aboutsummaryrefslogtreecommitdiff
path: root/raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2020-09-13 23:04:30 +0000
committerRob Austein <sra@hactrn.net>2020-09-13 23:04:30 +0000
commitb092ffbcbe2c9398494f7dc9db6f0796971633e0 (patch)
tree6fabf690f1ebf485a9fea9af5298e44ad2a59a3e /raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model
parent9d927e49d9c10fc16c6dfa4a2a96cdb6216e4e2b (diff)
Import Cryptech wiki dump
Diffstat (limited to 'raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model')
-rw-r--r--raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model62
1 files changed, 62 insertions, 0 deletions
diff --git a/raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model b/raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model
new file mode 100644
index 0000000..50dc56d
--- /dev/null
+++ b/raw-wiki-dump/GitRepositories%2Fuser%2Fshatov%2Fcurve25519_fpga_model
@@ -0,0 +1,62 @@
+{{{
+#!htmlcomment
+
+This page is maintained automatically by a script. Don't modify this page by hand,
+your changes will just be overwritten the next time the script runs. Talk to your
+Friendly Neighborhood Repository Maintainer if you need to change something here.
+
+}}}
+
+{{{
+#!html
+<h1>curve25519_fpga_model</h1>
+
+<p>This reference model was written to help debug Verilog code. It comprises two parts: <strong>x25519_fpga_model</strong> and <strong>ed25519_fpga_model</strong>. See [1] for more information about the difference. The model mimics how an FPGA would do elliptic curve point scalar multiplication. Note, that the model may do weird (from CPU point of view, of course) things at times. Another important thing is that while FPGA modules are actually written to operate in constant-time manner, this model itself doesn't take any active measures to keep run-time constant. Do <strong>NOT</strong> use it in production as-is!</p>
+
+<p>Elliptic curve arithmetic can be split into several "layers":</p>
+
+<ol>
+<li>Low-level arithmetic</li>
+<li>Multi-precision arithmetic</li>
+<li>Modular arithmetic</li>
+<li>Curve arithmetic</li>
+</ol>
+
+<p><strong>Low-level arithmetic</strong> comprises elementary operations that the underlying hardware can do. These are typically 16-/32-/64-bit addition/subtraction and multiplication for conventional processors. Xilinx FPGA devices have specialized DSP slices that can do up to 48-bit addition/subtraction and up to 25x18-bit multiplication (latest 7 Series family at least).</p>
+
+<p><strong>Multi-precision arithmetic</strong> comprises operations on large (256-bit for this model) numbers using the elementary operations from layer 1.</p>
+
+<p><strong>Modular arithmetic</strong> comprises operations modulo certain prime based on layer 2. For this particualar model the prime is p = 2^255 - 19.</p>
+
+<p><strong>Curve arithmetic</strong> comprises addition and doubling of curve points and scalar multiplication based on the double-and-add algorithm.</p>
+
+<p>Levels 1-3 are the same for both X25519 and Ed25519. The trick used in layer 3 is that the model internally works modulo 2p (2^256-38), because it's computationally more efficient to not fully reduce the result until the very end of calculation. See "Special Reduction" in [2] for more information. Final reduction is done by simply adding zero modulo p.</p>
+
+<p>Conversion from the coordinate system used in layer 4 to affine coordinates involves modular inversion. Layer 3 offers modular inversion based on Fermat's little theorem. The addition chain used is from [3]. Thanks for reverse engineering Bernstein's "straightforward sequence of 254 squarings and 11 multiplications" :-P</p>
+
+<p>Modular inversion is offered in two variants: "abstract" (easy to debug user-friendly C code) and microcoded. The latter variant mimics how an FPGA does inversion.</p>
+
+<p>Layer 4 is different for X25519 and Ed25519.</p>
+
+<p>Curve arithmetic for Ed25519 uses Algorithm 4 ("Joye double-and-add") from [4] to do point multiplication. Point doubling is done according to "dbl-2008-hwcd" formulae from [5]. The only difference is that E, F, G &amp; H have opposite sign, this is equivalent to the original algorithm, because the final result depends on E * F and G * H. Point addition is done according to "add-2008-hwcd-4" from [5]. The coordinate system is (X, Y, Z, T), where T = X * Y. Conversion to affine coordinates is: x = X * Z^-1, y = Y * Z^-1. Note that the encoding of the result is somewhat tricky, see [6]. The short story is that we don't need to store entire X coordinate, just its sign is enough to recover X from Y.</p>
+
+<p>_TODO: Describe layer 4 for X25519._</p>
+
+<p>_TODO: Describe how microcode works._</p>
+
+<p>References:</p>
+
+<ol>
+<li><a href="https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures">StackExchange answer explaining the practical difference between Curve25519 and Ed25519</a></li>
+<li><a href="http://joppebos.com/files/waifi09.pdf">"High-Performance Modular Multiplication on the Cell Processor"</a></li>
+<li><a href="https://briansmith.org/ecc-inversion-addition-chains-01">"The Most Efficient Known Addition Chains for Field Element &amp; Scalar Inversion for the Most Popular &amp; Most Unpopular Elliptic Curves"</a></li>
+<li><a href="https://eprint.iacr.org/2011/338.pdf">"Fast and Regular Algorithms for Scalar Multiplication
+over Elliptic Curves"</a></li>
+<li><a href="https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html">"Extended coordinates with a=-1 for twisted Edwards curves"</a></li>
+<li><a href="https://crypto.stackexchange.com/questions/58921/decoding-a-ed25519-key-per-rfc8032">"decoding a Ed25519 key per RFC8032"</a></li>
+</ol>
+}}}
+
+[[RepositoryIndex(format=table,glob=user/shatov/curve25519_fpga_model)]]
+
+|| Clone `https://git.cryptech.is/user/shatov/curve25519_fpga_model.git` ||