Download presentation

Presentation is loading. Please wait.

Published byKendall Fowles Modified about 1 year ago

1
IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Flexible Hardware Reduction for Elliptic Curve Cryptography in GF(2 m ) Steffen Peter, Peter Langendörfer and Krzysztof Piotrowski

2
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Flexibility for ECC implementations = possibility to compute with other key sizes Why? - To communicate with peers that use other key sizes - Change field in case the implemented field has a cryptoanalytical weakness What is the problem? Addition, Multiplication, Registers? - NO (padding zeros) Control program? – NO (it is software) Reduction!

3
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Modular Reduction Corresponds to classic modular division - In GF(11) = {0,1,2,…,9,10} - Example: 5 · 8 = 40 > 10 5 · 8 mod 11 = 40 mod 11 = 7 In GF(2 m ) it is a polynomial division by the irreducible polynomial r(x)

4
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Classic School Division -reduce each bit starting from the left by XORing r until overlapping part C1 is zero -r(x) is the given irreducible of the field

5
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Repeated Multiplication Reduction (RMR) Reduce more bits per iteration by multiplying overlappping part C1 with the irreducible polynomial r C ≡ (C – i · r) mod r for each i C ≡ C – C1 · r

6
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Reduction Polynomials [NIST] fieldIrreducible polynomial 163 Bitx 163 +x 7 +x 6 +x Bitx 233 +x Bitx 283 +x 12 +x 7 +x Bitx 409 +x Bitx 571 +x 10 +x 5 +x 2 +1 Are either trinomials or pentanomials Second highest set position is smaller m/2

7
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Hard-Wired Reduction Direct mapping from C to C0‘‘ with few XOR operations -Very efficient combinatoric circuit - Reduction in GF(2 233 ) needs 0.03mm² (0.25um CMOS ) NOT FLEXIBLE! C1’∙r (∙x 233 ) (∙x 74 ) (∙x 0 ) (∙x 233 ) (∙x 74 ) (∙x 0 ) C1∙r r=(x 233 +x 74 +x 0 )

8
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Multiple Hard-Wired Reduction Blocks Fast, small Limited flexibility C MUX C‘‘ sel Configurationmm² , ,44 Red163Red233Red283

9
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Reduction Polynomials Are either trinomials or pentanomials Second highest set position is smaller m/2 Have structure x m + … + 1 Exploiting these properties is the basis for the Flexible Shift Reduction fieldIrreducible polynomial 163 Bitx 163 +x 7 +x 6 +x Bitx 233 +x Bitx 283 +x 12 +x 7 +x Bitx 409 +x Bitx 571 +x 10 +x 5 +x 2 +1

10
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved C = 2∙283 bit multiplication result Flexible Shift Reduction C0C1 C0’C1’ C0’’ XOR >> >>283-7 >>283-5 >>283 XOR >> >>283-7 >>283-5 >>283 Example: Hardware=283 bit, m = 283 bit, r(x) = x 283 +x 12 +x 7 +x 5 +1

11
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Flexible Shift Reduction C0C1 C0’C1’ C0’’ XOR >>163-7 >>163-6 >>163-3 >>163 XOR >>163-7 >>163-6 >>163-3 >>163 Example: Hardware=283 bit, m = 163 bit, r(x) = x 163 +x 7 +x 6 +x ∙283 bit reduction logic C = 2∙163 bit multiplication result

12
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Flexible Shift Reduction - Design

13
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Comparison of complete ECC designs Time and energy for one Elliptic Curve Point Multiplication

14
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Conclusions Reduction is bottleneck of flexible ECC hardware accelerators More flexiblity implies: –Less speed –More silicon area –More energy consumption Multiple hard-wired reduction blocks (MHWR) is the best choice if supported field sizes are known –A design that support all 5 recommended NIST curves ( bit) needs merely 10% more silicon area than a 571 bit single curve design. Flexible Shift Reduction (FSR) provides more flexibility – in comparison to software (MIPS 33 MHz) it is 500 times faster Requires less than 1% of the energy ECC-FSR is the fastest known implementation with such degree of flexibility

15
IHP Im Technologiepark Frankfurt (Oder) Germany © All rights reserved Thank You Questions?

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google