+ All Categories
Home > Documents > Software and Hardware Implementation of Elliptic Curve...

Software and Hardware Implementation of Elliptic Curve...

Date post: 14-Mar-2020
Category:
Upload: others
View: 10 times
Download: 0 times
Share this document with a friend
539
ECC Summer School, Bordeaux, France — September 23–25, 2015 Software and Hardware Implementation of Elliptic Curve Cryptography er´ emie Detrey CARAMEL team, LORIA INRIA Nancy – Grand Est, France [email protected] /* */ C,A, /* */ R,a, /* */ M,E, L,i= 5,e, d[5],Q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(A =*d; ++i<A ;++Q[ i*i% A],R= i[Q]? R:i); for(;i --;) for(M =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+N* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);} CARAMEL
Transcript
Page 1: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

ECC Summer School, Bordeaux, France — September 23–25, 2015

Software and Hardware Implementationof Elliptic Curve Cryptography

Jeremie DetreyCARAMEL team, LORIA

INRIA Nancy – Grand Est, [email protected]

/* */ C,A,/* */ R,a,/* */ M,E,

L,i=5,e,

d[5],Q[999 ]={0};main(N ){for(;i--;e=scanf("%" "d",d+i));for(A =*d;++i<A ;++Q[ i*i% A],R= i[Q]?R:i); for(;i --;) for(M =A;M--;N +=!M*Q [E%A ],e+= Q[(A+E*E- R*L* L%A) %A]) for(E=i,L=M,a=4;a;C= i*E+R*M*L,L=(M*E +i*L)

%A,E=C%A+a --[d]);printf ("%d""\n",(e+N*N)/2

/* cc caramel.c; echo f3 f2 f1 f0 p | ./a.out */ -A);}

CARAMEL

Page 2: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Context: Elliptic curves

I Let us consider a finite field Fq and an elliptic curve E/Fq

e.g., E : y 2 = x3 + Ax + B , with parameters A,B ∈ Fq and char(Fq) 6= 2, 3

I The set of Fq-rational points of E is defined as

E (Fq) = {(x , y) ∈ Fq × Fq | (x , y) satisfy E} ∪ {O}

I Additive group law: E (Fq) is an abelian group

• addition via the “chord and tangent” method• O is the neutral element

[See D. Robert’s lectures]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 1 / 60

Page 3: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Context: Elliptic curves

I Let us consider a finite field Fq and an elliptic curve E/Fq

e.g., E : y 2 = x3 + Ax + B , with parameters A,B ∈ Fq and char(Fq) 6= 2, 3

I The set of Fq-rational points of E is defined as

E (Fq) = {(x , y) ∈ Fq × Fq | (x , y) satisfy E} ∪ {O}

I Additive group law: E (Fq) is an abelian group

• addition via the “chord and tangent” method• O is the neutral element

[See D. Robert’s lectures]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 1 / 60

Page 4: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Context: Elliptic curves

I Let us consider a finite field Fq and an elliptic curve E/Fq

e.g., E : y 2 = x3 + Ax + B , with parameters A,B ∈ Fq and char(Fq) 6= 2, 3

I The set of Fq-rational points of E is defined as

E (Fq) = {(x , y) ∈ Fq × Fq | (x , y) satisfy E} ∪ {O}

I Additive group law: E (Fq) is an abelian group

• addition via the “chord and tangent” method• O is the neutral element

[See D. Robert’s lectures]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 1 / 60

Page 5: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The group law

EO

EO

P

Q

P + Q

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 2 / 60

Page 6: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The group law

EO

EO

P

Q

P + Q

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 2 / 60

Page 7: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The group law

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

E/F17 : y2 = x3 + x + 7

O

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

E/F17 : y2 = x3 + x + 7

P

Q

P + Q

O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 2 / 60

Page 8: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The group law

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

E/F17 : y2 = x3 + x + 7

O

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

E/F17 : y2 = x3 + x + 7

P

Q

P + Q

O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 2 / 60

Page 9: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication and discrete logarithm

I E (Fq) is a finite abelian group:

• let G be a cyclic subgroup of E (Fq)• let ` = #G the order of G and P ∈ G a generator of G

G = 〈P〉 = {O,P , 2P , 3P , . . . , (`− 1)P}

I The scalar multiplication in base P gives an isomorphism between Z/`Z and G:

expP : Z/`Z −→ G

k 7−→ kP = P + P + . . . + P︸ ︷︷ ︸k times

I The inverse map is the so-called discrete logarithm (in base P):

dlogP = exp−1P : G −→ Z/`Z

Q 7−→ k such that Q = kP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 3 / 60

Page 10: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication and discrete logarithm

I E (Fq) is a finite abelian group:

• let G be a cyclic subgroup of E (Fq)• let ` = #G the order of G and P ∈ G a generator of G

G = 〈P〉 = {O,P , 2P , 3P , . . . , (`− 1)P}

I The scalar multiplication in base P gives an isomorphism between Z/`Z and G:

expP : Z/`Z −→ G

k 7−→ kP = P + P + . . . + P︸ ︷︷ ︸k times

I The inverse map is the so-called discrete logarithm (in base P):

dlogP = exp−1P : G −→ Z/`Z

Q 7−→ k such that Q = kP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 3 / 60

Page 11: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication and discrete logarithm

I E (Fq) is a finite abelian group:

• let G be a cyclic subgroup of E (Fq)• let ` = #G the order of G and P ∈ G a generator of G

G = 〈P〉 = {O,P , 2P , 3P , . . . , (`− 1)P}

I The scalar multiplication in base P gives an isomorphism between Z/`Z and G:

expP : Z/`Z −→ G

k 7−→ kP = P + P + . . . + P︸ ︷︷ ︸k times

I The inverse map is the so-called discrete logarithm (in base P):

dlogP = exp−1P : G −→ Z/`Z

Q 7−→ k such that Q = kP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 3 / 60

Page 12: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication and discrete logarithm

I E (Fq) is a finite abelian group:

• let G be a cyclic subgroup of E (Fq)• let ` = #G the order of G and P ∈ G a generator of G

G = 〈P〉 = {O,P , 2P , 3P , . . . , (`− 1)P}

I The scalar multiplication in base P gives an isomorphism between Z/`Z and G:

expP : Z/`Z −→ G

k 7−→ kP = P + P + . . . + P︸ ︷︷ ︸k times

I The inverse map is the so-called discrete logarithm (in base P):

dlogP = exp−1P : G −→ Z/`Z

Q 7−→ k such that Q = kP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 3 / 60

Page 13: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 14: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 15: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 16: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 17: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 18: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function

⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 19: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function ⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 20: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Towards elliptic curve cryptography

I Scalar multiplication can be computed in polynomial time:

P

k

Pk

I Under a few conditions, discrete logarithm can only be computed in exponentialtime (as far as we know):

Q = Pk

k

[See E. Thome’s lectures, and S. Galbraith’s and M. Kosters’ talks]

I That’s a one-way function ⇒ Public-key cryptography!

• private key: an integer k in Z/`Z• public key: the point kP in G ⊆ E (Fq)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 4 / 60

Page 21: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 22: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?

P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 23: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?

P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 24: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 25: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 26: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa Pb

Pa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 27: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 28: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 1: EC Diffie–Hellman key exchange

I Alice and Bob want to establish a secure communication channel

I How can they decide upon a shared secret key over a public channel?

Alice Bob

? ?? ?P P

ba

Pa PbPa

Pb

a Pb abP

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 5 / 60

Page 29: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 30: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 31: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 32: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

k

Pk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 33: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 34: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 35: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kP

kb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 36: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Example 2: EC ElGamal encryption

bAlice Bob

PKIP Pb

P

bP

kPk

Pkb

kP

kPkb P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 6 / 60

Page 37: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Central operation: the scalar multiplication

I Elliptic curve Diffie–Hellman (ECDH):

• Alice: QA ← aP and K ← aQB (2 scalar mults)• Bob: QB ← bP and K ← bQA (2 scalar mults)

I Elliptic curve Digital Signature Algorithm (ECDSA):

• Alice (KeyGen): QA ← aP (1 scalar mult)• Alice (Sign): R ← kP (1 scalar mult)• Bob (Verify): R ′ ← uP + vQA (1 double scalar mult)

I etc.

I Other important operations might be required, such as pairings[See J. Kramer’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 7 / 60

Page 38: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Central operation: the scalar multiplication

I Elliptic curve Diffie–Hellman (ECDH):

• Alice: QA ← aP and K ← aQB (2 scalar mults)• Bob: QB ← bP and K ← bQA (2 scalar mults)

I Elliptic curve Digital Signature Algorithm (ECDSA):

• Alice (KeyGen): QA ← aP (1 scalar mult)• Alice (Sign): R ← kP (1 scalar mult)• Bob (Verify): R ′ ← uP + vQA (1 double scalar mult)

I etc.

I Other important operations might be required, such as pairings[See J. Kramer’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 7 / 60

Page 39: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Central operation: the scalar multiplication

I Elliptic curve Diffie–Hellman (ECDH):

• Alice: QA ← aP and K ← aQB (2 scalar mults)• Bob: QB ← bP and K ← bQA (2 scalar mults)

I Elliptic curve Digital Signature Algorithm (ECDSA):

• Alice (KeyGen): QA ← aP (1 scalar mult)• Alice (Sign): R ← kP (1 scalar mult)• Bob (Verify): R ′ ← uP + vQA (1 double scalar mult)

I etc.

I Other important operations might be required, such as pairings[See J. Kramer’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 7 / 60

Page 40: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Central operation: the scalar multiplication

I Elliptic curve Diffie–Hellman (ECDH):

• Alice: QA ← aP and K ← aQB (2 scalar mults)• Bob: QB ← bP and K ← bQA (2 scalar mults)

I Elliptic curve Digital Signature Algorithm (ECDSA):

• Alice (KeyGen): QA ← aP (1 scalar mult)• Alice (Sign): R ← kP (1 scalar mult)• Bob (Verify): R ′ ← uP + vQA (1 double scalar mult)

I etc.

I Other important operations might be required, such as pairings[See J. Kramer’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 7 / 60

Page 41: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 42: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?

• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 43: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?

• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 44: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 45: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 46: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 47: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]

• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 48: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)

• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 49: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]

• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 50: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]

• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 51: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?

• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 52: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?

• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 53: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?

• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 54: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Efficient and secure implementation?

I Many possible meanings for efficiency:

• fast? → low latency or high throughput?• small? → low memory / code / silicon usage?• low power?... or low energy?

⇒ Identify constraints according to application and target platform

I Secure against which attacks?

• protocol attacks? (FREAK, LogJam, etc.) [See N. Heninger’s talk]• curve attacks? (weak curves, twist security, etc.)• timing attacks? [See P. Schwabe’s talk]• fault attacks? [See J. Kramer’s talk]• cache attacks?• branch-prediction attacks?• power or electromagnetic analysis?• etc.

⇒ Possible attack scenarios depend on the application

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 8 / 60

Page 55: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 56: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)

• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 57: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)

• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 58: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)

• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 59: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 60: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 61: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Which target platforms?

I Cryptography should be available everywhere:

• on desktop PCs and laptops→ 64-bit Intel or AMD CPUs with SIMD instructions (SSE / AVX)• on smartphones→ low-power 32- or 64-bit ARM CPUs, maybe with SIMD (NEON)• on wireless sensors→ tiny 8-bit microcontroller (such as Atmel AVRs)• on smart cards and RFID chips→ custom cryptoprocessor (ASIC or ASIP) with dedicated hardware forcryptographic operations

I Other possible target platforms, mostly for cryptanalytic computations:

• clusters of CPUs• GPUs (graphics processors)• FPGAs (reconfigurable circuits)

⇒ In such cases, implementation security is usually less critical

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 9 / 60

Page 62: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 63: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)

• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 64: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)

• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 65: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication

• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 66: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)

• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 67: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)

• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 68: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)

• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 69: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)

• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 70: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires

• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 71: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 72: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 73: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 74: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementation layers

I A complete ECC implementation relies on many layers:

• protocol (OpenPGP, TLS, SSH, etc.)• cryptographic primitives (ECDH, ECDSA, etc.)• scalar multiplication• elliptic curve arithmetic (point addition, point doubling, etc.)• finite field arithmetic (addition, multiplication, inversion, etc.)• native integer arithmetic (CPU instruction set)• logic circuits (registers, multiplexers, adders, etc.)• logic gates (NOT, NAND, etc.) and wires• transistors

I When designing a cryptoprocessor, the hardware/software partitioning can betailored to the application’s requirements

I All top layers (esp. the blue and green ones) might lead to critical vulnerabilities ifpoorly implemented!⇒ ECC is no more secure than its weakest link

I In these lectures, we will mostly focus on the green layers

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 10 / 60

Page 75: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 76: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.

• at the cryptographic primitive level:RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 77: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.

• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 78: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)

• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 79: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 80: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 81: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]

• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 82: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Available implementations

I There already exist several free-software, open-source implementations of ECC (orof useful layers thereof):

• at the protocol level:GnuPG, OpenSSL, GnuTLS, OpenSSH, cryptlib, etc.• at the cryptographic primitive level:

RELIC, NaCl (Ed25519), crypto++, etc.• at the curve arithmetic level: PARI, Sage (not for crypto!)• at the field arithmetic level: MPFQ, GF2X, NTL, GMP, etc.

I Available open-source hardware implementations of ECC:

• implementation of NaCl’s crypto box [Ask P. Schwabe about it]• PAVOIS project (announced) [See A. Tisserand’s talk]

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 11 / 60

Page 83: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Some references

Elliptic Curves in Cryptography,Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart.London Mathematical Society 265,Cambridge University Press, 1999.

Advances in Elliptic Curves Cryptography,Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart (editors).London Mathematical Society 317,Cambridge University Press, 2005.

Mathematics of Public-Key Cryptography,Steven D. Galbraith.Cambridge University Press, 2012.

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 12 / 60

Page 84: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Some references

Guide to Elliptic Curve Cryptography,Darrel Hankerson, Alfred Menezes, and Scott Vanstone.Springer, 2004.

Handbook of Elliptic and Hyperelliptic Curve Cryptography,Henri Cohen and Gerhard Frey (editors).Chapman & Hall / CRC, 2005.

Proceedings of the CHES workshop and of other crypto conferences.

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 13 / 60

Page 85: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 14 / 60

Page 86: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 15 / 60

Page 87: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication

I Given k in Z/`Z and P in G ⊆ E (Fq), we want to compute

kP = P + P + . . . + P︸ ︷︷ ︸k times

I Size of ` (and k) for crypto applications: between 250 and 500 bits

I Repeated addition, in O(k) complexity, is out of the question!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 16 / 60

Page 88: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication

I Given k in Z/`Z and P in G ⊆ E (Fq), we want to compute

kP = P + P + . . . + P︸ ︷︷ ︸k times

I Size of ` (and k) for crypto applications: between 250 and 500 bits

I Repeated addition, in O(k) complexity, is out of the question!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 16 / 60

Page 89: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Scalar multiplication

I Given k in Z/`Z and P in G ⊆ E (Fq), we want to compute

kP = P + P + . . . + P︸ ︷︷ ︸k times

I Size of ` (and k) for crypto applications: between 250 and 500 bits

I Repeated addition, in O(k) complexity, is out of the question!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 16 / 60

Page 90: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Available operations on E (Fq):

• point addition: (Q,R) 7→ Q + R• point doubling: Q 7→ 2Q = Q + Q

I Idea: iterative algorithm based on the binary expansion of k

• start from the most significant bit of k• double current result at each step• add P if the corresponding bit of k is 1• same principle as binary exponentiation

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 17 / 60

Page 91: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Available operations on E (Fq):

• point addition: (Q,R) 7→ Q + R• point doubling: Q 7→ 2Q = Q + Q

I Idea: iterative algorithm based on the binary expansion of k

• start from the most significant bit of k• double current result at each step• add P if the corresponding bit of k is 1• same principle as binary exponentiation

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 17 / 60

Page 92: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Available operations on E (Fq):

• point addition: (Q,R) 7→ Q + R• point doubling: Q 7→ 2Q = Q + Q

I Idea: iterative algorithm based on the binary expansion of k

• start from the most significant bit of k• double current result at each step• add P if the corresponding bit of k is 1

• same principle as binary exponentiation

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 17 / 60

Page 93: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Available operations on E (Fq):

• point addition: (Q,R) 7→ Q + R• point doubling: Q 7→ 2Q = Q + Q

I Idea: iterative algorithm based on the binary expansion of k

• start from the most significant bit of k• double current result at each step• add P if the corresponding bit of k is 1• same principle as binary exponentiation

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 17 / 60

Page 94: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431

= (110101111)2

T =

(((((P · 2 + P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

=

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 95: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431

= (110101111)2

T =

(((((P · 2 + P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

=

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 96: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((((P · 2 + P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

=

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 97: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((((P · 2 + P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= O

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 98: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((((

P

· 2 + P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 99: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((((

P · 2

+ P) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= 2P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 100: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((((

P · 2 + P

) · 2

2

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= 3P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 101: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

((((

(P · 2 + P) · 2

2 + P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= 6P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 102: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

((((

(P · 2 + P) · 22

+ P) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= 12P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 103: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

((((

(P · 2 + P) · 22 + P

) · 2

2

+ P) · 2 + P) · 2 + P) · 2 + P

= 13P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 104: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((

((P · 2 + P) · 22 + P) · 2

2 + P) · 2 + P) · 2 + P) · 2 + P

= 26P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 105: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((

((P · 2 + P) · 22 + P) · 22

+ P) · 2 + P) · 2 + P) · 2 + P

= 52P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 106: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(((

((P · 2 + P) · 22 + P) · 22 + P

) · 2 + P) · 2 + P) · 2 + P

= 53P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 107: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

((

(((P · 2 + P) · 22 + P) · 22 + P) · 2

+ P) · 2 + P) · 2 + P

= 106P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 108: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

((

(((P · 2 + P) · 22 + P) · 22 + P) · 2 + P

) · 2 + P) · 2 + P

= 107P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 109: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(

((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2

+ P) · 2 + P

= 214P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 110: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T =

(

((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2 + P

) · 2 + P

= 215P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 111: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T = (((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2 + P) · 2

+ P

= 430P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 112: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T = (((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2 + P) · 2 + P = 431P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 113: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T = (((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2 + P) · 2 + P = 431P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 114: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Double-and-add algorithm

I Denoting by (kn−1 . . . k1k0)2, with n = dlog2 `e, the binary expansion of k :

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

I Example: k = 431 = (110101111)2

T = (((((P · 2 + P) · 22 + P) · 22 + P) · 2 + P) · 2 + P) · 2 + P = 431P

I Complexity in O(n) = O(log2 `) operations over E (Fq):

• n doublings, and• n/2 additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 18 / 60

Page 115: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431

= (110 101 111)2 = (657)23

T =

(6P · 23 + 5P) · 23 + 7P

=

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 116: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431

= (110 101 111)2 = (657)23

T =

(6P · 23 + 5P) · 23 + 7P

=

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 117: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431

= (110 101 111)2 = (657)23

T =

(6P · 23 + 5P) · 23 + 7P

=

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 118: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2

= (657)23

T =

(6P · 23 + 5P) · 23 + 7P

=

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 119: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T =

(6P · 23 + 5P) · 23 + 7P

=

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 120: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T =

(6P · 23 + 5P) · 23 + 7P

= O

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 121: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T =

(

6P

· 23 + 5P) · 23 + 7P

= 6P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 122: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T =

(

6P · 23

+ 5P) · 23 + 7P

= 48P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 123: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T =

(

6P · 23 + 5P

) · 23 + 7P

= 53P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 124: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23

+ 7P

= 424P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 125: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23 + 7P = 431P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 126: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23 + 7P = 431P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 127: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23 + 7P = 431P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 128: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23 + 7P = 431P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 129: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Windowed method

I Consider 2w -ary expansion of k : i.e., split k into w -bit chunks

I Precompute 2P , 3P , . . . , (2w − 1)P :

• 2w−1 − 1 doublings, and• 2w−1 − 1 additions

I Example with w = 3: k = 431 = (110 101 111)2 = (657)23

T = (6P · 23 + 5P) · 23 + 7P = 431P

I Complexity:

• n doublings, and• (1− 2−w)n/w additions on average

I Select w carefully so that precomputation cost does not become predominant

I Sliding window variant: half as many precomputations

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 19 / 60

Page 130: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431

= (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 131: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431

= (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 132: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431

= (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 133: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431

= (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 134: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431

= (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 135: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(3P · 23 + 3P) · 24 − P

=

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 136: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(3P · 23 + 3P) · 24 − P

= O

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 137: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(

3P

· 23 + 3P) · 24 − P

= 3P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 138: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(

3P · 2

3 + 3P) · 24 − P

= 6P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 139: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(

3P · 22

+ 3P) · 24 − P

= 12P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 140: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(

3P · 23

+ 3P) · 24 − P

= 24P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 141: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T =

(

3P · 23 + 3P

) · 24 − P

= 27P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 142: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 2

4 − P

= 54P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 143: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 22

− P

= 108P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 144: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 23

− P

= 216P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 145: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 24

− P

= 432P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 146: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 24 − P = 431P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 147: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 24 − P = 431P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 148: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Non-adjacent form

I Fact: computing the opposite of a point on E (Fq) has a negligible cost

I Idea: use signed digits to represent scalar k with minimal Hamming weight

I 2w -ary non-adjacent form (w -NAF): use odd digits {−2w−1 + 1, . . . , 2w−1 − 1}and 0 to represent k so that at most every w -th digit is non-zero

I Precompute 3P , 5P , . . . , (2w−1 − 1)P :

• 1 doubling, and• 2w−2 − 1 additions

I Example with w = 3 (digits in {3, 1, 0, 1, 3}): k = 431 = (30030001)2

T = (3P · 23 + 3P) · 24 − P = 431P

I Complexity:

• n doublings, and• n/(w + 1) additions on average

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 20 / 60

Page 149: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation technique

I To compute the sum of several scalar multiplications

e.g., aP + bQ, where a, b ∈ Z/`Z and P ,Q ∈ E (Fq)

I Idea:

• compute and accumulate all scalar multiplications simultaneously• share doubling steps between multiplications

function double-scalar-mult(a,P , b,Q):S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 21 / 60

Page 150: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation technique

I To compute the sum of several scalar multiplications

e.g., aP + bQ, where a, b ∈ Z/`Z and P ,Q ∈ E (Fq)

I Idea:

• compute and accumulate all scalar multiplications simultaneously• share doubling steps between multiplications

function double-scalar-mult(a,P , b,Q):S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 21 / 60

Page 151: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21

= (10101)2and b = 30 = (11110)2

T =

((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P

=

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 152: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21

= (10101)2

and b = 30

= (11110)2

T =

((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P

=

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 153: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P

=

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 154: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P

= O

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 155: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

((((

P + Q

) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P

= P + Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 156: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

(((

(P + Q) · 2

+ Q) · 2 + P + Q) · 2 + Q) · 2 + P

= 2P + 2Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 157: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

(((

(P + Q) · 2 + Q

) · 2 + P + Q) · 2 + Q) · 2 + P

= 2P + 3Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 158: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

((

((P + Q) · 2 + Q) · 2

+ P + Q) · 2 + Q) · 2 + P

= 4P + 6Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 159: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

((

((P + Q) · 2 + Q) · 2 + P + Q

) · 2 + Q) · 2 + P

= 5P + 7Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 160: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

(

(((P + Q) · 2 + Q) · 2 + P + Q) · 2

+ Q) · 2 + P

= 10P + 14Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 161: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T =

(

(((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q

) · 2 + P

= 10P + 15Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 162: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T = ((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2

+ P

= 20P + 30Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 163: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T = ((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P = 21P + 30Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 164: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T = ((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P = 21P + 30Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 165: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T = ((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P = 21P + 30Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 166: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multi-exponentiation techniquefunction double-scalar-mult(a,P , b,Q):

S ← P + QT ← Ofor i ← n − 1 downto 0:

T ← 2Tif ai = 1 and bi = 1:

T ← T + Selse if ai = 1:

T ← T + Pelse if bi = 1:

T ← T + Qreturn T

I Example: a = 21 = (10101)2and b = 30 = (11110)2

T = ((((P + Q) · 2 + Q) · 2 + P + Q) · 2 + Q) · 2 + P = 21P + 30Q

I Complexity:• n doublings, and• 3n/4 additions on average

I With signed digits:• joint sparse form (JSF): n/2 additions• interleaved w -NAF: 2n/(w + 1) additions

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 22 / 60

Page 167: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 168: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm

• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 169: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ

• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 170: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 171: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 172: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 173: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax

• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 174: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)

• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 175: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Proposed by Gallant, Lambert, and Vanstone in 2000:

• take an ordinary elliptic curve with a known efficiently computableendomorphism ψ of small norm• the characteristic polynomial of ψ is of the form χψ(T ) = T 2 − tψT + nψ• there exists a root λ ∈ Z/`Z of χψ(T ) mod ` such that

ψ(P) = λP , for any P ∈ G

⇒ λ-adic decomposition of scalar k as k ≡ k0 + λk1 (mod `) so that

kP = k0P + k1ψ(P)

⇒ compute k0P + k1ψ(P) via multi-exponentiation

I Example:

• let p ≡ 1 (mod 4) and E/Fp : y 2 = x3 + Ax• let ξ ∈ Fp a primitive 4-th root of unity (i.e., ξ2 = −1 and ξ4 = 1)• then ψ : (x , y) 7→ (−x , ξy) is an endomorphism of E and, since

ψ2(x , y) = (x ,−y) = −(x , y),

its characteristic polynomial is χψ(T ) = T 2 + 1 and λ = ±√−1 mod `

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 23 / 60

Page 176: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 177: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ

• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 178: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)

• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 179: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 180: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 181: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 182: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 183: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 184: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449

• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 185: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)

• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 186: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382

• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 187: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 188: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

GLV curves

I Computation of k0 and k1:

• pairs (a, b) ∈ Z2 such that a + bλ ≡ 0 (mod `) form a 2-dimensional lattice Λ• Λ is generated by (`, 0) and (−λ, 1) → precompute short basis (EEA)• given k , find lattice point (k0, k1) ∈ Λ closest to (k , 0)

k ≡ k − (k0 + k1λ) (mod `)

≡ (k − k0) + (−k1)λ (mod `)

• take k0 = (k − k0) mod ` and k1 = −k1 mod `

⇒ k0 and k1 of size ≈ n/2 bits

I Previous example with p = 953 and E/Fp : y 2 = x3 + 5x :

• as #E (Fp) = 2 · 449, we take ` = 449• let ξ = 442 and check that ξ2 ≡ −1 (mod p)• ψ : (x , y) 7→ (−x , ξy): we have ψ(P) = λP for all P ∈ G, with λ = 382• scalar k = 431 can be rewritten as k ≡ 2 + 7λ (mod `), whence

kP = 2P + 7ψ(P)

I Popular constructions exploiting endomorphism ring:

• GLS curves (Galbraith, Lin, and Scott, 2008): large class of GLV-compatiblecurves• Koblitz curves: binary curves, with Frobenius map ψ : (x , y) 7→ (x2, y 2)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 24 / 60

Page 189: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1

• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

Pow

er

Time

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1

⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 190: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1

• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

Pow

er

Time

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1

⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 191: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k

• power analysis will leak bits of k

Pow

er

Time

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1

⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 192: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

Pow

er

Time

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 193: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Preturn T

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

Pow

er

Time

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 194: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Pelse:

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?

• the result of the point addition is used if and only if ki = 1⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 195: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Pelse:

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?• the result of the point addition is used if and only if ki = 1

⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 196: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Security issuesI Back to the double-and-add algorithm:

function scalar-mult(k ,P):T ← Ofor i ← n − 1 downto 0:

T ← 2Tif ki = 1:

T ← T + Pelse:

Z ← T + Preturn T

I At step i , point addition T ← T + P is computed if and only if ki = 1• careful timing analysis will reveal Hamming weight of secret k• power analysis will leak bits of k

1 0 0 1 1 0 1 0 0 1

Pow

er

Time

I Use double-and-add-always algorithm?• the result of the point addition is used if and only if ki = 1⇒ vulnerable to fault attacks

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 25 / 60

Page 197: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:

• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 198: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:

• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 199: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step

• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 200: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step

• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 201: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 202: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19

= (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 203: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 =

P · 2

2

+ 5P + 10P

=

T1 =

(

P

· 2 + P + 2P) · 2

2

=

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 204: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 =

P · 2

2

+ 5P + 10P

= OT1 =

(

P

· 2 + P + 2P) · 2

2

= P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 205: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 =

P · 2

2

+ 5P + 10P

= OT1 =

(

P

· 2 + P + 2P) · 2

2

= P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 206: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P

· 2

2

+ 5P + 10P

= P

T1 =

(

P

· 2 + P + 2P) · 2

2

= P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 207: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P

· 2

2

+ 5P + 10P

= P

T1 =

(

P · 2

+ P + 2P) · 2

2

= 2P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 208: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P

· 2

2

+ 5P + 10P

= P

T1 =

(

P · 2

+ P + 2P) · 2

2

= 2P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 209: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P

· 2

2

+ 5P + 10P

= P

T1 =

(

P · 2 + P

+ 2P) · 2

2

= 3P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 210: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 2

2 + 5P + 10P

= 2P

T1 =

(

P · 2 + P

+ 2P) · 2

2

= 3P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 211: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 2

2 + 5P + 10P

= 2P

T1 =

(

P · 2 + P

+ 2P) · 2

2

= 3P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 212: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 2

2 + 5P + 10P

= 2P

T1 =

(

P · 2 + P + 2P

) · 2

2

= 5P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 213: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22

+ 5P + 10P

= 4P

T1 =

(

P · 2 + P + 2P

) · 2

2

= 5P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 214: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22

+ 5P + 10P

= 4P

T1 =

(

P · 2 + P + 2P

) · 2

2

= 5P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 215: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P

+ 10P

= 9P

T1 =

(

P · 2 + P + 2P

) · 2

2

= 5P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 216: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P

+ 10P

= 9P

T1 = (P · 2 + P + 2P) · 2

2

= 10P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 217: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P

+ 10P

= 9P

T1 = (P · 2 + P + 2P) · 2

2

= 10P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 218: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P + 10P = 19P

T1 = (P · 2 + P + 2P) · 2

2

= 10P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 219: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P + 10P = 19P

T1 = (P · 2 + P + 2P) · 22 = 20P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 220: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Montgomery ladderI Algorithm proposed by Montgomery in 1987:

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I Properties:• perform one addition and one doubling at each step• ensure that both results are used in the next step• loop invariant: T1 = T0 + P

I Example: k = 19 = (10011)2

T0 = P · 22 + 5P + 10P = 19P

T1 = (P · 2 + P + 2P) · 22 = 20P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 26 / 60

Page 221: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki

⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 222: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki

⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 223: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

if ki = 1:T0 ← T0 + T1

T1 ← 2T1

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 224: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

T1−ki ← T0 + T1

Tki ← 2Tki

return T0

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 225: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

T1−ki ← T0 + T1

Tki ← 2Tki

return T0

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 226: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

T1−ki ← T0 + T1

Tki ← 2Tki

return T0

else:T1 ← T0 + T1

T0 ← 2T0

return T0

I The conditional branches depend on the value of secret bit ki⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 227: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

More security issues

function scalar-mult(k ,P):T0 ← OT1 ← Pfor i ← n − 1 downto 0:

M ← (ki . . . ki)2R ← T0 + T1

S ← 2((M&T0) | (M&T1))T0 ← (M&S) | (M&R)T1 ← (M&R) | (M&S)

return T0

return T0

I The conditional branches depend on the value of secret bit ki⇒ might be vulnerable to branch prediction attacks

I Compute indices for T0 and T1 from ki?

• memory accesses to T0 or T1 depend on secret bit ki

⇒ might be vulnerable to cache attacks

I Use bit masking to avoid secret-dependent memory access patterns

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 27 / 60

Page 228: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 28 / 60

Page 229: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO

EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 230: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO

EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 231: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 232: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 233: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O

EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 234: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O

EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O

EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 235: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O

EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 236: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 237: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 238: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O

EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 239: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling

EO EO

P

Q

EO

P

Q

LP,Q

EO

P

Q

R ′

LP,Q

EO

P

Q

R ′

LP,Q

LR′,O EO

P

Q

R ′

R = P + Q

LP,Q

LR′,O EO

P

EO

P

LP,P

EO

P

R ′

LP,P

EO

P

R ′

LP,P

LR′,O

EO

P

R ′

R = 2P

LP,P

LR′,O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 29 / 60

Page 240: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 241: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 242: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 243: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 244: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 245: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S

• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 246: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Addition and doubling formulae

E/Fq : y 2 = x3 + Ax + B

I Let P = (xP , yP) and Q = (xQ , yQ) ∈ E (Fq)\{O} (affine coordinates)

I The opposite of P is −P = (xP ,−yP)

I If P 6= −Q, then P + Q = R = (xR , yR) with

xR = λ2 − xP − xQ and yR = λ(xP − xR)− yP

where

λ =

yQ − yPxQ − xP

if P 6= Q, or

−(∂f /∂x) (xP , yP)

(∂f /∂y) (xP , yP)=

3x2P + a

2yPif P = Q

I Cost (number of inversions, multiplications and squares in Fq):

• addition: 1I + 2M + 1S• doubling: 1I + 2M + 2S

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 30 / 60

Page 247: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 248: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 249: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator

• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 250: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 251: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 252: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 253: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 254: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Other coordinate systems

E/Fq : y 2 = x3 + Ax + B

I One can use other coordinate systems which provide more efficient formulae

I Projective coordinates: points (X : Y : Z ) with (x , y) = (X/Z ,Y /Z )

E/Fq : Y 2Z = X 3 + AXZ 2 + BZ 3

• idea: get rid of the inversion over Fq by using Z as the denominator• addition: 12M + 2S• doubling: 7M + 5S

I Jacobian coordinates: points (X : Y : Z ) with (x , y) = (X/Z 2,Y /Z 3)

E/Fq : Y 2 = X 3 + AXZ 4 + BZ 6

• addition: 12M + 4S• doubling: 4M + 6S

I And many others: modified jacobian coordinates, Lopez–Dahab (over F2n), etc.

I Explicit-Formula Database (by Bernstein and Lange):

http://hyperelliptic.org/EFD/

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 31 / 60

Page 255: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 256: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 257: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 258: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q

• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 259: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 260: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition

• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 261: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 262: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 263: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 264: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z

• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 265: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)

• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 266: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Montgomery curves

I Proposed by Montgomery in 1987, Montgomery curves are of the form

C/Fq : By 2 = x3 + Ax2 + x , with parameters A,B ∈ Fq and char(Fq) 6= 2

• all Montgomery curves are elliptic curves• not all elliptic curves can be rewritten in Montgomery form

I Addition and doubling formulae

• let P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq)\{O}, with P 6= ±Q• then, writing R = P + Q = (xR , yR) and S = P − Q = (xS , yS), we have

xRxS(xP − xQ)2 = (xPxQ − 1)2

• the x-coord. of R = P + Q depends only on the x-coord. of P , Q, and P − Q⇒ x-only differential addition• similarly, when P = Q and R = 2P = (xR , yR), we have

4xPxR(x2P + AxP + 1) = (x2P − 1)2

⇒ x-only doubling

I We can drop the y -coordinate altogether in the scalar multiplication

• use projective coordinates: points (X : Z ) with x = X/Z• cheap differential addition (4M + 2S) and doubling (2M + 2S)• compatible with the Montgomery ladder (since T1 − T0 = P)

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 32 / 60

Page 267: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

I Proposed by Edwards in 2007, Edwards curves are of the form

C/Fq : x2 + y 2 = 1 + dx2y 2, with parameter d ∈ Fq and char(Fq) 6= 2

• all Edwards curves are elliptic curves• not all elliptic curves can be rewritten in Edwards form

C

O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 33 / 60

Page 268: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

I Proposed by Edwards in 2007, Edwards curves are of the form

C/Fq : x2 + y 2 = 1 + dx2y 2, with parameter d ∈ Fq and char(Fq) 6= 2

• all Edwards curves are elliptic curves• not all elliptic curves can be rewritten in Edwards form

C

O

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 33 / 60

Page 269: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)

• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 270: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)

• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 271: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)

• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 272: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)

• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 273: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 274: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case

⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 275: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 276: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 277: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Edwards curves

C/Fq : x2 + y 2 = 1 + dx2y 2

I Addition and doubling formulae (assuming d is not a square in Fq)• neutral element: O = (0, 1)• opposite: for all P = (xP , yP) ∈ C (Fq), −P = (−xP , yP)• addition: for all P = (xP , yP) and Q = (xQ , yQ) ∈ C (Fq), then

P + Q =

(xPyQ + xQyP

1 + dxPxQyPyQ,

yPyQ − xPxQ1− dxPxQyPyQ

)• doubling: same as addition

I Strongly unified and complete addition law:• works for both addition and doubling• no exceptional case⇒ resilient against timing or power analysis attacks

I Inverted coordinates: points (X : Y : Z ) with (x , y) = (Z/X ,Z/Y )• addition: 9M + 1S• doubling: 3M + 4S

I Generalization by Bernstein et al. (2008): twisted Edwards curves

C/Fq : ax2 + y 2 = 1 + dx2y 2, with parameter a, d ∈ Fq and char(Fq) 6= 2

• birationally equivalent to Montgomery curves

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 34 / 60

Page 278: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 35 / 60

Page 279: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 280: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 281: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 282: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 283: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 284: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Implementing finite field arithmetic

I Group law over E (Fq) requires:

• additions / subtractions over Fq

• multiplications / squarings over Fq

• a few inversions over Fq

I Typical finite fields Fq:

• prime field Fp, with n = |p| between 250 and 500 bits• binary field F2n, with prime m between 250 and 500

... still secure? [See M. Kosters’ talk]

I What we have at our disposal:

• basic integer arithmetic (addition, multiplication)• left and right shifts• bitwise logic operations (bitwise NOT, AND, etc.)

I ... on w -bit words:

• w = 32 or 64 on CPUs• w = 8 or 16 bits on microcontrollers• a bit more flexibility in hardware

(but integer arithmetic with w > 64 bits is hard!)

⇒ elements of Fq represented using several words

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 36 / 60

Page 285: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2

a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 286: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P

• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2

a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 287: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2

a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 288: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 289: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 290: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition

• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 291: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

c

cc

r0

r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 292: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

c

cc

r0

r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 293: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

c

c

c

r0r1

r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 294: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

cc

c

r0r1r2

r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 295: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 296: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry

• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 297: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)

• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

P≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 298: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)

• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 299: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)

• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3

≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 300: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiprecision representation

I Consider A ∈ FP , with P an n-bit prime

• represent A as an integer modulo P• split A into k = dn/we w -bit words (or limbs), ak−1, ..., a1, a0:

A = ak−12(k−1)w + · · ·+ a12w + a0

I Addition of A and B ∈ FP :

• right-to-left word-wise addition• need to propagate carry• might need reduction modulo P : compare then subtract (in constant time!)• lazy reduction: if kw > n, do not reduce after each addition

A

n

a0a1a2a3

a3

wwww

a0

b0

a1

b1

a2

b2

a3

b3+

ccc

r0r1r2r3c

p0p1p2p3

≥?

r ′0r ′1r ′2r ′3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 37 / 60

Page 301: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 302: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 303: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 304: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 305: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 306: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 307: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 308: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 309: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 310: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3

+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 311: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications

• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3

+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 312: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications• final product fits into 2k words

• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 313: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications• final product fits into 2k words• need to reduce product modulo P (see later)

• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 314: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication

I Multiplication of A and B ∈ Fp:

• schoolbook method: k2 w -by-w -bit multiplications• final product fits into 2k words• need to reduce product modulo P (see later)• should run in constant time (for fixed P)!

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

+

+

+

+

r0r1r2r3r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 38 / 60

Page 315: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control

• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 316: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 317: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 318: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 319: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6

r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 320: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning

: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 321: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control

• product scanning

: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 322: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 323: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 324: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 325: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 326: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 327: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 328: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5

c

a3b2

a2b3

r6c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 329: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning

: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5

c

a3b2

a2b3

r6

c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 330: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning: fewer memory accesses and carry propagations

• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5

c

a3b2

a2b3

r6

c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 331: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning: fewer memory accesses and carry propagations• many variants, such as left-to-right

• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5

c

a3b2

a2b3

r6

c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 332: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP multiplication: operand vs. product scanning

I In which order should we compute the subproducts aibj?

• operand scanning: straightforward, regular loop control• product scanning: fewer memory accesses and carry propagations• many variants, such as left-to-right• subquadratic algorithms (e.g., Karatsuba) when k is large

a0a1a2a3

b0b1b2b3×

a0b0

a1b0

a2b0

a3b0

a0b1

a1b1

a2b1

a3b1

a0b2

a1b2

a2b2

a3b2

a0b3

a1b3

a2b3

a3b3+

+

+

r0r1r2r3r4

+

+

r5

+

+

r6r7

a0b0

r0r1

a1b0

a0b1

+

+

r2

c

a2b0

a1b1

a0b2

+

+

r3

c

a3b0

a2b1

a1b2

a0b3

+

+

r4

c

a3b1

a2b2

a1b3+

r5

c

a3b2

a2b3

r6

c

a3b3

r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 39 / 60

Page 333: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

ALAH

nn

AHc · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 334: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

ALAH

nn

AHc · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 335: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)

• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

ALAH

nn

AHc · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 336: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

ALAH

nn

AHc · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 337: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)

• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 338: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)

• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH

+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 339: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)

• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′LA′H≤ w

c · A′H+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 340: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)

• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′L

A′H≤ w

c · A′H

+

A′′

≤ 1P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 341: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)

• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′L

A′H≤ w

c · A′H+

A′′

≤ 1

P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 342: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′L

A′H≤ w

c · A′H+

A′′

≤ 1

P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 343: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reductionI Given an integer A < P2 (on 2k words), compute R = A mod P

I Easy case: P is a pseudo-Mersenne prime P = 2n − c with c “small” (e.g., < 2w)

• then 2n ≡ c (mod P)• split A wrt. 2n: A = AH2n + AL

• compute A′ ← c · AH + AL (one 1× w -word multiplication)• rinse & repeat (one 1× 1-word multiplication)• final subtraction might be necessary

I Examples: P = 2255− 19 (Curve25519) or P = 2448− 2224− 1 (Ed448-Goldilocks)

A

2n

P

AL

AH

nn

AH

c · AH+

A′L

A′H≤ w

c · A′H+

A′′

≤ 1

P−

A mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 40 / 60

Page 344: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7 a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 345: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!

• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7 a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 346: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7 a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 347: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7 a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 348: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)

• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7 a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 349: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc

• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 350: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc

• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 351: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc

• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7

×

q0q1q2q3q4q5q6q7q8 q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 352: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)

• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 353: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)

• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 354: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)

• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 355: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)

• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 356: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)

• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 357: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A←

(

Q · P

) mod 2(k+1)w

(one k × k-word multiplication)• compute remainder R ← A− A

• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 358: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A← (Q · P) mod 2(k+1)w (one k × k-word short multiplication)• compute remainder R ← A− A

• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 359: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general caseI Idea: find quotient Q = bA/Pc, then take remainder as A− QP

• Euclidean division is way too expensive!• since P is fixed, precompute 1/P with enough precision

I Barrett reduction:

• precompute P ′ = b22kw/Pc (k words)• given A < P2, get the k + 1 most significant words AH ← bA/2(k−1)wc• compute Q ← bAH · P ′/2(k+1)wc (one (k + 1)× k-word multiplication)• compute A← (Q · P) mod 2(k+1)w (one k × k-word short multiplication)• compute remainder R ← A− A• at most two extra subtractions

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

a3a4a5a6a7×

q0q1q2q3q4q5q6q7q8

q5q6q8q9

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 41 / 60

Page 360: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 361: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP

• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 362: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)

• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 363: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)

• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 364: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)

• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7

×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 365: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)

• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 366: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)

• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 367: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7

+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 368: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7

0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 369: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3

r4r5r6r7 0000

r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 370: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ←

(

A + A

)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3

r4r5r6r7 0000

r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 371: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000

r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 372: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3

p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000

r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 373: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 374: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P

• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 375: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication

• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 376: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 377: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 378: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 379: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP modular reduction: general case

I Montgomery reduction (REDC): like Barrett, but on the least significant words

• requires P odd (on k words) and A < 2kwP• precompute P ′ ← (−P−1) mod 2kw (on k words)• given A, compute K ← (A · P ′) mod 2kw (one k × k-word short multiplication)• compute A← K · P (one k × k-word multiplication)• compute remainder R ← (A + A)/2kw

• at most one extra subtraction

I REDC(A) returns R = (A · 2−kw) mod P , not A mod P!

• represent X ∈ FP in Montgomery representation: X = (X · 2kw) mod P• if Z = (X · Y ) mod P , then

REDC(X · Y ) = (X · Y · 2kw) mod P = Z

→ that’s the so-called Montgomery multiplication• conversions:

X = REDC(X , 22kw mod P) and X = REDC(X , 1)

• Montgomery representation is compatible with addition / subtraction in FP

⇒ do all computations in Montgomery repr. instead of converting back and forth

I REDC can be computed iteratively (one word at a time) and

interleaved with the computation of X · Y

p0p1p2p3 p′0p′1p′2p′3

a0a1a2a3a4a5a6a7×

k0k1k2k3k4k5k6k7

p0p1p2p3×

a0a1a2a3a4a5a6a7

a0a1a2a3a4a5a6a7+

r0r1r2r3r4r5r6r7 0000 r4r5r6r7

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 42 / 60

Page 380: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P

• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 381: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P

• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 382: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation

• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 383: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A

⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 384: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 385: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)

• precompute short sequence of squarings and multiplications for fastexponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 386: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A

• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 387: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 388: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A

A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 389: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 390: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 391: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11

A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 392: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1S

A210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 393: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 394: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 395: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 396: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 397: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 398: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 399: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 400: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

MP field inversionI Given A ∈ F∗P , compute A−1 mod P

I Extended Euclidean algorithm:• compute Bezout’s coefficients: U and V such that UA + VP = gcd(A,P) = 1• then UA ≡ 1 (mod P) and A−1 = U mod P• can be adapted to Montgomery representation• fast, but running time depends on A⇒ requires randomization of A to protect against timing attacks

I Fermat’s little theorem:• we know that AP−1 = 1 (mod P), whence AP−2 = A−1 (mod P)• precompute short sequence of squarings and multiplications for fast

exponentiation of A• example: P = 2255 − 19 in 11M and 254S [Bernstein, 2006]

A A2S

A9S2

A11 A25−1SA210−1S5

A220−1S10

A240−1

S20

A250−1 S10

A2100−1 S50

A2100−1 S100

A2250−1 S50

A2255−21 S5

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 43 / 60

Page 401: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B• given

−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 402: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B• given

−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 403: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B• given

−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 404: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B

• given−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 405: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B• given

−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 406: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

The Residue Number System (RNS)

I Let B = (m1, . . . ,mk) a tuple of k pairwise coprime integers

• typically, the mi ’s are chosen to fit in a machine word (w bits)• pseudo-Mersenne primes allow for easy reduction modulo mi :

mi = 2w − ci , with small ci

• write M =k∏

i=1

mi and, for all i , Mi = M/mi

I Let A < M be an integer

• represent A as the tuple−→A = (a1, . . . , ak) with ai = A mod mi = |A|mi

, for all i→ that is the RNS representation of A in base B• given

−→A = (a1, . . . , ak), retrieve the unique corresponding integer A ∈ Z/MZ

using the Chinese remaindering theorem (CRT):

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

I If P ≤ M , we can represent elements of FP in RNS

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 44 / 60

Page 407: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 408: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 409: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 410: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 411: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 412: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 413: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS arithmetic

I Let−→A = (a1, . . . , ak) and

−→B = (b1, . . . , bk)

• add., sub. and mult. can be performed in parallel on all “channels”:−→A ±

−→B = (|a1 ± b1|m1

, . . . , |ak ± bk |mk)

−→A ×

−→B = (|a1 × b1|m1

, . . . , |ak × bk |mk)

• native parallelism: suited to SIMD instructions and hardware implementation

I Limitations:

• operations are computed in Z/MZ: beware of overflows!• no simple way to compute divisons, modular reductions or comparisons

−→A

−→B

a4a3a2a1

b4b3b2b1

× × × ×

r4r3r2r1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 45 / 60

Page 414: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS

⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 415: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 416: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 417: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 418: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 419: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋=

⌊k∑

i=1

|ai ·M−1i |mi

mi

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 420: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋=

⌊k∑

i=1

|ai ·M−1i |mi

mi

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 421: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

⌊k∑

i=1

|ai ·M−1i |mi

2w

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 422: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

⌊k∑

i=1

|ai ·M−1i |mi

2w

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 423: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 424: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 425: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

=

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 426: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P

A =

((k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 427: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P =

(

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 428: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P =

(

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P

(mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 429: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reductionI Not a positional number system: no equivalent of pseudo-Mersenne primes in RNS⇒ Need to approximate CRT reconstruction and reduce it modulo P

I From the CRT:

A =

∣∣∣∣∣k∑

i=1

|ai ·M−1i |mi·Mi

∣∣∣∣∣M

=

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

with 0 ≤ q < k , whose actual value depends on A

I Compute q, approximation of q:

q =

⌊k∑

i=1

|ai ·M−1i |mi·Mi

M

⌋≈

k∑

i=1

⌊|ai ·M−1i |mi

2w−t

⌋2t

+ ε

= q

• approximate mi = 2w − ci by 2w

• use only the t most significant bits of |ai ·M−1i |mito compute q

• add fixed corrective term (∑

i ci + k(2w−t − 1)) /2w < ε < 1

I If 0 ≤ A < (1− ε)M , then q = q and

A mod P ≡

(

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

(k∑

i=1

|ai ·M−1i |mi·Mi

)− qM

)mod P

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 46 / 60

Page 430: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 431: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 432: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 433: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 434: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 435: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost:

k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 436: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost: k mults

+ k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 437: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost: k mults + k2 mults

→ quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 438: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS modular reduction

A mod P ≡

(k∑

i=1

|ai ·M−1i |mi· |Mi |P

)− |qM |P (mod P)

function reduce-mod-P(−→A ):

(∀i) zi ←∣∣ai · |M−1i |mi

∣∣mi

(∀i) zi ← bzi/2w−tcq ← b

∑i zi/2t + εc

(∀i) ri ← 0

for j ← 1 to k:

(∀i) ri ←∣∣∣ri + zj · ||Mj |P |mi

∣∣∣mi

(∀i) ri ←∣∣ri − ||qM |P |mi

∣∣mi

I Precomputations:

• for all i ∈ {1, . . . , k}, |M−1i |mi(k words)

• for all j ∈ {1, . . . , k},−−−→|Mj |P (k2 words)

• for all q ∈ {1, . . . , k − 1},−−−→|qM |P (k2 words)

I Cost: k mults + k2 mults → quadratic complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 47 / 60

Page 439: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

I Requires two RNS bases Bα = (mα,1, . . . ,mα,k) and Bβ = (mβ,1, . . . ,mβ,k) suchthat P < Mα, P < Mβ, and gcd(Mα,Mβ) = 1

I RNS base extension algorithm (BE) [Kawamura et al., 2000]

• given−→Xα in base Bα, BE(

−→Xα,Bα,Bβ) computes

−→Xβ, the repr. of X in base Bβ

• similarly, BE(−→Xβ,Bβ,Bα) computes

−→Xα in base Bα

• similar to RNS modular reduction → O(k2) complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 48 / 60

Page 440: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

I Requires two RNS bases Bα = (mα,1, . . . ,mα,k) and Bβ = (mβ,1, . . . ,mβ,k) suchthat P < Mα, P < Mβ, and gcd(Mα,Mβ) = 1

I RNS base extension algorithm (BE) [Kawamura et al., 2000]

• given−→Xα in base Bα, BE(

−→Xα,Bα,Bβ) computes

−→Xβ, the repr. of X in base Bβ

• similarly, BE(−→Xβ,Bβ,Bα) computes

−→Xα in base Bα

• similar to RNS modular reduction → O(k2) complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 48 / 60

Page 441: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

I Requires two RNS bases Bα = (mα,1, . . . ,mα,k) and Bβ = (mβ,1, . . . ,mβ,k) suchthat P < Mα, P < Mβ, and gcd(Mα,Mβ) = 1

I RNS base extension algorithm (BE) [Kawamura et al., 2000]

• given−→Xα in base Bα, BE(

−→Xα,Bα,Bβ) computes

−→Xβ, the repr. of X in base Bβ

• similarly, BE(−→Xβ,Bβ,Bα) computes

−→Xα in base Bα

• similar to RNS modular reduction → O(k2) complexity

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 48 / 60

Page 442: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβ

aα,4aα,3aα,2aα,1−→Aα

aβ,4aβ,3aβ,2aβ,1−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 443: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 444: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 445: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα

kβ,1 kβ,2 kβ,3 kβ,4−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 446: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 447: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 448: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 449: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×pβ,4pβ,3pβ,2pβ,1

−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +aβ,4aβ,3aβ,2aβ,1

−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα) tβ,4tβ,3tβ,2tβ,1

−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 450: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 451: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 452: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβ

rα,1rα,2rα,3rα,4−→Rα

BE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 453: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 454: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 455: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

RNS Montgomery reduction

−→Aα

−→Aβ

Bα Bβaα,4aα,3aα,2aα,1−→

Aαaβ,4aβ,3aβ,2aβ,1

−→Aβ

p′α,4p′α,3p′α,2p′α,1−−−−−→(−P−1)α

× × × ×

kα,4kα,3kα,2kα,1−→Kα kβ,1 kβ,2 kβ,3 kβ,4

−→Kβ

BE

pα,4pα,3pα,2pα,1−→Pα

× × × ×

pβ,4pβ,3pβ,2pβ,1−→Pβ

× × × ×

aα,4aα,3aα,2aα,1−→Aα

+ + + +

aβ,4aβ,3aβ,2aβ,1−→Aβ

+ + + +

0000−→Tα ≡ 0 (mod Mα)

tβ,4tβ,3tβ,2tβ,1−→Tβ

m′β,4m′β,3m′β,2m′β,1−−−−→(M−1α )β

× × × ×

rβ,4rβ,3rβ,2rβ,1−→Rβrα,1rα,2rα,3rα,4−→

RαBE

I Result is (−→Rα,−→Rβ) ≡ (A ·M−1α ) (mod P)

I See recent results on this topic by Bigou and Tisserand

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 49 / 60

Page 456: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 50 / 60

Page 457: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 458: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 459: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?

• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 460: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic

• download http://www.agner.org/optimize/instruction_tables.pdf tofind all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 461: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 462: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 463: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 464: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Software considerations

I In fact, pretty much has already been said...

I Know your favorite CPU’s instruction set by heart!

• what’s PCLMULQDQ? how many 32-bit words can fit in a NEON register?• sometimes, floating-point arithmetic is faster than integer arithmetic• download http://www.agner.org/optimize/instruction_tables.pdf to

find all instruction latencies and thoughputs for Intel and AMD CPUs

I Beware of fancy CPU features!

• avoid secret-dependent memory access patterns (cache attacks)• avoid secret-dependent conditional branches (timing, branch predictor attacks)

I Have a look at existing libraries (from OpenSSL to MPFQ):

• plenty of great ideas in there!• you might even find bugs and vulnerabilities

I Read, code, hack, experiment!

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 51 / 60

Page 465: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Outline

I. Scalar multiplication

II. Elliptic curve arithmetic

III. Finite field arithmetic

IV. Software considerations

V. Notions of hardware design

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 52 / 60

Page 466: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Describing hardware circuits

I We surely do NOT want to

• program millions of logic cells / transistors by hand• connect their inputs and outputs by hand

I Design circuits using a hardware description language (HDL)

• VHDL, Verilog, etc.• usually independent from the target technology

I HDL paradigm completely different from software programming languages

• used to describe concurrent systems: unable to express sequentiality• structural and hierarchical description of the circuit

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 53 / 60

Page 467: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Describing hardware circuits

I We surely do NOT want to

• program millions of logic cells / transistors by hand• connect their inputs and outputs by hand

I Design circuits using a hardware description language (HDL)

• VHDL, Verilog, etc.• usually independent from the target technology

I HDL paradigm completely different from software programming languages

• used to describe concurrent systems: unable to express sequentiality• structural and hierarchical description of the circuit

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 53 / 60

Page 468: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Describing hardware circuits

I We surely do NOT want to

• program millions of logic cells / transistors by hand• connect their inputs and outputs by hand

I Design circuits using a hardware description language (HDL)

• VHDL, Verilog, etc.• usually independent from the target technology

I HDL paradigm completely different from software programming languages

• used to describe concurrent systems: unable to express sequentiality• structural and hierarchical description of the circuit

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 53 / 60

Page 469: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 470: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 471: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 472: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x

y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 473: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 474: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

s

co

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 475: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 476: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13

s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 477: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13 s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 478: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13 s <= x xor y;

14

co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 479: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13 s <= x xor y;

14 co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 480: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13 s <= x xor y;

14 co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 481: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A half-adder in VHDL

1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity ha is

5 port ( x : in std logic;

6 y : in std logic;

7 s : out std logic;

8 co : out std logic );

9 end entity;

10

11 architecture arch of ha is

12 begin

13 s <= x xor y;

14 co <= x and y;

15 end architecture;

x + y = s + 2co

x y

sco

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 54 / 60

Page 482: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13

component ha is

14

port ( x : in std logic; y : in std logic;

15

s : out std logic; co : out std logic );

16

end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21

ha 0 : ha port map ( x => x, y => y,

22

s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 483: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13

component ha is

14

port ( x : in std logic; y : in std logic;

15

s : out std logic; co : out std logic );

16

end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21

ha 0 : ha port map ( x => x, y => y,

22

s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 484: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13

component ha is

14

port ( x : in std logic; y : in std logic;

15

s : out std logic; co : out std logic );

16

end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21

ha 0 : ha port map ( x => x, y => y,

22

s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 485: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13

component ha is

14

port ( x : in std logic; y : in std logic;

15

s : out std logic; co : out std logic );

16

end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21

ha 0 : ha port map ( x => x, y => y,

22

s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 486: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13

component ha is

14

port ( x : in std logic; y : in std logic;

15

s : out std logic; co : out std logic );

16

end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 487: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 488: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 489: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17

signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 490: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18

signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0

co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 491: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23

ha 1 : ha port map ( x => s 0, y => ci,

24

s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 492: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 493: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 494: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 495: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19

signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 496: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19 signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25

co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 497: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19 signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25 co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 498: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19 signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25 co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 499: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

A full-adder in VHDL1 library ieee;

2 use ieee.std logic 1164.all;

3

4 entity fa is

5 port ( x : in std logic;

6 y : in std logic;

7 ci : in std logic;

8 s : out std logic;

9 co : out std logic );

10 end entity;

11

12 architecture arch of fa is

13 component ha is

14 port ( x : in std logic; y : in std logic;

15 s : out std logic; co : out std logic );

16 end component;

17 signal s 0 : std logic;

18 signal co 0 : std logic;

19 signal co 1 : std logic;

20 begin

21 ha 0 : ha port map ( x => x, y => y,

22 s => s 0, co => co 0 );

23 ha 1 : ha port map ( x => s 0, y => ci,

24 s => s, co => co 1 );

25 co <= co 0 or co 1;

26 end architecture;

x + y + ci = s + 2co

co s

y cix

x y

sco

ha 0ha

s 0co 0

ha 1

sco

x y

ha

co 1

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 55 / 60

Page 500: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Design process

I Verification and debugging

• software simulator• feed the circuit with test vectors• extensive use of waveforms for debugging

I Synthesis

• converts the circuit description (HDL) into a netlist• extraction of logic primitives (multiplexers, shifters, registers, adders, ...)• logic minimization effort• independent from the target technology

I Implementation

• mapping: builds a netlist of technology-dependent logic cells / transistors• place and route: place each logic cell on the chip and route wires between them

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 56 / 60

Page 501: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Design process

I Verification and debugging

• software simulator• feed the circuit with test vectors• extensive use of waveforms for debugging

I Synthesis

• converts the circuit description (HDL) into a netlist• extraction of logic primitives (multiplexers, shifters, registers, adders, ...)• logic minimization effort• independent from the target technology

I Implementation

• mapping: builds a netlist of technology-dependent logic cells / transistors• place and route: place each logic cell on the chip and route wires between them

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 56 / 60

Page 502: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Design process

I Verification and debugging

• software simulator• feed the circuit with test vectors• extensive use of waveforms for debugging

I Synthesis

• converts the circuit description (HDL) into a netlist• extraction of logic primitives (multiplexers, shifters, registers, adders, ...)• logic minimization effort• independent from the target technology

I Implementation

• mapping: builds a netlist of technology-dependent logic cells / transistors• place and route: place each logic cell on the chip and route wires between them

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 56 / 60

Page 503: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 504: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 505: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 506: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 507: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 508: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 509: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic over F2m

I Polynomial representation: F2m∼= F2[x ]/(F (x))

• elements of F2m as polynomials modulo F (x):

A = am−1xm−1 + · · ·+ a1x + a0, with ai ∈ F2

• 1 bit per coefficient

I Addition: coefficient-wise addition over Fp

I Squaring: 2-nd power Frobenius

• linear operation: each coefficient of the result is a linear combination of theinput coefficients• for instance, over F2409 = F2[x ]/(x409 + x87 + 1)

A2 = . . . + (a86 + a247 + a408)x172 + . . . + (a213 + a374)x17 + . . .

I Inversion: no need for a full blown extended Euclidean algorithm

• use Fermat’s little theorem: A−1 = A2m−2 =(A2m−1−1

)2• computing A2m−1−1 only requires multiplications and Frobeniuses

[Itoh and Tsujii, 1988]• no extra hardware for inversion

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 57 / 60

Page 510: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 511: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 512: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 513: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

···

· x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 514: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x

) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 515: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x

) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 516: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 517: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 518: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 519: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 520: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·

· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 521: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 522: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 523: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 524: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 525: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 526: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)

• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 527: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

I Low-area design: parallel–serial multiplier

• iterative algorithm of quadratic complexity• d coefficients of the second operand processed at each iteration

(most-significant coefficients first)• dm/de clock cycles for computing the product• area grows with d : area–time trade-off

B

Axm−1 1xx2· · ·

bm−3

bm−1

bm−2

A

A

A

··· · x2

· x) mod F

) mod F

(

(

R (partial sum)

mod F)· x2A

mod F)· xA

A

(bm−1 ·(bm−2 ·bm−3 ·

bm−5

bm−4

bm−6

A

A

A

··

·· x· x2· x3

) mod F

) mod F

) mod F

(

(

(

R (partial sum)

mod F)· x3

mod F)· x2A

mod F)· xA

A

R(

(bm−4 ·(bm−5 ·bm−6 ·

· · ·

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 58 / 60

Page 528: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result• coefficient-wise partial product with F2 multipliers (AND gates)• free shifts!• a few F2 adders for reduction modulo F• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 529: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result

• coefficient-wise partial product with F2 multipliers (AND gates)• free shifts!• a few F2 adders for reduction modulo F• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 530: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result• coefficient-wise partial product with F2 multipliers (AND gates)

• free shifts!• a few F2 adders for reduction modulo F• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 531: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result• coefficient-wise partial product with F2 multipliers (AND gates)• free shifts!

• a few F2 adders for reduction modulo F• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 532: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result• coefficient-wise partial product with F2 multipliers (AND gates)• free shifts!• a few F2 adders for reduction modulo F

• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 533: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Multiplication over F2m

• feedback loop for accumulation of the result• coefficient-wise partial product with F2 multipliers (AND gates)• free shifts!• a few F2 adders for reduction modulo F• coefficient-wise addition (XOR gates in F2)

A B

r

mod Fmod F

� 1 � 2 � 3

mod F

� 1 � 2 � 3

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 59 / 60

Page 534: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic coprocessor for ECC over F2m

Registerfile

Parallel–serialmultiplier

d coeffs / cycle

dm/de cycles / product

Unified operator

Frobenius (·)2addition

feedback loop

double Frobenius (·)4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60

Page 535: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic coprocessor for ECC over F2m

Registerfile

Parallel–serialmultiplier

d coeffs / cycle

dm/de cycles / product

Unified operator

Frobenius (·)2addition

feedback loop

double Frobenius (·)4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60

Page 536: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic coprocessor for ECC over F2m

Registerfile

Parallel–serialmultiplier

d coeffs / cycle

dm/de cycles / product

Unified operator

Frobenius (·)2addition

feedback loop

double Frobenius (·)4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60

Page 537: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic coprocessor for ECC over F2m

Registerfile

Parallel–serialmultiplier

d coeffs / cycle

dm/de cycles / product

Unified operator

Frobenius (·)2addition

feedback loop

double Frobenius (·)4

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60

Page 538: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Arithmetic coprocessor for ECC over F2m

0 11 0

0 1

A A

$0

$1

$2

$3

DPRAM

$62BB

10

c7–c12

c13

c6

10c14

c15

0 1

0 1

c0–c5

0 1

0 1

0 1(mod F )

×x(mod F )×x2

(mod F )×x3

(mod F )×x13

(mod F )×x14

$63

x2

x2

c16c17

c18

c19

c20c21

c22

c23c24

c25

c26

c27 c28

c29

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60

Page 539: Software and Hardware Implementation of Elliptic Curve ...ecc2015.math.u-bordeaux1.fr/documents/detrey.pdfSoftware and Hardware Implementation of Elliptic Curve Cryptography J er emie

Thank you for your attention

Questions?

Jeremie Detrey — Software and Hardware Implementation of Elliptic Curve Cryptography 60 / 60


Recommended