Security of using special integers in elliptic scalar multiplication
This presentation is the property of its rightful owner.
Sponsored Links
1 / 33

Security of Using Special Integers in Elliptic Scalar Multiplication PowerPoint PPT Presentation


  • 50 Views
  • Uploaded on
  • Presentation posted in: General

Security of Using Special Integers in Elliptic Scalar Multiplication. Mun-Kyu Lee o Jin Wook Kim Kunsoo Park School of CSE, Seoul National University. 1. Preliminaries. Elliptic Curve. A curve of the form y 2 + xy = x 3 + ax 2 + b or y 2 = x 3 + ax + b

Download Presentation

Security of Using Special Integers in Elliptic Scalar Multiplication

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security of using special integers in elliptic scalar multiplication

Security of Using Special Integers in Elliptic Scalar Multiplication

Mun-Kyu Leeo Jin Wook Kim Kunsoo Park

School of CSE, Seoul National University


1 preliminaries

1. Preliminaries


Elliptic curve

Elliptic Curve

  • A curve of the form

    y2 + xy = x3 + ax2 + b

    or

    y2 = x3 + ax + b

  • There are many cryptosystems that use elliptic curve operations.


Elliptic curve operations 1

Elliptic Curve Operations [1]

  • Point Addition: R = P +Q

    • First, draw theline through P and Q.

    • Then this line intersectsthe elliptic curvein a third point.

    • Define R = P +Q(the sum of P and Q)as the reflection ofthis point in the x-axis.


Elliptic curve operations 2

Elliptic Curve Operations [2]

  • Point Doubling: R = 2P

    • First, draw the tangent lineto the curve at P.

    • Then this line intersectsthe curve ina second point.

    • Define R = 2P(the double of P)as the reflection ofthis point in the x-axis.


Elliptic curve operations 3

Elliptic Curve Operations [3]

  • Scalar Multiplication kP

    • For a nonnegative integer k and a point P,scalar multiplication kP is defined as

      • 0P = O,for k = 0, where O is the “point at infinity”which is the additive identity element.

      • kP = (k-1)P + P for k > 0.


Ecdlp

ECDLP

  • Elliptic Curve Discrete Log Problem

    • Given two points P and Q on an elliptic curve,

    • ECDLP is to find k such that kP = Q


Scalar mult vs ecdlp

Scalar Mult. vs. ECDLP

Scalar Multiplication

k, P

Q = kP

Efficient

ECDLP

P, Q

k s.t. Q = kP

- Computationally infeasible

- Hence, security of elliptic curve based cryptosystems is based on this problem.


The purpose of this paper

The purpose of this paper

  • is to develop a technique to find harder instances of ECDLP,while keeping the efficiency of a scalar multiplication as the same level.


2 previous results efficient scalar mult algos

2. Previous Results:Efficient Scalar Mult. Algos.


1 binary method

[1] Binary Method

  • To compute Q = kP,

    • represent k as a binary form.

    • scan each bit of k from left to right.

    • if the bit is 1, do a doubling and an addition.if the bit is 0, do a doubling only.

  • Example: 61P = (1, 1, 1, 1, 0, 1)(2)P

1

1

1

1

0

1

DBL

DBL

1

10

110

1110

11110

111100

P

2P

6P

14P

30P

60P

DBL

DBL

DBL

ADD P

ADD P

ADD P

ADD P

3P

7P

15P

Q = 61P

11

111

1111

111101


1 binary method1

[1] Binary Method

  • Complexity

    • log k doublings and

    • HW(k)-1 additions,where HW(k) is the Hamming weight of k,i.e., the number of 1’s in the binary representation of k.


2 signed binary method

[2] Signed Binary Method

  • [Morain, Olivos 90]

  • Use the following facts.

    • For a point P on an elliptic curve, computation of an additive inverse –P is almost free.

      • For example,on y2 = x3 + ax + b,–P is the reflection of Pin the x-axis.

    • Hence, a subtraction P - Q has the same complexity as that of an addition P +Q.

P = (x, y)

-P = (x, -y)


2 signed binary method1

[2] Signed Binary Method

  • To compute Q = kP,

    • convert k to a signed binary representation k’ with smaller number of nonzero digits than k.

    • if a digit is 1, do a doubling and an addition.if a digit is –1, do a doubling and a subtraction.if a digit is 0, do a doubling only.

  • Example: 61P = (26 - 22 +1)P = (1, 0, 0, 0,-1, 0, 1)P

-1

1

0

0

0

0

1

DBL

DBL

DBL

DBL

DBL

1

10

100

1000

10000

100010

1000100

P

2P

4P

8P

16P

30P

60P

SUB

ADD

DBL

15P

Q = 61P

1000101

10001


2 signed binary method2

[2] Signed Binary Method

  • Complexity

    • log k doublings and

    • SHW(k)-1 additions/subtractions,where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.


3 amv method

[3] AMV method

  • In many elliptic curve based systems, we compute kP for a randomly chosen k.

  • [Agnew, Mullin, Vanstone 93]

    • Choose special k’s that have small HW(k) to reduce the number of additions.

    • Specifically, generate random k’s of length m in a binary form s.t. HW(k) = w for a fixed small w.

    • One can control the Hamming weight, and thus the number of additions.


3 amv method1

[3] AMV method

  • Example: m = 8, w = 3

    0. Initially, there are 8 empty bits.

    1. Choose 3 random positions for ‘1’.

    2. Set them as ‘1’ and others as ‘0’.

    For kP, we need 7 doublings and 2 additions.

k = (1, 0, 1, 0, 0, 0, 0, 1)


3 proposed method

3. Proposed Method


Our method

Our Method

  • Use special k’s

    • Generate random k’s that have small SHW(k).

    • Specifically, generate random k’s of length m in a signed binary form s.t. SHW(k) = w for a fixed small w.

  • More secure than the AMV selection method, i.e., random selection of k’s with HW(k)=w.

    • (Recall that an ECDLP is to find k such that kP = Q.)

    • The number of possible k’s in our method is much larger,

    • while the amount of computation is the same,i.e., m-1 doublings and w-1 additions/subtractions,in both of the methods.


Na ve approach

Naïve Approach

  • In order to generate a random k of length m s.t. SHW(k) = w,

    • randomly select w locations for nonzero digits out of m possible digits of k,

    • and then assign ‘1’ or ‘-1’ to each of these digits randomly.

  • Problem

    • k’s are not unique.

      • Hence, the search space for k is much smaller than what we have intended.

    • Example: m = 6, w = 3

      • (1,0,0,1,0,-1) = (1,0,0,0,1,1) = 35


Solution

Solution

  • select k’s in the nonadjacent form (NAF).

    • NAF is a signed binary representation with the property that no two consecutive digits are nonzero.

    • A number’s NAF is unique.

35

possible representations

in NAF

not in NAF

(1, 0, 0, 1, 0,-1)

(1, 0, 0, 0, 1, 1)


Selection algorithm

Selection Algorithm

  • Now, we want to generate a random k of length min NAF s.t. SHW(k) = w to guarantee the uniqueness of k.

  • To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.

  • The algorithm has six steps.


Step 1

Step 1

  • Initially there is an array of m-w+1 consecutive empty slots.

Example: m = 8, w = 3

(m -w +1 = 6)


Step 2

Step 2

  • Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactlym digits.

Example: m = 8, w = 3

10


Step 3

Step 3

  • Choose w - 1 random slots out of the remaining m – w slots and assign10 or –10 randomly to each of them.

Example: m = 8, w = 3

(w -1 = 2, m -w = 5)

10

-10

10


Step 4

Step 4

  • Assign 0 to each remaining slot.

Example: m = 8, w = 3

10

0

-10

0

0

10


Step 5

Step 5

  • Concatenate all slots to get a number k with m +1 signed binary digits.

  • Note that, for now, k is always even.

Example: m = 8, w = 3

10

0

-10

0

0

10

(1, 0, 0,-1, 0, 0, 0, 1, 0)

9 digits


Step 6

Step 6

  • Set k = k / 2

Example: m = 8, w = 3

(1, 0, 0,-1, 0, 0, 0, 1, 0)

k = (1, 0, 0,-1, 0, 0, 0, 1)

8 digits

For kP, we need 7 DBLs and 2 ADD/SUBs.


Distribution of k s

Distribution of k’s

  • k’s generated by this algorithm are unique.

  • k’s generated by this algorithm form a uniform distribution of k’s thathave m digits and satisfy SHW(k) = w.


4 security analysis

4. Security Analysis


Security against bsgs

Security Against BSGS

  • With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.

  • Hence, k’s with larger search space is more secure against this attack.

  • Now we compare the size of the search space of our method with that of the AMV method.


Comparison of the sizes of search spaces for k

Comparison of the Sizes of Search Spaces for k

AMV

Our Method

# digits

m

m

# nonzeros

w

w

complexity ofa scalar mult.

m-1 DBLsw-1 ADDs

m-1 DBLsw-1 ADD/SUBs

sizes of

search spaces


Comparison in typical settings

Comparison in Typical Settings

  • The size of the search space of our method is much larger.

  • Our method is expected to be more secure.


  • Login