lightweight coprocessor for koblitz curves 283 bit ecc
play

Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including - PowerPoint PPT Presentation

Jul 13, 2023 •149 likes •691 views

Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates S. Sinha Roy, K. Jrvinen , I. Verbauwhede KU Leuven ESAT/COSIC Leuven, Belgium K. Jrvinen, CHES 2015, Sept. 14, 2015 Introduction

  1. Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates S. Sinha Roy, K. Järvinen , I. Verbauwhede KU Leuven ESAT/COSIC Leuven, Belgium K. Järvinen, CHES 2015, Sept. 14, 2015

  2. Introduction 2/17 We present a lightweight coprocessor for the 283-bit Koblitz curve The first lightweight implementation of a high security curve The first to include on-the-fly lightweight conversion One of the smallest ECC coprocessors A large set of side-channel countermeasures K. Järvinen, CHES 2015, Sept. 14, 2015

  3. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM K. Järvinen, CHES 2015, Sept. 14, 2015

  4. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM ECC RAM K. Järvinen, CHES 2015, Sept. 14, 2015

  5. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM k, P ECC RAM Q intermediate values K. Järvinen, CHES 2015, Sept. 14, 2015

  6. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM ECC K. Järvinen, CHES 2015, Sept. 14, 2015

  7. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM k , P ECC K. Järvinen, CHES 2015, Sept. 14, 2015

  8. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM intermediate values ECC K. Järvinen, CHES 2015, Sept. 14, 2015

  9. High-level Architecture 3/17 Point multiplication Q = kP : CPU RAM Q ECC K. Järvinen, CHES 2015, Sept. 14, 2015

  10. Koblitz Curves 4/17 Binary curves which are included in many standards (e.g., NIST) Example (Point multiplication Q = kP ) · · · add dbl dbl add dbl add dbl dbl add dbl add K. Järvinen, CHES 2015, Sept. 14, 2015

  11. Koblitz Curves 4/17 Binary curves which are included in many standards (e.g., NIST) Point doublings can be replaced with cheap Frobenius maps: φ : ( x, y ) �→ ( x 2 , y 2 ) Example (Point multiplication Q = kP ) · · · add dbl dbl add dbl add dbl dbl add dbl add · · · add add add add K. Järvinen, CHES 2015, Sept. 14, 2015

  12. Koblitz Curves 4/17 Binary curves which are included in many standards (e.g., NIST) Point doublings can be replaced with cheap Frobenius maps: φ : ( x, y ) �→ ( x 2 , y 2 ) . . . but first the integer k needs to be converted to a τ -adic i =0 k i τ i where τ = ( µ + √− 7) / 2 ∈ C expansion k = � ℓ − 1 Example (Point multiplication Q = kP ) · · · add dbl dbl add dbl add dbl dbl add dbl add · · · conversion add add add add K. Järvinen, CHES 2015, Sept. 14, 2015

  13. Koblitz Curves 4/17 Binary curves which are included in many standards (e.g., NIST) Point doublings can be replaced with cheap Frobenius maps: φ : ( x, y ) �→ ( x 2 , y 2 ) . . . but first the integer k needs to be converted to a τ -adic i =0 k i τ i where τ = ( µ + √− 7) / 2 ∈ C expansion k = � ℓ − 1 Example (Point multiplication Q = kP ) · · · add dbl dbl add dbl add dbl dbl add dbl add · · · conversion add add add add F 2 m Z K. Järvinen, CHES 2015, Sept. 14, 2015

  14. Secure Lightweight Conversion K. Järvinen, CHES 2015, Sept. 14, 2015

  15. Conversions Algorithms 6/17 Our conversion algorithms are based on: (1) the lazy reduction by Brumley and Järvinen (2) the zero-free expansion by Okeya, Takagi, and Vuillaume K. Järvinen, CHES 2015, Sept. 14, 2015

  16. Conversions Algorithms 6/17 Our conversion algorithms are based on: (1) the lazy reduction by Brumley and Järvinen (2) the zero-free expansion by Okeya, Takagi, and Vuillaume ⇒ Only (multiprecision) additions and subtractions (1): Integer k to ρ = b 0 + b 1 τ (2): ρ to τ -adic exp. ( a 0 , a 1 ) ← (1 , 0) , ( b 0 , b 1 ) ← (0 , 0) , i ← 0 ( d 0 , d 1 ) ← ( k, 0) while | b 0 | � = 1 or b 1 � = 0 do for i = 0 to m − 1 do u ← Ψ( b 0 + b 1 τ ) u ← d 0 mod 2 b 0 ← b 0 − u d 0 ← d 0 − u ( b 0 , b 1 ) ← ( b 1 − b 0 / 2 , − b 0 / 2) ( b 0 , b 1 ) ← ( b 0 + u · a 0 , b 1 + u · a 1 ) t i ← u ( d 0 , d 1 ) ← ( d 1 − d 0 / 2 , − d 0 / 2) i ← i + 1 ( a 0 , a 1 ) ← ( − 2 a 1 , a 0 − a 1 ) t i ← b 0 ρ = ( b 0 , b 1 ) ← ( b 0 + d 0 , b 1 + d 1 ) K. Järvinen, CHES 2015, Sept. 14, 2015

  17. Modifications for Efficiency and Improved Security 7/17 m a m ± c m b K. Järvinen, CHES 2015, Sept. 14, 2015

  18. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  19. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  20. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  21. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  22. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  23. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  24. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b K. Järvinen, CHES 2015, Sept. 14, 2015

  25. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b Negations (e.g., − d 0 / 2 ) take about 1/3 of cycles 1 K. Järvinen, CHES 2015, Sept. 14, 2015

  26. Modifications for Efficiency and Improved Security 7/17 16 a 16 ± c 16 b Negations (e.g., − d 0 / 2 ) take about 1/3 of cycles 1 ⇒ We use the modification ( d 0 / 2 − d 1 , d 0 / 2) instead of ( d 1 − d 0 / 2 , − d 0 / 2) ⇒ The signs will be incorrect but can be corrected K. Järvinen, CHES 2015, Sept. 14, 2015

  27. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 K. Järvinen, CHES 2015, Sept. 14, 2015

  28. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 u = 1 ⇒ b 0 + a 0 and b 1 + a 1 u = 0 ⇒ do nothing K. Järvinen, CHES 2015, Sept. 14, 2015

  29. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 u = 1 ⇒ b 0 + a 0 and b 1 + a 1 u = 0 ⇒ do nothing Bad SPA leakage! K. Järvinen, CHES 2015, Sept. 14, 2015

  30. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 u = 1 ⇒ b 0 + a 0 and b 1 + a 1 u = 0 ⇒ do nothing Bad SPA leakage! We select u ∈ {− 1 , 1 } by using Ψ( d 0 + d 1 τ ) 2 K. Järvinen, CHES 2015, Sept. 14, 2015

  31. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 u = 1 ⇒ b 0 + a 0 and b 1 + a 1 u = 0 ⇒ do nothing Bad SPA leakage! We select u ∈ {− 1 , 1 } by using Ψ( d 0 + d 1 τ ) 2 u = +1 ⇒ b 0 + a 0 and b 1 + a 1 u = − 1 ⇒ b 0 − a 0 and b 1 − a 1 K. Järvinen, CHES 2015, Sept. 14, 2015

  32. Modifications for Efficiency and Improved Security (cont.) 8/17 b i + u · a i , where u = d 0 mod 2 ∈ { 0 , 1 } d 0 u = 1 ⇒ b 0 + a 0 and b 1 + a 1 u = 0 ⇒ do nothing Bad SPA leakage! We select u ∈ {− 1 , 1 } by using Ψ( d 0 + d 1 τ ) 2 u = +1 ⇒ b 0 + a 0 and b 1 + a 1 u = − 1 ⇒ b 0 − a 0 and b 1 − a 1 Similar operations ⇒ Improved SPA resistance! K. Järvinen, CHES 2015, Sept. 14, 2015

  33. Point Multiplication K. Järvinen, CHES 2015, Sept. 14, 2015

  34. Point Multiplication with Zero-free Expansions 10/17 Zero-free τ -adic expansion [Okeya et al, 2005] A τ -adic representation that represents k with k i ∈ {− 1 , 1 } Example 1¯ 1¯ 11111¯ 1111¯ 1¯ 1¯ 1 . . . 1¯ 111 K. Järvinen, CHES 2015, Sept. 14, 2015

  35. Point Multiplication with Zero-free Expansions 10/17 Zero-free τ -adic expansion [Okeya et al, 2005] A τ -adic representation that represents k with k i ∈ {− 1 , 1 } Combined with w -bit windows and precomputations ⇒ Fast point multiplication of only ℓ/w point additions ⇒ Constant pattern of point operations Example w = 2 : 1¯ 1¯ 11111¯ 1111¯ 1¯ 1¯ 1 . . . 1¯ P +1 = φ ( P ) + P 111 P − 1 = φ ( P ) − P K. Järvinen, CHES 2015, Sept. 14, 2015

  36. Point Multiplication with Zero-free Expansions 10/17 Zero-free τ -adic expansion [Okeya et al, 2005] A τ -adic representation that represents k with k i ∈ {− 1 , 1 } Combined with w -bit windows and precomputations ⇒ Fast point multiplication of only ℓ/w point additions ⇒ Constant pattern of point operations Example w = 2 : 1¯ 1¯ 11111¯ 1111¯ 1¯ 1¯ 1 . . . 1¯ P +1 = φ ( P ) + P 111 P − 1 = φ ( P ) − P + P − 1 K. Järvinen, CHES 2015, Sept. 14, 2015

  37. Point Multiplication with Zero-free Expansions 10/17 Zero-free τ -adic expansion [Okeya et al, 2005] A τ -adic representation that represents k with k i ∈ {− 1 , 1 } Combined with w -bit windows and precomputations ⇒ Fast point multiplication of only ℓ/w point additions ⇒ Constant pattern of point operations Example φ 2 w = 2 : 1¯ 1¯ 11111¯ 1111¯ 1¯ 1¯ 1 . . . 1¯ P +1 = φ ( P ) + P 111 P − 1 = φ ( P ) − P + P − 1 K. Järvinen, CHES 2015, Sept. 14, 2015

Recommend

FPGA Design of Self-certified Signature Verification on Koblitz Curves Kimmo J Jorma Skytt

FPGA Design of Self-certified Signature Verification on Koblitz Curves Kimmo J Jorma Skytt

Preliminaries Algorithms and Implementation Results and Discussion FPGA Design of Self-certified Signature Verification on Koblitz Curves Kimmo J Jorma Skytt arvinen Juha Forsten a Helsinki University of Technology Signal Processing

478 views • 44 slides
High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma

Preliminaries FPGA Implementation Results, Comparisons and Conclusions High-Speed Elliptic Curve Cryptography Accelerator for Koblitz Curves Kimmo J arvinen Jorma Skytt a Helsinki University of Technology Department of Signal

528 views • 36 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Floating Point Coprocessor Instructions Systems Design & Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design & Programming CMPE 310 Coprocessor

Floating Point Coprocessor Instructions Systems Design & Programming CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcenden- tal functions and logarithms. Data types

361 views • 12 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Mar. 1, 2002) I E S R C E O

Systems Design & Programming Coprocessor CMPE 310 Coprocessor Basics The 80x87 is able to multiply, divide, add, subtract, find the sqrt and calculate transcendental functions and logarithms. Data types include 16-, 32- and 64-bit signed

441 views • 12 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) - coprocessor 0 (kernel use, exception handing) February 17, 2016 lecture 12 MIPS assembly language 5 - coprocessor 1 (floating point unit FPU) -

344 views • 5 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2013 Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd edition 2 Curves 3 Parametric Curves parametric form

615 views • 32 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves Physical tools, used to model curves French Curves Smoothly connect pre-determined curve points French Curves French Curves Digital French

845 views • 42 slides
parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape modeling (3D) different representation implicit curves parametric curves (mostly used) 2D and 3D curves are mostly the same use vector notation

724 views • 35 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides
BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of curves Interpolating Hermite Bezier B-spline Quadratic Bezier Curves Cubic Bezier Curves 2 ESCAPING FLATLAND

991 views • 38 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject

Evaluation of Classifiers Evaluation of Classifiers ROC Curves ROC Curves Reject Curves Reject Curves Precision- -Recall Curves Recall Curves Precision Statistical Tests Statistical Tests Estimating the error rate of a classifier

565 views • 32 slides
Programming the Adapteva Epiphany 64-core Network-on-chip Coprocessor Anish Varghese, Robert

Programming the Adapteva Epiphany 64-core Network-on-chip Coprocessor Anish Varghese, Robert

Introduction Architecture Performance Experiments Heat Stencil Conclusions Programming the Adapteva Epiphany 64-core Network-on-chip Coprocessor Anish Varghese, Robert Edwards, Gaurav Mitra and Alistair Rendell Research School of Computer

514 views • 27 slides
The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve Weingart Senior Engineer (561) 392 6100 c1shw@us.ibm.com Secure Systems and Smart Cards IBM T.J. Watson Research Center Hawthorne, NY 4758 PCI

386 views • 11 slides
DYNAMIC PRECISION NUMERICS USING A VARIABLE-PRECISION UNUM TYPE I HW COPROCESSOR ARITH26 |

DYNAMIC PRECISION NUMERICS USING A VARIABLE-PRECISION UNUM TYPE I HW COPROCESSOR ARITH26 |

DYNAMIC PRECISION NUMERICS USING A VARIABLE-PRECISION UNUM TYPE I HW COPROCESSOR ARITH26 | BOCCO Andrea | 11 June 2019 INTRODUCTION: STATE OF THE ART Variable Precision (VP) computing has been investigated to improve convergence of

476 views • 20 slides

More recommend