DOCSLIB.ORG

Four Dimensional Decompositions on a Q-Curve Over the Mersenne

Four Dimensional Decompositions on a Q-Curve Over the Mersenne

Four-dimensional decompositions on a -curve Joint work with Patrick Longa http://research.microsoft.com/pubs/246916/main.pdf “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. Some 21st century ECC milestones 2001: CM endomorphisms [GLV01] 2007: Edwards curves [Edw07,BL07] 2008: Twisted Edwards coordinates [BBJ+08,HCWD08] 2009: Frobenius endomorphisms [GLS09] 2013: Q-curve endomorphisms [Smi13] “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. Some 21st century ECC milestones 2001: CM endomorphisms [GLV01] 2007: Edwards curves [Edw07,BL07] 2008: Twisted Edwards coordinates [BBJ+08,HCWD08] 2009: Frobenius endomorphisms [GLS09] 2013: Q-curve endomorphisms [Smi13] “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…]. “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…]. #cycles(NUMS,curve25519,etc) #cycles( ) ≫ 2.5 #cycles(NIST Curvep256) #cycles( ) ≫ 4.5 “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …]. “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …]. speed 3 speed 푇3 푇1 푇푖 = 0 푖=1 simplicity 푇2 security The curve 2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime The curve 2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime • Fastest (large char) ECC addition laws are complete on 퐸 • 퐸 is a degree-2 Q-curve: endomorphism 휓 • 퐸 has CM by order of 퐷 = −40: endomorphism 휙 256 • 휓 푃 = 휆휓 푃 and 휙 푃 = 휆휙 푃 for all 푃 ∈ 퐸[푁] and 푚 ∈ [0,2 ) 푚 ↦ 푎1, 푎2, 푎3, 푎4 푚 푃 = 푎1 푃 + 푎2 휙 푃 + 푎3 휓 푃 + 푎4 휓(휙(푃)) Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent • Large MOV degree and trace of Frobenius Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent • Large MOV degree and trace of Frobenius • Yes, small discriminant (퐷 = −40), just like other standardized curves 푠푒푐푝192푘1, 푠푒푐푝224푘1, 푠푒푐푝256푘1 (Bitcoin’s curve) Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 do nothings can leak info! Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 0, 1 1, −1 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1,-1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 0, 1 1, −1 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    31 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us