1 / 33

# Security of Using Special Integers in Elliptic Scalar Multiplication - PowerPoint PPT Presentation

Security of Using Special Integers in Elliptic Scalar Multiplication. Mun-Kyu Lee o Jin Wook Kim Kunsoo Park School of CSE, Seoul National University. 1. Preliminaries. Elliptic Curve. A curve of the form y 2 + xy = x 3 + ax 2 + b or y 2 = x 3 + ax + b

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Security of Using Special Integers in Elliptic Scalar Multiplication' - nickan

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Security of Using Special Integers in Elliptic Scalar Multiplication

Mun-Kyu Leeo Jin Wook Kim Kunsoo Park

School of CSE, Seoul National University

### 1. Preliminaries Multiplication

Elliptic Curve Multiplication

• A curve of the form

y2 + xy = x3 + ax2 + b

or

y2 = x3 + ax + b

• There are many cryptosystems that use elliptic curve operations.

Elliptic Curve Operations [1] Multiplication

• Point Addition: R = P +Q

• First, draw theline through P and Q.

• Then this line intersectsthe elliptic curvein a third point.

• Define R = P +Q(the sum of P and Q)as the reflection ofthis point in the x-axis.

Elliptic Curve Operations [2] Multiplication

• Point Doubling: R = 2P

• First, draw the tangent lineto the curve at P.

• Then this line intersectsthe curve ina second point.

• Define R = 2P(the double of P)as the reflection ofthis point in the x-axis.

Elliptic Curve Operations [3] Multiplication

• Scalar Multiplication kP

• For a nonnegative integer k and a point P,scalar multiplication kP is defined as

• 0P = O, for k = 0, where O is the “point at infinity”which is the additive identity element.

• kP = (k-1)P + P for k > 0.

ECDLP Multiplication

• Elliptic Curve Discrete Log Problem

• Given two points P and Q on an elliptic curve,

• ECDLP is to find k such that kP = Q

Scalar Mult. vs. ECDLP Multiplication

Scalar Multiplication

k, P

Q = kP

Efficient

ECDLP

P, Q

k s.t. Q = kP

- Computationally infeasible

- Hence, security of elliptic curve based cryptosystems is based on this problem.

The purpose of this paper Multiplication

• is to develop a technique to find harder instances of ECDLP,while keeping the efficiency of a scalar multiplication as the same level.

### 2. MultiplicationPrevious Results:Efficient Scalar Mult. Algos.

[1] Binary Method Multiplication

• To compute Q = kP,

• represent k as a binary form.

• scan each bit of k from left to right.

• if the bit is 1, do a doubling and an addition.if the bit is 0, do a doubling only.

• Example: 61P = (1, 1, 1, 1, 0, 1)(2)P

1

1

1

1

0

1

DBL

DBL

1

10

110

1110

11110

111100

P

2P

6P

14P

30P

60P

DBL

DBL

DBL

3P

7P

15P

Q = 61P

11

111

1111

111101

[1] Binary Method Multiplication

• Complexity

• log k doublings and

• HW(k)-1 additions,where HW(k) is the Hamming weight of k,i.e., the number of 1’s in the binary representation of k.

[2] Signed Binary Method Multiplication

• [Morain, Olivos 90]

• Use the following facts.

• For a point P on an elliptic curve, computation of an additive inverse –P is almost free.

• For example,on y2 = x3 + ax + b,–P is the reflection of Pin the x-axis.

• Hence, a subtraction P - Q has the same complexity as that of an addition P +Q.

P = (x, y)

-P = (x, -y)

[2] Signed Binary Method Multiplication

• To compute Q = kP,

• convert k to a signed binary representation k’ with smaller number of nonzero digits than k.

• if a digit is 1, do a doubling and an addition.if a digit is –1, do a doubling and a subtraction.if a digit is 0, do a doubling only.

• Example: 61P = (26 - 22 +1)P = (1, 0, 0, 0,-1, 0, 1)P

-1

1

0

0

0

0

1

DBL

DBL

DBL

DBL

DBL

1

10

100

1000

10000

100010

1000100

P

2P

4P

8P

16P

30P

60P

SUB

DBL

15P

Q = 61P

1000101

10001

[2] Signed Binary Method Multiplication

• Complexity

• log k doublings and

• SHW(k)-1 additions/subtractions,where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.

[3] MultiplicationAMV method

• In many elliptic curve based systems, we compute kP for a randomly chosen k.

• [Agnew, Mullin, Vanstone 93]

• Choose special k’s that have small HW(k) to reduce the number of additions.

• Specifically, generate random k’s of length m in a binary form s.t. HW(k) = w for a fixed small w.

• One can control the Hamming weight, and thus the number of additions.

[3] MultiplicationAMV method

• Example: m = 8, w = 3

0. Initially, there are 8 empty bits.

1. Choose 3 random positions for ‘1’.

2. Set them as ‘1’ and others as ‘0’.

For kP, we need 7 doublings and 2 additions.

k = (1, 0, 1, 0, 0, 0, 0, 1)

### 3. MultiplicationProposed Method

Our Method Multiplication

• Use special k’s

• Generate random k’s that have small SHW(k).

• Specifically, generate random k’s of length m in a signed binary form s.t. SHW(k) = w for a fixed small w.

• More secure than the AMV selection method, i.e., random selection of k’s with HW(k)=w.

• (Recall that an ECDLP is to find k such that kP = Q.)

• The number of possible k’s in our method is much larger,

• while the amount of computation is the same,i.e., m-1 doublings and w-1 additions/subtractions,in both of the methods.

Naïve Approach Multiplication

• In order to generate a random k of length m s.t. SHW(k) = w,

• randomly select w locations for nonzero digits out of m possible digits of k,

• and then assign ‘1’ or ‘-1’ to each of these digits randomly.

• Problem

• k’s are not unique.

• Hence, the search space for k is much smaller than what we have intended.

• Example: m = 6, w = 3

• (1,0,0,1,0,-1) = (1,0,0,0,1,1) = 35

Solution Multiplication

• select k’s in the nonadjacent form (NAF).

• NAF is a signed binary representation with the property that no two consecutive digits are nonzero.

• A number’s NAF is unique.

35

possible representations

in NAF

not in NAF

(1, 0, 0, 1, 0,-1)

(1, 0, 0, 0, 1, 1)

Selection Algorithm Multiplication

• Now, we want to generate a random k of length min NAF s.t. SHW(k) = w to guarantee the uniqueness of k.

• To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.

• The algorithm has six steps.

Step 1 Multiplication

• Initially there is an array of m-w+1 consecutive empty slots.

Example: m = 8, w = 3

(m -w +1 = 6)

Step 2 Multiplication

• Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactlym digits.

Example: m = 8, w = 3

10

Step 3 Multiplication

• Choose w - 1 random slots out of the remaining m – w slots and assign10 or –10 randomly to each of them.

Example: m = 8, w = 3

(w -1 = 2, m -w = 5)

10

-10

10

Step 4 Multiplication

• Assign 0 to each remaining slot.

Example: m = 8, w = 3

10

0

-10

0

0

10

Step 5 Multiplication

• Concatenate all slots to get a number k with m +1 signed binary digits.

• Note that, for now, k is always even.

Example: m = 8, w = 3

10

0

-10

0

0

10

(1, 0, 0,-1, 0, 0, 0, 1, 0)

9 digits

Step 6 Multiplication

• Set k = k / 2

Example: m = 8, w = 3

(1, 0, 0,-1, 0, 0, 0, 1, 0)

k = (1, 0, 0,-1, 0, 0, 0, 1)

8 digits

For kP, we need 7 DBLs and 2 ADD/SUBs.

Distribution of Multiplicationk’s

• k’s generated by this algorithm are unique.

• k’s generated by this algorithm form a uniform distribution of k’s thathave m digits and satisfy SHW(k) = w.

### 4. MultiplicationSecurity Analysis

Security Against BSGS Multiplication

• With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.

• Hence, k’s with larger search space is more secure against this attack.

• Now we compare the size of the search space of our method with that of the AMV method.

Comparison of the Sizes of Search Spaces for Multiplicationk

AMV

Our Method

# digits

m

m

# nonzeros

w

w

complexity ofa scalar mult.