Fast Scalar Multiplication On Elliptic Curves - Tanja Lange
Fast Scalar Multiplication On Elliptic Curves - Tanja Lange
Fast Scalar Multiplication On Elliptic Curves - Tanja Lange
curves
Tanja Lange
Technische Universiteit Eindhoven
[email protected]
08.05.2007
Tanja Lange Fast scalar multiplication on elliptic curves p. 1
Overview
Why scalar multiplication
Elliptic curves
Denition and group law in afne coordinates
Other coordinate systems
Comparison
Side-channel attacks
Why unied group laws?
Edwards coordinates
Comparison
Multi-scalar multiplication
Tanja Lange Fast scalar multiplication on elliptic curves p. 2
Why scalar multiplication?
Tanja Lange Fast scalar multiplication on elliptic curves p. 3
Dife-Hellman Key exchange
Alice Bob
1. secretly generates 1. secretly generates
a < [P)[ b < [P)[
2. computes Q
1
= [a]P 2. computes Q
2
= [b]P
3. transmits Q
1
3. transmits Q
2
P
P
P
P
P
P
P
P
Pq
4. computes 4. computes
[a]Q
2
= [ab]P = [b] Q
1
Common Key: the group element k = [ab]P P)
can be used in symmetric encryption.
Tanja Lange Fast scalar multiplication on elliptic curves p. 4
ElGamal encryption
Public parameters:
Group G, generator P, ord(P) = l, some invertible
embedding function H : m G.
Receiver has secret key s
A
and public key P
A
= [s
A
]P.
Encrypt message m
choose random integer k
compute R = [k]P and c = H(m) + [k]P
A
Decrypt ciphertext (R, c)
compute S = [s
A
]R
obtain m = H
1
(c S)
(This gives m since S = [s
A
]R = [ks
A
]P = [k]P
A
).
Disclaimer: this is the school-book method, do not
implement as shown.
Tanja Lange Fast scalar multiplication on elliptic curves p. 5
Elliptic curve Digital Signature Algorithm
Elliptic curve E, point P E, ord(P) = l, some
cryptographic hash function h : m ZZ. Point R has
coordinate x
R
.
Sign message m:
choose random integer k
compute R = [k]P and put r = x
R
(mod l)
put s = k
1
(h(m) +rs
A
) (mod l).
Verify signature (r, s):
compute w = s
1
(mod l)
compute Q
1
= [wr]P
A
, Q
2
= [wh(m)]P and Q = Q
1
Q
2
accept signature if and only if x
Q
r mod l.
This accepts valid signatures since
[s
1
rs
A
]P[s
1
h(m)]P = [(h(m)+rs
A
)
1
k(rs
A
+h(m))]P = [k]P.
Tanja Lange Fast scalar multiplication on elliptic curves p. 6
DL systems
These systems assume that the Discrete Logarithm
Problem (DLP) is hard to solve, i.e.
given P and P
A
= [s
A
]P
it is hard to nd s
A
.
The Computational Dife-Hellman Problem (CDHP) is the
problem
given P, P
A
= [s
A
]P, and P
B
= [s
B
]P
compute [s
A
s
B
]P.
The Decisional Dife-Hellman Problem (DDHP) is the
problem
given P, P
A
= [s
A
]P, P
B
= [s
B
]P and R = [r]P
decide whether R = [s
A
s
B
]P.
Tanja Lange Fast scalar multiplication on elliptic curves p. 7
Elliptic curves
Tanja Lange Fast scalar multiplication on elliptic curves p. 8
Elliptic curve
E : y
2
+ (a
1
x +a
3
)
. .
h(x)
y = x
3
+a
2
x
2
+a
4
x +a
6
. .
f(x)
, h, f IF
q
[x].
Group: E(IF
q
) = (x, y) IF
2
q
: y
2
+h(x)y = f(x) P
Often q = 2
r
or q = p, prime. Isomorphic transformations
lead to
y
2
= f(x) q odd,
for
y
2
+xy = x
3
+a
2
x
2
+a
6
y
2
+y = x
3
+a
4
x +a
6
q = 2
r
,
curve non-supersingular
curve supersingular
Tanja Lange Fast scalar multiplication on elliptic curves p. 9
Group Law in E(IR), h = 0
y
2
= x
3
x
P
R
Tanja Lange Fast scalar multiplication on elliptic curves p. 10
Group Law in E(IR), h = 0
y
2
= x
3
x
P
R
S
Tanja Lange Fast scalar multiplication on elliptic curves p. 10
Group Law in E(IR), h = 0
y
2
= x
3
x
P
R
S
P R
Tanja Lange Fast scalar multiplication on elliptic curves p. 10
Group Law (q odd)
E : y
2
= x
3
+a
4
x +a
6
, a
i
IF
q
P
R
S
Line y = x + has slope
=
y
R
y
P
x
R
x
P
.
Equating gives
(x +)
2
= x
3
+a
4
x +a
6
.
This equation has 3 solutions, the x-coordinates of P, R
and S, thus
(x x
P
)(x x
R
)(x x
S
) = x
3
2
x
2
+ (a
4
2)x +a
6
2
x
S
=
2
x
P
x
R
Tanja Lange Fast scalar multiplication on elliptic curves p. 11
Group Law (q odd)
E : y
2
= x
3
+a
4
x +a
6
, a
i
IF
q
P
R
S
P +R
Point P is on line, thus
y
P
= x
P
+, i.e.
= y
P
x
P
,
and
y
S
= x
S
+
= x
S
+y
P
x
P
= (x
S
x
P
) +y
P
Point P R has the same x-coordinate as S but negative
y-coordinate:
x
PR
=
2
x
P
x
R
, y
PR
= (x
P
x
PR
) y
P
Tanja Lange Fast scalar multiplication on elliptic curves p. 11
Group Law (q odd)
E : y
2
= x
3
+a
4
x +a
6
, a
i
IF
q
P
R
S
P +R
2P
2P
In general, for (x
P
, y
P
) ,= (x
R
, y
R
):
(x
P
, y
P
) (x
R
, y
R
) =
= (x
PR
, y
PR
) =
= (
2
x
P
x
R
, (x
P
x
PR
) y
P
),
where
=
_
(y
R
y
P
)/(x
R
x
P
) if x
P
,= x
R
,
(3x
2
P
+a
4
)/(2y
P
) else.
Addition and Doubling need
1 I, 2M, 1S and 1 I, 2M, 2S, respectively
Tanja Lange Fast scalar multiplication on elliptic curves p. 11
Weierstra equation
E : y
2
+ (a
1
x +a
3
)
. .
h(x)
y = x
3
+a
2
x
2
+a
4
x +a
6
. .
f(x)
, h, f IF
q
[x].
Negative of P = (x
P
, y
P
) is given by
P = (x
P
, y
P
h(x
P
)).
(x
P
, y
P
) (x
R
, y
R
) = (x
3
, y
3
) =
= (
2
+a
1
a
2
x
P
x
R
, (x
P
x
3
) y
P
a
1
x
3
a
3
),
where
=
_
(y
R
y
P
)/(x
R
x
P
) if x
P
,= x
R
,
3x
2
P
+2a
2
x
P
+a
4
a
1
y
P
2y
P
+a
P
x
P
+a
3
else.
Tanja Lange Fast scalar multiplication on elliptic curves p. 12
Projective Coordinates
P = (X
1
: Y
1
: Z
1
), Q = (X
2
: Y
2
: Z
2
), P Q = (X
3
: Y
3
: Z
3
)
on E : Y
2
Z = X
3
+a
4
XZ
2
+a
6
Z
3
Addition: P ,= Q Doubling P = Q ,= P
A = Y
2
Z
1
Y
1
Z
2
, B = X
2
Z
1
X
1
Z
2
, A = a
4
Z
2
1
+ 3X
2
1
, B = Y
1
Z
1
,
C = A
2
Z
1
Z
2
B
3
2B
2
X
1
Z
2
C = X
1
Y
1
B, D = A
2
8C
X
3
= BC, Z
3
= B
3
Z
1
Z
2
X
3
= 2BD, Z
3
= 8B
3
.
Y
3
= A(B
2
X
1
Z
2
C) B
3
Y
1
Z
2
, Y
3
= A(4C D) 8Y
2
1
B
2
No inversion is needed and the computation times are
12M + 2S for a general addition and 7M + 5S for a doubling.
Tanja Lange Fast scalar multiplication on elliptic curves p. 13
Jacobian Coordinates
P = (X
1
: Y
1
: Z
1
), Q = (X
2
: Y
2
: Z
2
), P Q = (X
3
: Y
3
: Z
3
)
on Y
2
= X
3
+a
4
XZ
4
+a
6
Z
6
by
Addition: P ,= Q Doubling P = Q ,= P
A = X
1
Z
2
2
, B = X
2
Z
2
1
, C = Y
1
Z
3
2
, A = 4X
1
Y
2
1
, B = 3X
2
1
+a
4
Z
4
1
D = Y
2
Z
3
1
, E = B A, F = D C
X
3
= E
3
2AE
2
+F
2
, Z
3
= Z
1
Z
2
E, X
3
= 2A +B
2
, Z
3
= 2Y
1
Z
1
Y
3
= CE
3
+F(AE
2
X
3
), Y
3
= 8Y
4
1
+B(AX
3
).
No inversion is needed and the computation times are
12M + 4S for a general addition and 4M + 6S for a doubling.
Tanja Lange Fast scalar multiplication on elliptic curves p. 14
Different coordinate systems y
2
= x
3
+ax +b
system points correspondence
afne (/) (x, y)
projective (T) (X, Y, Z) (X/Z, Y/Z)
jacobian () (X, Y, Z) (X/Z
2
, Y/Z
3
)
Chudnovsky jacobian (
C
) (X, Y, Z, Z
2
, Z
3
) (X/Z
2
, Y/Z
3
)
modied jacobian (
m
) (X, Y, Z, aZ
4
) (X/Z
2
, Y/Z
3
)
system addition doubling
afne (/) 2M 1S 1I 2M 2S 1I
projective (T) 12M 2S 7M 5S
jacobian () 12M 4S 4M 6S
Chudnovsky jacobian (
C
) 11M 3S 5M 6S
modied jacobian (
m
) 13M 6S 4M 4S
Tanja Lange Fast scalar multiplication on elliptic curves p. 15
Mixed coordinates
(Cohen, Miyaji, Ono, Asiacrypt 98)
affordable inversions:
precomputations in / (with Montgomery),
main doublings in
m
,
nal doublings 2
m
= ,
additions /+ =
m
expensive inversions:
precomputations in
C
,
main doublings in
m
,
nal doublings 2
m
= ,
additions +
C
=
m
Tanja Lange Fast scalar multiplication on elliptic curves p. 16
Side-channel attacks
l
i=0
n
i
2
i
OUT: Q = nP
1. Q = P
2. for i = l 1 down to 0 do
3. Q = 2Q
4. if (n
i
= 1) then Q = Q+P
5. output Q
If ADD ,= DBL one can easily determine n from the sequence
of ADD and DBL:
DBL DBL ADD DBL ADD DBL DBL (101100)
2
= 44
Tanja Lange Fast scalar multiplication on elliptic curves p. 20
Weierstrass form (q odd)
E : y
2
= x
3
+a
4
x +a
6
, a
i
IF
q
P
R
P R
P +R
[2]P
[2]P
(x
1
, y
1
) + (x
2
, y
2
) =
= (x
3
, y
3
) =
= (
2
x
1
x
2
, (x
1
x
3
) y
1
),
where
=
_
(y
2
y
1
)/(x
2
x
1
) if x
1
,= x
2
,
(3x
2
1
+a
4
)/(2y
1
) else.
Addition and Doubling differ considerably.
ADD: 1 I, 2M, 1S vs. DBL: 1 I, 2M, 2S
Unprotected arithmetic prone to SSCA.
Tanja Lange Fast scalar multiplication on elliptic curves p. 21
Double-and-always-Add
This is the obvious countermeasure . . .
IN: P E(IF
q
), n ZZ, n =
l
i=0
n
i
2
i
OUT: Q = nP
1. Q = P, R = [2]P
2. for i = l 1 down to 0 do
3. Q = [2]Q
4. if n
i
== 1 then Q = QP
else R = QP //dummy operation
5. output Q
. . . but it is very inefcient.
Caution: If an active adversary is allowed, the dummy
operations might be detected (fault attacks)
Tanja Lange Fast scalar multiplication on elliptic curves p. 22
Common countermeasures
Double-and-always-add
very inefcient
Side-channel atomicity (Chevallier-Mames, Ciet, Joye)
build group operation from identical blocks.
Each block consists of:
1 multiplication, 1 addition, 1 negation, 1 addition;
ll with cheap dummy additions and negations
ADD (/+T) needs 11 blocks
DBL (2T) needs 10 blocks
. . . . . .
Brier and Joye, uniform Jacobian coordinates
Tanja Lange Fast scalar multiplication on elliptic curves p. 23
Common countermeasures
Double-and-always-add
very inefcient
Side-channel atomicity (Chevallier-Mames, Ciet, Joye)
build group operation from identical blocks.
Each block consists of:
1 multiplication, 1 addition, 1 negation, 1 addition;
ll with cheap dummy additions and negations
ADD (/+T) needs 11 blocks
DBL (2T) needs 10 blocks
. . . . . .
ADD
9
ADD
10
ADD
11
DBL
1
DBL
2
DBL
3
DBL
4
DBL
5
Brier and Joye, uniform Jacobian coordinates
Tanja Lange Fast scalar multiplication on elliptic curves p. 23
Uniform Group Operations
Liardet and Smart CHES 2001: Jacobi intersection
Billet and Joye AAECC 2003: Jacobi-Model
E
J
: Y
2
= X
4
2X
2
Z
2
+Z
4
.
Joye and Quisquater suggested Hessian Curves
E
H
: X
3
+Y
3
+Z
3
= cXY Z.
They achieve uniformity by
[2](X
1
: Y
1
: Z
1
) = (Z
1
: X
1
: Y
1
) + (Y
1
: Z
1
: X
1
)
and (Z
1
: X
1
: Y
1
) ,= (Y
1
: Z
1
: X
1
).
Tanja Lange Fast scalar multiplication on elliptic curves p. 24
Edwards coordinates
Tanja Lange Fast scalar multiplication on elliptic curves p. 25
Addition on Elliptic Curves
At Mathematics: Algorithms and Proofs in Leiden, January
2007, Harold M. Edwards gave a talk on Addition on Elliptic
Curves
So Dan and I expected . . .
P
R
P R
P +R
[2]P
[2]P
Tanja Lange Fast scalar multiplication on elliptic curves p. 26
Addition on Elliptic Curves
At Mathematics: Algorithms and Proofs in Leiden, January
2007, Harold M. Edwards gave a talk on Addition on Elliptic
Curves
But there it was the elliptic curve:
x
2
+y
2
= a
2
(1 +x
2
y
2
).
Tanja Lange Fast scalar multiplication on elliptic curves p. 26
Addition on Elliptic Curves
At Mathematics: Algorithms and Proofs in Leiden, January
2007, Harold M. Edwards gave a talk on Addition on Elliptic
Curves
But there it was the elliptic curve:
x
2
+y
2
= a
2
(1 +x
2
y
2
).
Nonsingular if and only if a
5
,= a.
Tanja Lange Fast scalar multiplication on elliptic curves p. 26
Addition on Elliptic Curves
At Mathematics: Algorithms and Proofs in Leiden, January
2007, Harold M. Edwards gave a talk on Addition on Elliptic
Curves
But there it was the elliptic curve:
x
2
+y
2
= a
2
(1 +x
2
y
2
).
Nonsingular if and only if a
5
,= a.
To see that this is indeed an elliptic curve, use
z = y(1 a
2
x
2
)/a to obtain
z
2
= x
4
(a
2
+ 1/a
2
)x
2
+ 1.
Tanja Lange Fast scalar multiplication on elliptic curves p. 26
Edwards Addition Formulae
P = (x
P
, y
P
), Q = (x
Q
, y
Q
) on x
2
+y
2
= a
2
(1 +x
2
y
2
).
P +Q =
_
x
P
y
Q
+y
P
x
Q
a(1 +x
P
x
Q
y
P
y
Q
)
,
y
P
y
Q
x
P
x
Q
a(1 x
P
x
Q
y
P
y
Q
)
_
.
[2]P =
_
x
P
y
P
+y
P
x
P
a(1 +x
P
x
P
y
P
y
P
)
,
y
P
y
P
x
P
x
P
a(1 x
P
x
P
y
P
y
P
)
_
=
_
2x
P
y
P
a(1 + (x
P
y
P
)
2
)
,
y
2
P
x
2
P
a(1 (x
P
y
P
)
2
)
_
.
For much more information on elliptic curves in this
shape see Edwards 2007 paper in Bull. AMS.,
electronic April 9.
Tanja Lange Fast scalar multiplication on elliptic curves p. 27
Following results are joint
work with
Daniel J. Bernstein
Tanja Lange Fast scalar multiplication on elliptic curves p. 28
Edwards form
Slightly generalized shape:
E
E
: x
2
+y
2
= c
2
(1 +dx
2
y
2
)
is elliptic curve for c, d ,= 0 and dc
4
,= 1.
Afne formulae
(x
1
, y
1
)+(x
2
, y
2
) =
_
x
1
y
2
+y
1
x
2
c(1 +dx
1
x
2
y
1
y
2
)
,
y
1
y
2
x
1
x
2
c(1 dx
1
x
2
y
1
y
2
)
_
.
Projective version takes
10M + 1S + 1C + 1D + 7A,
where C is the cost of multiplying by c, D is the cost of
multiplying by d, and A abbreviates addition.
Tanja Lange Fast scalar multiplication on elliptic curves p. 29
Comparison of unied formulae
System Cost of unied addition-or-doubling
Jacobian 11M+6S+1C; see Brier/Joye 03
Jacobian if a
4
= 1 13M+3S; see Brier/Joye 02
Jacobi intersection 13M+2S+1C; see Liardet/Smart 01
Jacobi quartic 10M+3S+3C; see Billet/Joye 01
Hessian 12M; see Joye/Quisquater 01
Edwards 10M+1S+1C
Fastest unied addition-or-doubling formulae.
Exactly the same formulae for doubling (no
re-arrangement like in Hessian)
No exceptional cases afne input produces correct
afne output if d is not a square, i.e. no points with
dx
1
x
2
y
1
y
2
= 1.
Tanja Lange Fast scalar multiplication on elliptic curves p. 30
Multi-scalar multiplication
Tanja Lange Fast scalar multiplication on elliptic curves p. 31
Idea of joint doublings
To compute [n
1
]P
1
[n
2
]P
2
[n
m
]P
m
compute the
doublings together, i.e. write scalars n
i
in binary:
n
1
= n
1,l1
2
l1
+n
1,l2
2
l2
+n
1,l3
2
l3
. . . +n
1,1
2 +n
1
n
2
= n
2,l1
2
l1
+n
2,l2
2
l2
+n
2,l3
2
l3
. . . +n
2,1
2 +n
2
.
.
. =
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
n
m
= n
m,l1
2
l1
+n
m,l2
2
l2
+n
m,l3
2
l3
. . . +n
m,1
2 +n
m,
Tanja Lange Fast scalar multiplication on elliptic curves p. 32
Idea of joint doublings
To compute [n
1
]P
1
[n
2
]P
2
[n
m
]P
m
compute the
doublings together, i.e. write scalars n
i
in binary:
n
1
= n
1,l1
2
l1
+n
1,l2
2
l2
+n
1,l3
2
l3
. . . +n
1,1
2 +n
1
n
2
= n
2,l1
2
l1
+n
2,l2
2
l2
+n
2,l3
2
l3
. . . +n
2,1
2 +n
2
.
.
. =
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
n
m
= n
m,l1
2
l1
+n
m,l2
2
l2
+n
m,l3
2
l3
. . . +n
m,1
2 +n
m,
Compute as
[2]([n
1,l1
]P
1
[n
2,l1
]P
2
[n
3,l1
]P
3
[n
m,l1
]P
m
. .
rst column
)
Tanja Lange Fast scalar multiplication on elliptic curves p. 32
Idea of joint doublings
To compute [n
1
]P
1
[n
2
]P
2
[n
m
]P
m
compute the
doublings together, i.e. write scalars n
i
in binary:
n
1
= n
1,l1
2
l1
+n
1,l2
2
l2
+n
1,l3
2
l3
. . . +n
1,1
2 +n
1
n
2
= n
2,l1
2
l1
+n
2,l2
2
l2
+n
2,l3
2
l3
. . . +n
2,1
2 +n
2
.
.
. =
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
n
m
= n
m,l1
2
l1
+n
m,l2
2
l2
+n
m,l3
2
l3
. . . +n
m,1
2 +n
m,
Compute as
[2]
_
[2]([n
1,l1
]P
1
[n
2,l1
]P
2
[n
3,l1
]P
3
[n
m,l1
]P
m
)
([n
1,l2
]P
1
[n
2,l2
]P
2
[n
3,l2
]P
3
[n
m,l2
]P
m
_
etc.
Needs many more additions than doublings, even with
precomputations.
Tanja Lange Fast scalar multiplication on elliptic curves p. 32
Applications
ECDSA verication uses 2 scalar multiplications ... just
to add the results.
If base point P is xed, precompute R = [2
l/2
]P and
include in the curve parameters. Split scalar
n = n
1
2
l/2
+n
0
and compute
[n
1
]R [n
0
]P.
GLV curves split scalar in two halves to get faster scalar
multiplication.
Verication in accelerated ECDSA can be extended to
use 4 or even 6 scalars. Splitting of the scalar is done
by LLL techniques
Further applications in batch verication of signatures
many scalars by taking random linear combinations.
Tanja Lange Fast scalar multiplication on elliptic curves p. 33
Comparison 1 DBL & 0.5 mixed ADD
System Cost of 1 DBL & 0.5 mixed ADD
Projective 10.5M+6S+1C 15.3M
Edwards 10.5M+4.5S+1.5C 14.1M
Jacobi quartic 5M+10.5S+4.5C 13.4M
Hessian 11M+3S 13.4M
Jacobian 6M+8.5S+1C 12.8M
Jacobi intersection 9.5M+4S+0.5C 12.7M
Jacobian/Chudnovsky 7M+6.5S 12.2M
if a
4
= 3
Tanja Lange Fast scalar multiplication on elliptic curves p. 34
1 DBL & 0.75 ADD & 0.75 mixed ADD
System Cost of 1DBL & 0.75 ADD & 0.75 mixed ADD
Projective 21.75M+8S+1C 28.15M
Jacobi intersection 22M+6S+1.5C 26.8M
Jacobian 16.25M+13S+1C 26.65M
Jacobian if a
4
= 3 17.25M+11S 26.05M
Jacobi quartic 14.5M+13.5S+7.5C 25.3M
Hessian 22.5M+3S 24.9M
Chudnovsky if a
4
= 3 16.5M+10.25S 24.7M
Edwards 20.25M+5.5S+2.5C 24.65M
Tanja Lange Fast scalar multiplication on elliptic curves p. 35
Results
Most coordinate systems optimized for many doublings,
few additions (single scalar multiplication with
windowing).
Projective Edwards formulae offer best speed for
addition and are not bad for doubling either.
Edwards coordinates are an ideal system for batch
verication.
Tanja Lange Fast scalar multiplication on elliptic curves p. 36
Results
Most coordinate systems optimized for many doublings,
few additions (single scalar multiplication with
windowing).
Projective Edwards formulae offer best speed for
addition and are not bad for doubling either.
Edwards coordinates are an ideal system for batch
verication.
Anybody need unied, SSCA resistant multi-scalar
multiplication???
Tanja Lange Fast scalar multiplication on elliptic curves p. 36
The end
http://cr.yp.to/papers.html#newelliptic
Tanja Lange Fast scalar multiplication on elliptic curves p. 37