Montgomery-friendly primes and applications to cryptography

This paper deals with Montgomery-friendly primes, designed for Montgomery's modular reduction algorithm. These numbers are scattered in the literature and their properties are only partially exploited. We exhibit a large family of Montgomery-friendly primes that give rise to efficient modular reduction algorithms. We develop two main uses. The first is dedicated directly to cryptography, in particular to isogeny-based approaches and more generally to Elliptic Curve Cryptography. We suggest finite fields and curves that are more appropriate in terms of complexity for the recommended security levels, for both isogeny-based cryptography and ECC. The second use is purely arithmetic: we propose families of alternative RNS bases. We show that, for dedicated architectures with word operators, we can reach, for the same or better complexity, larger RNS bases with Montgomery-friendly pairwise co-primes than the RNS bases generally used in the literature with Pseudo-Mersenne numbers. This is particularly interesting for the modular arithmetic used in cryptography.
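The property that makes a modulus "Montgomery-friendly" can be seen in a word-level Montgomery reduction. The example below is added here and is not code from the paper; it assumes a 64-bit word and uses the Mersenne prime 2^127 - 1 (friendly: p ≡ -1 mod 2^64) and 2^255 - 19 (not friendly) purely as illustration. When p ≡ -1 (mod 2^w), the constant -p^{-1} mod 2^w equals 1, so the quotient digit of each reduction step is just the low word of the accumulator and the usual word multiplication by -p^{-1} disappears.

```python
# Added example (not from the paper): word-level Montgomery reduction
# for a Montgomery-friendly modulus p with p = -1 (mod 2^w).
W = 64                      # assumed word size
MASK = (1 << W) - 1


def is_montgomery_friendly(p, w=W):
    """True when p = -1 (mod 2^w), i.e. the low word of p is all ones."""
    return p % (1 << w) == (1 << w) - 1


def neg_inv_word(p, w=W):
    """Generic Montgomery constant -p^{-1} mod 2^w (p must be odd)."""
    return (-pow(p, -1, 1 << w)) % (1 << w)


def montgomery_reduce(t, p, n, w=W):
    """Return t * 2^{-n*w} mod p for 0 <= t < p * 2^{n*w}, in n word steps.
    For a friendly p the quotient digit is the low word itself (the generic
    step would first multiply it by neg_inv_word(p)); the low word is then
    cancelled by adding q*p, so the shift is an exact division."""
    assert is_montgomery_friendly(p, w), "modulus is not Montgomery-friendly"
    for _ in range(n):
        q = t & ((1 << w) - 1)      # quotient digit: no multiplication needed
        t = (t + q * p) >> w        # exact: low word of t + q*p is zero
    if t >= p:                      # loop leaves t < 2p, one subtraction suffices
        t -= p
    return t


def montgomery_mul(a, b, p, n, w=W):
    """a * b * R^{-1} mod p with R = 2^{n*w}, for 0 <= a, b < p."""
    return montgomery_reduce(a * b, p, n, w)


def mod_mul(a, b, p, n, w=W):
    """Plain a * b mod p via Montgomery form: convert in, multiply, convert out."""
    r2 = pow(2, 2 * n * w, p)                   # R^2 mod p
    a_m = montgomery_mul(a, r2, p, n, w)        # a * R mod p
    b_m = montgomery_mul(b, r2, p, n, w)        # b * R mod p
    c_m = montgomery_mul(a_m, b_m, p, n, w)     # a * b * R mod p
    return montgomery_reduce(c_m, p, n, w)      # a * b mod p


if __name__ == "__main__":
    p = 2**127 - 1                               # friendly Mersenne prime, 2 words
    print(neg_inv_word(p))                       # 1: the per-word multiplier vanishes
    print(mod_mul(3, 5, p, 2))                   # 15
    print(is_montgomery_friendly(2**255 - 19))   # False: -19 != -1 mod 2^64
```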
