5 research outputs found

    Açık Anahtarlı Kriptografi için Verimli Algoritmaların Geliştirilmesi

    TÜBİTAK EEEAG Project, 01.06.2018

    The general aim of the project is to develop improvements that reduce the complexity of operations frequently used in cryptography, namely modular exponentiation, polynomial multiplication and operations on elliptic curves, and to implement the resulting new algorithms on various platforms. As a result of this work, improvements were obtained in modular exponentiation, elliptic curve arithmetic and polynomial multiplication. Within the scope of the work, operations on the curves P-521, E-521 and Curve25519 were accelerated using Toeplitz matrix-vector products (TMVP). New TMVP algorithms were designed for multiplication in the fields over which these elliptic curves are defined, whose orders are 521-bit and 255-bit primes, and the improvements these algorithms provide were shown theoretically. The implementations confirmed that the improvements derived theoretically are also observed in practice. On the other hand, to improve polynomial multiplication, the efficiency of search algorithms was studied. Since the search space grows very large as the number of terms of the polynomial increases, instead of computing all terms of the product polynomial, computing only the first n terms of the product of two n-term polynomials was analysed. This reduces the size of the search space and makes it possible to obtain polynomial multiplication algorithms via the Chinese Remainder Theorem. Another approach is to compute the first l terms of the product of two n-term polynomials. In addition, in this approach, taking symmetric bilinear forms and eliminating some terms were used to reduce the size of the search space. These approaches reduced the size of the search space significantly. Furthermore, by choosing the evaluation points carefully in the interpolation method, the Fp2 multiplication used in supersingular isogeny-based post-quantum cryptography and the multiplication of large integers were accelerated.
    To accelerate modular exponentiation, another topic studied within the project, the sugar cube algorithm from the literature was examined. This algorithm was used together with shortest addition chains and hybrid exponentiation methods. In addition, to speed up the results further, the Barrett method used to reduce the 3n-bit size of the cube of an n-bit integer was modified, thereby achieving theoretical improvements in computational complexity.

    The primary aim of this project is to develop algebraic techniques for improving the complexity of the operations that are widely used in cryptography such as modular exponentiation, polynomial multiplication, arithmetic on elliptic curves and to implement these algorithms on various platforms. As a result of the studies, improvements on modular exponentiation, polynomial multiplication and elliptic curve arithmetic are obtained. Within the scope of studies, the arithmetic on the curves P-521, E-521 and Curve25519 are accelerated by using Toeplitz matrix vector product (TMVP). For the multiplication in 521 and 255 bit prime fields on which the elliptic curves are defined, new TMVP algorithms are designed and the improvements that these algorithms provide are proved theoretically. The implementations show that the improvements can also be observed in practice. On the other side, to improve the polynomial multiplication, studies are focused on the efficiency of the search algorithms. As the number of the terms of the polynomials increases the size of the search space grows so instead of computing all the terms, computing first n terms of the product of two n term polynomials is analyzed. By this, the size of the search space decreases and this makes it possible to develop new polynomial multiplication algorithms using the Chinese remainder theorem. Another approach is to compute the first ℓ terms of the product of two n term polynomials (n + 1 ≤ ℓ ≤ 2n − 1).
    Moreover, in this approach, to reduce the size of the search space, symmetric bilinear forms and elimination of some terms are used. These methods decrease the size of the search space significantly. In addition, by choosing the evaluation points carefully in the interpolation method, the multiplication over Fp2 that is used for supersingular isogeny based post quantum cryptography and large integer multiplications are accelerated. To speed up modular exponentiation which is another subject studied in this project, the sugar cube algorithm is examined. Sugar cube algorithm is combined with the addition chains and hybrid exponentiation methods. Moreover, to speed up the operations more, the Barrett reduction method for reducing the 3n bit size of the cube of a n bit integer is modified and by this the computational complexity is improved theoretically.
    Keywords: Cryptographic computations, polynomial multiplication, integer multiplication, elliptic curve cryptography, modular exponentiation, RS

    High-Speed Elliptic Curve and Pairing-Based Cryptography

    Elliptic Curve Cryptography (ECC), independently proposed by Miller [Mil86] and Koblitz [Kob87] in mid 80’s, is finding momentum to consolidate its status as the public-key system of choice in a wide range of applications and to further expand this position to settings traditionally occupied by RSA and DL-based systems. The non-existence of known subexponential attacks on this cryptosystem directly translates to shorter keylengths for a given security level and, consequently, has led to implementations with better bandwidth usage, reduced power and memory requirements, and higher speeds. Moreover, the dramatic entry of pairing-based cryptosystems defined on elliptic curves at the beginning of the new millennium has opened the possibility of a plethora of innovative applications, solving in some cases longstanding problems in cryptography. Nevertheless, public-key cryptography (PKC) is still relatively expensive in comparison with its symmetric-key counterpart and it remains an open challenge to reduce further the computing cost of the most time-consuming PKC primitives to guarantee their adoption for secure communication in commercial and Internet-based applications. The latter is especially true for pairing computations. Thus, it is of paramount importance to research methods which permit the efficient realization of Elliptic Curve and Pairing-based Cryptography on the several new platforms and applications. This thesis deals with efficient methods and explicit formulas for computing elliptic curve scalar multiplication and pairings over fields of large prime characteristic with the objective of enabling the realization of software implementations at very high speeds. 
To achieve this main goal in the case of elliptic curves, we accomplish the following tasks: identify the elliptic curve settings with the fastest arithmetic; accelerate the precomputation stage in the scalar multiplication; study number representations and scalar multiplication algorithms for speeding up the evaluation stage; identify the most efficient field arithmetic algorithms and optimize them; analyze the architecture of the targeted platforms for maximizing the performance of ECC operations; identify the most efficient coordinate systems and optimize explicit formulas; and realize implementations on x86-64 processors with an optimal algorithmic selection among all studied cases. In the case of pairings, the following tasks are accomplished: accelerate tower and curve arithmetic; identify the most efficient tower and field arithmetic algorithms and optimize them; identify the curve setting with the fastest arithmetic and optimize it; identify state-of-the-art techniques for the Miller loop and final exponentiation; and realize an implementation on x86-64 processors with optimal algorithmic selection. The most outstanding contributions that have been achieved with the methodologies above in this thesis can be summarized as follows:

    • Two novel precomputation schemes are introduced and shown to achieve the lowest costs in the literature for different curve forms and scalar multiplication primitives. The detailed cost formulas of the schemes are derived for the most relevant scenarios.
    • A new methodology based on the operation cost per bit to devise highly optimized and compact multibase algorithms is proposed. Derived multibase chains using bases {2,3} and {2,3,5} are shown to achieve the lowest theoretical costs for scalar multiplication on certain curve forms and for scenarios with and without precomputations. In addition, the zero and nonzero density formulas of the original (width-w) multibase NAF method are derived by using Markov chains. The application of “fractional” windows to the multibase method is described together with the derivation of the corresponding density formulas.
    • Incomplete reduction and branchless arithmetic techniques are optimally combined for devising high-performance field arithmetic. Efficient algorithms for “small” modular operations using suitably chosen pseudo-Mersenne primes are carefully analyzed and optimized for incomplete reduction.
    • Data dependencies between contiguous field operations are discovered to be a source of performance degradation on x86-64 processors. Three techniques for reducing the number of potential pipeline stalls due to these dependencies are proposed: field arithmetic scheduling, merging of point operations and merging of field operations.
    • Explicit formulas for two relevant cases, namely Weierstrass and Twisted Edwards curves over and , are carefully optimized employing incomplete reduction, a minimal number of operations and a reduced number of data dependencies between contiguous field operations.
    • The best algorithms for the field, point and scalar arithmetic, studied or proposed in this thesis, are brought together to realize four high-speed implementations on x86-64 processors at the 128-bit security level. The presented results set new speed records for elliptic curve scalar multiplication and introduce up to 34% cost reduction in comparison with the best previous results in the literature.
    • A generalized lazy reduction technique that enables the elimination of up to 32% of modular reductions in the pairing computation is proposed. Further, a methodology that keeps intermediate results under Montgomery reduction boundaries, maximizing operations without carry checks, is introduced. Optimized formulas for the popular tower are explicitly stated and a detailed operation count that permits determining the theoretical cost improvement attainable with the proposed method is carried out for the case of an optimal ate pairing on a Barreto-Naehrig (BN) curve at the 128-bit security level.
    • The best algorithms for the different stages of the pairing computation, including the proposed techniques and optimizations, are brought together to realize a high-speed implementation at the 128-bit security level. The presented results on x86-64 processors set new speed records for pairings, introducing up to 34% cost reduction in comparison with the best published result.

    From a general viewpoint, the proposed methods and optimized formulas have a practical impact on the performance of cryptographic protocols based on elliptic curves and pairings in a wide range of applications. In particular, the introduced implementations represent a direct and significant improvement that may be exploited in performance-dominated applications such as high-demand Web servers in which millions of secure transactions need to be generated