
Advances in Cryptology – ASIACRYPT 2017
23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II

Lecture Notes in Computer Science 10625

Commenced Publication in 1973

Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zurich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410

Advances in Cryptology – ASIACRYPT 2017

23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017

Proceedings, Part II

Editors:
Tsuyoshi Takagi, The University of Tokyo, Tokyo, Japan
Thomas Peyrin, Nanyang Technological University, Singapore, Singapore

ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science

ISBN 978-3-319-70696-2 ISBN 978-3-319-70697-9 (eBook)
https://doi.org/10.1007/978-3-319-70697-9

Library of Congress Control Number: 2017957984

LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

ASIACRYPT 2017, the 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, was held in Hong Kong, SAR China, during December 3–7, 2017.

The conference focused on all technical aspects of cryptology, and was sponsored by the International Association for Cryptologic Research (IACR).

ASIACRYPT 2017 received 243 submissions from all over the world. The Program Committee selected 67 papers (from which two were merged) for publication in the proceedings of this conference. The review process was the usual double-blind peer review by the Program Committee, consisting of 48 leading experts of the field. Each submission was reviewed by at least three reviewers, and five reviewers were assigned to submissions co-authored by Program Committee members. This year, the conference operated a two-round review system with a rebuttal phase. In the first-round review the Program Committee selected the 146 submissions that were considered of value for proceeding to the second round. In the second-round review the Program Committee further reviewed the submissions by taking into account the rebuttal letters from the authors. The whole selection process was assisted by 334 external reviewers. These three-volume proceedings contain the revised versions of the papers that were selected. The revised versions were not reviewed again and the authors are responsible for their contents.

The program of ASIACRYPT 2017 featured three excellent invited talks. Dustin Moody gave a talk entitled "The Ship Has Sailed: The NIST Post-Quantum Cryptography 'Competition'," Wang Huaxiong spoke on "Combinatorics in Information Theoretic Cryptography," and Pascal Paillier gave a third talk. The conference also featured a traditional rump session that contained short presentations on the latest research results of the field. The Program Committee selected the work "Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems" by Steven D. Galbraith, Christophe Petit, and Javier Silva for the Best Paper Award of ASIACRYPT 2017. Two more papers, "Kummer for Genus One over Prime Order Fields" by Sabyasachi Karati and Palash Sarkar, and "A Subversion-Resistant SNARK" by Behzad Abdolmaleki, Karim Baghery, Helger Lipmaa, and Michał Zając were solicited to submit the full versions to the Journal of Cryptology. The program chairs selected Takahiro Matsuda and Bart Mennink for the Best PC Member Award.

Many people have contributed to the success of ASIACRYPT 2017. We would like to thank the authors for submitting their research results to the conference. We are very grateful to all of the Program Committee members as well as the external reviewers for their fruitful comments and discussions on their areas of expertise. We are greatly indebted to Duncan Wong and Siu Ming Yiu, the general co-chairs, for their efforts and overall organization. We would also like to thank Allen Au, Catherine Chan, Sherman S. M. Chow, Lucas Hui, Zoe Jiang, Xuan Wang, and Jun Zhang, the local Organizing Committee, for their continuous support. We thank Duncan Wong and Siu Ming Yiu for expertly organizing and chairing the rump session.

Finally, we thank Shai Halevi for letting us use his nice software for supporting all the paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, and their colleagues for handling the editorial process of the proceedings published at Springer LNCS.

December 2017
Tsuyoshi Takagi
Thomas Peyrin

ASIACRYPT 2017

The 23rd Annual International Conference on Theory and Application of Cryptology and Information Security

Sponsored by the International Association for Cryptologic Research (IACR)

December 3–7, 2017, Hong Kong, SAR China

General Co-chairs

Duncan Wong, CryptoBLK Limited
Siu Ming Yiu, The University of Hong Kong, SAR China

Program Co-chairs

Tsuyoshi Takagi, University of Tokyo, Japan
Thomas Peyrin, Nanyang Technological University, Singapore

Program Committee

Shweta Agrawal, IIT Madras, India
Céline Blondeau, Aalto University, Finland
Joppe W. Bos, NXP Semiconductors, Belgium
Chris Brzuska, TU Hamburg, Germany
Jie Chen, East China Normal University, China
Sherman S. M. Chow, The Chinese University of Hong Kong, SAR China
Kai-Min Chung, Academia Sinica, Taiwan
Nico Döttling, University of California, Berkeley, USA
Thomas Eisenbarth, Worcester Polytechnic Institute, USA
Dario Fiore, IMDEA Software Institute, Madrid, Spain
Georg Fuchsbauer, Inria and ENS, France
Steven Galbraith, Auckland University, New Zealand
Jian Guo, Nanyang Technological University, Singapore
Viet Tung Hoang, Florida State University, USA
Jérémy Jean, ANSSI, France
Jooyoung Lee, KAIST, South Korea
Dongdai Lin, Chinese Academy of Sciences, China
Feng-Hao Liu, Florida Atlantic University, USA
Stefan Mangard, Graz University of Technology, Austria
Takahiro Matsuda, AIST, Japan
Alexander May, Ruhr University Bochum, Germany
Bart Mennink, Radboud University, The Netherlands
Amir Moradi, Ruhr University Bochum, Germany
Pratyay Mukherjee, Visa Research, USA
Mridul Nandi, Indian Statistical Institute, India
Khoa Nguyen, Nanyang Technological University, Singapore
Miyako Ohkubo, NICT, Japan
Tatsuaki Okamoto, NTT Secure Platform Laboratories, Japan
Arpita Patra, Indian Institute of Science, India
Bart Preneel, KU Leuven, Belgium
Matthieu Rivain, CryptoExperts, France
Reihaneh Safavi-Naini, University of Calgary, Canada
Yu Sasaki, NTT Secure Platform Laboratories, Japan
Peter Schwabe, Radboud University, The Netherlands
Fang Song, Portland State University, USA
François-Xavier Standaert, UCL, Belgium
Damien Stehlé, ENS Lyon, France
Ron Steinfeld, Monash University, Australia
Rainer Steinwandt, Florida Atlantic University, USA
Mehdi Tibouchi, NTT Secure Platform Laboratories, Japan
Dominique Unruh, University of Tartu, Estonia
Gilles Van Assche, STMicroelectronics, Belgium
Serge Vaudenay, EPFL, Switzerland
Ingrid Verbauwhede, KU Leuven, Belgium
Ivan Visconti, University of Salerno, Italy
Lei Wang, Shanghai Jiaotong University, China
Meiqin Wang, Shandong University, China
Jiang Zhang, State Key Laboratory of Cryptology, China

Additional Reviewers

Masayuki Abe, Arash Afshar, Divesh Aggarwal, Shashank Agrawal, Ahmad Ahmadi, Mamun Akand, Gorjan Alagic, Joel Alwen, Abdelrahaman Aly, Miguel Ambrona, Elena Andreeva, Diego Aranha, Nuttapong Attrapadung, Sepideh Avizheh, Saikrishna Badrinarayanan, Shi Bai, Fatih Balli, Subhadeep Banik, Zhenzhen Bao, Hridam Basu, Alberto Batistello, Balthazar Bauer, Carsten Baum, Georg T. Becker, Christof Beierle, Sonia Belaïd, Fabrice Benhamouda, Francesco Berti, Guido Bertoni, Sanjay Bhattacherjee, Jean-François Biasse, Begül Bilgin, Olivier Blazy, Johannes Bloemer, Sonia Mihaela Bogos, Sasha Boldyreva, Charlotte Bonte, Raphael Bost, Leif Both, Florian Bourse,
Sébastien Canard, Brent Carmer, Wouter Castryck, Dario Catalano, Gizem Çetin, Avik Chakraborti, Nishanth Chandran, Melissa Chase, Binyi Chen, Cong Chen, Long Chen, Yi-Hsiu Chen, Yu Chen, Yu-Chi Chen, Nai-Hui Chia, Gwangbae Choi, Wutichai Chongchitmate, Chi-Ning Chou, Ashish Choudhury, Chitchanok Chuengsatiansup, Hao Chung, Michele Ciampi, Thomas De Cnudde, Katriel Cohn-Gordon, Henry Corrigan-Gibbs, Craig Costello, Geoffroy Couteau, Eric Crockett, Tingting Cui, Edouard Cuvelier,
Joan Daemen, Wei Dai, Pratish Datta, Bernardo David, Marguerite Delcourt, Jeroen Delvaux, Yi Deng, David Derler, Julien Devigne, Claus Diem, Christoph Dobraunig, Yarkin Doroz, Léo Ducas, Dung H. Duong, Ratna Dutta, Stefan Dziembowski, Maria Eichlseder, Muhammed Esgin, Thomas Espitau, Xiong Fan, Antonio Faonio, Sebastian Faust, Björn Fay, Serge Fehr, Luca De Feo, Nils Fleischhacker, Jean-Pierre Flori, Tore Kasper Frederiksen, Thomas Fuhr, Marc Fyrbiak,
Tommaso Gagliardoni, Chaya Ganesh, Flavio Garcia, Pierrick Gaudry, Rémi Géraud, Satrajit Ghosh, Irene Giacomelli, Benedikt Gierlichs, Junqing Gong, Louis Goubin, Alex Grilo, Hannes Gross, Vincent Grosso, Chun Guo, Hui Guo, Helene Haagh, Patrick Haddad, Harry Halpin, Shuai Han, Yoshikazu Hanatani, Jens Hermans, Gottfried Herold, Julia Hesse, Felix Heuer, Minki Hhan, Fumitaka Hoshino, Yin-Hsun Huang, Zhenyu Huang, Andreas Hülsing, Jung Yeon Hwang,
Ilia Iliashenko, Mehmet Inci, Vincenzo Iovino, Ai Ishida, Takanori Isobe, Tetsu Iwata, Malika Izabachène, Michael Jacobson, Abhishek Jain, David Jao, Zhengfeng Ji, Dingding Jia, Shaoquan Jiang, Anthony Journault, Jean-Gabriel Kammerer, Sabyasachi Karati, Handan Kilinç, Dongwoo Kim, Jihye Kim, Jon-Lark Kim, Sam Kim, Taechan Kim, Elena Kirshanova, Ágnes Kiss, Fuyuki Kitagawa, Susumu Kiyoshima, Thorsten Kleinjung, Miroslav Knezevic, Alexander Koch, François Koeune, Konrad Kohbrok, Lisa Kohl, Ilan Komargodski, Yashvanth Kondi, Robert Kuebler,
Frédéric Lafitte, Ching-Yi Lai, Russell W. F. Lai, Adeline Langlois, Gregor Leander, Changmin Lee, Hyung Tae Lee, Iraklis Leontiadis, Tancrède Lepoint, Debbie Leung, Yongqiang Li, Jyun-Jie Liao, Benoit Libert, Fuchun Lin, Wei-Kai Lin, Patrick Longa, Julian Loss, Steve Lu, Xianhui Lu, Atul Luykx, Chang Lv, Vadim Lyubashevsky, Monosij Maitra, Mary Maller, Giorgia Azzurra Marson, Marco Martinoli, Daniel Masny, Sarah Meiklejohn, Peihan Miao, Michele Minelli, Takaaki Mizuki, Ahmad Moghimi, Payman Mohassel, Maria Chiara Molteni, Seyyed Amir Mortazavi, Fabrice Mouhartem, Köksal Mus,
Michael Naehrig, Ryo Nishimaki, Anca Nitulescu, Luca Nizzardo, Koji Nuida, Kaisa Nyberg, Adam O'Neill, Tobias Oder, Olya Ohrimenko, Emmanuela Orsini, Elisabeth Oswald, Elena Pagnin, Pascal Paillier, Jiaxin Pan, Alain Passelègue, Sikhar Patranabis, Roel Peeters, Chris Peikert, Alice Pellet-Mary, Ludovic Perret, Peter Pessl, Thomas Peters, Christophe Petit, Duong Hieu Phan, Antigoni Polychroniadou, Romain Poussier, Ali Poustindouz, Emmanuel Prouff, Kexin Qiao, Baodong Qin,
Sebastian Ramacher, Somindu C. Ramanna, Shahram Rasoolzadeh, Divya Ravi, Francesco Regazzoni, Jean-René Reinhard, Ling Ren, Joost Renes, Oscar Reparaz, Joost Rijneveld, Damien Robert, Jérémie Roland, Arnab Roy, Sujoy Sinha Roy, Vladimir Rozic, Joeri de Ruiter, Yusuke Sakai, Amin Sakzad, Simona Samardjiska, Olivier Sanders, Pascal Sasdrich, Alessandra Scafuro, John Schanck, Tobias Schneider, Jacob Schuldt, Gil Segev, Okan Seker, Binanda Sengupta, Sourav Sengupta, Jae Hong Seo, Masoumeh Shafienejad, Setareh Sharifian, Sina Shiehian, Kazumasa Shinagawa, Dave Singelée, Shashank Singh, Javier Silva, Luisa Siniscalchi, Daniel Slamanig, Benjamin Smith, Ling Song, Pratik Soni, Koutarou Suzuki, Alan Szepieniec,
Björn Tackmann, Mostafa Taha, Raymond K. H. Tai, Katsuyuki Takashima, Atsushi Takayasu, Benjamin Hong Meng Tan, Qiang Tang, Yan Bo Ti, Yosuke Todo, Ni Trieu, Roberto Trifiletti, Thomas Unterluggauer, John van de Wetering, Muthuramakrishnan Venkitasubramaniam, Daniele Venturi, Dhinakaran Vinayagamurthy, Vanessa Vitse, Damian Vizár, Satyanarayana Vusirikala,
Sebastian Wallat, Alexandre Wallet, Haoyang Wang, Minqian Wang, Wenhao Wang, Xiuhua Wang, Yuyu Wang, Felix Wegener, Puwen Wei, Weiqiang Wen, Mario Werner, Benjamin Wesolowski, Baofeng Wu, David Wu, Keita Xagawa, Zejun Xiang, Chengbo Xu, Shota Yamada, Kan Yang, Kang Yang, Kan Yasuda, Donggeon Yhee, Kazuki Yoneyama, Kisoon Yoon, Yu Yu, Zuoxia Yu, Henry Yuen, Aaram Yun, Mahdi Zamani, Greg Zaverucha, Cong Zhang, Jie Zhang, Kai Zhang, Ren Zhang, Wentao Zhang, Yongjun Zhao, Yuqing Zhu

Local Organizing Committee

Co-chairs

Duncan Wong, CryptoBLK Limited
Siu Ming Yiu, The University of Hong Kong, SAR China

Members

Lucas Hui (Chair), The University of Hong Kong, SAR China
Catherine Chan (Manager), The University of Hong Kong, SAR China
Jun Zhang, The University of Hong Kong, SAR China
Xuan Wang, Harbin Institute of Technology, Shenzhen, China
Zoe Jiang, Harbin Institute of Technology, Shenzhen, China
Allen Au, The Hong Kong Polytechnic University, SAR China
Sherman S. M. Chow, The Chinese University of Hong Kong, SAR China

Invited Speakers

The Ship Has Sailed: The NIST Post-Quantum Cryptography "Competition"

Dustin Moody

Abstract. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromise the security of many commonly used cryptographic algorithms. In particular, quantum computers would completely break many public-key cryptosystems, including those standardized by NIST and other standards organizations.

Due to this concern, many researchers have begun to investigate post-quantum cryptography (also called quantum-resistant cryptography). The goal of this research is to develop cryptographic algorithms that would be secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. A significant effort will be required to develop, standardize, and deploy new post-quantum algorithms. In addition, this transition needs to take place well before any large-scale quantum computers are built, so that any information that is later compromised by quantum cryptanalysis is no longer sensitive when that compromise occurs.

NIST has taken several steps in response to this potential threat. In 2015, NIST held a public workshop and later published NISTIR 8105, Report on Post-Quantum Cryptography, which shares NIST's understanding of the status of quantum computing and post-quantum cryptography. NIST also decided to develop additional public-key cryptographic algorithms through a public standardization process, similar to the development processes for the hash function SHA-3 and the Advanced Encryption Standard (AES). To begin the process, NIST issued a detailed set of minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, available at http://www.nist.gov/pqcrypto. The deadline for algorithms to be submitted was November 30, 2017.

In this talk, I will share the rationale on the major decisions NIST has made, such as excluding hybrid and (stateful) hash-based signature schemes. I will also talk about some open research questions and their potential impact on the standardization effort, in addition to some of the practical issues that arose while creating the API. Finally, I will give some preliminary information about the submitted algorithms, and discuss what we've learned during the first part of the standardization process.

Combinatorics in Information-Theoretic Cryptography

Huaxiong Wang
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
hxwang@ntu.edu.sg

Abstract. Information-theoretic cryptography is an area that studies cryptographic functionalities whose security does not rely on hardness assumptions from computational intractability of mathematical problems. It covers a wide range of cryptographic research topics such as one-time pad, authentication code, secret sharing schemes, secure multiparty computation, private information retrieval and post-quantum security etc., just to mention a few. Moreover, many areas in complexity-based cryptography are well known to benefit or stem from information-theoretic methods. On the other hand, combinatorics has been playing an active role in cryptography, for example, the hardness of Hamiltonian cycle existence in graph theory is used to design zero-knowledge proofs. In this talk, I will focus on the connections between combinatorics and information-theoretic cryptography. After a brief (incomplete) overview on their various connections, I will present a few concrete examples to illustrate how combinatorial objects and techniques are applied to the constructions and characterizations of information-theoretic schemes. Specifically, I will show

1. how perfect hash families and cover-free families lead to better performance in certain secret sharing schemes;

2. how graph colouring from planar graphs is used in constructing secure multiparty computation protocols over non-abelian groups;

3. how regular intersecting families are applied to the constructions of private information retrieval schemes.

Contents – Part II

Asiacrypt 2017 Award Paper I

Kummer for Genus One over Prime Order Fields .......... 3
  Sabyasachi Karati and Palash Sarkar

Pairing-based Protocols

ABE with Tag Made Easy: Concise Framework and New Instantiations in Prime-Order Groups .......... 35
  Jie Chen and Junqing Gong

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups .......... 66
  Essam Ghadafi and Jens Groth

An Efficient Pairing-Based Shuffle Argument .......... 97
  Prastudy Fauzi, Helger Lipmaa, Janno Siim, and Michał Zając

Efficient Ring Signatures in the Standard Model .......... 128
  Giulio Malavolta and Dominique Schröder

Quantum Algorithms

Grover Meets Simon – Quantumly Attacking the FX-construction .......... 161
  Gregor Leander and Alexander May

Quantum Multicollision-Finding Algorithm .......... 179
  Akinori Hosoyamada, Yu Sasaki, and Keita Xagawa

An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography .......... 211
  André Chailloux, María Naya-Plasencia, and André Schrottenloher

Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms .......... 241
  Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter

Elliptic Curves

qDSA: Small and Secure Digital Signatures with Curve-Based Diffie–Hellman Key Pairs .......... 273
  Joost Renes and Benjamin Smith

A Simple and Compact Algorithm for SIDH with Arbitrary Degree Isogenies .......... 303
  Craig Costello and Huseyin Hisil

Faster Algorithms for Isogeny Problems Using Torsion Point Images .......... 330
  Christophe Petit

Block Chains

Beyond Hellman's Time-Memory Trade-Offs with Applications to Proofs of Space .......... 357
  Hamza Abusalah, Joël Alwen, Bram Cohen, Danylo Khilko, Krzysztof Pietrzak, and Leonid Reyzin

The Sleepy Model of Consensus .......... 380
  Rafael Pass and Elaine Shi

Instantaneous Decentralized Poker .......... 410
  Iddo Bentov, Ranjit Kumaresan, and Andrew Miller

Multi-party Protocols

More Efficient Universal Circuit Constructions .......... 443
  Daniel Günther, Ágnes Kiss, and Thomas Schneider

Efficient Scalable Constant-Round MPC via Garbled Circuits .......... 471
  Aner Ben-Efraim, Yehuda Lindell, and Eran Omri

Overlaying Conditional Circuit Clauses for Secure Computation .......... 499
  W. Sean Kennedy, Vladimir Kolesnikov, and Gordon Wilfong

JIMU: Faster LEGO-Based Secure Computation Using Additive Homomorphic Hashes .......... 529
  Ruiyu Zhu and Yan Huang

Operating Modes Security Proofs

Analyzing Multi-key Security Degradation .......... 575
  Atul Luykx, Bart Mennink, and Kenneth G. Paterson

Full-State Keyed Duplex with Built-In Multi-user Support .......... 606
  Joan Daemen, Bart Mennink, and Gilles Van Assche

Improved Security for OCB3 .......... 638
  Ritam Bhaumik and Mridul Nandi

The Iterated Random Function Problem .......... 667
  Ritam Bhaumik, Nilanjan Datta, Avijit Dutta, Nicky Mouha, and Mridul Nandi

Author Index

Asiacrypt 2017 Award Paper I

Kummer for Genus One over Prime Order Fields

Sabyasachi Karati¹ and Palash Sarkar²

¹ iCIS Lab, Department of Computer Science, University of Calgary, Calgary, Canada. sabyasachi.karati@ucalgary.ca

² Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata 700108, India. palash@isical.ac.in

Abstract. This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In this work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as K1 := KL2519(81, 20), K2 := KL25519(82, 77) and K3 := KL2663(260, 139) over the three primes 2^251 − 9, 2^255 − 19 and 2^266 − 3 respectively. Implementations of scalar multiplications for all the three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on the recent Skylake and the earlier Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for K1 and K2 are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well known Curve25519; for example, on Skylake, variable base scalar multiplication on K1 is faster than Curve25519 by about 25%. On Skylake, both fixed base and variable base scalar multiplication for K3 are faster than Sandy2x; whereas on Haswell, fixed base scalar multiplication for K3 is faster than Sandy2x while variable base scalar multiplication for both K3 and Sandy2x take roughly the same time. In fact, on Skylake, K3 is both faster and also offers about 5 bits of higher security compared to Curve25519. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation.

Keywords: Elliptic curve cryptography · Kummer line · Montgomery curve · Scalar multiplication

S. Karati: Part of the work was done while the author was a post-doctoral fellow at the Turing Laboratory of the Indian Statistical Institute. Part supported by Alberta Innovates in the Province of Alberta, Canada.

© International Association for Cryptologic Research 2017

T. Takagi and T. Peyrin (Eds.): ASIACRYPT 2017, Part II, LNCS 10625, pp. 3–32, 2017. https://doi.org/10.1007/978-3-319-70697-9_1

1 Introduction

Curve-based cryptography provides a platform for secure and efficient implementation of public key schemes whose security relies on the hardness of the discrete logarithm problem. Starting from the pioneering work of Koblitz [29] and Miller [33] introducing elliptic curves and the work of Koblitz [30] introducing hyperelliptic curves for cryptographic use, the last three decades have seen an extensive amount of research in the area.

Appropriately chosen elliptic curves and genus two hyperelliptic curves are considered to be suitable for practical implementation. Table 1 summarises features for some of the concrete curves that have been proposed in the literature. Arguably, the two most well known curves proposed till date for the 128-bit security level are P-256 [37] and Curve25519 [2]. Also the secp256k1 curve [40] has become very popular due to its deployment in the Bitcoin protocol. All of these curves are in the setting of genus one over prime order fields. In particular, we note that Curve25519 has been extensively deployed for various applications. A listing of such applications can be found at [17]. So, from the point of view of deployment, practitioners are very familiar with genus one curves over prime order fields. Influential organisations, such as NIST, Brainpool, Microsoft (the NUMS curve) have concrete proposals in this setting. See [5] for a further listing of such primes and curves. It is quite likely that any future portfolio of proposals by standardisation bodies will include at least one curve in the setting of genus one over a prime field.

Our Contributions

The contribution of this paper is to propose new curves for the setting of genus one over a prime order field. Actual scalar multiplication is done over the Kummer line associated with such a curve. The idea of using the Kummer line was proposed by Gaudry and Lubicz [22]. They, however, were not clear about whether competitive speeds can be obtained using this approach. Our main contribution is to show that this can indeed be done using the single-instruction multiple-data (SIMD) instructions available in modern processors. We note that the use of SIMD instructions to speed up computation has been earlier proposed for the Kummer surface associated with genus two hyperelliptic curves [22]. The application of this idea, however, to the Kummer line has not been considered in the literature. Our work fills this gap and shows that properly using SIMD instructions provides a competitive alternative to known curves in the setting of genus one and prime order fields.

As in the case of the Montgomery curve [34], scalar multiplication on the Kummer line proceeds via a laddering algorithm. A ladder step corresponds to each bit of the scalar and each such step consists of a doubling and a differential addition irrespective of the value of the bit. As a consequence, it becomes easy to develop code which runs in constant time. We describe and implement a vectorised version of the laddering algorithm which is also constant time. Our target is the 128-bit security level.

Table 1. Features of some curves proposed in the last few years.

Reference                                     Genus  Form                  Field order  Endomorphisms
NIST P-256 [37]                               1      Weierstrass           Prime        No
Curve25519 [2]                                1      Montgomery            Prime        No
secp256k1 [40]                                1      Weierstrass           Prime        No
Brainpool [11]                                1      Weierstrass           Prime        No
NUMS [41]                                     1      Twisted Edwards
Longa-Sica [32]
Bos et al. [9]
Bos et al. [10]
Hankerson et al. [26], Oliveira et al. [38]   1      Weierstrass/Koblitz   2^n          Yes
Longa-Sica [32], Faz-Hernández et al. [18]    1      Twisted Edwards       p^2          Yes
Costello et al. [15]                          1      Montgomery            p^2          Yes
Gaudry-Schost [23], Bernstein et al. [4]      2      Kummer
Costello-Longa [14]
Hankerson et al. [26], Oliveira et al. [39]
This work                                     1      Kummer                Prime        No

Choice of the Underlying Field: Our target is the 128-bit security level. To this end, we consider three primes, namely, 2^251 − 9, 2^255 − 19 and 2^266 − 3. These primes are abbreviated as p2519, p25519 and p2663 respectively. The underlying field will be denoted as F_p where p is one of p2519, p25519 or p2663.

Choice of the Kummer Line: Following previous suggestions [3, 9], we work in the square-only setting. In this case, the parameters of the Kummer line are given by two integers a^2 and b^2. We provide appropriate Kummer lines for all three of the primes p2519, p25519 and p2663. These are denoted as KL2519(81,20), KL25519(82,77) and KL2663(260,139) respectively. In each case, we identify a base point with small coordinates. The selection of the Kummer lines is done using a search for curves achieving certain desired security properties. Later we provide the details of these properties which indicate that the curves provide security at the 128-bit security level.

SIMD Implementation: On Intel processors, it is possible to pack 4 64-bit words into a single 256-bit quantity and then use SIMD instructions to simultaneously work on the 4 64-bit words. We apply this approach to carefully consider various aspects of field arithmetic over F_p. SIMD instructions allow the simultaneous computation of 4 multiplications in F_p and also 4 squarings in F_p.

The use of SIMD instructions dovetails very nicely with the scalar multiplication algorithm over the Kummer line as we explain below.

Fig. 1. One ladder step on the Kummer line.

Fig. 2. One ladder step on the Montgomery curve.

Scalar Multiplication over the Kummer Line: A uniform, ladder style algorithm is used. In terms of operation count, each ladder step requires 2 field multiplications, 6 field squarings, 6 multiplications by parameters and 2 multiplications by base point coordinates [22]. In contrast, one ladder step on the Montgomery curve requires 4 field multiplications, 4 squarings, 1 multiplication by a curve parameter and 1 multiplication by a base point coordinate. This led Gaudry and Lubicz [22] to comment that the Kummer line can be advantageous provided that the advantage of trading off multiplications for squarings is not offset by the extra multiplications by the parameters and the base point coordinates.

Our choices of the Kummer lines ensure that the parameters and the base point coordinates are indeed very small. This is not to suggest that the Kummer line is only suitable for fixed base point scalar multiplication. The main advantage arises from the structure of the ladder step on the Kummer line versus that on the Montgomery curve.

An example of the ladder step on the Kummer line is shown in Fig. 1. In the figure, the Hadamard transform $H(u,v)$ is defined to be $(u+v,\ u-v)$. Observe that there are 4 layers of 4 simultaneous multiplications. The first layer consists of 2 field multiplications and 2 squarings, while the third layer consists of 4 field squarings. Using 256-bit SIMD instructions, the 2 multiplications and the 2 squarings in the first layer can be computed simultaneously using an implementation of vectorised field multiplication while the third layer can be computed using an implementation of vectorised field squaring. The second layer consists only of multiplications by parameters and is computed using an implementation of vectorised multiplication by constants. The fourth layer consists of two multiplications by parameters and two multiplications by base point coordinates. For fixed base point, this layer can be computed using a single vectorised multiplication by constants while for variable base point, this layer requires a vectorised field multiplication. A major advantage of the ladder step on the Kummer line is that the packing and unpacking into 256-bit quantities is done once each. Packing is done at the start of the scalar multiplication and unpacking is done at the end. The entire scalar multiplication can be computed on the packed vectorised quantities.

In contrast, the ladder step on the Montgomery curve is shown in Fig. 2, which has been reproduced from [2]. The structure of this ladder is not as regular as the ladder step on the Kummer line. This makes it difficult to optimally group together the multiplications for SIMD implementation. Curve25519 is a Montgomery curve. SIMD implementations of Curve25519 have been reported in [7, 12, 16, 19]. The work [16] forms four groups of independent multiplications/squarings with the first and the third group consisting of four multiplications/squarings each, the second group consisting of two multiplications and the fourth group consisting of a single multiplication. Interspersed with these multiplications are two groups each consisting of four independent additions/subtractions. The main problem with this approach is that of repeated packing/unpacking of data within a ladder step. This drawback outweighs the benefits of four simultaneous SIMD multiplications and this approach has not been followed in later works [7, 12, 19]. These later implementations grouped together only two independent multiplications. In particular, we note that the well known Sandy2x implementation of Curve25519 is an SIMD implementation which is based on [12] and groups together only two multiplications. The AVX2 based implementation of Curve25519 in [19] also groups together only 2 multiplications/squarings.

At a forum¹ Tung Chou comments (perhaps oblivious of [16]) that it would be better to find four independent multiplications/squarings and vectorise them. As discussed above, the previous works on SIMD implementation of Curve25519 do not seem to have been able to identify this. On the other hand, for the ladder step on the Kummer line shown in Fig. 1, performing vectorisation of 4 independent multiplications/squarings comes quite naturally. This indicates that the ladder step on the Kummer line is more SIMD friendly than the ladder step on the Montgomery curve.

Implementation: We report implementations of all the three Kummer lines KL2519(81,20), KL25519(82,77) and KL2663(260,139). The implementations are in Intel intrinsics and use AVX2 instructions. On the recent Skylake processor, both fixed and variable base scalar multiplications for all the three Kummer lines are faster than Sandy2x, which is presently the best known SIMD implementation in assembly of Curve25519. On the earlier Haswell processor, both fixed and variable base scalar multiplications for KL2519(81,20) and KL25519(82,77) are faster than that of Sandy2x; fixed base scalar multiplication for KL2663(260,139) is faster than that of Sandy2x while variable base scalar multiplication for both KL2663(260,139) and Sandy2x take roughly the same time. Detailed timing results are provided later.

¹ https://moderncrypto.org/mail-archive/curves/2015/000637.html

At a broad level, the timing results reported in this work show that the availability of SIMD instructions leads to the following two practical consequences.

1. At the 128-bit security level, the choice of $\mathbb{F}_{2^{255}-19}$ as the base field is not the fastest. If one is willing to sacrifice about 2 bits of security, then using $\mathbb{F}_{2^{251}-9}$ as the base field leads to about 25% speedup on the Skylake processor.

2. More generally, the ladder step on the Kummer line is faster than the ladder step on the Montgomery curve. We have demonstrated this by implementing on the Intel processors. Future work can explore this issue on other platforms such as the ARM NEON architecture.

Due to page limit restrictions, we are unable to include all the details in this version. These are provided in the full version [28].

2 Background

In this section, we briefly describe theta functions over genus one, Kummer lines, Legendre form elliptic curves and their relations. In our description of the background material, the full version [28] provides certain details which are not readily available in the literature.

2.1 Theta Functions

In this and the next few sections, we provide a sketch of the mathematical background on theta functions over genus one and Kummer lines. Following previous works [22, 27, 36] we define the theta functions over the complex field. For cryptographic purposes, our goal is to work over a prime field of large characteristic. All the derivations that are used have a good reduction [22] and so it is possible to use the Lefschetz principle [1, 21] to carry over the identities proved over the complex numbers to those over a large characteristic field.

Let $\tau \in \mathbb{C}$ have positive imaginary part and $w \in \mathbb{C}$. Let $\xi_1, \xi_2 \in \mathbb{Q}$. Theta functions with characteristics $\vartheta[\xi_1,\xi_2](w,\tau)$ are defined to be the following:

$$\vartheta[\xi_1,\xi_2](w,\tau) = \sum_{n\in\mathbb{Z}} \exp\big(\pi i (n+\xi_1)^2 \tau + 2\pi i (n+\xi_1)(w+\xi_2)\big). \qquad (1)$$

For a fixed $\tau$, the following theta functions are defined.

$$\vartheta_1(w) = \vartheta[0,0](w,\tau) \quad\text{and}\quad \vartheta_2(w) = \vartheta[0,1/2](w,\tau),$$
$$\Theta_1(w) = \vartheta[0,0](w,2\tau) \quad\text{and}\quad \Theta_2(w) = \vartheta[1/2,0](w,2\tau).$$

The following identities hold for the theta functions. Proofs are given in the appendix of the full version [28].

Putting $w_1 = w_2 = w$, we obtain

Putting $w = 0$ in (4), we obtain

2.2 Kummer Line

Let $\tau \in \mathbb{C}$ have positive imaginary part and denote by $\mathbb{P}^1(\mathbb{C})$ the projective line over $\mathbb{C}$. The Kummer line ($\mathcal{K}$) associated with $\tau$ is the image of the map $\phi$ from $\mathbb{C}$ to $\mathbb{P}^1(\mathbb{C})$ defined by $\phi : w \longmapsto [\vartheta_1(w) : \vartheta_2(w)]$.

Suppose that $\phi(w) = [\vartheta_1(w) : \vartheta_2(w)]$ is known for some $w \in \mathbb{F}_q$. Using (4) it is possible to compute $\Theta_1(2w)$ and $\Theta_2(2w)$ and then using (5) it is possible to compute $\vartheta_1(2w)$ and $\vartheta_2(2w)$. So, from $\phi(w)$ it is possible to compute $\phi(2w) = [\vartheta_1(2w) : \vartheta_2(2w)]$ without knowing the value of $w$.

Suppose that $\phi(w_1) = [\vartheta_1(w_1) : \vartheta_2(w_1)]$ and $\phi(w_2) = [\vartheta_1(w_2) : \vartheta_2(w_2)]$ are known for some $w_1, w_2 \in \mathbb{F}_q$. Using (4), it is possible to obtain $\Theta_1(2w_1)$, $\Theta_1(2w_2)$, $\Theta_2(2w_1)$ and $\Theta_2(2w_2)$. Then (3) allows the computation of $\vartheta_1(w_1+w_2)\,\vartheta_1(w_1-w_2)$ and $\vartheta_2(w_1+w_2)\,\vartheta_2(w_1-w_2)$. Further, if $\phi(w_1-w_2) = [\vartheta_1(w_1-w_2) : \vartheta_2(w_1-w_2)]$ is known, then it is possible to obtain $\phi(w_1+w_2) = [\vartheta_1(w_1+w_2) : \vartheta_2(w_1+w_2)]$ without knowing the values of $w_1$ and $w_2$.

The task of computing $\phi(2w)$ from $\phi(w)$ is called doubling and the task of computing $\phi(w_1+w_2)$ from $\phi(w_1)$, $\phi(w_2)$ and $\phi(w_1-w_2)$ is called differential (or pseudo) addition.

2.3 Square Only Setting

Let $P = \phi(w) = [x : z]$ be a point on the Kummer line. As described above, doubling computes the point $2P$ and suppose that $2P = [x_3 : z_3]$. Further, suppose that instead of $[x : z]$, we have the values $x^2$ and $z^2$ and after the doubling we are interested in the values $x_3^2$ and $z_3^2$. Then the doubling operation given by (8) and (9) only involves the squared quantities $\vartheta_1(0)^2, \vartheta_2(0)^2, \Theta_1(0)^2, \Theta_2(0)^2$ and $x^2, z^2$. As a consequence, the doubles of $[x : z]$ and $[x : -z]$ are the same. We have

Similarly, consider that from $P_1 = \phi(w_1) = [x_1 : z_1]$, $P_2 = \phi(w_2) = [x_2 : z_2]$ and $P = P_1 - P_2 = \phi(w_1 - w_2) = [x : z]$ the requirement is to compute $P_1 + P_2 = \phi(w_1 + w_2) = [x_3 : z_3]$. If we have the values $x_1^2, z_1^2, x_2^2, z_2^2$ along with $\vartheta_1(0)^2, \vartheta_2(0)^2, \Theta_1(0)^2, \Theta_2(0)^2$ then we can compute the values $x_3^2$ and $z_3^2$ by Eqs. (10) and (11).

$x_3^2 = z^2 \ldots$

This approach requires only squared values, i.e., it starts with squared values and also returns squared values. Hence, this is called the square only setting. Note that in the square only setting, $[x^2 : z^2]$ represents two points $[x : \pm z]$ on the Kummer line. For the case of genus two, the square only setting was advocated in [3, 9] (see also [13]). To the best of our knowledge, the details of the square only setting in genus one do not appear earlier in the literature.

Let

Then from (6) we obtain $\Theta_1(0)^2 = A^2/2$ and $\Theta_2(0)^2 = B^2/2$. By $\mathcal{K}_{a^2,b^2}$ we denote the Kummer line having the parameters $a^2$ and $b^2$. Table 2 shows the Algorithms dbl and diffAdd for doubling and differential addition. Details regarding correctness of the computation are provided in the full version [28].
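As an added derivation, not the paper's Table 2 (whose entries and Eqs. (8) to (11) are not reproduced on this page), here is how the square-only dbl and diffAdd follow from the duplication identities of the theta functions of Sect. 2.1. The identities are the standard ones written in the page's notation (the pair that Sect. 2.2 uses as (4), then the pair it uses as (3)); $a = \vartheta_1(0)$, $b = \vartheta_2(0)$, $A^2 = a^2 + b^2$ and $B^2 = a^2 - b^2$ is the reading of the preceding definition that is assumed here, consistent with $\Theta_1(0)^2 = A^2/2$ and $\Theta_2(0)^2 = B^2/2$.

$$\vartheta_1(w)^2 + \vartheta_2(w)^2 = 2\,\Theta_1(2w)\,\Theta_1(0), \qquad \vartheta_1(w)^2 - \vartheta_2(w)^2 = 2\,\Theta_2(2w)\,\Theta_2(0),$$
$$\vartheta_1(w_1+w_2)\,\vartheta_1(w_1-w_2) = \Theta_1(2w_1)\,\Theta_1(2w_2) + \Theta_2(2w_1)\,\Theta_2(2w_2),$$
$$\vartheta_2(w_1+w_2)\,\vartheta_2(w_1-w_2) = \Theta_1(2w_1)\,\Theta_1(2w_2) - \Theta_2(2w_1)\,\Theta_2(2w_2).$$

Putting $w = 0$ in the first pair gives $2\Theta_1(0)^2 = a^2 + b^2 = A^2$ and $2\Theta_2(0)^2 = a^2 - b^2 = B^2$.

Doubling. With $x = \vartheta_1(w)$ and $z = \vartheta_2(w)$, the first pair gives $\Theta_1(2w) = (x^2+z^2)/(2\Theta_1(0))$ and $\Theta_2(2w) = (x^2-z^2)/(2\Theta_2(0))$; the second pair with $w_1 = w_2 = w$ then gives
$$a\,\vartheta_1(2w) = \Theta_1(2w)^2 + \Theta_2(2w)^2 = \frac{(x^2+z^2)^2}{2A^2} + \frac{(x^2-z^2)^2}{2B^2}, \qquad b\,\vartheta_2(2w) = \frac{(x^2+z^2)^2}{2A^2} - \frac{(x^2-z^2)^2}{2B^2}.$$
Multiplying both by $2A^2B^2$, dividing by $a$ and $b$ respectively and squaring, with $s_0 = B^2(x^2+z^2)^2$ and $t_0 = A^2(x^2-z^2)^2$,
$$[x_3^2 : z_3^2] = [\,b^2 (s_0+t_0)^2 : a^2 (s_0-t_0)^2\,].$$

Differential addition. With $[x_i^2 : z_i^2]$ the squared coordinates of $\phi(w_i)$ and $[x^2 : z^2]$ those of $\phi(w_1-w_2)$, the same substitution in the second pair gives
$$\vartheta_1(w_1+w_2)\,\vartheta_1(w_1-w_2) = \frac{s_0+t_0}{2A^2B^2}, \qquad \vartheta_2(w_1+w_2)\,\vartheta_2(w_1-w_2) = \frac{s_0-t_0}{2A^2B^2},$$
where now $s_0 = B^2(x_1^2+z_1^2)(x_2^2+z_2^2)$ and $t_0 = A^2(x_1^2-z_1^2)(x_2^2-z_2^2)$. Dividing by $\vartheta_1(w_1-w_2)$ and $\vartheta_2(w_1-w_2)$ and squaring,
$$[x_3^2 : z_3^2] = [\,z^2 (s_0+t_0)^2 : x^2 (s_0-t_0)^2\,].$$

Only squared quantities enter on either side, which is the square-only property. Counting one dbl and one diffAdd per ladder step gives 2 multiplications (the two products in diffAdd), 6 squarings, 6 multiplications by the parameters $A^2, B^2, a^2, b^2$ and 2 multiplications by the base point coordinates $x^2, z^2$, which is the operation count quoted in Sect. 1.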

Table 2. Double and differential addition in the square-only setting.

In $\mathcal{K}_{a^2,b^2}$, the point $[a^2 : b^2]$ (representing $[a : \pm b]$) in the square only setting acts as the identity element for the differential addition. The full version [28] provides further details.

In the rest of the paper, we will work in the square only setting over a Kummer line $\mathcal{K}_{a^2,b^2}$ for some values of the parameters $a^2$ and $b^2$.

Scalar Multiplication: Suppose $P = [x_1^2 : z_1^2]$ and $n$ is a positive integer. We wish to compute $nP = [x_n^2 : z_n^2]$. The method for doing this is given by Algorithm scalarMult in Table 3. A conceptual description of a ladder step is given in Fig. 1.

Table 3. Scalar multiplication using a ladder.

2.4 Legendre Form Elliptic Curve

Let $E$ be an elliptic curve and $\sigma : E \to E$ be the automorphism which maps a point of $E$ to its inverse, i.e., for $(a,b) \in E$, $\sigma(a,b) = (a,-b)$. For $\mu \in \mathbb{F}_q$, let

$$E_\mu : Y^2 = X(X-1)(X-\mu) \qquad (12)$$

be an elliptic curve in the Legendre form. Let $\mathcal{K}_{a^2,b^2}$ be a Kummer line such that

(13)

An explicit map $\psi : \mathcal{K}_{a^2,b^2} \to E_\mu/\sigma$ has been given in [22]. In the square only setting, let $[x^2 : z^2]$ represent the points $[x : \pm z]$ of the Kummer line $\mathcal{K}_{a^2,b^2}$ such that $[x^2 : z^2] \neq [b^2 : a^2]$. Recall that $[a^2 : b^2]$ acts as the identity in $\mathcal{K}_{a^2,b^2}$. Then from [22],

$$\psi([x^2 : z^2]) = \begin{cases} \infty & \text{if } [x^2 : z^2] = [a^2 : b^2]; \\[4pt] \left( \dfrac{a^2 x^2}{a^2 x^2 - b^2 z^2},\ \ldots \right) & \text{otherwise.} \end{cases} \qquad (14)$$

Given $X = a^2x^2/(a^2x^2 - b^2z^2)$, it is possible to find $\pm Y$ from the equation of $E_\mu$, though it is not possible to uniquely determine the sign of $Y$. The inverse $\psi^{-1}$ maps a point not of order two of $E_\mu/\sigma$ to the squared coordinates of points in $\mathcal{K}_{a^2,b^2}$. We have

$$\psi^{-1}(\mathbf{P}) = \begin{cases} [a^2 : b^2] & \text{if } \mathbf{P} = \infty; \\[4pt] \left[ \dfrac{b^2 X}{a^2 (X-1)} : 1 \right] & \text{if } \mathbf{P} = (X, \ldots). \end{cases} \qquad (15)$$

Notation: We will use upper-case bold face letters to denote points of $E_\mu$ and upper-case normal letters to denote points of $\mathcal{K}_{a^2,b^2}$.

Consistency: Let $\mathcal{K}_{a^2,b^2}$ and $E_\mu$ be such that (13) holds. Consider the point $\mathbf{T} = (\mu, 0)$ on $E_\mu$. Note that $\mathbf{T}$ is a point of order two. Given any point $\mathbf{P} = (X, \ldots)$ of $E_\mu$, let $\mathbf{Q} = \mathbf{P} + \mathbf{T}$. Then it is easy to verify that $\mathbf{Q} = \left( \dfrac{\mu (X-1)}{X-\mu},\ \ldots \right)$.

Consider the map $\psi : \mathcal{K}_{a^2,b^2} \to E_\mu$ such that for points $[x : \pm z]$ represented by $[x^2 : z^2]$ in the square only setting

The inverse map $\psi^{-1}$ takes a point $\mathbf{P}$ of $E_\mu$ to squared coordinates in $\mathcal{K}_{a^2,b^2}$

For any two points $\mathbf{P}_1$, $\mathbf{P}_2$ on $E_\mu$ which are not of order two and $\mathbf{P} = \mathbf{P}_1 - \mathbf{P}_2$ the following properties hold.

The proofs for (17) can be derived from the formulas for $\psi$, $\psi^{-1}$; the formulas for addition and doubling on $E_\mu$; and the formulas arising from dbl and diffAdd. This involves simplifications of the intermediate expressions arising in these formulas. Such expressions become quite large. In the appendix of the full version [28] we provide a SAGE script which does the symbolic verification of the required calculations.

The relations given by (17) have the following important consequence for scalar multiplication. Suppose $P$ is in $\mathcal{K}_{a^2,b^2}$ and $\mathbf{P} = \psi(P)$. Then $\psi(nP) = n\mathbf{P}$. Fig. 3 depicts this in pictorial form.

Fig. 3. Consistency of scalar multiplications on $E_\mu$ and $\mathcal{K}_{a^2,b^2}$.
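The ladder of Algorithm scalarMult (Table 3) and the consistency relation $\psi(nP) = n\mathbf{P}$ of this section, as an added Python example that is not the paper's code. It works over $\mathbb{F}_p$ with $p = $ p2519 on KL2519(81,20). Since Table 2 and Eqs. (8) to (11) are not reproduced on this page, the dbl and diffAdd formulas used are the ones that follow from the theta duplication identities and are this example's own assumption; so is the form $\mu = a^4/(a^4 - b^4)$ taken for (13), and the X-coordinate map used for the check is the page's $\psi$ shifted by $\mathbf{T} = (\mu, 0)$ as the Consistency paragraph describes, i.e. $X \mapsto \mu(X-1)/(X-\mu)$, which sends the identity $[a^2 : b^2]$ to $\infty$. The affine Legendre-curve arithmetic is an independent reference used only to check that the Kummer-line ladder multiplies correctly; all class and function names are the example's own.

```python
# Added example (not the paper's code): the square-only Kummer-line ladder of Table 3
# over F_p, p = p2519 = 2^251 - 9, and the Legendre-curve map used to check that
# psi-bar(nP) = n psi-bar(P).  Table 2 and Eqs. (8)-(11) are not reproduced on this page:
# the dbl/diffAdd formulas and mu = a^4/(a^4 - b^4) below are this example's own assumptions.

P2519 = 2**251 - 9


def cswap(bit, u, v):
    # Branch-free conditional swap by mask (Python big ints are not constant time,
    # but the ladder's sequence of field operations no longer depends on the key bit).
    m = -bit                                             # 0 or -1 (all ones)
    return (tuple(a ^ ((a ^ b) & m) for a, b in zip(u, v)),
            tuple(b ^ ((a ^ b) & m) for a, b in zip(u, v)))


class KummerLine:
    """K_{a^2,b^2} over F_p; a point is held as squared coordinates [x^2 : z^2]."""
    def __init__(self, p, a2, b2):
        self.p, self.a2, self.b2 = p, a2 % p, b2 % p
        self.A2, self.B2 = (a2 + b2) % p, (a2 - b2) % p   # Theta_1(0)^2 = A^2/2, Theta_2(0)^2 = B^2/2
        a4, b4 = self.a2 * self.a2, self.b2 * self.b2
        self.mu = a4 * pow((a4 - b4) % p, -1, p) % p     # Legendre parameter (assumed form of (13))
    def H(self, u, v):                                   # Hadamard transform H(u, v) = (u + v, u - v)
        return ((u + v) % self.p, (u - v) % self.p)
    def dbl(self, pt):
        p = self.p
        s, t = self.H(*pt)
        s, t = s * s % p, t * t % p                      # layer 1: two squarings
        s, t = self.B2 * s % p, self.A2 * t % p          # layer 2: multiplications by parameters
        s, t = self.H(s, t)
        s, t = s * s % p, t * t % p                      # layer 3: two squarings
        return (self.b2 * s % p, self.a2 * t % p)        # layer 4: multiplications by parameters
    def diff_add(self, p1, p2, diff):
        """[x^2 : z^2] of P1 + P2 from P1, P2 and diff = P1 - P2."""
        p = self.p
        (s1, t1), (s2, t2) = self.H(*p1), self.H(*p2)
        s, t = s1 * s2 % p, t1 * t2 % p                  # layer 1: two multiplications
        s, t = self.B2 * s % p, self.A2 * t % p          # layer 2: multiplications by parameters
        s, t = self.H(s, t)
        s, t = s * s % p, t * t % p                      # layer 3: two squarings
        return (diff[1] * s % p, diff[0] * t % p)        # layer 4: multiplications by base point coords
    def ladder(self, n, base):
        """n * base for n >= 1: every step is one diff_add and one dbl, operands chosen by cswap."""
        r0, r1 = base, self.dbl(base)                    # invariant: r1 - r0 = base
        for i in range(n.bit_length() - 2, -1, -1):
            b = (n >> i) & 1
            r0, r1 = cswap(b, r0, r1)
            r1 = self.diff_add(r0, r1, base)
            r0 = self.dbl(r0)
            r0, r1 = cswap(b, r0, r1)
        return r0
    def to_legendre_x(self, pt):
        # psi shifted by T = (mu, 0): mu(X-1)/(X-mu) with X = a^2 x^2/(a^2 x^2 - b^2 z^2)
        # simplifies to a^2 z^2/(a^2 z^2 - b^2 x^2) and sends the identity [a^2 : b^2] to infinity.
        x2, z2 = pt
        return self.a2 * z2 * pow((self.a2 * z2 - self.b2 * x2) % self.p, -1, self.p) % self.p
    def from_legendre_x(self, X):                        # inverse of to_legendre_x for affine X
        return (self.a2 * (X - 1) % self.p, self.b2 * X % self.p)


class LegendreCurve:
    """Affine group law on E_mu : Y^2 = X(X-1)(X-mu); None is the point at infinity."""
    def __init__(self, p, mu):
        self.p, self.mu = p, mu
    def add(self, P, Q):
        p, mu = self.p, self.mu
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2:
            if (y1 + y2) % p == 0:
                return None                              # P + (-P), including doubling a point of order two
            lam = (3 * x1 * x1 - 2 * (1 + mu) * x1 + mu) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
        x3 = (lam * lam + 1 + mu - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)
    def mul(self, n, P):                                 # plain double-and-add, reference only
        R = None
        for bit in bin(n)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R


def check_consistency(kl, scalars):
    """Lift a point of E_mu(F_p) to K_{a^2,b^2}, multiply by each scalar on both sides and
    return True iff the X-coordinates agree, i.e. psi-bar(nP) = n psi-bar(P) for all of them."""
    p, E, X = kl.p, LegendreCurve(kl.p, kl.mu), 2
    while True:                                          # first X >= 2 whose Y^2 is a nonzero square
        r = X * (X - 1) * (X - kl.mu) % p
        Y = pow(r, (p + 1) // 4, p)                      # p = 3 (mod 4): a root whenever r is a square
        if r and Y * Y % p == r:
            break
        X += 1
    PE, PK = (X, Y), kl.from_legendre_x(X)
    for n in scalars:
        nPE = E.mul(n, PE)
        if nPE is None or kl.to_legendre_x(kl.ladder(n, PK)) != nPE[0]:
            return False
    return True
```

`KummerLine(P2519, 81, 20)` is KL2519(81,20); `check_consistency(kl, [2, 3, 7, 2**200 + 12345])` returns True when the ladder agrees with the reference for those scalars. The square-only representation is projective, so two results are compared by cross-multiplication, never by comparing coordinates directly; and the ladder is uniform in structure only, since Python integer arithmetic is not constant time in the sense the paper's AVX2 code is.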

Relation Between the Discrete Logarithm Problems: Suppose the Kummer line $\mathcal{K}_{a^2,b^2}$ is chosen such that the corresponding curve $E_\mu$ has a cyclic
