Preliminaries Algorithms and Implementation Results and Discussion FPGA Design of Self-certified Signature Verification on Koblitz Curves Kimmo J¨ Jorma Skytt¨ arvinen Juha Forsten a Helsinki University of Technology Signal Processing Laboratory Otakaari 5A, FIN-02150, Finland {Kimmo.Jarvinen,Juha.Forsten,Jorma.Skytta}@tkk.fi September 12, 2007 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Algorithms and Implementation Results and Discussion Outline Preliminaries 1 Introduction Koblitz curves Signatures Algorithms and Implementation 2 Point multiplication Precomputation Implementation Results and Discussion 3 Results on an FPGA Conclusions and future work K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Introduction Packet Level Authentication (PLA) 1 Enormous speed requirements! Elliptic curve cryptography because short signatures and fast performance are needed Koblitz curve, NIST K-163, used to maximize speed Self-certified ID based signatures because they are short and computationally less complex 1 See http://www.tcs.hut.fi/Software/PLA/new/index.shtml K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Introduction Packet Level Authentication (PLA) 1 Enormous speed requirements! Elliptic curve cryptography because short signatures and fast performance are needed Koblitz curve, NIST K-163, used to maximize speed Self-certified ID based signatures because they are short and computationally less complex Development in FPGA technology Growth in resources enables massive parallelization Point multiplication times < 100 µ s have been reported We focus on maximizing operations per second instead of minimizing computation time of a single operation 1 See http://www.tcs.hut.fi/Software/PLA/new/index.shtml K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Koblitz curves Koblitz curves have the form E K : y 2 + xy = x 3 + ax 2 + 1 If P = ( x , y ) is a point on E K , then its Frobenius endomorphism, φ ( P ) = ( x 2 , y 2 ) , is also on E K . Very efficient point multiplication Integer presented in τ -adic non-adjacent form (NAF) 2 Point doublings replaced by Frobenius maps Only m / 3 point additions 2 Solinas, Des. Codes Cryptogr. 19(2-3), 2000 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Self-certified identity based signatures Used in the current version of the PLA Signature verification is the most critical operation K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Self-certified identity based signatures Used in the current version of the PLA Signature verification is the most critical operation Signature verification A signature is verified by computing: W A = DECOMPRESS ( r A − HASH ( ID A ) , b A ) − r A W D , and HASH ( M ) = c − [ dG + cW A ] x ( mod r ) K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Self-certified identity based signatures Used in the current version of the PLA Signature verification is the most critical operation Signature verification A signature is verified by computing: W A = DECOMPRESS ( r A − HASH ( ID A ) , b A ) − r A W D , and HASH ( M ) = c − [ dG + cW A ] x ( mod r ) which simplify into the 3-term point multiplication: dG + c ( uG ) − cr A W D K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Introduction Algorithms and Implementation Koblitz curves Results and Discussion Signatures Self-certified identity based signatures Used in the current version of the PLA Signature verification is the most critical operation Signature verification A signature is verified by computing: W A = DECOMPRESS ( r A − HASH ( ID A ) , b A ) − r A W D , and HASH ( M ) = c − [ dG + cW A ] x ( mod r ) which simplify into the 3-term point multiplication: dG + c ( uG ) − cr A W D = k 1 P 1 + k 2 P 2 + k 3 P 3 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Point multiplication Algorithms and Implementation Precomputation Results and Discussion Implementation Point multiplication Q = k 1 P 1 + k 2 P 2 + k 3 P 3 Shamir’s trick ⇒ 3-term double-and-add algorithm 3-term τ -adic joint sparse form 3 Simplified algorithm Precompute all possible combinations 1 R k 1 , k 2 , k 3 = k 1 , j P 1 + k 2 , j P 2 + k 3 , j P 3 Perform φ ( P ) for all bits 2 If k 1 , j , k 2 , j , k 3 , j � = 000, add R k 1 , k 2 , k 3 to Q using mixed 3 coordinate point addition a a Al-Daoud et al. IEEE Tran. Comp. 51(8), 2002 3 Brumley, ICICS 2006, LNCS 4307 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Point multiplication Algorithms and Implementation Precomputation Results and Discussion Implementation Precomputed points k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point 10 ¯ ¯ 000 R 0 = O 1 R 7 = R 3 − R 1 n/a 101 − R 7 00 ¯ ¯ 1 ¯ 001 R 1 = P 1 110 R 8 = R 3 + R 2 1 − R 1 10 − R 8 1 ¯ 0 ¯ ¯ 010 R 2 = P 2 10 R 9 = R 3 − R 2 10 − R 2 110 − R 9 ¯ ¯ 1 ¯ 1 ¯ 100 R 3 = P 3 111 R 10 = R 8 + R 1 100 − R 3 1 − R 10 11 ¯ 0 ¯ 1 ¯ ¯ 1 ¯ 011 R 4 = R 2 + R 1 1 R 11 = R 8 − R 1 1 − R 4 11 − R 11 01 ¯ 1 ¯ 0 ¯ ¯ 11 ¯ 1 R 5 = R 2 − R 1 11 R 12 = R 9 + R 1 11 − R 5 1 − R 12 1 ¯ 1 ¯ ¯ 10 ¯ ¯ 101 R 6 = R 3 + R 1 1 R 13 = R 9 − R 1 1 − R 6 111 − R 13 Precomputations require 10 point additions(/subtractions) K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Point multiplication Algorithms and Implementation Precomputation Results and Discussion Implementation Precomputed points k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point 10 ¯ ¯ 000 R 0 = O 1 R 7 = R 3 − R 1 n/a 101 − R 7 00 ¯ ¯ 1 ¯ 001 R 1 = P 1 110 R 8 = R 3 + R 2 1 − R 1 10 − R 8 1 ¯ 0 ¯ ¯ 010 R 2 = P 2 10 R 9 = R 3 − R 2 10 − R 2 110 − R 9 ¯ ¯ 1 ¯ 1 ¯ 100 R 3 = P 3 111 R 10 = R 8 + R 1 100 − R 3 1 − R 10 11 ¯ 0 ¯ 1 ¯ ¯ 1 ¯ 011 R 4 = R 2 + R 1 1 R 11 = R 8 − R 1 1 − R 4 11 − R 11 01 ¯ 1 ¯ 0 ¯ ¯ 11 ¯ 1 R 5 = R 2 − R 1 11 R 12 = R 9 + R 1 11 − R 5 1 − R 12 1 ¯ 1 ¯ ¯ 10 ¯ ¯ 101 R 6 = R 3 + R 1 1 R 13 = R 9 − R 1 1 − R 6 111 − R 13 Precomputations require 10 point additions(/subtractions) Pairs ( R k , R k + 1 ) are computed so that R k = R i + R j , and 1 R k + 1 = R i − R j 2 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Point multiplication Algorithms and Implementation Precomputation Results and Discussion Implementation Precomputed points k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point 10 ¯ ¯ 000 R 0 = O 1 R 7 = R 3 − R 1 n/a 101 − R 7 00 ¯ ¯ 1 ¯ 001 R 1 = P 1 110 R 8 = R 3 + R 2 1 − R 1 10 − R 8 1 ¯ 0 ¯ ¯ 010 R 2 = P 2 10 R 9 = R 3 − R 2 10 − R 2 110 − R 9 ¯ ¯ 1 ¯ 1 ¯ 100 R 3 = P 3 111 R 10 = R 8 + R 1 100 − R 3 1 − R 10 11 ¯ 0 ¯ 1 ¯ ¯ 1 ¯ 011 R 4 = R 2 + R 1 1 R 11 = R 8 − R 1 1 − R 4 11 − R 11 01 ¯ 1 ¯ 0 ¯ ¯ 11 ¯ 1 R 5 = R 2 − R 1 11 R 12 = R 9 + R 1 11 − R 5 1 − R 12 1 ¯ 1 ¯ ¯ 10 ¯ ¯ 101 R 6 = R 3 + R 1 1 R 13 = R 9 − R 1 1 − R 6 111 − R 13 Precomputations require 10 point additions(/subtractions) Pairs ( R k , R k + 1 ) are computed so that R k = R i + R j , and 1 R k + 1 = R i − R j 2 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Preliminaries Point multiplication Algorithms and Implementation Precomputation Results and Discussion Implementation Precomputed points k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point k 3 k 2 k 1 Point 10 ¯ ¯ 000 R 0 = O 1 R 7 = R 3 − R 1 n/a 101 − R 7 00 ¯ ¯ 1 ¯ 001 R 1 = P 1 110 R 8 = R 3 + R 2 1 − R 1 10 − R 8 1 ¯ 0 ¯ ¯ 010 R 2 = P 2 10 R 9 = R 3 − R 2 10 − R 2 110 − R 9 ¯ ¯ 1 ¯ 1 ¯ 100 R 3 = P 3 111 R 10 = R 8 + R 1 100 − R 3 1 − R 10 11 ¯ 0 ¯ 1 ¯ ¯ 1 ¯ 011 R 4 = R 2 + R 1 1 R 11 = R 8 − R 1 1 − R 4 11 − R 11 01 ¯ 1 ¯ 0 ¯ ¯ 11 ¯ 1 R 5 = R 2 − R 1 11 R 12 = R 9 + R 1 11 − R 5 1 − R 12 1 ¯ 1 ¯ ¯ 10 ¯ ¯ 101 R 6 = R 3 + R 1 1 R 13 = R 9 − R 1 1 − R 6 111 − R 13 Precomputations require 10 point additions(/subtractions) Pairs ( R k , R k + 1 ) are computed so that R k = R i + R j , and 1 R k + 1 = R i − R j 2 K. J¨ arvinen, J. Forsten and J. Skytt¨ a CHES 2007, September 11-13, 2007, Vienna, Austria
Recommend
More recommend