
UNIVERSITY OF CALGARY Fast Algorithms for Arithmetic on Elliptic Curves over Prime Fields by ... PDF

232 Pages·2007·0.71 MB·English

UNIVERSITY OF CALGARY

Fast Algorithms for Arithmetic on Elliptic Curves over Prime Fields

by Nicholas T. Sullivan

A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE CROSS-DISCIPLINARY DEGREE OF MASTER OF SCIENCE

DEPARTMENT OF MATHEMATICS AND STATISTICS and DEPARTMENT OF COMPUTER SCIENCE

CALGARY, ALBERTA
January, 2007

© Nicholas T. Sullivan 2007

THE UNIVERSITY OF CALGARY
FACULTY OF GRADUATE STUDIES

The undersigned certify that they have read, and recommend to the Faculty of Graduate Studies for acceptance, a thesis entitled "Fast Algorithms for Arithmetic on Elliptic Curves over Prime Fields" submitted by Nicholas T. Sullivan in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE.

Supervisor, Dr. R. Scheidler, Department of Mathematics and Statistics
Co-supervisor, Dr. M. J. Jacobson, Department of Computer Science
Dr. M. Bauer, Department of Mathematics and Statistics
Dr. J. Aycock, Department of Computer Science
Dr. A. O. Fapojuwo, Department of Electrical and Computer Engineering

Date

Abstract

We present here a thorough discussion of the problem of fast arithmetic on elliptic curves over prime order finite fields. Since elliptic curves were independently proposed as a setting for cryptography by Koblitz [53] and Miller [67], the group of points on an elliptic curve has been widely used for discrete logarithm based cryptosystems. In this thesis, we survey, analyse and compare the fastest known serial and parallel algorithms for elliptic curve scalar multiplication, the primary operation in discrete logarithm based cryptosystems. We also introduce some new algorithms for the basic group operation and several new parallel scalar multiplication algorithms. We present a mathematical basis for comparing the various algorithms and make recommendations for the fastest algorithms to use in different circumstances.

Acknowledgements

I would like to thank my supervisors, Drs. Renate Scheidler and Michael J. Jacobson, who have done more for me than I could have asked for. I would also like to acknowledge the glorious invention of cheese and all the mammals that help make dairy possible. Oh, and Dave Lowry, the music of Pirates are Pussies, the city of Toronto, the city of Calgary, Tubby Dog, the Ship and Anchor, The Bakery/Old School, Francine and $, the Cynar club, the discrete math seminar, toques, the town of Laramie, the purple Intrepid, the other purple Intrepid, Gull Lake Summer Village, Michael Scott, Arby's customers, Ralph Bucks, the laziness-enabling number 3 bus, Spilker'n'co., Edward Luistro and his neverending quest, CPU's pizza, midnight Chinese buffets, Richard Guy, Pieter and his beard, a ghost, Redmonton and its artery the Albertabahn, Mike Vernon, everybody whose birthday or name I've ever forgotten, various belt buckles, Google the noun, Google the verb, pint day, the chemical properties of water, Alan the LaTeX guru, Carolyn, Tom, Grace, Gramps, moonlighting, beauty and other abstract ideas, authors everywhere and most especially of all, you.

Table of Contents

Approval Page  ii
Abstract  iii
Acknowledgements  iv
Table of Contents  v
List of Tables  x
List of Figures and Illustrations  xi
List of Algorithms  xii

1 Introduction  1
  1.1 Contributions of the Thesis  4
    1.1.1 Methodology  6
    1.1.2 Thesis Outline  7

2 Elliptic Curve Basics  10
  2.1 Elliptic Curves  12
    2.1.1 Weierstraß Equation  12
    2.1.2 Simplified Weierstraß Equations  14
    2.1.3 Alternative Models  17
  2.2 Coordinate Systems  18
    2.2.1 Projective Coordinates  18
    2.2.2 Generalized Projective Coordinates  22
  2.3 The Group of Points  25
    2.3.1 The Group Law  26
    2.3.2 Scalar Multiplication  31
    2.3.3 Custom Group Law Formulas  31
    2.3.4 Group of Points Over F_q  33
    2.3.5 Basic Group Properties  34
  2.4 Optimizing Formulas for Prime Curve Arithmetic  35
    2.4.1 Affine Operations  37
    2.4.2 Projective Operations  39
    2.4.3 Mixed Coordinate Operations  44
    2.4.4 Specialized Formulas  50

3 Elliptic Curve Scalar Multiplication  55
  3.1 Conventions  56
  3.2 Unknown Point Scalar Multiplication  59
    3.2.1 Binary Method  59
    3.2.2 Binary NAF  63
    3.2.3 Window NAF  67
    3.2.4 Sliding Window  74
    3.2.5 Fractional Window  78
    3.2.6 Double-Base Representation  84
    3.2.7 Summary  90
  3.3 Known Point Scalar Multiplication  92
    3.3.1 Fixed-Base Windowing  92
    3.3.2 Fixed-Base Comb  96
  3.4 Known Multiplier Scalar Multiplication  98
    3.4.1 Addition Chains  98

4 Parallel Scalar Multiplication Methods  104
  4.1 Computing Model  105
  4.2 Parallel Precomputation  107
  4.3 Parallel Unknown Point Scalar Multiplication  111
    4.3.1 pth Order Binary  112
    4.3.2 Right-to-Left Parallel  116
    4.3.3 Right-to-Left Parallel With Hedging  119
    4.3.4 Two-Processor Right-to-Left  122
    4.3.5 Two-Processor Window Right-to-Left  125
    4.3.6 Left-to-Right Parallel  128
    4.3.7 Left-to-Right (3 Processors)  129
    4.3.8 Two-Processor Left-to-Right Parallel with Precomputation  132
    4.3.9 Parallel Double-Base Representation  136
    4.3.10 Parallel Montgomery Ladder  139
    4.3.11 Summary  143

5 Conclusion  150
  5.1 Further Work  152
    5.1.1 Simultaneous Multiplication  152
    5.1.2 Side Channel Attacks  155
    5.1.3 Binary Curves  158
    5.1.4 Parallelization  159

Bibliography  161

A Finite Fields  174
  A.1 Introduction  174
  A.2 Finite Field Basics  176
  A.3 Prime Fields  179
    A.3.1 Addition  181
    A.3.2 Multiplication  182
    A.3.3 Modular Reduction  189
    A.3.4 Inversion  194
  A.4 Complexity Summary  198

B Algorithm Costs  200

List of Tables

2.1 Field Cost of Mixed Addition and Doubling  48
2.2 Field Cost of Special Operations  54
3.1 Binary Method Average Cost  63
3.2 Binary NAF Method Average Cost  67
3.3 Window NAF Method Average Cost (d = 192)  73
3.4 Window NAF Method Average Cost (d = 521)  73
3.5 Sliding Window Method Average Cost (d = 192)  78
3.6 Sliding Window Method Average Cost (d = 521)  78
3.7 Fractional Window Method Average Cost (d = 192)  83
3.8 Fractional Window Method Average Cost (d = 521)  83
3.9 Results of Greedy Algorithm on 2500 Integers  87
3.10 Double-Base Chain Average Cost  89
3.11 Scalar Multiplication (P192)  90
3.12 Low Storage Scalar Multiplication Comparison  91
3.13 Fixed-Base Window Average Cost (d = 192)  95
3.14 Fixed-Base Comb Average Cost (d = 192)  98
4.1 pth Order Binary Method Average Cost (d = 192)  116
4.2 Right-to-Left Parallel Method Average Cost (d = 192)  118
4.3 Right-to-Left Parallel Method Average Cost (8 Processors)  122
4.4 Two-Processor Right-to-Left Average Cost  124
4.5 Right-to-Left Windowing Method Average Cost (d = 192)  127
4.6 Left-to-Right (3 Processors) Average Cost (d = 192)  131
4.7 Largest Values of w for a given v, d  134
4.8 Left-to-Right (2 Processors) Average Cost  136
4.9 Double-Base n-Chain Average Cost (d = 192)  139
4.10 Parallel Montgomery Ladder Average Cost  143
4.11 Parallel Scalar Multiplication (P192)  144
4.12 Parallel Scalar Multiplication (P521)  145
4.13 Scalar Multiplication Speedup (P192)  146
4.14 Scalar Multiplication Speedup (P521)  147
A.1 Estimated Time of Prime Field Operations (in µs)  199
B.1 Window NAF Method Average Cost (d = 224)  200
B.2 Window NAF Method Average Cost (d = 256)  201
B.3 Window NAF Method Average Cost (d = 384)  201
B.4 Sliding Window Method Average Cost (d = 224)  202
B.5 Sliding Window Method Average Cost (d = 256)  202
B.6 Sliding Window Method Average Cost (d = 384)  203
B.7 Fractional Window Method Average Cost (d = 224)  203
B.8 Fractional Window Method Average Cost (d = 256)  203
B.9 Fractional Window Method Average Cost (d = 384)  204
B.10 Scalar Multiplication (P224)  204
B.11 Scalar Multiplication (P256)  205
B.12 Scalar Multiplication (P384)  205
B.13 Scalar Multiplication (P521)  205
B.14 Fixed-Base Window Average Cost (d = 224)  206
B.15 Fixed-Base Window Average Cost (d = 256)  206
B.16 Fixed-Base Window Average Cost (d = 384)  206
B.17 Fixed-Base Window Average Cost (d = 521)  207
B.18 Fixed-Base Comb Average Cost (d = 224)  207
B.19 Fixed-Base Comb Average Cost (d = 256)  208
B.20 Fixed-Base Comb Average Cost (d = 384)  208
B.21 Fixed-Base Comb Average Cost (d = 521)  208
B.22 pth Order Binary Method Average Cost (d = 224)  209
B.23 pth Order Binary Method Average Cost (d = 256)  209
B.24 pth Order Binary Method Average Cost (d = 384)  209
B.25 pth Order Binary Method Average Cost (d = 521)  210
B.26 Right-to-Left Parallel Method Average Cost (d = 224)  210
B.27 Right-to-Left Parallel Method Average Cost (d = 256)  210
B.28 Right-to-Left Parallel Method Average Cost (d = 384)  211
B.29 Right-to-Left Parallel Method Average Cost (d = 521)  211
B.30 Right-to-Left Windowing Method Average Cost (d = 224)  212
B.31 Right-to-Left Windowing Method Average Cost (d = 256)  212
B.32 Right-to-Left Windowing Method Average Cost (d = 384)  212
B.33 Right-to-Left Windowing Method Average Cost (d = 521)  213
B.34 Left-to-Right (3 Processors) Average Cost (d = 224)  213
B.35 Left-to-Right (3 Processors) Average Cost (d = 256)  213
B.36 Left-to-Right (3 Processors) Average Cost (d = 384)  214
B.37 Left-to-Right (3 Processors) Average Cost (d = 521)  214
B.38 Double-Base n-Chain Average Cost (d = 224)  215
B.39 Double-Base n-Chain Average Cost (d = 256)  215
B.40 Double-Base n-Chain Average Cost (d = 384)  216
B.41 Double-Base n-Chain Average Cost (d = 521)  216
B.42 Parallel Scalar Multiplication (P224)  217
B.43 Parallel Scalar Multiplication (P256)  218
B.44 Parallel Scalar Multiplication (P384)  219
