
橢圓曲線密碼系統之設計與實現 (Design and Implementation for Elliptic Curve Cryptosystems)


Academic year: 2021




Full text

National Chiao Tung University, Department of Electronics Engineering and Institute of Electronics, Master's Thesis. 橢圓曲線密碼系統之設計與實現 (Design and Implementation for Elliptic Curve Cryptosystems). Student: 徐維均 (Wei-Chun Hsu). Advisor: 張錫嘉 (Hsie-Chia Chang). October 2005 (Republic of China year 94).

Design and Implementation for Elliptic Curve Cryptosystems. Student: Wei-Chun Hsu (徐維均). Advisor: Hsie-Chia Chang (張錫嘉). A Thesis Submitted to the Department of Electronics Engineering, College of Electrical Engineering and Computer Science, National Chiao Tung University, in Partial Fulfillment of the Requirements for the Degree of Master in Electronics Engineering. October 2005, Hsinchu, Taiwan, R.O.C.

Abstract (translated from the Chinese). Student: Wei-Chun Hsu. Advisor: Hsie-Chia Chang. Department of Electronics Engineering and Institute of Electronics.

Elliptic curve cryptosystems encrypt data so that it cannot be stolen in transit. They are based on the arithmetic of points on an elliptic curve over a finite field; both encryption and decryption use point scalar multiplication. This thesis implements an elliptic curve cryptosystem using the point halving algorithm. The implementation is over the finite field GF(2^163) with a normal basis. The curve used is a pseudo-random elliptic curve; the input base point is given in λ-representation, and the input scalar is encoded for use by the halve-and-add algorithm, with the add-and-subtract algorithm applied to further reduce the number of 1s. The normal basis multiplier is a serial multiplier, and point addition uses projective coordinates. Synthesized in a 0.18 μm process, the architecture needs 77K logic gates; simulation gives a throughput of 1.76 Mb/s. It was also verified on a Xilinx Virtex2 (2V8000) FPGA, at 90 MHz with 8815 LUTs.

Design and Implementation for Elliptic Curve Cryptosystems. Student: Wei-Chun Hsu. Advisor: Hsie-Chia Chang. Institute of Electronics Engineering, National Chiao Tung University.

ABSTRACT

Elliptic curve cryptosystems encrypt data so that an opponent eavesdropping on the channel cannot obtain any information. Their operation is based mainly on point operations on an elliptic curve over a finite field; encryption and decryption use scalar multiplication. This thesis presents an implementation of elliptic curve cryptosystems using point halving. The implementation uses a normal basis over GF(2^163). The chosen curve is a pseudo-random elliptic curve, and the input base point is given in λ-representation. The input scalar is first encoded for the halve-and-add algorithm, and the add-and-subtract algorithm is applied to reduce the number of 1s in it. A serial normal basis multiplier is used, and point addition is performed in projective coordinates. The architecture was synthesized in 0.18 μm technology and requires 77K gates; its throughput is 1.76 Mb/s. The implementation was verified on a Xilinx Virtex2 (2V8000) FPGA, running at 90 MHz with 8815 LUTs.

Acknowledgements

Two years of graduate study have passed quickly, and in them I learned a great deal, both knowledge and how to conduct myself. There are many people to thank. First and foremost is my advisor, Dr. Hsie-Chia Chang, who guided me patiently over these two years; he not only gave me much IC design experience but also, as both a teacher and a friend, pushed and encouraged me. I was fortunate to be in his laboratory. I also thank my classmates and juniors in the OASIS laboratory: I am glad to have met you, you helped me in every way and made my graduate life full of joy and memories. Once again, thank you all.

CONTENTS

Chapter 1: Introduction (p. 1)
  1.1 Motivation (p. 2)
  1.2 Thesis Organization (p. 3)
Chapter 2: Mathematical Background (p. 4)
  2.1 Finite Field Arithmetic (p. 4)
  2.2 Elliptic Curve (p. 12)
Chapter 3: Scalar Multiplication Algorithms (p. 25)
  3.1 Double-and-Add Algorithm (p. 25)
  3.2 Halve-and-Add Algorithm (p. 26)
  3.3 Add-and-Subtract Algorithm (p. 34)
Chapter 4: Implementation Results and Comparisons (p. 37)
Chapter 5: Conclusion (p. 49)
Appendix: Elliptic Curve Cryptosystems (p. 50)
  a.1 Elliptic Curve ElGamal Cryptosystem (p. 51)
  a.2 Elliptic Curve Diffie-Hellman Key Exchange (p. 52)
  a.3 Elliptic Curve Digital Signature Algorithm (p. 53)
Bibliography (p. 56)

List of Figures

Figure 2.1: The elliptic curve y^2 = x^3 + x + 1 (p. 13)
Figure 2.2: Point addition, P + Q = R (p. 14)
Figure 2.3: Point doubling, 2P = R (p. 14)
Figure 2.4: Negative point, P + (-P) = O (p. 15)
Figure 4.1: Normal basis multiplier, version 1 (p. 39)
Figure 4.2: Multiplier element of c_k (p. 40)
Figure 4.3: Normal basis multiplier, version 2 (p. 40)
Figure 4.4: Circuit for point halving (p. 42)
Figure 4.5: Point halving flow (p. 43)
Figure 4.6: Circuit for mixed-coordinates addition (p. 45)
Figure 4.7: The control of point halving and projective addition (p. 46)

List of Tables

Table 1.1: NIST guidelines for public key sizes for AES (p. 2)
Table 2.1: Normal basis table (p. 9)
Table 2.2: The multiplication table of the type 1 normal basis in GF(2^4) (p. 11)
Table 2.3: The number of required operations for point doubling (p. 24)
Table 2.4: The number of required operations for point addition (p. 24)
Table 2.5: The number of required operations for point addition when Q = (X2, Y2, 1) (p. 24)
Table 3.1: Comparison between halving and doubling in affine and projective coordinates (p. 32)
Table 4.1: The data flow of mixed-coordinates addition (5.10) (p. 44)
Table 4.2: The synthesized results (p. 47)
Table 4.3: The performance comparison of elliptic curve cryptosystem implementations on ASIC (p. 48)
Table 4.4: The performance comparison of elliptic curve cryptosystem implementations on FPGA (p. 48)

CHAPTER 1 Introduction

The objective of cryptography is to enable two people to communicate over an insecure channel such that an opponent cannot learn the information. In a private-key (symmetric-key) system the two parties share the same key, which must be kept secret. Suppose Alice wants to send information, called the plaintext, to Bob. Alice encrypts it with the predetermined key and sends the result to Bob; Bob receives the ciphertext and decrypts it with the same key. The Advanced Encryption Standard (AES) and the Data Encryption Standard (DES) are private-key systems. In a public-key (asymmetric-key) system each user has two keys, a public key and a private key that is kept secret. If Alice wants to send a message to Bob, she encrypts it with Bob's public key; when Bob receives the encrypted data he decrypts it with his own private key. Public-key systems have two advantages. The first is the number of keys: in a group of many users who all communicate pairwise with a private-key system, each user must hold a separate secret key for every other user, since a private key can only be shared by two people (n users need n(n-1)/2 keys in total). In a public-key system the public key is broadcast to everyone, so however large the group, each user needs only two keys, one public and one private. The second is key distribution: a private-key system must first establish a secure channel and send the key to the other side, so that both sides hold the same key. Since a totally safe channel is not available, a private-key system requires an additional mechanism to exchange keys. Elliptic curve cryptosystems and RSA are public-key systems.

1.1 Motivation

As the popularity of the Internet and WLAN grows, the demand for information security rises, so efficient and secure cryptosystems are of great importance. The elliptic curve cryptosystem, one of the most advanced cryptosystems, is becoming the mainstream security system in all kinds of applications. It is part of the Digital Signature Standard (DSS) published by the National Institute of Standards and Technology. Elliptic curve cryptosystems are based on the mathematical operations of elliptic curves and achieve a given security level with a much shorter key than RSA. As shown below [1], a 163-bit ECC key offers the same level of security as a 1024-bit RSA key; the AES key size of comparable strength is listed alongside.

Table 1.1: NIST guidelines for public key sizes for AES

  ECC key size (bits)   RSA key size (bits)   Key size ratio   AES key size (bits)
  163                   1024                  1:6              -
  256                   3072                  1:12             128
  384                   7680                  1:20             192
  512                   15360                 1:30             256

In order to speed up the elliptic curve cryptosystem, we propose an efficient hardware implementation of it. The proposed architecture utilizes the point halving technique to achieve better performance.

1.2 Thesis Organization

Chapter 2 introduces the mathematical background: finite fields, the normal basis and the polynomial basis, and elliptic curves in affine and projective coordinates. Chapter 3 presents several algorithms for computing scalar multiplication: the double-and-add algorithm, the halve-and-add algorithm, and the add-and-subtract algorithm. Chapter 4 gives the implementation results of the proposed architecture for elliptic curve cryptosystems and compares them with other implementations. Chapter 5 is the conclusion. The elliptic curve cryptosystems themselves (ElGamal, Diffie-Hellman key exchange and the digital signature algorithm) are described in the Appendix.

CHAPTER 2 Mathematical Background

Elliptic curve cryptosystems use elliptic curves over a finite field, either a binary field GF(2^n) or a prime field GF(p). This chapter gives the mathematical background of elliptic curve cryptosystems. It focuses on the finite field GF(2^n): two kinds of basis for this field and the basic arithmetic in each are introduced. The second part of the chapter introduces elliptic curves, the foundation of elliptic curve cryptosystems, specified over different fields and in different coordinates. Each field and coordinate system yields different formulas for the operations on points of the curve, and these point operations are the basic operations of elliptic curve cryptosystems.

2.1 Finite Field Arithmetic

Polynomial Basis

For the finite field GF(2^n), the polynomial basis is the set $\{\alpha^{n-1}, \alpha^{n-2}, \ldots, \alpha, 1\}$, where α is a root of the field polynomial. Every element of GF(2^n) can be represented as a linear combination of the basis. For instance, let B be an element of GF(2^n) in the polynomial basis:

$B = b_{n-1}\alpha^{n-1} + b_{n-2}\alpha^{n-2} + \cdots + b_1\alpha + b_0 \cdot 1$    (2.1)

and we can give this element the binary notation B = "b_{n-1} b_{n-2} ... b_1 b_0".

For example, the GF(2^8) element

$\alpha^6 + \alpha^4 + \alpha^2 + \alpha + 1 = 0\cdot\alpha^7 + 1\cdot\alpha^6 + 0\cdot\alpha^5 + 1\cdot\alpha^4 + 0\cdot\alpha^3 + 1\cdot\alpha^2 + 1\cdot\alpha + 1\cdot 1$

has the binary representation "01010111", where each bit is the coefficient of the corresponding term. The arithmetic of field elements in the polynomial basis is introduced in the following paragraphs.

The sum of two elements of the field is simply the bitwise exclusive-or of the two elements. For example, with $\alpha^6 + \alpha^4 + \alpha^2 + \alpha + 1$ and $\alpha^7 + \alpha + 1$ as elements of GF(2^8), the bitwise exclusive-or of their binary notations is "01010111" ⊕ "10000011" = "11010100", which means $(\alpha^6 + \alpha^4 + \alpha^2 + \alpha + 1) + (\alpha^7 + \alpha + 1) = \alpha^7 + \alpha^6 + \alpha^4 + \alpha^2$.

For multiplication, the two elements are treated as polynomials and multiplied first, and the result is then reduced modulo the field polynomial. An example is shown below. Let the field be GF(2^8) with field polynomial

$f(\alpha) = \alpha^8 + \alpha^4 + \alpha^3 + \alpha + 1$

and find $\alpha^6 + \alpha^4 + \alpha^2 + \alpha + 1$ multiplied by $\alpha^7 + \alpha + 1$:

$(\alpha^6 + \alpha^4 + \alpha^2 + \alpha + 1)(\alpha^7 + \alpha + 1) = \alpha^{13} + \alpha^{11} + \alpha^9 + \alpha^8 + \alpha^6 + \alpha^5 + \alpha^4 + \alpha^3 + 1$

$(\alpha^{13} + \alpha^{11} + \alpha^9 + \alpha^8 + \alpha^6 + \alpha^5 + \alpha^4 + \alpha^3 + 1) \bmod (\alpha^8 + \alpha^4 + \alpha^3 + \alpha + 1) = \alpha^7 + \alpha^6 + 1$

So the multiplication result is $\alpha^7 + \alpha^6 + 1$. Squaring is the special case of multiplication in which the two inputs are the same. For example, let $B = \alpha^7 + \alpha + 1$ be an element of GF(2^8); its square is $B^2 = (\alpha^7 + \alpha + 1)^2 = \alpha^{14} + \alpha^2 + 1$, because every cross term appears twice and cancels in characteristic 2, and reducing gives

$(\alpha^{14} + \alpha^2 + 1) \bmod (\alpha^8 + \alpha^4 + \alpha^3 + \alpha + 1) = \alpha^7 + \alpha^4 + \alpha^3 + \alpha^2 + \alpha + 1$

(since $\alpha^{14} \bmod f(\alpha) = \alpha^7 + \alpha^4 + \alpha^3 + \alpha$). Observe from the example that squaring a polynomial gives the same result as squaring each of its terms separately. As a result, given an element $B = B(\alpha) \in GF(2^n)$ and the field polynomial $f(\alpha)$,

$B(\alpha)^2 = B(\alpha^2) \bmod f(\alpha)$    (2.2)

Normal Basis

In the normal basis case, the basis over GF(2^n) is the set $\{\beta^{2^{n-1}}, \beta^{2^{n-2}}, \ldots, \beta^2, \beta\}$, where β is a root of the field polynomial chosen so that these n conjugates are linearly independent. Each element of the field can be expressed as a linear combination of the basis. Let A be an element of GF(2^n) in the normal basis:

$A = a_{n-1}\beta^{2^{n-1}} + a_{n-2}\beta^{2^{n-2}} + \cdots + a_1\beta^2 + a_0\beta$    (2.3)

Similarly, each element of the field can be written as the binary number "a_{n-1} a_{n-2} ... a_1 a_0". Addition in the normal basis is the same as in the polynomial basis: it is still the bitwise exclusive-or of the

two elements. For example, let $\beta^8 + \beta^2$, with binary notation "1010", and $\beta^4 + \beta^2 + \beta$, with binary notation "0111", be two elements of GF(2^4); then "1010" ⊕ "0111" = "1101", that is,

$(\beta^8 + \beta^2) + (\beta^4 + \beta^2 + \beta) = \beta^8 + \beta^4 + \beta$

For squaring, let A be an element of GF(2^n) as in (2.3). From (2.2),

$A^2 = a_{n-1}\beta^{2^n} + a_{n-2}\beta^{2^{n-1}} + \cdots + a_1\beta^{2^2} + a_0\beta^2$    (2.4)

and since every β ∈ GF(2^n) satisfies (the field analogue of Fermat's little theorem)

$\beta^{2^n} = \beta$    (2.5)

we can rewrite (2.4) as

$A^2 = a_{n-2}\beta^{2^{n-1}} + \cdots + a_1\beta^{2^2} + a_0\beta^2 + a_{n-1}\beta$    (2.6)

In the normal basis, squaring is simply a one-bit cyclic shift of the coefficient vector: if A = "a_{n-1} a_{n-2} ... a_1 a_0" ∈ GF(2^n), then A^2 = "a_{n-2} ... a_1 a_0 a_{n-1}". This property gives the normal basis an advantage over the polynomial basis, because a normal basis squarer needs no extra hardware, only wiring. Next we derive multiplication in the normal basis. Suppose A and B are elements of the field GF(2^n):

$A = \sum_{i=0}^{n-1} a_i\beta^{2^i}, \qquad B = \sum_{i=0}^{n-1} b_i\beta^{2^i}$    (2.5)

The product of A and B is

$C = A \times B = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1} a_i b_j\,\beta^{2^i}\beta^{2^j} = \sum_{i=0}^{n-1} c_i\beta^{2^i}$    (2.6)

Let the product of $\beta^{2^i}$ and $\beta^{2^j}$, itself a field element, be expanded in the basis as

$\beta^{2^i}\beta^{2^j} = \sum_{k=0}^{n-1}\lambda_{ijk}\,\beta^{2^k}, \qquad \lambda_{ijk} \in \{0, 1\}$    (2.7)

Substituting (2.7) into (2.6) gives

$c_k = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1}\lambda_{ijk}\,a_i b_j, \qquad 0 \le k \le n-1$    (2.8)

If, for GF(2^n), the number of nonzero terms (terms with λ_{ijk} = 1) in (2.8) equals 2n-1 for each k, the normal basis is called an optimal normal basis. An optimal normal basis gives the minimum multiplication complexity and hence an efficient hardware implementation. There are many types of normal basis; [2] gives a chart of the existing normal basis types for the different field lengths n of GF(2^n).

Table 2.1: Normal basis table (type of normal basis for each n; "-" means none exists)

  n    type      n     type
  2    1, 2      155   2
  3    2         156   13
  4    1         157   10
  5    2         158   2
  6    2         159   22
  7    4         160   -
  8    -         161   6
  9    2         162   1
  10   1         163   4
  ...            ...

Of all types, only type 1 and type 2 are optimal normal bases. Raising both sides of (2.7) to the power $2^{-l}$ gives

$(\beta^{2^i}\beta^{2^j})^{2^{-l}} = \beta^{2^{i-l}}\beta^{2^{j-l}} = \sum_{k=0}^{n-1}\lambda_{i-l,\,j-l,\,k}\,\beta^{2^k} = \sum_{k=0}^{n-1}\lambda_{ijk}\,\beta^{2^{k-l}}$    (2.9)

with all indices taken modulo n. Comparing the coefficients of the $\beta^{2^0}$ term,

$\lambda_{ijl} = \lambda_{i-l,\,j-l,\,0} \qquad \forall\, 0 \le i, j, l \le n-1$    (2.10)

This means every λ_{ijk} can be obtained from λ_{i-k, j-k, 0}. Using (2.10) in (2.8),

$c_k = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1}\lambda_{i-k,\,j-k,\,0}\,a_i b_j, \qquad 0 \le k \le n-1$    (2.10)

and by changing the subscripts,

$c_k = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1}\lambda_{ij0}\,a_{i+k} b_{j+k}, \qquad 0 \le k \le n-1$    (2.11)

This equation shows the key property of normal basis multiplication: by cyclically shifting the subscripts in the formula for c_0, we obtain every other coordinate of the product. Before performing a normal basis multiplication we must construct the table of λ_{ijk}. For a type 1 normal basis of GF(2^n), λ_{ij0} = 1 exactly when i and j satisfy one of the congruences

$2^i + 2^j \equiv 1 \pmod{n+1} \quad\text{or}\quad 2^i + 2^j \equiv 0 \pmod{n+1}$    (2.12)

(in a type 1 basis β is a primitive (n+1)-th root of unity, so $\beta^{2^i}\beta^{2^j} = \beta^{2^i + 2^j}$; the first congruence makes this product equal to β itself, the second makes it equal to 1, which is the sum of all n basis elements). For the type 1 normal basis of GF(2^4) the table of λ_{ijk} is constructed below from these rules. Only the k = 0 column needs to be evaluated; the remaining columns follow from it by (2.10), for example λ_{001} = λ_{330} = 1, λ_{011} = λ_{300} = 0, λ_{021} = λ_{310} = 1, and so on.

Table 2.2: The multiplication table of the type 1 normal basis in GF(2^4) (entry = λ_{ijk})

  i  j   k=0  k=1  k=2  k=3
  0  0   0    1    0    0
  0  1   0    0    0    1
  0  2   1    1    1    1
  0  3   0    0    1    0
  1  0   0    0    0    1
  1  1   0    0    1    0
  1  2   1    0    0    0
  1  3   1    1    1    1
  2  0   1    1    1    1
  2  1   1    0    0    0
  2  2   0    0    0    1
  2  3   0    1    0    0
  3  0   0    0    1    0
  3  1   1    1    1    1
  3  2   0    1    0    0
  3  3   1    0    0    0

From the table, the product of the type 1 normal basis multiplication in GF(2^4) has

$c_0 = a_0 b_2 + a_1 b_2 + a_1 b_3 + a_2 b_0 + a_2 b_1 + a_3 b_1 + a_3 b_3$

Since the type 1 normal basis is an optimal normal basis, the number of terms in this equation equals 2·4-1 = 7. From (2.11), with all subscripts taken modulo 4,

$c_k = a_k b_{2+k} + a_{1+k} b_{2+k} + a_{1+k} b_{3+k} + a_{2+k} b_k + a_{2+k} b_{1+k} + a_{3+k} b_{1+k} + a_{3+k} b_{3+k}$
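The λ table construction and the cyclic-shift multiplication just described can be written in a few lines. The following Python code is an added example, not the thesis's serial multiplier circuit: it derives λ_{ijk} for any type 1 optimal normal basis from rule (2.12) (the names is_type1, lambda_rows, nb_mul, nb_sqr, c0_terms and self_check are mine), reproduces the seven (i, j) pairs of the c_0 formula above for GF(2^4), squares by the cyclic shift of (2.6), and checks the multiplier against that shift, against the identity element (in a type 1 basis the all-ones vector is 1, since 1 is the sum of all the basis elements), and for commutativity and associativity.

```python
"""Type-1 optimal normal basis (ONB) arithmetic over GF(2^n), built from the
lambda_{ijk} rule (2.12) and the cyclic-shift property (2.11).  Added example
code, not the thesis's serial multiplier.  An element is an n-bit int whose
bit i is the coefficient a_i of beta^(2^i), as in (2.3)."""
import random


def is_type1(n):
    """A type-1 ONB exists iff n + 1 is prime and 2 generates the units mod n + 1."""
    p = n + 1
    if p < 3 or any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        return False
    return len({pow(2, i, p) for i in range(n)}) == n


def lambda_rows(n):
    """lam[k] lists the (i, j) with lambda_{ijk} = 1.  beta is a primitive (n+1)-th
    root of unity, so beta^(2^i) * beta^(2^j) = beta^(2^k) when 2^i + 2^j = 2^k
    (mod n+1), and = 1 = sum of all beta^(2^k) when 2^i + 2^j = 0 (mod n+1)."""
    p = n + 1
    pow2 = [pow(2, i, p) for i in range(n)]
    lam = [[] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            s = (pow2[i] + pow2[j]) % p
            for k in (range(n) if s == 0 else [pow2.index(s)]):
                lam[k].append((i, j))
    return lam


def nb_mul(a, b, n, lam=None):
    """c_k = sum of a_i b_j over the (i, j) with lambda_{ijk} = 1, eq. (2.8)."""
    lam = lambda_rows(n) if lam is None else lam
    c = 0
    for k in range(n):
        bit = 0
        for i, j in lam[k]:
            bit ^= (a >> i) & (b >> j) & 1
        c |= bit << k
    return c


def nb_sqr(a, n):
    """Squaring is a one-bit cyclic shift, eq. (2.6): wiring only, no gates."""
    return ((a << 1) | (a >> (n - 1))) & ((1 << n) - 1)


def c0_terms(n):
    """The (i, j) pairs of the c_0 formula; for n = 4 these are the seven on page 11."""
    return sorted(lambda_rows(n)[0])


def self_check(n, trials=50, seed=1):
    """The all-ones vector is 1 (the sum of all beta^(2^k)); the product is
    commutative and associative; nb_mul(a, a) agrees with the shift nb_sqr(a)."""
    rnd, lam, one = random.Random(seed), lambda_rows(n), (1 << n) - 1

    def mul(x, y):
        return nb_mul(x, y, n, lam)

    for _ in range(trials):
        a, b, c = (rnd.getrandbits(n) for _ in range(3))
        if mul(a, one) != a or mul(a, b) != mul(b, a) or mul(a, a) != nb_sqr(a, n):
            return False
        if mul(mul(a, b), c) != mul(a, mul(b, c)):
            return False
    return True
```

The n = 162 entry of Table 2.1 (type 1) and the absence of a type 1 basis for n = 5 and n = 8 follow from is_type1 alone; for the thesis's n = 163, which has a type 4 basis, this table rule does not apply and the algorithm of [2] is needed instead.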

The formulas for the other coordinates are obtained by cyclically shifting the subscripts of the c_0 formula:

$c_1 = a_1 b_3 + a_2 b_3 + a_2 b_0 + a_3 b_1 + a_3 b_2 + a_0 b_2 + a_0 b_0$
$c_2 = a_2 b_0 + a_3 b_0 + a_3 b_1 + a_0 b_2 + a_0 b_3 + a_1 b_3 + a_1 b_1$
$c_3 = a_3 b_1 + a_0 b_1 + a_0 b_2 + a_1 b_3 + a_1 b_0 + a_2 b_0 + a_2 b_2$

For the other types of normal basis, [2] provides an efficient algorithm for evaluating the product in the normal basis, taking the type of the normal basis and the field length n of GF(2^n) as its inputs.

2.2 Elliptic Curve

A non-singular elliptic curve over the real numbers is described by the equation

$y^2 = x^3 + ax + b$    (2.13)

where a and b are real numbers such that

$4a^3 + 27b^2 \ne 0$    (2.14)

The curve is singular if (2.14) fails [3]. The following diagram shows an example of an elliptic curve with a = b = 1. Note that the curve is symmetric with respect to the x-axis.

Figure 2.1: the elliptic curve y^2 = x^3 + x + 1 (plot not reproduced)

For the finite field GF(p) the elliptic curve satisfies the congruence, where a, b ∈ GF(p):

$y^2 \equiv x^3 + ax + b \pmod p$    (2.15)

For the finite field GF(2^n) the elliptic curve takes the slightly different form shown below, where a, b ∈ GF(2^n):

$y^2 + xy = x^3 + ax^2 + b$    (2.16)

An abelian group can be defined on the set E of solutions (x, y) of the elliptic curve equation together with a point O at infinity. Now consider the addition law of the elliptic curve. Given two points P and Q on the curve E, consider the result of P + Q. First, define L to be the line through P and Q. L intersects E at a third point R', and we reflect R' in the x-axis to get R. R is defined to be the result of P + Q, that is, P + Q = R. An example is given below:

Figure 2.2: Point addition, P + Q = R (plot not reproduced)

Now consider the situation when P = Q, namely the result of 2P. Since P = Q, the line L becomes the tangent line through P. Similarly, L intersects E at a point R', which we reflect in the x-axis to obtain the result R. The following diagram shows this case:

Figure 2.3: Point doubling, 2P = R (plot not reproduced)

The point at infinity O is the identity element:

$P + O = O + P = P$    (2.17)

Consider the case when Q is the reflection of P in the x-axis. If we draw a line L through P and Q, L is vertical, passes through P and meets E at infinity, so P + Q = O. Since O is the identity element, Q is the negative of P, that is, Q = -P. We conclude that the negative of a given point is its reflection in the x-axis.

Figure 2.4: Negative point, P + (-P) = O (plot not reproduced)

Given a point P ∈ E over a finite field, E is a finite abelian group, so we can find an integer r such that rP = P + P + ... + P (r terms) = O. The integer r is called the order of the point P.

Next, I derive the addition and doubling formulas for points on the elliptic curve from the addition law above. After that a different representation, the projective coordinate representation, is introduced.

Affine Coordinate Representation

The affine coordinate representation is the counterpart of the projective coordinate representation. Given an elliptic curve E: y^2 = x^3 + ax + b, we derive the negative of a point first. Let P = (x1, y1); the negative of P is simply the reflection of P in the x-axis, which is (x1, -y1):

$-(x_1, y_1) = (x_1, -y_1)$    (2.18)

We next derive the formula for point addition P + Q = R. Let P, Q ∈ E with P = (x1, y1), Q = (x2, y2), R = (x3, y3), and let L be the line through P and Q, written as

$y = \lambda x + \nu$    (2.19)

where the slope of L is

$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$    (2.20)

and

$\nu = y_1 - \lambda x_1 = y_2 - \lambda x_2$    (2.21)

L intersects E at the point R'. Substituting (2.19) into the equation of E to find the x-coordinates of the intersections gives

$(\lambda x + \nu)^2 = x^3 + ax + b$    (2.22)

which rearranges to

$x^3 - \lambda^2 x^2 + (a - 2\lambda\nu)x + b - \nu^2 = 0$    (2.23)

We have to solve (2.23) for the x-coordinates. Since x1 and x2 are two of its roots, and the sum of the three roots equals the negated coefficient of x^2,

$x_1 + x_2 + x_3 = \lambda^2, \qquad x_3 = \lambda^2 - x_1 - x_2$    (2.24)

Since R' = (x3, -y3) lies on L,

$\lambda = \dfrac{-y_3 - y_1}{x_3 - x_1}$    (2.25)

or

$y_3 = \lambda(x_1 - x_3) - y_1$    (2.26)

For doubling a point we need the slope of the tangent line L at P = (x1, y1). Let 2P = (x3, y3); implicit differentiation of the equation of E gives

$2y\,\dfrac{dy}{dx} = 3x^2 + a$    (2.27)

so the slope of the tangent line L at P is

$\lambda = \dfrac{3x_1^2 + a}{2y_1}$    (2.28)

and

$\nu = y_1 - \lambda x_1$    (2.29)

The line meets E again at R' = (x3, -y3). Substituting the line equation into E gives the cubic (2.23) again, which now has a double root at x1 and a single root at x3, so

$x_3 = \lambda^2 - 2x_1$    (2.30)

With the same procedure, y3 is given by (2.26). Finally, the formulas for point addition and point doubling are summarized below. With P = (x1, y1), Q = (x2, y2), P + Q = (x3, y3) and the curve given by (2.13) or (2.15), point addition is

$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}, \qquad x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1$    (2.31)

and with P = (x1, y1), 2P = (x3, y3), point doubling is

$\lambda = \dfrac{3x_1^2 + a}{2y_1}, \qquad x_3 = \lambda^2 - 2x_1, \qquad y_3 = \lambda(x_1 - x_3) - y_1$    (2.32)

Over the finite field GF(2^n) the curve has the form (2.16), and the formulas for point addition and point doubling are derived in a similar way. As before, we derive the negation of a point first. Given P = (x1, y1), we look for -P = (x2, y2). Since P + (-P) = O, the vertical line L through P meets E at -P. The equation of this line L is simply

$x + x_1 = 0$    (2.33)

which implies x2 + x1 = 0, so the x-coordinate of -P is x1. Substituting (2.33) into (2.16) to find the y-coordinate of -P gives

$y^2 + x_1 y = x_1^3 + a x_1^2 + b$    (2.34)

This quadratic has two solutions, one of which is y1, and the sum of the two solutions equals the coefficient of the y term. As a result,

$y_1 + y_2 = x_1, \qquad y_2 = x_1 + y_1$    (2.35)

So for P = (x1, y1), the negation of P over GF(2^n) is

$-(x_1, y_1) = (x_1, x_1 + y_1)$    (2.36)

Again, let P, Q ∈ E with P = (x1, y1), Q = (x2, y2), P + Q = R = (x3, y3), and let L be the line through P and Q. L has the equation (2.19), where

$\lambda = \dfrac{y_2 + y_1}{x_2 + x_1}$    (2.25)

and

$\nu = y_1 + \lambda x_1 = y_2 + \lambda x_2$    (2.26)

Substituting the equation of L (2.19) into the curve equation (2.16),

$(\lambda x + \nu)^2 + x(\lambda x + \nu) = x^3 + ax^2 + b$    (2.27)

which is the same as

$x^3 + (\lambda^2 + \lambda + a)x^2 + \nu x + b + \nu^2 = 0$    (2.28)

x1 and x2 are two roots of this cubic, and in characteristic 2 the sum of the three roots equals the coefficient of the x^2 term, so

$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$    (2.29)

Then, as before, we use R' = (x3, x3 + y3) and P = (x1, y1) to compute the slope,

$\lambda = \dfrac{x_3 + y_3 + y_1}{x_3 + x_1}$    (2.30)

from which

$y_3 = \lambda(x_3 + x_1) + x_3 + y_1$    (2.31)

Let's move on to the doubling formula over GF(2^n). Implicit differentiation of the curve equation (2.16) gives

$2y\,\dfrac{dy}{dx} + y + x\,\dfrac{dy}{dx} = 3x^2 + 2ax$    (2.32)

and since 2 = 0 in GF(2^n) this reduces to

$y + x\,\dfrac{dy}{dx} = x^2$    (2.33)

Note that without the xy term in the curve equation (2.16) the implicit differentiation would be degenerate, since every remaining term would vanish; this is one reason why the elliptic curve equation takes a slightly different form over GF(2^n). Let P = (x1, y1), 2P = (x3, y3), and let L be the tangent line at P, described by (2.19). The slope of L is

$\lambda = x_1 + \dfrac{y_1}{x_1}$    (2.34)

and

$\nu = y_1 + \lambda x_1$    (2.35)

Following the same procedure, x1 is a double root of the cubic (2.28) and x3 is the remaining root, so

$2x_1 + x_3 = \lambda^2 + \lambda + a$

and since 2x1 = 0 over GF(2^n),

$x_3 = \lambda^2 + \lambda + a$    (2.36)

Finally, y3 is the same as in (2.31). The formulas for point addition and point doubling over GF(2^n) are given below. Let P = (x1, y1), Q = (x2, y2), P + Q = (x3, y3) on the curve (2.16); then point addition is

$\lambda = \dfrac{y_2 + y_1}{x_2 + x_1}, \qquad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda(x_3 + x_1) + x_3 + y_1$    (2.37)

and point doubling, with P = (x1, y1), 2P = (x3, y3), is

$\lambda = x_1 + \dfrac{y_1}{x_1}, \qquad x_3 = \lambda^2 + \lambda + a, \qquad y_3 = \lambda(x_3 + x_1) + x_3 + y_1$    (2.38)

Projective Coordinate Representation

Inversion in GF(2^n) is relatively expensive. If inversion can be avoided in point addition and point doubling, the performance of the elliptic curve cryptosystem improves. This is done with projective coordinates. A projective point has three coordinates, P = (X, Y, Z). The affine point (x, y) corresponds to the projective point (x, y, 1), while a projective point (X, Y, Z) is converted to the affine point (X/Z, Y/Z^2). Substituting x = X/Z and y = Y/Z^2 into (2.16) and multiplying through by Z^4, the projective curve equation is

$Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4$    (2.39)

The formulas for adding and doubling points in these coordinates are presented here. Let P = (X1, Y1, Z1), Q = (X2, Y2, Z2) and P + Q = R = (X3, Y3, Z3) be projective points; then the addition formula is [4]:

$A_1 = Y_2 Z_1^2, \quad A_2 = Y_1 Z_2^2, \quad B_1 = X_2 Z_1, \quad B_2 = X_1 Z_2, \quad C = A_1 + A_2, \quad D = B_1 + B_2,$
$E = Z_1 Z_2, \quad F = D E, \quad Z_3 = F^2, \quad G = D^2 (F + aE^2), \quad H = C F, \quad X_3 = C^2 + H + G,$
$I = D^2 B_1 E + X_3, \quad J = D^2 A_1 + X_3, \quad Y_3 = H I + Z_3 J$    (2.40)

When Z2 = 1 the formula becomes

$A = Y_2 Z_1^2 + Y_1, \quad B = X_2 Z_1 + X_1, \quad C = Z_1 B, \quad D = B^2 (C + aZ_1^2), \quad Z_3 = C^2,$
$E = A C, \quad X_3 = A^2 + D + E, \quad F = X_3 + X_2 Z_3, \quad G = (X_2 + Y_2) Z_3^2, \quad Y_3 = (E + Z_3) F + G$    (2.41)

For P = (X1, Y1, Z1) and 2P = Q = (X2, Y2, Z2), the doubling formula is

$Z_2 = Z_1^2 X_1^2, \qquad X_2 = X_1^4 + bZ_1^4, \qquad Y_2 = bZ_1^4 Z_2 + X_2 (aZ_2 + Y_1^2 + bZ_1^4)$    (2.42)

Compared with affine coordinates, projective doubling and addition need more multiplications but no inversion. The operation counts for the two representations are given below:

Table 2.3: The number of required operations for point doubling

  Operation        Affine coordinates   Projective coordinates
  Multiplication   2                    4
  Squaring         1                    5
  Inversion        1                    0

Table 2.4: The number of required operations for point addition

  Operation        Affine coordinates   Projective coordinates
  Multiplication   2                    13
  Squaring         1                    6
  Inversion        1                    0

Table 2.5: The number of required operations for point addition when Q = (X2, Y2, 1)

  Operation        Affine coordinates   Projective coordinates
  Multiplication   2                    8
  Squaring         1                    5
  Inversion        1                    0

Which representation is faster is determined by the cost of the finite field inversion in affine coordinates. For example, under the conditions of Table 2.5 and neglecting squarings, affine coordinates outperform projective coordinates if an inversion costs less than 6 multiplications.

CHAPTER 3 Scalar Multiplication Algorithms

Scalar multiplication, that is, computing kP given a point P on the elliptic curve and a scalar k, is what elliptic curve cryptosystems are mainly about. Many algorithms have been proposed to compute it efficiently. The basic one is the double-and-add algorithm; the halve-and-add algorithm computes scalar multiplication more efficiently by using point halving. These two algorithms are introduced in this chapter. In addition, the add-and-subtract algorithm can be applied to either of them to achieve better performance.

3.1 Double-and-Add Algorithm

The double-and-add algorithm is the basic algorithm for computing scalar multiplication. It is composed of point doublings and point additions. Given GF(2^n), a base point P and a scalar k, the double-and-add algorithm is:

    k = sum_{i=0}^{n-1} b_i 2^i,  b_i in {0, 1}
    Q = O
    for i from n-1 down to 0 {
        Q = 2Q
        if b_i = 1 then Q = Q + P
    }
    (3.1)

For example, given P and the scalar k = 10 = "1010":

    k =        "1          0           1                 0"
    Q =  O  →   P    →    2P    →    4P + P = 5P   →    10P

The formulas required for adding and doubling points in the algorithm are explained in Chapter 2.

3.2 Halve-and-Add Algorithm

The halve-and-add algorithm [5] is similar to the double-and-add algorithm, but the point doubling step is replaced by point halving. Next, the procedure of point halving is given.

Point Halving

For P = (x1, y1) and 2P = (x3, y3), the point doubling formula is given in equation (2.38), which is the same as:

    \lambda = x_1 + \frac{y_1}{x_1}
    x_3 = \lambda^2 + \lambda + a                                         (3.2)
    y_3 = x_1^2 + x_3(\lambda + 1)

Point halving is the reverse of point doubling: given an input point 2P = (x3, y3), find P = (x1, y1). In order to compute x1 and y1, we first have to solve for λ from

    \lambda^2 + \lambda = a + x_3                                          (3.3)

where this quadratic equation has the two solutions λ and λ + 1.

Then solve

    x_1 = \sqrt{y_3 + x_3(\lambda + 1)}                                   (3.4)

for x1, and finally calculate y1:

    y_1 = x_1(x_1 + \lambda)                                              (3.5)

The idea of the trace plays an important role in deriving the algorithm for point halving. Let c ∈ GF(2^n); the trace is defined as

    Tr(c) = c + c^2 + c^{2^2} + \cdots + c^{2^{n-1}}                      (3.6)

The trace of an element of the finite field is either 0 or 1. The following are some properties of the trace: let c, d ∈ GF(2^n), then

    Tr(c) = Tr(c^2) = Tr(c)^2                                             (3.7)

and the trace is linear:

    Tr(c + d) = Tr(c) + Tr(d)                                             (3.8)

My implementation uses a pseudo-random curve over GF(2^163), which has the form

    E : y^2 + xy = x^3 + x^2 + b                                          (3.9)

The coefficient a in equation (2.16) is always equal to 1, so

    Tr(a) = 1                                                             (3.10)

If (x, y) is a point on the elliptic curve (3.9), then

    Tr(x) = Tr(a)                                                         (3.11)

The following theorem finds the correct solution of equation (3.3) while halving a point:

    Let P = (x1, y1) and 2P = (x3, y3). Let λ̂ be a solution to (3.3) and t = y3 + x3 λ̂. Suppose that Tr(a) = 1. Then λ̂ is the correct solution if and only if Tr(t) = 0.          (3.12)

We now prove the theorem. If λ̂ is the correct solution, then it satisfies equation (3.4), that is,

    x_1^2 = y_3 + x_3(\hat\lambda + 1)                                    (3.13)

From equations (3.10) and (3.11),

    Tr(y_3 + x_3(\hat\lambda + 1)) = Tr(x_1^2) = Tr(x_1) = Tr(a) = 1        (3.14)

and

    Tr(y_3 + x_3(\hat\lambda + 1)) = Tr((y_3 + x_3\hat\lambda) + x_3) = Tr(y_3 + x_3\hat\lambda) + Tr(x_3) = Tr(t) + 1        (3.15)

Finally, we get Tr(t) + 1 = 1, that is, Tr(t) = 0.

Otherwise, if λ̂ is not the correct solution, then the correct solution must be λ̂ + 1. Now λ̂ + 1 satisfies equation (3.4); substituting λ̂ + 1 into (3.4),

    x_1^2 = y_3 + x_3(\hat\lambda + 1 + 1) = y_3 + x_3\hat\lambda           (3.16)

Similarly,

    Tr(t) = Tr(y_3 + x_3\hat\lambda) = Tr(x_1^2) = Tr(x_1) = Tr(a) = 1      (3.17)

That is, if Tr(t) = 1 then the correct solution is λ̂ + 1.

Let the λ-representation of a point 2P = (x3, y3) be (x3, λ3), where λ3 = x3 + y3/x3. With the λ-representation of 2P as the input to point halving, t in (3.12) can be computed directly from this λ-representation:

    t = x_3(x_3 + \lambda_3 + \hat\lambda) = x_3\left(x_3 + x_3 + \frac{y_3}{x_3} + \hat\lambda\right) = x_3\left(\frac{y_3}{x_3} + \hat\lambda\right) = y_3 + x_3\hat\lambda        (3.18)

If Tr(t) = 0, λ̂ is the correct answer, and from (3.13)

    x_1^2 = y_3 + x_3\hat\lambda + x_3 = t + x_3, \qquad x_1 = \sqrt{t + x_3}      (3.19)

If Tr(t) = 1, λ̂ + 1 is the right solution, and from (3.16)

    x_1^2 = y_3 + x_3\hat\lambda = t, \qquad x_1 = \sqrt{t}                 (3.20)

Next is the full algorithm of point halving. The input of the algorithm is the λ-representation 2P = (x3, λ3). The output is the λ-representation of P = (x1, λ1).

    1. Find a solution λ̂ of
           \lambda^2 + \lambda = a + x_3                                   (3.21)
    2. Compute t = x_3(x_3 + \lambda_3 + \hat\lambda)
    3. If Tr(t) = 0, then \lambda_1 = \hat\lambda, x_1 = \sqrt{t + x_3};
       else \lambda_1 = \hat\lambda + 1, x_1 = \sqrt{t}

Point halving requires one multiplication and three major operations: solving λ^2 + λ = a + x3, computing the trace of t, and calculating a square root, √t or √(t + x3).

A normal basis is of the form \{\beta^{2^{n-1}}, \beta^{2^{n-2}}, \ldots, \beta^2, \beta\}. Let c be an element of the field GF(2^n). By equation (2.3),

    c = c_{n-1}\beta^{2^{n-1}} + c_{n-2}\beta^{2^{n-2}} + \cdots + c_1\beta^2 + c_0\beta        (3.22)

The trace of c is

    Tr(c) = c_{n-1} + c_{n-2} + \cdots + c_1 + c_0                         (3.23)

The square root equals a cyclic shift right by one bit, the inverse of squaring:

    \sqrt{c} = c_0\beta^{2^{n-1}} + c_{n-1}\beta^{2^{n-2}} + \cdots + c_2\beta^2 + c_1\beta        (3.24)
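The halving procedure above, as an added example that is not code from the thesis: a small GF(2^5) in polynomial basis (constructed reduction polynomial x^5 + x^2 + 1 and constructed coefficient b) stands in for the normal-basis GF(2^163) of the implementation, the quadratic (3.21) is solved by the half-trace H(c) of (3.28), and the recovered half is checked by doubling it back to the input point.

```python
# Added example, not code from the thesis: point halving on y^2 + xy = x^3 + a x^2 + b
# over a constructed GF(2^5) in polynomial basis; the quadratic is solved by half-trace.
N = 5            # extension degree (odd, so Tr(1) = 1 as in GF(2^163))
MOD = 0b100101   # reduction polynomial x^5 + x^2 + 1 (constructed field)
A = 1            # curve coefficient a, as for the thesis's pseudo-random curve
B = 0b10011      # curve coefficient b (constructed; any b != 0 gives a nonsingular curve)

def gf_mul(u, v):
    """Multiply two field elements (bit vectors) modulo MOD."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> N:
            u ^= MOD
    return r

def gf_sqr(u):
    return gf_mul(u, u)

def gf_inv(u):
    """u^(2^n - 2) = 1/u by square-and-multiply (u != 0)."""
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u, e = gf_sqr(u), e >> 1
    return r

def gf_trace(c):
    """Tr(c) = c + c^2 + ... + c^(2^(n-1)), always 0 or 1."""
    t = 0
    for _ in range(N):
        t, c = t ^ c, gf_sqr(c)
    return t

def gf_half_trace(c):
    """H(c) = c + c^4 + c^16 + ... (n odd); H(c)^2 + H(c) = c + Tr(c)."""
    h = 0
    for _ in range((N + 1) // 2):
        h, c = h ^ c, gf_sqr(gf_sqr(c))
    return h

def gf_sqrt(c):
    """c^(2^(n-1)): n-1 squarings undo one squaring."""
    for _ in range(N - 1):
        c = gf_sqr(c)
    return c

def on_curve(x, y):
    return gf_sqr(y) ^ gf_mul(x, y) == gf_mul(gf_sqr(x), x) ^ gf_mul(A, gf_sqr(x)) ^ B

def to_lambda(P):
    """(x, y) -> (x, lambda), lambda = x + y/x."""
    x, y = P
    return x, x ^ gf_mul(y, gf_inv(x))

def from_lambda(L):
    """(x, lambda) -> (x, y), y = x (x + lambda)."""
    x, lam = L
    return x, gf_mul(x, x ^ lam)

def double(P):
    """Affine doubling (3.2): lambda = x1 + y1/x1, x3 = lambda^2 + lambda + a."""
    x1, y1 = P
    if x1 == 0:
        raise ValueError("2P = O for the 2-torsion point")
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_sqr(lam) ^ lam ^ A
    return x3, gf_sqr(x1) ^ gf_mul(x3, lam ^ 1)

def halve(Q):
    """Halve Q = 2P given as (x3, lambda3); returns (x1, lambda1) of the half
    whose x has trace Tr(a), chosen by Tr(t), t = x3 (x3 + lambda3 + lambda_hat)."""
    x3, lam3 = Q
    c = A ^ x3
    if gf_trace(c) != 0:
        raise ValueError("Tr(a + x3) = 1: Q is not a double, so it has no half")
    lam_hat = gf_half_trace(c)             # a root of lambda^2 + lambda = a + x3
    t = gf_mul(x3, x3 ^ lam3 ^ lam_hat)    # equals y3 + x3 * lambda_hat
    if gf_trace(t) == 0:
        return gf_sqrt(t ^ x3), lam_hat    # x1^2 = t + x3
    return gf_sqrt(t), lam_hat ^ 1         # x1^2 = t

def find_point():
    """First affine point with x != 0: solve (y/x)^2 + y/x = x + a + b/x^2 for y/x."""
    for x in range(1, 1 << N):
        rhs = x ^ A ^ gf_mul(B, gf_sqr(gf_inv(x)))
        if gf_trace(rhs) == 0:
            return x, gf_mul(x, gf_half_trace(rhs))
    raise ValueError("no affine point found")
```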

Solving the Second Degree Equation

Now we deal with the solutions of the second degree equation in (3.21). Let c be as in equation (3.22); there are two ways to solve the second degree equation

    \lambda^2 + \lambda = c                                                (3.25)

as given below. Let

    \lambda = \lambda_{n-1}\beta^{2^{n-1}} + \lambda_{n-2}\beta^{2^{n-2}} + \cdots + \lambda_1\beta^2 + \lambda_0\beta        (3.26)

A solution is given by

    \lambda_0 = 0, \quad \lambda_i = \sum_{k=1}^{i} c_k \ \text{for all}\ 1 \le i \le n-1        (3.27)

These operations are expected to be inexpensive relative to normal basis multiplication. Alternatively, we can solve equation (3.25) by the half-trace

    H(c) = c + c^{2^2} + c^{2^4} + \cdots + c^{2^{n-1}}                     (3.28)

Substituting (3.28) into (3.25) and using equations (2.2) and (2.5),

    H(c)^2 + H(c) = (c^2 + c^{2^3} + c^{2^5} + \cdots + c^{2^n}) + (c + c^{2^2} + c^{2^4} + \cdots + c^{2^{n-1}})
                  = c + c^2 + c^{2^2} + \cdots + c^{2^{n-1}} + c^{2^n} = Tr(c) + c        (3.29)

since c^{2^n} = c. Using the above equation, we can prove that H(a + x3) is a root of equation (3.3), since

    Tr(a + x_3) = Tr(a) + Tr(x_3) = 1 + 1 = 0                               (3.30)

As a result,

    H(a + x_3)^2 + H(a + x_3) = Tr(a + x_3) + a + x_3 = a + x_3              (3.31)

We now compare the operations of point halving with point doubling in affine and projective coordinates.

Table 3.1: Comparison between halving and doubling in affine and projective coordinates

    Operations                       Affine coordinates   Projective coordinates   Halving
    Multiplication                   2                    4                        1
    Squaring                         1                    5                        0
    Inversion                        1                    0                        0
    Solving second degree equation   0                    0                        1
    Square root                      0                    0                        1
    Check                            0                    0                        1

If the computation time of one second-degree-equation solution, one square root and one check is less than that of 3 multiplications and 5 squarings, then halving performs better than point doubling in projective coordinates.

Halve-and-Add Algorithm

Now that we have gone through point halving, we want to employ it in scalar multiplication. Over GF(2^n), given a point P on the elliptic curve of odd order r and a scalar k, in order to compute kP we will prove that [6]:

For every scalar k, we can find k' such that

    k \equiv \sum_{i=0}^{n-1} \frac{k'_i}{2^{n-1-i}} \pmod r                (3.32)

We prove this by first computing 2^{n-1} multiplied by k modulo r.

    2^{n-1} k \pmod r = \sum_{i=0}^{n-1} k'_i 2^i, \quad k'_i \in \{0, 1\}      (3.33)

Dividing both sides by 2^{n-1} gives the result:

    k \pmod r = \sum_{i=0}^{n-1} \frac{k'_i}{2^{n-1-i}}, \quad k'_i \in \{0, 1\}      (3.34)

Next is a left-to-right version of the halve-and-add algorithm, where k is first converted to k' by equation (3.33). Given GF(2^n), the input is k' and P, and the output is kP.

    2^{n-1} k \pmod r = \sum_{i=0}^{n-1} k'_i 2^i, \quad k'_i \in \{0, 1\}

    Q = O
    for i from n - 1 down to 0 {
        if k'_i = 1 then Q = Q + P
        P = P/2
    }                                                                     (3.35)

P is in λ-representation (xP, λP) and must be transformed into affine representation (xP, yP) before being added to Q. Q can be in projective coordinates, and Q + P is computed by (2.41).

For example, let GF(2^4) and r = 11 = "1011". Given P and the scalar k = 10, compute kP. First we convert k using equation (3.33):

    k' = 2^3 \cdot 10 \pmod{11} = 80 \pmod{11} = 3 = "0011"

One needs to compute P/2 (mod 11) in this example. We have 2^{-1} (mod 11) = 6, since 6 · 2 (mod 11) = 12 (mod 11) = 1. Given any integer x, x/2 (mod 11) = 6x (mod 11). From (3.35):

    k' =             "0               0                1                    1"
    P used:           P               6P               3P                   7P
    Q after step:     O               O                O + 3P = 3P          3P + 7P = 10P
    then P = P/2:     P/2 = 6P        6P/2 = 3P        3P/2 = 14P/2 = 7P

The result is the same as the one computed from (3.1).

Another version of the halve-and-add algorithm is a right-to-left method. Point halving is applied to the accumulator Q, hence projective coordinates cannot be used.

    2^{n-1} k \pmod r = \sum_{i=0}^{n-1} k'_i 2^i, \quad k'_i \in \{0, 1\}

    Q = O
    for i from n - 1 down to 0 {
        Q = Q/2
        if k'_i = 1 then Q = Q + P
    }                                                                     (3.36)

Using the same setting GF(2^4) and r = 11 = "1011", given P and the scalar k = 10, that is, k' = "0011", start from right to left:

    k' =        "0               0               1                         1"
    Q =   9P/2 = 10P  ←  7P/2 = 9P  ←  P/2 + P = 6P + P = 7P  ←  O + P = P  ←  O

And the final answer is 10P. Unlike algorithm (3.35), only one register for Q is required here.

3.3 Add-and-Subtract Algorithm

We can further encode the scalar k or k' of the halve-and-add algorithm when computing kP to reduce the Hamming weight of k or k', and hence the number of point additions. Since point addition is more expensive than point doubling or halving, the performance of scalar multiplication is improved. The add-and-subtract algorithm [2] eliminates runs of consecutive 1's by combinations of additions and subtractions. Given an n-bit scalar k,

    k = \sum_{i=0}^{n} e_i 2^i, \quad e_i \in \{-1, 0, 1\}                  (3.37)

Using the add-and-subtract algorithm, we find the digits e_i:

    Let k_{n-1} k_{n-2} ... k_1 k_0 be the binary representation of k,
    let h_n h_{n-1} ... h_1 h_0 be the sum k_{n-1} k_{n-2} ... k_1 k_0 + k_{n-1} k_{n-2} ... k_1,
    let g_n g_{n-1} ... g_1 g_0 equal 0 0 k_{n-1} k_{n-2} ... k_1
    for i from 0 to n {
        if h_i = 1 and g_i = 0, then e_i = 1
        else if h_i = 0 and g_i = 1, then e_i = -1
        else e_i = 0
    }                                                                     (3.38)

Take k = 29 = "11101" for example: h = "11101" + "1110" = "101011".

    h =  "1    0    1    0    1    1"
    g =  "0    0    1    1    1    0"
    e =  "1    0    0   -1    0    1"

It is easy to verify that

    k = 1 \cdot 2^5 - 1 \cdot 2^2 + 1 = 32 - 4 + 1 = 29

Combining the add-and-subtract algorithm with (3.35):

    2^{n-1} k \pmod r = \sum_{i=0}^{n-1} k'_i 2^i, \ k'_i \in \{0, 1\}
                      = \sum_{i=0}^{n} e_i 2^i, \ e_i \in \{-1, 0, 1\}

    Q = O
    for i from n down to 0 {
        if e_i = 1 then Q = Q + P
        else if e_i = -1 then Q = Q - P
        P = P/2
    }                                                                     (3.39)

-P is given by (2.36). Combining the add-and-subtract algorithm with (3.1) or (3.36) works too.
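The scalar-side bookkeeping of halve-and-add and add-and-subtract, as an added example that is not the thesis's code: point operations are simulated on multiples of P modulo the odd order r, so P/2 is multiplication by 2^{-1} mod r, and the GF(2^4), r = 11 walk-throughs above are reproduced without any curve arithmetic. The conversion takes the number of halvings as a parameter: with n − 1 halvings it is exactly (3.33); since the add-and-subtract encoding of k' has n + 1 digits, the signed variant performs n halvings and converts with 2^n instead, which is the example's own adjustment.

```python
# Added example (not the thesis's code): halve-and-add simulated on scalars mod r.
def halving_scalar(k, r, halvings):
    """k' = 2^halvings * k mod r, so that 'halvings' point halvings undo the
    factor; halvings = n - 1 gives equation (3.33) for an n-digit k'."""
    return (pow(2, halvings, r) * k) % r


def to_bits(k, n):
    """k as n binary digits, most significant first."""
    return [(k >> i) & 1 for i in range(n - 1, -1, -1)]


def add_and_subtract(k, n):
    """Signed digits e_n..e_0 (most significant first) with sum e_i 2^i = k,
    built from h = k + (k >> 1) and g = k >> 1 as in (3.38)."""
    h, g = k + (k >> 1), k >> 1
    digits = []
    for i in range(n, -1, -1):
        hi, gi = (h >> i) & 1, (g >> i) & 1
        digits.append(1 if (hi, gi) == (1, 0) else -1 if (hi, gi) == (0, 1) else 0)
    return digits


def halve_and_add_ltr(digits, r):
    """Left-to-right (3.35)/(3.39): add +/-P when the digit is nonzero, then
    halve P.  Returns the multiple of P held in the accumulator Q."""
    inv2 = pow(2, -1, r)                    # 2^-1 mod r, e.g. 6 for r = 11
    q, p = 0, 1                             # Q = O, P = 1*P
    for d in digits:
        q = (q + d * p) % r                 # Q = Q + P, Q - P, or unchanged
        p = (p * inv2) % r                  # P = P/2 (the last one is idle)
    return q


def halve_and_add_rtl(digits, r):
    """Right-to-left (3.36): halve the accumulator, then add P when the digit
    is 1; the digits are consumed from least significant to most significant."""
    inv2 = pow(2, -1, r)
    q = 0
    for d in reversed(digits):
        q = (q * inv2 + d) % r              # Q = Q/2, then Q = Q + P if d = 1
    return q


def scalar_mult(k, r, n, signed=False):
    """kP (as a multiple of P mod r) via halve-and-add over n-bit scalars.
    signed=True uses the add-and-subtract encoding, which has n+1 digits and
    therefore needs n halvings and the conversion 2^n k mod r."""
    if signed:
        kp = halving_scalar(k, r, n)
        return halve_and_add_ltr(add_and_subtract(kp, n), r)
    kp = halving_scalar(k, r, n - 1)
    return halve_and_add_ltr(to_bits(kp, n), r)
```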

CHAPTER 4
Implementation Results and Comparisons

My implementation uses a pseudo-random curve in normal basis over GF(2^163) of the form

    y^2 + xy = x^3 + x^2 + b                                              (4.1)

The normal basis is of type 4, which is not an optimal normal basis. The base point is P = (Px, Py):

    P_x = x_{162}\beta^{2^{162}} + x_{161}\beta^{2^{161}} + \cdots + x_1\beta^2 + x_0\beta        (4.2)
    P_y = y_{162}\beta^{2^{162}} + y_{161}\beta^{2^{161}} + \cdots + y_1\beta^2 + y_0\beta        (4.3)

Express Px and Py as the 163-bit numbers x_{162} x_{161} ... x_1 x_0 and y_{162} y_{161} ... y_1 y_0. Their values in hexadecimal are

    Px = 0_bb95_2eb0_8fc0_b1c8_699f_739a_9357_3474_1e04_4460                (4.4)
    Py = 7_f185_6ef0_98cf_adc8_077e_e437_33a7_f113_1e41_ae66                (4.5)

If P is in λ-representation, then

    Pλ = 3_e6c0_a681_341a_b0a3_6cc5_c338_7bff_ea7e_014f_a6a3                (4.6)

The value of the coefficient b in equation (4.1) is

    b = 6_fcde_3c9e_f967_437b_e459_b1ce_438e_3479_a9e7_d133                 (4.7)

The base point P has order r, a large prime whose decimal value is

    r = 5846006549323611672814742442876390689256843201587                  (4.8)

The number of points on the elliptic curve is 2r.

The fundamental element of the entire circuit is the GF(2^163) normal basis serial multiplier. Let the inputs be as in (2.5) and the output as in (2.6). Using the algorithm in [2], the product is derived as

    c_0 = a_1(b_0 + b_{13} + b_{132} + b_{117}) + a_2(b_{117} + b_{92} + b_{111} + b_{145}) + \cdots        (4.9)

The formulas for the other coordinates can be derived from the above:

    c_1 = a_2(b_1 + b_{14} + b_{133} + b_{118}) + a_3(b_{118} + b_{93} + b_{112} + b_{146}) + \cdots
    c_2 = a_3(b_2 + b_{15} + b_{134} + b_{119}) + a_4(b_{119} + b_{94} + b_{113} + b_{147}) + \cdots
    ⋮

We can implement this using three registers to store the inputs A, B and the output C. Implement equation (4.9) and cyclically shift these three registers by one bit at each cycle; the product is then generated bit by bit. The circuit diagram is given below:

Figure 4.1: Normal basis multiplier, version 1

The combinational circuit at the input of c_0 is not drawn; only the idea of the connection is given. The latency of this multiplier is 163 cycles, and c_0 has a large fan-in. We can modify the above multiplier by adding one term at each cycle [9]. For example:

    c_2 = c_1 + a_1(b_0 + b_{13} + b_{132} + b_{117})
    c_3 = c_2 + a_4(b_{119} + b_{94} + b_{113} + b_{147})
    ⋮

The following is the multiplication cell for adding one term at each cycle:

Figure 4.2: Multiplier element of c_k

Modifying the original multiplier, we get:

Figure 4.3: Normal basis multiplier, version 2

This is a conceptual diagram showing the difference in wiring. The fan-in of the output register is reduced. Another benefit of this multiplier is that we can set the register C to a value, say D, at the beginning; the final output then equals A·B + D, which is the effect of a MAC (multiply-and-accumulate).

The solution of the second degree equation is given by equation (3.27). This can be implemented easily using a one-bit register and an exclusive-or. Since the solution is produced serially, we can modify the above multiplier by adding each a_i term of the product at each cycle. For example,

    c_0 = c_1 + a(b_{13} + b_{117} + b_0 + b_{132})
    c_1 = c_2 + a(b_{111} + b_{145} + b_{117} + b_{92})
    ⋮

Using cells similar to those in Figure 4.2, the new normal basis multiplier is:

Figure 4.4: Serial input normal basis multiplier

Combining the solution circuit with the serial input normal basis multiplier results in an efficient implementation of point halving.

The input of point halving is in λ-representation. For the implementation of point halving, one normal basis multiplier is used. The second degree equation is solved by the half-trace as given by equation (3.31). The trace of t is given by the exclusive-or of every bit of t. Since only one multiplier is required, the overall latency is 163 cycles. The architecture of point halving is given below. Let 2P = (x3, λ3); the output is P = (x1, λ1).

Figure 4.5: Circuit for point halving

The procedure of point halving is:

Figure 4.6: Point halving flow

The coefficient a of the pseudo-random curve is always equal to one. One, the multiplicative identity in normal basis, is the element whose every bit is 1. The right hand side of equation (3.3) equals

    a + x_3 = 1 + x_3 = \overline{x_3}

That is, exclusive-oring each bit of x3 with 1 is the same as inverting each bit.

In order to implement scalar multiplication efficiently, algorithm (3.39) is chosen. Since point addition in projective coordinates requires no inversion, we keep the accumulator Q of (3.39) in projective coordinates. The point addition Q + P or Q − P has Q in projective coordinates and P in λ-representation P = (X1, λ1). From (3.5) we modify formula (2.41) as:

    Y_2 = X_2(X_2 + \lambda_2),          Z_3 = C^2,
    A = Y_2 \cdot Z_1^2 + Y_1,           X_3 = A^2 + D + E,
    B = X_2 \cdot Z_1 + X_1,             F = X_3 + X_2 \cdot Z_3,
    C = Z_1 \cdot B,                     G = (X_2 + Y_2) \cdot Z_3^2,
    D = B^2 \cdot (C + aZ_1^2),          Y_3 = (E + Z_3) \cdot F + G.            (4.10)
    E = A \cdot C,

My implementation of (2.41) contains three multipliers. Due to the data dependency, the data calculated by each multiplication is arranged as follows with minimum latency. The data dependency is indicated.

Table 4.1: The data flow of mixed-coordinates addition (4.10)

As we can see from the above table, the timing of this mixed-coordinates addition equals 4 multiplications, which is 4 · 163 cycles. The following is the circuit diagram of the mixed-coordinates addition. The multiplier in the diagram has three inputs: two for the multiplication and one for accumulation. The neg signal is for adding −P to Q. The ini signal indicates the initial condition O + P = P, that is, X3 = X2, Y3 = Y2 or X2 + Y2, and Z3 = 1.

Figure 4.7: Circuit for mixed-coordinates addition

My proposed design is a scalar multiplication circuit based on algorithm (3.39). It is composed of the point halving circuit and the point adding circuit plus some control signals. The inputs are k', derived from k as shown in (3.33), and the base point P. The output is kP. k' is first encoded into e as in (3.39). From (3.38), the implementation of the encoding logic uses two shift registers to store g and h. The shift registers shift by one bit every time a point halving completes. We observe the MSBs of the g and h registers to decide whether the input to the point addition circuit is P or −P. Since there are separate registers for the accumulator Q and for P, the halving circuit and the adding circuit can operate at the same time, which makes the computation more efficient. When e_i is nonzero, that is, when the MSBs of the g and h registers are

different, the halving circuit must hold its output until the adding circuit has read the result. The point addition circuit adds P or −P to the accumulator when e_i is 1 or −1. The control flow of the whole circuit is:

Figure 4.8: The control of point halving and projective addition

The synthesis results are given below. The cycle time is set to 5 ns and the synthesis standard library is a 0.18μm technology.

Table 4.2: The synthesized results

    Circuits                Gate counts
    Multiplier              6961
    Halving                 14321
    Addition                45723
    Scalar multiplication   77100

The average latency of scalar multiplication is about 37000 cycles at a frequency of 200 MHz, so the throughput is 2 · 163 · 200 MHz / 37000 = 1.76 Mbit/s.

Verification is done with an integrated FPGA system called iProve, which allows the outputs of the FPGA to be displayed in ModelSim directly. The FPGA chip is a Xilinx Virtex2 XC2V8000. The synthesis frequency is set to 90 MHz and the total number of LUTs is 8815.

The tables below list a comparison of Elliptic Curve Cryptosystems implementations. We can see that our design has about the same throughput as [12] while the area is smaller.

Table 4.3: The performance comparison of Elliptic Curve Cryptosystems implementations on ASIC

    Authors                  Huang [10]           Okada [11]       Bai [12]             Daneshbeh [13]   Sozzani [14]           Proposed
    Technology               0.35μm               0.25μm           0.18μm               0.18μm           0.13μm                 0.18μm
    Field                    GF(2^251)            GF(2^163)        GF(2^233)            GF(2^163)        GF(2^163)              GF(2^163)
    Gate counts              56K                  165K             120K                 74K              ?                      77K
    Clock rate               100MHz               66MHz            100MHz               700MHz           400MHz                 200MHz
    Latency for kP (cycles)  ?                    ?                ?                    212,552          11,320                 37,000
    Processor                Y                    Y                N                    Y                Y                      N
    Algorithm for kP         Montgomery (affine)  Double-and-Add   Montgomery (serial)  ?                Montgomery (parallel)  Halve-and-Add
    Basis                    Poly                 Poly             Poly                 Poly             Poly                   Normal
    Throughput               91Kb/s               501Kb/s          1.86Mb/s             1.1Mb/s          12Mb/s                 1.76Mb/s

Table 4.4: The performance comparison of Elliptic Curve Cryptosystems implementations on FPGA

    Authors            Orlando & Paar [15]   Gura [16]          Lutz [17]          Proposed
    Platform           Xilinx XCV400E        Xilinx XCV2000E    Xilinx XCV2000E    Xilinx XC2V8000
    Technology         0.18μm                0.18μm             0.18μm             0.15/0.12μm
    Field              GF(2^167)             GF(2^163)          GF(2^163)          GF(2^163)
    LUTs               3002                  19508              10017              8815
    FFs                1769                  6442               1930               N/A
    Processor          Y                     Y                  Y                  N
    Clock rate         76MHz                 66MHz              66MHz              90MHz
    Algorithm for kP   Montgomery            Montgomery         τ-NAF              Halve-and-Add
    Basis              Poly                  Poly               Poly               Normal
    Throughput         1.5Mb/s               2.2Mb/s            4.3Mb/s            792kb/s

CHAPTER 5
Conclusion

In this paper, an implementation of Elliptic Curve Cryptosystems is shown. The architecture uses point halving to reduce the computational complexity. Point halving requires only one multiplier and some addition circuits, so we can replace the double-and-add algorithm by the halve-and-add algorithm. The normal basis multiplier in the implementation is a serial multiplier. The projective addition circuit contains three multipliers; its timing equals 4 times that of a multiplier, and no inversion over the finite field is required. The input is encoded for the use of halve-and-add, and we can further reduce the Hamming weight of the input using the add-and-subtract algorithm. The halving circuit and the projective addition circuit can work in parallel under the condition that the data have no dependency. The implementation is synthesized using a 0.18μm technology synthesis library, and a Xilinx Virtex2 (XC2V8000) is used to verify the implementation.

APPENDIX
Elliptic Curve Cryptosystems

In elliptic curve cryptosystems, we need to map a message onto a point on an elliptic curve. The cryptosystem then operates on that point to yield a new point that serves as the ciphertext. The idea of the mapping method is the following. Let equation (2.15) be the elliptic curve. The message m is first assigned as the x-coordinate of a point. However, there is only a 1/2 chance that there exists a solution y such that

    y^2 \equiv x^3 + ax + b \pmod p                                        (a.1)

Therefore, we append a few bits at the end of m and try every pattern of these bits until there is a solution to equation (a.1). Namely, let K be a large integer so that, when trying to map a message to a point on the elliptic curve, the failure rate of 1/2^K is low. Suppose that

    (m + 1)K < p                                                          (a.2)

Represent the message m as

    x = mK + j, \quad 0 \le j < K                                          (a.3)

For j = 0, 1, ..., K − 1, try to find a solution y from (a.1). If a solution y exists, then message m is mapped to Pm = (x, y) and we can stop. Otherwise, increase j by one and use the new x to look for a solution again. If we cannot find any solution for j = 0 to K − 1, then we have failed to map message m to a point; we should pick a larger integer K and start over. Since for each j the probability of finding a solution is 1/2, we have a 1/2^K chance of failure. Finally, the encoded message can be recovered from the point Pm = (x, y) by

    m = \lfloor x / K \rfloor                                              (a.4)

For example, let the message be m = 5, p = 179 and the elliptic curve y^2 = x^3 + 2x + 7. Pick K = 10, so the failure rate is 1/2^10, which is acceptable. Then x = mK + j = 50 + j, that is, x = 50, 51, ..., 59. For x = 51 we get x^3 + 2x + 7 ≡ 121 (mod 179), thus y = 11. The message m is mapped to the point (51, 11) and can be recovered by m = ⌊51/10⌋ = 5.

For an elliptic curve over GF(2^n) of the form (2.16), the steps of representing a message m are the same. Let the message m have t bits; we append a u-bit number j to the end of m, with t + u ≤ n. The message m is represented as x = m·2^u + j. For j = 0, 1, ..., 2^u − 1, try to find a solution y from (2.16). If a solution is found we take Pm = (x, y); otherwise increase j and try again. Solving y from (2.16) for a given x is explained in [8].

Elliptic Curve Cryptosystems rely on the difficulty of solving the discrete logarithm problem for elliptic curves, which is described as follows: suppose P, Q are two points on the elliptic curve; find k such that Q = kP [7].

a.1 Elliptic Curve ElGamal Cryptosystem

The Elliptic Curve ElGamal Cryptosystem, a public key system, is one popular application of elliptic curve cryptography. One uses the public key to encrypt plaintext and the private key to decrypt ciphertext. Let us take a look at this cryptosystem. Alice wants to send a message to Bob, so Bob chooses an elliptic curve (2.15), where p is a large prime. He also chooses a point P and a scalar k, which is the private key. He computes

    Q = kP                                                                (a.5)

The points Q and P are Bob's public key. Alice represents her message as a point x on the elliptic curve (2.15). She also chooses a private integer a and computes (the additions and subtractions here are point operations)

    y_1 = aP \quad \text{and} \quad y_2 = x + aQ                           (a.6)

She sends y1 and y2 to Bob. Bob decrypts x by calculating

    y_2 - k y_1 = (x + aQ) - kaP = x + akP - kaP = x                       (a.7)

Next is an example of the Elliptic Curve ElGamal Cryptosystem. Let the point be P = (4, 11) and the elliptic curve y^2 ≡ x^3 + 3x + 45 (mod 8831). Alice's message is represented as the point Pm = (5, 1743), which she wants to send to Bob. Bob has the private key k = 3 and computes Q = kP = (413, 1808); Q is made public. Alice takes Bob's public key Q and chooses the random number a = 8. She computes y1 = aP = (5415, 6321) and y2 = Pm + aQ = (6626, 3576), and sends (y1, y2) to Bob. To decrypt (y1, y2), Bob first calculates ky1 = 3(5415, 6321) = (673, 146) and subtracts this from y2:

    (6626, 3576) − (673, 146) = (6626, 3576) + (673, −146) = (5, 1743)

a.2 Elliptic Curve Diffie-Hellman Key Exchange

Another useful system is the Elliptic Curve Diffie-Hellman Key Exchange, which can be used to exchange a key for a private key system. Alice and Bob want to exchange a key. They choose a base point P = (3, 5) on the elliptic curve E: y^2 ≡ x^3 + x + 7206 (mod 7211). Alice chooses the random integer a = 12 and Bob chooses b = 23. They compute aP and bP and make them public.

    aP = (1794, 6375) and bP = (3861, 1242)

Alice takes bP and multiplies it by a to get the key:

    a(bP) = 12(3861, 1242) = (1472, 2098)

In the same way, Bob takes aP and computes

    b(aP) = 23(1794, 6375) = (1472, 2098)

Now they have the same key.

a.3 Elliptic Curve Digital Signature Algorithm

A signature is the opposite of a public key system: one uses the private key to sign and others use the public key to verify the signature. Next is the Elliptic Curve Digital Signature Algorithm.

Let p be a prime and let the elliptic curve E be defined over GF(p). P is a point on E having prime order q. Define K = (p, q, E, P, m, Q), where Q = mP; p, q, E, P and Q are the public key and m is the private key. For K = (p, q, E, P, m, Q) and a random number k, define sig_K(x, k) = (r, s), where

    kP = (u, v)
    r = u mod q, and                                                      (a.8)

    s = k^{-1}(SHA-1(x) + mr) mod q

Verification is given below:

    w = s^{-1} mod q
    i = w · SHA-1(x) mod q
    j = w · r mod q
    (u, v) = iP + jQ

ver_K(x, (r, s)) is true if and only if u mod q = r.

Let E: y^2 ≡ x^3 + x + 6 (mod 11), with p = 11, q = 13, P = (2, 7), m = 7 and Q = (7, 2). Suppose the message x has SHA-1(x) = 4, and Alice signs the message with the random value k = 3. She computes:

    (u, v) = 3(2, 7) = (8, 3)
    r = u mod 13 = 8, and
    s = 3^{-1}(4 + 7 · 8) mod 13 = 7

(8, 7) is the signature. Bob verifies the signature by

    w = 7^{-1} mod 13 = 2
    i = 2 · 4 mod 13 = 8
    j = 2 · 8 mod 13 = 3
    (u, v) = 8P + 3Q = (8, 3), and

    u mod 13 = 8 = r

Thus the signature is verified.
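The ECDSA example above, as an added example that is not code from the thesis: affine chord-and-tangent arithmetic on y^2 = x^3 + x + 6 (mod 11), signing with the hash value SHA-1(x) = 4 and nonce k = 3 taken as given, and the verification equation u mod q = r, together with the range checks on (r, s) that the appendix's description leaves implicit.

```python
# Added example (not code from the thesis): ECDSA on the appendix's toy curve
# y^2 = x^3 + x + 6 (mod 11), base point P = (2, 7) of prime order q = 13.
# Points are affine pairs; None stands for the point at infinity O.
P_MOD = 11
CURVE_A, CURVE_B = 1, 6
ORDER_Q = 13
BASE = (2, 7)


def ec_add(P1, P2, p=P_MOD, a=CURVE_A):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over GF(p)."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, P1):
    """Double-and-add scalar multiplication, most significant bit first."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P1)
    return R


def ecdsa_sign(hash_value, m, k, q=ORDER_Q):
    """(r, s) with r = u mod q for kP = (u, v) and s = k^-1 (h + m r) mod q."""
    u, _ = ec_mul(k, BASE)
    r = u % q
    s = pow(k, -1, q) * (hash_value + m * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce k; pick another")
    return r, s


def ecdsa_verify(hash_value, sig, Q, q=ORDER_Q):
    """True iff u mod q == r for (u, v) = iP + jQ, i = w h, j = w r, w = s^-1."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    point = ec_add(ec_mul(w * hash_value % q, BASE), ec_mul(w * r % q, Q))
    return point is not None and point[0] % q == r
```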

BIBLIOGRAPHY

[1] "Certicom ECC FAQ", http://www.certicom.com/index.php?action=ecc,ecc_faq.
[2] IEEE Std 1363-2000, IEEE standard specifications for public-key cryptography, IEEE Computer Society, August 29, 2000.
[3] Douglas R. Stinson, Cryptography: Theory and Practice, Second edition, Chapman & Hall/CRC, 2002.
[4] J. Lopez and R. Dahab, "Improved algorithms for elliptic curve arithmetic in GF(2^n)", Selected Areas in Cryptography - SAC '98, LNCS 1556, 1999, pp. 201-212.
[5] K. Fong, D. Hankerson, J. Lopez, and A. Menezes, "Field Inversion and Point Halving Revisited", IEEE Transactions on Computers, 53(8):1047-1059, August 2004.
[6] E. Knudsen, "Elliptic scalar multiplication using point halving", Advances in Cryptology - Asiacrypt '99, LNCS 1716, 1999, pp. 135-149.
[7] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, Prentice Hall, 2001.
[8] ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1998.
[9] Philip H. W. Leong and Ivan K. H. Leung, "A microcoded elliptic curve processor using FPGA technology", IEEE Transactions on VLSI Systems, 10(5), October 2002.
[10] Chi Huang, Jimmei Lai, Junyan Ren, and Qianling Zhang, "Scalable Elliptic Curve Encryption Processor for Portable Application", 5th Int. Conf. ASIC, pp. 1312-1316, Oct. 2003.

[11] Souichi Okada, Naoya Torii, Kouichi Itoh, and Masahiko Takenaka, "Implementation of elliptic curve cryptographic coprocessor over GF(2^m) on an FPGA", Cryptographic Hardware and Embedded Systems (CHES), pp. 25-40, Springer-Verlag, 2000.
[12] Guoqiang Bai, Zhun Huang, Hang Yuan, Hongyi Chen, Ming Liu, Gang Chen, Tao Zhou, and Zhihua Chen, "A high performance VLSI chip of the elliptic curve cryptosystems", 7th Int. Conf. SICT, pp. 2059-2062, Oct. 2004.
[13] A. Daneshbeh and M. Hasan, "Area Efficient High Speed Elliptic Curve Cryptoprocessors for Random Curves", Proceedings of ITCC 04, Las Vegas, NE, USA, 2004.
[14] F. Sozzani, G. Bertoni, S. Turcato, and L. Breveglieri, "A Parallelized Design for an Elliptic Curve Cryptosystem Coprocessor", Proceedings of ITCC 05, 2005.
[15] G. Orlando and C. Paar, "A high-performance reconfigurable elliptic curve processor for GF(2^m)", Cryptographic Hardware and Embedded Systems (CHES), 2000.
[16] N. Gura, S. C. Shantz, H. Eberle, S. Gupta, V. Gupta, D. Finchelstein, E. Goupy, and D. Stebila, "An end-to-end systems approach to elliptic curve cryptography", Cryptographic Hardware and Embedded Systems (CHES), 2002.
[17] J. Lutz and A. Hasan, "High Performance FPGA based Elliptic Curve Cryptographic Co-Processor", Proceedings of ITCC 04, Las Vegas, NE, USA, 2004.
