enhanced digital signature using splitted exponent digit ... · Étudiantspréparantunbachelor of...

Enhanced Digital Signatureusing Splitted Exponent Digit Representation

Jean-Marc ROBERT

Team DALI/LIRMM, Université de Perpignan, France

le 9 mars 2017

Séminaire CASYS-MEF, Laboratoire Jean Kuntzman,Université de Grenoble-Alpes

Jean-Marc ROBERT Team DALI/LIRMM, Université de Perpignan, France 1 / 42

Table des matières

1 Carrière2 Recherche3 m0m1 Exponentiation Method (WAIFI 2016)

DSA SignatureState of the Art for Modular ExponentiationContributionsRadix-R and RNS Digit representationm0m1 Modular ExponentiationSoftware Implementation and Performances

4 Work in progress: R-splitting MethodQuestionsRadix-R and R-splitting representationR-splitting Elliptic Curve Scalar Multiplication

5 Conclusion and work in progress


Carrière

Table des matières






Carrière

Carrière

Ingénieur-Responsable Études Avancées, Industrialisation et Développement1990-1992, Appareillage et Matériels de Servitudes (AMS) ;

1992-2001, PSA Peugeot Citroën (DETA), et SIEMENS A.H.

Enseignant dans le secondaire, 2003-2011Matières enseignées : Sciences de l’Ingénieur, Productique Mécanique, industrialisation,CAO, FAO, informatique industrielle et automatique, de la classe de seconde au BTS.

Exemple de projet : Moteur pneumatique


Carrière

Enseignant dans le supérieur

2011-2014 : Polytech EnR

Éleves ingénieurs, 4ème année, énergies renouvelables, Projet Informatique(langage C, 54 heures par an, six semestres au total).

Bases de données (Rudiments d’Algèbre Relationnelle, projet SQL-C, 12heures au deuxième semestre, un semestre).

2012-2013 : Université de Perpignan, Master EAI Informatique

Étudiants en deuxième année, Intégration et Validation du Logiciel, cours etTD (12 heures par semestre, deux semestres)

2015 : University of Wollongong NSW Australia, B. Sc.

Étudiants préparant un Bachelor of Computer Science, CSCI235, bases dedonnées (Travaux dirigés, 48 heures en face à face, 36 heures d’évaluation)


Carrière

En cours

2016-2017 :

Enseignement secondaire ;Enseignement supérieur :

Informatique, licence 1, TP python, UPVD ;IMERIR, première et deuxième année, cryptographie et sécurité ;


Recherche

Table des matières






Recherche

Thèse, Cryptographie asymétrique

"Contrer l’attaque Simple Power Analysisdans les applications de la cryptographie asymétrique,

algorithmes et implantations"

Cryptographie asymétrique : RSA, courbes elliptiques, attaques par canalauxiliaire.

développements d’algorithmes :opérations arithmétiques sur anneaux et corps finis, arithmétique dugroupe des points d’une courbe elliptique ;parallélisation ;algorithmes réguliers résistants à l’attaque Simple Power Analysis ;

implantations sur plateformes variées : ordinateur de bureau, tablettes(NEXUS 5), principalement en C ;5 publications scientifiques durant la thèse ;


Recherche


New Parallel Approaches for Scalar Multiplication in Elliptic Curve overFields of Small Characteristics - IEEE-TC

Conception et implantation d’algorithmes parallèles basés sur :

le halving de point ;

l’algorithme régulier dit "échelle de Montgomery" ;

implantation sur ordinateur de bureau et système embarqué.

→ Amélioration des performances de 5 à 19 %


Recherche

Thèse, Cryptographie asymétriqueEfficient Modular Exponentiation Based on Multiple Multiplications by aCommon Operand - Arith22 2015Comparaison des complexités : En mutualisant des calculs ne dépendant que de A,→réduction de la complexité globale pour A · B,A · C :

Opération Algorithme # MUL # ADDAB,AC deux MontMuls 4n2 + 2n 8n2 + 4n − 2

AB,A2 MontMul et 72n2 + 7

2n − 1 7n2 + 7n − 2MontSquAB,AC CombinedMontMul 3n2 + 4n + 3 6n2 + 9n + 1

deux multiplications modulaires partageant une opérande commune A · B,A · C :→ amélioration de deux multiplications isolées de l’ordre de 25%;

des multiplications modulaires multiples partageant une opérande communeA · B0,A · B1, . . . ,A · B`:→ amélioration de ` multiplications isolées de l’ordre de 50%;

Application exponentiations modulaires RSA régulières (protégées SPA) :→ amélioration de l’échelle de Montgomery de 9 to 15 %;→ amélioration de l’exponentiation Right-to-left 2γ -aire jusqu’à 4 %;→ amélioration de l’exponentiation Left-to-right 2γ -aire jusqu’à 8 %.


Recherche


� Thèse soutenue le 8 décembre 2015, Mention très honorable ;� 2016-2019 : Personnel Statutaire Associé au LIRMM ;� Publications scientifiques (5 durant la thèse) :

Revue internationale (avec comité de relecture)

IEEE-Transaction on Computer : Christophe Nègre et Jean-Marc Robert, “New ParallelApproaches for Scalar Multiplication in Elliptic Curve over Fields of Small Characteristic”.

Actes de conférences internationales (avec comité de relecture)

WAIFI 2016: Thomas Plantard et Jean-Marc Robert, "Enhanced Digital Signature using RNSDigit Exponent Representation".SECRYPT 2015 : Christophe Nègre et Jean-Marc Robert, "Parallel Approaches for EfficientScalar Multiplication over Elliptic Curve".Arith22 2015: Christophe Nègre, Thomas Plantard et Jean-Marc Robert, "Efficient ModularExponentiation Based on Multiple Multiplications by a Common Operand".INSCRYPT 2014: Jean-Marc Robert, "Parallelized Software Implementation of Elliptic CurveScalar Multiplication".AFRICACRYPT 2013 : Christophe Nègre et Jean-Marc Robert, "Impact of OptimizedOperations AB,AC and AB+CD in Scalar Multiplication over Binary Elliptic Curve".


m0m1 Exponentiation Method (WAIFI 2016)

Table des matières






m0m1 Exponentiation Method (WAIFI 2016) DSA Signature

Signature Protocol

Bob signs a message to Alice :-)

S,M�

x → Bob’s private key y → Bob’s public keyGroup G ((Z/pZ)∗,×, 1)

Bob hashes the message M, using an approved hash function,⇒ z = H(M);

Bob’s public parameters a prime p ∈ N a generator g of G of order qBob’s private key x ∈ [1, q − 1]Bob’s public key y = gx mod p


m0m1 Exponentiation Method (WAIFI 2016) DSA Signature

Signature Protocol(2)

Bob signs a message to Alice :-)

S,M�

Bob chooses a random parameter Verif (S) :k ∈ [1, q − 1] Alice receives (r ′, s′) and M′.

Signature (Bob)S = (r , s)

with{

r = (gk mod p) mod qs = (k−1(z + xr)) mod q

w = (s′)−1 mod q

z = H(M′)u1 = (zw) mod q

u2 = ((r ′)w) mod qu = ((gu1yu2 mod p) mod q)

→ Alice checks wether u = r ′.

→The main operation is the modular exponentiationg k mod p.


m0m1 Exponentiation Method (WAIFI 2016) State of the Art for Modular Exponentiation

Square-and-Multiply

Left-to-Right Square-and-Multiply Modular Exponentiation

Require: k = (kt−1, . . . , k0), the DSA modulus p, g a generator of Z/pZ oforder q.

Ensure: X = gk mod pX ← 1for i from t − 1 downto 0 do

X ← X 2 mod pif ki = 1 then

X ← X · g mod pend if

end forreturn (X )

No storage, t − 1 squarings, ≈ t2 multiplications.



Radix-R

Radix-R Exponentiation Method (Gordon, 1998)

Require: k = (k`−1, . . . , k0)R , the DSA modulus p, g a generator of Z/pZ oforder q.

Ensure: X = gk mod pPrecomputation. Store Gi,j ← g j·R i

, with j ∈ [1, ...,R − 1] and 0 ≤ i < `.X ← 1for i from `− 1 downto 0 do

X ← X · Gi,ki mod pend forreturn (X )

With w ← log2(R) → Storage of dt/we · (R − 1) values ∈ Fp,no squarings, ` = dt/we multiplications.



Fixed-base Comb Method

In this method, the exponent k is written in w rows, and the colums areprocessed one at a time. Thus, d = dt/we is the column size.

k = Kw−1‖ . . . ‖K 1‖K 0

Each K j is a bit string of length d . Let K ji denote the i th bit of K j .

One sets: g [Kw−1i ,...,K1

i ,K0i ] = gKw−1

i 2(w−1)d+...+K2i 2

2d+K1i 2

d+K0i


i ,K0i ] = gKw−1

i 2(w−1)d+...+K2i 2

2d+K1i 2

d+K0i

Fixed-base Comb Method (Lim & Lee, Crypto ’94)

Require: k = (kt−1, . . . , k1, k0)2, the DSA modulus p, g a generator of Z/pZ of order q,window width w , d = dt/we.

Ensure: X = gk mod pPrecomputation. Compute and store g [aw−1,...,a0] mod p, ∀(aw−1, . . . , a0) ∈ Zw

2 .X ← 1for i from d − 1 downto 0 do

X ← X 2 mod p

X ← X · g [Kw−1i ,...,K1

i ,K0i ] mod p

end forreturn (X )

With d ← dt/we → Storage of 2w − 1 values ∈ Fp,d − 1 squarings, d multiplications.



Fixed-base Comb Method


i ,K0i ] = gKw−1

i 2(w−1)d+...+K2i 2

2d+K1i 2

d+K0i

Fixed-base Comb Method (Lim & Lee, Crypto ’94)

Require: k = (kt−1, . . . , k1, k0)2, the DSA modulus p, g a generator of Z/pZ of order q,window width w , d = dt/we.

Ensure: X = gk mod pPrecomputation. Compute and store g [aw−1,...,a0] mod p, ∀(aw−1, . . . , a0) ∈ Zw

2 .X ← 1for i from d − 1 downto 0 do

X ← X 2 mod p

X ← X · g [Kw−1i ,...,K1

i ,K0i ] mod p

end forreturn (X )

With d ← dt/we → Storage of 2w − 1 values ∈ Fp,d − 1 squarings, d multiplications.



Synthesis

Complexities and storage amounts of state of the art methods, average case.

# MM # MS storage(# values ∈ Fp)

Square-and-multiply t/2 t − 1 -Radix-R method dt/we - dt/we · (R − 1)Fixed-base Comb d = dt/we d − 1 2w − 1

100

1000

10000

100000

1e+06

1e+07

20 40 60 80 100 120 140

Tota

l availa

ble

sto

rag

e #

kByte

s

number of field multiplications #MM

Complexity Comparison RadixR/FixedBaseComb

FixedBaseCombradix R

key size t = 512 bits (MS = 0.86×MM).


m0m1 Exponentiation Method (WAIFI 2016) Contributions

Contributions

Starting from the Radix-R method:

RNS digit recoding for exponent;

Enhanced algorithm for modular exponentiation;Complexity and storage requirements evaluation;Software implementations, showing performance improvements.



Contributions


RNS digit recoding for exponent;Enhanced algorithm for modular exponentiation;

Complexity and storage requirements evaluation;Software implementations, showing performance improvements.



Contributions


RNS digit recoding for exponent;Enhanced algorithm for modular exponentiation;Complexity and storage requirements evaluation;

Software implementations, showing performance improvements.



Contributions


RNS digit recoding for exponent;Enhanced algorithm for modular exponentiation;Complexity and storage requirements evaluation;Software implementations, showing performance improvements.



General Idea

Radix-R method:Stores Gi,j ← g j·R i

, (0 ≤ j < R)

Computes∏`−1

i=0 Gi,ki .

→ ≈ Low complexity, large storage

Variant:Stores Gi ← gR i

;

Computes:∏R−1j=0

(∏∀i,0≤i<`−1,ki=j Gi

)j.

⇒ ≈ Low storage, large complexity

⇒

Our method (m0m1 RNS):

Stores Gi ,̃j ← g f (j̃)·R i, (0 ≤ j̃ < m0)

Computes K0 ×∏m1

i=1 K ii with

Ki =∏`−1

j=1,k̃(1)j =i

Gk̃(1)j

i,k̃(0)j

⇒ ≈ Better trade-off.


m0m1 Exponentiation Method (WAIFI 2016) Radix-R and RNS Digit representation

Recoding Algorithm

The Radix-R = m0 ·m1 representation is as follows (gcd(m0,m1) = 1):

k =`−1∑i=0

kiR i , with ` = dt/ log2(R)e,

and we represent the digits ki using RNS with base B = {m0,m1}:{k(0)i = ki mod m0 = |ki |m0 ,

k(1)i = ki mod m1 = |ki |m1 .

Chinese Remainder TheoremUsing the CRT, one can retrieve ki :

ki =∣∣∣k(0)

i ·m1 · |m−11 |m0 + k(1)

i ·m0 · |m−10 |m1

∣∣∣R.



Recoding Algorithm

In the sequel, let’s denote (when k(1)i 6= 0)

m′0 = m1 · |m−11 |m0 ,

m′1 = m0 · |m−10 |m1 ,

k ′i = |k(0)i · (k(1)

i )−1|m0 .

Recoding: → κi ← (k ′i , k(1)i )

We then rewrite the CRT, with the modular reduction modR, as follows:

"New" Chinese Remainder Theorem

ki = k(1)i |k

′i ·m′0 + m′1|R − bk

(1)i · |k ′i ·m′0 + m′1|R/Rc · R.

C is a carry (0 ≤ C < m1):

{if ki+1 ≥ C then ki+1 ← ki+1 − C ,C ← 0,

else ki+1 ← ki+1 + R − C ,C ← 1,

and one gets ki+1 ≥ 0.



Recoding Algorithm

One notices:

The case k(1)i = 0 needs to be taken into account;

it might be necessary to process a last carry C .

→ The sequence of the κi ← (k ′i , k(1)i ) is

the m0m1 recoding of k .



Recoding Algorithm Example

Example: B = {11, 8} (i.e. m0 = 11,m1 = 8), R = m0 ·m1 = 88, ` = d20/ log2(88)e = 4, andtherefore

m′0 = 8 · |8−1|11 = 56,m′1 = 11 · |11−1|8 = 33.

Let us take k = 93619310 (exponent size t of 20 bits, 0 < k < 220)

k = 49+ 78 · 88+ 32 · 882 + 1 · 883.


Values returned by the algorithm:

κ = (

(5, 1), (2, 6), (8, 5), (3, 7)

), and

C = −2.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.





k = 49+ 78 · 88+ 32 · 882 + 1 · 883.

First digit (i = 0), one has κ0 = k0 = 49.One computes the RNS representation in base B of κ0 = 49:

k(0)0 = |k0|11 = 5, k(1)

0 = |k0|8 = 1.

Since k(1)0 = 1, one sets

|(k(1)0 )−1|11 ← 1

k′0 = |k(0)0 · (k(1)

0 )−1|11 ← 5C ← b(k(1)

0 · |k′0 · 56 + 33|88)/88c ← 0

and finallyκ0 ← (5, 1)


κ = ((5, 1),

(2, 6), (8, 5), (3, 7)

), and

C = −2.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.





k = 49+ 78 · 88+ 32 · 882 + 1 · 883.

Second digit (i = 1), one has κ1 = k1 = 78.One has C ← 0.One computes the RNS representation in base B of κ1 = 78:

k(0)1 = |k1|11 = 1, k(1)

1 = |k1|8 = 6.

Since k(1)1 6= 0, one has

|(k(1)1 )−1|11 ← 2

k′1 = |k(0)1 · (k(1)

1 )−1|11 ← 2C ← b(k(1)

1 · |k′1 · 56 + 33|88)/88c ← 3

and finallyκ1 ← (2, 6)


κ = ((5, 1), (2, 6),

(8, 5), (3, 7)

), and

C = −2.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.





k = 49+ 78 · 88+ 32 · 882 + 1 · 883.

Third digit (i = 2), one has now κ2 ← k2 − C = 32− 3 = 29.The RNS representation in base B of κ2 is k(0)

2 = 7, k(1)2 = 5.

One gets C ← 2, andκ2 ← (8, 5).


κ = ((5, 1), (2, 6), (8, 5),

(3, 7)

), and

C = −2.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.





k = 49+ 78 · 88+ 32 · 882 + 1 · 883.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.

m0m1 Exponentiation Method (WAIFI 2016) m0m1 Modular Exponentiation

Exponentiation AlgorithmWe use this recoding in modular exponentiation as follows:

gk mod p = g∑`−1

i=0 ki ·R imod p

= g∑`−1

i=0 κi ·R i· gC ·R` mod p

= gC ·R` ·∏`−1

i=0 gκi ·R imod p

with, when k(1)i 6= 0 : gκi ·R i

mod p = gk(1)i ·R

i ·|k′i ·m′0+m′1|R mod p,

and, when k(1)i = 0 : gκi ·R i

mod p = gR i ·||k(0)i +1|m0 ·m

′0+m′1|R · g−R i ·|m′0+m′1|R mod p.

one stores the following values:

Gi,j = gR i ·|j·m′0+m′1|R mod p, with 0 ≤ i ≤ `− 1, 0 ≤ j < m0

and G`,1 = gR`·|m′0+m′1|R mod p.

one also stores the following inverses:

Gi,−1 = g−R i ·|m′0+m′1|R mod p avec 0 ≤ i ≤ `



Exponentiation Algorithm

One uses one value Kj per possible values of 1 ≤ κ(1)i < m1, that is m1 points:

Kj =

∏for all κ(1)

i =j

Gi,κ(0)i

× (G`,sign(C)1)|C |=j mod p

andK0 =

∏for all κ(1)

i =0

Gi,κ(0)i× Gi,−1 mod p.

This leads to

gk mod p = K0 ×m1∏j=1

K jj .



m0m1 Exponentiation Algorithm Example


Our previous example:

k = 93619310, exponent size t of 20 bits, and B = {11, 8}, (i.e.m0 = 11,m1 = 8);

radix R = m0 ·m1 = 88 (` = 4);

κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.

K1 ← g49, K2 ← g−59969536, K5 ← g317504, K6 ← g5016, K7 ← g17036800.



In terms of storage, one computes the values

Gi,j = gR i ·|j·m′0+m′1|R mod p with 0 ≤ i ≤ `− 1.

One has the following values of∣∣j ·m′0 + m′1

∣∣R for 0 ≤ j < 11:

{33, 1, 57, 25, 81, 49, 17, 73, 41, 9, 65}

In our case, with the chosen parameters, this brings us to store the following values in Z/pZ:

Gi = {g88i ·33, g88i , g88i ·57, g88i ·25, g88i ·81, g88i ·49, g88i ·17, g88i ·73, g88i ·41, g88i ·9, g88i ·65}.


k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


K1 ← g49, K2 ← g−59969536, K5 ← g317504, K6 ← g5016, K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


First iteration (i = 0), κ(1)0 = 1 (and κ(0)0 = 5), and this gives

K1 ← G0,κ(0)

0= g880·49 = g49.

K1 ← g49,

K2 ← g−59969536, K5 ← g317504, K6 ← g5016, K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


Second iteration (i = 1), κ(1)1 = 6 (and κ(0)1 = 2), and this gives

K6 ← G1,κ(0)

1= g88·57 = g5016.

K1 ← g49,

K2 ← g−59969536, K5 ← g317504,

K6 ← g5016,

K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


Third iteration (i = 2), κ(1)2 = 5 (and κ(0)2 = 8), and this gives

K5 ← G2,κ(0)

2= g882·41 = g317504.

K1 ← g49,

K2 ← g−59969536,

K5 ← g317504, K6 ← g5016,

K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


Fourth iteration (i = 3), κ(1)2 = 7 (and κ(0)2 = 3), and this gives

K7 ← G3,κ(0)

2= g883·25 = g17036800.

K1 ← g49,

K2 ← g−59969536,

K5 ← g317504, K6 ← g5016, K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


The last carry C = −2 is now processed:

K2 ← G4,−1 = g884·(−1) = g−59969536.

K1 ← g49, K2 ← g−59969536, K5 ← g317504, K6 ← g5016, K7 ← g17036800.




k = 93619310, κ = ((5, 1), (2, 6), (8, 5), (3, 7)), and C = −2.


Final Reconstruction

gk mod p = K0 ×∏m1

j=1 K jj mod p

= g49+2·(−59969536)+5·317504+6·5016+7·17036800 mod p= g936193 mod p,

→ which is the desired result.

K1 ← g49, K2 ← g−59969536, K5 ← g317504, K6 ← g5016, K7 ← g17036800.


Exponentiation Algorithm

Fixed-base m0m1 method modular exponentiation

Require: k =∑`−1

i=0 ki Ri and κ = {κi , 0 ≤ i < `, (C)} the m0m1 recoding of k.

Ensure: X = gk mod p

Precomputation. Store Gi,j ← gRi ·

∣∣∣j·m′0+m′1∣∣∣R ,G`,1 ← g

R`·∣∣∣m′0+m′1

∣∣∣R ,Gi,−1 ← g−Ri ·|m′0+m′1|R

TOTAL STORAGE : (m0 + 1)× `+ m1 + 2 elements of Z/pZ

Computation of the Kj , 0 ≤ j < m1

A← 1,Kj ← 1 for 0 ≤ j < m1for i from 0 to `− 1 do

if κ(1)i = 0 thenK0 ← K0 × G

i,κ(0)i× Gi,−1

elseKκ(1)i← K

κ(1)i× G

i,κ(0)iend if

end forK|C| ← K|C| × G`,sign(C)1


return (K0 ×∏m1

j=1 K jj )

Complexity : (`m1+1m1−m1) MM +H MM +(W − 1) MS



Complexity of the Exponentiation Algorithm

100

1000

10000

100000

1e+06

1e+07

20 40 60 80 100 120 140

Tota

l availa

ble

sto

rage #

kByte

s

number of field multiplications #MM

Complexity Comparison m0m1/FixedBaseComb-RadixR Best of Average Case


m0m1 best case

key size t = 512 bits (MS = 0.86×MM).


m0m1 Exponentiation Method (WAIFI 2016) Software Implementation and Performances

Implementation of the m0m1 exponentiation algorithm

For the three considered exponentiation algorithms:

C language, compiled with gcc 4.8.3;

Multiprecision Integer Operations: low-level functions of the GMP library;

Modular Reduction: block Montgomery approach;

Test processing : a few hundred of dataset for each size, with multiple runand averaging of the minimum of every dataset;

The timings in clock cycles include the recoding;

Tests for the following standards (fips 186-4):

NIST key size (bits) 224 256 384 512field element size (bits) 2048 3072 7680 15360



Performances

Modular ExponentiationState of the Art methods

Fixed-base Comb radix R m0,m1 rec. ratio#CC #CC #CC m0,m1

Storage Storage Storage /Best S.o.A.key size 224 bits, field size 2048 bits (level of security: 112 bits)

221108 CC 227838 CC 219864 CC ×0.9941023.5 kB (w = 12) 829 kB (R = 91) 580 kB (m0 = 89,m1 = 6) ×0.700

210074 CC 206888 CC 207072 CC ×0.9852047.5 kB (w = 13) 1324 kB (R = 163) 766 kB (m0 = 127,m1 = 7) ×0.579

149690 CC 147877 CC 146156 CC ×0.98865535 kB (w = 18) 7289kB (R = 1223) 21599 kB (m0 = 5417,m1 = 6) ×2.96



Performances




524539 CC 502981 CC 501466 CC ×0.9971535 kB (w = 12) 1411 kB (R = 91) 897 kB (m0 = 79,m1 = 6) ×0.636


356892 CC 354640 CC 354071 CC ×0.99898303 kB (w = 18) 6414 kB (R = 571) 12843 kB (m0 = 1721,m1 = 7 ) ×2.002



Performances








Work in progress: R-splitting Method

Table des matières






Work in progress: R-splitting Method Questions

Application of the m0m1 method to Elliptic CurveCryptography

Is the m0m1 recoding suitable for ECC?



m0m1 ECSM Algorithm

Fixed-base m0m1 method ECSM


i=0 ki Ri and κ = {κi , 0 ≤ i < `, (C)} the m0m1 recoding of k, P ∈ E , elliptic curve.

Ensure: X = k · PPrecomputation. Store Mi,j ← R i ·

∣∣j · m′0 + m′1∣∣R · P,M`,1 ← R` ·

∣∣m′0 + m′1∣∣R · P

TOTAL STORAGE : m0 × `+ m1 + 1 points of E



if κ(1)i = 0 thenK0 ← K0 + M

i,κ(0)i−Mi,1

elseKκ(1)i← K

κ(1)i

+ Mi,κ(0)i

end ifend forK|C| ← K|C| + sign(C)M`,1


return (K0 +∑m1

j=1 j ·Mj )

Complexity : (`m1+1m1−m1) Mixed Addition +H Full Addition +(W − 1) Doubling

⇒ Mixed Addition ≈ 2× Doubling



m0m1 ECSM Algorithm

Fixed-base m0m1 method ECSM


i=0 ki Ri and κ = {κi , 0 ≤ i < `, (C)} the m0m1 recoding of k, P ∈ E , elliptic curve.

Ensure: X = k · PPrecomputation. Store Mi,j ← R i ·

∣∣j · m′0 + m′1∣∣R · P,M`,1 ← R` ·

∣∣m′0 + m′1∣∣R · P

TOTAL STORAGE : m0 × `+ m1 + 1 points of E



if κ(1)i = 0 thenK0 ← K0 + M

i,κ(0)i−Mi,1

elseKκ(1)i← K

κ(1)i

+ Mi,κ(0)i

end ifend forK|C| ← K|C| + sign(C)M`,1


return (K0 +∑m1

j=1 j ·Mj )

Complexity : (`m1+1m1−m1) Mixed Addition +H Full Addition +(W − 1) Doubling

⇒ Mixed Addition ≈ 2× DoublingJean-Marc ROBERT Team DALI/LIRMM, Université de Perpignan, France 31 / 42




⇒ NO!

0

500

1000

1500

2000

2500

3000

100 150 200 250 300 350 400 450 500

Requir

ed T

ota

l Sto

rage #

kByte

s

number of field multiplications

Complexity Comparison m0m1/FixedBaseComb Best of Average Case, t=256


best case t=256

Scalar size t = 256 bits. The m0m1 recoding does not perform better than the S-o-A algorithms

If not, how to devise a suitable recoding?





⇒ NO!

0

500

1000

1500

2000

2500

3000

100 150 200 250 300 350 400 450 500

Requir

ed T

ota

l Sto

rage #

kByte

s


Complexity Comparison m0m1/FixedBaseComb Best of Average Case, t=256


best case t=256

Scalar size t = 256 bits. The m0m1 recoding does not perform better than the S-o-A algorithms

If not, how to devise a suitable recoding?Jean-Marc ROBERT Team DALI/LIRMM, Université de Perpignan, France 32 / 42


Back to the General Idea

Radix-R method:Stores Mi,j ← j · R i · P, (0 ≤ j < R)

Computes∑`−1

i=0 Mi,ki .

→ ≈ Low complexity, large storage

Variant:Stores Mi ← R i · P;

Computes:∑R−1j=0

(∑∀i,0≤i<`−1,ki=j j ·Mi

).

⇒ ≈ Low storage, large complexity

⇒

Our method (R-splitting):

Stores Mi ,̃j ← f (̃j) · R i · P,

(0 ≤ j̃ < c)

Computes∑c

i=1 i · Ki with

Ki =∑`−1

j=1,k̃(1)j =i

k̃(1)j ·M

i,k̃(0)j

⇒ ≈ Better trade-off.


Work in progress: R-splitting Method Radix-R and R-splitting representation

Recoding Algorithm

k is the scalar, represented in radix R, prime integer:

k =`−1∑i=0

kiR i , with ` = dt/ log2(R)e,

⇒ Extended Euclidean Algorithm:(EEA, rj is the sequence of Euclidean remainders):

rj = uj × R + vj × ki . (1)

One sets c the upper bound of rj , to terminate the EEA (and dR/ce is the upperbound of |vj |). We then keep k(0)

i = rj and k(1)i = vj .

After (1), since R is prime, one stops the EEA such as

ki = |k(0)i × (k(1)

i )−1|R , with k(0)i < c and |k(1)

i | ≤ dR/ce.



R-splitting Recoding Algorithm


ki = |k(0)i × (k(1)

i )−1|R , with k(0)i < c and |k(1)

i | ≤ dR/ce.

Modular reduction mod R: one distinguishes the cases k(1)i > 0 and k(1)

i < 0





ki = |k(0)i × (k(1)

i )−1|R , with k(0)i < c and |k(1)

i | ≤ dR/ce.


i < 0

if k(1)i > 0, one proceeds as previously:

ki = k(0)i · |(k(1)

i )−1|R −

⌊k(0)i · |(k(1)

i )−1|RR

⌋· R.

Let us denote C =

⌊k(0)i ·|(k

(1)i )−1|RR

⌋(0 ≤ C ≤ c < R)

if ki+1 ≥ C then ki+1 ← ki+1 − C ,C ← 0,

else ki+1 ← ki+1 + R − C ,C ← 1.


C︷︸︸︷




ki = |k(0)i × (k(1)

i )−1|R , with k(0)i < c and |k(1)

i | ≤ dR/ce.


i < 0

if k(1)i < 0, one proceeds slightly differently:

ki = k(0)i · (R − |(−k(1)

i )−1|R)−

⌊k(0)i · |(k(1)

i )−1|RR

⌋· R.

Let us denote C =

⌊k(0)i ·|(k

(1)i )−1|RR

⌋− k(0)

i (−c ≤ C ≤ c < R)

ki+1 ← ki+1 − C ,C ← −bki+1/Rc, ki+1 ← |ki+1|R


C︷︸︸︷



One notices:

The case k(1)i = 0 does not need to be taken into account;

it might be necessary to process a last carry C .

→ The sequence of the κi ← (k ′i , k(1)i ) is

the R-splitting recoding of k .


Work in progress: R-splitting Method R-splitting Elliptic Curve Scalar Multiplication

ECSM

We use this recoding in ECSM as follows:

one stores the following values:

Mi ,j ← (∣∣j−1∣∣R · R i ) · P with 0 ≤ i ≤ `− 1 and 1 ≤ j ≤ dR/ce.

To proceed the last carry, one stores also

M`,1 ← (R`) · P.



R-splitting ECSM Algorithm

Fixed-base R-splitting method ECSM

Require: R prime integer, k =∑`−1

i=0 ki Ri and κ = {κi , 0 ≤ i < `, (C)}, P ∈ E(Fq ).

Ensure: Q = k · PPrecomputation.Store Mi,j ← (

∣∣∣j−1∣∣∣R· R i ) · P,M`,1 ← R` · P,W ← size of c in bits

Computation of the Kj , 1 ≤ j ≤ c

A← O,Kj ← O for 1 ≤ j ≤ cfor i from 0 to `− 1 do

if k(1)i > 0 thenKκ(1)i← K

κ(1)i

+ Mi,k(1)i −1

end ifif k(1)

i < 0 thenKκ(1)i← K

κ(1)i−M

i,−k(1)i −1end if

end forK|C| ← K|C| − sign(C)M`,1

TOTAL STORAGE:`× dR/ce+ c EC points


return (Q ←∑W

j=1 j · Kj )

Complexity : (`− c)×MixedAdd + (W − 1)× Dbl + (H− 1)× Add



Complexity of the ECSM Algorithm

0

500

1000

1500

2000

2500

3000

100 150 200 250 300 350 400 450 500

Requir

ed T

ota

l Sto

rag

e #

kByte

s


Complexity Comparison Rsplitting/FixedBaseComb Best of Average Case, t=256


best case t=256

Scalar size t = 256 bits.



Complexity of the ECSM Algorithm

10

100

1000

10000

100000

1e+06

1e+07

0 200 400 600 800 1000 1200 1400

Requir

ed T

ota

l Sto

rag

e #

kByte

s


Complexity Comparison Rsplitting/FixedBaseComb Best of Average Case, t=521


best case t=521

Scalar size t = 521 bits.


Conclusion and work in progress

Table des matières








� We have presented:

DSA signature protocol;

Main State of the Art approaches for modular exponentiation;

Our Contributions:m0m1 RNS digit recoding for exponent;Enhanced algorithms for modular exponentiation;Software implementations;Performance results: storage saving up to three times;

� Work in progress:

R-splitting (alternative to the m0m1 recoding);

Application to ECDSA (Elliptic Curve Digital Signature Algorithm);

Submission as extension of the WAIFI 2016 paper expected first semester 2017;

� Future work:

Develop improvements to thwart side-channel analysis (cache attack...);



Je vous remercie de votre attention,

et suis à l’écoute de vos questions ?


enhanced digital signature using splitted exponent digit ... · Étudiantspréparantunbachelor of...

Documents