Page 1: Isogeny based cryptography implementation for FPGA · Pedro Maat C. Massolino 1, Lejla Batina 1, Patrick Longa 2, Joost Renes 1 · 1 Radboud University, Nijmegen, The Netherlands {p.massolino,j.renes,lejla}@cs.ru.nl

Isogeny based cryptography implementation for FPGA

Pedro Maat C. Massolino (1), Lejla Batina (1), Patrick Longa (2), Joost Renes (1)

(1) Radboud University, Nijmegen, The Netherlands, {p.massolino,j.renes,lejla}@cs.ru.nl

(2) Microsoft Research, [email protected]

June 18, 2019

Pedro Maat 18/06/2019 1 / 23


Isogeny based cryptography

• It is like treasure hunting, where at each treasure you generate the map for the next treasure.

• Properly introduced by previous presenters.

• Focus on the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, with parameters from the original Supersingular Isogeny Key Encapsulation (SIKE) proposal.


Why implement Isogeny based cryptography?

1 Patrick Longa and Joost Renes are in the SIKE proposal.

2 Closely related to classic elliptic curve cryptography.

3 Smallest NIST PQC key sizes for key exchange.

4 Different approach than the literature.


What do we need to make SIDH?

• Operations in F_p and F_{p^2}, with x^2 + 1 as the primitive polynomial.

• p is a prime of 433, 503, 751 or 964 bits.

• Montgomery elliptic curve operations.

• Tree traversing procedure.


SIDH/SIKE on FPGA

• Koziel et al., different iterations:
  • Affine formulas with an optimized inversion unit [5]
  • Projective formulas, but the same architecture [6]
  • Frequency increase and results for 503, 751, 1019, 1533 bits [4]
  • Added SHAKE and support for the SIKE operations of the SIKE proposal [2]

• Only field arithmetic, no support for elliptic curve operations: Karmakar et al. [3]

• SIDH with a Montgomery multiplier using a Redundant Number System: Roy and Mukhopadhyay [9].


Where is our difference?

Koziel et al. approach:

• Focused on several dedicated multipliers and one adder/subtraction unit.

• Aimed at the FPGA Virtex 7 690T.

Our approach:

• One big multiplier accumulator.

• Aimed at the FPGA Spartan 6 LX75.


How big is the multiplier accumulator?

• The sky is the limit...I mean, the FPGA is the limit.

• DSP48A = 18 × 18 signed multiplier or 17 × 17 unsigned.

• Spartan 6 LX75 total: 132 DSP48A.

• How much does a 16 × 17 = 272-bit multiplier cost?
  • Schoolbook: 256 DSP48A (4 × 4 × 4 × 4 = 256).
  • 4 recursive Karatsuba: 81 DSP48A (3 × 3 × 3 × 3 = 81).
  • 1 schoolbook + 3 recursive Karatsuba: 108 DSP48A (4 × 3 × 3 × 3 = 108).
  • Karatsuba by Dinechin and Pasca [1]: 136 DSP48A (Σ_{i=0}^{15} (i + 1) = 136).


Karatsuba-Ofman, can you remind me?

a = a1 · 2^w + a0, b = b1 · 2^w + b0

[Figure: Schoolbook algorithm vs. Karatsuba algorithm]
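The DSP counts from the previous slide and the split a = a1 · 2^w + a0 above can be reproduced in software. The following Python model is an added example, not code from the slides: it multiplies two 16-limb (272-bit) operands following a per-level plan of schoolbook ('S') or Karatsuba ('K') splits, counts the 17 × 17 DSP48A leaf products, and checks the result against Python's integer arithmetic. The plan strings and the sample operands are constructed for the example.

```python
LIMB = 17                     # one DSP48A does a 17 x 17 unsigned (18 x 18 signed) product
LIMBS = 16                    # 16 limbs x 17 bits = the 272-bit operands on the slides

def multiply(a, b, n, plan, cost):
    """Multiply two n-limb operands, recursing by the plan string: one letter per
    halving level, 'S' = schoolbook (4 half-size products), 'K' = Karatsuba
    (3 half-size products). Leaves (n == 1) are DSP48A multiplies, counted in cost[0]."""
    if n == 1:
        cost[0] += 1
        return a * b
    h = n // 2                # plan needs one letter per halving: n = 16, 8, 4, 2
    w = LIMB * h
    a0, a1 = a & ((1 << w) - 1), a >> w     # a = a1 * 2^w + a0 (slide notation)
    b0, b1 = b & ((1 << w) - 1), b >> w
    rest = plan[1:]
    z0 = multiply(a0, b0, h, rest, cost)
    z2 = multiply(a1, b1, h, rest, cost)
    if plan[0] == 'S':
        z1 = multiply(a0, b1, h, rest, cost) + multiply(a1, b0, h, rest, cost)
    else:
        # Subtractive Karatsuba: (a1 - a0)(b1 - b0) = z2 - z1 + z0. At the top level
        # the differences fit in w+1 signed bits (the signed DSP mode); deeper levels
        # need a further guard bit, which this DSP count deliberately ignores.
        z1 = z0 + z2 - multiply(a1 - a0, b1 - b0, h, rest, cost)
    return z0 + (z1 << w) + (z2 << (2 * w))

def dsp_cost(plan, n=LIMBS):
    """Number of DSP48A leaf multiplies a plan uses for an n-limb multiplier."""
    cost = [0]
    multiply(1, 1, n, plan, cost)
    return cost[0]

def dinechin_pasca_cost(n=LIMBS):
    """Tiling count quoted on the slide for [1]: sum_{i=0}^{n-1} (i + 1)."""
    return sum(i + 1 for i in range(n))

if __name__ == "__main__":
    # Constructed 272-bit sample operands (not taken from the slides).
    a = (1 << 272) - 12345
    b = (3 << 270) + 777
    for plan in ("SSSS", "KKKK", "SKKK"):
        assert multiply(a, b, LIMBS, plan, [0]) == a * b
        print(plan, dsp_cost(plan))                 # 256, 81, 108
    print("Dinechin-Pasca", dinechin_pasca_cost())  # 136
```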


Whoa there cowboy, and the accumulator?

• Up to ∼200 bits, the FPGA tool's adder is fast enough [8].

• We need an accumulator of more than 272 × 2 = 544 bits.

• We chose the AAM from Nguyen et al. [7].

• Architecture based on a carry-select architecture.

• Given the several accumulations, we settled on 544 + 35 = 579 bits.


Add-Add-Multiplex (AAM)

• For each bit, an addition is performed with the two options of carry.

• Each addition's carry out is used to solve the carry propagation with an adder of size k − 2.

• In our case b = 2, thus for 579 bits, k = 290.


Proposal

• c_i = a_i · b_i + acc_i, i = 0, ..., 7

• 8 parallel high-level computations in the pipeline.

• 4 stages in the case of addition/subtraction.

• Memory interface is 272 bits, and the accumulator register is 579 bits.

• Internal multiplier is 273 bits signed, thus it can behave as 272-bit unsigned and signed.


The MAC


Okay, but how do you perform Fp operations?

Given a 273-bit signed MAC (c = a · b + acc), how do we proceed?

• Values can span multiple 272-bit words:
  • Addition/subtraction: direct.
  • Montgomery multiplication:
    • Signed representation [-p, p] instead of unsigned [0, p].
    • Product scanning (FIPS algorithm) manually unrolled for all 4 sizes.
    • 10 extra bits instead of only 2, so that additions/subtractions need not be reduced.
  • Extra operation to reduce from [-p, p] to [0, p - 1].


How to control all operations?

State machine + shift registers.

• Each MAC operation is a state, and for all unrolled operations we need around 300 states.

• Given that the states are instructions that follow a linear order, we made a special ROM-based controller.

• Since only the addresses and the sign change for the same 8/4 values, we rotate the addresses through registers.


Is this enough?

Our Coprocessor:

• Supports F_p addition/subtraction and multiplication for primes up to 1086 bits.

Missing parts:

• F_p inversion.

• F_{p^2} operations.

• Montgomery elliptic curve operations.

• Tree traversing procedure.


High level architecture


Do we have results?

No...


Routing

The final architecture cannot be routed due to congestion. What do we do?

• The architecture works in the behavioral simulations, synthesis and mapping.

• Try a bigger FPGA and perform post-route simulations? Tried Virtex 7 and Zynq.

• Sometimes it still won't finish routing, or does not pass post-route simulation.

• Shrink the high-level architecture?
  • Merging stack memory.
  • Removing and adding a separate register bank.
  • Reducing instruction size.
  • Creating a "pipeline" for address resolution.


Multiplier?

The multiplier seems quite complex, why not the first option?

• Only the multiplier was possible to route.

• The high-level architecture was written with less care.

• It was a mistake; most probably it is the multiplier.

[Figure obtained from Xilinx, "Spartan-6 FPGA Configurable Logic Block User Guide"]


Next steps

• More tests with other multiplier architectures, even a simple one.

• Change the main processor to work with 16 bits instead of 17.

• Reduce the multiplier size to 128 bits.

• Reevaluate the timing and maybe do small optimizations.


Questions

Thank You. Contact: [email protected]


References I

[1] Florent de Dinechin and Bogdan Pasca. Large multipliers with less DSP blocks. In Field Programmable Logic and Applications, Czech Republic, August 2009. IEEE.

[2] David Jao, Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Amir Jalali, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Geovandro Pereira, Joost Renes, Vladimir Soukharev, and David Urbanik. "Supersingular isogeny key encapsulation", 2019.

[3] Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren, and Ingrid Verbauwhede. Efficient finite field multiplication for isogeny based post quantum cryptography. In Arithmetic of Finite Fields, pages 193–207, Cham, 2016. Springer International Publishing.

[4] B. Koziel, R. Azarderakhsh, and M. M. Kermani. A high-performance and scalable hardware architecture for isogeny-based cryptography. IEEE Transactions on Computers, 67(11):1594–1609, Nov 2018.

[5] B. Koziel, R. Azarderakhsh, M. Mozaffari Kermani, and D. Jao. Post-quantum cryptography on FPGA based on isogenies on elliptic curves. IEEE Transactions on Circuits and Systems I: Regular Papers, 64(1):86–99, Jan 2017.

[6] Brian Koziel, Reza Azarderakhsh, and Mehran Mozaffari-Kermani. Fast hardware architectures for supersingular isogeny Diffie-Hellman key exchange on FPGA. In Progress in Cryptology – INDOCRYPT 2016, pages 191–206, Cham, 2016. Springer International Publishing.

[7] H. D. Nguyen, B. Pasca, and T. B. Preußer. FPGA-specific arithmetic optimizations of short-latency adders. In 2011 21st International Conference on Field Programmable Logic and Applications, pages 232–237, Sep. 2011.


References II

[8] T. B. Preußer and M. Krause. Survey on and re-evaluation of wide adder architectures on FPGAs. In 2016 International Conference on ReConFigurable Computing and FPGAs (ReConFig), pages 1–6, Nov 2016.

[9] Debapriya Basu Roy and Debdeep Mukhopadhyay. Post quantum ECC on FPGA platform. Cryptology ePrint Archive, Report 2019/568, 2019. https://eprint.iacr.org/2019/568.


Constructing bigger multipliers - 1

[Figures: Unsigned multiplier; Signed multiplier]


Constructing bigger multipliers - 2

[Figure: Signed multiplier]


Constructing bigger multipliers - 3

[Figure: Signed multiplier]


MAC - Instruction set

Append: append the necessary 0's to make the instruction 68 bits.
Carmela flag: tells the main processor not to execute the instruction but to send it to Carmela.
Carmela internal type:

• Multiplication/square, no reduction

• Montgomery modular multiplication/square

• Addition/subtraction, no reduction

• Simple reduction

Ma, Mb, Mo: operand address.
Sign: indicates whether it is an addition or a subtraction (Mo = Mb +/- Ma).
Dir:

• 0 - Direct access. Mem[Ma].

• 1 - Indirect access. Mem[Rd[Ma]].


High level ISA.

Main flag internal type:

• nop

• jump, jumpeq, jumpl, jumpeql

• push, pushf, pushm

• pop, popf, popm

• copy, copyf, copym

• lconstf, lconstm

• call, ret

• fin

• badd, bsub, bsmul

• bshiftr, bshiftl

• brotr, brotl

• bland, blor, blxor, blnot

mema, memb, memo: operand address.
Cx: whether the value in the operand is a constant.
Sign: whether the operation is for signed or unsigned integers.
Dir:

• 0 - Direct access. Mem[mema].

• 1 - Indirect access. Mem[Rd[mema]].


SIDH memory model


MAC memory model
