- 50 Views
- Uploaded on
- Presentation posted in: General

Security of Using Special Integers in Elliptic Scalar Multiplication

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Security of Using Special Integers in Elliptic Scalar Multiplication

Mun-Kyu Leeo Jin Wook Kim Kunsoo Park

School of CSE, Seoul National University

1. Preliminaries

- A curve of the form
y2 + xy = x3 + ax2 + b

or

y2 = x3 + ax + b

- There are many cryptosystems that use elliptic curve operations.

- Point Addition: R = P +Q
- First, draw theline through P and Q.
- Then this line intersectsthe elliptic curvein a third point.
- Define R = P +Q(the sum of P and Q)as the reflection ofthis point in the x-axis.

- Point Doubling: R = 2P
- First, draw the tangent lineto the curve at P.
- Then this line intersectsthe curve ina second point.
- Define R = 2P(the double of P)as the reflection ofthis point in the x-axis.

- Scalar Multiplication kP
- For a nonnegative integer k and a point P,scalar multiplication kP is defined as
- 0P = O,for k = 0, where O is the “point at infinity”which is the additive identity element.
- kP = (k-1)P + P for k > 0.

- For a nonnegative integer k and a point P,scalar multiplication kP is defined as

- Elliptic Curve Discrete Log Problem
- Given two points P and Q on an elliptic curve,
- ECDLP is to find k such that kP = Q

Scalar Multiplication

k, P

Q = kP

Efficient

ECDLP

P, Q

k s.t. Q = kP

- Computationally infeasible

- Hence, security of elliptic curve based cryptosystems is based on this problem.

- is to develop a technique to find harder instances of ECDLP,while keeping the efficiency of a scalar multiplication as the same level.

2. Previous Results:Efficient Scalar Mult. Algos.

- To compute Q = kP,
- represent k as a binary form.
- scan each bit of k from left to right.
- if the bit is 1, do a doubling and an addition.if the bit is 0, do a doubling only.

- Example: 61P = (1, 1, 1, 1, 0, 1)(2)P

1

1

1

1

0

1

DBL

DBL

1

10

110

1110

11110

111100

P

2P

6P

14P

30P

60P

DBL

DBL

DBL

ADD P

ADD P

ADD P

ADD P

3P

7P

15P

Q = 61P

11

111

1111

111101

- Complexity
- log k doublings and
- HW(k)-1 additions,where HW(k) is the Hamming weight of k,i.e., the number of 1’s in the binary representation of k.

- [Morain, Olivos 90]
- Use the following facts.
- For a point P on an elliptic curve, computation of an additive inverse –P is almost free.
- For example,on y2 = x3 + ax + b,–P is the reflection of Pin the x-axis.

- Hence, a subtraction P - Q has the same complexity as that of an addition P +Q.

- For a point P on an elliptic curve, computation of an additive inverse –P is almost free.

P = (x, y)

-P = (x, -y)

- To compute Q = kP,
- convert k to a signed binary representation k’ with smaller number of nonzero digits than k.
- if a digit is 1, do a doubling and an addition.if a digit is –1, do a doubling and a subtraction.if a digit is 0, do a doubling only.

- Example: 61P = (26 - 22 +1)P = (1, 0, 0, 0,-1, 0, 1)P

-1

1

0

0

0

0

1

DBL

DBL

DBL

DBL

DBL

1

10

100

1000

10000

100010

1000100

P

2P

4P

8P

16P

30P

60P

SUB

ADD

DBL

15P

Q = 61P

1000101

10001

- Complexity
- log k doublings and
- SHW(k)-1 additions/subtractions,where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.

- In many elliptic curve based systems, we compute kP for a randomly chosen k.
- [Agnew, Mullin, Vanstone 93]
- Choose special k’s that have small HW(k) to reduce the number of additions.
- Specifically, generate random k’s of length m in a binary form s.t. HW(k) = w for a fixed small w.
- One can control the Hamming weight, and thus the number of additions.

- Example: m = 8, w = 3
0. Initially, there are 8 empty bits.

1. Choose 3 random positions for ‘1’.

2. Set them as ‘1’ and others as ‘0’.

For kP, we need 7 doublings and 2 additions.

k = (1, 0, 1, 0, 0, 0, 0, 1)

3. Proposed Method

- Use special k’s
- Generate random k’s that have small SHW(k).
- Specifically, generate random k’s of length m in a signed binary form s.t. SHW(k) = w for a fixed small w.

- More secure than the AMV selection method, i.e., random selection of k’s with HW(k)=w.
- (Recall that an ECDLP is to find k such that kP = Q.)
- The number of possible k’s in our method is much larger,
- while the amount of computation is the same,i.e., m-1 doublings and w-1 additions/subtractions,in both of the methods.

- In order to generate a random k of length m s.t. SHW(k) = w,
- randomly select w locations for nonzero digits out of m possible digits of k,
- and then assign ‘1’ or ‘-1’ to each of these digits randomly.

- Problem
- k’s are not unique.
- Hence, the search space for k is much smaller than what we have intended.

- Example: m = 6, w = 3
- (1,0,0,1,0,-1) = (1,0,0,0,1,1) = 35

- k’s are not unique.

- select k’s in the nonadjacent form (NAF).
- NAF is a signed binary representation with the property that no two consecutive digits are nonzero.
- A number’s NAF is unique.

35

possible representations

in NAF

not in NAF

(1, 0, 0, 1, 0,-1)

(1, 0, 0, 0, 1, 1)

- Now, we want to generate a random k of length min NAF s.t. SHW(k) = w to guarantee the uniqueness of k.
- To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.
- The algorithm has six steps.

- Initially there is an array of m-w+1 consecutive empty slots.

Example: m = 8, w = 3

(m -w +1 = 6)

- Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactlym digits.

Example: m = 8, w = 3

10

- Choose w - 1 random slots out of the remaining m – w slots and assign10 or –10 randomly to each of them.

Example: m = 8, w = 3

(w -1 = 2, m -w = 5)

10

-10

10

- Assign 0 to each remaining slot.

Example: m = 8, w = 3

10

0

-10

0

0

10

- Concatenate all slots to get a number k with m +1 signed binary digits.
- Note that, for now, k is always even.

Example: m = 8, w = 3

10

0

-10

0

0

10

(1, 0, 0,-1, 0, 0, 0, 1, 0)

9 digits

- Set k = k / 2

Example: m = 8, w = 3

(1, 0, 0,-1, 0, 0, 0, 1, 0)

k = (1, 0, 0,-1, 0, 0, 0, 1)

8 digits

For kP, we need 7 DBLs and 2 ADD/SUBs.

- k’s generated by this algorithm are unique.
- k’s generated by this algorithm form a uniform distribution of k’s thathave m digits and satisfy SHW(k) = w.

4. Security Analysis

- With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.
- Hence, k’s with larger search space is more secure against this attack.
- Now we compare the size of the search space of our method with that of the AMV method.

AMV

Our Method

# digits

m

m

# nonzeros

w

w

complexity ofa scalar mult.

m-1 DBLsw-1 ADDs

m-1 DBLsw-1 ADD/SUBs

sizes of

search spaces

- The size of the search space of our method is much larger.
- Our method is expected to be more secure.