High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves

Kimmo Järvinen, Jorma Skyttä
Helsinki University of Technology, Department of Signal Processing and Acoustics
Otakaari 5A, FIN-02150, Finland
{Kimmo.Jarvinen,Jorma.Skytta}@tkk.fi

April 14, 2008
FCCM 2008, April 14–15, 2008, Palo Alto, CA, USA

Outline

1. Preliminaries
   - Elliptic Curve Cryptography
   - Koblitz Curves
   - Window Method and Multiple Point Multiplication
2. FPGA Implementation
   - Design Specifications
   - Architecture of the Implementation
3. Results, Comparisons and Conclusions
   - Results
   - Comparisons
   - Conclusions and Future Work

Introduction to Elliptic Curve Cryptography

- Public-key cryptography method which uses a group of points on an elliptic curve, $E$, defined over a finite field, $\mathbb{F}_q$
- Faster and uses shorter keys than, e.g., RSA

Elliptic Curve Point Multiplication
- $Q = kP$, where $k$ is a positive integer and $P = (x, y)$ is a point on $E$
- Computed with point additions, $P_1 + P_2$, and point doublings, $2P_1$

Point Multiplication on Koblitz Curves

Koblitz curves
- Frobenius maps, $\phi(P_1)$, instead of point doublings ⇒ faster computation
- $k$ must be converted to τ-adic representation

Point multiplication
- Frobenius map for all bits of $k$
- Point addition if the bit is $1$, point subtraction if $\bar{1}$

Example (A = point addition, S = point subtraction)
  $1001110001001111001$: A AAA A AAAA A (10 operations)
  $10100\bar{1}000101000\bar{1}001$: A A S A A S A (7 operations)
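
The loop described above (a Frobenius map for every digit, an addition or subtraction on nonzero digits), as an added example that is not code from the presentation. It assumes a constructed toy field F_2^5 and the Koblitz curve with a = 1, uses the standard τNAF recoding without the reduction of k that a real implementation applies first, and all function names are hypothetical.

```python
# Constructed toy parameters: F_2^5 = F_2[z]/(z^5+z^2+1), curve y^2+xy = x^3+A*x^2+1.
M, POLY, A, MU = 5, 0b100101, 1, 1       # MU = (-1)^(1-A): tau^2 = MU*tau - 2

def fmul(a, b):                          # shift-and-add multiply, reduced modulo POLY
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = a << 1, b >> 1
        a ^= POLY * (a >> M)
    return r
def finv(a):                             # brute-force inverse, fine for a 32-element field
    return next(b for b in range(1, 2**M) if fmul(a, b) == 1)

def add(P, Q):                           # affine addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 ^ y2 == x1:       # Q = -P (also covers the point with x = 0)
        return None
    lam = x1 ^ fmul(y1, finv(x1)) if x1 == x2 else fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)
def frob(P):                             # Frobenius map: two field squarings, no doubling
    return None if P is None else (fmul(P[0], P[0]), fmul(P[1], P[1]))

def tnaf(k):                             # tau-adic NAF digits of k, least significant first
    r0, r1, digits = k, 0, []
    while r0 or r1:
        u = 2 - (r0 - 2 * r1) % 4 if r0 & 1 else 0
        digits.append(u)
        r0, r1 = r1 + MU * (r0 - u) // 2, -(r0 - u) // 2
    return digits

def koblitz_mul(k, P):                   # Q <- phi(Q); Q <- Q +/- P on nonzero digits
    Q, signed = None, {1: P, -1: (P[0], P[0] ^ P[1])}
    for u in reversed(tnaf(k)):
        Q = add(frob(Q), signed[u]) if u else frob(Q)
    return Q

def find_point():                        # brute-force an affine point with x != 0
    return next((x, y) for x in range(1, 2**M) for y in range(2**M) if
                fmul(y, y) ^ fmul(x, y) == fmul(x, fmul(x, x)) ^ fmul(A, fmul(x, x)) ^ 1)

def matches_repeated_addition(P, limit): # reference: kP built from k plain additions
    R, ok = None, True
    for k in range(1, limit):
        R = add(R, P)
        ok = ok and koblitz_mul(k, P) == R
    return ok
```

matches_repeated_addition(find_point(), 200) confirms that the Frobenius-based loop returns the same point as plain repeated addition for every k below 200.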

Window Method

Windowing further reduces the number of point additions

Idea of windowing
- Instead of computing AAA several times:
  - Precompute AAA
  - Use the precomputed value every time for the string $111$
- We precompute values for the strings $10\bar{1}$, $101$, and $1001$

Example: the same scalar in τNAF and in width-4 τNAF (A = point addition, S = point subtraction)
  τNAF: 9 operations
  Width-4 τNAF: 5 operations
  Precomputations: 3

Multiple Point Multiplication

Sum of $n$ point multiplications
  $Q = k^{(1)} P^{(1)} + k^{(2)} P^{(2)} + \ldots + k^{(n)} P^{(n)}$

Efficient computation with Shamir's trick
- Precompute all combinations of $P^{(1)} \ldots P^{(n)}$, e.g. $P^{(1)} + P^{(2)}$ and $P^{(1)} - P^{(2)}$
- Interpret $k^{(1)} \ldots k^{(n)}$ as an $n$-row table, e.g.
    $100100\bar{1}01001010$
    $10\bar{1}0010010100\bar{1}0$
- Frobenius map for all columns
- Point addition with precomputed point if column is nonzero

τ-adic joint sparse form (τJSF)
- τJSF maximizes the number of zero columns in the table

Algorithmic Comparison

Window method
  Input: Integer $k$, point $P$
  Output: Result point $Q = kP$
  $\langle k_{\ell-1} \ldots k_0 \rangle \leftarrow w\text{-}\tau\mathrm{NAF}(k)$
  $P_1, P_3, \ldots, P_{2^{w-1}-1} \leftarrow \mathrm{PreC}(P)$
  $Q \leftarrow \mathcal{O}$
  for $i = \ell - 1$ down to $0$ do
    $Q \leftarrow \phi(Q)$
    if $k_i \neq 0$ then
      $Q \leftarrow Q + \mathrm{sign}(k_i) P_{|k_i|}$
    end if
  end for
  $Q \leftarrow xy(Q)$

Multiple point multiplication
  Input: $n$ integers $k^{(i)}$, $n$ points $P^{(i)}$
  Output: Result point $Q = \sum_{i=1}^{n} k^{(i)} P^{(i)}$
  $\langle k_{\ell-1} \ldots k_0 \rangle \leftarrow \tau\mathrm{JSF}(k^{(1)}, \ldots, k^{(n)})$
  $P_1, P_2, \ldots, P_{(3^n-1)/2} \leftarrow \mathrm{PreC}(P^{(1)}, \ldots, P^{(n)})$
  $Q \leftarrow \mathcal{O}$
  for $i = \ell - 1$ down to $0$ do
    $Q \leftarrow \phi(Q)$
    if $k_i \neq 0$ then
      $Q \leftarrow Q + \mathrm{sign}(k_i) P_{|k_i|}$
    end if
  end for
  $Q \leftarrow xy(Q)$