
MPHELL: A fast and robust library with unified and versatile arithmetics for elliptic curves cryptography (extended version)

Titouan Coladon, Philippe Elbaz-Vincent, Cyril Hugounenq
Univ. Grenoble Alpes, Institut Fourier, Grenoble, France

To cite this version: Titouan Coladon, Philippe Elbaz-Vincent, Cyril Hugounenq. MPHELL: A fast and robust library with unified and versatile arithmetics for elliptic curves cryptography (extended version). ARITH 2021, Jun 2021, Torino, Italy. hal-03284677.
HAL Id: hal-03284677, https://hal.archives-ouvertes.fr/hal-03284677, submitted on 12 Jul 2021.

Abstract—We propose a new versatile elliptic curves cryptography library based on unified arithmetics and various low-level arithmetics with a focus on protection against simple power analysis and an abstract layer for easy customisations. The implementations are oriented toward industrial applications and embedded devices. The number arithmetic used in the library is partly inherited from GMP with several improvements using adapted Montgomery representation and windowing techniques. We also present an improved AMNS (Adapted Modular Number System) arithmetic with competitive running time. The abstraction layer allows for the integration of external arithmetics (e.g., other libraries or hardware co-processors), general number systems and randomization of arithmetics. The library has the advantage of proposing standard elliptic curves but also gives the possibility to use curves in different settings such as Weierstrass form in co-Z coordinates, Jacobi quartic or Edwards forms (as well as their associated conversion functions). It has been extensively tested on x86-64, ARM 32/64 bits and STM32 architectures and also in real-world applications. We present some comparative timings for different curves without taking into account the specificity of the curves in our library (as opposed to OpenSSL for instance).

Index Terms—elliptic curves cryptography, unified arithmetics, adapted modular number system

I. INTRODUCTION

Creating secure implementations for elliptic curves cryptography (ECC) while preserving performances is not an easy task, as shown by the attacks [1]–[4] on OpenSSL [5] and GnuPG [6]. Unified formulae for elliptic curves cryptography were introduced in the early 2000s [7]–[9] in order to prevent simple power analysis (SPA) or even differential power analysis (DPA), and have been extended to a wide family of coordinate systems [10]–[14]. Building on previous works and the need for robust implementations, we propose a new versatile ECC library, called MPHELL^1, based on unified arithmetics with a focus on protection against simple power analysis and an abstract layer for easy customisations. It has been extensively tested on x86-64, ARM 32/64 bits and STM32 architectures and also in real-world applications. Our library has the advantage of proposing standard elliptic curves (all those from [15]) but also gives the possibility to use curves in different settings such as Weierstrass form in co-Z coordinates, Jacobi quartic or Edwards forms (as well as their associated conversion functions)^2. The number arithmetic used is inherited from GMP [16] and has some improvements using Montgomery representation [17] and windowing techniques. It also has a “Modular Number System” module [18] with a focus on the “Adapted Modular Number System” (AMNS), for which we extend and improve the results of [19]. Part of the mathematics behind the elliptic curves arithmetics was described in [20]. Our contribution intends to better address the needs of a fast arithmetic library for elliptic curves with the following features:
• Secure against simple power analysis,
• Easy to customize (e.g., usable with several types of elliptic curves signatures, curves or versatile number arithmetics such as AMNS),
• Using optimized number arithmetic,
• Usable in industrial context,
• Usable on microcontrollers (e.g., STM32), ARM 32 bits and 64 bits, and x86 architectures (32 bits and 64 bits),
• Competitive against other ECC libraries.

The library has been designed with GNU/Linux systems as main targets (frequent on embedded systems) and for curves over prime fields.

This work is organized as follows: in section II, we present an improved AMNS, following the works of Didier, Dosso and Véron [19] and Dosso [21], and show optimality results for some family of elliptic curves. In section III, we detail the design of a new library, called MPHELL, for the arithmetic of elliptic curves with different types of low-level arithmetics (e.g., AMNS) and unified arithmetics for elliptic curves in order to be SPA resistant. In section IV, we give detailed timings for MPHELL on different types of architectures and compare it to common libraries. In section V we present our conclusions.

^1 https://www-fourier.univ-grenoble-alpes.fr/mphell/
^2 The formulae used are mainly available in the Elliptic Curve Formula Database http://www.hyperelliptic.org/EFD.

In the following, for a prime number $p$, we denote by $\mathbb{F}_p$ the finite field with $p$ elements (represented as $\mathbb{Z}/p\mathbb{Z}$). We will also denote by $\log$ the logarithm in base 2.

II. IMPROVING AMNS

This section proposes several improvements on the work of Didier, Dosso and Véron [19] and Dosso [21]. Let us first introduce some notations: $p$ will denote a prime number. For an arbitrary integer $n > 1$, we denote by $\mathbb{Z}[X]_n$ the set of integer polynomials of degree less than or equal to $n$. Given a polynomial $Q$ in $\mathbb{Z}[X]_n$, we denote by $\|Q\|_k$ the real $k$-norm of $\mathbb{R}^{n+1}$ restricted to $\mathbb{Z}[X]_n$ (the polynomials being seen as vectors). The positive integer $\phi$ will be either $2^{32}$ or $2^{64}$ depending on the targeted architecture (32 bits or 64 bits). Let $A \in \mathbb{Z}[X]_n$; we denote by $A \bmod (E, \phi)$ the polynomial reduction $A \bmod E$ where the coefficients of the result are computed modulo $\phi$. We note $\bar{A}$ the polynomial $A$ with its coefficients reduced modulo 2.

A. A reminder on AMNS

A Modular Number System (MNS), introduced by Bajard et al. [18], allows to represent elements of $\mathbb{F}_p$ as polynomials. Such an MNS is defined by a 4-tuple $(p, n, \gamma, \rho)$ such that for all $x \in \mathbb{F}_p$ there exists $V \in \mathbb{Z}[X]$ such that $V(\gamma) \equiv x \pmod p$ with $\deg(V) < n$ and $\|V\|_\infty < \rho$. In order to represent all the elements of $\mathbb{F}_p$, we need $p < (2\rho - 1)^n$. An Adapted Modular Number System (AMNS) is an MNS such that $\gamma^n \equiv \lambda \pmod p$ with $|\lambda| \neq 0$ “small” (often lower than 10). $\gamma$ is a root modulo $p$ of the polynomial $E = X^n - \lambda$. $E$ is called the external reduction polynomial. We use it to reduce the degree of AMNS polynomials after multiplication by replacing $X^n$ by $\lambda$ in the computation. An AMNS is defined by a 5-tuple $(p, n, \gamma, \rho, E)$. Another reduction is needed to keep polynomials of the AMNS such that $\|V\|_\infty < \rho$. We need an algorithm called "internal reduction" acting on the size of the polynomial coefficients.

out that we can improve these conditions. Set $M = m_0 + m_1 X + \dots + m_{n-1} X^{n-1}$. The accurate limit is $\|T\|_\infty \le \phi \times \alpha$ with $\alpha = |m_0| + |\lambda| \times (|m_1| + |m_2| + \dots + |m_{n-1}|)$. We remind the definition of $\omega$: $\omega = 1 + (n-1)|\lambda|$. To get $\|S\|_\infty \le \rho$ we need:

$$\frac{\omega \times (\rho - 1)^2 + \alpha \times \phi}{\phi} < \rho, \tag{1}$$
$$\frac{\omega \times (\rho - 1)^2}{\rho - \alpha} < \phi.$$

This equation gives the condition $\rho > \alpha$. In order to find a suitable $\rho$, we study the minimum of the real function $f(x) = \frac{|\omega| \times (x-1)^2}{x - \alpha}$, which is well defined and derivable on its domain $\mathbb{R} \setminus \{\alpha\}$. Its derivative is given by $f'(x) = \frac{|\omega| \times (x-1) \times (x - 2\alpha + 1)}{(x - \alpha)^2}$ and the minimum of $f$ happens when $x = 2\alpha - 1$. If $f(2\alpha - 1) < \phi$ then the internal reduction polynomial $M$ can be used to create an AMNS. In practice, because we want $\rho$ to be a power of 2, we need $f(2^{\lceil \log(2\alpha - 1) \rceil}) < \phi$. We can set $\rho = 2^{\lceil \log(2\alpha - 1) \rceil}$. This gives a smaller value for $f(\rho)$ than taking $\rho = 2^{\lceil \log(2\omega\|M\|_\infty) \rceil}$. Then, we can deduce new limits. We replace $\rho > 2\omega\|M\|_\infty$, $2\omega\rho \le \phi$ and $\|V\|_\infty \le \omega\rho^2$ from [21] by $\rho > \alpha$, $\frac{\omega \times (\rho - 1)^2}{\rho - \alpha} < \phi$ and $\|V\|_\infty \le \omega(\rho - 1)^2$. We notice that $\rho > \alpha \ge \|B\|_1 > \frac{1}{2}\|B\|_1$, with $B$ the matrix defined in [21] (Theorem 2.2). The theorem's condition is satisfied. This calculation for $\rho$ does not improve significantly the AMNS generation process, but it can help to find better AMNS in several cases. Two points have been improved:
• The limit: it is now $y = f(\rho)$ which has to be lower than $\phi = 2^{64}$, and no longer $y = 2\omega\rho$,
• The calculation of $\rho$: to get $f(\rho)$ as small as possible and keep $\rho$ as a power of 2, we use $\rho = 2^{\lceil \log(2\alpha - 1) \rceil}$ instead of $\rho = 2^{\lceil \log(2\omega\|M\|_\infty) \rceil}$.

We can see on Figure 1 below the function $f$ and its
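The following added example (not code from MPHELL or the paper) works through section II on a constructed toy AMNS: it multiplies two polynomials with external reduction by $E = X^n - \lambda$, checks that the result still represents the product in $\mathbb{F}_p$ and stays within $\omega(\rho-1)^2$, and compares the improved choice of $\rho$ and condition $f(\rho) < \phi$ with the previous $2\omega\rho \le \phi$ criterion. The parameters $p = 31$, $n = 3$, $\lambda = 2$, $\gamma = 4$ and $M = 2X^2 - 1$ are assumptions chosen for illustration only.

```python
from math import ceil, log2

# Constructed toy AMNS (not from the paper): p = 31, n = 3, lambda = 2, so E = X^3 - 2
# and gamma = 4 is a root of E modulo p (4^3 = 64 = 2 mod 31). M = 2X^2 - 1 vanishes
# at gamma modulo p (M(4) = 31) and plays the role of the internal reduction polynomial.
P, N, LAM, GAMMA = 31, 3, 2, 4
M = [-1, 0, 2]  # coefficients m0, m1, m2 of M = m0 + m1 X + m2 X^2

def mul_mod_e(a, b, n=N, lam=LAM):
    """Polynomial product followed by external reduction: X^n is replaced by lambda."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    res = prod[:n]
    for k in range(n, 2 * n - 1):  # X^(n+j) = lambda * X^j
        res[k - n] += lam * prod[k]
    return res

def evaluate(poly, x=GAMMA, p=P):
    """Field element represented by poly, i.e. poly(gamma) mod p."""
    return sum(c * pow(x, i, p) for i, c in enumerate(poly)) % p

def alpha(m=M, lam=LAM):
    """alpha = |m0| + |lambda| * (|m1| + ... + |m_{n-1}|)."""
    return abs(m[0]) + abs(lam) * sum(abs(c) for c in m[1:])

def omega(n=N, lam=LAM):
    """omega = 1 + (n - 1) * |lambda|."""
    return 1 + (n - 1) * abs(lam)

def f(x, w, a):
    """f(x) = |omega| (x - 1)^2 / (x - alpha); minimal at x = 2 alpha - 1 for x > alpha."""
    return abs(w) * (x - 1) ** 2 / (x - a)

def rho_new(a):
    """Improved choice rho = 2^ceil(log(2 alpha - 1)): first power of 2 at or above 2 alpha - 1."""
    return 1 << ceil(log2(2 * a - 1))

def rho_old(w, m):
    """Previous choice rho = 2^ceil(log(2 omega ||M||_inf))."""
    return 1 << ceil(log2(2 * w * max(abs(c) for c in m)))

def amns_ok(phi, rho, w, a):
    """Improved condition for M to yield an AMNS: rho > alpha and f(rho) < phi."""
    return rho > a and f(rho, w, a) < phi

if __name__ == "__main__":
    a, w = alpha(), omega()
    print(f"alpha={a} omega={w} rho_new={rho_new(a)} rho_old={rho_old(w, M)} "
          f"f(rho_new)={f(rho_new(a), w, a):.1f} ok={amns_ok(2**32, rho_new(a), w, a)}")
```

On this toy instance the improved rule selects $\rho = 16$ where the previous one gave $\rho = 32$, while $p < (2\rho-1)^n$ still holds.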