Efficient Finite Field Multiplication for Isogeny Based ...

Efficient Finite Field Multiplication for Isogeny BasedPost Quantum Cryptography

Angshuman Karmakar1 Sujoy Sinha Roy1

Frederik Vercauteren1,2 Ingrid Verbauwhede1

1COSIC, ESATKU Leuven and iMinds

2Open Security ResearchChina

WAIFI, 2016

Angshuman Karmakar, Sujoy Sinha Roy Frederik Vercauteren, Ingrid Verbauwhede (Universities of Somewhere and Elsewhere)Efficient Finite Field Multiplication for Isogeny Based Post Quantum CryptographyWAIFI, 2016 1 / 25

Outline

1 IntroductionClassical CryptosystemsPost-quantum cryptography

2 Isogeny Based CryptographyIsogeny in Elliptic curvesSpecial prime structure

3 Efficient modular arithmeticRepresentation of field elementsComparison with other methodsHardware ImplementationResults


Outline





IntroductionClassical cryptosystems

Widely used public key cryptosystems and protocols are based onRSA and ECC.

No known classical algorithm to solve them easily.


Classical cryptosystems

Shor’s1 2 algorithm can solve them easily on quantum computersResearch in this field is advancing rapidly.

1Shor, Peter W., ”Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer”

2J. Proos and C. Zalka. ”Shor’s discrete logarithm quantum algorithm for elliptic curves”


Outline





Post quantum cryptography

We need post quantum cryptography schemes to provide privacy andsecurity even in the presence of practical quantum computers.

Many schemes proposed that is presumed to offer such security.

I Lattice based cryptography.II Multivariate cryptography.

III Hash-based cryptography.IV Code-based cryptography.V Supersingular elliptic curve isogeny cryptography


Outline





Isogeny in Elliptic curves

An Isogeny φ : E1 → E2 is morphism between two elliptic curves (E1

& E2)

Basepoint preserving i.e φ(O)→ OWas presumed a hard problem.

First quantum secure cryptosystem based on this problem wasproposed by Stolbunov et al.3

Later Childs et.al showed this problem has sub-exponential quantumcomplexity.4

3Alexander Rostovtsev, Anton Stolbunov ”Constructing public-key cryptographic schemes based on class group action on a

set of isogenous elliptic curves”4

Andrew Childs, David Jao, and Vladimir Soukharev. ”Constructing elliptic curve isogenies in quantum subexponentialtime”


Isogeny in Elliptic curves

De Feo et. al(2011) proposed a new cryptosystem based on thehardness of computing isogenies5

Used supersingular ellptic curves instead of ordinary elliptic curves.Complexity : 4

√p on classical and 6

√p on a quantum computer(p :

characteristic of base field).

5Luca De Feo, David Jao & Jerome Plut, ”Towards quantum resistant cryptosystems from supersingular elliptic curve

isogenies’Angshuman Karmakar, Sujoy Sinha Roy Frederik Vercauteren, Ingrid Verbauwhede (Universities of Somewhere and Elsewhere)Efficient Finite Field Multiplication for Isogeny Based Post Quantum CryptographyWAIFI, 2016 10 / 25

Outline





Special prime structure

Computation of isogney is a series of finite field operations over thebase field.

Efficient field arithmetic → Faster isogeny computation

The supersingular curves used in isogeny based cryptosystems aredefined over Fp2

p = f · 2a3b − 1, f is a small co-factor.And log 2a ≈ log 3b. In our case f = 2.

Earlier methods used Montgomery reduction and Barrett reduction forefficient modular reduction.

Unable to exploit the special structure of the characteristic prime.

Fields defined over Mersenne prime or Pseudo-Mersenne primes offervery fast modular reduction due to their special structure.

The possibility of exploiting the special structure of p is very intriguing.


Outline





Field element representation

Representation of field elements are very crucial in our method.

We take our prime p = 2 · 2a · 3b − 1 with b even and 2N bits.

An element A ∈ Fp is written as :

A = a1 · 2a3b + a2 · 2a/23b/2 + a3

a1 ∈ [0, 1] and a2, a3 ∈ [0, 2a/23b/2)

Multiply A(a1, a2, a3),B(b1, b2, b3) ∈ Fp

Multiply a2,3 with b2,3 → 4 NxN multiplications.Product C = AxB = c1 · 2a3b + c2 · 2a/23b/2 + c3

Problem : c2, c3 ∈ [0, 2a3b)→ not compatible with our representation


Efficient reduction

Solution : We need to divide c2,3 by 2a/23b/2

We used a modified Barrett division to perform these two divisions.


Efficient ReductionModified Barrett division

Division by 2a/23b/2 can be made efficient due to the special structureof the divisor.

Fundamentally we have to perform Barrett division for 3b/2 only.

But we have to perform two of these.


Outline





Complexity

Barrett Montgomery Ours

Input Size 4N 4N 4N

Reductions 1 1 2

Multiplications 4N x 2N 2N x 2N 3N/2 x N2N x 2N 4N x 2N N x N/2

(last 2N bits required)

Total 12N2 ≈ 6N2 4N2

Table: Complexity comparison


Parallelization

Two Barrett divisions can be run in parallel.

Figure: Serial and Parallel execution of Barrett divisions


Outline





Hardware implementation

Figure: Hardware ArchitectureAngshuman Karmakar, Sujoy Sinha Roy Frederik Vercauteren, Ingrid Verbauwhede (Universities of Somewhere and Elsewhere)Efficient Finite Field Multiplication for Isogeny Based Post Quantum CryptographyWAIFI, 2016 21 / 25

Outline





Results

Proof of concept implementation

Using C in a 32 bit multi-precision format.Time is measured on a core-i5 cpu running CentOS.62% speed up in reduction and 43% speed up in modularmultiplication.

Operation running time (µ s)

Normal multiplication 67.097

Our Multiplication 38.490

Table: Comparison of Our algorithm with normal Barrett reduction algorithm


HW Results

Target FPGA Virtex 6 FPGA xc6vcx240t-2ff784

Registers 11,924LUTs 12,790Frequency 31 MHzCycles 236Time 7.6 µs


Thank you!!

Date post:	14-Mar-2022
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times

Efficient Finite Field Multiplication for Isogeny Based ...

Documents