Use of Residue Number System for ECC Residue Number System

Use of Residue Number System for ECC Residue Number System

RNS for ECC Karim Bigou Elliptic Curves Use of Residue Number System for ECC Residue Number System Modular Arithmetic Karim Bigou with RNS Current Work INRIA DGA IRISA CAIRN References Journ´eesC2 2012: 8 au 12 octobre 1/17 RNS for ECC Karim Bigou Context and Objectives Elliptic Curves Residue Number System • Elliptic Curve Cryptography (ECC) over Fp Modular Arithmetic with RNS • Residue Number System (RNS) −! high performances Current Work References • Efficient implementation by N. Guillermin in [2] on FPGA • My Ph. D. objectives • Speed (parallelism) • Protections against some side-channel attacks (randomization) 2/17 RNS for ECC Karim Bigou Elliptic Curve Cryptography Elliptic Curves • Elliptic curve E over Fp (p prime, 160-500 bits) : Residue Number 2 3 System y = x + a x + b Modular Arithmetic 3 2 with RNS with −16(4a + 27b ) 6= 0 mod p Current Work References 2 3 Figure: y = x + 4x + 20 over F1009 3/17 RNS for ECC Karim Bigou • A group law + is defined over E: the chord-and-tangent Elliptic Curves rule Residue Number System Modular • Scalar multiplication: [k]P = P + P + ::: + P Arithmetic | {z } with RNS k times Current Work References • Knowing P and [k]P, k cannot be recovered (ECDLP) • [k]P must be fast and robust • Required many operations at field level: +; −; × and inversions 4/17 −!x : 20 { 40 mod m1 mod m2 mod m3 mod mn ··· + − × = + − × = + − × = + − × = • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) • Carry-free between blocks • Fast Parallel Addition, Substraction, Multiplication and Exact Division • Non-positional System • Comparison, Modular Reduction, Division are hard RNS for ECC Karim Bigou Residue Number System x : 160 { 521 Elliptic Curves Residue Number System Modular Arithmetic with RNS Current Work References 5/17 x : 160 { 521 • Carry-free between blocks • Fast Parallel Addition, Substraction, Multiplication and Exact Division • Non-positional System • Comparison, Modular Reduction, Division are hard RNS for ECC Karim Bigou Residue Number System −! 20 { 40 Elliptic Curves x : Residue Number System mod m1 mod m2 mod m3 mod mn ··· Modular + − × = + − × = + − × = + − × = Arithmetic with RNS Current Work References • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) 5/17 x : 160 { 521 • Fast Parallel Addition, Substraction, Multiplication and Exact Division • Non-positional System • Comparison, Modular Reduction, Division are hard RNS for ECC Karim Bigou Residue Number System −! 20 { 40 Elliptic Curves x : Residue Number System mod m1 mod m2 mod m3 mod mn ··· Modular + − × = + − × = + − × = + − × = Arithmetic with RNS Current Work References • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) • Carry-free between blocks 5/17 x : 160 { 521 • Non-positional System • Comparison, Modular Reduction, Division are hard RNS for ECC Karim Bigou Residue Number System −! 20 { 40 Elliptic Curves x : Residue Number System mod m1 mod m2 mod m3 mod mn ··· Modular + − × = + − × = + − × = + − × = Arithmetic with RNS Current Work References • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) • Carry-free between blocks • Fast Parallel Addition, Substraction, Multiplication and Exact Division 5/17 x : 160 { 521 • Comparison, Modular Reduction, Division are hard RNS for ECC Karim Bigou Residue Number System −! 20 { 40 Elliptic Curves x : Residue Number System mod m1 mod m2 mod m3 mod mn ··· Modular + − × = + − × = + − × = + − × = Arithmetic with RNS Current Work References • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) • Carry-free between blocks • Fast Parallel Addition, Substraction, Multiplication and Exact Division • Non-positional System 5/17 x : 160 { 521 RNS for ECC Karim Bigou Residue Number System −! 20 { 40 Elliptic Curves x : Residue Number System mod m1 mod m2 mod m3 mod mn ··· Modular + − × = + − × = + − × = + − × = Arithmetic with RNS Current Work References • RNS Base: (m1;:::; mn) co-primes Qn −! • If 0 6 x < i=1 mi then x is determined by −! x = (x1;:::; xn) = (x mod m1;:::; x mod mn) • Carry-free between blocks • Fast Parallel Addition, Substraction, Multiplication and Exact Division • Non-positional System • Comparison, Modular Reduction, Division are hard 5/17 RNS for ECC Karim Bigou Base Extension Elliptic Curves • Idea for modular reduction: add redundancy using 2 bases Residue Number System 0 0 0 Modular • B = (m1;:::; mn) and B = (m1;:::; mn) are coprime Arithmetic with RNS RNS bases Current Work −! −! References • x is x in B and x 0 in B0 • The base extension (BE) is defined by: BE(−!x ; B; B0) = −!x 0 • Some operations become possible after a base extension Qn 0 • M = i=1 mi is invertible in B • Exact Division by M can be done easily 6/17 RNS for ECC Karim Bigou Kawamura's Base Extension [4] Elliptic Curves It is based on the chinese remainder theorem (CRT) : Residue Number n System X −1 x = x mod M = jxi · M jm · Mi Modular i i Arithmetic i=1 M with RNS Current Work n X −1 References jxj 0 = jxi · M jm · Mi − k · M mi i i i=1 0 mi Qn M where M = mi , Mi = and k < n. i=1 mi • Sum done over each channel of B0 • Operation cost is n2 word multiplications −1 • Precomputations are needed (jM jm , jMi j 0 , jMj 0 ) i i mi mi 7/17 RNS for ECC Karim Bigou Kawamura's base extension [4] Elliptic Curves n Residue x jx · M−1j Number X i i mi System + k = M mi Modular i=1 Arithmetic with RNS $ n % $ n % Current Work −1 −1 X jxi · Mi jmi X trunc(jxi · Mi jmi ) References k = = α + r mi 2 i=1 i=1 r • mi pseudo-Mersenne number mi = 2 − "i • trunc(y) sets the r − t last bits of y to 0 • α is a correction term • a simple accumulator can be used in parallel 8/17 RNS for ECC Karim Bigou Montgomery Modular Reduction Elliptic Curves Algorithm 1: Montgomery Reduction [5] Residue 2 Number Data: x < 4 p and p < R with gcd(p; R) = 1 System Result: MM(x,p) = ! ≡ x · R−1 mod p, 0 ! < 2p Modular 6 Arithmetic begin with RNS q − (x · (−p−1)) mod R Current Work s − x + q · p References ! − s · R−1 • Classical case: R = 2w to have easy division and modular reduction • Introduce Montgomery representation • RNS: easy reduction modulo M but division impossible in B 9/17 RNS for ECC Karim Bigou Modular Reduction in RNS Elliptic Curves Residue Number Algorithm 2: RNS Montgomery Reduction [1] System Data: −!x , −!x 0 with x < αp2 Modular 0 Arithmetic Data: M > αp and M > 2 · p with RNS Result: RNSMM(x, p, B, B0) = −!! ≡ x · M−1 mod p in both Current Work References bases, 0 6 ! < 2p begin −!q − −!x · (−−!p −1) in base B and B0 −!q 0 − BE(−!q ; B; B0) −!s 0 − −!x 0 + −!q 0−!p 0 in base B0 −! −!! 0 − −!s 0 × M −1 in base B0 −!! 0 − BE(−!!; B0; B) 10/17 RNS for ECC Karim Bigou Costs for RNS Modular Operations Elliptic Curves a; b; p : n words of w bits Residue Number System Operation RNS Standard Modular Arithmetic 2 with RNS ab 2 n mult. n mult. Current Work a mod p 2 n2 + 3 n mult. n2 + n mult. References ab mod p 2 n2 + 5n mult. 2 n2 + n mult. (ab + cd) mod p 2 n2 + 7 n mult. 3 n2 + n mult. Pk 2 2 i=1 ai bi mod p 2 n + (3 + 2k)n mult. (1 + k) n + n mult. Factor 2 in multiplication is due to the use of 2 bases for BE. This was implemented on FPGA by Guillermin [2] and is called lazy reduction. 11/17 RNS for ECC Karim Bigou Ph. D. Objectives • Elliptic Curves Improve ECC with RNS performances Residue • Modular Reduction Number • Modular Inversion System Modular Arithmetic with RNS • Introduce new protections Current Work • Use natural RNS properties against SCA References • Randomization • Use redundancy with 2 bases • Hardware implementation • Implementation of RNS arithmetic units • FPGA implementation of the new inversion • Implementation of randomization • Study costs • Speed • Area 12/17 RNS for ECC Karim Bigou Modular Inversion in RNS Elliptic Curves Residue Number System Modular • Comparison and Division hard −! Euclidean Algorithm Arithmetic with RNS hard Current Work • Binary Euclidean algorithm: needs for modulo reduction References and division by 2 • Implemented algorithm: Fermat's Little Theorem • very costly • a lot of wait cycles • Proposed solution: Adaptation of Plus-Minus algorithm 13/17 RNS for ECC Algorithm 3: Plus Minus Karim Bigou Data: a; p 2 N with gcd(a; p) = 1, k = dlog2 pe Result: PM(a,p,k) = a−1 mod p Elliptic Curves begin Residue (U1; U3) − (0; p),(V1; V3) − (1; a),α − k , β − k Number System while β > 0 do if V3 ≡ 0 mod 4 then Modular Arithmetic V3 − V3=4, V1 := divideBy4(V1; p), β = β − 2 with RNS else if V3 ≡ 0 mod 2 then Current Work V3 − V3=2, V1 := divideBy2(V1; p), β = β − 1 References else 0 0 0 0 V3 − V3, V1 − V1, α − α, β − β if U3 + V3 ≡ 0 mod 4 then V3 − (V3 + U3)=4, V1 − divideBy4(V1 + U1; p) else V3 − (V3 − U3)=4, V1 − divideBy4(V1 − U1; p) if β < α then 0 0 0 0 U3 − V3 , U1 − V1 , α − β , β − α − 1 else β − β − 1 if U1 < 0 then U1 − U1 + p if U3 = 1 then return U1 else return p − U1 14/17 RNS for ECC Algorithm 4: RNS Plus Minus −! −! Karim Bigou Data: a ; p ; p > 2 with gcd(a; p) = 1 begin −! −! −! −! −! −! −! −! −! −! −! −! −! u1 − c , u3 − p · µ + c , v1 − µ + c , v3 − a · µ + c , α = β = 0 −! −! bv1 − 1, bu1 − 0, bu3 − p mod 4, bv3 − ComputeMod4(v3 ) −! −! −! −! −! −! −! −! −! −! −! −! Elliptic Curves while v3 6= µ + c and u3 6= µ + c and v3 6= − µ + c and u3 6= − µ + c do while bv3

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    22 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us