Implementing Fast Elliptic Curves (高速な楕円曲線の実装)

ykm11
March 30, 2020

Cybozu Labo Youth, 9th cohort (ラボユース第9期)

Transcript

  1. Implementing Fast Elliptic Curves. 平田 遼, 2020.03.30. Cybozu Labo Youth, 9th cohort, results presentation.

  2. About me • 平田 遼 • Labo Youth, 9th cohort • The University of Electro-Communications, 3rd year • GitHub: ykm11 • Twitter: @ykm kn • Hobby: solo touring
  3. Cybozu Labo Youth, 9th cohort • What it covers • Development theme: software development in C/C++ • Mentor: 光成滋生 • Implemented fast elliptic curves (and studied C++ along the way) • Reached a considerable speed, though only for specific elliptic curves • Arbitrary precision is supported too (somewhat slower) • Deliverable: https://github.com/ykm11/lab-youth/tree/master/ellipticCurve
  4. Outline • What is an elliptic curve • The road to a fast implementation • From affine to projective coordinates • Instance creation and reducing the number of operations • Eliminating dynamic memory allocation • Scalar multiplication algorithms • Further speedups • How much faster it got
  5. What is an elliptic curve. An elliptic curve E/K defined over a field K is E/K := {(x, y) ∈ K^2 | y^2 = x^3 + ax + b} ∪ {O}, with a, b ∈ K. Defining an addition + on P, Q ∈ E/K makes (E/K, +) an additive group. For P = (x1, y1), Q = (x2, y2) ∈ E/K the sum P + Q is (x1, y1) + (x2, y2) =: (x3, y3) with x3 = m^2 − x1 − x2, y3 = m(x1 − x3) − y1, where m = (y2 − y1)/(x2 − x1) if P ≠ Q and m = (3x1^2 + a)/(2y1) if P = Q. In cryptography the base field K is usually a finite field whose characteristic is neither 2 nor 3.
  6. The road to a fast implementation: intro. Goal • make the scalar multiple [k]P = P + P + ... + P of a point P fast • use a good algorithm • make addition and doubling fast • every scalar multiplication algorithm is a combination of additions and doublings, so speeding those two up speeds up scalar multiplication as well
  7. The road to a fast implementation: from affine to projective coordinates. What is awkward when implementing in affine coordinates • handling the unit element (the point at infinity): give the point class a bool isInf member variable? • computing the slope requires a division: use the extended Euclidean algorithm, or obtain the inverse by raising to the power p−2 (Fermat's little theorem); what does that cost? Implementing in projective coordinates solves both problems.
  8. The road to a fast implementation: from affine to projective coordinates. For the rigorous definition of projective coordinates, see the book by the mentor, 光成滋生 [1]. φ: K^2 → P maps (x, y) to (x : y : 1), and φ^{-1} maps (X : Y : Z) to (X/Z, Y/Z). • The defining equation changes from y^2 = x^3 + ax + b to Y^2 Z = X^3 + aXZ^2 + bZ^3 • The unit element is (0 : 1 : 0). [1] https://herumi.github.io/ango/
  9. The road to a fast implementation: from affine to projective coordinates. Formulas for (X1 : Y1 : Z1) + (X2 : Y2 : Z2) =: (X3 : Y3 : Z3); derivations are omitted.
     • Addition, (X1 : Y1 : Z1) ≠ (X2 : Y2 : Z2): u := Y2 Z1 − Y1 Z2, v := X2 Z1 − X1 Z2, w := u^2 Z1 Z2 − v^3 − 2 v^2 X1 Z2, X3 := v w, Y3 := u(v^2 X1 Z2 − w) − v^3 Y1 Z2, Z3 := v^3 Z1 Z2
     • Doubling of (X : Y : Z): u := 3X^2 + aZ^2, v := YZ, w := u^2 − 8XYv, X3 := 2vw, Y3 := u(4XYv − w) − 8(Yv)^2, Z3 := 8v^3
  10. The road to a fast implementation: from affine to projective coordinates. What adopting projective coordinates buys • whether a point is the unit element can be decided from the value of Z alone • the division is gone • the number of multiplications grows, but a multiplication is far cheaper than a division.
     Table 1: cost comparison (M = one finite-field multiplication, I = one inversion)
                              addition P + Q   doubling 2P
       affine coordinates     3M + I           4M + I
       projective coordinates 14M              12M
  11. Instance creation and reducing the number of operations • Addition takes 14 finite-field multiplications: u := Y2 Z1 − Y1 Z2, v := X2 Z1 − X1 Z2, w := u^2 Z1 Z2 − v^3 − 2 v^2 X1 Z2, X3 := v w, Y3 := u(v^2 X1 Z2 − w) − v^3 Y1 Z2, Z3 := v^3 Z1 Z2 • At first glance it looks like more than 14 • Do not repeat the same computation • and keep the creation of finite-field instances to a minimum
  13. Instance creation and reducing the number of operations • Do not create temporary variables (every variable is an instance of Fp). Before:
       x = y * z - v * w;
     Improved:
       mul(x, y, z); // x = y * z;
       mul(t, v, w); // t = v * w;
       sub(x, x, t); // x = x - t;
     • Do not overuse "% modulus" • The largest value an addition of two Fp elements can produce is 2p − 2 • The smallest value a subtraction can produce is −p + 1 • So for addition and subtraction it is enough to add or subtract the modulus once from the result, as needed
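The projective formulas of slide 9, the cost accounting of slide 10 and the two Fp habits of slide 13 (in-place `mul`/`sub` without temporaries, conditional correction instead of `% modulus`) in one runnable piece. This is an added example, not code from the talk or from the ykm11/lab-youth repository; it assumes a toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6), chosen so that every product fits in 64 bits and the results can be checked by hand, whereas the talk's implementation targets secp256k1-sized fields on top of GMP's mpn.

```cpp
#include <cstdint>
#include <cstdio>

// Added example (not the talk's code): the slide's projective formulas on a toy curve
// y^2 = x^3 + 2x + 3 over F_97 with P = (3, 6), chosen so every product fits in 64 bits and
// results can be checked by hand. A real implementation uses a ~256-bit p and GMP's mpn.
namespace toy {
constexpr uint64_t P = 97;
struct Fp { uint64_t v; };  // invariant: 0 <= v < P

// a + b is at most 2p-2, so one conditional subtraction of p replaces "% modulus".
inline void add(Fp& r, const Fp& a, const Fp& b) { uint64_t t = a.v + b.v; r.v = (t >= P) ? t - P : t; }
// a - b is at least -p+1, so adding p back at most once suffices.
inline void sub(Fp& r, const Fp& a, const Fp& b) { r.v = (a.v >= b.v) ? a.v - b.v : a.v + P - b.v; }
inline void mul(Fp& r, const Fp& a, const Fp& b) { r.v = (a.v * b.v) % P; }
inline void dbl(Fp& r, const Fp& a) { add(r, a, a); }

// Inverse by Fermat's little theorem, a^(p-2) by square-and-multiply: this is the "I" of Table 1,
// and the projective formulas below defer it to the final conversion back to affine.
Fp inv(Fp a) {
  Fp r{1};
  for (uint64_t e = P - 2; e; e >>= 1) { if (e & 1) mul(r, r, a); mul(a, a, a); }
  return r;
}

struct Proj { Fp X, Y, Z; };
struct Affine { Fp x, y; bool inf; };
const Fp A{2};                          // curve coefficient a (b = 3 is not needed by the formulas)
const Proj O{{0}, {1}, {0}};            // unit element (0 : 1 : 0)
const Proj G{{3}, {6}, {1}};            // P = (3, 6) lifted to (3 : 6 : 1)
inline bool is_inf(const Proj& p) { return p.Z.v == 0; }  // Z alone tells whether this is O

// Doubling: u := 3X^2 + aZ^2, v := YZ, w := u^2 - 8XYv, X3 := 2vw, Y3 := u(4XYv - w) - 8(Yv)^2, Z3 := 8v^3.
// Every operand is an existing Fp; no temporaries are constructed inside expressions.
// (Multiplying by the constant a is counted as a full multiplication here.)
Proj pdbl(const Proj& p) {
  if (is_inf(p)) return O;
  Fp u, v, w, t, xyv, r8;
  mul(t, p.X, p.X); dbl(u, t); add(u, u, t);                 // 3X^2
  mul(t, p.Z, p.Z); mul(t, A, t); add(u, u, t);              // + aZ^2
  mul(v, p.Y, p.Z);                                          // v = YZ
  mul(xyv, p.X, p.Y); mul(xyv, xyv, v);                      // XYv
  dbl(r8, xyv); dbl(r8, r8); dbl(r8, r8);                    // 8XYv
  mul(w, u, u); sub(w, w, r8);                               // w = u^2 - 8XYv
  Proj r;
  mul(r.X, v, w); dbl(r.X, r.X);                             // X3 = 2vw
  dbl(t, xyv); dbl(t, t); sub(t, t, w); mul(r.Y, u, t);      // u(4XYv - w)
  mul(t, p.Y, v); mul(t, t, t); dbl(t, t); dbl(t, t); dbl(t, t);  // 8(Yv)^2
  sub(r.Y, r.Y, t);                                          // Y3
  mul(r.Z, v, v); mul(r.Z, r.Z, v);                          // v^3
  dbl(r.Z, r.Z); dbl(r.Z, r.Z); dbl(r.Z, r.Z);               // Z3 = 8v^3
  return r;
}

// Addition for P != Q: u := Y2Z1 - Y1Z2, v := X2Z1 - X1Z2, w := u^2 Z1Z2 - v^3 - 2v^2 X1Z2,
// X3 := vw, Y3 := u(v^2 X1Z2 - w) - v^3 Y1Z2, Z3 := v^3 Z1Z2.
// X1Z2, Y1Z2 and v^2 X1Z2 each occur twice in the formulas but are computed once,
// which brings the count to exactly the 14 multiplications of Table 1.
Proj padd(const Proj& p, const Proj& q) {
  if (is_inf(p)) return q;
  if (is_inf(q)) return p;
  Fp u, v, t, y1z2, x1z2;
  mul(t, q.Y, p.Z); mul(y1z2, p.Y, q.Z); sub(u, t, y1z2);    // 2M
  mul(t, q.X, p.Z); mul(x1z2, p.X, q.Z); sub(v, t, x1z2);    // 2M
  if (v.v == 0) return (u.v == 0) ? pdbl(p) : O;             // same x: P == Q, or P == -Q
  Fp z1z2, v2, v3, vx, w;
  mul(z1z2, p.Z, q.Z); mul(v2, v, v); mul(v3, v2, v); mul(vx, v2, x1z2);   // 4M
  mul(w, u, u); mul(w, w, z1z2); sub(w, w, v3); dbl(t, vx); sub(w, w, t);  // 2M
  Proj r;
  mul(r.X, v, w);                                            // 1M
  sub(t, vx, w); mul(r.Y, u, t); mul(t, v3, y1z2); sub(r.Y, r.Y, t);       // 2M
  mul(r.Z, v3, z1z2);                                        // 1M
  return r;
}

// Back to affine: the single inversion happens here, once per result rather than once per operation.
Affine to_affine(const Proj& p) {
  if (is_inf(p)) return Affine{{0}, {0}, true};
  Fp zi = inv(p.Z);
  Affine a{{0}, {0}, false};
  mul(a.x, p.X, zi); mul(a.y, p.Y, zi);
  return a;
}
}  // namespace toy

int main() {
  toy::Proj g2 = toy::pdbl(toy::G);
  toy::Affine a2 = toy::to_affine(g2), a3 = toy::to_affine(toy::padd(toy::G, g2));
  std::printf("[2]P = (%llu, %llu), [3]P = (%llu, %llu)\n",
              (unsigned long long)a2.x.v, (unsigned long long)a2.y.v,
              (unsigned long long)a3.x.v, (unsigned long long)a3.y.v);
  return 0;
}
```

On this curve P = (3, 6) has order 5, so [2]P = (80, 10), [3]P = (80, 87) and [4]P = (3, 91) = −P; the affine formulas of slide 5 give the same points, with one inversion per operation instead of one per final result.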
  14. Eliminating dynamic memory allocation. Problem • GMP's mpz_class allocates memory dynamically with malloc - the dynamic allocation is the bottleneck. Countermeasure • Do no dynamic allocation - manage memory yourself - replace mpz_class with plain arrays - the mpn functions are available, so the four arithmetic operations on multi-precision integers are fairly easy to write
  15. The road to a fast implementation: intro (recap of slide 6). Goal • make the scalar multiple [k]P = P + P + ... + P of a point P fast • use a good algorithm • make addition and doubling fast • every scalar multiplication algorithm is a combination of additions and doublings, so speeding those two up speeds up scalar multiplication as well
  16. Scalar multiplication algorithms. Implemented • right-to-left and left-to-right binary methods • sliding window method • window NAF method. Some algorithms apply only to particular elliptic curves • GLV for secp256k1: roughly 1.5× faster than ordinary scalar multiplication
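Slide 6 makes the point that these algorithms only need a group's add and double; the following added example (not the talk's code) takes that literally and writes the left-to-right and right-to-left binary methods and the window NAF method against a stand-in group: integers modulo 2^64 under addition, instrumented with operation counters. In that group [k]P is simply k·P with wraparound, so every result is trivial to verify, while the add/double counts each method performs are the same as on a curve. The sliding window method from the slide is not reproduced; the `wnaf` recoding, the table of odd multiples and the counters are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example (not the talk's code). Stand-in group: integers mod 2^64 under addition,
// instrumented so the add/double counts of each scalar multiplication method can be compared.
namespace scalar {
struct G { uint64_t v; };
const G O{0};
uint64_t n_add = 0, n_dbl = 0;
void reset() { n_add = n_dbl = 0; }
G add(G a, G b) { ++n_add; return G{a.v + b.v}; }
G dbl(G a) { ++n_dbl; return G{a.v + a.v}; }
G neg(G a) { return G{0 - a.v}; }     // negation is free on curves as well: (x, y) -> (x, -y)

// Left-to-right binary method: from the top bit down, double every step and add P on a 1 bit.
G mul_l2r(uint64_t k, G p) {
  G r = O;
  for (int i = 63; i >= 0; --i) {
    r = dbl(r);
    if ((k >> i) & 1) r = add(r, p);
  }
  return r;
}

// Right-to-left binary method: from the low bit up, keep a running 2^i P and add it on a 1 bit.
G mul_r2l(uint64_t k, G p) {
  G r = O, q = p;
  while (k) {
    if (k & 1) r = add(r, q);
    k >>= 1;
    if (k) q = dbl(q);
  }
  return r;
}

// Width-w NAF recoding, least significant digit first. Digits are 0 or odd values in
// (-2^(w-1), 2^(w-1)), and any w consecutive digits hold at most one nonzero, so the
// scalar loop below needs roughly one addition per w+1 doublings.
std::vector<int> wnaf(uint64_t k, int w) {
  std::vector<int> d;
  unsigned __int128 n = k;                 // k + 2^(w-1) can exceed 64 bits for the largest k
  const int mod = 1 << w, half = 1 << (w - 1);
  while (n) {
    int digit = 0;
    if (n & 1) {
      digit = (int)(n % mod);
      if (digit >= half) digit -= mod;     // signed residue: forces the next w-1 digits to 0
      if (digit < 0) n += (unsigned)(-digit); else n -= (unsigned)digit;
    }
    d.push_back(digit);
    n >>= 1;
  }
  return d;
}

// Window NAF method: precompute the odd multiples P, 3P, ..., (2^(w-1)-1)P once (for w = 2 the
// table is just P), then scan the digits from the top, doubling every step and adding or
// subtracting a table entry on each nonzero digit.
G mul_wnaf(uint64_t k, G p, int w) {
  std::vector<G> table{p};                 // table[j] = (2j+1)P
  G p2 = dbl(p);
  for (int j = 1; j < (1 << (w - 2)); ++j) table.push_back(add(table.back(), p2));
  std::vector<int> d = wnaf(k, w);
  G r = O;
  for (int i = (int)d.size() - 1; i >= 0; --i) {
    r = dbl(r);
    if (d[i] > 0) r = add(r, table[(d[i] - 1) / 2]);
    else if (d[i] < 0) r = add(r, neg(table[(-d[i] - 1) / 2]));
  }
  return r;
}
}  // namespace scalar

int main() {
  const scalar::G p{12345};                       // constructed sample point and scalar
  const uint64_t k = 0xDEADBEEFCAFEF00DULL;
  scalar::reset(); scalar::G a = scalar::mul_l2r(k, p);
  std::printf("left-to-right: %llu adds, %llu dbls\n",
              (unsigned long long)scalar::n_add, (unsigned long long)scalar::n_dbl);
  scalar::reset(); scalar::G b = scalar::mul_wnaf(k, p, 4);
  std::printf("wNAF (w=4):    %llu adds, %llu dbls\n",
              (unsigned long long)scalar::n_add, (unsigned long long)scalar::n_dbl);
  std::printf("results agree: %s\n", a.v == b.v ? "yes" : "no");
  return 0;
}
```

The counters make slide 17's remark concrete: with NAF the number of doublings barely changes while the additions drop to roughly a quarter, which is why a coordinate system with cheap doubling (Jacobian) pays off most once such a method is in use.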
  17. Further speedups • Use Jacobian coordinates • doubling costs less than in projective coordinates • effective when doublings are frequent • Implement fast multi-precision integer arithmetic • GMP's mpn is very fast • work hard on assembly-level optimization
  18. How much faster it got • Speed compared against an elliptic-curve implementation written in Go [2] and sage-8.8 [3] • Environment: OS: Ubuntu 18.04 (on Mac), CPU: i7-8850H 2.60GHz, compiler: gcc-9.2.1 -O3 (for C++). [2] https://github.com/ykm11/goCurve [3] open-source mathematics software driven from Python
  19. How much faster it got. Measured with the secp256k1 parameters.
     Table 2: speed comparison (unit: usec)
                                      add     dbl
       sage                           19.88   24.68
       Go (affine coordinates)        5.670   6.374
       C++ (projective coordinates)   1.432   1.421
       C++ (Jacobian coordinates)     1.440   1.002
  20. How much faster it got. Scalar multiplication measured as well, again with the secp256k1 parameters.
     Table 3: speed comparison of the algorithms (unit: usec)
                                       projective   Jacobian
       left-to-right binary method     527.17       421.00
       right-to-left binary method     519.92       409.11
       Sliding Window Method (size 2)  498.19       403.97
       NAF (size 4)                    484.88       360.63
       GLV (NAF)                       320.94       N/A
  21. Summary • Implemented fast elliptic curves in C++ • Faster point addition makes scalar multiplication faster • Faster finite-field arithmetic makes point addition faster • Next: support more elliptic curves and reach good speed at arbitrary precision too