cryptography (ECC) Elliptic curve discrete logarithm problem (ECDLP) Given two points P , Q ∈ E such that Q ∈ � P � . Find k ∈ Z such that Q = [ k ] P . Commonly k is a secret, Q is public ◮ Key exchange: ECDH ◮ Signatures: ECDSA, EdDSA 16 February 2016 5 / 39

  6. Weierstrass model O Figure: E / R : y 2 = x 3 + ax + b 16 February 2016 6 / 39

  7. Addition O Q P P ⊕ Q Figure: E / R : y 2 = x 3 + ax + b 16 February 2016 7 / 39

  8. Addition O Q ◮ if P � = ± Q ◮ if P � = O ◮ if Q � = O P P ⊕ Q Figure: E / R : y 2 = x 3 + ax + b 16 February 2016 7 / 39

  9. Doubling O P [2] P Figure: E / R : y 2 = x 3 + ax + b 16 February 2016 8 / 39

  10. Doubling O P [2] P ◮ if P � = O Figure: E / R : y 2 = x 3 + ax + b 16 February 2016 8 / 39

  11. Implementation (Homogeneous addition) ( X 1 : Y 1 : Z 1 ) ⊕ ( X 2 : Y 2 : Z 2 ) = ( X 3 : Y 3 : Z 3 ), where: � X 3 = ( X 2 Z 1 − X 1 Z 2 ) ( Y 2 Z 1 − Y 1 Z 2 ) Z 1 Z 2 − ( X 2 Z 1 − X 1 Z 2 ) 3 − 2( X 2 Z 1 − X 1 Z 2 ) X 1 Z 2 � , � Y 3 = ( Y 2 Z 1 − Y 1 Z 2 ) 3( X 2 Z 1 − X 1 Z 2 ) X 1 Z 2 − ( Y 2 Z 1 − Y 1 Z 2 ) Z 1 Z 2 + ( X 2 Z 1 − X 1 Z 2 ) 3 � − ( X 2 Z 1 − X 1 Z 2 ) 3 Y 1 Z 2 , Z 3 = ( X 2 Z 1 − X 1 Z 2 ) 3 Z 1 Z 2 .  P = Q  ⇒ X 3 = Y 3 = Z 3 = 0 ( not in P 2 ! ) But: P = O  = Q = O 16 February 2016 9 / 39

  12. Implementation (Homogeneous doubling) [2]( X : Y : Z ) = ( X 3 : Y 3 : Z 3 ), where ( aZ 2 + 3 X 2 ) 2 − 8 XY 2 Z � � X 3 = 2 YZ , Y 3 = ( aZ 2 + 3 X 2 ) � 12 XY 2 Z − ( aZ 2 + 3 X 2 ) 2 � − 8 Y 4 Z 2 , Z 3 = 8 Y 3 Z 3 . ⇒ X 3 = Y 3 = Z 3 = 0 ( not in P 2 ! ) But: P = O = 16 February 2016 10 / 39

  13. OpenSSL code example int ec_GFp_simple_add(...) { (...) if (a == b) return EC_POINT_dbl(group, r, a, ctx); if (EC_POINT_is_at_infinity(group, a)) return EC_POINT_copy(r, b); if (EC_POINT_is_at_infinity(group, b)) return EC_POINT_copy(r, a); (...) } 16 February 2016 11 / 39

  14. OpenSSL code example int ec_GFp_simple_add(...) { (...) if (a == b) return EC_POINT_dbl(group, r, a, ctx); if (EC_POINT_is_at_infinity(group, a)) return EC_POINT_copy(r, b); if (EC_POINT_is_at_infinity(group, b)) return EC_POINT_copy(r, a); (...) } 16 February 2016 11 / 39

  15. Exceptional cases ◮ Curves implemented using formulas with exceptional cases ◮ Handled by if-statements: ◮ Code complexity ◮ Bugs ◮ Non-time-constant ◮ Potential vulnerabilities 16 February 2016 12 / 39

  16. Standardized curves need to deal with this ◮ The example curves originally specified in the working drafts of ANSI, versions X9.62 and X9.63 [Acc99a; Acc99b]. ◮ The five NIST prime curves specified in FIPS 186-4, i.e. P-192, P-224, P-256, P-384 and P-521. ◮ The seven curves specified in the German brainpool standard [ECC05], i.e., brainpoolPXXXr1 , where XXX ∈ { 160 , 192 , 224 , 256 , 320 , 384 , 512 } . ◮ The eight curves specified by the UK-based company Certivox [Cer15], i.e., ssc-XXX , where XXX ∈ { 160 , 192 , 224 , 256 , 288 , 320 , 384 , 512 } . ◮ The three curves specified (in addition to the above NIST prime curves) in the Certicom SEC 2 standard [Cer10]. This includes secp256k1 , which is the curve used in the Bitcoin protocol. 16 February 2016 13 / 39

  17. A (partial) solution ◮ In 2007 Bernstein and Lange introduce Edwards curves ◮ Efficient exception-free addition formulas ◮ Problem: the curves have a cofactor ⇒ Not possible for prime order curves ◮ Also the case for twisted Edwards and Hessian curves 16 February 2016 14 / 39

  18. Attempts for prime order curves ◮ For all NIST prime curves [BL09]: 26 M + 8 S + ... ◮ Unified formulas [BJ02]: 11 M + 6 S + ... ◮ Complete system of two addition laws [Bos+15] Goal : efficient complete addition formulas for prime order curves 16 February 2016 15 / 39

  19. The result: complete addition formulas Complete addition formulas for odd order subgroups ( X 1 : Y 1 : Z 1 ) ⊕ ( X 2 : Y 2 : Z 2 ) = ( X 3 : Y 3 : Z 3 ), where: X 3 = ( X 1 Y 2 + X 2 Y 1 )( Y 1 Y 2 − a ( X 1 Z 2 + X 2 Z 1 ) − 3 bZ 1 Z 2 ) − ( Y 1 Z 2 + Y 2 Z 1 )( aX 1 X 2 + 3 b ( X 1 Z 2 + X 2 Z 1 ) − a 2 Z 1 Z 2 ) , Y 3 = ( Y 1 Y 2 + a ( X 1 Z 2 + X 2 Z 1 ) + 3 bZ 1 Z 2 )( Y 1 Y 2 − a ( X 1 Z 2 + X 2 Z 1 ) − 3 bZ 1 Z 2 ) + (3 X 1 X 2 + aZ 1 Z 2 )( aX 1 X 2 + 3 b ( X 1 Z 2 + X 2 Z 1 ) − a 2 Z 1 Z 2 ) , Z 3 = ( Y 1 Z 2 + Y 2 Z 1 )( Y 1 Y 2 + a ( X 1 Z 2 + X 2 Z 1 ) + 3 bZ 1 Z 2 ) + ( X 1 Y 2 + X 2 Y 1 )(3 X 1 X 2 + aZ 1 Z 2 ) . In particular this would work in any prime order group, including those on Edwards and Hessian curves 16 February 2016 16 / 39

  20. Operation count � 12 M + 3 m a + 2 m 3b + 23 a P ⊕ Q any a : 8 M + 3 S + 3 m a + 2 m 3b + 15 a [2] P � 12 M + 2 m b + 29 a P ⊕ Q a = − 3: 8 M + 3 S + 2 m b + 21 a [2] P � 12 M + 2 m 3b + 19 a P ⊕ Q a = 0: 6 M + 2 S + 1 m 3b + 9 a [2] P 16 February 2016 17 / 39

  21. A comparison (any a ) ◮ This work (addition): 12 M + 3 m a + 2 m 3b + 23 a ◮ This work (doubling): 8 M + 3 S + 3 m a + 2 m 3b + 15 a ◮ For all NIST prime curves [BL09]: 26 M + 8 S + ... ◮ Unified formulas [BJ02]: 11 M + 6 S + ... ◮ Jacobian coordinates addition: 12 M + 4 S + 7 a ◮ Jacobian coordinates doubling: 3 M + 6 S + 1 m a + 13 a 16 February 2016 18 / 39

  22. A comparison (any a ) ◮ This work (addition): 12 M + 3 m a + 2 m 3b + 23 a ◮ This work (doubling): 8 M + 3 S + 3 m a + 2 m 3b + 15 a ◮ For all NIST prime curves [BL09]: 26 M + 8 S + ... ◮ Unified formulas [BJ02]: 11 M + 6 S + ... ◮ Jacobian coordinates addition: 12 M + 4 S + 7 a ◮ Jacobian coordinates doubling: 3 M + 6 S + 1 m a + 13 a 16 February 2016 18 / 39

  23. A comparison (any a ) ◮ This work (addition): 12 M + 3 m a + 2 m 3b + 23 a ◮ This work (doubling): 8 M + 3 S + 3 m a + 2 m 3b + 15 a ◮ For all NIST prime curves [BL09]: 26 M + 8 S + ... ◮ Unified formulas [BJ02]: 11 M + 6 S + ... ◮ Jacobian coordinates addition: 12 M + 4 S + 7 a ◮ Jacobian coordinates doubling: 3 M + 6 S + 1 m a + 13 a 16 February 2016 18 / 39

  24. A software comparison: OpenSSL NIST no. of ECDH operations (per 10s) factor curve complete incomplete slowdown P-192 35274 47431 1.34x P-224 24810 34313 1.38x P-256 21853 30158 1.38x P-384 10109 14252 1.41x P-521 4580 6634 1.44x Table: Number of ECDH operations in 10 seconds for the OpenSSL implementation of the five NIST prime curves. Timings were obtained by running the “ openssl speed ecdhpXXX ” command on an Intel Core i5-5300 CPU @ 2.30GHz, averaged over 100 trials of 10s each. 16 February 2016 19 / 39

  25. A hardware comparison: FPGA implementation [MRB16] For all prime order curves over prime fields of up to 522 bits ◮ A single set of formulas ◮ Built on top of Montgomery modular multiplier ◮ Additions very cheap compared to multiplications ◮ No distinction between multiplications and squarings ◮ Benefit a lot from parallelizing formulas 16 February 2016 20 / 39

  26. Parallelizing n Cost Area × Time 1 17 M + 23 a 17 M + 23 a 2 9 M 2 + 12 a 2 18 M + 24 a 3 6 M 3 + 8 a 3 18 M + 24 a 4 5 M 4 + 7 a 4 20 M + 28 a 5 4 M 5 + 6 a 5 20 M + 30 a 6 3 M 6 + 6 a 6 18 M + 36 a 16 February 2016 21 / 39

  27. Parallelizing n Cost Area × Time 1 17 M + 23 a 17 M + 23 a 2 9 M 2 + 12 a 2 18 M + 24 a 3 6 M 3 + 8 a 3 18 M + 24 a 4 5 M 4 + 7 a 4 20 M + 28 a 5 4 M 5 + 6 a 5 20 M + 30 a 6 3 M 6 + 6 a 6 18 M + 36 a 16 February 2016 21 / 39

Recommend

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 1 Radboud University, Digital Security, Nijmegen, The Netherlands j.renes,lejla@cs.ru.nl 2 Microsoft Research, Redmond, USA

481 views • 27 slides
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Introduction BGN protocol with a symmetric pairing BGN conversions Our implementation Conclusion Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore Guillevic C2, Dinard, France C2 2012 1/23 grid

558 views • 23 slides
Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven Memories of graduate school Early 1990s,

768 views • 40 slides
Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Weierstrass coordinates k with 2 Fix a field 6 = 0. a; b 2 k with 4 a 3 + 27 b 2 Fix 6 = 0.

1.02k views • 50 slides
Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hseyin H sl () October 19, 2010 1 / 36 Faster formulas for elliptic curves (A roadmap for formula-hunters)

825 views • 55 slides
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

1.09k views • 77 slides
ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points is not the same addition as 1+1=2. The addition of points is the production of a third point using two already known points Properties of

503 views • 22 slides
The complete cost of cofactor h = 1 Implementing Weierstrass curves with complete formulas Peter

The complete cost of cofactor h = 1 Implementing Weierstrass curves with complete formulas Peter

The complete cost of cofactor h = 1 Implementing Weierstrass curves with complete formulas Peter Schwabe Daan Sprenkels 18 December 2019 Radboud University, peter@cryptojedi.org, daan@dsprenkels.com 1 Introduction Some history

1.34k views • 102 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Lecture 3 Elliptic curves over finite fields The group order Reminder from last lecture Points

Lecture 3 Elliptic curves over finite fields The group order Reminder from last lecture Points

Elliptic curves over F q F. Pappalardi Lecture 3 Elliptic curves over finite fields The group order Reminder from last lecture Points of finite order Algebraqic Structures, Cryptography, The group structure Weil Pairing Number Theory and

770 views • 25 slides
E LLIPTIC CURVES II ( THE ASSOCIATIVITY ) The algebraic proof of associativity the ring of

E LLIPTIC CURVES II ( THE ASSOCIATIVITY ) The algebraic proof of associativity the ring of

Elliptic curves over F q Formulas for Addition Computer assited proof of associativity Proof of associativity via combinatorial incidence Geometry Bezout Theorem Cayley-Bacharah Theorem Pappus Theorem Pascals Theorem Associativity E

474 views • 21 slides
Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven 2007.01.10, 09:00 (yikes!), Leiden University, part of Mathematics: Algorithms and

983 views • 63 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen,

The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen,

The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen, IEM January 15, 2008 M. Magioladitis (IEM) The DLP on Elliptic Curves January 15, 2008 1 / 9 Aim of the talk Theorem of Tate Let E and E be

363 views • 9 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Primality Proving with Elliptic Curves Laurent Thry Marelle Project 29/03/2007 p.1 Prime

Primality Proving with Elliptic Curves Laurent Thry Marelle Project 29/03/2007 p.1 Prime

Primality Proving with Elliptic Curves Laurent Thry Marelle Project 29/03/2007 p.1 Prime Number Inductive N := O: N | S ( n : N ): N Definition m + n := if m is S m then S ( m + n ) else n Definition m * n := if m is S m then

283 views • 25 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS

Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS

Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS of order p . Construction: The elements in the latin square will be the elements of Z p , the integers modulo p . Addition and multiplication will be

257 views • 8 slides

More recommend