Security of using special integers in elliptic scalar multiplication
Download
1 / 33

Security of Using Special Integers in Elliptic Scalar Multiplication - PowerPoint PPT Presentation


  • 74 Views
  • Uploaded on

Security of Using Special Integers in Elliptic Scalar Multiplication. Mun-Kyu Lee o Jin Wook Kim Kunsoo Park School of CSE, Seoul National University. 1. Preliminaries. Elliptic Curve. A curve of the form y 2 + xy = x 3 + ax 2 + b or y 2 = x 3 + ax + b

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security of Using Special Integers in Elliptic Scalar Multiplication' - nickan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security of using special integers in elliptic scalar multiplication

Security of Using Special Integers in Elliptic Scalar Multiplication

Mun-Kyu Leeo Jin Wook Kim Kunsoo Park

School of CSE, Seoul National University


1 preliminaries

1. Preliminaries Multiplication


Elliptic curve
Elliptic Curve Multiplication

  • A curve of the form

    y2 + xy = x3 + ax2 + b

    or

    y2 = x3 + ax + b

  • There are many cryptosystems that use elliptic curve operations.


Elliptic curve operations 1
Elliptic Curve Operations [1] Multiplication

  • Point Addition: R = P +Q

    • First, draw theline through P and Q.

    • Then this line intersectsthe elliptic curvein a third point.

    • Define R = P +Q(the sum of P and Q)as the reflection ofthis point in the x-axis.


Elliptic curve operations 2
Elliptic Curve Operations [2] Multiplication

  • Point Doubling: R = 2P

    • First, draw the tangent lineto the curve at P.

    • Then this line intersectsthe curve ina second point.

    • Define R = 2P(the double of P)as the reflection ofthis point in the x-axis.


Elliptic curve operations 3
Elliptic Curve Operations [3] Multiplication

  • Scalar Multiplication kP

    • For a nonnegative integer k and a point P,scalar multiplication kP is defined as

      • 0P = O, for k = 0, where O is the “point at infinity”which is the additive identity element.

      • kP = (k-1)P + P for k > 0.


Ecdlp
ECDLP Multiplication

  • Elliptic Curve Discrete Log Problem

    • Given two points P and Q on an elliptic curve,

    • ECDLP is to find k such that kP = Q


Scalar mult vs ecdlp
Scalar Mult. vs. ECDLP Multiplication

Scalar Multiplication

k, P

Q = kP

Efficient

ECDLP

P, Q

k s.t. Q = kP

- Computationally infeasible

- Hence, security of elliptic curve based cryptosystems is based on this problem.


The purpose of this paper
The purpose of this paper Multiplication

  • is to develop a technique to find harder instances of ECDLP,while keeping the efficiency of a scalar multiplication as the same level.


2 previous results efficient scalar mult algos

2. MultiplicationPrevious Results:Efficient Scalar Mult. Algos.


1 binary method
[1] Binary Method Multiplication

  • To compute Q = kP,

    • represent k as a binary form.

    • scan each bit of k from left to right.

    • if the bit is 1, do a doubling and an addition.if the bit is 0, do a doubling only.

  • Example: 61P = (1, 1, 1, 1, 0, 1)(2)P

1

1

1

1

0

1

DBL

DBL

1

10

110

1110

11110

111100

P

2P

6P

14P

30P

60P

DBL

DBL

DBL

ADD P

ADD P

ADD P

ADD P

3P

7P

15P

Q = 61P

11

111

1111

111101


1 binary method1
[1] Binary Method Multiplication

  • Complexity

    • log k doublings and

    • HW(k)-1 additions,where HW(k) is the Hamming weight of k,i.e., the number of 1’s in the binary representation of k.


2 signed binary method
[2] Signed Binary Method Multiplication

  • [Morain, Olivos 90]

  • Use the following facts.

    • For a point P on an elliptic curve, computation of an additive inverse –P is almost free.

      • For example,on y2 = x3 + ax + b,–P is the reflection of Pin the x-axis.

    • Hence, a subtraction P - Q has the same complexity as that of an addition P +Q.

P = (x, y)

-P = (x, -y)


2 signed binary method1
[2] Signed Binary Method Multiplication

  • To compute Q = kP,

    • convert k to a signed binary representation k’ with smaller number of nonzero digits than k.

    • if a digit is 1, do a doubling and an addition.if a digit is –1, do a doubling and a subtraction.if a digit is 0, do a doubling only.

  • Example: 61P = (26 - 22 +1)P = (1, 0, 0, 0,-1, 0, 1)P

-1

1

0

0

0

0

1

DBL

DBL

DBL

DBL

DBL

1

10

100

1000

10000

100010

1000100

P

2P

4P

8P

16P

30P

60P

SUB

ADD

DBL

15P

Q = 61P

1000101

10001


2 signed binary method2
[2] Signed Binary Method Multiplication

  • Complexity

    • log k doublings and

    • SHW(k)-1 additions/subtractions,where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.


3 amv method
[3] MultiplicationAMV method

  • In many elliptic curve based systems, we compute kP for a randomly chosen k.

  • [Agnew, Mullin, Vanstone 93]

    • Choose special k’s that have small HW(k) to reduce the number of additions.

    • Specifically, generate random k’s of length m in a binary form s.t. HW(k) = w for a fixed small w.

    • One can control the Hamming weight, and thus the number of additions.


3 amv method1
[3] MultiplicationAMV method

  • Example: m = 8, w = 3

    0. Initially, there are 8 empty bits.

    1. Choose 3 random positions for ‘1’.

    2. Set them as ‘1’ and others as ‘0’.

    For kP, we need 7 doublings and 2 additions.

k = (1, 0, 1, 0, 0, 0, 0, 1)


3 proposed method

3. MultiplicationProposed Method


Our method
Our Method Multiplication

  • Use special k’s

    • Generate random k’s that have small SHW(k).

    • Specifically, generate random k’s of length m in a signed binary form s.t. SHW(k) = w for a fixed small w.

  • More secure than the AMV selection method, i.e., random selection of k’s with HW(k)=w.

    • (Recall that an ECDLP is to find k such that kP = Q.)

    • The number of possible k’s in our method is much larger,

    • while the amount of computation is the same,i.e., m-1 doublings and w-1 additions/subtractions,in both of the methods.


Na ve approach
Naïve Approach Multiplication

  • In order to generate a random k of length m s.t. SHW(k) = w,

    • randomly select w locations for nonzero digits out of m possible digits of k,

    • and then assign ‘1’ or ‘-1’ to each of these digits randomly.

  • Problem

    • k’s are not unique.

      • Hence, the search space for k is much smaller than what we have intended.

    • Example: m = 6, w = 3

      • (1,0,0,1,0,-1) = (1,0,0,0,1,1) = 35


Solution
Solution Multiplication

  • select k’s in the nonadjacent form (NAF).

    • NAF is a signed binary representation with the property that no two consecutive digits are nonzero.

    • A number’s NAF is unique.

35

possible representations

in NAF

not in NAF

(1, 0, 0, 1, 0,-1)

(1, 0, 0, 0, 1, 1)


Selection algorithm
Selection Algorithm Multiplication

  • Now, we want to generate a random k of length min NAF s.t. SHW(k) = w to guarantee the uniqueness of k.

  • To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.

  • The algorithm has six steps.


Step 1
Step 1 Multiplication

  • Initially there is an array of m-w+1 consecutive empty slots.

Example: m = 8, w = 3

(m -w +1 = 6)


Step 2
Step 2 Multiplication

  • Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactlym digits.

Example: m = 8, w = 3

10


Step 3
Step 3 Multiplication

  • Choose w - 1 random slots out of the remaining m – w slots and assign10 or –10 randomly to each of them.

Example: m = 8, w = 3

(w -1 = 2, m -w = 5)

10

-10

10


Step 4
Step 4 Multiplication

  • Assign 0 to each remaining slot.

Example: m = 8, w = 3

10

0

-10

0

0

10


Step 5
Step 5 Multiplication

  • Concatenate all slots to get a number k with m +1 signed binary digits.

  • Note that, for now, k is always even.

Example: m = 8, w = 3

10

0

-10

0

0

10

(1, 0, 0,-1, 0, 0, 0, 1, 0)

9 digits


Step 6
Step 6 Multiplication

  • Set k = k / 2

Example: m = 8, w = 3

(1, 0, 0,-1, 0, 0, 0, 1, 0)

k = (1, 0, 0,-1, 0, 0, 0, 1)

8 digits

For kP, we need 7 DBLs and 2 ADD/SUBs.


Distribution of k s
Distribution of Multiplicationk’s

  • k’s generated by this algorithm are unique.

  • k’s generated by this algorithm form a uniform distribution of k’s thathave m digits and satisfy SHW(k) = w.


4 security analysis

4. MultiplicationSecurity Analysis


Security against bsgs
Security Against BSGS Multiplication

  • With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.

  • Hence, k’s with larger search space is more secure against this attack.

  • Now we compare the size of the search space of our method with that of the AMV method.


Comparison of the sizes of search spaces for k
Comparison of the Sizes of Search Spaces for Multiplicationk

AMV

Our Method

# digits

m

m

# nonzeros

w

w

complexity ofa scalar mult.

m-1 DBLsw-1 ADDs

m-1 DBLsw-1 ADD/SUBs

sizes of

search spaces


Comparison in typical settings
Comparison in Typical Settings Multiplication

  • The size of the search space of our method is much larger.

  • Our method is expected to be more secure.