Ruhr Bochum Contents Hyperelliptic Curve Cryptosystems...

Date post: 16-Oct-2020
Transcript
Page 1 (source: cacr.uwaterloo.ca/conferences/2003/ecc2003/paar.pdf)

Ruhr University Bochum

Hyperelliptic Curve Cryptosystems for Embedded Applications

ECC 2003

Christof Paar

joint work with Jan Pelzl & Thomas Wollinger

Chair for Communication Security

Ruhr-University of Bochum, www.crypto.rub.de

ECC 2003

Contents

1. Next Generation IT Systems

• Embedded systems and pervasive computing

• Security in pervasive computing

2. HECC

• HECC for engineers

• Implementational results

• Conclusion

What are Embedded Systems?

• „A computer that doesn‘t look like a computer“, or

• Processor hidden in a product

(figure: processor + product = Embedded System)

Are embedded systems really important?

Depends on your viewpoint, but: (chart: CPUs sold in 2000)

Ex. high-end BMW ⇒ appr. 80 CPUs

Page 2

Characteristics of Traditional IT Applications

• Mostly based on interactive (= traditional) computers

• „One user – one computer“ paradigm

• Static networks

• Large number of users per network

Q: How will the IT future look?

Brave new pervasive world

#2 Bridge sensors
#3 Cleaning robots
#6 Car with Internet access
#8 Networked robots
#9 Smart street lamps
#14 Pets with electronic sensors
#15 Smart windows

Pervasive Computing Case Study: Radio Frequency ID (RFID)

• Smart tags with receiver & some processing

• Many applications in logistics, consumer products, ...

• MIT‘s AutoID Center: smart bar codes

• 500·10^9 bar code scans per day

• Cost goal: 5 cents

Contents

1. Next Generation IT Systems

• Embedded systems and pervasive computing

• Security in pervasive computing

2. HECC

• HECC for engineers

• Implementational results

• Conclusion

Page 3

Security Concerns in Pervasive Applications

• Often wireless channels ⇒ vulnerable

• Pervasive nature and high volume of nodes increase risk potential (hacking into home devices, cars, …)

• Contents protection in many applications

• Privacy issues (geolocation, medical sensors, monitoring of home activities, etc.)

• Stealing of services (sensors etc.)

• …

Do we really need cryptography in pervasive applications?

• Crypto ops for entity authentication are fundamental for embedded security

• Almost all ad-hoc protocols (even routing!) require crypto ops for every hop

• At least symmetric alg. are needed

• Asymmetric alg. allow fancier protocols

→ Embedded crypto is enabling technology for pervasive applications

→ Computation/memory/power constrained (esp. problematic for public-key alg.)

History of some public-key schemes with practical relevance

1976 Diffie-Hellman
1977 RSA
1985 Elliptic curves (practical relevance since mid 1990s)
1988 Hyperelliptic curves (practical relevance since 2000)

Contents

1. Next Generation IT Systems

• Embedded systems and pervasive computing

• Security in pervasive computing

2. HECC

• HECC for engineers

• Improving the group operation

• Implementational results

Page 4

Arithmetic requirements of PK algorithms

Algorithm         # group ops/crypto fct.      # multipl./group op   Operand length for multipl.
----------------  ---------------------------  --------------------  ---------------------------
RSA etc.          17 (verify), ≈ 1300 (sign)   1                     1024 bit
Discrete log      ≈ 200                        1                     1024 bit
Elliptic curves   ≈ 200                        ≈ 16                  160 bit

Q: Are there other (faster) PK algorithms, esp. for embedded applications?

A: Yes, hyperelliptic curve cryptosystems (HECC) look promising, but many open issues ...

Why use hyperelliptic curve cryptosystems (HECC)?

• Really cool name

• Shorter operand length than ECC (and certainly RSA & DL) ⇒ looks promising for constrained processors

• Hopefully as secure as ECC

• But open questions:
  1. Is the over-all performance really better?
  2. Are HECC secure??
  3. What are hyperelliptic curves (HEC)???

HEC: The definition

A HEC of genus g over a finite field F is given by the set of solutions (x,y) ∈ F × F to the equation

C: y^2 + h(x) y = f(x)

where
- g is the „genus“
- h(x) is a polynomial of degree ≤ g over F
- f(x) is a monic polynomial of degree 2g+1 over F
- certain further conditions

An Example: HEC over the reals

C: y^2 = x^5 - 5x^3 + 4x + 3 over R

Page 5

Where is the group for the DL problem?

1. Group elements are not points on the curve (unlike ECC!)

2. Group elements are „divisors“ (= formal sum of g points):

   $D = \sum_{i=1}^{g} m_i P_i = f(P_1, \dots, P_g)$

3. Abelian group: (reduced) divisors form the „Jacobian“ of the curve J_C(F_q)

Group Cardinality

• HEC of genus g over F_q

• The cardinality of J_C(F_q) is given by Hasse-Weil:

  $(\sqrt{q} - 1)^{2g} \le \#J_C(\mathbb{F}_q) \le (\sqrt{q} + 1)^{2g}$

• Major implication: group size ≈ (field size)^g

• Don‘t choose genus ≥ 5 (or perhaps ≥ 4) because of attacks [Frey/Rück, Gaudry, …]

Example: Group size vs. field size

Ex. group size = 2^160 (commercial security level)

– ECC (g=1): field size = 160 bit

– HECC (g=2): field size = 80 bit

– HECC (g=4): field size = 40 bit

HECC: So, where is the catch?

Trade-off: „group operation“ becomes much more complex as genus increases

genus      field size (example)   # mult. + # sq. / group op   # inverses / group op
---------  ---------------------  ---------------------------  ---------------------
1 (ECC)    160 bit                ≈ 16                         0
2 (HECC)   80 bit                 ≈ 25                         1
3 (HECC)   53 bit                 ≈ 76                         1
4 (HECC)   40 bit                 ≈ 164                        2

Page 6

The group law (Cantor)

Polynomial representation [Mumford] of divisors:

D = div(a,b), where a(x), b(x) are polynomials s.th. deg(b) < deg(a) ≤ g

Cantor‘s Algorithm:

Input: D1 = div(a1,b1), D2 = div(a2,b2)
Output: D3 = D1 + D2 = div(a3,b3)

Composition:
  d = gcd(a1, a2, b1+b2+h) = s1·a1 + s2·a2 + s3·(b1+b2+h)
  a‘3 = a1·a2 / d^2
  b‘3 = [s1·a1·b2 + s2·a2·b1 + s3·(b1·b2 + f)] / d mod a‘3

Reduction:
  WHILE deg(a‘k) > g DO
    a‘k = (f − h·b‘k-1 − b‘k-1^2) / a‘k-1
    b‘k = (−h − b‘k-1) mod a‘k
  END WHILE
  a3 = a‘k
  b3 = b‘k

Cantor‘s algorithm needs polynomial ops:

• gcd,
• division,
• multiplication,
• reduction!
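The composition and reduction steps above, worked in code as an added example (not code from the slides or from the authors' implementation): Cantor's algorithm for a genus-2 curve with h = 0 over a constructed prime field F_p, using the slide's polynomial f(x) = x^5 − 5x^3 + 4x + 3 read over F_p instead of the reals. The prime p = 10007, the function names and the sample divisors are assumptions of this example; the final check `is_reduced` verifies the Mumford conditions, including b^2 ≡ f (mod a), so every result can be tested against the curve itself.

```python
# Added example, not from the slides: Cantor's algorithm for reduced divisors
# D = div(a, b) (Mumford representation) on a genus-2 curve y^2 = f(x) over F_p,
# odd p, h = 0.  Polynomials are coefficient lists, lowest degree first.
p = 10007                     # constructed prime; p = 3 (mod 4) gives easy square roots
f = [3, 4, 0, -5 % p, 0, 1]   # f(x) = x^5 - 5x^3 + 4x + 3 (the slide's curve), monic, degree 2g+1
g = 2                         # genus
def trim(a):                  # coefficients mod p, leading zeros dropped
    a = [c % p for c in a]
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a
def deg(a):
    return -1 if trim(a) == [0] else len(trim(a)) - 1
def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])
def sub(a, b):
    return add(a, [-c for c in b])
def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def divmod_(a, b):            # polynomial long division over F_p: (quotient, remainder)
    a, b = trim(a), trim(b)
    q, inv = [0] * max(1, len(a) - len(b) + 1), pow(b[-1], -1, p)
    while deg(a) >= deg(b):
        k, c = deg(a) - deg(b), a[-1] * inv % p
        q[k] = c
        a = sub(a, mul([0] * k + [c], b))
    return trim(q), a
def xgcd(a, b):               # extended Euclid: monic d and s, t with s*a + t*b = d
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [0], [0], [1]
    while r1 != [0]:
        q, r = divmod_(r0, r1)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, sub(s0, mul(q, s1)), t1, sub(t0, mul(q, t1))
    inv = pow(r0[-1], -1, p)
    return mul([inv], r0), mul([inv], s0), mul([inv], t0)
def cantor_add(D1, D2):
    (a1, b1), (a2, b2) = D1, D2
    d0, e1, e2 = xgcd(a1, a2)                 # composition: d = gcd(a1, a2, b1+b2+h)
    d, c1, s3 = xgcd(d0, add(b1, b2))         #   = s1*a1 + s2*a2 + s3*(b1+b2), h = 0
    s1, s2 = mul(c1, e1), mul(c1, e2)
    a = divmod_(mul(a1, a2), mul(d, d))[0]    # a' = a1*a2 / d^2
    num = add(add(mul(mul(s1, a1), b2), mul(mul(s2, a2), b1)), mul(s3, add(mul(b1, b2), f)))
    b = divmod_(divmod_(num, d)[0], a)[1]     # b' = [s1 a1 b2 + s2 a2 b1 + s3 (b1 b2 + f)] / d mod a'
    while deg(a) > g:                         # reduction: repeat until deg a <= g
        a = divmod_(sub(f, mul(b, b)), a)[0]  # a_k = (f - b_{k-1}^2) / a_{k-1}
        a = mul([pow(a[-1], -1, p)], a)       # normalise a_k to monic
        b = divmod_(sub([0], b), a)[1]        # b_k = -b_{k-1} mod a_k
    return a, b
def is_reduced(D):            # monic a, deg b < deg a <= g, b^2 = f (mod a): D lies on J_C
    a, b = D
    return a[-1] == 1 and deg(a) <= g and deg(b) < deg(a) and divmod_(sub(mul(b, b), f), a)[1] == [0]
# Constructed sample divisors div(x - x0, y0): f(0) = f(1) = f(2) = 3, a square mod p.
y0 = pow(3, (p + 1) // 4, p)
P0, P1, P2 = ([0, 1], [y0]), ([p - 1, 1], [y0]), ([p - 2, 1], [y0])
```

Adding P0 + P1 + P2 needs the reduction loop (the composed a has degree 3 > g), and adding P0 to its negation (x, −y0) returns the identity div(1, 0).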

Contents

1. Next Generation IT Systems

• Embedded systems and pervasive computing

• Security in pervasive computing

2. HECC

• HECC for engineers

• Improving the group operation

• Implementations

Improving the group operation

Cantor‘s algorithm is slow since it
1. computes a GCD, even though almost always GCD = 1
2. uses polynomial arithmetic
3. is iterative

Idea: Assume GCD = 1 and derive explicit formulae [Harley 2000]

• holds with probability ≈ 1 − O(1/q)
• only field operations

Brief History of HECC Improvements

1988       Use of HEC as a cryptosystem first suggested [Koblitz 1988]
1994/2000  Explicit formulae suggested for genus-2 HECC [Spallek 1994; Harley 2000]
2001       Efficient explicit formulae for genus-2 HECC [Matsuo et al. 2001; Miyamoto et al. 2002; Lange 2002]
2002       Efficient explicit formulae for genus-3 HECC [Kuroki et al. 2002; Pelzl 2002; Pelzl et al. 2003]
2003       Efficient explicit formulae for genus-4 HECC [Pelzl et al. 2003]

Page 7

Improvements of the group operation. Example: Adding divisors on HEC of genus 3

Polynomial arithmetic (Cantor):

Input: D1 = div(a1,b1), D2 = div(a2,b2)
Output: D3 = D1 + D2 = div(a3,b3)
Composition:
  d = gcd(a1, a2, b1+b2+h) = s1·a1 + s2·a2 + s3·(b1+b2+h)
  a‘3 = a1·a2 / d^2
  b‘3 = [s1·a1·b2 + s2·a2·b1 + s3·(b1·b2 + f)] / d mod a‘3
Reduction:
  WHILE deg(a‘k) > g DO
    a‘k = (f − h·b‘k-1 − b‘k-1^2) / a‘k-1
    b‘k = (−h − b‘k-1) mod a‘k
  END WHILE
  a3 = a‘k
  b3 = b‘k

Explicit formulae (field arithmetic only); excerpt of the genus-3 addition formulae shown on the slide, one field operation per statement:

t1 = a*e;
t2 = b*d;
t3 = b*f;
t4 = c*e;
t5 = a*f;
t6 = c*d;
t7 = sqr(c+f);
t8 = sqr(b+e);
t9 = (a+d)*(t3+t4);
t10 = (a+d)*(t5+t6);
r = (f+c+t1+t2)*(t7+t9) + t10*(t5+t6) + t8*(t3+t4);
t11 = (b+e)*(c+f);
inv2 = (t1+t2+c+f)*(a+d)+t8;
inv1 = inv2*d + t10 + t11;
inv0 = inv2*e + d*(t10+t11) + t9 + t7;
t12 = (inv1+inv2)*(k+n+l+o);
t13 = (l+o)*inv1;
t14 = (inv0+inv2)*(k+n+m+p);
t15 = (m+p)*inv0;
t16 = (inv0+inv1)*(l+o+m+p);
t17 = (k+n)*inv2;
rs0 = t15;
rs1 = t13+t15+t16;
rs2 = t13+t14+t15+t17;
rs3 = t12+t13+t17;
rs4 = t17;
t18 = rs3+rs4*d;
s0s = rs0 + f*t18;
s1s = rs1 + rs4*f + e*t18;
s2s = rs2 + rs4*e + d*t18;
w1 = inv(r*s2s);
w2 = r*w1;
w3 = w1*sqr(s2s);
w4 = r*w2;
w5 = sqr(w4);
s0 = w2*s0s;
s1 = w2*s1s;
s2 = w2*s2s;
z0 = s0*c;
z1 = s1*c+s0*b;
z2 = s0*a+s1*b+c;
z3 = s1*a+s0+b;
z4 = a+s1;
z5 = to_GF2E(1L);
t1 = w4*h2;
t2 = w4*h3;
u3s = d + z4 + s1;
u2s = d*u3s + e + z3 + s0 + t2 + s1*z4;
u1s = d*u2s + e*u3s + f + z2 + t1 + s1*(z3+t2) + s0*z4 + w5;
u0s = d*u1s + e*u2s + f*u3s + z1 + w4*h1 + s1*(z2+t1) + s0*(z3+t2) + w5*(a+f6);
t1 = u3s+z4;
v0s = w3*(u0s*t1 + z0) + h0 + m;
v1s = w3*(u1s*t1 + u0s + z1) + h1 + l;
v2s = w3*(u2s*t1 + u1s + z2) + h2 + k;
v3s = w3*(u3s*t1 + u2s + z3) + h3;
a3 = f6 + u3s + v3s*(v3s+h3);
b3 = u2s + a3*u3s + f5 + v3s*h2 + v2s*h3;
c3 = u1s + a3*u2s + b3*u3s + f4 + v2s*(v2s+h2) + v3s*h1 + v1s*h3;
k3 = v2s + (v3s+h3)*a3 + h2;
l3 = v1s + (v3s+h3)*b3 + h1;
m3 = v0s + (v3s+h3)*c3 + h0;

Speed-ups with explicit formulae (curves over odd characteristic)

Genus   Type               # inv.   # mult. & sq.   complexity impr. 3)
------  -----------------  -------  --------------  ---------------------
2       polyn. Cantor 1)   3        70
2       explicit 2)        1        25              64%
3       polyn. Cantor 1)   4        200
3       explicit           1        76              65%
4       polyn. Cantor 1)   6        386
4       explicit           2        164             59%

1) Cantor‘s algorithm implemented by [Nagao 2000]
2) Explicit formulae by [Lange 2002]
3) assumption: 1 inverse costs 8 mult.

Big Question: Can HECC beat ECC in practice?

ECC vs. HECC: High-level arithmetic comparison for 1 group op

Genus        # inv.   rel. field size   # mult. & sq.
-----------  -------  ----------------  --------------
1 (ECC) 1)   –        1                 16
2 2)         1        0.5               25
3 2)         1        0.33              76
4 2)         2        0.25              164

1) ECC with projective coordinates, GF(p)
2) HEC over fields of arbitrary characteristic

Page 8

Theoretical complexity comparison ECC vs. HECC

Preliminary remarks about comparisons

1. fair comparisons tend to be tricky
2. needs accurate metric
3. should have practical relevance (no big-O statements)

We chose

• F_2^n arithmetic with best known algorithms for ECC & HECC
• metric: atomic operations (shifts, adds, ...)

(bar chart: Atomic operations for 160-bit scalar multiplication; bars for ECC (projective), ECC (affine), HECC g=2, HECC g=3, HECC g=4; y-axis: atomic operations, 0 to 1,800,000)

- over F_2^m
- no special automorphisms
- 1 inv = 6 mult

Contents

1. Next Generation IT Systems

• Embedded systems and pervasive computing

• Security in pervasive computing

2. HECC

• HECC for engineers

• Improving the group operation

• Implementations

Embedded implementation: ARM7 @ 80 MHz

Genus     Group order   Field     Divisor mult. [msec]
--------  ------------  --------  --------------------
1 (ECC)   2^191         F_2^191   100
2         2^190         F_2^95    121
3         2^189         F_2^63    72
4         2^188         F_2^47    202

• special curves over char 2 fields
• no special endomorphisms used
• parts of the ECC library by Koç et al. were used [Koç 2000]

Page 9

Desktop implementation

Genus     Group order   Field     Divisor mult.
--------  ------------  --------  --------------
1 (ECC)   2^191         F_2^191   2.78 ms
2         2^190         F_2^95    4.47 ms
3         2^189         F_2^63    3.01 ms
4         2^188         F_2^47    8.05 ms

• special curves over char 2 fields
• no special endomorphisms used
• parts of the ECC library by Koç et al. were used [Koç 2000]

Genus-4 curves

Fact: Genus-4 HECC is almost twice as slow as genus-2 HECC at standard security levels (group > 2^160)

Question: Is there any use for genus-4 curves??

An interesting design option: Genus-4 HECC with group size 2^128

$2^{128} \approx q^4 \Rightarrow q \approx 2^{32}$

Allows 128 / 4 = 32 bit field arithmetic!

• 1 field element = 1 processor word
• no carries, easy data types
• great for (embedded) 32-bit processors

(big) but: Are HEC with group size 2^128 secure?

Security of 128-bit HECC

Hard data on attacks (outside government agencies)

1. DES (56-bit) Challenge III – 22 hours, 1999
2. ECCp-109 challenge – 1.5 years, 10^4 computers, 2002 (considerably harder than DES break or RSA 512)

⇒ HECC (g≤3) with a group order of 2^128

• are 724 times harder to break than ECCp-109
• far more secure than DES or RSA 512 (still widely used)
• sufficient for many embedded applications (short-medium term security)

Page 10

Light weight security on the ARM7 @ 80MHz

genus   group order   field    divisor multipl.
------  ------------  -------  -----------------
2       2^128         F_2^64   71.5 ms
3       2^129         F_2^43   47.1 ms
4       2^128         F_2^32   49.0 ms

Note: g = 4 curves are very competitive despite poor theoretical complexity

Conclusions HECC

• Some HECC show good performance on real-world platforms
• On embedded processors, genus-3 HECC can outperform ECC
• For special type of curves, genus-3 HECC are faster than genus-2 HECC
• g = 4 curves are interesting for light-weight crypto
• further reading: [Pelzl et al. 2003a, 2003b]

Suggestions for further research

1. Explicit group operation formulae
   – Systematic further complexity reduction (= faster)
   – Parallelization for modern µP
2. Standardization of HECC (protocols, parameters, curves)
3. How realistic are attacks against HECC with g=4, 5,…?

Related HGI Events (see also www.crypto.rub.de)

• Conference ESCAR (Embedded Security in Cars), November 2003 (first conference ever about this topic)
• and, of course, CHES

Page 11

CHES: Cryptographic Hardware and Embedded Systems, Sept. 7-10, 2003, chesworkshop.org

References

Harley, R. Fast Arithmetic on Genus Two Curves. Available at http://cristal.inria.fr/harley/hyper/ (adding.txt and doubling.c).

Koblitz, N. A Family of Jacobians Suitable for Discrete Log Cryptosystems. In Advances in Cryptology – Crypto ’88, Shafi Goldwasser, Ed. Lecture Notes in Computer Science, vol. 403. Springer-Verlag, Berlin, 94-99.

Koç, Ç., and Saldamli, G. Support for field arithmetic library and elliptic curve routines.

Kuroki, J., Gonda, M., Matsuo, K., Chao, J., and Tsuji, S. Fast Genus Three Hyperelliptic Curve Cryptosystems. In The 2002 Symposium on Cryptography and Information Security, Japan – SCIS 2002.

Lange, T. Efficient Arithmetic on Genus Two Hyperelliptic Curves over Finite Fields via Explicit Formulae. Cryptology ePrint Archive, Report 2002/121. http://eprint.iacr.org/

Lopez, J., and Dahab, R. High-speed software multiplication in F_2^m. In INDOCRYPT 2000, 203-212.

Matsuo, K., Chao, J., and Tsuji, S. Fast Genus Two Hyperelliptic Cryptosystems. In ISEC2001-31, IEICE.

References (cont.)

Miyamoto, Y., Doi, H., Matsuo, K., Chao, J., and Tsuji, S. 2002. A Fast Addition Algorithm of Genus Two Hyperelliptic Curve. In The 2002 Symposium on Cryptography and Information Security – SCIS 2002, IEICE Japan. 497-502, in Japanese.

Nagao, K. 2002. Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves. In ANTS IV, W. Bosma, Ed. LNCS, vol. 1838. Springer-Verlag, Berlin, 439-448.

Pelzl, J. 2002. Hyperelliptic Cryptosystems on Embedded Processors. M.S. thesis, Department of Electrical Engineering and Information Sciences, Ruhr-Universität Bochum, Bochum, Germany.

Pelzl, J., Wollinger, T., Guajardo, J., and Paar, C. 2003. Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves. In Workshop on Cryptographic Hardware and Embedded Systems 2003 - CHES 2003.

Pelzl, J., Wollinger, T., and Paar, C. 2003. Low Cost Security: Explicit Formulae for Genus-4 Hyperelliptic Curves. In Selected Areas in Cryptography 2003 - SAC 2003.

Spallek, A.M. 1994. Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-Kryptosystemen [Curves of genus 2 and their application in public-key cryptosystems]. PhD Thesis. Universität Gesamthochschule Essen.