A gentle introduction to elliptic curve cryptography
Post on 04-Jun-2020
Part 1: Motivation
Part 2: Elliptic Curves
Part 3: Elliptic Curve Cryptography
Part 4: Next-generation ECC
Diffie-Hellman key exchange (circa 1976)
p = 685408003627063761059275919665781694368639459527871881531452
g = 123456789
a = 1606938044258990275541962092341162602522202993782792835301301
b = 362059131912941987637880257325269696682836735524942246807440
$g^a \bmod p$ = 78467374529422653579754596319852702575499692980085777948593
$g^b \bmod p$ = 560048104293218128667441021342483133802626271394299410128798
$g^{ab} \bmod p$ = 437452857085801785219961443000845969831329749878767465041215
Index calculus
e.g. $3^x \equiv 37 \pmod{1217}$, i.e., solve $g^x \equiv h \pmod p$
- factor base $F_B = \{2, 3, 5, 7, 11, 13, 17, 19\}$, $\#F_B = 8$
- Find 8 values of $k$ where $3^k$ splits over $F_B$, i.e., $3^k \equiv \pm\prod p_i \pmod p$:
  $3^{1} \equiv 3$, $3^{24} \equiv -2^2 \cdot 7 \cdot 13$, $3^{25} \equiv 5^3$, $3^{30} \equiv -2 \cdot 5^2$, $3^{34} \equiv -3 \cdot 7 \cdot 19$, $3^{54} \equiv -5 \cdot 11$, $3^{71} \equiv -17$, $3^{87} \equiv 13 \pmod{1217}$
- Taking logs $L(\cdot)$ to the base 3 turns these into linear relations mod $p - 1 = 1216$ (with $L(-1) = 608 = (p-1)/2$):
  $1 \equiv L(3)$, $24 \equiv 608 + 2L(2) + L(7) + L(13)$, $25 \equiv 3L(5)$, $30 \equiv 608 + L(2) + 2L(5)$, $34 \equiv 608 + L(3) + L(7) + L(19)$, $54 \equiv 608 + L(5) + L(11)$, $71 \equiv 608 + L(17)$, $87 \equiv L(13) \pmod{1216}$
- Solving the system gives the logs of the factor base (mod 1216):
  $L(2) \equiv 216$, $L(3) \equiv 1$, $L(5) \equiv 819$, $L(7) \equiv 113$, $L(11) \equiv 1059$, $L(13) \equiv 87$, $L(17) \equiv 679$, $L(19) \equiv 528$
- Now search for $k$ such that $g^k \cdot h = 3^k \cdot 37$ factors over $F_B$:
  $3^{16} \cdot 37 \equiv 2^3 \cdot 7 \cdot 11 \pmod{1217}$
  $L(37) \equiv 3L(2) + L(7) + L(11) - 16 \equiv 3 \cdot 216 + 113 + 1059 - 16 \equiv 588 \pmod{1216}$
Subexponential complexity $L_p[1/3, (64/9)^{1/3}] = e^{\left((64/9)^{1/3} + o(1)\right)(\ln p)^{1/3}(\ln\ln p)^{2/3}}$
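Added worked example, not from the slides: the index calculus computation above carried out for the sl​ide's own instance (base 3, modulus 1217, factor base {2,...,19}, the eight exponents the slide picked). Relation collection, the linear solve mod 1216 and the final descent for 37 are all recomputed; the solver is a simple back-substitution that is enough for these relations, as noted in the code.

```python
from math import gcd

P, G = 1217, 3                                      # the slide's instance: 3^x = 37 (mod 1217)
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19]
SLIDE_EXPONENTS = [1, 24, 25, 30, 34, 54, 71, 87]   # the k's chosen on the slide


def smooth_over(n, base):
    """Return {q: e} with n = prod q^e if n factors completely over base, else None."""
    exps = {}
    for q in base:
        while n % q == 0:
            exps[q] = exps.get(q, 0) + 1
            n //= q
    return exps if n == 1 else None


def signed_smooth(n, p, base):
    """All ways to write n = ±prod q^e (mod p): a list of (sign, exps), possibly empty."""
    out = []
    for sign, m in ((1, n % p), (-1, (-n) % p)):
        exps = smooth_over(m, base)
        if exps is not None:
            out.append((sign, exps))
    return out


def relations(p, g, base, exponents):
    """One relation g^k = sign * prod q^e (mod p) for each way g^k splits."""
    rels = []
    for k in exponents:
        found = signed_smooth(pow(g, k, p), p, base)
        if not found:
            raise ValueError(f"g^{k} does not split over the factor base")
        rels.extend((k, sign, exps) for sign, exps in found)
    return rels


def solve_logs(rels, p):
    """Solve k = [L(-1)] + sum e_q L(q) over Z/(p-1), with L(-1) = (p-1)/2.
    Back-substitution on relations with a single unknown whose exponent is
    invertible mod p-1; enough for the slide's relations (a general instance
    needs Gaussian elimination mod p-1)."""
    n = p - 1
    logs, progress = {}, True
    while progress:
        progress = False
        for k, sign, exps in rels:
            unknown = [q for q in exps if q not in logs]
            if len(unknown) != 1 or gcd(exps[unknown[0]], n) != 1:
                continue
            q = unknown[0]
            rhs = k - (n // 2 if sign < 0 else 0)
            rhs -= sum(e * logs[r] for r, e in exps.items() if r != q)
            logs[q] = rhs * pow(exps[q], -1, n) % n
            progress = True
    return logs


def descend(h, p, g, logs):
    """Find k with g^k * h smooth over the known logs; then L(h) = [L(-1)] + sum e L(q) - k."""
    n = p - 1
    for k in range(1, n):
        found = signed_smooth(pow(g, k, p) * h, p, logs.keys())
        if found:
            sign, exps = found[0]
            total = sum(e * logs[q] for q, e in exps.items()) + (n // 2 if sign < 0 else 0)
            return (total - k) % n
    return None


def solve_slide_instance():
    """Returns (factor-base logs, L(37)) for the slide's instance."""
    logs = solve_logs(relations(P, G, FACTOR_BASE, SLIDE_EXPONENTS), P)
    return logs, descend(37, P, G, logs)
```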
Diffie-Hellman key exchange (circa 2016)
g = 123456789, with a modulus $q$, secrets $a, b$ and the values $g^a, g^b, g^{ab} \bmod q$ that each run to many hundreds of digits
• Individual secret keys secure under Discrete Log Problem (DLP): $g, g^x \mapsto x$
• Shared secret secure under Diffie-Hellman Problem (DHP): $g, g^a, g^b \mapsto g^{ab}$
• Fundamental operation in DH is group exponentiation: $g, x \mapsto g^x$
  ↦ done via "square-and-multiply", e.g., $(x)_2 = 1,0,1,1,0,0,0,1 \mapsto \ldots$
• We are working "mod $p$", but only with one operation: multiplication
• Main reason for fields being so big: (sub-exponential) index calculus attacks!
Diffie-Hellman key exchange (cont.)
DH key exchange (Koblitz-Miller style)
If all we need is a group, why not use elliptic curve groups?
Rationale: "it is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work" [Miller, 85]
Part 1: Motivation
Part 2: Elliptic Curves
Part 3: Elliptic Curve Cryptography
Part 4: Next-generation ECC
Some good references
Silverman's talk: "An Introduction to the Theory of Elliptic Curves", http://www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf
Sutherland's MIT course on elliptic curves: https://math.mit.edu/classes/18.783/2015/lectures.html
Koblitz-Menezes: ECC: the serpentine course of a paradigm shift, http://eprint.iacr.org/2008/390.pdf
Elliptic curves
ECC
elliptic curve group $(E, \oplus)$ can do $\oplus$, $\ominus$
underlying field $(K, +, \times)$ can do $+$, $-$, $\times$, $\div$
If you've never seen an elliptic curve before....
Remember: an elliptic curve is a group defined over a field
operations in underlying field are used and combined to compute the elliptic curve operation $\oplus$
Boring curves: $f(x, y) = 0$ or $f(X, Y, Z) = 0$
Degree 1 (lines): $ax + by = c$, $ab \neq 0$
Degree 2 (conic sections): $ax^2 + bxy + cy^2 + dx + ey + f = 0$, $abc \neq 0$
e.g., ellipses, hyperbolas, parabolas
• "Genus" measures geometric complexity, and both are genus 0
• We know how to describe all solutions to these, e.g., over (exts of) $\mathbb{Q}$
• Not cryptographically interesting
• Degree 3 is where all the fun begins…
Elliptic curves
$ax^3 + bx^2y + cxy^2 + dy^3 + ex^2 + fxy + gy^2 + hx + iy + j = 0$
$E/K\colon y^2 = x^3 + ax + b$, $\operatorname{char}(K) \neq 2, 3$
• Elliptic curves ↔ genus 1 curves
• Set is the points $(x, y) \in K \times K$ satisfying the above equation
• Geometrically/arithmetically/cryptographically interesting
• Fermat's last theorem/BSD conjecture/…
$E$ specified by $K, a, b$
• So $E$ is a set, but to be a group we need an operation
• The operation is between points: $(x_1, y_1) \oplus (x_2, y_2) = (x_3, y_3)$
• Remember: a group $(E, \oplus)$ defined over a field $(K, +, \times)$
• $K$ will be fields we're used to, e.g., $\mathbb{Q}, \mathbb{R}, \mathbb{C}, \mathbb{F}_q$
• Remember: the (boring) operations $+, -, \times, \div$ in $K$ are used to compute the (exotic) operation $\oplus$ on $E$
Elliptic curves are groups
Fun fact: homomorphism between Jacobian of elliptic curve and elliptic curve itself.
Upshot: you don't have to know what a Jacobian is to understand/do elliptic curve cryptography
Elliptic curve group law is easy
The elliptic curve group law $\oplus$
We need $(x_1, y_1) \oplus (x_2, y_2) = (x_3, y_3)$
Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve?
Answer: A line that intersects a cubic twice must intersect it again, so we draw a line through the points $(x_1, y_1)$ and $(x_2, y_2)$
The curve $y^2 = x^3 + ax + b$ intersected with the line $y = \lambda x + \nu$:
$x^3 - (\lambda x + \nu)^2 + ax + b = 0$
$x^3 - \lambda^2 x^2 + (a - 2\lambda\nu)x + (b - \nu^2) = (x - x_1)(x - x_2)(x - x_3)$
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = -(\lambda x_3 + \nu)$
where $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$ for two distinct points, or $\lambda = \dfrac{dy}{dx} = \dfrac{3x_1^2 + a}{2y_1}$ when doubling a point
The (abelian) group axioms
• Closure: the third point of intersection must be in the field
• Identity: $E_{a,b}(K) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{\infty\}$
• Inverse: $-(x, y) = (x, -y)$
• Associative: proof by picture
• Commutative: line through $P$ and $Q$ same as line through $Q$ and $P$
Part 1: Motivation
Part 2: Elliptic Curves
Part 3: Elliptic Curve Cryptography
Part 4: Next-generation ECC
ECDH key exchange (1999 – nowish)
$E/\mathbb{F}_p\colon y^2 = x^3 - 3x + b$
$p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$ = 115792089210356248762697446949407573530086143415290314195533631308867097853951
$P$ = (48439561293906451759052585252797914202762949526041747995844080717082404635286, 36134250956749795798585127919587881956611106672985015071877198253568414405109)
$\#E$ = 115792089210356248762697446949407573529996955224135760342422259061068512044369
$a$ = 89130644591246033577639770641462855023145028492835255603183721922317324614395
$b$ = 10095557463932786418806938316190708032771910919058405391679781082193405190826
$[a]P$ = (84116208261315898167593067868200525612344221886333785331584793435449501658416, 102885655542185598026739250172885300109680266058548048621945393128043427650740)
$[b]P$ = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)
$[ab]P = [a]([b]P) = [b]([a]P)$: the shared secret (the transcript repeats the coordinates of $[b]P$ at this point, which cannot be the value of $[ab]P$, so the value is not reproduced here)
Scalar multiplications via double-and-add
How to (naively) compute $k, P \mapsto [k]P$?
  $k = (k_n, k_{n-1}, \ldots, k_0)_2$
  $R \leftarrow P$
  for $i$ from $n - 1$ downto 0 do
      $R \leftarrow [2]R$                      (DBL)
      if $k_i = 1$ then
          $R \leftarrow R \oplus P$             (ADD)
      end if
  end for
  return $R$ (= $[k]P$)
How to compute $k, P \mapsto [k]P$ on $y^2 = x^3 + ax + b$?
  $k = (k_n, k_{n-1}, \ldots, k_0)$
  $(x_R, y_R) \leftarrow P$
  for $i$ from $n - 1$ downto 0 do
      $\lambda \leftarrow (3x_R^2 + a)/(2y_R)$;  $\nu \leftarrow y_R - \lambda x_R$;  $x_R \leftarrow \lambda^2 - 2x_R$;  $y_R \leftarrow -(\lambda x_R + \nu)$;      (DBL)
      if $k_i = 1$ then
          $\lambda \leftarrow (y_R - y_P)/(x_R - x_P)$;  $\nu \leftarrow y_R - \lambda x_R$;  $x_R \leftarrow \lambda^2 - x_R - x_P$;  $y_R \leftarrow -(\lambda x_R + \nu)$      (ADD)
      end if
  end for
  return $(x_R, y_R)$ (= $[k](x_P, y_P)$)
Projective space
• Recall we defined the group of $K$-rational points as $E_{a,b}(K) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{\infty\}$
• The natural habitat for elliptic curve groups is in $\mathbb{P}^2(K)$, not $\mathbb{A}^2(K)$
• For (easiest) example, rather than $(x, y) \in \mathbb{A}^2$, take $(X : Y : Z) \in \mathbb{P}^2$ modulo the equivalence $(X : Y : Z) \sim (\lambda X : \lambda Y : \lambda Z)$ for $\lambda \in K^*$
• Replace $x$ with $X/Z$ and $y$ with $Y/Z$, so $E_{a,b}(K)$ is the set of solutions $(X : Y : Z) \in \mathbb{P}^2(K)$ to $E\colon Y^2 Z = X^3 + aXZ^2 + bZ^3$
• So the affine points $(x, y)$ from before become $(x : y : 1) \sim (\lambda x : \lambda y : \lambda)$ and the point at infinity is the unique point with $Z = 0$, i.e., $(0 : 1 : 0) \sim (0 : \lambda : 0)$
Projective space, cont.
• One practical benefit of working over $\mathbb{P}^2$ is that the explicit formulas for computing $\oplus$ become much faster, by avoiding field inversions
• Thus, the fundamental ECC operation $k, P \mapsto [k]P$ becomes much faster…
Affine doubling $(x', y') = [2](x, y)$, cost 1M + 2S + 1I:
  $\lambda \leftarrow (3x^2 + a)/(2y)$;  $x' \leftarrow \lambda^2 - 2x$;  $y' \leftarrow -(\lambda(x' - x) + y)$
Projective doubling $(X' : Y' : Z') = [2](X : Y : Z)$, cost 5M + 6S:
  $X' = 2YZ\big((3X^2 + aZ^2)^2 - 8XY^2Z\big)$
  $Y' = (3X^2 + aZ^2)\big(12XY^2Z - (3X^2 + aZ^2)^2\big) - 8Y^4Z^2$
  $Z' = 8Y^3Z^3$
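Added example, not from the slides: the projective doubling formulas above checked against the affine ones on P-256 (the slide's $p$ and $P$, $a = -3$). A scaled representative $(sX : sY : s)$ of the same point is fed to the projective formulas to show that the result does not depend on which representative of the class is used.

```python
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3 % P256_P
GX = 48439561293906451759052585252797914202762949526041747995844080717082404635286
GY = 36134250956749795798585127919587881956611106672985015071877198253568414405109


def affine_double(x, y, a=P256_A, p=P256_P):
    """[2](x, y) as on the slide: one inversion (1I), lambda = (3x^2 + a)/(2y)."""
    lam = (3 * x * x + a) * pow(2 * y, -1, p) % p
    x2 = (lam * lam - 2 * x) % p
    y2 = -(lam * (x2 - x) + y) % p
    return x2, y2


def projective_double(X, Y, Z, a=P256_A, p=P256_P):
    """[2](X : Y : Z) on Y^2 Z = X^3 + aXZ^2 + bZ^3 with the slide's inversion-free formulas."""
    W = (3 * X * X + a * Z * Z) % p          # 3X^2 + aZ^2
    S = Y * Z % p                            # YZ
    B = X * Y * S % p                        # XY^2Z
    X2 = 2 * S * (W * W - 8 * B) % p         # 2YZ((3X^2 + aZ^2)^2 - 8XY^2Z)
    Y2 = (W * (12 * B - W * W) - 8 * Y * Y * S * S) % p   # W(12XY^2Z - W^2) - 8Y^4Z^2
    Z2 = 8 * S * S * S % p                   # 8Y^3Z^3
    return X2, Y2, Z2


def to_affine(X, Y, Z, p=P256_P):
    """(X : Y : Z) -> (X/Z, Y/Z); the single inversion is paid once, at the end."""
    zi = pow(Z, -1, p)
    return X * zi % p, Y * zi % p


def doubling_agrees(x=GX, y=GY, scale=0x1234567, p=P256_P):
    """Double the same point affinely and via the projective representative
    (scale*x : scale*y : scale), then compare after normalising."""
    proj = projective_double(x * scale % p, y * scale % p, scale % p)
    return to_affine(*proj) == affine_double(x, y)
```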
Projective scalar multiplications
How to compute $k, P \mapsto [k]P$ on $y^2 = x^3 + ax + b$?  $k = (k_n, k_{n-1}, \ldots, k_0)$
  $(X_R : Y_R : Z_R) \leftarrow P$
  for $i$ from $n - 1$ downto 0 do
      $(X_R : Y_R : Z_R) \leftarrow [2](X_R : Y_R : Z_R)$                                   5M + 6S
      if $k_i = 1$ then
          $(X_R : Y_R : Z_R) \leftarrow (X_R : Y_R : Z_R) \oplus (X_P : Y_P : Z_P)$      9M + 2S
      end if
  end for
  return $(x_R, y_R) \leftarrow (X_R/Z_R, Y_R/Z_R)$                                          1I + 2M
ECDLP security and Pollard's rho algorithm
• ECDLP: given $P, Q \in E(\mathbb{F}_q)$ of prime order $N$, find $k$ such that $Q = [k]P$
• Pollard '78: compute pseudo-random $R_i = [c_i]P + [d_i]Q$ until we find a collision $R_i = R_j$ with $d_i \neq d_j$, then $k = (c_i - c_j)/(d_j - d_i)$
• Birthday paradox says we can expect collision after computing $\sqrt{\pi N/2}$ group elements $R_i$, i.e., after $\approx \sqrt{N}$ group operations. So $2^{128}$ security needs $N \approx 2^{256}$
• The best known ECDLP algorithm on (well-chosen) elliptic curves remains generic, i.e., elliptic curves are as strong as is possible
Index calculus on elliptic curves?
Consider $E/\mathbb{F}_{1217}\colon y^2 = x^3 - 3x + 139$, $\#E(\mathbb{F}_{1217}) = 1277$, $P = (3, 401)$ and $Q = (192, 847)$
ECDLP: find $k$ such that $[k]P = Q$
[Miller, 85]: "it is extremely unlikely that an index calculus […] will ever be able to work"
Writing $Q = \sum c_i P_i$ involves solving discrete logarithms; compare this to integers mod $p$, where we lift and factorise over the integers
e.g., factor base $F_B = \{(3, 401), (5, 395), (7, 73), (11, 252), (13, 104), (19, 265)\}$
Regardless of factor base, can't efficiently decompose elements!
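Added example, written for this transcript rather than taken from the slides, serving the scalar-multiplication slides and the ECDLP slide above: the affine group law and double-and-add, run as ECDH on P-256 with the slide's $p$, $P$, $\#E$ and secrets $a, b$ (the P-256 coefficient $b$ is taken from the standard, since the slide omits it), and a Pollard rho on the slide's toy curve $E/\mathbb{F}_{1217}$ with $P = (3, 401)$, $Q = (192, 847)$. The partition rule and seed in the walk are my choices.

```python
import random

INF = None  # the point at infinity, written as ∞ on the slides

def ec_add(P, Q, a, p):
    """Chord-and-tangent group law ⊕ on y^2 = x^3 + ax + b over F_p (affine)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                 # Q = -P (covers y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p                # = -(lam*x3 + nu), nu = y1 - lam*x1
    return (x3, y3)

def scalar_mul(k, P, a, p):
    """Left-to-right double-and-add as on the slides (not constant-time)."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, p)                     # DBL
        if bit == "1":
            R = ec_add(R, P, a, p)                 # ADD
    return R

def on_curve(P, a, b, p):
    return P is INF or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

# P-256: p, G and #E as on the ECDH slide; b is the standard P-256 coefficient.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3
P256_B = 41058363725152142129326129780047268409114441015993725554835256314039467401291
P256_G = (48439561293906451759052585252797914202762949526041747995844080717082404635286,
          36134250956749795798585127919587881956611106672985015071877198253568414405109)
P256_N = 115792089210356248762697446949407573529996955224135760342422259061068512044369

def ecdh_p256(a, b):
    """Return ([a]G, [b]G, [b]([a]G), [a]([b]G)); the last two must be equal."""
    A = scalar_mul(a, P256_G, P256_A, P256_P)
    B = scalar_mul(b, P256_G, P256_A, P256_P)
    return A, B, scalar_mul(b, A, P256_A, P256_P), scalar_mul(a, B, P256_A, P256_P)

# Toy curve from the ECDLP slide: E/F_1217: y^2 = x^3 - 3x + 139 with #E = 1277 (prime).
TOY_P, TOY_A, TOY_B, TOY_N = 1217, -3, 139, 1277
TOY_BASE, TOY_TARGET = (3, 401), (192, 847)

def pollard_rho(P, Q, n, a, p, seed=1):
    """Find k with Q = [k]P: walk R = [c]P + [d]Q over 3 partitions (by x mod 3),
    Floyd cycle-finding for the collision, then k = (c_i - c_j)/(d_j - d_i) mod n."""
    rng = random.Random(seed)

    def step(R, c, d):
        part = 0 if R is INF else R[0] % 3
        if part == 0:
            return ec_add(R, P, a, p), (c + 1) % n, d
        if part == 1:
            return ec_add(R, R, a, p), 2 * c % n, 2 * d % n
        return ec_add(R, Q, a, p), c, (d + 1) % n

    while True:                                    # retry (rare) if d_i == d_j
        c, d = rng.randrange(1, n), rng.randrange(1, n)
        R = ec_add(scalar_mul(c, P, a, p), scalar_mul(d, Q, a, p), a, p)
        tort, hare = (R, c, d), step(*step(R, c, d))
        while tort[0] != hare[0]:
            tort, hare = step(*tort), step(*step(*hare))
        ci, di, cj, dj = tort[1], tort[2], hare[1], hare[2]
        if (dj - di) % n:
            return (ci - cj) * pow((dj - di) % n, -1, n) % n
```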
Part 1: Motivation
Part 2: Elliptic Curves
Part 3: Elliptic Curve Cryptography
Part 4: Next-generation ECC
What's wrong with old school ECC?
• Side-channel attacks: starting with Kocher '99, side-channel attacks and their countermeasures have become extremely sophisticated
• Decades of new research: we now know much better/faster/simpler/safer ways to do ECC
• Suspicion surrounding previous standards: Snowden leaks, Dual EC DRBG backdoor, etc., led to conjectured weaknesses in the NIST curves
Next generation elliptic curves
• 2014: CFRG receives formal request from TLS working group for recommendations for new elliptic curves
• 2015: NIST holds workshop on ECC standards
• 2015: CFRG announces two chosen curves, both specified in Montgomery (1987) form $E/\mathbb{F}_p\colon y^2 = x^3 + Ax^2 + x$
• Bernstein's Curve25519 [2006]: $p = 2^{255} - 19$ and $A = 486662$
• Hamburg's Goldilocks [2015]: $p = 2^{448} - 2^{224} - 1$ and $A = 156326$
• Both primes offer fast software implementations!
• Their group orders are divisible by 8 and 4, but this form offers several advantages.
Montgomery's fast differential arithmetic
$E/\mathbb{F}_p\colon y^2 = x^3 + Ax^2 + x$
• drop the $y$-coordinate, and work with $x$-only.
• projectively, work with $(X : Z) \in \mathbb{P}^1$ instead of $(X : Y : Z) \in \mathbb{P}^2$
Extremely fast pseudo-doubling: xDBL (2M + 2S)
$X_{[2]P} = (X_P + Z_P)^2 (X_P - Z_P)^2$
$Z_{[2]P} = 4 X_P Z_P \big( (X_P - Z_P)^2 + (A + 2) X_P Z_P \big)$
Extremely fast pseudo-addition: xADD (4M + 2S)
$X_{P+Q} = Z_{P-Q} \big[ (X_P - Z_P)(X_Q + Z_Q) + (X_P + Z_P)(X_Q - Z_Q) \big]^2$
$Z_{P+Q} = X_{P-Q} \big[ (X_P - Z_P)(X_Q + Z_Q) - (X_P + Z_P)(X_Q - Z_Q) \big]^2$
• But (pseudo-)addition of $x(P)$ and $x(Q)$ requires $x(P - Q)$
Differential additions and the Montgomery ladder
• Given only the $x$-coordinates of two points, the $x$-coordinate of their sum can be two possibilities
• Inputting the $x$-coordinate of the difference resolves ambiguity
• The (ingenious!) Montgomery ladder fixes all differences as the input point: in $k, x(P) \mapsto x([k]P)$, every xADD is of the form $\mathrm{xADD}(x([m+1]P), x([m]P), x(P))$
• We carry two multiples of $P$ "up the ladder": $x([m]P)$ and $x([m+1]P)$
• At the $i$-th step: compute $x([2m+1]P) = \mathrm{xADD}(x([m+1]P), x([m]P), x(P))$
• At the $i$-th step: pseudo-double (xDBL) one of them depending on $k_i$
Fast, compact, simple, safer Diffie-Hellman
(see "Elliptic curves for security", https://tools.ietf.org/html/rfc7748)
• $x$-only Diffie-Hellman (Miller '85): $x([ab]P) = x([a]([b]P)) = x([b]([a]P))$
• Write $k = \sum_{i=0}^{\ell-1} k_i 2^i$ with $k_{\ell-1} = 1$ and $P = (x_P, y_P)$ in $E$ (e.g., on Curve25519 or Goldilocks)
  $(x_0, x_1) \leftarrow (\mathrm{xDBL}(x_P), x_P)$
  for $i = \ell - 2$ downto 0 do
      $(x_0, x_1) \leftarrow \mathrm{cSWAP}(k_{i+1} \oplus k_i, x_0, x_1)$
      $(x_0, x_1) \leftarrow (\mathrm{xDBL}(x_0), \mathrm{xADD}(x_0, x_1, x_P))$
  end for
  $(x_0, x_1) \leftarrow \mathrm{cSWAP}(k_0, x_0, x_1)$
  return $x_0$ (= $x([k]P)$)
• Inherently uniform, much easier to implement in constant-time
• See "Elliptic curves for security" https://tools.ietf.org/html/rfc7748
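Added example, not from the slides or from RFC 7748 itself: the ladder written above (xDBL, xADD, the two cSWAP placements) run on Curve25519 with $p = 2^{255} - 19$, $A = 486662$, plus the RFC 7748 scalar clamping so the same function doubles as X25519 on integer inputs. The constant and function names are mine.

```python
P25519 = 2**255 - 19
A = 486662
A24 = (A + 2) // 4                      # (A + 2)/4 = 121666


def xdbl(X, Z, p=P25519):
    """Slide's xDBL: x([2]P) from x(P) = X/Z, cost 2M + 2S (a24 form of the Z formula)."""
    s, d = (X + Z) % p, (X - Z) % p
    s2, d2 = s * s % p, d * d % p
    t = (s2 - d2) % p                   # = 4XZ
    return s2 * d2 % p, t * (d2 + A24 * t) % p


def xadd(XP, ZP, XQ, ZQ, XD, ZD, p=P25519):
    """Slide's xADD: x(P+Q) from x(P), x(Q) and the difference x(P-Q) = XD/ZD, cost 4M + 2S."""
    u = (XP - ZP) * (XQ + ZQ) % p
    v = (XP + ZP) * (XQ - ZQ) % p
    return ZD * (u + v) ** 2 % p, XD * (u - v) ** 2 % p


def cswap(swap, a, b):
    """Conditional swap of two (X, Z) pairs via an arithmetic mask: the branch-free
    idiom of constant-time code (Python ints are not themselves constant-time)."""
    mask = -swap                        # 0 or -1 (all ones)
    d0, d1 = mask & (a[0] ^ b[0]), mask & (a[1] ^ b[1])
    return (a[0] ^ d0, a[1] ^ d1), (b[0] ^ d0, b[1] ^ d1)


def ladder(k, xP, p=P25519):
    """The slide's Montgomery ladder: x([k]P) for k >= 1 (0 if Z becomes 0, as in RFC 7748)."""
    bits = [int(c) for c in bin(k)[2:]]          # k_{l-1} = 1 comes first
    x0, x1 = xdbl(xP, 1, p), (xP % p, 1)         # (x([2]P), x(P))
    prev = bits[0]
    for b in bits[1:]:                           # i = l-2 downto 0
        x0, x1 = cswap(prev ^ b, x0, x1)         # cSWAP(k_{i+1} xor k_i, ...)
        x0, x1 = xdbl(*x0, p), xadd(*x0, *x1, xP, 1, p)   # both use the old x0
        prev = b
    x0, x1 = cswap(prev, x0, x1)                 # cSWAP(k_0, ...)
    X, Z = x0
    return X * pow(Z, p - 2, p) % p              # Fermat inversion: yields 0 when Z == 0


def x25519(k, u, p=P25519):
    """RFC 7748 X25519 on integers: clamp the scalar, mask u to 255 bits, run the ladder."""
    k = (k & ~(7 | 1 << 255)) | 1 << 254         # clear bits 0-2 and 255, set bit 254
    return ladder(k, u & ((1 << 255) - 1), p)
```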
Curve25519 and Goldilocks in the real world
• Both curves integrated into TLS ciphersuites
• In 2014, OpenSSH defaults to Curve25519
• Curve25519 is used in Signal Protocol (Facebook Messenger, Google Allo, WhatsApp), iOS, GnuPG, etc. (https://en.wikipedia.org/wiki/Curve25519)
(Twisted) Edwards curves
$E\colon ax^2 + y^2 = 1 + dx^2y^2$
$(x_1, y_1) + (x_2, y_2) = \left( \dfrac{x_1 y_1 + x_2 y_2}{y_1 y_2 - x_1 x_2},\ \dfrac{x_1 y_1 - x_2 y_2}{x_1 y_2 - y_1 x_2} \right)$ (this form of the law is for $a = -1$)
• Neutral element is $(0, 1)$ - no projective space needed for $E(K)$
• Addition law is complete (for well-chosen $E$)
• Extremely fast: 8M! Also works for doubling, inverses, everything
• Fast, simple, exception-free implementations that always compute correctly
• Also birationally equivalent to Montgomery curves!