efficient finite field multiplication for isogeny based
Post on 14-Mar-2022
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Angshuman Karmakar¹, Sujoy Sinha Roy¹, Frederik Vercauteren¹,², Ingrid Verbauwhede¹
¹ COSIC, ESAT, KU Leuven and iMinds
² Open Security Research, China
WAIFI, 2016
Angshuman Karmakar, Sujoy Sinha Roy Frederik Vercauteren, Ingrid Verbauwhede (Universities of Somewhere and Elsewhere)Efficient Finite Field Multiplication for Isogeny Based Post Quantum CryptographyWAIFI, 2016 1 / 25
Outline
1 Introduction
    Classical Cryptosystems
    Post-quantum cryptography
2 Isogeny Based Cryptography
    Isogeny in Elliptic curves
    Special prime structure
3 Efficient modular arithmetic
    Representation of field elements
    Comparison with other methods
    Hardware Implementation
    Results
Introduction: Classical cryptosystems
Widely used public key cryptosystems and protocols are based on RSA and ECC.
No known classical algorithm solves the underlying problems easily.
Classical cryptosystems
Shor's¹,² algorithm can solve them easily on quantum computers.
Research in this field is advancing rapidly.
¹ Shor, Peter W., "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer"
² J. Proos and C. Zalka, "Shor's discrete logarithm quantum algorithm for elliptic curves"
Post quantum cryptography
We need post quantum cryptography schemes to provide privacy and security even in the presence of practical quantum computers.
Many schemes have been proposed that are presumed to offer such security.
I Lattice based cryptography.
II Multivariate cryptography.
III Hash-based cryptography.
IV Code-based cryptography.
V Supersingular elliptic curve isogeny cryptography.
Isogeny in Elliptic curves
An isogeny $\varphi : E_1 \to E_2$ is a morphism between two elliptic curves ($E_1$ and $E_2$).
Basepoint preserving, i.e. $\varphi(O) \to O$.
Computing isogenies was presumed to be a hard problem.
The first quantum secure cryptosystem based on this problem was proposed by Stolbunov et al.³
Later Childs et al. showed that this problem has sub-exponential quantum complexity.⁴
³ Alexander Rostovtsev, Anton Stolbunov, "Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves"
⁴ Andrew Childs, David Jao, and Vladimir Soukharev, "Constructing elliptic curve isogenies in quantum subexponential time"
Isogeny in Elliptic curves
De Feo et al. (2011) proposed a new cryptosystem based on the hardness of computing isogenies.⁵
Used supersingular elliptic curves instead of ordinary elliptic curves.
Complexity: $\sqrt[4]{p}$ on a classical and $\sqrt[6]{p}$ on a quantum computer ($p$: characteristic of the base field).
⁵ Luca De Feo, David Jao & Jerome Plut, "Towards quantum resistant cryptosystems from supersingular elliptic curve isogenies"
Special prime structure
Computation of an isogeny is a series of finite field operations over the base field.
Efficient field arithmetic → Faster isogeny computation
The supersingular curves used in isogeny based cryptosystems are defined over $\mathbb{F}_{p^2}$.
$p = f \cdot 2^a 3^b - 1$, where $f$ is a small co-factor and $\log 2^a \approx \log 3^b$. In our case $f = 2$.
Earlier methods used Montgomery reduction and Barrett reduction for efficient modular reduction.
These are unable to exploit the special structure of the characteristic prime.
Fields defined over Mersenne primes or Pseudo-Mersenne primes offer very fast modular reduction due to their special structure.
The possibility of exploiting the special structure of $p$ is very intriguing.
Field element representation
The representation of field elements is crucial in our method.
We take our prime $p = 2 \cdot 2^a \cdot 3^b - 1$ with $b$ even and $2N$ bits.
An element $A \in \mathbb{F}_p$ is written as:
$A = a_1 \cdot 2^a 3^b + a_2 \cdot 2^{a/2} 3^{b/2} + a_3$
$a_1 \in [0, 1]$ and $a_2, a_3 \in [0, 2^{a/2} 3^{b/2})$
Multiply $A(a_1, a_2, a_3), B(b_1, b_2, b_3) \in \mathbb{F}_p$
Multiply $a_{2,3}$ with $b_{2,3}$ → 4 $N \times N$ multiplications.
Product $C = A \times B = c_1 \cdot 2^a 3^b + c_2 \cdot 2^{a/2} 3^{b/2} + c_3$
Problem: $c_2, c_3 \in [0, 2^a 3^b)$ → not compatible with our representation
Efficient reduction
Solution: We need to divide $c_{2,3}$ by $2^{a/2} 3^{b/2}$.
We used a modified Barrett division to perform these two divisions.
Efficient Reduction: Modified Barrett division
Division by $2^{a/2} 3^{b/2}$ can be made efficient due to the special structure of the divisor.
Fundamentally we have to perform Barrett division for $3^{b/2}$ only.
But we have to perform two of these.
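The representation, the four small products and the two divisions by $2^{a/2} 3^{b/2}$ described on these slides, as an added Python illustration (not the authors' C or hardware implementation). The toy parameters a = b = 4, the textbook Barrett estimate, and the way the single-bit a1, b1 terms are folded in are assumptions of this example.

```python
# Added illustration, not the authors' code. Toy parameters chosen here:
# a = b = 4 gives R = 2^(a/2) * 3^(b/2) = 36 and the prime p = 2*R^2 - 1 = 2591.
A_EXP, B_EXP = 4, 4
S = A_EXP // 2                 # the 2^(a/2) factor of R is handled by shifts
D = 3 ** (B_EXP // 2)          # 3^(b/2): the only factor needing Barrett division
R = D << S
R2 = R * R                     # 2^a * 3^b; 2*R2 = p + 1, hence 2*R2 == 1 (mod p)
P = 2 * R2 - 1
K = 2 * D.bit_length() + S + 1 # every value passed to barrett_div3 is below 2^K
M = (1 << K) // D              # precomputed floor(2^K / D)

def barrett_div3(y):
    """(y // D, y % D) for 0 <= y < 2^K with one multiplication and one shift."""
    q = (y * M) >> K           # estimate is exact or one too small
    r = y - q * D
    while r >= D:
        q, r = q + 1, r - D
    return q, r

def div_by_R(x):
    """(x // R, x % R): shift out 2^(a/2), then Barrett-divide by 3^(b/2)."""
    q, r = barrett_div3(x >> S)
    return q, (r << S) | (x & ((1 << S) - 1))

def to_rep(x):
    """Write x in [0, p) as a1*R^2 + a2*R + a3, a1 in {0, 1}, a2, a3 in [0, R)."""
    a1, low = divmod(x, R2)
    a2, a3 = divmod(low, R)
    return a1, a2, a3

def mul(x, y):
    """x*y mod p built from the four small products of a2, a3 with b2, b3."""
    a1, a2, a3 = to_rep(x)
    b1, b2, b3 = to_rep(y)
    q3, c3 = div_by_R(a3 * b3)            # the two divisions are independent,
    q2, c2 = div_by_R(a2 * b3 + a3 * b2)  # so they can run in parallel
    # Coefficient of R^2. The single-bit a1, b1 terms only select additions;
    # how they are folded in is an assumption of this example.
    h = a2 * b2 + q2 + a1 * (y - b1 * R2) + b1 * (x - a1 * R2) + a1 * b1 * R2
    # h*R^2 = (2k + e)*R^2 == k + e*R^2 (mod p), because 2*R^2 == 1 (mod p).
    v = (h >> 1) + (h & 1) * R2 + (c2 + q3) * R + c3
    while v >= P:                         # v < 3p: at most two subtractions
        v -= P
    return v
```

The final loop is a bounded conditional subtraction; an implementation handling secret field elements would replace it with a constant-time select.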
Complexity
                  Barrett     Montgomery   Ours
Input Size        4N          4N           4N
Reductions        1           1            2
Multiplications   4N x 2N     2N x 2N      3N/2 x N
                  2N x 2N     4N x 2N      N x N/2
                  (last 2N bits required)
Total             12N^2       ≈ 6N^2       4N^2
Table: Complexity comparison
Parallelization
Two Barrett divisions can be run in parallel.
Figure: Serial and Parallel execution of Barrett divisions
Hardware implementation
Figure: Hardware Architecture
Results
Proof of concept implementation
Using C in a 32 bit multi-precision format.
Time is measured on a core-i5 CPU running CentOS.
62% speed up in reduction and 43% speed up in modular multiplication.
Operation               Running time (µs)
Normal multiplication   67.097
Our multiplication      38.490
Table: Comparison of Our algorithm with normal Barrett reduction algorithm
HW Results
Target FPGA   Virtex 6 FPGA xc6vcx240t-2ff784
Registers     11,924
LUTs          12,790
Frequency     31 MHz
Cycles        236
Time          7.6 µs