fast endomorphisms in hardware
play

FAST ENDOMORPHISMS IN HARDWARE Kimmo Jrvinen 1 , 2 1 University of - PowerPoint PPT Presentation

Apr 02, 2023 •240 likes •967 views

FAST ENDOMORPHISMS IN HARDWARE Kimmo Jrvinen 1 , 2 1 University of Helsinki, Computer Science, Helsinki, Finland kimmo.u.jarvinen@helsinki.fi 2 Xiphera Ltd., Espoo, Finland kimmo.jarvinen@xiphera.com The 21st Workshop on Elliptic Curve

  1. FAST ENDOMORPHISMS IN HARDWARE Kimmo Järvinen 1 , 2 1 University of Helsinki, Computer Science, Helsinki, Finland kimmo.u.jarvinen@helsinki.fi 2 Xiphera Ltd., Espoo, Finland kimmo.jarvinen@xiphera.com The 21st Workshop on Elliptic Curve Cryptography Nijmegen, the Netherlands, Nov. 13–15, 2017 ECC’17 November 15, 2017 1/36

  2. INTRODUCTION ◮ This talk surveys my work on hardware implementations of ECC with fast endomorphisms ◮ Particularly: Koblitz curves, Four Q , and GLV/GLS curves ◮ In software, fast endomorphisms reduce the number of operations and lead to significant speedups ◮ In hardware, simplicity is often the key to efficiency and the feasibility of fast endomorphisms is less clear ECC’17 November 15, 2017 2/36

  3. PRELIMINARIES ECC’17 November 15, 2017 3/36

  4. SCALAR MULTIPLICATION ◮ Let E be an elliptic curve defined over a finite field F q ◮ Points on E (together with O ) form an additive Abelian group ◮ Let k be an integer and P be a point on E ; then, scalar multiplication is the following operation: [ k ] P = P + P + . . . + P � �� � k times ◮ Scalar multiplication is the central operation of ECC mostly determining the efficiency of the cryptosystem ECC’17 November 15, 2017 4/36

  5. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  6. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  7. ECC HIERARCHY SCALAR MULTIPLICATION POINT POINT ADDITION DOUBLING FIELD FIELD FIELD ADD/SUB MULT INV ECC’17 November 15, 2017 5/36

  8. ANATOMY OF ECC HW Mult logic Add ALU logic Other logic ECC’17 November 15, 2017 6/36

  9. ANATOMY OF ECC HW Mult FAU logic ctrl Add ALU FAU logic Local regs Other logic ECC’17 November 15, 2017 6/36

  10. ANATOMY OF ECC HW Key storage Mult FAU ECC ctrl logic ECC Co-Processor ctrl Host Processor Add ALU FAU logic Main Local memory regs Other logic ECC’17 November 15, 2017 6/36

  11. FAST ENDOMORPHISMS ◮ GLV/GLS curves have an efficiently computable endomorphism φ ( P ) such that φ ( P ) = [ λ ] P Then, scalar multiplication can be computed as: [ k ] P = [ k 0 ] P + [ k 1 ] φ ( P ) where k 0 + k 1 λ = k If k 0 , k 1 are of the same size, Shamir’s trick for double scalar multplication saves about half of the point doublings ◮ Koblitz curves are curves over F 2 m for which φ ( x , y ) = ( x 2 , y 2 ) is an endomorphism ECC’17 November 15, 2017 7/36

  12. OVERVIEW OF CHALLENGES ◮ Fast endomorphisms require recoding of the scalars (e.g., find k 0 , k 1 ) ⇒ Logic must be added (either a separate converter or FAU instruction set extension) ◮ The size of the overhead depends on the curve and implementation architecture ◮ For binary curves, FAU supports arithmetic over F 2 m but conversions require operations over Z ◮ For prime curves, FAU supports arithmetic over Z but FAU is typically highly optimized for mod p arithmetic ECC’17 November 15, 2017 8/36

  13. SOFTWARE VS. HARDWARE Software +++ Faster scalar multiplications - Slightly larger program memory and data memory requirements ⇒ Advantages bigger than disadvantages (almost always) ECC’17 November 15, 2017 9/36

  14. SOFTWARE VS. HARDWARE Software +++ Faster scalar multiplications - Slightly larger program memory and data memory requirements ⇒ Advantages bigger than disadvantages (almost always) Hardware ++(+) Faster scalar multiplications (almost surely) - - More complex control logic - ( - ) New instructions needed in FAU - ( - - ) More memory/registers needed ⇒ ??? ECC’17 November 15, 2017 9/36

  15. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ECC’17 November 15, 2017 10/36

  16. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ≥ t 1 Scalar recoding Precomputation Main for-loop Main for-loop · · · Inversion ECC’17 November 15, 2017 10/36

  17. PIPELINING time t 1 Scalar recoding Precomputation Main for-loop Main for-loop Inversion · · · ≥ t 1 Scalar recoding Precomputation Main for-loop Main for-loop · · · Inversion Precomputation ≥ t 2 s.t. t 2 < t 1 Main for-loop Main for-loop Inversion · · · Scalar recoding ECC’17 November 15, 2017 10/36

  18. PARALLELISM ◮ Stages should be balanced because throughput is determined by the slowest stage ◮ For-loop is by far the slowest stage ◮ Solutions: (a) Make for-loop faster by using more area (or make other parts slower and save area) (b) Use parallel for-loop units ECC’17 November 15, 2017 11/36

  19. KOBLITZ CURVES (Joint work with J. Adikari, B.B. Brumley, V. Dimitrov, S. Sinha Roy, J. Skyttä, and I. Verbauwhede) ECC’17 November 15, 2017 12/36

  20. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ECC’17 November 15, 2017 13/36

  21. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ◮ Cheap Frobenius maps φ : ( x , y ) �→ ( x 2 , y 2 ) can be used instead of point doublings ECC’17 November 15, 2017 13/36

  22. KOBLITZ CURVES ◮ Binary curves introduced by N. Koblitz already in 1991 and included in many standards (e.g., NIST) ◮ Cheap Frobenius maps φ : ( x , y ) �→ ( x 2 , y 2 ) can be used instead of point doublings ◮ . . . but first the integer k needs to be given as a τ -adic √ i = 0 k i τ i where τ = ( µ + expansion k = � ℓ − 1 − 7 ) / 2 ∈ C · · · add dbl dbl add dbl add dbl dbl add dbl add · · · conversion add add add add F 2 m Z ECC’17 November 15, 2017 13/36

  23. SCALAR CONVERSIONS ◮ Many cryptosystems (e.g., signature schemes) require k also as an integer (a) Select a random integer and find its τ -adic expansion (b) Select a random τ -adic expansion and find its integer equivalent ECC’17 November 15, 2017 14/36

  24. SCALAR CONVERSIONS ◮ Many cryptosystems (e.g., signature schemes) require k also as an integer (a) Select a random integer and find its τ -adic expansion (b) Select a random τ -adic expansion and find its integer equivalent ◮ Option (a) ◮ Base- τ expansions can be found analogously to finding binary expansions except with divisions by τ instead of 2 ◮ Straightforward τ -adic expansion of k is twice as long as k ◮ Meier and Staffelbach: Because P = φ m ( P ) , then α P = β P if α ≡ β ( mod τ m − 1 ) ◮ Solinas: Reduction modulo ( τ m − 1 ) / ( τ − 1 ) gives an expansion of length m + a where a ∈ { 0 , 1 } ECC’17 November 15, 2017 14/36

  25. SCALAR CONVERSIONS ◮ Both require complex operations (e.g., divisions, large multiplications) ◮ High-speed implementations: Avoid conversions from becoming the bottleneck ⇒ HW acceleration ◮ Lightweight implementations: Conversions done over Z ⇒ How to combine efficiently with F 2 m ? ◮ Lazy reduction (repeated divisions by τ ) and its many variations (pipelined, word-wise, . . . ) are commonly used and lead to fast conversions but with an expense in area ECC’17 November 15, 2017 15/36

  26. HIGH-SPEED IMPLEMENTATION ◮ The key to high speed is to accelerate the main for-loop; other parts can be separated to different pipeline stages ◮ For-loop consists of point additions and Frobenius maps ◮ Point additions are dominated by field multiplications (in F 2 m ) ◮ Point addition with Lopez-Dahab formulas (SAC’98) ◮ Frobenius maps φ ( Q ) = ( X 2 , Y 2 , Z 2 ) are cheap and can be computed independently for all coordinates ECC’17 November 15, 2017 16/36

  27. HIGH-SPEED IMPLEMENTATION X 1 X 2 Z 1 Z 2 Point addition: Y 1 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) Y 3 ECC’17 November 15, 2017 17/36

  28. HIGH-SPEED IMPLEMENTATION X 1 X 2 Z 1 Z 2 Point addition: Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  29. HIGH-SPEED IMPLEMENTATION X 1 X 2 X 1 X 2 Z 1 Z 2 Z 1 Z 2 Point addition: Y 1 Y 3 Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  30. HIGH-SPEED IMPLEMENTATION X 1 X 2 X 1 X 2 X 1 X 2 Z 1 Z 2 Z 1 Z 2 Z 1 Z 2 Point addition: Y 1 Y 3 Y 1 Y 3 Y 1 Y 3 Q ← Q + P = ( X , Y , Z ) + ( x , y ) Frobenius: Y 2 Y 4 Y 2 Y 4 Y 2 Y 4 Q ← φ ( Q ) = ( X 2 , Y 2 , Z 2 ) ECC’17 November 15, 2017 17/36

  31. HIGH-SPEED RESULTS ◮ The above technique computes the for-loop in less than 5 µ s on K-163 or 12 µ s on K-283 in a Stratix II FPGA (old) ◮ One core performs over 200,000 op/s with delay of 11.7 µ s ◮ Multiple cores fit in an FPGA and one device can reach throughputs of several millions ◮ Delay is not spectacular compared to modern SW but throughput is ECC’17 November 15, 2017 18/36

  32. COMPACT IMPLEMENTATION ◮ Koblitz curve K-283 ◮ 16-bit ALU for binary polynomial arithmetic extended with a 16-bit integer adder/subtractor ECC’17 November 15, 2017 19/36

Recommend

Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre,

Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre,

Endomorphisms - old and not so old Endomorphisms - old and not so old Joachim Cuntz Copenhagen 2019 A unique, even bizarre, institution in West Philadelphia since 1950, the Divine Tracy is up for sale. The asking price for the 140-room hotel is

335 views • 29 slides
Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG

Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG

Growth and entropy for group endomorphisms Growth and entropy for group endomorphisms Anna Giordano Bruno (joint work with Pablo Spiga) GTG - Salerno, November 20th, 2015 Growth and entropy for group endomorphisms Growth of finitely generated

527 views • 13 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware F LORIAN T RAMR &amp; D AN B ONEH ICLR, New Orleans May 7 th 2019 2 Securely outsourcing ML inference with hardware isolation - Intel SGX input X -

554 views • 10 slides
PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap Neuromorphic Hardware: A physical model, not a simulation Intrinsically parallel, scalable, fast, ... Not an arbitrarily flexible substrate

512 views • 17 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for Supercomputers Workshop June 12 2018 Rob Gardner Jared Smolens Kishore Pusukuri Oracle Inc Arm Inc NetApp Inc Multicore Systems &amp;

692 views • 24 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e

Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e

Non-density of stability for holomorphic endomorphisms of CP k Romain Dujardin Universit e Paris-Est Marne la Vall ee Parameters problems in analytic dynamics, London, June 2016 Foreword Motivation : explore the basic geography of the

829 views • 57 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina

Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina

Lynx: Using OS and Hardware Support for Fast Fine-Grained Inter-Core Communication Konstantina Mitropoulou, Vasileios Porpodas, Xiaochun Zhang and Timothy M. Jones Computer Laboratory UKMAC 2016, Edinburgh slide 1 of 30

1.31k views • 77 slides
Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate

Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate

Definitions Elements of Pluripotential Theory The Green current of a holomorphic endomorphism Introduction to the dynamics of holomorphic endomorphisms of P k Dimitra Tsigkari Postgraduate Conference in Complex Dynamics, London, 11-13 March

805 views • 37 slides
Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman

Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman

Families of curves with nontrivial endomorphisms in their Jacobians Jerome William Hoffman Louisiana State University April 6, 2015 hoffman@math.lsu.edu 1 The Problem and Background 2 Shimura Varieties: Some Examples 3 g=2 4 g=3 5 Galois

965 views • 43 slides
Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell

Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell

Fast, Scalable, and Programmable Packet Scheduler in Hardware Vishal Shrivastav Cornell University Packet Scheduling 101 express enforce at runtime Packet Scheduler * focus of this work * fairness / rate-limit / To pacing etc.. Wire

1.59k views • 20 slides
Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast &amp; Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley &amp; Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin,

Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin,

Proteus: A Flexible and Fast Software supported Hardware Logging approach for NVM Seunghee Shin, Satish Tirukkovalluri, James Tuck, and Yan Solihin North Carolina State University The 2018 Non-Volatile Memories Workshop (NVMW 2018) 1

551 views • 17 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating scenarios 1. Outsourced ML Data

781 views • 21 slides
Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with

Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with

Building a Fast, Virtualized Building a Fast, Virtualized Data Plane with Data Plane with Programmable Hardware Programmable Hardware Bilal Anwer Nick Feamster 1 Network Virtualization Network Virtualization Network virtualization enables

299 views • 27 slides
Computing central endomorphisms of an abelian variety via reductions modulo p Edgar Costa (MIT)

Computing central endomorphisms of an abelian variety via reductions modulo p Edgar Costa (MIT)

Computing central endomorphisms of an abelian variety via reductions modulo p Edgar Costa (MIT) January 18, 2020 Joint Mathematics Meetings Joint work with Davide Lombardo and John Voight Slides available at edgarcosta.org under Research

585 views • 33 slides
Faster Compact DiffieHellman: Endomorphisms on the x -line Craig Costello H useyin H sl

Faster Compact DiffieHellman: Endomorphisms on the x -line Craig Costello H useyin H sl

Faster Compact DiffieHellman: Endomorphisms on the x -line Craig Costello H useyin H sl Benjamin Smith craigco@microsoft.com huseyin.hisil@yasar.edu.tr smith@lix.polytechnique.fr Microsoft Resesarch Computer Eng. Department INRIA,

579 views • 53 slides
VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

604 views • 32 slides
Fixed points of post-critically algebraic endomorphisms Van Tu LE Institute de Math ematiques

Fixed points of post-critically algebraic endomorphisms Van Tu LE Institute de Math ematiques

Fixed points of post-critically algebraic endomorphisms Van Tu LE Institute de Math ematiques de Toulouse March 25, 2019 Motivation Post-critically finite rational maps Let f be an endomorphism of CP 1 . The map f is called post-critically

769 views • 40 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical &amp; Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
Statistical properties for holomorphic endomorphisms of morphisms F. Bianchi, projective spaces

Statistical properties for holomorphic endomorphisms of morphisms F. Bianchi, projective spaces

Statistical properties for endo- Statistical properties for holomorphic endomorphisms of morphisms F. Bianchi, projective spaces T.-C. Dinh Introduction Invariant measures Tien-Cuong Dinh (joint with Fabrizio Bianchi) Statistical

296 views • 28 slides
The algebra of the parallel endomorphisms of a germ of pseudo-Riemannian metric Charles Boubel

The algebra of the parallel endomorphisms of a germ of pseudo-Riemannian metric Charles Boubel

Motivation: the title term by term Results The algebra of the parallel endomorphisms of a germ of pseudo-Riemannian metric Charles Boubel Universit e de Strasbourg August 27, 2012 PADGE, KU Leuven Charles Boubel Universit e de

793 views • 57 slides

More recommend