{"id":148,"date":"2020-01-18T11:09:00","date_gmt":"2020-01-18T10:09:00","guid":{"rendered":"http:\/\/blog.himitsu.eu\/?p=148"},"modified":"2020-01-18T11:15:55","modified_gmt":"2020-01-18T10:15:55","slug":"elliptic-curves-and-how-to-use-them-part-four","status":"publish","type":"post","link":"https:\/\/blog.himitsu.eu\/?p=148","title":{"rendered":"Elliptic curves and how to use them (part four)"},"content":{"rendered":"

Go to part 3<\/a><\/p>\n

One of the basic parameters of processors is the word length of a single arithmetic operation. This value can range from 8 bits for simple micro-controllers through 32 bits for 80386 derivatives to the most popular 64-bit length today. In addition, processors may have extended instruction sets (such as MMX, SSE, etc.) that can extend the processor’s capabilities to 128-bit (or larger) words.
\nThe word lengths provided are therefore too short for the implementation of cryptographic algorithms. For RSA, the suggested (in terms of security) key length is today (year 2019) 4096 bits, which is many times more than standard processors provide. For elliptic curves, the length of the prime number in the suggested curve is 521 bits (no, it’s not an error: \"2^{521}-1\" is one of Mersenne prime numbers).
\nSo, if we want to create an implementation of elliptic curves, we must have implementations of large integer numbers. We can use an existing one (mathematical libraries usually implement not only ‘large numbers’ but also the elliptic curves themselves) or write it yourself (it is enough to implement addition, subtraction, multiplication, modulo and division). The presented examples are written in Python, which has built-in ‘large numbers’ arithmetic, but when writing an implementation in a typical embedded we do not have this comfort – we have to implement everything in C \/ C ++.
\nLet’s check the performance of the implementation presented in the previous part, but let’s use the more demanding curve:<\/p>\n

#3.3.  521-Bit Random ECP Group\nprint "ECPoint 521-Bit"\np = (2**521)-1\ntv = FieldElement(p, 1)\nneutral = ECPoint(p, -3, 0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00)\ngx = FieldElement.factoryMethod(tv, 0x00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66)\ngy = FieldElement.factoryMethod(tv, 0x011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650)\ng = ECPoint.factoryMethod(neutral, gx, gy)\n\n#8.3.  521-Bit Random ECP Group\ni = 0x0037ADE9319A89F4DABDB3EF411AACCCA5123C61ACAB57B5393DCE47608172A095AA85A30FE1C2952C6771D937BA9777F5957B2639BAB072462F68C27A57382D4A52\nr = 0x0145BA99A847AF43793FDD0E872E7CDFA16BE30FDC780F97BCCC3F078380201E9C677D600B343757A3BDBF2A3163E4C2F869CCA7458AA4A4EFFC311F5CB151685EB9\nstart = monotonic.time.time()\ngi = g*i\nstop = monotonic.time.time()\nprint "Time: %s"%(stop-start)\nstart = monotonic.time.time()\ngr = g*r\nstop = monotonic.time.time()<\/code><\/pre> 
 <\/div> <\/div>\n
ECPoint 521-Bit
\nTime: 0.146764039993
\nTime: 0.149250984192<\/p><\/blockquote>\n
So, one point multiplication on one Intel G4560 3.50GHz core amounted to over 400 ms, and at the time of establishing the connection you need to perform at least 4 multiplications (key negotiation and authentication), i.e. mathematical calculations alone would take almost 2 seconds. For processors whose speeds are measured not in GHz, but in MHz, the results would be measured in minutes, which is completely unacceptable. So we can try to optimize several implementation elements:<\/p>\n