Complete addition formulas for prime order elliptic curves

Joost Renes (1), Craig Costello (2), Lejla Batina (1)
(1) Radboud University, Digital Security, Nijmegen, The Netherlands, j.renes,lejla@cs.ru.nl
(2) Microsoft Research, Redmond, USA, craigco@microsoft.com

9th May 2016

Joost Renes 9th May 2016 Complete formulas 1 / 21

Outline
◮ Elliptic curve preliminaries
◮ Problem of exceptional cases
◮ Complete addition formulas
◮ Comparison of results

Elliptic curves
$E(k)$: elliptic curve over a field $k$ with $\operatorname{char}(k) \neq 2, 3$
Every elliptic curve can be written in short Weierstrass form
◮ Embedded in $\mathbb{P}^2(k)$ as $E : Y^2 Z = X^3 + aXZ^2 + bZ^3$
◮ The point $\mathcal{O} = (0 : 1 : 0)$ is called the point at infinity
◮ Affine points $(x : y : 1)$ given by $y^2 = x^3 + ax + b$
◮ The points on $E$ form an abelian group under point addition $\oplus$ (with neutral element $\mathcal{O}$)
◮ Scalar multiplication $(k, P) \mapsto [k]P$ ($k \in \mathbb{Z}$, $P \in E$)
◮ The order of $E$ is its order as a group

Elliptic curve cryptography (ECC)
Elliptic curve discrete logarithm problem (ECDLP): given two points $P, Q \in E$ such that $Q \in \langle P \rangle$, find $k \in \mathbb{Z}$ such that $Q = [k]P$.
Commonly $k$ is a secret, $Q$ is public
◮ Key exchange: ECDH
◮ Signatures: ECDSA, EdDSA

Weierstrass model
Figure: $E/\mathbb{R} : y^2 = x^3 + ax + b$

Chord and tangent addition
◮ if $P \neq \pm Q$
◮ if $P \neq \mathcal{O}$
◮ if $Q \neq \mathcal{O}$
Figure: $E/\mathbb{R} : y^2 = x^3 + ax + b$

Weierstrass model doubling
◮ if $P \neq \mathcal{O}$
Figure: $E/\mathbb{R} : y^2 = x^3 + ax + b$

Implementation (Homogeneous addition)
$(X_1 : Y_1 : Z_1) \oplus (X_2 : Y_2 : Z_2) = (X_3 : Y_3 : Z_3)$, where:
$$X_3 = (X_2Z_1 - X_1Z_2)\left((Y_2Z_1 - Y_1Z_2)^2 Z_1Z_2 - (X_2Z_1 - X_1Z_2)^3 - 2(X_2Z_1 - X_1Z_2)^2 X_1Z_2\right),$$
$$Y_3 = (Y_2Z_1 - Y_1Z_2)\left(3(X_2Z_1 - X_1Z_2)^2 X_1Z_2 - (Y_2Z_1 - Y_1Z_2)^2 Z_1Z_2 + (X_2Z_1 - X_1Z_2)^3\right) - (X_2Z_1 - X_1Z_2)^3 Y_1Z_2,$$
$$Z_3 = (X_2Z_1 - X_1Z_2)^3 Z_1Z_2.$$
But: $P = Q$, $P = \mathcal{O}$ or $Q = \mathcal{O}$ $\Rightarrow$ $X_3 = Y_3 = Z_3 = 0$ (not in $\mathbb{P}^2$!)

Implementation (Homogeneous doubling)
$[2](X : Y : Z) = (X_3 : Y_3 : Z_3)$, where
$$X_3 = 2YZ\left((aZ^2 + 3X^2)^2 - 8XY^2Z\right),$$
$$Y_3 = (aZ^2 + 3X^2)\left(12XY^2Z - (aZ^2 + 3X^2)^2\right) - 8Y^4Z^2,$$
$$Z_3 = 8Y^3Z^3.$$
But: $P = \mathcal{O}$ $\Rightarrow$ $X_3 = Y_3 = Z_3 = 0$ (not in $\mathbb{P}^2$!)

Exceptional cases
◮ Curves implemented using formulas with exceptional cases
◮ Handled by if-statements:
  ◮ Code complexity
  ◮ Bugs
  ◮ Not constant-time
  ◮ Potential vulnerabilities

Curve model
◮ Problems appear for curves in short Weierstrass form
◮ Can deal with the exceptions by changing the model
  ◮ (twisted) Edwards
  ◮ (twisted) Hessian
◮ Not possible for prime order curves

Prime order curves
◮ The example curves originally specified in the working drafts of ANSI, versions X9.62 and X9.63 [1, 2].
◮ The five NIST prime curves specified in FIPS 186-4, i.e. P-192, P-224, P-256, P-384 and P-521.
◮ The seven curves specified in the German brainpool standard [9], i.e., brainpoolPXXXr1, where XXX ∈ {160, 192, 224, 256, 320, 384, 512}.
◮ The eight curves specified by the UK-based company Certivox [8], i.e., ssc-XXX, where XXX ∈ {160, 192, 224, 256, 288, 320, 384, 512}.
◮ The three curves specified (in addition to the above NIST prime curves) in the Certicom SEC 2 standard [7]. This includes secp256k1, which is the curve used in the Bitcoin protocol.

Complete addition formulas
Addition formulas [5]: a tuple of bihomogeneous polynomials $(X_3 : Y_3 : Z_3)$ such that for all $(P, Q) \in E \times E$ either
1. $(X_3(P,Q) : Y_3(P,Q) : Z_3(P,Q)) = P \oplus Q$, or
2. $(X_3(P,Q) : Y_3(P,Q) : Z_3(P,Q)) = (0 : 0 : 0)$.
◮ If 2 holds for a pair $(P, Q)$, it is called exceptional
◮ If 2 holds for none of the pairs $(P, Q)$, the addition formulas $(X_3 : Y_3 : Z_3)$ are called complete

Limitations and possibilities
Known results by Bosma and Lenstra [5] for (equivalence classes of) addition formulas of bidegree (2,2):
Theorem: over an algebraically closed field $\bar{k}$ there are always exceptional pairs
Consequence: for complete addition formulas over $\mathbb{F}_p$ we have to make sure the exceptional pairs lie in extension fields
(Note that this is what is done for Edwards curves as well)
Theorem: the set is a 3-dimensional $k$-vector space
Consequence: there are $\approx q^3$ addition formulas

Choosing the optimal one
For a basis $(A_0, A_1, A_2)$ of the 3-dimensional space, every addition law can be written as $aA_0 + bA_1 + cA_2$, for $a, b, c \in \mathbb{F}_q$.
Some intuitive arguments:
◮ Bosma and Lenstra give a basis in which almost no cross-cancelation occurs, so simply choosing one of their basis elements seems optimal
◮ One of the basis elements is the only addition law which is complete independent of curve coefficients and base field
Choose this addition law, and heavily optimize it!

The formulas
Complete addition formulas for odd order elliptic curves. For any two points $P = (X_1 : Y_1 : Z_1)$ and $Q = (X_2 : Y_2 : Z_2)$ we can compute $P + Q = (X_3 : Y_3 : Z_3)$ where
$$X_3 = (X_1Y_2 + X_2Y_1)(Y_1Y_2 - a(X_1Z_2 + X_2Z_1) - 3bZ_1Z_2) - (Y_1Z_2 + Y_2Z_1)(aX_1X_2 + 3b(X_1Z_2 + X_2Z_1) - a^2Z_1Z_2),$$
$$Y_3 = (Y_1Y_2 + a(X_1Z_2 + X_2Z_1) + 3bZ_1Z_2)(Y_1Y_2 - a(X_1Z_2 + X_2Z_1) - 3bZ_1Z_2) + (3X_1X_2 + aZ_1Z_2)(aX_1X_2 + 3b(X_1Z_2 + X_2Z_1) - a^2Z_1Z_2),$$
$$Z_3 = (Y_1Z_2 + Y_2Z_1)(Y_1Y_2 + a(X_1Z_2 + X_2Z_1) + 3bZ_1Z_2) + (X_1Y_2 + X_2Y_1)(3X_1X_2 + aZ_1Z_2).$$
Exceptional pairs are induced by points of order 2, which by assumption only exist over extension fields.

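The two addition laws from the slides side by side, as an added example (not code from the talk): the chord formula from "Implementation (Homogeneous addition)" collapses to (0 : 0 : 0) on its exceptional pairs, while the complete formulas above handle every input with no branching. The toy curve y^2 = x^3 + 2x + 2 over F_17 (prime order 19, generator (5, 1)) and all function names are assumptions chosen for illustration.

```python
# Added example, not code from the talk. Assumed toy curve (not on the slides):
# y^2 = x^3 + 2x + 2 over F_17, prime order 19, generator (5, 1).
p, a, b = 17, 2, 2
INF = (0, 1, 0)   # point at infinity O = (0 : 1 : 0)
G = (5, 1, 1)     # generator, in projective coordinates

def chord_add(P, Q):
    """Incomplete homogeneous chord addition; exceptional for P = Q, P = O, Q = O."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    u = (Y2*Z1 - Y1*Z2) % p
    v = (X2*Z1 - X1*Z2) % p
    X3 = v * (u*u*Z1*Z2 - v**3 - 2*v*v*X1*Z2)
    Y3 = u * (3*v*v*X1*Z2 - u*u*Z1*Z2 + v**3) - v**3*Y1*Z2
    Z3 = v**3 * Z1 * Z2
    return (X3 % p, Y3 % p, Z3 % p)

def complete_add(P, Q):
    """Complete addition formulas; the same arithmetic for every pair of points."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    xy = X1*Y2 + X2*Y1
    xz = X1*Z2 + X2*Z1
    yz = Y1*Z2 + Y2*Z1
    zz = Z1*Z2
    s = Y1*Y2 + a*xz + 3*b*zz          # Y1Y2 + a(X1Z2 + X2Z1) + 3bZ1Z2
    d = Y1*Y2 - a*xz - 3*b*zz          # Y1Y2 - a(X1Z2 + X2Z1) - 3bZ1Z2
    m = a*X1*X2 + 3*b*xz - a*a*zz      # aX1X2 + 3b(X1Z2 + X2Z1) - a^2 Z1Z2
    n = 3*X1*X2 + a*zz                 # 3X1X2 + aZ1Z2
    return ((xy*d - yz*m) % p, (s*d + n*m) % p, (yz*s + xy*n) % p)

def normalize(P):
    """Canonical form for comparison only: (x : y : 1), or (0 : 1 : 0) for O."""
    X, Y, Z = P
    if Z % p == 0:
        return INF
    zi = pow(Z, -1, p)
    return (X*zi % p, Y*zi % p, 1)

def multiples(P, order):
    """[0]P, [1]P, ..., [order-1]P computed with complete_add only."""
    out = [INF]
    for _ in range(order - 1):
        out.append(normalize(complete_add(out[-1], P)))
    return out
```

The branch in `normalize` is only for comparing results in the test; the addition itself never inspects its inputs.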
Operation count
curve      operation          cost
any a      P ⊕ Q              12M + 3m_a + 2m_3b + 23a
any a      P ⊕ Q, Z_Q = 1     11M + 3m_a + 2m_3b + 17a
any a      [2]P               8M + 3S + 3m_a + 2m_3b + 15a
a = −3     P ⊕ Q              12M + 2m_b + 29a
a = −3     P ⊕ Q, Z_Q = 1     11M + 2m_b + 23a
a = −3     [2]P               8M + 3S + 2m_b + 21a
a = 0      P ⊕ Q              12M + 2m_3b + 19a
a = 0      P ⊕ Q, Z_Q = 1     11M + 2m_3b + 13a
a = 0      [2]P               6M + 2S + 1m_3b + 9a

A comparison
◮ This work (addition): 12M + 3m_a + 2m_3b + 23a
◮ This work (doubling): 8M + 3S + 3m_a + 2m_3b + 15a
◮ Bernstein and Lange [3] attempt an addition law which works for all NIST prime curves: 26M + 8S + ...
◮ Brier and Joye [6] develop unified formulas, still with exceptions: 11M + 6S + ...
◮ Bos et al. [4] study a complete system of two addition laws
◮ Chord-and-tangent Jacobian coordinates addition: ≈ 12M + 4S + ...
◮ Chord-and-tangent Jacobian coordinates doubling: ≈ 4M + 4S + ...

Another comparison: OpenSSL
NIST curve   ECDH ops per 10s (complete)   ECDH ops per 10s (incomplete)   factor slowdown
P-192        35274                         47431                           1.34x
P-224        24810                         34313                           1.38x
P-256        21853                         30158                           1.38x
P-384        10109                         14252                           1.41x
P-521        4580                          6634                            1.44x
Table: Number of ECDH operations in 10 seconds for the OpenSSL implementation of the five NIST prime curves. Timings were obtained by running the "openssl speed ecdhpXXX" command on an Intel Core i5-5300 CPU @ 2.30GHz, averaged over 100 trials of 10s each.
