Ruhr-University Bochum

Hyperelliptic Curve Cryptosystems for Embedded Applications

ECC 2003

Christof Paar
joint work with Jan Pelzl & Thomas Wollinger
Chair for Communication Security
Ruhr-University of Bochum, www.crypto.rub.de
Contents

1. Next Generation IT Systems
  • Embedded systems and pervasive computing
  • Security in pervasive computing
2. HECC
  • HECC for engineers
  • Implementational results
  • Conclusion
What are Embedded Systems?

• "A computer that doesn't look like a computer", or
• Processor hidden in a product

[Figure: processor + product = embedded system]
Are embedded systems really important?

Depends on your viewpoint, but: [Chart: CPUs sold in 2000]
Ex. high-end BMW ⇒ approx. 80 CPUs
Characteristics of Traditional IT Applications

• Mostly based on interactive (= traditional) computers
• "One user – one computer" paradigm
• Static networks
• Large number of users per network

Q: How will the IT future look?
Brave new pervasive world

[Figure with labelled items: #2 Bridge sensors, #3 Cleaning robots, #6 Car with Internet access, #8 Networked robots, #9 Smart street lamps, #14 Pets with electronic sensors, #15 Smart windows]
Pervasive Computing Case Study: Radio Frequency ID (RFID)

• Smart tags with receiver & some processing
• Many applications in logistics, consumer products, ...
• MIT's AutoID Center: smart bar codes
• 500·10^9 bar code scans per day
• Cost goal: 5 cents
Security Concerns in Pervasive Applications

• Often wireless channels ⇒ vulnerable
• Pervasive nature and high volume of nodes increase the risk potential (hacking into home devices, cars, …)
• Content protection in many applications
• Privacy issues (geolocation, medical sensors, monitoring of home activities, etc.)
• Stealing of services (sensors etc.)
• …

Do we really need cryptography in pervasive applications?

• Crypto operations for entity authentication are fundamental for embedded security
• Almost all ad-hoc protocols (even routing!) require crypto operations at every hop
• At least symmetric algorithms are needed
• Asymmetric algorithms allow fancier protocols

→ Embedded crypto is an enabling technology for pervasive applications
→ Computation/memory/power constrained (esp. problematic for public-key algorithms)
History of some public-key schemes with practical relevance

1976 Diffie-Hellman
1977 RSA
1985 Elliptic curves (practical relevance since mid 1990s)
1988 Hyperelliptic curves (practical relevance since 2000)
Contents

1. Next Generation IT Systems
  • Embedded systems and pervasive computing
  • Security in pervasive computing
2. HECC
  • HECC for engineers
  • Improving the group operation
  • Implementational results
Arithmetic requirements of PK algorithms

Algorithm        | Operand length for multipl. | # multipl. / group op | # group ops / crypto fct.
RSA etc.         | 1024 bit                    | 1                     | 17 (verify), ≈ 1300 (sign)
Discrete log     | 1024 bit                    | 1                     | ≈ 200
Elliptic curves  | 160 bit                     | ≈ 16                  | ≈ 200

Q: Are there other (faster) PK algorithms, esp. for embedded applications?
A: Yes, hyperelliptic curve cryptosystems (HECC) look promising, but many open issues ...
Why use hyperelliptic curve cryptosystems (HECC)?

• Really cool name
• Shorter operand length than ECC (and certainly RSA & DL) ⇒ looks promising for constrained processors
• Hopefully as secure as ECC
• But open questions:
  1. Is the over-all performance really better?
  2. Are HECC secure??
  3. What are hyperelliptic curves (HEC)???
HEC: The definition

A HEC of genus g over a finite field F is given by the set of solutions (x,y) ∈ F × F to the equation

  C: y^2 + h(x) y = f(x)

where
- g is the "genus"
- h(x) is a polynomial of degree ≤ g over F
- f(x) is a monic polynomial of degree 2g+1 over F
- certain further conditions (the curve must have no singular points)

An example: HEC over the reals

  C: y^2 = x^5 − 5x^3 + 4x + 3 over R   (deg f = 5 = 2g+1, so g = 2)
Where is the group for the DL problem?

1. Group elements are not points on the curve (unlike ECC!)
2. Group elements are "divisors" (= formal sums of at most g points):

   $D = \sum_{i=1}^{m} P_i - m\,P_\infty, \qquad m \le g$

3. Abelian group: the (reduced) divisors form the "Jacobian" of the curve, J_C(F_q)
Group Cardinality

• HEC of genus g over F_q
• The cardinality of J_C(F_q) is bounded by Hasse-Weil:

   $(\sqrt{q}-1)^{2g} \;\le\; \#J_C(\mathbb{F}_q) \;\le\; (\sqrt{q}+1)^{2g}$

• Major implication: group size ≈ (field size)^g
• Don't choose genus ≥ 5 (or perhaps ≥ 4) because of attacks [Frey/Rück, Gaudry, …]
Example: Group size vs. field size

Ex. group size = 2^160 (commercial security level)
– ECC (g=1): field size = 160 bit
– HECC (g=2): field size = 80 bit
– HECC (g=4): field size = 40 bit
HECC: So, where is the catch?

Trade-off: the "group operation" becomes much more complex as the genus increases

genus    | field size (example) | # mult. + # sq. / group op | # inverses / group op
1 (ECC)  | 160 bit              | ≈ 16                       | 0
2 (HECC) | 80 bit               | ≈ 25                       | 1
3 (HECC) | 53 bit               | ≈ 76                       | 1
4 (HECC) | 40 bit               | ≈ 164                      | 2
The group law (Cantor)

Polynomial representation [Mumford] of divisors:
  D = div(a,b), where a(x), b(x) are polynomials over F with a monic, deg(b) < deg(a) ≤ g and a | b^2 + h b − f

Cantor's algorithm:

Input:  D1 = div(a1,b1), D2 = div(a2,b2)
Output: D3 = D1 + D2 = div(a3,b3)

Composition:
  d = gcd(a1, a2, b1+b2+h) = s1 a1 + s2 a2 + s3 (b1+b2+h)
  a'3 = a1 a2 / d^2
  b'3 = [s1 a1 b2 + s2 a2 b1 + s3 (b1 b2 + f)] / d  mod a'3

Reduction (start with k = 3):
  WHILE deg(a'k) > g DO
    a'k+1 = (f − h b'k − b'k^2) / a'k, made monic
    b'k+1 = (−h − b'k) mod a'k+1
  END WHILE
  a3 = a'k, b3 = b'k

Needs polynomial operations:
• gcd,
• division,
• multiplication,
• reduction!
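The Mumford representation, Cantor's algorithm and the Hasse-Weil bound above are small enough to exercise end to end. The Python program below is an added example written for this page, not code from the talk or from the authors' library. It implements Cantor's composition and reduction for a genus-2 curve with h(x) = 0 over an assumed toy field GF(103) and an assumed curve y^2 = x^5 + x + 1, builds divisors from pairs of affine points, and counts #J_C(F_p) from the point counts over F_p and F_{p^2} so the result can be checked against the Hasse-Weil bound and, via Lagrange's theorem, against the group law itself (N·D must be the identity). The prime, the curve and every function name are choices made for this example; the gcd(f, f') = 1 check is the "certain further conditions" of the definition, i.e. nonsingularity.

```python
# Added example, not the authors' code: Cantor's algorithm for adding reduced divisors
# on a genus-2 curve C: y^2 = f(x) over GF(p) (h = 0), plus a count of #J_C(F_p) that is
# checked against the Hasse-Weil bound and against the group law itself.
# Assumed parameters: p = 103 (p = 3 mod 4 keeps square roots cheap), f = x^5 + x + 1.
# Polynomials are coefficient lists over GF(p), lowest degree first; the zero polynomial is [].
from functools import reduce

P, G = 103, 2
F = [1, 1, 0, 0, 0, 1]                        # f(x) = x^5 + x + 1: monic, degree 2g+1

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a
def deg(a): return len(a) - 1                 # deg(0) = -1
def neg(a): return [(-c) % P for c in a]
def sub(a, b): return add(a, neg(b))
def mod(a, b): return divmod_(a, b)[1]
def monic(a): return [c * pow(a[-1], P - 2, P) % P for c in a]
def eval_poly(a, x): return reduce(lambda r, c: (r * x + c) % P, reversed(a), 0)
def negate(D): return D[0], mod(neg(D[1]), D[0])   # -D = (a, -b - h mod a)

def add(a, b):
    if len(a) < len(b):
        a, b = b, a
    return trim([(x + (b[i] if i < len(b) else 0)) % P for i, x in enumerate(a)])

def mul(a, b):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def divmod_(a, b):                            # long division by b != 0
    a, q, inv = a[:], [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        c, k = a[-1] * inv % P, len(a) - len(b)
        q[k] = c
        for i, y in enumerate(b):
            a[i + k] = (a[i + k] - c * y) % P
        trim(a)
    return trim(q), a

def div(a, b):
    q, r = divmod_(a, b)
    assert not r, "every division in Cantor's algorithm is exact"
    return q

def xgcd(a, b):                               # monic g = s*a + t*b
    r0, r1, s0, s1, t0, t1 = a, b, [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, sub(s0, mul(q, s1)), t1, sub(t0, mul(q, t1))
    sc = [pow(r0[-1], P - 2, P)]
    return mul(r0, sc), mul(s0, sc), mul(t0, sc)

def cantor_add(D1, D2):                       # Mumford pairs (a, b); the identity is ([1], [])
    (a1, b1), (a2, b2) = D1, D2
    d1, e1, e2 = xgcd(a1, a2)                     # d1 = e1*a1 + e2*a2
    d, c1, c2 = xgcd(d1, add(b1, b2))             # d = gcd(a1, a2, b1+b2+h) with h = 0
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2     # d = s1*a1 + s2*a2 + s3*(b1+b2)
    a = div(mul(a1, a2), mul(d, d))               # a' = a1*a2 / d^2
    num = add(add(mul(mul(s1, a1), b2), mul(mul(s2, a2), b1)), mul(s3, add(mul(b1, b2), F)))
    b = mod(div(num, d), a)                       # b' = [s1 a1 b2 + s2 a2 b1 + s3 (b1 b2 + f)]/d mod a'
    while deg(a) > G:                             # reduction: every pass lowers deg a
        a = monic(div(sub(F, mul(b, b)), a))      # a'' = (f - h*b - b^2) / a'
        b = mod(neg(b), a)                        # b'' = (-h - b) mod a''
    return a, b

def legendre(v):                              # 0 / +1 (square) / -1 (non-square) in GF(p)
    v %= P
    return 0 if v == 0 else (1 if pow(v, (P - 1) // 2, P) == 1 else -1)

def point(x):                                 # an affine point of C above x, or None
    v = eval_poly(F, x)
    y = pow(v, (P + 1) // 4, P)               # square root for p = 3 mod 4
    return (x, y) if y * y % P == v else None

def divisor(P1, P2):                          # P1 + P2 - 2*Pinf as (a, b); requires x1 != x2
    (x1, y1), (x2, y2) = P1, P2
    slope = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    a = mul([-x1 % P, 1], [-x2 % P, 1])
    return a, add([y1], mul([slope], [-x1 % P, 1]))   # b = line through P1 and P2

def is_reduced(D):                            # deg b < deg a <= g and a | b^2 + h*b - f
    return deg(D[0]) <= G and deg(D[1]) < deg(D[0]) and not mod(sub(mul(D[1], D[1]), F), D[0])

def scalar_mul(k, D):                         # left-to-right double-and-add
    R = ([1], [])
    for bit in bin(k)[2:]:
        R = cantor_add(R, R)
        if bit == "1":
            R = cantor_add(R, D)
    return R

def is_nonsingular():                         # odd p, h = 0: C is smooth iff gcd(f, f') = 1
    return xgcd(F, trim([i * c % P for i, c in enumerate(F)][1:]))[0] == [1]

def jacobian_order():                         # genus 2: #J_C(F_p) = (N1^2 + N2)/2 - p
    n1 = 1 + sum(1 + legendre(eval_poly(F, x)) for x in range(P))   # +1 for the point at infinity
    n2 = 1                                    # N2 = #C(F_{p^2}) with F_{p^2} = F_p[i]/(i^2 + 1)
    for u in range(P):
        for v in range(P):
            z = (0, 0)
            for c in reversed(F):             # Horner evaluation of f at x = u + v*i
                z = ((z[0] * u - z[1] * v + c) % P, (z[0] * v + z[1] * u) % P)
            n2 += 1 + legendre(z[0] ** 2 + z[1] ** 2)   # square in F_{p^2} iff its norm is a square in F_p
    return (n1 * n1 + n2) // 2 - P
```

`scalar_mul(jacobian_order(), D)` returns `([1], [])` for every divisor `D`, and `jacobian_order()` lands between (√103 − 1)^4 ≈ 7007 and (√103 + 1)^4 ≈ 15452, i.e. near 103^2, as "group size ≈ (field size)^g" predicts. The gcd bookkeeping is not dead code: `d` has positive degree exactly when a1, a2 and b1+b2+h share a factor, for instance when adding D + (−D) or doubling a divisor that contains a point with y = 0, and those are the cases that the explicit formulae on the following slides assume away.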
Contents

1. Next Generation IT Systems
  • Embedded systems and pervasive computing
  • Security in pervasive computing
2. HECC
  • HECC for engineers
  • Improving the group operation
  • Implementations
Improving the group operation

Cantor's algorithm is slow since
1. it computes a GCD, even though almost always GCD = 1
2. it uses polynomial arithmetic
3. it is iterative

Idea: Assume GCD = 1 and derive explicit formulae [Harley 2000]
• holds with probability ≈ 1 − O(1/q) (the rare remaining cases fall back to the general algorithm)
• only field operations

Brief history of HECC improvements

1988 –     Use of HEC as a cryptosystem first suggested [Koblitz 1988]
1994/2000  Explicit formulae suggested for genus-2 HECC [Spallek 1994; Harley 2000]
2001 –     Efficient explicit formulae for genus-2 HECC [Matsuo et al. 2001; Miyamoto et al. 2002; Lange 2002]
2002 –     Efficient explicit formulae for genus-3 HECC [Kuroki et al. 2002; Pelzl 2002; Pelzl et al. 2003]
2003 –     Efficient explicit formulae for genus-4 HECC [Pelzl et al. 2003]
Improvements to the group operation
Example: Adding divisors on a HEC of genus 3

Polynomial arithmetic: Cantor's algorithm (as on the previous slide).
Explicit formulae (field arithmetic only): excerpt of the genus-3 addition code in characteristic 2, as shown on the slide (NTL-style; a..f, k..p are the input divisor coefficients, h0..h3 and f4..f6 the curve coefficients; the excerpt is not self-contained):

```cpp
t1 = a*e;
t2 = b*d;
t3 = b*f;
t4 = c*e;
t5 = a*f;
t6 = c*d;
t7 = sqr(c+f);
t8 = sqr(b+e);
t9 = (a+d)*(t3+t4);
t10 = (a+d)*(t5+t6);
r = (f+c+t1+t2)*(t7+t9) + t10*(t5+t6) + t8*(t3+t4);
t11 = (b+e)*(c+f);
inv2 = (t1+t2+c+f)*(a+d) + t8;
inv1 = inv2*d + t10 + t11;
inv0 = inv2*e + d*(t10+t11) + t9 + t7;
t12 = (inv1+inv2)*(k+n+l+o);
t13 = (l+o)*inv1;
t14 = (inv0+inv2)*(k+n+m+p);
t15 = (m+p)*inv0;
t16 = (inv0+inv1)*(l+o+m+p);
t17 = (k+n)*inv2;
rs0 = t15;
rs1 = t13+t15+t16;
rs2 = t13+t14+t15+t17;
rs3 = t12+t13+t17;
rs4 = t17;
t18 = rs3 + rs4*d;
s0s = rs0 + f*t18;
s1s = rs1 + rs4*f + e*t18;
s2s = rs2 + rs4*e + d*t18;
w1 = inv(r*s2s);
w2 = r*w1;
w3 = w1*sqr(s2s);
w4 = r*w2;
w5 = sqr(w4);
s0 = w2*s0s;
s1 = w2*s1s;
s2 = w2*s2s;
z0 = s0*c;
z1 = s1*c + s0*b;
z2 = s0*a + s1*b + c;
z3 = s1*a + s0 + b;
z4 = a + s1;
z5 = to_GF2E(1L);
t1 = w4*h2;
t2 = w4*h3;
u3s = d + z4 + s1;
u2s = d*u3s + e + z3 + s0 + t2 + s1*z4;
u1s = d*u2s + e*u3s + f + z2 + t1 + s1*(z3+t2) + s0*z4 + w5;
u0s = d*u1s + e*u2s + f*u3s + z1 + w4*h1 + s1*(z2+t1) + s0*(z3+t2) + w5*(a+f6);
t1 = u3s + z4;
v0s = w3*(u0s*t1 + z0) + h0 + m;
v1s = w3*(u1s*t1 + u0s + z1) + h1 + l;
v2s = w3*(u2s*t1 + u1s + z2) + h2 + k;
v3s = w3*(u3s*t1 + u2s + z3) + h3;
a3 = f6 + u3s + v3s*(v3s+h3);
b3 = u2s + a3*u3s + f5 + v3s*h2 + v2s*h3;
c3 = u1s + a3*u2s + b3*u3s + f4 + v2s*(v2s+h2) + v3s*h1 + v1s*h3;
k3 = v2s + (v3s+h3)*a3 + h2;
l3 = v1s + (v3s+h3)*b3 + h1;
m3 = v0s + (v3s+h3)*c3 + h0;
```
Speed-ups with explicit formulae (curves over odd characteristic)

Genus | Type              | # inv. | # mult. & sq. | complexity impr. 3)
2     | polyn. Cantor 1)  | 3      | 70            |
2     | explicit 2)       | 1      | 25            | 64%
3     | polyn. Cantor 1)  | 4      | 200           |
3     | explicit          | 1      | 76            | 65%
4     | polyn. Cantor 1)  | 6      | 386           |
4     | explicit          | 2      | 164           | 59%

1) Cantor's algorithm implemented by [Nagao 2000]
2) Explicit formulae by [Lange 2002]
3) assumption: 1 inverse costs 8 mult.
Big Question: Can HECC beat ECC in practice?
ECC vs. HECC: high-level arithmetic comparison for 1 group op

Genus      | rel. field size | # inv. | # mult. & sq.
1 (ECC) 1) | 1               | –      | 16
2 2)       | 0.5             | 1      | 25
3 2)       | 0.33            | 1      | 76
4 2)       | 0.25            | 2      | 164

1) ECC with projective coordinates over GF(p)
2) HEC over fields of arbitrary characteristic
Theoretical complexity comparison: ECC vs. HECC

Preliminary remarks about comparisons
1. fair comparisons tend to be tricky
2. needs an accurate metric
3. should have practical relevance (no big-O statements)

We chose
• F_{2^n} arithmetic with the best known algorithms for ECC & HECC
• metric: atomic operations (shifts, adds, ...)
[Bar chart: atomic operations for a 160-bit scalar multiplication; y-axis "Atomic Operations" from 0 to 1,800,000; bars for ECC (projective), ECC (affine), HECC g=2, HECC g=3, HECC g=4. Conditions: over F_{2^m}, no special automorphisms, 1 inv = 6 mult.]
Embedded implementation: ARM7 @ 80 MHz

Genus   | Group order | Field     | Divisor mult. [msec]
1 (ECC) | 2^191       | F_{2^191} | 100
2       | 2^190       | F_{2^95}  | 121
3       | 2^189       | F_{2^63}  | 72
4       | 2^188       | F_{2^47}  | 202

• special curves over char 2 fields
• no special endomorphisms used
• parts of the ECC library by Koç et al. were used [Koç 2000]
Desktop implementation: [email protected]

Genus   | Group order | Field     | Divisor mult.
1 (ECC) | 2^191       | F_{2^191} | 2.78 ms
2       | 2^190       | F_{2^95}  | 4.47 ms
3       | 2^189       | F_{2^63}  | 3.01 ms
4       | 2^188       | F_{2^47}  | 8.05 ms

• special curves over char 2 fields
• no special endomorphisms used
• parts of the ECC library by Koç et al. were used [Koç 2000]
Genus-4 curves

Fact: Genus-4 HECC is almost twice as slow as genus-2 HECC at standard security levels (group > 2^160)

Question: Is there any use for genus-4 curves??
An interesting design option: Genus-4 HECC with group size 2^128

  q^4 ≈ 2^128 ⇒ q ≈ 2^32

Allows 128 / 4 = 32-bit field arithmetic!
• 1 field element = 1 processor word
• no carries, easy data types
• great for (embedded) 32-bit processors

(big) but: Are HEC with group size 2^128 secure?
Security of 128-bit HECC

Hard data on attacks (outside government agencies)
1. DES (56-bit) Challenge III – 22 hours, 1999
2. ECCp-109 challenge – 1.5 years, 10^4 computers, 2002 (considerably harder than the DES break or RSA-512)

? HECC (g ≤ 3) with a group order of 2^128
• are 724 times harder to break than ECCp-109 (generic DL attacks cost about the square root of the group order: 2^((128−109)/2) ≈ 724)
• far more secure than DES or RSA-512 (still widely used)
• sufficient for many embedded applications (short- to medium-term security)
Light-weight security on the ARM7 @ 80 MHz

genus | group order | field    | divisor multipl.
2     | 2^128       | F_{2^64} | 71.5 ms
3     | 2^129       | F_{2^43} | 47.1 ms
4     | 2^128       | F_{2^32} | 49.0 ms

Note: g = 4 curves are very competitive despite poor theoretical complexity
Conclusions HECC

• Some HECC show good performance on real-world platforms
• On embedded processors, genus-3 HECC can outperform ECC
• For special types of curves, genus-3 HECC are faster than genus-2 HECC
• g = 4 curves are interesting for light-weight crypto
• further reading: [Pelzl et al. 2003a, 2003b]
Suggestions for further research

1. Explicit group operation formulae
   – Systematic further complexity reduction (= faster)
   – Parallelization for modern µPs
2. Standardization of HECC (protocols, parameters, curves)
3. How realistic are attacks against HECC with g = 4, 5, …?
Related HGI Events
(see also www.crypto.rub.de)

• Conference ESCAR (Embedded Security in Cars), November 2003 (first conference ever about this topic)
• and, of course, CHES – Cryptographic Hardware and Embedded Systems, Sept. 7-10, 2003, chesworkshop.org
References

Harley, R. Fast Arithmetic on Genus Two Curves. Available at http://cristal.inria.fr/harley/hyper/ (files adding.txt and doubling.c).
Koblitz, N. 1988. A Family of Jacobians Suitable for Discrete Log Cryptosystems. In Advances in Cryptology – CRYPTO '88, S. Goldwasser, Ed. Lecture Notes in Computer Science, vol. 403. Springer-Verlag, Berlin, 94-99.
Koç, Ç., and Saldamli, G. Support for field arithmetic library and elliptic curve routines.
Kuroki, J., Gonda, M., Matsuo, K., Chao, J., and Tsuji, S. 2002. Fast Genus Three Hyperelliptic Curve Cryptosystems. In The 2002 Symposium on Cryptography and Information Security, Japan – SCIS 2002.
Lange, T. 2002. Efficient Arithmetic on Genus Two Hyperelliptic Curves over Finite Fields via Explicit Formulae. Cryptology ePrint Archive, Report 2002/121. http://eprint.iacr.org/
Lopez, J., and Dahab, R. 2000. High-speed software multiplication in F_{2^m}. In INDOCRYPT 2000, 203-212.
Matsuo, K., Chao, J., and Tsuji, S. 2001. Fast Genus Two Hyperelliptic Cryptosystems. In ISEC2001-31, IEICE.
Miyamoto, Y., Doi, H., Matsuo, K., Chao, J., and Tsuji, S. 2002. A Fast Addition Algorithm of Genus Two Hyperelliptic Curve. In The 2002 Symposium on Cryptography and Information Security – SCIS 2002, IEICE Japan, 497-502 (in Japanese).
Nagao, K. 2000. Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves. In ANTS IV, W. Bosma, Ed. Lecture Notes in Computer Science, vol. 1838. Springer-Verlag, Berlin, 439-448.
Pelzl, J. 2002. Hyperelliptic Cryptosystems on Embedded Processors. M.S. thesis, Department of Electrical Engineering and Information Sciences, Ruhr-Universität Bochum, Bochum, Germany.
Pelzl, J., Wollinger, T., Guajardo, J., and Paar, C. 2003. Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves. In Workshop on Cryptographic Hardware and Embedded Systems 2003 – CHES 2003.
Pelzl, J., Wollinger, T., and Paar, C. 2003. Low Cost Security: Explicit Formulae for Genus-4 Hyperelliptic Curves. In Selected Areas in Cryptography 2003 – SAC 2003.
Spallek, A.M. 1994. Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-Kryptosystemen (Curves of genus 2 and their application in public-key cryptosystems). PhD thesis, Universität Gesamthochschule Essen.