
High-speed elliptic-curve cryptography - PowerPoint PPT Presentation

by D. J. Bernstein


  1. High-speed elliptic-curve cryptography. D. J. Bernstein. Thanks to: University of Illinois at Chicago; NSF CCR–9983950; Alfred P. Sloan Foundation.
     Define = 2^255 19; prime. Define = 358990. Define 1 Curve : Z 0 1 by th multiple coordinate of ) on the elliptic curve of (2 2 = 3 + 2 + over F . Main topic of this talk: Compute Curve( ) Curve( ) in very few CPU cycles. In particular, use floating point for fast arithmetic mod .

  2. cryptography Illinois at Chicago CCR–9983950 Foundation
     Define = 2^255 19; prime. Define = 358990. Define 1 Curve : Z 0 1 by th multiple coordinate of ) on the elliptic curve of (2 2 = 3 + 2 + over F . Main topic of this talk: Compute Curve( ) Curve( ) in very few CPU cycles. In particular, use floating point for fast arithmetic mod .
     Why cryptographers Each user has secret public key Curve( Users with secret k exchange Curve( ) through an authenticated compute Curve( use hash as shared encrypt and authenticate Curve speed is imp when number of messages

  3. Define = 2^255 19; prime. Define = 358990. Define 1 Curve : Z 0 1 by th multiple coordinate of ) on the elliptic curve of (2 2 = 3 + 2 + over F . Main topic of this talk: Compute Curve( ) Curve( ) in very few CPU cycles. In particular, use floating point for fast arithmetic mod .
     Why cryptographers care: Each user has secret key , public key Curve( ). Users with secret keys Curve( ) exchange Curve( ) through an authenticated channel; compute Curve( ); hash it; use hash as shared secret to encrypt and authenticate messages. Curve speed is important when number of messages is small.

  4. 19; prime. 358990. Define 1 1 by th multiple rdinate of elliptic curve over F . this talk: Compute Curve( ) cycles. floating point rithmetic mod .
     Why cryptographers care: Each user has secret key , public key Curve( ). Users with secret keys Curve( ) exchange Curve( ) through an authenticated channel; compute Curve( ); hash it; use hash as shared secret to encrypt and authenticate messages. Curve speed is important when number of messages is small.
     Analogous system 1976 Diffie Hellman. Using elliptic curves to avoid index-calculus 1986 Miller, 1987 Koblitz. 3 + 2 + Using 1987 Montgomery High precision from 1968 Veltkamp, 1971 Speedups: 1999–2005

  5. Why cryptographers care: Each user has secret key , public key Curve( ). Users with secret keys Curve( ) exchange Curve( ) through an authenticated channel; compute Curve( ); hash it; use hash as shared secret to encrypt and authenticate messages. Curve speed is important when number of messages is small.
     Analogous system using 2 mod : 1976 Diffie Hellman. Using elliptic curves to avoid index-calculus attacks: 1986 Miller, 1987 Koblitz. Using 3 + 2 + for speed: 1987 Montgomery (for ECM). High precision from fp sums: 1968 Veltkamp, 1971 Dekker. Speedups: 1999–2005 Bernstein.

  6. cryptographers care secret key , Curve( ). secret keys Curve( ) ) authenticated channel; ); hash it; red secret to authenticate messages. important messages is small.
     Analogous system using 2 mod : 1976 Diffie Hellman. Using elliptic curves to avoid index-calculus attacks: 1986 Miller, 1987 Koblitz. Using 3 + 2 + for speed: 1987 Montgomery (for ECM). High precision from fp sums: 1968 Veltkamp, 1971 Dekker. Speedups: 1999–2005 Bernstein.
     Understanding CPU Computers are designed music, movies, Photoshop, etc. Heavy use of i.e., approximate real Example: Athlon, does one add and of high-precision fp Programmer paying to these CPU features can use them for cryptography

  7. Analogous system using 2 mod : 1976 Diffie Hellman. Using elliptic curves to avoid index-calculus attacks: 1986 Miller, 1987 Koblitz. Using 3 + 2 + for speed: 1987 Montgomery (for ECM). High precision from fp sums: 1968 Veltkamp, 1971 Dekker. Speedups: 1999–2005 Bernstein.
     Understanding CPU design: Computers are designed for music, movies, Photoshop, Doom 3, etc. Heavy use of fp arithmetic, i.e., approximate real arithmetic. Example: Athlon, every cycle, does one add and one multiply of high-precision fp numbers. Programmer paying attention to these CPU features can use them for cryptography.

  8. system using 2 mod : Hellman. curves index-calculus attacks: 1987 Koblitz. + for speed: Montgomery (for ECM). from fp sums: 1971 Dekker. 1999–2005 Bernstein.
     Understanding CPU design: Computers are designed for music, movies, Photoshop, Doom 3, etc. Heavy use of fp arithmetic, i.e., approximate real arithmetic. Example: Athlon, every cycle, does one add and one multiply of high-precision fp numbers. Programmer paying attention to these CPU features can use them for cryptography.
     A 53-bit fp numb is a real number 2 with Z and Round each real numb closest 53-bit fp numb Round halves to even. Examples: fp_53(8675309) = 8675309; fp_53(2^127 + 8675309) fp_53(2^127 8675309)

  9. Understanding CPU design: Computers are designed for music, movies, Photoshop, Doom 3, etc. Heavy use of fp arithmetic, i.e., approximate real arithmetic. Example: Athlon, every cycle, does one add and one multiply of high-precision fp numbers. Programmer paying attention to these CPU features can use them for cryptography.
     A 53-bit fp number is a real number 2 with Z and 2^53 . Round each real number to closest 53-bit fp number, fp_53 . Round halves to even. Examples: fp_53(8675309) = 8675309; fp_53(2^127 + 8675309) = 2^127; fp_53(2^127 8675309) = 2^127.

  10. CPU design designed for Photoshop, Doom 3, of fp arithmetic, real arithmetic. thlon, every cycle, and one multiply fp numbers. ying attention features r cryptography.
     A 53-bit fp number is a real number 2 with Z and 2^53 . Round each real number to closest 53-bit fp number, fp_53 . Round halves to even. Examples: fp_53(8675309) = 8675309; fp_53(2^127 + 8675309) = 2^127; fp_53(2^127 8675309) = 2^127.
     Typical CPU: UltraSP Every cycle, UltraSP one fp multiplication fp_53( ) and one fp addition fp_53( + ), subject to limits on “4-cycle fp-operation Results available after Can substitute subtraction for addition. I’ll count subtractions as additions.

  11. A 53-bit fp number is a real number 2 with Z and 2^53 . Round each real number to closest 53-bit fp number, fp_53 . Round halves to even. Examples: fp_53(8675309) = 8675309; fp_53(2^127 + 8675309) = 2^127; fp_53(2^127 8675309) = 2^127.
     Typical CPU: UltraSPARC III. Every cycle, UltraSPARC III can do one fp multiplication fp_53( ) and one fp addition fp_53( + ), subject to limits on . “4-cycle fp-operation latency”: Results available after 4 cycles. Can substitute subtraction for addition. I’ll count subtractions as additions.

  12. number 2 2^53 . and number to number, fp_53 . even. 8675309; 8675309) = 2^127; 8675309) = 2^127.
     Typical CPU: UltraSPARC III. Every cycle, UltraSPARC III can do one fp multiplication fp_53( ) and one fp addition fp_53( + ), subject to limits on . “4-cycle fp-operation latency”: Results available after 4 cycles. Can substitute subtraction for addition. I’ll count subtractions as additions.
     Some variation among PowerPC RS64 IV: or one multiplication “fused” fp Results available after Athlon: fp_64 instead one multiplication Results available after I’ll focus on UltraSP Not the most impo but it’s a good warmup.

  13. Typical CPU: UltraSPARC III. Every cycle, UltraSPARC III can do one fp multiplication fp_53( ) and one fp addition fp_53( + ), subject to limits on . “4-cycle fp-operation latency”: Results available after 4 cycles. Can substitute subtraction for addition. I’ll count subtractions as additions.
     Some variation among CPUs. PowerPC RS64 IV: One addition or one multiplication or one “fused” fp_53( + ). Results available after 4 cycles. Athlon: fp_64 instead of fp_53; one multiplication and one addition. Results available after 4 cycles. I’ll focus on UltraSPARC III. Not the most important CPU, but it’s a good warmup.
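
The rounding rule from the "53-bit fp number" slide and the "high precision from fp sums" line, as an added Python example that is not code from the talk: `fp53` rounds an exact value to 53 significant bits with halves going to even, and `fast_two_sum` recovers the part an fp addition rounds away. The function names, the unbounded exponent, the subtraction input and the 2^53 tie cases are assumptions of this example; 8675309 and 2^127 are the values used on the slides.

```python
from fractions import Fraction

def fp53(z):
    """Closest 53-bit fp number to the exact value z, halves rounded to even.

    Assumes the usual meaning of "53-bit fp number": an integer of at most
    53 bits times a power of 2. The exponent is unbounded here, unlike a
    hardware double.
    """
    z = Fraction(z)
    if z == 0:
        return z
    sign, a = (-1, -z) if z < 0 else (1, z)
    # Choose the power of 2 so that 2^52 <= a / scale < 2^53.
    e = a.numerator.bit_length() - a.denominator.bit_length() - 53
    scale = Fraction(2) ** e
    while a / scale >= 2**53:
        scale *= 2
    while a / scale < 2**52:
        scale /= 2
    # round() on a Fraction rounds halves to the even integer.
    return sign * round(a / scale) * scale

def fast_two_sum(a, b):
    """For doubles with |a| >= |b|: return (s, err) where s is the rounded
    sum and s + err equals a + b exactly (Dekker-style fast two-sum)."""
    s = a + b
    err = b - (s - a)
    return s, err

def split_sum(a, b):
    """Exact a + b as a pair of integers (rounded part, recovered error).
    Both inputs must be integers that a double represents exactly."""
    s, err = fast_two_sum(float(a), float(b))
    return int(s), int(err)

if __name__ == "__main__":
    # Constructed inputs: the slide values plus two exact halfway cases.
    for n in (8675309, 2**127 + 8675309, 2**127 - 8675309, 2**53 + 1, 2**53 + 3):
        print(n, "->", fp53(n), "| matches float():", fp53(n) == int(float(n)))
    print(split_sum(2**127, 8675309))
```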
