>> Josh Benaloh: All right. It's a pleasure to welcome Ed Dawson today. Ed has probably been
with the ISCR longer than I have, which is good and sad in some ways, I guess. I don't know.
Been too long.
Ed is actually a local, went to high school around Olympia, is it? But has been at the Queensland
Institute of Technology for more than 35 years, I think.
>> Ed Dawson: Yes.
>> Josh Benaloh: So he's been in all aspects of crypto for many years in many ways. And today
he's going to be telling us about efficient elliptic curve point addition, but first, I think, just a brief
overview of the Information Security Institute at QUT.
>> Ed Dawson: Yes. I'd like to thank Josh for inviting me here. As Josh mentioned, I originally
came from Washington State. And Josh, I guess I come here either before or after Crypto over
the last 20-some years. I usually end up in Washington State to visit family and that.
I've spoken to Josh quite a number of times about coming here. And it's my pleasure to
actually finally be here now to visit Microsoft and that.
I should say that I was just, to age myself, I was just at my high school, just by chance, there was
a 45th high school reunion which I went to for Olympia High School on Saturday night. So born
and raised there in Olympia. I went to the University of Washington, undergraduate degree.
And then in the early '70s -- I don't know if anybody here was around at that time, probably
not -- at that time there was a bit of a problem in this area.
The unemployment rate was 20 percent. Imagine no Microsoft, okay? And the government shut
down this SST program for the supersonic transport. And the unemployment rate was 20
percent.
And the saying was, would the last person that leaves Seattle please turn the lights off. So I took
the advice of a famous 19th-century American called Horace Greeley. And
he said go west young man. So I went west, and there was no further to go west here, except
you had to go to across the ocean, so I ended up in Australia in 1971 and I've been there, in
Australia, since that.
Okay. So I'm going to, first of all, I'm just going to give you a brief overview of our -- let me grab
this thing here -- of our institute. I'll pass these around. I've got a couple of these. I'll leave these
here, brochures describing our institute at QUT. I was the research director of this
for like 15 or 16 years. But three years ago I took a golden handshake. So I just work three days
a week, and I'm an emeritus professor and that.
So we were formed originally in 1988, which was early days for universities forming centres
in information security. And originally we were just in the area of information technology, and
we had crypto, network security and trusted computing.
But in 2005, our university decided to look at the wider issues than that in information security.
And we combined research from four different faculties to do research across, because as all of
you know, we can work in our crypto world, but there are also legal issues and all sorts
of other issues related to using information security.
So that's what we looked at in terms of business, where they want us to take a
multi-disciplinary approach. So that's what we adopted at QUT in 2005. So this is sort of our
aim. I won't spend much time on that.
And this is the size of who we are. We have a large number of -- most of those students are
Ph.D. students. About 90 percent of them are Ph.D. students.
So in size, we're equivalent to any other group that I know of in the world at a university. In the
United States, a similar university to us would be Purdue University; that would be similar to what our
group at QUT is and that. And just to finish this section, then, we work across -- my main
interest is in crypto, but I've also worked in e-business and e-government with applications.
We have a legal section. Network security is still with us. And then we also bring in -- we have a
large number in the engineering side who are working in biometrics and surveillance area. We
have like 20 Ph.D. students in that area, and we have risk and crisis management from our
business and IT people.
So that's who we are at QUT. And those brochures I passed around, and I'll leave those here,
describe us in a little bit more detail.
Want to go to the next one?
>>: Let me switch.
>> Ed Dawson: Okay. So while Josh is getting this ready, the talk that I'm giving here is mainly
the Ph.D. thesis of my student Huseyin, who is back in Turkey and ready to go into the Turkish
Army; he has to spend a year in the Turkish Army.
>>: Ed has kindly left me a copy of his thesis.
>> Ed Dawson: I left his thesis there for anyone who is interested in looking at his thesis after I
leave today. The talk I am going to give today is an invited talk that I presented at the Shannon
Institute workshop in Ireland, which I presented in May, right before
Eurocrypt.
We'll have an overview. Look at some of the tools we developed. Look at some of our inversion-
free point addition and look at some experimental results and a conclusion at the end.
So if we're looking at -- and this work is all concerned with implementing elliptic curves in
software. So there are three different areas that we would look at for efficiency. One
is trying to get our finite field arithmetic done quickly.
We could look at point additions, new coordinate systems, new and faster formula and we could
also look at scalar multiplication methods.
So our work here -- what's that?
>>: The other way.
>> Ed Dawson: So our -- Huseyin's thesis is mainly concerned with that part. Although we'll
bring in previous work, not his new work but previous work, at the end when we bring in
our experimental results.
So I don't have to -- it's like teaching -- everybody here knows about using crypto. So we want to have
efficient methods. The aim of this thesis was to derive an addition law on arbitrary curves and
efficiently add points on these elliptic curves using the derived addition law.
We had practical speed-ups in higher level operations which depend on point additions;
in particular the contributions find immediate applications in crypto.
So we're going to go over the five -- and these are the five different forms which are being used
quite widely in elliptic curve cryptography, and most of the work -- this is the previous work. We
mentioned that a little bit. But most of the work then was going through these four different forms
then and trying to define a complete addition formula and then also trying to find efficient methods
for doing implementations as we'll see.
So we also found a Weierstrass curve which is birationally equivalent to each of the curves in the
standard form.
And also Huseyin brought in some interesting algebraic tools using the Magma and Maple
packages. Everybody familiar with those two packages? Magma is actually an Australian
package from John Cannon from the University of Sydney, who I know well.
And we looked at group law and affine coordinates for each of the studied forms, simple way of
exception handling, so in the thesis he has a complete algebraic -- a complete algorithm for doing
the addition for each one of these forms and that.
And we have -- then we're going to have efficient inversion free algorithms that we'll talk about
and then optimize high speed software.
So some notions and assumptions that we'll use, we'll use M for multiplication. S for squaring. I
for inversion and D for multiplication by curve constant. And people can argue these. But this is
roughly the sort of measure that we take and compare in these different operations then.
>>: Multiplication and addition here? You mentioned multiplication, is that the same operation as
the curve multiplication?
>> Ed Dawson: No, that's just -- that's field operations.
>>: So when multiplication would be by that curve constant, what special -- seems like -
>> Ed Dawson: Like the As and the Bs here.
>>: Okay.
>> Ed Dawson: So the short Weierstrass form then, as usual when we display the elliptic curves
we actually take a real curve here just for the sake of showing the curve, just to make it look nice
and that.
So this covers all elliptic curves in characteristic other than two and three. So the work is totally
concerned with the large prime characteristic that we're looking at. Before the work that -- before
2006, this was what everybody looked at because it was the most efficient form. We're
going to see how things have changed now over the last three or four years based on our work
and the work of others, particularly the work of Dan Bernstein and Tanja Lange as well.
So the next one is the extended Jacobi quartic curve. This curve here. That covers all elliptic curves
with a point of order two, in characteristic not two.
This is what our -- these are the speed records that we had then for what has come out of this work
and that. And this is currently the best for doubling-intensive operations. And this is the mapping
to change -- for each one of these curves then we're going to map -- we can map back and forth
between this curve and the Weierstrass curve, and this is the formula for mapping from that
curve to that curve then.
The next one is the twisted Hessian form, which is this curve here. That covers all elliptic
curves with a point of order three. These are again our speed records, as we'll see.
And this is interesting for parallel implementations. And again here's -- this is equivalent to that
Weierstrass form and here's our mapping here, then.
This is the one probably people, anybody working with elliptic curves, has probably heard about: this
one. This is what Tanja Lange and Dan Bernstein brought out. And then we extended theirs to
still be the most efficient. We thought one of the ones we actually had afterward -- we went back and
tried more tricks -- but this still came out the most efficient, as we'll see.
And that covers all elliptic curves covered by the Montgomery curve. And that's the form here.
And it's best for addition-intensive operations. Very interesting for parallel implementations.
I'm not going to talk about parallel implementations but there's some of that work in Huseyin's
thesis as well. And again the curve, that Edwards curve, is equivalent to this Weierstrass
curve, and there's our mapping.
The next is this twisted Jacobi intersection form here, which is this curve here. That covers all
elliptic curves with exactly three points of order two. New addition for homogeneous projective
coordinates, and these are our speeds here that we have in this.
And here's, again that's our mapping to map from that to that. Okay. So you can see that the
Weierstrass form. This is the number of isomorphic classes.
You can see we don't lose that much by going to these other curves and that. In particular like
the twisted Edwards, we lose about half the size in that a number of isomorphic classes but still
we have a large number of classes and that.
>>: What's the Q mean?
>> Ed Dawson: That's the field. And again -- and we're going to talk about -- we're also going to
talk about having some single curve constant, and we get more speed but we lose a little bit of
classes but we still have a large number of classes by having single curve constants. We're
going to do some of that -- we're going to have like if we put a 1 there, we get a little bit more
speed as we're going to talk about.
Okay. So that's a brief introduction to the curves. And I actually gave you all the results there.
So the results. But now we're going to go into more detail. So the part now we're going to look at
is we want to -- we're going to develop the form for, to get a complete algorithm for adding each
one of these forms.
Now, I'm not going to go through -- I'm only going to go through the twisted Edwards curve.
Actually, I'm going to go through detail through the twisted Edwards curve for each thing that
we're going to do, because the rest, the other ones are actually doing similar sort of things and it's
all in his thesis. I'll only go through the process to use the twisted Edwards ones because they're
the most efficient ones anyway.
So we wanted to automate the group law derivation to find the minimal degree point doubling and
addition forms and we use MAGMA and Maple as the tools for doing this then. And that also
allows us to verify the correctness of our derived formulas, and we also found some alternative
formulas as well.
Okay. So this is -- and I won't go through the proof of this. But this is a little theorem here, which
we're going to use here. It's that we have two different forms. We're going to use the
Weierstrass form and some other form. And assume that there's a mapping phi from W
to M, from the Weierstrass form to the other one, and psi which maps M to W, such that those
maps, the compositions phi∘psi and psi∘phi, are equal to the identity maps on each of them.
And let plus W be the affine part of the unique addition law on W, which we know. Then the affine
part of the unique addition law on M is given by this composition.
So that's the result we're going to use then. Okay. So we're going to -- as I mentioned we're going
to let W be the Weierstrass and we'll let this be the generic form. And we know what the group
law is, and plus W then is the group addition on W.
So then if we have this psi and phi as we defined before, mapping one to the other such that their
composition is the identity map, then from that theorem we know what the addition law on M is.
So now we're going to apply this to the twisted Edwards curve. So we use this curve
then. And, oh, just briefly, some overview of this curve. There are two points at infinity. And
then we can blow them up to produce two other points. Omega 1, omega 2, and blow up the
other one and we get omega 3 and omega 4.
So if we apply that rule, that theorem, this rule here, using the addition, plus W was the
Weierstrass addition form, then the addition form and plus M is given by that, and you can see
there's our mappings, phi and psi. And then we do that.
And here's the addition -- there's the addition law on W. Using the standard Weierstrass addition
law. And so then here's the addition law on twisted Edwards as given by this composition, then.
>>: Sorry, you were talking about the affine part of the addition law. Does that mean it's just your
rules for adding affine points to one another?
>> Ed Dawson: Yes. Yes. It is. And there's some cases we'll show you how to -- I'll give you a
complete algorithm which does all of it, which will come out shortly.
>>: Okay.
>> Ed Dawson: That's at the end of this section. The answer is yes.
>>: Okay, thanks.
>> Ed Dawson: So here it is. Now, that's a mess, okay. So this is where Huseyin went farther
than that, with some other tools.
So we expect something nice, okay, but we ended up with something that's a mess. And it's not
going to give us efficient arithmetic.
So then Huseyin and one of my other former students, Ken Wong, found this
algorithm by Monagan and Pearce. They hadn't applied it to elliptic curves, but that's what we did
with our work.
I think it's Pearce's thesis, that finds a fraction with a minimal total degree, the sum of the degrees of the numerator
and denominator. And the algorithm walks up through the degrees of the numerator and denominator,
and at each step attempts to solve this equation mod I, where I comes from the elliptic curve equations
in the points (x1, y1) and (x2, y2). N is the original numerator, D the original denominator and the
other two, eta and delta, are the lower degree numerator and denominator candidates.
If you apply this using a computer algebra package to do it, you get this, then.
So it reduces down, using the computer algebra package with Pearce's method.
We didn't know anybody who had actually applied this stuff to it. Huseyin did this for each one of the
forms; he derived formulas by doing the same sort of trick for each one of those forms.
And then from there, then, using this formula then, this is the complete, then, addition law. And
for adding points in the twisted Edwards curve then, and that's a complete addition law with
using -- you can see using the singular points and that with all these else's and ifs and that and
you get the complete addition formula for the twisted Edwards curve then.
And in Huseyin's thesis, he's done the same thing for all of those forms then. Got the complete
addition law.
Okay. So that finishes that section then. That was the sort of computer algebra section that he
did in that.
Okay. So now I guess we're going to come to the implementation part. So we're going to look at
efficient group laws, develop new low degree inversion free formula, new and faster algorithms,
and new coordinate systems and new mixed coordinates for each of the forms.
And again I'll go through -- I'll give the results for each of the forms but I'll only go through in detail
with the twisted Edwards, but I'll give you the results of each of them with the final results.
So the twisted Edwards then, this is the work from Dan Bernstein and Tanja Lange, and I'm
not sure who all the other people they had with them were. I've got some references at the end on
who some of their coworkers were.
What we've got is additional results. For all this stuff we used projective coordinates for elliptic
curves. Because they're projective, we can get rid of the inversions.
So we have additional results for inverted coordinates, a new system of extended
homogeneous coordinates we call EE, and a new system of mixed projective coordinates EX.
We have dedicated formulas which are faster than unified formulas for addition.
So this is the -- so the first two are results of Dan and Tanya. This is with their projective
coordinates and inverted coordinates. So we add another projective coordinates, and doing that
we get rid of -- you notice there's no division anymore.
So we don't have to worry about inversion anymore. And they also have an inverted coordinates.
So when we looked -- these are their speed records. We're going to find tricks to actually
improve these a little bit.
So what we observed is that for high degree polynomial expressions we can further lower the degrees
by keeping track of XY over Z separately and doing that by introducing a new variable. We
have X, Y, T and Z then, where T is XY over Z. And then X, Y, T, Z satisfy that equation.
And there's our formulas then for addition. I mean, by doing this we have to actually store
another variable, but in software the storage is cheap. So this is not -- this is no big deal.
So by doing that, then, the point addition now takes 9M plus 2D. And we could have -- if a is a
square in K and d is not a square in K, this is actually a complete addition then.
So the brackets mean that was the previous work, and this is our work. And then if you put a equal to
minus 1 you can have a little bit more speedup as well.
This is going through -- I won't go through, I won't go through that-- but that's going through, you
can see computing this, the XYZ and T is the sort of things you do in registers and the forms you
need to go through and registers, completing the XYZ and T.
So then we added a little bit more, another little trick, just doing little tricks at the edges here. The
trick here was then to have a mixed coordinate system.
>>: Did the curves have elliptic curves each number is at least two if not three, and can they
work on the register and the articles we care about?
>> Ed Dawson: I have to ask Hussein. I'm not sure. I'm sure you can. Well, I'll give you the
implementation of software and that. He's implemented all this in software. Generally, I'll give
you the speeds and all that at the end.
So what we've got is a mixed -
>>: 256 --
>> Ed Dawson: So for repeated doublings, he used the 2E 2E system, which is this one up
here. If a doubling is followed by an addition, use 2E to the extended one for the doubling step and then
follow that using the extended form to do the addition step, and output that back in the E form
then. That's sort of using a mixed strategy and that gives the highest speeds, as we'll see.
As well, another little trick that Huseyin found is that the affine point addition is dependent upon
a and d, given by this formula here, which has both a and d in it. However, we can get rid of the -- we
can get rid of the d by doing this little trick here, doing that little change, and we can get rid
of the d.
Then if we go back to the projective forms, and our extended forms, then this is the new form in
this four-coordinate system. And now a point addition is 9M plus 1D,
which saves an extra D.
If we have a point addition with A equals minus 1, we can take that down to eight multiplications.
And if you have a base point of odd order, we don't have to worry about you know that big form I
gave, you don't have to worry about any exception points then if you have a base point of odd
order.
So then this is our final results then for doing all those tricks together and that. These give our
complete results then.
Okay. So that was the twisted Edwards. For the other forms now, there actually was not that
much implementation done before our work. This is the extended Jacobi quartic, there was an
addition in unified form but these are all of our -- we do the same trick -- we do the same sort of
tricks. Projective, extended, mixed coordinates. And you can see the sort of speeds that we
have here then.
And then these are the operation counts for the twisted Jacobi with b equal to 1 and different
coordinate systems. And again doing the same sort of tricks. You can see that was what --
before our work, and these are our new results then.
And the same with the Hessian form. These are the previous results and these are our new
results with all those projective, modified, extended and mixed coordinates again.
And finally we also looked at the -- there's a few little -- Huseyin has added a little bit
more implementation to the Weierstrass forms as well. You can see most of that work was done
previously on the Weierstrass. So he didn't spend that much time on the Weierstrass.
Okay. So the last part, then, we're going to look at some of the implementation here, then. Some
of the implementation of the curves and that. So we took the elliptic curve that -- I mean the finite
field we chose was 2^256 - 587. And then we found -- and these are the five
different elliptic curves that we used for comparison.
What the h means here is -- well, the order of that curve is prime,
okay? And the others are a large prime times 2, a large prime times 3 and so forth.
So these curves, then, if we look in terms of discrete log attacks then that these curves should be
secure then against any sort of discrete log attacks [indiscernible] and so forth because they have
a large prime order for each -- for each of them and that.
I'm not sure what -- RSA is -- is that 2,000 bits or something like that? Is it -
>>: [indiscernible].
>> Ed Dawson: What?
>>: [indiscernible].
>> Ed Dawson: So I mean but that size there, size RSA.
>>: Very big RSA like 16 K.
>> Ed Dawson: Okay. Okay. So I mentioned at the start that at the level of doing the
scalar multiplication, we weren't trying to actually add anything new. We were just trying to
use some of the best results there when we were actually doing the implementation. So we use this
scalar multiplication from Hankerson, Alfred Menezes and Scott Vanstone's book from '03,
algorithm 3.38. And for the recoding algorithm for the scalar multiplication we use this
algorithm from 2005. That runs on the fly as the main loop of the scalar multiplication is
performed.
And we also wanted to look at if we have look-up tables, and we kept all points in extended
projective coordinates. So let's look at applying to those curves then.
So before 2006 everybody said Weierstrass. So we implemented this on a Core 2
computer, and you can see then what the different -- what this actually means in terms of speed
then. The twisted Edwards is marginally better than the Jacobi quartic. And the
Weierstrass was the slowest of them all in comparison.
So we also did a comparison -- we're just going to compare the Weierstrass one and the twisted
Edwards in this slide. So we looked up -- and this is the size of the lookup table. And you can
see then again having the same size of lookup tables that again the twisted Edwards is faster
than the Weierstrass as well in that.
Okay. So the goal here was to revisit elliptic curves and see if we can end up with some
more efficient point additions. We applied some interesting algebraic tools to develop automated
group laws. Found a way to simplify these using Pearce's Ph.D. thesis, which, applied to elliptic
curves, gave us a really efficient way to get simple statements for our addition.
For each of those forms, then, we developed a complete description of the group law. I gave you
the twisted Edwards forms, but in the thesis, then, there's complete addition forms for each one of
those forms in that then.
And for most of those forms, that was the first time that has actually been in the literature. I
should also make the statement that a lot of this stuff is actually -- he's writing the paper on this
right now. We haven't published some of this work.
The part here, the Edwards stuff, we published, but some of the stuff is not published yet. And
then we developed high speed software to verify the results from our inversion-free formulas as
well.
So this is some of the papers that we published, then, over the last two or three years. I guess
the highlight paper's this one we had in Asiacrypt in 2008 where we did the twisted Edwards
curve and that.
Okay. Thank you, then. [applause].
>>: So you used the automatic tools to derive these formulas, the packages that you showed
there? So finally with the answer you also add like these formulas saying what the computer
actually does? So -
>> Ed Dawson: That wasn't automated, that was -
>>: That was my question. So it's still hand work, like finding these and writing down the
formulas.
>> Ed Dawson: Actually, before he was using the computer software he actually derived some of
those by hand, some of that stuff too. And then my other former Ph.D. student, Ken
Wong, more of a computer algebra freak, started working with this and got Huseyin working on the
computer algebra. And then he said wow, look what I can do with this stuff.
And he went to that. But the actual derivation of the formulas he actually did by hand. So
it was a bit of work to actually go through all those rules.
>>: And that result just gives you the minimal degree for this?
>> Ed Dawson: Yes. They hadn't applied it to -- we were the first ones to apply it to elliptic curves. No one had
done it before with elliptic curves.
>>: Thanks.
>>: So have you tried to derive [indiscernible].
>> Ed Dawson: Sorry?
>>: Have you tried to derive additions from the [indiscernible] that could be used from
multiplication [phonetic]?
>> Ed Dawson: We have another -- I haven't been working on the pairing work at all myself.
Huseyin did work with another one of our students, Craig Costello, and Craig's doing some more
work with us. I'm not sure -- he's visiting somewhere in the United States now.
>>: We've done some of this by hand, too. Twisted Edwards.
>> Ed Dawson: But they worked, Craig and Huseyin worked together for a little while, so Craig
got his background from Huseyin.
>> Josh Benaloh: Thank you, then.