Towards an Efficient Public Key Cryptosystem

By Ehab Tawfeek Younos Ali Alnfrawy, Assistant Lecturer, Computer Science and Information System Department, Sadat Academy, Egypt

A Thesis Submitted to the Faculty of Computers & Information, Cairo University, in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science

Under the Supervision of Prof. Aly A. Fahmy

Associate Prof. Mohamed M. Abd-Eldayem


FACULTY OF COMPUTERS & INFORMATION CAIRO UNIVERSITY EGYPT December/2010


Approved by the Examining Committee:

Prof. Dr. Aly Aly Fahmy (Thesis Main Advisor)
Prof. Dr. Mohammad Esam Khalifa (Member)
Prof. Dr. Mahmoud Ibraheem Marey (Member)

Declaration

I certify that this work has not been accepted in substance for any academic degree and is not being concurrently submitted in candidature for any other degree. Any portion of this thesis for which I am indebted to other sources is maintained and explicit references are given.

Ehab Tawfeek Younos Ali Alnfrawy signature:

Abstract

Public key encryption techniques are slow compared with symmetric encryption techniques; therefore symmetric techniques are preferred in encryption applications, and public key techniques are used in applications where symmetric techniques cannot be used. Many research works try to improve the efficiency of public key encryption techniques in order to speed up security applications at a high level of security. The Elliptic Curve Cryptosystem (ECC) is the best candidate public key encryption technique for achieving this target. ECC efficiency can be improved by speeding up either the finite field operations or the elliptic curve operations. Elliptic curve point scalar multiplication is the operation that most affects the efficiency of ECC; therefore the efficiency of the proposed ECC algorithm is improved by speeding up the elliptic curve point scalar multiplication operation using another proposed algorithm for computing addition subtraction chains. We also suggest a new combination of mixed coordinates to speed up elliptic curve scalar multiplication, which gives a new idea for securing ECC. In this thesis, the proposed algorithm for computing addition subtraction chains shortens the chains of 160 bit integers by 20%. The proposed scalar multiplication algorithm also speeds up ECCs by 26%, especially ECIES and PSEC.


Acknowledgment

I would like to acknowledge my supervisors Prof. Aly A. Fahmy and Dr. Mohamed M. Abd-Eldayem for suggesting the point, for continuous guidance, for their patience, and for their support. Thanks are due to my first cryptology instructor Dr. Hatem Bahig for suggesting that I work in this field and for continuous support. A lot of thanks to my brother Captain Mohammad Tawfeek Alnfrawy for his support in word processing, Internet support, publishing, delivery and official documents. Thanks also to my dear friend Waleed Emam. Thanks to my friend Eng. Mohammad Nabeel for his graphics support. Thanks to Dr. Hazem Bahig for his support in the final revision. Always, thanks to my parents and my wife for their love and support.


Contents

Abstract
Acknowledgment
List of Figures
List of Tables
List of Algorithms
List of Symbols
List of Abbreviations

1 Introduction
1.1 Thesis Overview
1.2 Thesis Objectives
1.3 Thesis Organization

2 Introduction to Cryptography
2.1 ECC versus RSA

3 Elliptic Curve Cryptography
3.1 Background
3.1.1 A Short Introduction to Group Theory
3.1.2 A Short Introduction to Field Theory
3.2 Elliptic Curve Arithmetic
3.2.1 Group Law
3.3 Elliptic Curve Arithmetic Computations
3.4 Elliptic Curve Cryptosystems
3.4.1 Elliptic Curve Diffie-Hellman Key Exchange
3.4.2 Elliptic Curve ElGamal Cryptosystem
3.4.3 ElGamal Digital Signature
3.4.4 Elliptic Curve Digital Signature Algorithm
3.4.5 PSEC
3.4.6 ECIES
3.5 ECC efficiency factors

4 Elliptic Curve Scalar Multiplication
4.1 Binary Method
4.2 Window NAF Algorithm
4.3 Fixed Base Comb
4.4 Addition Chains and Scalar Multiplication
4.4.1 Addition Chains
4.4.2 Golden Ratio Algorithm

5 Proposed Algorithms
5.1 The proposed Algorithm to compute Addition Subtraction Chain (AlnASC)
5.1.1 Analysis of AlnASC Algorithm
5.2 Modified Algorithm to compute addition subtraction chain (W2CASC)
5.3 Elliptic Curve Scalar Multiplication based on the proposed W2ASC Algorithm
5.4 Selecting the used mixed coordinates
5.4.1 Mixed coordinates and security

6 The Implementations and Experimental Results
6.1 Implementation Environment
6.1.1 Used Features from MIRACL
6.1.2 Programmed Features
6.2 Selecting window width
6.3 W2CASC implementation
6.4 W2CASC based scalar multiplication
6.5 EEC Performance

7 The Conclusions and Research Directions
7.1 Thesis Summary
7.2 Conclusion
7.3 Future Work

References

List of Figures

2.1 The classification of cryptology
3.1 Examples of Elliptic Curves
3.2 EC Addition
3.3 EC Doubling
3.4 Elliptic Curve E : y^2 = x^3 + x + 1 over F_23
3.5 Addition of elliptic curve points (3, 10), (9, 7)
3.6 Doubling of elliptic curve point (3, 10)
3.7 Scalar multiplication in ECC
3.8 ECC Design Factors
4.1 Kinds of Scalar Multiplication Algorithms
5.1 The main steps of AlnASC
5.2 Step 1 of AlnASC
5.3 Step 2 of AlnASC
5.4 Step 3 of AlnASC
5.5 W2CASC Based Scalar Multiplication
5.6 Mixed coordinates and security

List of Tables

2.1 RSA against ECC
3.1 Find points on E : y^2 = x^3 + x + 6 over Z_11
5.1 The result of step 1
5.2 The result of step 2
5.3 The result of step 3
5.4 Computational costs using mixed coordinates, combination 1
5.5 Computational costs using mixed coordinates, combination 2
5.6 Computational costs using mixed coordinates, combination 3
6.1 Different window length
6.2 Comparison of the current algorithms in addition chain
6.3 Average cost of scalar multiplication algorithms for 160 bit integers
6.4 ECC performances for 160 bit integers

List of Algorithms

3.1 ECDSA signature generation
3.2 ECDSA signature verification
3.3 PSEC encryption
3.4 PSEC decryption
3.5 ECIES encryption
3.6 ECIES decryption
4.1 Right-to-Left Binary Scalar Multiplication
4.2 Left-to-Right Binary Scalar Multiplication
4.3 Computing the Width-w NAF of an Integer
4.4 Left-to-Right Window NAF
4.5 Fixed-Base Comb
4.6 Golden Ratio Addition-Subtraction Chain method (GRASC method)
5.1 AlnASC: Using 2's Complement To Produce Addition-Subtraction (AS) Chain
5.2 W2CASC: Using 2's Complement in Window Method To Produce Addition-Subtraction (AS) Chain - modified
5.3 continued - W2CASC
5.4 Scalar Multiplication based on W2CASC

List of Symbols

A    Affine Coordinates
J    Jacobian Coordinates
JM   modified Jacobian Coordinates
JC   Chudnovsky Jacobian Coordinates
P    Projective Coordinates
M    finite field Multiplication
I    finite field Inversion
S    finite field Squaring
p    prime number
Fp   prime Finite Field of order p
N    the set of natural integers: {0, 1, 2, 3, ...}

List of Abbreviations

ECC       Elliptic Curve Cryptosystems
ECDLP     Elliptic Curve Discrete Logarithm Problem
ASC       Addition Subtraction Chain
AC        Addition Chain
W2CASC    Window with 2's Complement Addition Subtraction Chain Algorithm
AES       Advanced Encryption Standard
ANSI      American National Standards Institute
DES       Data Encryption Standard
DH        Diffie-Hellman
DHP       Diffie-Hellman Problem
DL        Discrete Logarithm
DLP       Discrete Logarithm Problem
DPA       Differential Power Analysis
DSA       Digital Signature Algorithm
DSS       Digital Signature Standard
ECC       Elliptic Curve Cryptography
ECDDHP    Elliptic Curve Decision Diffie-Hellman Problem
ECDH      Elliptic Curve Diffie-Hellman
ECDHP     Elliptic Curve Diffie-Hellman Problem
ECDSA     Elliptic Curve Digital Signature Algorithm
ECIES     Elliptic Curve Integrated Encryption Scheme
EC-KCDSA  Elliptic Curve Korean Certificate-based Digital Signature Algorithm
ECMQV     Elliptic Curve Menezes-Qu-Vanstone
FIPS      Federal Information Processing Standards
IEEE      Institute of Electrical and Electronics Engineers
IFP       Integer Factorization Problem
ISO       International Organization for Standardization
NAF       Non-Adjacent Form
NIST      National Institute of Standards and Technology
OEF       Optimal Extension Field
PKI       Public-Key Infrastructure
PSEC      Provably Secure Elliptic Curve Encryption
RSA       Rivest-Shamir-Adleman
SEC       Standards for Efficient Cryptography
SECG      Standards for Efficient Cryptography Group
SPA       Simple Power Analysis
SSL       Secure Sockets Layer
MIRACL    Multi-precision Integer and Rational Arithmetic C/C++ Library

Chapter 1 Introduction

1.1 Thesis Overview

Speeding up public key cryptosystems is one of the attractive research fields in cryptography, because these cryptosystems hold the best level of security. So researchers need public key cryptosystems that combine both properties, security and efficiency. The best candidate for this is the Elliptic Curve Cryptosystem (ECC). The ECC efficiency factors are dominated by speeding up the finite field operations or the elliptic curve operations. Here we speed up ECC by improving elliptic curve point scalar multiplication.

1.2 Thesis Objectives

Within the elliptic curve point scalar multiplication algorithms, we focus on the algorithms that use addition subtraction chains. In this area we provide the following:


• A new algorithm to compute addition subtraction chains.
• A new combination of mixed coordinates (representations) of elliptic curve points.
• A new strategy for securing the scalar multiplication.
• A new algorithm to compute elliptic curve point scalar multiplication.

This work is supported by the implementation issues and the needed comparisons. These comparisons are at the level of algorithms for addition subtraction chains, algorithms for elliptic curve point scalar multiplication, and elliptic curve cryptosystems.

Generally, we select public key cryptosystems because we need the security of a public key cryptosystem with efficiency near that of a private key cryptosystem. We select the Elliptic Curve Cryptosystem because it gives the best security with the smallest key sizes, which makes it a good candidate for improving speed. We select to work on prime fields (integers) rather than binary fields (polynomials) as the base of the elliptic curves because they are more suitable for software applications; this gives a more general range of applications at lower cost. We select the field of improving scalar multiplication (among the elliptic curve operations) because it is the most effective way to speed up elliptic curve cryptosystems and it is the dominant operation in the time consumed by elliptic curve cryptosystems. We select the addition subtraction chain as the tool to improve scalar multiplication because it has received less attention in the research community and it is the best tool for improving a large class of elliptic curve cryptosystems.


1.3 Thesis Organization

The thesis consists of seven chapters, as follows. Chapter 2 introduces basic concepts, outlines the problems in current cryptosystems and provides a justification for the work described in this dissertation. Chapter 3 offers an overview of elliptic curve cryptosystems, their history and the efficiency factors that affect them. Chapter 4 introduces the state-of-the-art view of research in the field of scalar multiplication; this chapter also includes a brief background on the theoretical basis of using addition chains in exponentiation. Chapter 5 includes our proposed algorithms and strategies for computing addition subtraction chains and scalar multiplications. Chapter 6 presents the implementation and the analysis and assessment of the results of the proposed algorithms. Finally, Chapter 7 presents the conclusions from this dissertation and proposes future research directions.


Chapter 2 Introduction to Cryptography

Cryptography has a long and fascinating history, since it was first practiced by the ancient Egyptians four millennia ago. An encyclopedic history of cryptography can be found in [1]; for a brief overview one may refer to [2]. Historically, cryptography deals with methods of transmitting information in a confidential manner such that a third party (adversary) cannot read the information, even if the transmission is done through an insecure channel such as a public telephone line. Cryptography can be regarded as one half of the science of cryptology. Cryptology has two main parts: cryptography and cryptanalysis. Cryptography builds secure systems; cryptanalysis breaks them. From today's point of view, cryptography deals with the design of algorithms, protocols and systems for the secure transfer of information. Cryptography is used to provide the following security services:

1. Confidentiality, a service that provides information content only to the authorized recipients.

2. Data integrity, a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes insertion, deletion, and substitution of the transferred information.

3. Authentication, a service related to identification. This function applies both to entities and to the information itself. Two parties entering into a communication should identify each other.

4. Non-repudiation, a service which prevents an entity from denying previous commitments or actions.

In order to satisfy privacy, one needs to convert the information (message, plaintext) into some unintelligible form (cryptogram, ciphertext, codeword) by using some secret data (the cryptographic key); this operation is called encryption. The other party, receiving the ciphertext, takes it back to the plaintext only with the correct secret key; this is called the decryption operation. Algorithms, protocols and systems performing cryptographic encryption-decryption operations are called cryptosystems. There are two types of cryptosystems for achieving secure transmission: secret-key cryptosystems and public-key cryptosystems. The oldest and by far the fastest type is the secret-key cryptosystem, also known as the symmetric-key cryptosystem. It involves sharing a key between two communicating parties, where the secret key is used for both the encryption and the decryption process; this is why it is called a symmetric-key cryptosystem. The current standardized method of this type is the AES (Advanced Encryption Standard) symmetric-key cryptosystem. Almost all methods of

this type involve bit manipulation between the message (in binary form) and the secret key. Decryption is achieved by reversing these manipulations, hence the process is fast. The major drawback of symmetric-key cryptosystems is the need to share the key between two people beforehand in a secure way, and key management is more tricky in a large network. The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published their article [3]. This article introduced the revolutionary concept of the public-key cryptosystem and also provided a new and ingenious method for key exchange, whose security is based on the intractability of the discrete logarithm problem. Hence, an adversary will not be able to decrypt the encrypted message even though the encryption key is known publicly. In fact, having the encryption key public has many advantages, such as enabling protocols for authentication, signatures, and key agreement and distribution. Even though public-key cryptosystems are slow compared to symmetric-key cryptosystems, they are used as a complement to symmetric-key cryptosystems, either for signatures or authentication or for key exchange, because only short messages are transmitted. Figure 2.1 gives the general view of cryptology.

It remains a major problem to find suitable public-key cryptosystems. Many cryptosystems have been proposed, and many have been broken. The two types of methods that have survived are Rivest-Shamir-Adleman (RSA) and Diffie-Hellman (DH). The RSA variant cryptosystems are used widely. These are based on the asymmetric fact that it is very efficient to create large prime numbers but intractable to factor their product into its two non-trivial primes. Today's computer technologies are able to

Figure 2.1: The classification of cryptology

factor 700-bit numbers. The existence of sub-exponential algorithms explains the necessity of using 768 or 1024-bit prime numbers, in other words very large keys. The case of Diffie-Hellman concerns asymmetric cryptosystems based on the computational infeasibility of the Discrete Logarithm Problem (DLP): finding the exponent with respect to some pre-defined element (base) of an abelian group is computationally hard. In the late eighties, Neal Koblitz and Victor Miller independently proposed a public-key cryptosystem using the additive group of points on an elliptic curve. This opened a new research area called elliptic curve cryptography. They exploited the discrete logarithm problem on a general elliptic curve, which has no sub-exponential time solution, to propose an elliptic curve cryptosystem. This type of cryptosystem provides the same level of security with smaller key sizes compared to RSA, which requires large key sizes (see Table 2.1) [4]. Hence, elliptic curve cryptosystems can be used in environments such as smart cards, since the ciphers need less memory and have smaller processor requirements. It was not until the late 1990s that elliptic curve systems started receiving commercial acceptance, when accredited standards organizations specified elliptic curve protocols and private companies included these protocols in their security products. An abundance of research has been published on the security and efficient implementation of elliptic curve cryptography. The computations involved in the basic operations on an elliptic curve are more complicated, therefore it is crucial to implement efficiently the operations required by the cryptosystems. The efficiency of most elliptic curve cryptosystems depends on the computation of scalar or multi-scalar multiplication operations. This is one of the active research areas in elliptic curve cryptography. As we begin this new millennium, the effects of cryptography on our daily

lives will only increase, since we are in the midst of a revolution in information processing and telecommunications. To an ever increasing depth, our lives are affected on a daily basis by interactions that require sending digital messages through cyberspace. This may involve the electronic transfer of digital dollars, the sending of personal electronic messages, or the sending of military secrets. One requirement common to all these types of message-sending is the need to keep the messages secret and to ensure that nobody tampers with them. Hence, the importance of cryptography to our information-based society will only deepen in the future. It is essential that we are equipped with the knowledge to understand and deal more effectively with this new reality. Due to the improvements and inventions of new technologies that may make it possible to break secret codes, there is a need for continued research in cryptography to keep information security in step with this changing modern world.

2.1 ECC versus RSA

In this section we compare the RSA cryptosystem with ECC cryptosystems. As we have already seen in the former section, the security of RSA is based on the difficulty of factoring large integers, called the integer factorization problem (IFP), whereas the security of ECC cryptosystems relies on the difficulty of the DLP in elliptic curve groups. For the IFP several sub-exponential algorithms are known. The most powerful methods for factoring large integers are number field sieves, where the best number field sieve algorithm allows an n-bit integer to be factored in $O(e^{n^{1/3+\varepsilon}})$ time. Neither these methods nor Lenstra's ECM method with a running time of $O(e^{n^{1/2+\varepsilon}})$ nor index calculus algorithms, which can be used to determine the discrete logarithm in finite cyclic groups, seem to be applicable to the ECDLP. Thus, no sub-exponential time algorithm solving the ECDLP has been found so far, and it is assumed that the ECDLP is much harder than the IFP. Therefore, ECC algorithms can use smaller key sizes compared to RSA. By way of comparison, a 160 bit elliptic curve key provides more or less the same security as a 1024 bit RSA key [5], which yields a tremendous improvement in speed and memory consumption. This circumstance makes ECC especially suitable for constrained environments, like cell phones and smart cards.

Table 2.1: RSA against ECC

Cryptosystem   Security level (bits)
ECC            160     224     256     384     512
RSA/DL         1024    2048    3072    8192    15360


Chapter 3 Elliptic Curve Cryptography

Over the past few decades, elliptic curves have been playing an increasingly important role both in number theory and in related fields such as cryptography. In the mid eighties, Neal Koblitz [6] and Victor Miller [7] independently discovered the use of elliptic curves in cryptosystems, and hence elliptic curve techniques were developed for factorization and primality testing. We abbreviate the term elliptic curve cryptosystem to ECC in what follows for the sake of convenience. In the 1980s and 1990s, elliptic curves played an important role in the proof of Fermat's Last Theorem. In 1992, Koyama et al. [8] proposed an analogue of RSA using a special class of elliptic curves over the ring Z/nZ, where n ∈ N is composite. In 1993 Demytko [9] presented another analogue of RSA, in this case with minimal restriction on the types of elliptic curves to be used. In 1997, Vanstone and Zuccherato [10] developed a new cryptosystem based on elliptic curves over Z/nZ in which the message is contained in the exponent instead of the group element. The security of all of the above RSA analogues is based upon the presumed difficulty of factoring. In 1997, Anshel and Goldfeld [11]


presented an explicit construction of a pseudo-random number generator arising from an elliptic curve, which can be computed effectively at low computational cost. They introduced a new intractable problem that leads to a new class of one-way functions based on the arithmetic theory of zeta functions, and against which there is currently no known attack. There are several fine texts on the arithmetic and cryptographic aspects of elliptic curves in the literature that could be consulted, such as [12, 13, 14, 15, 16, 17, 18]. The main purpose of this chapter is to introduce the basic concepts of elliptic curves over prime fields, which are important for the remaining chapters. The detailed arithmetic of elliptic curves can be found in [2, 19, 18]. First, we formally define the notion of elliptic curves.

3.1 Background

This section gives a short introduction to the basics of group theory and finite field theory. Both topics are connected and are a crucial part of ECC as well as public key cryptography in general.

3.1.1 A Short Introduction to Group Theory

A group is a basic structure in both algebra and number theory. Groups are used to abstract calculations with specific numbers and form the basis for many other algebraic concepts.

Definition 3.1 A group (G, ∗) is a set of elements G together with an arithmetic operation ∗ satisfying the following properties:


• Closure: the product of two elements x, y ∈ G, x ∗ y, always yields another element of G. In other words, G is closed with respect to ∗.
• Associativity: for all elements x, y, z ∈ G: (x ∗ y) ∗ z = x ∗ (y ∗ z).
• Neutral element: there is a neutral element e ∈ G such that x ∗ e = e ∗ x = x for every x ∈ G.
• Inverse element: for each x ∈ G there is an inverse element $x^{-1}$ such that $x * x^{-1} = x^{-1} * x = e$.

A group (G, ∗) is called abelian if it is commutative:

$$\forall x, y \in G : x * y = y * x \qquad (3.1)$$

Groups can also be written additively. Then the operation ∗ is replaced by +. As we are going to see later, this is the case for elliptic curve groups.

Example 3.1: The following two groups are often used in algebra: $(F_m = \{0, \ldots, m-1\}, +)$ forms an additive abelian group. Addition is done modulo m, 0 is the neutral element and each element x has the inverse −x. Let p be prime. Then $(F_p^* = \{1, \ldots, p-1\}, *)$ is a multiplicative abelian group modulo p with neutral element 1.

Groups (G, ∗) that allow every element y ∈ G to be expressed as a power of another element g ∈ G (i.e. $y = g^k$ with k ∈ Z) are called cyclic, and g is the so-called generator of the group. In such a case we write $G = \langle g \rangle$. Similarly, we can write every element y of a cyclic additive group (G', +) with generator g as a multiple of g: y = k × g.


Example 3.2: The generators of the group $(Z_5^*, *)$ are 2 and 3:

g = 2: $2^1 = 2$, $2^2 = 4$, $2^3 = 8 \equiv 3 \pmod 5$, $2^4 = 16 \equiv 1 \pmod 5$

g = 3: $3^1 = 3$, $3^2 = 9 \equiv 4 \pmod 5$, $3^3 = 27 \equiv 2 \pmod 5$, $3^4 = 81 \equiv 1 \pmod 5$

The order of an element x, denoted by $\mathrm{ord}_G(x)$, is the smallest positive integer k such that $x^k = e$ (or additively: k × x = e). If there is no such k, then x is said to have infinite order. The order of a generator equals the group's cardinality, which is also called the group order ord(G) or alternatively |G|.

Example 3.3: The order of 4 in $(F_5^*, *)$ is 2:

$$4^1 = 4, \quad 4^2 = 16 \equiv 1 \pmod 5. \qquad (3.2)$$

A subgroup (H, ∗) of some group (G, ∗) (denoted by (H, ∗) ≤ (G, ∗)) is itself a group, and H is a subset of G.

The Discrete Logarithm Problem: We already saw that in cyclic groups every element x can be expressed as a power of the generator g: $x = g^k$. When k is chosen to be the smallest positive integer possible, it is called the discrete logarithm (DL), or sometimes also the index, of x with respect to g, written as $\log_g(x)$.

Example 3.4: In $(Z_5^*, *)$ we have $\log_3(4) = 2$. Just like the ordinary logarithm, the discrete logarithm has some important features:

• $\log_h(x) = \log_g(x) \times \log_g(h)$, and
• $\log_g(x \cdot y) = \log_g(x) + \log_g(y)$,

where g and h are both generators of the same cyclic group G.

Definition 3.2 (DLP). Given a generator g of the cyclic group (G, ∗) and an element x in G, the problem of finding an integer k such that

$$x = g^k \qquad (3.3)$$

is called the discrete logarithm problem (DLP). Note that the hardness of the DLP depends on the group structure. So, for example, it is hard in groups of the type $(Z_p^*, *)$ but not in groups of the type $(Z_p, +)$.
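As an added illustration of Section 3.1.1 (my own code, not part of the thesis), the following Python snippet computes element orders and generators in $(Z_p^*, *)$ and solves the DLP by exhaustive search. It reproduces Examples 3.2 to 3.4 for p = 5 and checks the additive property of the discrete logarithm stated above. The function names and the sample primes are my own choices; the exhaustive search only shows what the problem asks for and is no method for the key sizes of Table 2.1, where its O(p) cost is exactly what makes the DLP hard.

```python
# Added example (not from the thesis): orders, generators and a brute-force
# discrete logarithm in the multiplicative group (Z_p^*, *) of Section 3.1.1.
# The primes used in the tests (5, 7) are constructed for illustration.

def element_order(x, p):
    """ord_G(x): the smallest positive k with x^k = 1 in Z_p^*."""
    x %= p
    if x == 0:
        raise ValueError("0 is not an element of Z_p^*")
    k, acc = 1, x
    while acc != 1:
        acc = (acc * x) % p
        k += 1
    return k

def generators(p):
    """Elements whose order equals the group order |Z_p^*| = p - 1."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]

def discrete_log(g, x, p):
    """log_g(x): the smallest positive k with g^k = x (mod p), found by
    exhaustive search over the p - 1 possible exponents.  Returns None when
    x lies outside the subgroup <g>.  Cost O(p): hopeless for real key sizes."""
    x %= p
    acc = 1
    for k in range(1, p):
        acc = (acc * g) % p   # acc = g^k
        if acc == x:
            return k
    return None

def log_is_additive(g, x, y, p):
    """Check the property log_g(x*y) = log_g(x) + log_g(y), which holds
    modulo the order of g (exponents live in Z_{ord(g)})."""
    n = element_order(g, p)
    lhs = discrete_log(g, (x * y) % p, p) % n
    rhs = (discrete_log(g, x, p) + discrete_log(g, y, p)) % n
    return lhs == rhs

if __name__ == "__main__":
    p = 5
    print("generators of Z_5^*:", generators(p))      # [2, 3], Example 3.2
    print("ord(4) in Z_5^*:", element_order(4, p))    # 2, Example 3.3
    print("log_3(4) in Z_5^*:", discrete_log(3, 4, p))  # 2, Example 3.4
```

The `discrete_log` loop does one multiplication per candidate exponent, so its running time grows linearly with the group order; the index calculus methods of Section 2.1 beat this for $Z_p^*$, which is why Table 2.1 needs 1024-bit moduli there, while for elliptic curve groups nothing better than generic (square-root) methods is known.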

3.1.2 A Short Introduction to Field Theory

The notion of fields can be built on top of the group concept. The big difference from a group is that a field has two distinct operations:

Definition 3.3 (Field). A field (K, +, ∗) consists of a set of elements K and two operations + and ∗, where
• (K, +) is an additive abelian group with neutral element 0,
• $(K^*, *)$ is a multiplicative abelian group with neutral element 1, and
• both groups are joined by distributivity:
  – ∀x, y, z ∈ K : x ∗ (y + z) = x ∗ y + x ∗ z (left-distributivity)
  – ∀x, y, z ∈ K : (x + y) ∗ z = x ∗ z + y ∗ z (right-distributivity)

A field K is said to be finite if it has only finitely many elements. The characteristic of a field K, char(K), is defined as the smallest integer n ≥ 1 such that n × 1 = 0. If there is no such n, the characteristic is defined to be 0. In general, the characteristic is either 0 or a prime p. Furthermore, finite fields always have prime characteristic.

Example 3.5: Commonly used fields are for example:
• (R, +, ·) is the infinite field of real numbers.
• For some prime p, $(Z_p, +, \cdot)$ is a finite field often used for cryptographic purposes. In future we will write $F_p$ for it.

3.2 Elliptic Curve Arithmetic

We shall consider finite fields F_p in order to define elliptic curves for cryptographic purposes.

Definition 3.4 Let p be a prime number, and let F_p denote the field of integers modulo p, with characteristic not equal to 2 or 3. An elliptic curve E defined over F_p is given by an equation of the form

y^2 = x^3 + ax + b   (3.4)

where a, b ∈ F_p such that 4a^3 + 27b^2 ≠ 0. The set of solutions (x, y), with x, y ∈ F_p, of equation (3.4), together with a point O (the point at infinity), is denoted by E(F_p) and is called the set of F_p-rational points on E. The value ∆(E) = −16(4a^3 + 27b^2) is called the discriminant of the elliptic curve E. Figure 3.1 gives some examples of elliptic curves.

Figure 3.1: Examples of Elliptic Curves

If the points on the curve are represented using affine coordinates, as P = (x, y), both point addition and point doubling involve an expensive field inversion (to compute the slope of the chord or of the tangent). To avoid these inversions, several projective coordinate systems have been proposed in the literature [20]. The major coordinate systems are the affine coordinate system (A), the projective coordinate system (P), the Jacobian coordinate system (J), the Chudnovsky Jacobian coordinate system (J^C) and the modified Jacobian coordinate system (J^M). In later chapters, mixed coordinate systems are considered, since they have a lower computational cost than the other coordinate systems, as proposed by Cohen et al. [21]. The notations I, S and M denote the cost of one inversion, one squaring and one multiplication, respectively. The cost of field additions is negligible. Generally, it is assumed that S = 0.8M for curves over an odd prime field [22].

Figure 3.2: EC Addition

3.2.1 Group Law

Suppose P and Q are points on an elliptic curve E. The following provides the definition of point inversion, point addition and point doubling.

Definition 3.5 Point Inversion. The negative of a point is its point inversion, i.e. the reflection of the point about the x-axis.

Definition 3.6 Point Addition (ECADD) (P + Q). If P ≠ O and P ≠ Q, then there is a third point R on E, uniquely determined as the intersection point of E with the line through P and Q. Taking the reflection of R about the x-axis gives the result P + Q. Hence, P + Q = −R. Graphically, elliptic curve addition is shown in Figure 3.2.

Figure 3.3: EC Doubling

Definition 3.7 Point Doubling (ECDBL) (2P). We assume that P = Q and P ≠ −Q. Then to form P + Q = 2P, we take the tangent line at P, which gives rise to a third point R = (x_3, y_3), uniquely determined as the intersection point of E with that tangent line. Then the reflection −R of R about the x-axis is what we define as P + P = 2P = −R. Thus −R is the other point of intersection of E with the line x = x_3, which is also the intersection with E of the line containing R and O. Graphically, elliptic curve doubling is shown in Figure 3.3.

Example 3.6: To use elliptic curves in cryptography, the set of points must be finite and discrete. Let us consider the elliptic curve E : y^2 = x^3 + x + 1 over the finite (prime) field F_23. The points of this curve are shown in Figure 3.4. The addition of the points (3, 10) and (9, 7) is given in Figure 3.5, and the doubling of the point (3, 10) in Figure 3.6.

Figure 3.4: Elliptic Curve E : y^2 = x^3 + x + 1 over F_23

3.3 Elliptic Curve Arithmetic Computations

Let E be an elliptic curve defined by y^2 = x^3 + Ax + B. Let P_1 = (x_1, y_1) and P_2 = (x_2, y_2) be points on E with P_1, P_2 ≠ O. Let P_1 + P_2 = (x_3, y_3):

1. If x_1 ≠ x_2, then x_3 = m^2 − x_1 − x_2, y_3 = m(x_1 − x_3) − y_1, where m = (y_2 − y_1)/(x_2 − x_1).
2. If x_1 = x_2 but y_1 ≠ y_2, then P_1 + P_2 = O.
3. If P_1 = P_2 and y_1 ≠ 0, then x_3 = m^2 − 2x_1, y_3 = m(x_1 − x_3) − y_1, where m = (3x_1^2 + A)/(2y_1).
4. If P_1 = P_2 and y_1 = 0, then P_1 + P_2 = O.
5. P + O = P for all points P ∈ E.

Figure 3.5: Addition of elliptic curve points (3, 10), (9, 7)

Note that when P_1 and P_2 have coordinates in the field F_p that contains A and B, then P_1 + P_2 also has coordinates in F_p. Therefore, E(F_p) is closed under the above addition of points.

Theorem 3.1 The addition of two points on an elliptic curve E satisfies the following properties:
1. commutativity, since P_1 + P_2 = P_2 + P_1 for all P_1, P_2 ∈ E;
2. existence of identity, since P + O = P for all points P on E;
3. existence of inverses, since given P on E, there exists P' on E with P + P' = O. This point P' is usually denoted as −P;
4. associativity, since (P_1 + P_2) + P_3 = P_1 + (P_2 + P_3) for all P_1, P_2, P_3 on E.

Figure 3.6: Doubling of elliptic curve point (3, 10)

In other words, the points on E form an additive abelian group with O as the identity element. If P is a point on an elliptic curve and k is a positive integer, then k × P denotes P + P + ··· + P (with k summands). If k < 0, then k × P = (−P) + (−P) + ··· + (−P), with |k| summands. To compute k × P for a large integer k, it is inefficient to add P to itself repeatedly; it is faster to use doublings, because then the number of operations needed to compute the scalar multiplication is halved. Note that the size of the points is continually reduced mod p, since we are working in a finite field F_p. Also note that the associative property allows the computation to be carried out irrespective of the order in which the summands are combined.

Example 3.7: E : y^2 = x^3 + x + 6 over Z_11. To find all (x, y) and O, we fix x and determine y. In this way we find 12 pairs (x, y) plus O (O is an artificial point). Table 3.1 shows these points.

  x    x^3 + x + 6 mod 11    quadratic residue?    y
  0    6                     no
  1    8                     no
  2    5                     yes                   4 or 7
  3    3                     yes                   5 or 6
  4    8                     no
  5    4                     yes                   2 or 9
  6    8                     no
  7    4                     yes                   2 or 9
  8    9                     yes                   3 or 8
  9    7                     no
  10   4                     yes                   2 or 9

Table 3.1: Finding the points on E : y^2 = x^3 + x + 6 over Z_11

So we have #E = 13. There are 13 points in the group E(Z_11), and so any non-identity point (i.e. any point other than the point at infinity O) is a generator of E(Z_11). Choose the generator α = (2, 7). Compute 2α = (x_2, y_2):

λ = (3x_1^2 + a)/(2y_1) = (3(2)^2 + 1)/(2 × 7) = 13/14 = 2 × 3^{−1} = 2 × 4 = 8 mod 11
x_2 = λ^2 − 2x_1 = 8^2 − 2 × 2 = 5 mod 11
y_2 = (x_1 − x_2)λ − y_1 = (2 − 5) × 8 − 7 = 2 mod 11

Compute 3α = (x_3, y_3):

λ = (y_2 − y_1)/(x_2 − x_1) = (2 − 7)/(5 − 2) = 2 mod 11

x_3 = λ^2 − x_1 − x_2 = 2^2 − 2 − 5 = 8 mod 11
y_3 = (x_1 − x_3)λ − y_1 = (2 − 8) × 2 − 7 = 3 mod 11

So we can compute: α = (2, 7), 2α = (5, 2), 3α = (8, 3), 4α = (10, 2), 5α = (3, 6), 6α = (7, 9), 7α = (7, 2), 8α = (3, 5), 9α = (10, 9), 10α = (8, 8), 11α = (5, 9), 12α = (2, 4). These points form the group of points, closed under the elliptic curve operations. So we can use this group for cryptographic purposes, thanks to its discrete and finite properties; in practical use, however, the number of elements (points) will be very large. On the other hand, if we are working over a large finite field and are given points P and kP on an elliptic curve over this field, it is very difficult to determine the value of k. This is called the elliptic curve discrete logarithm problem (ECDLP), and it is the basis for elliptic curve cryptosystems. The security of elliptic curve cryptosystems can be defined as follows:

Definition 3.8 If E is an elliptic curve over a field F_p, then the elliptic curve discrete logarithm problem to the base Q ∈ E(F_p) is the problem of finding an x ∈ Z (if one exists) such that P = xQ for a given P ∈ E(F_p).

Currently, the DLP in elliptic curve groups is several orders of magnitude more difficult than the DLP in the multiplicative group of a finite field (of similar size). Explicitly, this means that for a suitably chosen elliptic curve E over F_p, the DLP for the group E(F_p) appears (given our current state of knowledge) to be of complexity exponential in the size ⌈log_2 p⌉ of the field elements, whereas there exist sub-exponential algorithms in ⌈log_2 p⌉ for the DLP in F_p^*. The lack of sub-exponential attacks on ECCs gives the advantage of allowing smaller message units, as well as smaller amounts of processing time and electrical power. Moreover, the consensus is that a suitably chosen elliptic curve in a given ECC over a finite field of size approximately 160 bits ensures security equivalent to RSA with a modulus of 1024 bits.

There are two major drawbacks of ECC. First, it involves a deep amount of mathematics, which allows only a small group of qualified people to deal with the implementation of ECCs. Secondly, only a short span of time has been devoted to its research up to date. For example, the appearance of the MOV attack [23], showing that the DLP can be solved on supersingular curves, is worrying to some, since other classes of elliptic curves have similarly fallen victim. If elliptic curves are to be used, then it is considered wise to use key sizes of 300 bits for even the most modest security requirements, and 500 bits for more sensitive communication. Such safety margins are recommended since the real threat to the presumed intractability of both discrete logs and factoring comes from unexpected new mathematical discoveries. It is not certain what algorithm will be discovered in the near future. Relatively few people have worked on the problems of discrete logs and integer factorization, which implies that the area has just not been examined exhaustively. Lastly, there is the new threat of quantum computers, even though they are currently only a theoretical possibility. Figure 5.6 summarizes the importance of scalar multiplication in ECC.

Figure 3.7: Scalar multiplication in ECC

3.4 Elliptic Curve Cryptosystems

On its own, Elliptic Curve Cryptography is just mathematical equations. To make it useful for security, it must be put into algorithms, such as the ones listed below:

• Digital Signatures
  – ECDSA: Elliptic Curve Digital Signature Algorithm
  – ECPVS: Elliptic Curve Pintsov Vanstone Signatures
  – ECNR: Elliptic Curve Nyberg Rueppel
• Key Agreement
  – ECMQV: Elliptic Curve Menezes-Qu-Vanstone
  – ECDH: Elliptic Curve Diffie-Hellman
• Encryption
  – ECIES: Elliptic Curve Integrated Encryption Standard

NIST, ANSI and IEEE have standardized ECC, as detailed below.

• The National Institute of Standards and Technology (NIST, http://www.nist.gov/index.html) issues standards that mandate what cryptographic algorithms US Federal Government agencies can use, such as:
  – Federal Information Processing Standards (FIPS) 186-2: The Digital Signature Standard (DSS). This standardizes the Elliptic Curve Digital Signature Algorithm (ECDSA) and recommends fifteen sets of elliptic curve domain parameters.
  – Special Publication 800-56: Recommendation on Key Establishment Schemes (Draft). This standardizes ECC key establishment, which includes Elliptic Curve Diffie-Hellman (ECDH) key agreement and the more advanced Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement.
  – Special Publication 800-57: Key Management Guideline, Part 1 (Draft). This gives guidance on managing symmetric keys, such as AES keys, with public keys, such as ECC keys. It mentions which ECC key sizes are appropriate for which AES key sizes.
• The American National Standards Institute (ANSI, http://www.ansi.org/) committee X9 develops standards for the US financial services industry, including:
  – American National Standard X9.62: The Elliptic Curve Digital Signature Algorithm. This specifies ECDSA.
  – American National Standard X9.63: Key Agreement and Key Transport Using Elliptic Curve Cryptography. This specifies ECDH and ECMQV key agreement, as well as ECIES key transport.
• The Institute of Electrical and Electronics Engineers (IEEE, http://standards.ieee.org/) develops standards, including the following:
  – IEEE 1363-2000: Standard Specifications for Public Key Cryptography. This specifies ECDSA, ECDH, and ECMQV.
• Other bodies recommending ECC are Europe's NESSIE (https://www.cosic.esat.kuleuven.be/nessie/), Japan's CryptRec (http://www.cryptrec.go.jp/english/) and, globally, ISO.
• Applications of ECC have also been standardized by the IETF (http://www.ietf.org/) and other organizations, including PKIX (http://datatracker.ietf.org/wg/pkix/charter/).

This section reviews three cryptographic schemes that exploit the intractability of the ECDLP. Although they were originally designed for the group (F_p)^* and therefore exploit the fact that the DLP is a hard mathematical problem, they can be adjusted to work with elliptic curves. Throughout this section, it is assumed that the elliptic curves used in the cryptosystems are chosen in accordance with [24, 25] and that the order of the public points as well as the chosen parameters are 160-bit numbers. The operations we are mainly concerned with are unknown point scalar multiplication (computing nP where both n and P are not known in advance), known point scalar multiplication (computing nP where n is unknown and P is known) and known multiplier scalar multiplication (computing nP where n is known and P is unknown). We study algorithms specific to each of these cases in Chapter 4.

A public key encryption scheme allows two parties to communicate securely. One popular encryption scheme is ECIES [26]. In this scheme, encryption requires the computation of one unknown point scalar multiplication and one known point scalar multiplication. Decryption requires one known multiplier scalar multiplication. PSEC [27] is another encryption scheme. In this protocol, encryption requires the computation of one unknown point scalar multiplication and one known point scalar multiplication. Decryption requires a known multiplier scalar multiplication and a known point scalar multiplication.

Key establishment algorithms allow two parties to establish a common secret for use in symmetric cryptography. ECDH [28] is the elliptic curve variant of the Diffie-Hellman key agreement protocol; it is used to establish the common key for symmetric encryption. Each party requires the computation of one known point scalar multiplication and one unknown point scalar multiplication. Another popular key establishment algorithm is ECMQV [29]. In this protocol, each party requires the ability to compute both known point scalar multiplication and unknown point scalar multiplication.

A signature scheme allows one party to digitally sign a piece of data, providing authentication and non-repudiation. ECDSA [30] is the standard digital signature scheme using elliptic curves. Signature generation requires a known point scalar multiplication, and verification requires the computation of aP + bQ where P is known, Q is unknown and a, b are unknown. The elliptic curve scalar multiplication operations are the most time consuming parts of each of the above protocols. In order to implement these protocols efficiently, it is important that unknown point, known point and known multiplier scalar multiplication are all computed as efficiently as possible.

3.4.1 Elliptic Curve Diffie-Hellman Key Exchange

Alice and Bob want to agree on a common secret key that they can use for exchanging data via a symmetric encryption scheme such as DES or AES. One way to establish a secret key is the following method proposed by Diffie and Hellman [3].

1. Alice and Bob agree on an elliptic curve E over a finite field F_p such that the discrete logarithm problem is hard in E(F_p). They also agree on a point P ∈ E(F_p) such that the subgroup generated by P has large order.
2. Alice chooses a secret integer a (private key), computes the public key P_a = aP, and sends P_a to Bob.
3. Bob chooses a secret integer b (private key), computes the public key P_b = bP, and sends P_b to Alice.
4. Alice computes aP_b = abP.
5. Bob computes bP_a = baP.
6. Alice and Bob use some publicly agreed method to extract a key from abP. For example, they could use the last 256 bits of the x-coordinate of abP as the key, or they could compute a hash function of the x-coordinate.

The only information an eavesdropper has is the curve E, the finite field F_p, and the points P, aP and bP. He therefore cannot compute abP from the given information, because he needs either the secret integer a or b, which are stored only by Alice or Bob respectively; this is known as the Diffie-Hellman problem. If the eavesdropper can solve discrete logs in E(F_p), then he can use P and aP to find a. Then he can compute a(bP). However, it is not known whether there is some way to compute abP without first solving a discrete log problem. This protocol can be used to establish a secure tunnel between two parties; e.g. the SSH protocol uses this technique to exchange the secret key required for a symmetric scheme.

3.4.2 Elliptic Curve ElGamal Cryptosystem

The Elliptic Curve ElGamal Cryptosystem is an adaptation to elliptic curves of the original ElGamal cryptosystem [31]. It can also be considered as an extension of the Diffie-Hellman key exchange protocol, and its purpose is to encrypt and decrypt messages. It is described as follows. Suppose Alice wants to send a message to Bob. First, Bob has to establish his public key. He chooses an elliptic curve E over a finite field F_p such that the discrete log problem is hard for E(F_p). He also chooses a point P on E. He chooses a secret integer b and computes B = bP. The elliptic curve E, the finite field F_p, and the points P and B are Bob's public key. To send the message to Bob, Alice does the following:

1. Downloads Bob's public key.
2. Expresses her message as a point M ∈ E(F_p).
3. Chooses a secret random integer k and computes M_1 = kP.
4. Computes M_2 = M + kB.
5. Sends M_1, M_2 to Bob.

Bob decrypts by calculating M = M_2 − bM_1, since

M_2 − bM_1 = (M + kB) − b(kP) = M + k(bP) − bkP = M.   (3.5)

The eavesdropper knows Bob's public information P and B and the points M_1 and M_2. If he can solve the ECDLP then he can retrieve b from P and B, and then he can decrypt the messages as M_2 − bM_1.

It is important for Alice to choose a different random k for each encryption. Suppose Alice uses the same k for both M and M'; then the eavesdropper can easily detect that M_1 = M_1' (the same k was used). Hence, he can compute M_2' − M_2 = M' − M. Suppose M is revealed to the public a day later. Then he can calculate M' = M − M_2 + M_2'. Therefore, knowledge of one plaintext M can help him to deduce another plaintext M' in such a situation.

Example 3.8: Considering Example 3.3, let us modify ElGamal encryption by using the elliptic curve E(Z_11). Suppose that α = (2, 7) and Bob's private key is 7, so

β = 7α = (7, 2).   (3.6)

Thus the encryption operation is

e_k(x, k) = (k(2, 7), x + k(7, 2))   (3.7)

where x ∈ E and 0 ≤ k ≤ 12, and the decryption operation is

d_k(y_1, y_2) = y_2 − 7y_1.   (3.8)

Suppose that Alice wishes to encrypt the plaintext x = (10, 9) (which is a point on E). If she chooses the random value k = 3, then

y_1 = 3(2, 7) = (8, 3)   (3.9)
y_2 = (10, 9) + 3(7, 2) = (10, 9) + (3, 5) = (10, 2)   (3.10)

Hence y = ((8, 3), (10, 2)). Now, if Bob receives the ciphertext y, he decrypts it as follows:

x = (10, 2) − 7(8, 3) = (10, 2) − (3, 5)   (3.11)
  = (10, 2) + (3, 6) = (10, 9)   (3.12)

3.4.3 ElGamal Digital Signature

Suppose Alice wants to send a signed electronic message m to Bob. The naive way is to digitize the signature and append it to the message. In such a situation, an eavesdropper may tamper with the signature by attaching it to a different message. Therefore, Alice must bind the signature to the message such that it cannot be used again; signature validation and authentication are also required. These are provided by the ElGamal digital signature algorithm, which is classically based on the discrete log problem in a multiplicative group. In fact, it applies to any finite group, hence we will consider it for elliptic curves.

First, Alice establishes a public key. She chooses an elliptic curve E over a finite field F_p such that the discrete log problem is hard for E(F_p). She also chooses a point A ∈ E(F_p) such that the order N of A is a large prime. Alice chooses a secret a and computes B = aA. Finally, she chooses a function f : E(F_p) → Z where f(x, y) = x with 0 ≤ x ≤ p. Alice makes the following information public: E, F_p, f, A and B. She keeps a private. To sign a message, Alice does the following.

1. Represents the document as an integer m. In case m > N, a larger curve should be chosen.
2. Chooses a random integer k with gcd(k, N) = 1 and computes R = kA.
3. Computes s ≡ k^{−1}(m − a f(R)) (mod N).

The resulting signed message is (m, R, s), where m, s are integers and R is a point on E. To verify the message, Bob does the following.

1. Downloads Alice's public information.
2. Computes V_1 = f(R)B + sR and V_2 = mA.
3. If V_1 = V_2, he declares the signature valid.

The signature is valid if V_1 = V_2 since

V_1 = f(R)B + sR = f(R)aA + skA = f(R)aA + (m − a f(R))A = mA = V_2.   (3.13)

The fact that sk ≡ (m − a f(R)) (mod N) implies sk = (m − a f(R)) + zN for some integer z. Therefore,

skA = (m − a f(R))A + zNA = (m − a f(R))A + ∞ = (m − a f(R))A.   (3.14)

3.4.4 Elliptic Curve Digital Signature Algorithm

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It is the most widely standardized elliptic curve-based signature scheme, appearing in the ANSI X9.62, FIPS 186-2, IEEE 1363-2000 and ISO/IEC 15946-2 standards as well as several draft standards [24, 25]. Signature generation and verification are given in Algorithms 3.1 and 3.2. In the following, H denotes a cryptographic hash function whose outputs have bit length no more than that of n (if this condition is not satisfied, then the outputs of H can be truncated).

Algorithm 3.1: ECDSA signature generation
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, message m.
Output: Signature (r, s).
1. Select k ∈_R [1, n − 1].
2. Compute kP = (x_1, y_1) and convert x_1 to an integer x̄_1.
3. Compute r = x̄_1 mod n. If r = 0 then go to step 1.
4. Compute e = H(m).
5. Compute s = k^{−1}(e + dr) mod n. If s = 0 then go to step 1.
6. Return (r, s).

Algorithm 3.2: ECDSA signature verification
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, message m, signature (r, s).
Output: Acceptance or rejection of the signature.
1. Verify that r and s are integers in the interval [1, n − 1]. If any verification fails then return("Reject the signature").
2. Compute e = H(m).
3. Compute w = s^{−1} mod n.
4. Compute u_1 = ew mod n and u_2 = rw mod n.
5. Compute X = u_1 P + u_2 Q.
6. If X = ∞ then return("Reject the signature").
7. Convert the x-coordinate x_1 of X to an integer x̄_1.
8. Compute v = x̄_1 mod n.
9. If v = r then return("Accept the signature"), else return("Reject the signature").

Proof that signature verification works: If a signature (r, s) on a message m was indeed generated by the legitimate signer, then s ≡ k^{−1}(e + dr) (mod n). Rearranging gives

k ≡ s^{−1}(e + dr) ≡ s^{−1}e + s^{−1}rd ≡ we + wrd ≡ u_1 + u_2 d (mod n).   (3.15)

Thus X = u1 P + u2 Q = (u1 + u2 d)P = kP , and so v = r as required.
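As an added worked example (this is not code from the thesis), the following Python script implements the affine group law of Section 3.3 (cases 1 to 5), double-and-add scalar multiplication, and then the ECDH exchange of Section 3.4.1, ElGamal encryption of Section 3.4.2 and ECDSA (Algorithms 3.1 and 3.2) on the toy curve E : y^2 = x^3 + x + 6 over Z_11 of Examples 3.7 and 3.8, with generator α = (2, 7) of order n = 13 and cofactor h = 1. It reproduces Table 3.1, the multiples of α, and the ciphertext y = ((8, 3), (10, 2)) of Example 3.8. The names `Curve`, `add`, `mul`, `ecdh`, `elgamal_encrypt` and `ecdsa_sign` are my own; the nonce k is passed in explicitly so that the runs are reproducible (in real use it must be fresh, secret and random for every signature or encryption), and H is SHA-256 truncated to the bit length of n, as the text allows.

```python
"""Affine EC arithmetic over F_p plus toy ECDH, ElGamal and ECDSA on the 13-point curve of Examples 3.7/3.8."""
import hashlib
from collections import namedtuple

Curve = namedtuple("Curve", "p a b")   # y^2 = x^3 + a*x + b over F_p (my own container)
O = None                                # the point at infinity

def neg(E, P):
    """Point inversion (Definition 3.5): reflect P about the x-axis."""
    return O if P is O else (P[0], (-P[1]) % E.p)

def add(E, P, Q):
    """P + Q following cases 1-5 of Section 3.3 (affine coordinates, one field inversion)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % E.p == 0:        # Q = -P: cases 2 and 4
        return O
    if P == Q:                                    # case 3: tangent slope
        m = (3 * x1 * x1 + E.a) * pow(2 * y1, -1, E.p) % E.p
    else:                                         # case 1: chord slope
        m = (y2 - y1) * pow(x2 - x1, -1, E.p) % E.p
    x3 = (m * m - x1 - x2) % E.p
    return (x3, (m * (x1 - x3) - y1) % E.p)

def mul(E, k, P):
    """k*P by double-and-add; for k < 0 this is |k| copies of -P."""
    if k < 0:
        k, P = -k, neg(E, P)
    R = O
    while k:
        if k & 1:
            R = add(E, R, P)
        P = add(E, P, P)
        k >>= 1
    return R

def points(E):
    """Enumerate E(F_p) as in Table 3.1: for each x, every y with y^2 = x^3 + ax + b."""
    pts = [O]
    for x in range(E.p):
        rhs = (x ** 3 + E.a * x + E.b) % E.p
        pts += [(x, y) for y in range(E.p) if y * y % E.p == rhs]
    return pts

def ecdh(E, P, a, b):
    """Section 3.4.1: Alice holds a, Bob holds b; returns (Alice's abP, Bob's baP)."""
    Pa, Pb = mul(E, a, P), mul(E, b, P)          # the public keys, sent in the clear
    return mul(E, a, Pb), mul(E, b, Pa)

def elgamal_encrypt(E, P, B, M, k):
    """Section 3.4.2: (M1, M2) = (kP, M + kB); k must differ for every message."""
    return mul(E, k, P), add(E, M, mul(E, k, B))

def elgamal_decrypt(E, b, M1, M2):
    return add(E, M2, neg(E, mul(E, b, M1)))     # M = M2 - b*M1

def digest(m, n):
    """H(m): SHA-256 keeping only the leftmost bits, so bitlen(H(m)) <= bitlen(n)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return h >> (256 - n.bit_length())

def ecdsa_sign(E, P, n, d, m, k, H=digest):
    """Algorithm 3.1; the caller supplies k (random and secret in real use)."""
    R = mul(E, k, P)
    r = R[0] % n if R is not O else 0
    s = pow(k, -1, n) * (H(m, n) + d * r) % n
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: go back to step 1 with another k")
    return r, s

def ecdsa_verify(E, P, n, Q, m, sig, H=digest):
    """Algorithm 3.2: X = u1*P + u2*Q equals kP exactly when (r, s) is genuine."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    w = pow(s, -1, n)
    u1, u2 = H(m, n) * w % n, r * w % n
    X = add(E, mul(E, u1, P), mul(E, u2, Q))
    return X is not O and X[0] % n == r

if __name__ == "__main__":
    E, alpha, n = Curve(11, 1, 6), (2, 7), 13          # Example 3.7: #E = 13
    print(len(points(E)), [mul(E, i, alpha) for i in range(1, 13)])
    print(ecdh(E, alpha, 3, 7))                          # both sides obtain 21*alpha = (3, 5)
    beta = mul(E, 7, alpha)                              # Example 3.8: Bob's key 7, beta = (7, 2)
    y = elgamal_encrypt(E, alpha, beta, (10, 9), 3)      # ((8, 3), (10, 2))
    print(y, elgamal_decrypt(E, 7, *y))                  # recovers (10, 9)
    for k in range(1, n):                                # "if s = 0 then go to step 1"
        try:
            sig = ecdsa_sign(E, alpha, n, 7, b"message", k)
            break
        except ValueError:
            continue
    print(sig, ecdsa_verify(E, alpha, n, beta, b"message", sig))
```

With a 4-bit hash and n = 13 the branch "if s = 0 then go to step 1" of Algorithm 3.1 is hit for roughly one k in thirteen, which is why the demo retries with the next k; for a 160-bit n that branch is reached with negligible probability. The verifier's range check on r and s (step 1 of Algorithm 3.2) is what rejects a signature such as (0, s) before any curve arithmetic is done.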

3.4.5 PSEC

The Provably Secure Encryption Curve scheme (PSEC) [27] is due to Fujisaki and Okamoto. The version we present here is derived by combining PSEC-KEM, a Key Encapsulation Mechanism, and DEM1, a Data Encapsulation Mechanism, which are described in the ISO 18033-2 draft standard. PSEC-KEM has also been evaluated by NESSIE and CRYPTREC. The following cryptographic primitives are used in PSEC:

1. KDF is a key derivation function that is constructed from a hash function.
2. ENC is the encryption function for a symmetric-key encryption scheme such as the AES, and DEC is the decryption function.
3. MAC is a message authentication code algorithm such as HMAC.

The encryption and decryption of PSEC are given in Algorithms 3.3 and 3.4.

Algorithm 3.3: PSEC encryption
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, plaintext m.
Output: Ciphertext (R, C, s, t).
1. Select r ∈_R {0, 1}^l, where l is the bit length of n.
2. (k_0, k_1, k_2) = KDF(r), where k_0 has bit length l + 128.
3. Compute k = k_0 mod n.
4. Compute R = kP and Z = kQ.
5. Compute s = r ⊕ KDF(R, Z).
6. Compute C = ENC_{k_1}(m) and t = MAC_{k_2}(C).
7. Return (R, C, s, t).

Algorithm 3.4: PSEC decryption
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, ciphertext (R, C, s, t).
Output: Plaintext m or rejection of the ciphertext.
1. Compute Z = dR.
2. Compute r = s ⊕ KDF(R, Z).
3. (k_0, k_1, k_2) = KDF(r), where k_0 has bit length l + 128.
4. Compute k = k_0 mod n.
5. Compute R' = kP.
6. If R' ≠ R then return("Reject the ciphertext").
7. Compute t' = MAC_{k_2}(C).
8. If t' ≠ t then return("Reject the ciphertext").
9. Compute m = DEC_{k_1}(C).
10. Return (m).

Proof that decryption works: If the ciphertext (R, C, s, t) was indeed generated by the legitimate entity when encrypting m, then

dR = d(kP) = k(dP) = kQ.   (3.16)

Thus the decryptor computes the same keys (k_0, k_1, k_2) as the encryptor, accepts the ciphertext, and recovers m.

3.4.6 ECIES

The Elliptic Curve Integrated Encryption Scheme (ECIES) [26] was proposed by Bellare and Rogaway, and is a variant of the ElGamal public-key encryption scheme. It has been standardized in ANSI X9.63 [32] and ISO/IEC 15946-3, and it is in the IEEE P1363a draft standard [33]. In ECIES, a Diffie-Hellman shared secret is used to derive two symmetric keys k_1 and k_2. k_1 is used to encrypt the plaintext using a symmetric-key cipher, while k_2 is used to authenticate the resulting ciphertext. Intuitively, the authentication guards against chosen-ciphertext attacks, since the adversary cannot generate valid ciphertexts on her own. The following cryptographic primitives are used:

1. KDF is a key derivation function that is constructed from a hash function H. If a key of l bits is required, then KDF(S) is defined to be the concatenation of the hash values H(S, i), where i is a counter that is incremented for each hash function evaluation until l bits of hash values have been generated.
2. ENC is the encryption function for a symmetric-key encryption scheme such as the AES, and DEC is the decryption function.
3. MAC is a message authentication code algorithm such as HMAC.

The encryption and decryption of ECIES are given in Algorithms 3.5 and 3.6.

Algorithm 3.5: ECIES encryption
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), public key Q, plaintext m.
Output: Ciphertext (R, C, t).
1. Select k ∈_R [1, n − 1].
2. Compute R = kP and Z = hkQ.
3. If Z = ∞ then go to step 1.
4. (k_1, k_2) = KDF(x_Z, R), where x_Z is the x-coordinate of Z.
5. Compute C = ENC_{k_1}(m) and t = MAC_{k_2}(C).
6. Return (R, C, t).

Algorithm 3.6: ECIES decryption
Input: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, ciphertext (R, C, t).
Output: Plaintext m or rejection of the ciphertext.
1. Perform an embedded public key validation of R. If the validation fails then return("Reject the ciphertext").
2. Compute Z = hdR.
3. If Z = ∞ then return("Reject the ciphertext").
4. (k_1, k_2) = KDF(x_Z, R), where x_Z is the x-coordinate of Z.
5. Compute t' = MAC_{k_2}(C).
6. If t' ≠ t then return("Reject the ciphertext").
7. Compute m = DEC_{k_1}(C).
8. Return (m).

Proof that decryption works: If the ciphertext (R, C, t) was indeed generated by the legitimate entity when encrypting m, then

hdR = hd(kP) = hk(dP) = hkQ.   (3.17)

Thus the decryptor computes the same keys (k1 , k2 ) as the encryptor, accepts the cipher text, and recovers m.
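As an added example (not code from the thesis or from any ECIES implementation), the following Python script realises the symmetric part of Algorithms 3.5 and 3.6, that is steps 4 to 6 of encryption and 4 to 8 of decryption once the shared point Z is known: the counter-based KDF of item 1 above, the split into (k_1, k_2), encryption under k_1, and the MAC check under k_2 that rejects a modified ciphertext before any decryption is attempted. The elliptic curve part (R = kP, Z = hkQ = hdR) is not repeated here; the script takes x_Z and R as inputs, and the values in the demo are constructed. The 4-byte counter encoding, the 32-byte serialisation of x_Z and R, and the hash-derived XOR keystream standing in for AES are my assumptions, and the function names are my own.

```python
"""Symmetric half of ECIES: counter-mode KDF from a hash, (k1, k2) split, ENC under k1, MAC under k2."""
import hashlib
import hmac

def kdf_block(S, i):
    """One hash evaluation H(S, i); the 32-bit big-endian counter encoding is an assumption."""
    return hashlib.sha256(S + i.to_bytes(4, "big")).digest()

def kdf(S, l):
    """KDF(S) = H(S,1) || H(S,2) || ... until l bits have been produced, then cut to l bits."""
    out, i = b"", 1
    while len(out) * 8 < l:
        out += kdf_block(S, i)
        i += 1
    return out[: l // 8]

def derive_keys(x_z, R):
    """(k1, k2) = KDF(x_Z, R). x_Z and the coordinates of R are serialised as 32-byte
    big-endian integers (an assumption; the standards fix their own encoding)."""
    S = b"".join(v.to_bytes(32, "big") for v in (x_z, R[0], R[1]))
    k = kdf(S, 512)                     # two 256-bit keys
    return k[:32], k[32:]

def enc(k1, data):
    """Stand-in for ENC/DEC: XOR with a keystream drawn from the KDF. The thesis names
    AES here; this hash-based stream only keeps the script dependency-free."""
    stream = kdf(b"stream" + k1, len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, stream))

def mac(k2, C):
    """MAC_k2(C) with HMAC-SHA256, as the text suggests for MAC."""
    return hmac.new(k2, C, hashlib.sha256).digest()

def encapsulate(x_z, R, m):
    """Steps 4-6 of Algorithm 3.5, given the x-coordinate of the shared point Z and R."""
    k1, k2 = derive_keys(x_z, R)
    C = enc(k1, m)
    return C, mac(k2, C)

def decapsulate(x_z, R, C, t):
    """Steps 4-8 of Algorithm 3.6: verify the tag first; on mismatch reject (return None)."""
    k1, k2 = derive_keys(x_z, R)
    if not hmac.compare_digest(mac(k2, C), t):
        return None                      # "Reject the cipher text"
    return enc(k1, C)                    # the XOR keystream is its own inverse

if __name__ == "__main__":
    # Constructed values: in the real scheme x_z comes from Z = hkQ = hdR and R = kP.
    x_z, R = 0x1234, (0x42, 0x99)
    C, t = encapsulate(x_z, R, b"hello ecies")
    print(decapsulate(x_z, R, C, t))                 # b'hello ecies'
    tampered = bytes([C[0] ^ 1]) + C[1:]             # flip one ciphertext bit
    print(decapsulate(x_z, R, tampered, t))          # None: the MAC check fails
```

The order of operations in `decapsulate` is the point of the construction: the tag is checked under k_2 before k_1 is ever applied, so a ciphertext that was not produced with the right shared secret is rejected without releasing any plaintext, which is what the text means by guarding against chosen-ciphertext attacks.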

3.5 ECC efficiency factors

The design of elliptic curve based cryptographic systems implies a number of non-trivial challenges and trade-offs. Fig. 3.8 summarizes the factors involved in the design process and their impact on the layers of the ECC engineering map. First of all, the target computing environment is likely to influence the design process significantly. This is especially true of ECC, since it finds a natural application in resource-constrained systems, such as PDAs, mobile phones, and smart cards. The overall available resources (processing power, memory, power consumption) often determine the functionality of the system designed and, in that respect, they conflict with application requirements. For example, on a smart card it is reasonable to implement ECC based signature and encryption, but not curve generation. On the other hand, the characterization of the target application usually influences the way such resources are exploited. In fact, different applications require different cryptographic schemes and in turn involve the underlying elliptic curve operations in different ways. As a result, spending large efforts on improving the execution time of a specific operation may or may not make sense. In addition, the application scope and expected life-cycle have a considerable impact on implementation efforts toward flexibility and scalability. It is crucial to assess the level of flexibility necessary for the designed system to respond to changes in parameters/algorithms/schemes that are likely to occur during its life-cycle. Similar observations hold for security requirements.

Figure 3.8: ECC Design Factors

Once the impact of computing environment constraints and application requirements is assessed, a large number of design choices must be addressed at each layer of Fig. 3.8, and correspondingly many different trade-offs can be recognized. These include the following:

• Implementation efficiency versus implementation security. As shown in the previous sections, at each layer of the ECC design map there are a number of implementation options that are specifically related to the problem of obtaining secure designs. For example, for the implementation of elliptic curve arithmetic there are many algorithms available in the technical literature (see [34]) that are deliberately conceived for thwarting side-channel attacks. These measures often entail non-optimal time/area performance and, in some cases, limit the generality of the implemented solutions. While a slight penalty in performance is usually acceptable in favor of security, compromising the flexibility of the design solution would in general require a deeper cost/benefit analysis.
• Time-to-market versus speed/flexibility/security. The time-to-market is perhaps the major factor that impacts the commercial value of a design solution. Special measures enabling implementation efficiency, flexibility, and security are all likely to increase development times with respect to straightforward approaches. On the other hand, generic off-the-shelf solutions (IP cores, software programs) may not meet such specific requirements, or otherwise may entail additional costs.
• Execution time versus area/memory requirements. The usual time versus area trade-offs hold at many different layers of the ECC design map, including among other things double-and-add versus windowing methods, scalar versus parallel field multipliers, etc.
• Speed versus flexibility. As mentioned in the introductory sections, implementation of ECC offers many tempting possibilities of exploiting parameter-specific optimizations or particular standard prescriptions. For example, the implementation of field multiplication takes advantage of the particular irreducible polynomials used for representation, often suggested by standards such as NIST [35].

The latter point highlights the impact of standard compliance on the design process. In fact, standards usually contain many implementation-aware provisions, and many standard parameters, such as curve type/coefficients, field order, etc., are defined with hardware or software implementation implications in mind. Indeed, the implementation of ECC standards is probably very different from the implementation of general ECC algorithms. A design choice that takes on particular importance for elliptic curve based systems is the hardware/software partitioning. Where the boundary between hardware and software should be placed depends significantly, again, on the specific class of parameters adopted. For instance, the implementation of GF(2^m) arithmetic benefits drastically from hardware acceleration due to its carry-less nature, while for GF(p) arithmetic there are many efficient techniques for software implementation. Whether to use dedicated hardware blocks or not has considerable implications on design budgets, time-to-market, flexibility, scalability, and even security, alongside mere time performance. Many research works and commercial proposals suggest that generic hardware support for field arithmetic and software control for the higher layers could turn out to be a profitable choice for usual applications, as it enables speed optimization of the basic mathematical operations (e.g., field multiplications/inversions) while leaving room for flexibility, scalability and algorithmic security of the overall design.

Below the layers of Fig. 3.8 are the design choices made at the technology level. These include low-level protection mechanisms (randomised clocking, noise generation, sensor meshes, dual-rail logic, etc.) and radical technology choices such as the use of application-specific ICs (ASICs) or field-programmable gate arrays (FPGAs), with significant implications on security, flexibility, speed and costs. We have not discussed the technology level here, since it is mostly orthogonal to the classes of security applications designed above it. Conventional techniques for the production of cryptographic devices and previous research investigations about protection methods and implementation technologies (e.g., ASICs versus FPGAs) still apply to the case of ECC. These concluding remarks highlight the fact that, although ECC is now a mature and widely accepted alternative to traditional public-key cryptosystems, the engineering of ECC is still an open research field and constitutes a complex, interdisciplinary subject [34].

From [36], we can summarize the content of this section in the following points:
• Choice of the underlying field: depends on hardware or software implementation
• Representation of the elements of this field: influences mostly the speed
• Implementing the arithmetic in the field: the same
• Selecting an appropriate curve: influences speed and security
• Implementing the EC operations (addition, doubling, scalar multiplication): influences speed and security


Chapter 4 Elliptic Curve Scalar Multiplication

The basic operation in most elliptic curve cryptosystems is the scalar multiplication $kP$. Scalar multiplications are the most time-consuming operations in elliptic curve cryptosystems, which are often implemented on devices with constrained computational power and memory, so efficient implementations are essential. Scalar multiplication is required in many Elliptic Curve Cryptosystems (ECC), for example in the verification of ElGamal digital signatures, the verification of ECDSA, provably secure digital signatures [37, 38], multi-party protocols [39] and the protocols of Brands [40]. In most cases where scalar multiplication is applied, it dominates the overall running time, so its efficiency is essential in elliptic curve cryptosystems. Conventional methods for computing scalar multiplication can be classified into three types; this chapter reviews the conventional algorithms.

Scalar multiplication, adding a point $P$ to itself $k$ times, is an important operation on the group of points of an elliptic curve, especially for ECC; it is the multiplication of an elliptic curve point by an integer. In certain situations either the point or the multiplier is known in advance. When neither is known in advance we speak of the unknown point case, and any pre-computation involving the point to be multiplied is counted as part of the operation. There are also algorithms for the known point case and the known multiplier case.

The unknown point methods are related to the classical binary scalar multiplication algorithm [41]. The binary method computes the scalar multiple of a point by a sequence of doublings and additions determined by the digits of the binary representation of the multiplier [42]. Improvements to this algorithm can be made by taking different binary representations of the multiplier, such as the non-adjacent form (NAF) [43] or the width-$w$ non-adjacent form ($w$-NAF) [44]. These and similar representations lead to the binary NAF, window NAF, sliding window [4] and fractional window algorithms [45]. An algorithm based on double-base number systems [46] generalizes the binary algorithm.

In the known point or known multiplier cases, some steps can be taken to speed up scalar multiplication. The main techniques for the known point case are the fixed-base windowing technique [47, 48] and the comb method [49]. Windowing works by precomputing a number of the binary power multiples of the fixed point to eliminate the need for doubling. In the comb method, expensive sums of certain multiples of $P$ are stored in order to reduce the number of operations needed. These methods involve expensive pre-computations and provide a significant speedup compared to the unknown point algorithms. The known multiplier algorithms rely on generating an addition chain for the multiplier, which is our concern here. The golden ratio technique can be used for addition-subtraction (AS) chain generation [50], and Euclidean addition chains also give a solution [51]. Figure 4.1 shows the general classification of scalar multiplication algorithms. The comparison between the implemented scalar multiplication algorithms is presented in Chapter 6.

Figure 4.1: Kinds of Scalar Multiplication Algorithms


4.1 Binary Method

The naive method for computing $kP$ from $P$ is to add $P$ to itself $k$ times. This is inefficient, since it takes $k - 1$ elliptic curve additions. Binary exponentiation is a simple method that requires on the order of $\log k$ elliptic curve operations. It is equivalent to the square-and-multiply method for modular exponentiation (see Gordon [42]) written in additive form, and is often called the double-and-add algorithm. The algorithm relies on the fact that every positive integer $k$ has a binary representation $(k_{d-1}, \ldots, k_0)_2$ such that

$$k = k_{d-1} 2^{d-1} + \cdots + k_1 2 + k_0 \tag{4.1}$$

with $k_{d-1} \neq 0$ and $k_i \in \{0, 1\}$. Using Horner's rule [41] we can write

$$kP = 2\big(2(\cdots(2 k_{d-1} P + k_{d-2} P) + \cdots) + k_1 P\big) + k_0 P, \tag{4.2}$$

which allows $kP$ to be computed by a sequence of doublings and additions. The right-to-left binary scalar multiplication Algorithm 4.1 [42] begins with the least significant digit: each binary power multiple $2^i P$ of $P$ is computed in turn and added to the running total when the corresponding digit is 1. The left-to-right binary scalar multiplication Algorithm 4.2 [42], which follows Horner's rule directly, begins with the most significant digit: the running total is doubled for every digit and $P$ is added to it for each nonzero digit. Both Algorithms 4.1 and

Algorithm 4.1: Right-to-Left Binary Scalar Multiplication
Input: Affine point $P$, positive integer $k$ with binary representation $(k_{d-1}, \ldots, k_0)_2$
Output: Affine point $kP$
    Q = O; T = P;
    for i = 0 to d − 1 do
        if k_i ≠ 0 then Q = Q + T;
        T = 2T;
    return Q;

Algorithm 4.2: Left-to-Right Binary Scalar Multiplication
Input: Affine point $P$, positive integer $k$ with binary representation $(k_{d-1}, \ldots, k_0)_2$
Output: Affine point $kP$
    Q = P;
    for i = d − 2 down to 0 do
        if k_i = 1 then Q = 2Q + P
        else Q = 2Q;
    return Q;


4.2 take $d - 1$ doublings and $H(k) - 1$ additions, where $d$ is the bit-length of $k$ and $H(k)$ is the Hamming weight (the number of nonzero digits) of $k$; $H(k)$ is $(d + 1)/2$ on average.
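As an added illustration of Algorithms 4.1 and 4.2 (example code written for this page, not taken from the thesis), the following Python implements affine point addition and doubling over $GF(p)$ and both binary methods, and checks them against naive repeated addition. The curve $y^2 = x^3 + 2x + 2$ over $GF(17)$ with base point $(5, 1)$ of order 19 is a textbook toy parameter set assumed here only so that the whole group can be enumerated; it has no cryptographic strength.

```python
# Added example for Algorithms 4.1 and 4.2 (not the thesis' code).
# Toy curve y^2 = x^3 + 2x + 2 over GF(17), base point (5, 1) of order 19: assumed
# parameters for illustration only, far too small for any real use.
P_MOD, A_COEF, B_COEF = 17, 2, 2
G = (5, 1)
INF = None          # the point at infinity O


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine chord-and-tangent addition; handles O, inverse points and p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                              # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)               # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_double(pt):
    return ec_add(pt, pt)


def naive_mul(k, pt):
    """kP by k additions: the reference the binary methods are checked against."""
    q = INF
    for _ in range(k):
        q = ec_add(q, pt)
    return q


def mul_right_to_left(k, pt):
    """Algorithm 4.1: scan k from the least significant bit; T runs through 2^i P."""
    q, t = INF, pt
    while k > 0:
        if k & 1:            # key-dependent branch: the classic side-channel leak
            q = ec_add(q, t)
        t = ec_double(t)
        k >>= 1
    return q


def mul_left_to_right(k, pt):
    """Algorithm 4.2 (Horner's rule): double for every bit, add P on each 1 bit."""
    if k == 0:
        return INF
    q = pt                                   # the leading bit k_{d-1} is 1
    for bit in bin(k)[3:]:                   # bits k_{d-2} ... k_0
        q = ec_double(q)
        if bit == "1":
            q = ec_add(q, pt)
    return q


def binary_cost(k):
    """(doublings, additions) used by Algorithm 4.2: (d - 1, H(k) - 1)."""
    return k.bit_length() - 1, bin(k).count("1") - 1
```

The branch on each key bit in both loops is exactly the data-dependent behaviour that the side-channel countermeasures mentioned in Chapter 3 exist to remove; this code is meant to show correctness and operation counts, not to be constant-time.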

4.2 Window NAF Algorithm

Given $w \ge 2$, a width-$w$ NAF (or simply $w$-NAF) of an integer $k$ is a base-2 representation

$$k = \sum_{i=0}^{d-1} k_i 2^i, \tag{4.3}$$

where each nonzero digit $k_i$ is odd, $|k_i| < 2^{w-1}$ for all $i$, and at most one of any $w$ consecutive digits is nonzero. The set of possible values of the $k_i$ is called the digit set of the representation. Notice that when $w = 2$ this is the NAF representation. Every $k \in \mathbb{N}$ has a unique width-$w$ NAF, denoted $\mathrm{NAF}_w(k)$ (see Muir and Stinson [44]); the representation is a generalization of the NAF. Theorem 4.1 summarizes the properties of the $w$-NAF from Muir and Stinson [44].

Theorem 4.1 Let $k, w$ be positive integers.
1. $k$ has a unique width-$w$ NAF.
2. $\mathrm{NAF}_2(k) = \mathrm{NAF}(k)$.
3. The length of $\mathrm{NAF}_w(k)$ is at most one more than the length of the binary representation of $k$.
4. The average density of nonzero digits among all width-$w$ NAFs of length $l$ is $1/(w + 1)$.

Möller [45] and Bosma [43] discuss methods to eliminate the length expansion of a $w$-NAF expansion in around half of the cases. As with the NAF, there is a left-to-right analogue of the $w$-NAF, namely the $w$-MOF described in Okeya et al. [52]. Algorithm 4.3 computes the width-$w$ NAF of an integer, from Hankerson et al. [4]; there "$k \bmod 2^w$ (signed)" denotes the residue of $k$ modulo $2^w$ taken in the range $[-2^{w-1}, 2^{w-1})$, which is odd because $k$ is odd at that step.

Algorithm 4.3: Computing the Width-$w$ NAF of an Integer
Input: Positive integers $k$, $w$
Output: Width-$w$ NAF of $k$, $(k_{i-1}, \ldots, k_0)$
    i = 0;
    while k ≥ 1 do
        if k is odd then
            k_i = k mod 2^w (signed); k = k − k_i;
        else
            k_i = 0;
        k = k/2; i = i + 1;
    return (k_{i−1}, ..., k_0)

The digit set $B$ of this representation is the set of odd integers between $-2^{w-1}$ and $2^{w-1}$. If the points $bP$ are precomputed for every positive $b$ in $B$, the binary algorithm can again be applied; the advantage is that the number of nonzero digits, and hence the number of additions, is lower. This leads to Algorithm 4.4 for computing a scalar multiple of a point given the $w$-NAF of the multiplier, adapted from Hankerson et al. [4]. By Theorem 4.1, the expected number of nonzero digits in a width-$w$ NAF of length $d$ is approximately $d/(w + 1)$.

52

Algorithm 4.4: Left-to-Right Window NAF
Input: Positive integer $k$ with $\mathrm{NAF}_w(k) = (k_{d-1}, \ldots, k_0)$, affine point $P$
Output: Affine point $kP$
    /* Pre-computation */
    P_1 = P; P_2 = 2P;
    foreach i ∈ {3, 5, ..., 2^{w−1} − 1} do P_i = P_{i−2} + P_2;
    /* Computation */
    Q = P_{k_{d−1}};
    for i = d − 2 down to 0 do
        if k_i > 0 then Q = 2Q + P_{k_i}
        else if k_i < 0 then Q = 2Q − P_{−k_i}
        else Q = 2Q;
    return Q

Since about $d/(w + 1)$ of the digits are nonzero, the running time of Algorithm 4.4 is approximately

$$\big(D + (2^{w-2} - 1)A\big) + \Big(\Big(\frac{d}{w+1} - 1\Big)A + (d - 1)D\Big), \tag{4.4}$$

where the first bracket is the cost of the pre-computation. Algorithm 4.4 also requires the storage of $2^{w-2} - 1$ points.
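An added example (not from the thesis) of Algorithm 4.3 and the window method of Algorithm 4.4 in Python. To keep the block independent of curve arithmetic, Algorithm 4.4 is written against a generic group given by add, double and negate callbacks, and the tests exercise it on the integers under addition, where the scalar multiple of 1 is simply $k$. `check_wnaf` verifies the digit properties of (4.3) and Theorem 4.1, and the returned operation counts can be compared with (4.4).

```python
# Added example for Algorithms 4.3 and 4.4 (not the thesis' code). The window
# method takes a generic abelian group through add/dbl/neg callbacks and is
# exercised on the integers under addition, where k * 1 == k.

def mods(k, m):
    """Signed residue of k modulo m, in the range [-m/2, m/2)."""
    r = k % m
    return r - m if r >= m // 2 else r


def wnaf(k, w):
    """Algorithm 4.3: digits (k_0, ..., k_{d-1}) of NAF_w(k), least significant first."""
    if k <= 0 or w < 2:
        raise ValueError("need k > 0 and w >= 2")
    digits = []
    while k >= 1:
        if k & 1:
            ki = mods(k, 1 << w)          # odd digit with |ki| < 2^(w-1)
            k -= ki                       # k becomes divisible by 2^w
        else:
            ki = 0
        digits.append(ki)
        k >>= 1
    return digits


def check_wnaf(digits, k, w):
    """Definition (4.3) / Theorem 4.1: value, odd bounded digits, non-adjacency."""
    if sum(d << i for i, d in enumerate(digits)) != k:
        return False
    bound = 1 << (w - 1)
    for i, d in enumerate(digits):
        if d == 0:
            continue
        if d % 2 == 0 or abs(d) >= bound:
            return False
        if any(digits[i + 1:i + w]):     # at most one nonzero in any w consecutive digits
            return False
    return True


def window_naf_mul(k, w, add, dbl, neg, point):
    """Algorithm 4.4 over a generic group. Returns (k*P, doublings, additions)."""
    digits = wnaf(k, w)
    table = {1: point}                    # P_1, P_3, ..., P_{2^(w-1)-1}
    p2 = dbl(point)
    dbls, adds = 1, 0
    for i in range(3, 1 << (w - 1), 2):
        table[i] = add(table[i - 2], p2)
        adds += 1
    q = table[digits[-1]]                 # the leading digit is always positive
    for d in reversed(digits[:-1]):
        q = dbl(q)
        dbls += 1
        if d > 0:
            q = add(q, table[d])
            adds += 1
        elif d < 0:
            q = add(q, neg(table[-d]))    # subtraction = addition of the negated point
            adds += 1
    return q, dbls, adds


def hamming_vs_wnaf(k, w):
    """Nonzero digits in the binary expansion versus in NAF_w(k)."""
    return bin(k).count("1"), sum(1 for d in wnaf(k, w) if d)
```

On a curve the three callbacks would be the point addition, doubling and negation $(x, y) \mapsto (x, -y)$; nothing in the window logic depends on the group.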

4.3 Fixed Base Comb

In the fixed-base windowing method, the values $2^{wi} P$ are precomputed and combined by additions to form $kP$. In the fixed-base comb method, rather than eliminating all the doublings, the goal is to use pre-computation so that the doublings are utilized more efficiently. This idea was originally proposed by Lim and Lee [49]. Suppose that $k \in \mathbb{N}$ is represented by $l$ bit-strings of length $w$, i.e.

$$k = K_{l-1} \,\|\, K_{l-2} \,\|\, \cdots \,\|\, K_1 \,\|\, K_0, \tag{4.5}$$

where $K_i = K_{i,w-1} \,\|\, K_{i,w-2} \,\|\, \cdots \,\|\, K_{i,0}$ and $K_{i,j} \in \{0, 1\}$. We can write $k$ as follows:

$$k = \sum_{i=0}^{l-1} \sum_{j=0}^{w-1} K_{i,j} 2^{wi+j} = \sum_{j=0}^{w-1} \Big( \sum_{i=0}^{l-1} K_{i,j} 2^{wi+j} \Big) = \sum_{j=0}^{w-1} 2^j \Big( \sum_{i=0}^{l-1} K_{i,j} 2^{wi} \Big). \tag{4.6}$$

By pre-computing all the possible values of $\sum_{i=0}^{l-1} K_{i,j} 2^{wi}$ (times $P$), it takes $w - 1$ doublings and about $w - 1$ additions on average to compute $kP$. In order to simplify the notation, we define

$$[a_{l-1}, a_{l-2}, \ldots, a_1, a_0]P := a_{l-1} 2^{(l-1)w} P + a_{l-2} 2^{(l-2)w} P + \cdots + a_1 2^w P + a_0 P. \tag{4.7}$$

These values are precomputed for all possible $(a_{l-1}, \ldots, a_0) \in \{0, 1\}^l$, resulting in Algorithm 4.5, adapted from Hankerson et al. [4].

Algorithm 4.5: Fixed-Base Comb
Input: Affine point $P$, positive integer $k$ written as $l$ bit-strings of length $w$: $K_{l-1} \,\|\, K_{l-2} \,\|\, \cdots \,\|\, K_1 \,\|\, K_0$
Output: Affine point $kP$
    /* Off-line pre-computation */
    Compute [a_{l−1}, a_{l−2}, ..., a_1, a_0]P for all (a_{l−1}, ..., a_0) ∈ {0, 1}^l;
    /* Computation */
    Q = O;
    for j = w − 1 down to 0 do
        Q = 2Q + [K_{l−1,j}, ..., K_{0,j}]P;
    return Q

The average running time of Algorithm 4.5 is

$$\Big( \frac{2^l - 1}{2^l} (w - 1) \Big) A + (w - 1) D. \tag{4.8}$$

The algorithm also requires the storage of $2^l - 2$ temporary points.
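An added example (not the thesis' code) of the fixed-base comb of Algorithm 4.5 in Python, written for a generic group through add and double callbacks with the identity $O$ represented as `None`. The column extraction implements the last form of (4.6): column $j$ collects the bits $K_{l-1,j}, \ldots, K_{0,j}$, and the table entry indexed by those bits is $[a_{l-1}, \ldots, a_0]P$ of (4.7). The tests run it on the integers under addition, where the multiple of 1 is just $k$.

```python
# Added example for the fixed-base comb of Section 4.3 (not the thesis' code).
# Generic group via add/dbl callbacks; the identity O is None. Exercised on the
# integers under addition, where [a_{l-1}, ..., a_0] * 1 is the integer whose
# bits a_i sit w positions apart.

def comb_precompute(point, w, l, add, dbl):
    """Table of [a_{l-1}, ..., a_0]P (eq. 4.7) for every a in {0,1}^l, keyed by the
    integer whose bit i is a_i. Costs 2^l - 2 additions and w(l-1) doublings."""
    powers, cur = [], point                  # powers[i] = 2^{w i} P
    for i in range(l):
        powers.append(cur)
        if i < l - 1:
            for _ in range(w):
                cur = dbl(cur)
    table = {0: None}
    for a in range(1, 1 << l):
        low = a & -a                          # lowest set bit of a
        i = low.bit_length() - 1
        rest = table[a ^ low]                 # already computed (smaller index)
        table[a] = powers[i] if rest is None else add(rest, powers[i])
    return table


def comb_column(k, w, l, j):
    """The bits K_{l-1,j}, ..., K_{0,j} of column j of the w x l comb, as an integer."""
    a = 0
    for i in range(l):
        a |= ((k >> (w * i + j)) & 1) << i
    return a


def comb_mul(k, w, l, table, add, dbl):
    """Algorithm 4.5: returns (kP, doublings, additions) using the precomputed table."""
    if k >= 1 << (w * l):
        raise ValueError("k does not fit in l windows of w bits")
    q, dbls, adds = None, 0, 0
    for j in range(w - 1, -1, -1):
        if q is not None:                     # 2Q with Q = O is skipped
            q = dbl(q)
            dbls += 1
        t = table[comb_column(k, w, l, j)]
        if t is not None:
            if q is None:
                q = t
            else:
                q = add(q, t)
                adds += 1
    return q, dbls, adds
```

With $w = 4$ and $l = 5$ the table covers 20-bit scalars, uses $w - 1 = 3$ doublings per multiplication, and holds $2^l - 1$ non-identity entries, of which all but $P$ itself must be stored, matching the count given above.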

4.4 Addition Chains and Scalar Multiplication

There are several situations in cryptography in which a number of exponentiations with a fixed exponent must be computed, such as RSA encryption and decryption and ElGamal decryption [19]. In such cases addition chains play a vital role: they are used to compute an exponentiation, or more generally several exponentiations, efficiently. The purpose of an addition chain is to minimize the number of multiplications required for an exponentiation. For example, given an addition chain of length $l$ for the positive integer $e$, the computation of $g^e$ for any element $g \neq 1$ of an abelian group $G$ requires exactly $l$ multiplications. Therefore finding addition chains of small length is essential for efficient computation. However, finding a shortest addition chain is computationally hard in general (the closely related problem of finding a shortest addition sequence for a set of integers is NP-complete), so practical methods are heuristics that produce short, but not necessarily minimal, chains. Scalar multiplication for elliptic curves is a special case of the general problem of exponentiation in abelian groups; therefore it benefits from all the techniques available for the general problem and from the related short addition chain problem for integers. The addition chain problem is stated as follows: given a positive integer $k$, starting from the integer 1 and computing at each step the sum of two previous results, what is the least number of steps required to reach $k$? Efficient algorithms for group exponentiation have received much attention in recent years because of their applications in public key cryptography, although interest in the problem dates from ancient times. An excellent technical and historical account of exponentiation and the addition chain problem is given by Knuth [41] in Chapter 4, who traces the problem back to 200 BC. A survey by Gordon [42] describes various fast methods, including some specialized methods for elliptic curve groups, and various techniques and algorithms for exponentiation in the context of elliptic curve cryptography are described in [19]. Certain properties of the elliptic curve setting make exponentiation algorithms faster: elliptic curve subtraction has virtually the same cost as addition, so the search space for fast algorithms can be expanded to addition-subtraction chains and signed binary representations. In this chapter some well known results and algorithms concerning addition chains and exponentiation are reviewed as preliminaries for this thesis.

4.4.1 Addition Chains

In this section some classic definitions used in the study of addition chains are presented; the Fibonacci sequence is reviewed in the next section. More details can be found in [20, 53].

Definition 4.1 An addition chain computing an integer $k$ is given by two sequences $v = (v_0, \ldots, v_l)$ and $w = (w_1, \ldots, w_l)$ such that $v_0 = 1$, $v_l = k$ and $v_i = v_r + v_s$ for all $1 \le i \le l$, where $w_i = (r, s)$ with $0 \le r, s \le i - 1$. The length of the addition chain is $l$.

Definition 4.2 An addition-subtraction chain is defined in the same way, except that the rule $v_i = v_r + v_s$ is replaced by $v_i = v_r + v_s$ or $v_i = v_r - v_s$.


4.4.2 Golden Ratio Algorithm

In this section we review the strategy for finding an efficient doubling-free short addition-subtraction chain by utilizing the golden ratio. This is a recent result in the computation of addition-subtraction chains (ASC) suited to scalar multiplication in ECC; in [54] the authors call it the Golden Ratio Addition-Subtraction Chain method (GRASC). We need some classic definitions from the study of addition chains and an overview of the Fibonacci sequence; more details can be found in [20, 53].

Definition 4.3 The Fibonacci sequence is defined by $F_n = F_{n-1} + F_{n-2}$ for $n \ge 2$, with $F_0 = 0$ and $F_1 = 1$.

The Fibonacci sequence has many properties [53, 55]; we recall one of them here, Binet's formula.

Theorem 4.2 (Binet's Formula).

$$F_n = \frac{\varphi^n - (1 - \varphi)^n}{\sqrt{5}}, \quad \forall n \in \mathbb{N}, \tag{4.9}$$

where $\varphi = (1 + \sqrt{5})/2$ is the positive root of the real polynomial $X^2 - X - 1$. From the above theorem it is easy to deduce the following classical result:

$$\lim_{n \to \infty} \frac{F_n}{F_{n-1}} = \varphi, \tag{4.10}$$

where $\varphi$ is the golden section, which we term here the golden ratio.

The last term $v_l$ of a doubling-free addition chain of length $l$ is maximal when $v$ is a Fibonacci sequence, that is

$$v_i = v_{i-1} + v_{i-2} \quad \forall i = 2, 3, \ldots, l. \tag{4.11}$$

Therefore the aim is to maintain a Fibonacci pattern. The strategy builds the chain starting from the last term. As deduced from equation (4.10), the ratio between two large succeeding terms of a Fibonacci sequence stays close to $\varphi$, so we multiply the last term (a 160-bit integer in our setting) by the inverse of the golden ratio to obtain its preceding term, that is

$$v_{i-1} \approx v_i \times \varphi^{-1}, \tag{4.12}$$

where $\varphi^{-1} = (-1 + \sqrt{5})/2$ is the inverse of the golden ratio. We then follow the Fibonacci pattern working downwards, checking each time that the ratio between two succeeding terms stays close to the golden ratio; if it does not, we take a few corrective actions and resume the Fibonacci pattern working downwards. We continue until we reach a prescribed lower bound, i.e. a small term, after which a doubling-free short addition chain can be found efficiently and joined to the previous chain to complete the overall chain. Experimentally, we found that a 160-bit Fibonacci integer has a minimal chain length of 231, whereas the GRASC method gives an average chain length of 258 for an arbitrary 160-bit integer. The GRASC method gives a minimal chain for Fibonacci numbers, or equivalently when (4.12) holds exactly, but minimality is not guaranteed for arbitrary non-Fibonacci integers. We believe that the GRASC method gives a moderately short addition-subtraction chain since it mostly follows the Fibonacci pattern.

The following describes the GRASC method in detail. We build the chain starting from the last term, which is the input $k$. Let $u_i$ denote the reverse of $v_i$, that is $u_i = v_{l-i}$. To maintain (4.12), let

$$u_0 = k, \quad u_1 = \lfloor u_0 \times \varphi^{-1} \rceil, \quad u_i = u_{i-2} - u_{i-1} \ \text{ for } i = 2, 3, \ldots, \tag{4.13}$$

where $\lfloor x \rceil$ denotes the integer nearest to $x$. If procedure (4.13) is continued unchanged, the result is not the best possible, since $u_i$ deviates exponentially from $u_{i-1} \times \varphi^{-1}$ as $i$ increases. To overcome this problem, we introduce the parameter MAXIMALGAP and interrupt procedure (4.13) as soon as

$$|u_i - (u_{i-1} \times \varphi^{-1})| > \text{MAXIMALGAP} \quad \text{or} \quad u_i \le \frac{u_{i-1}}{2}. \tag{4.14}$$

In that case we define a new $u_i$ as the nearest integer to $u_{i-1} \times \varphi^{-1}$ and resume procedure (4.13) with $u_{i-1}$ and the new $u_i$ as initial terms. Note that the old $u_i$ must remain in the chain between $u_{i-1}$ and the new $u_i$; as a consequence we have a gap $g_j = |\text{old } u_i - \text{new } u_i|$, which we include in the storage. Note also that a subtraction is involved whenever old $u_i <$ new $u_i$. We introduce a second parameter, LOWERBOUND, to stop procedure (4.13) when $u_i \le$ LOWERBOUND. The storage initially consists of 1, 2 and 3; all the gaps $g_j$ are added to it, and once procedure (4.13) has stopped the last two $u_i$ of the chain are added as well. Using the storage we then find a short addition chain that avoids doublings (except for the numeral 2), and join it to the third-last $u_i$ of the previous chain, resulting in a moderately short addition-subtraction chain for the given input $k$. Note that the storage size depends on the experimentally selected values of the two parameters.

Algorithm 4.6: Golden Ratio Addition-Subtraction Chain method (GRASC method)

Input: An integer $k$, MAXIMALGAP and LOWERBOUND.
Output: Short addition-subtraction chain for $k$.
    φ^{−1} = (−1 + √5)/2;
    u_0 = k; u_1 = ⌊u_0 × φ^{−1}⌉; u_2 = u_0 − u_1;
    v = {u_0, u_1, u_2}; S = {1, 2, 3}; i = 2; j = 1;
    while u_i > LOWERBOUND do
        if |u_i − (u_{i−1} × φ^{−1})| > MAXIMALGAP or u_i ≤ u_{i−1}/2 then
            i = i + 1;
            u_i = ⌊u_{i−2} × φ^{−1}⌉; v = v ∪ {u_i};        /* new u_i; the old one stays in v as u_{i−1} */
            g_j = |u_{i−1} − u_i|; S = S ∪ {g_j}; j = j + 1;
            u_{i+1} = u_{i−2} − u_i; v = v ∪ {u_{i+1}};
            i = i + 1;
        else
            i = i + 1;
            u_i = u_{i−2} − u_{i−1}; v = v ∪ {u_i};
    S = S ∪ {u_i, u_{i−1}};
    w = a short addition chain including all terms of S;
    return w ∪ v

Note that in the restart step of Algorithm 4.6, the gap $g_j$ is the difference between the old term and the new one that replaces it; if the old term is smaller than the new one, $g_j$ enters the chain through a subtraction.


Example 4.1: Evaluate Algorithm 4.6 for the inputs $k = 131456$, LOWERBOUND = 10 and MAXIMALGAP = 6. We begin by letting

$u_0 = k = 131456$,
$u_1 = \lfloor u_0 \times \varphi^{-1} \rceil = 81244$,
$u_2 = u_0 - u_1 = 50212$,
$u_3 = u_1 - u_2 = 31032$,
$u_4 = u_2 - u_3 = 19180$,
$u_5 = u_3 - u_4 = 11852$,
$u_6 = u_4 - u_5 = 7328$,
$u_7 = u_5 - u_6 = 4524$,
$u_8 = u_6 - u_7 = 2804$.

Since $u_8$ exceeds MAXIMALGAP, that is $|2804 - (4524 \times \varphi^{-1})| > 6$, we let

$$u_9 = \lfloor u_7 \times \varphi^{-1} \rceil = 2796. \tag{4.15}$$

There is a gap $g_1 = |2804 - 2796| = 8$, which we include in the storage. Let

$u_{10} = u_7 - u_9 = 1728$,
$u_{11} = u_9 - u_{10} = 1068$,
$u_{12} = u_{10} - u_{11} = 660$,
$u_{13} = u_{11} - u_{12} = 408$,
$u_{14} = u_{12} - u_{13} = 252$,
$u_{15} = u_{13} - u_{14} = 156$,
$u_{16} = u_{14} - u_{15} = 96$,
$u_{17} = u_{15} - u_{16} = 60$,
$u_{18} = u_{16} - u_{17} = 36$,
$u_{19} = u_{17} - u_{18} = 24$,
$u_{20} = u_{18} - u_{19} = 12$.

Since $u_{20} \le u_{19}/2$, we let

$$u_{21} = \lfloor u_{19} \times \varphi^{-1} \rceil = 15. \tag{4.16}$$

There is a gap $g_2 = |12 - 15| = 3$, which we include in the storage. Let

$$u_{22} = u_{19} - u_{21} = 9. \tag{4.17}$$

We stop the procedure at $u_{21}$, since $u_{22}$ falls below the given LOWERBOUND = 10. Now we consider the storage, which consists of the initial numbers 1, 2, 3 and the gap numbers $g_1 = 8$ and $g_2 = 3$. Further, we include $u_{21} = 15$ and $u_{22} = 9$ in the storage. Hence we have

$$1, 2, 3, 8, 3, 15, 9. \tag{4.18}$$

We exclude the repeated numbers and rearrange it as

$$1, 2, 3, 8, 9, 15. \tag{4.19}$$

We search for a moderately short addition chain including all numbers from the storage. We already have 1, 2 and 3. Further, we insert 5, so that $3 + 5 \to 8$. It follows that $1 + 8 \to 9$, $5 + 9 \to 14$ and $1 + 14 \to 15$. This completes our chain utilizing all the storage elements. Thus, we attain the following doubling-free short addition chain:

$$1 \to 2 \to 3 \to 5 \to 8 \to 9 \to 14 \to 15. \tag{4.20}$$

Finally, we join this chain to the previous chain at $u_{20}$, resulting in a complete chain for $k = 131456$ of length 28. Next, we utilize this chain to compute the exponent $k = 131456$ starting from the numeral 1. We denote by $v$ the addition-subtraction chain, where $v_{l-i} = u_i$ with $l = 28$. It follows that

$v_0 = v_{28-28} = u_{28} = 1$,
$v_1 = v_{28-27} = u_{27} = v_0 + v_0 = 2$,
$v_2 = v_{28-26} = u_{26} = v_0 + v_1 = 3$,
$v_3 = v_{28-25} = u_{25} = v_1 + v_2 = 5$,
$v_4 = v_{28-24} = u_{24} = v_2 + v_3 = 8$,
$v_5 = v_{28-23} = u_{23} = v_0 + v_4 = 9$,
$v_6 = v_{28-22} = u_{22} = v_3 + v_5 = 14$,
$v_7 = v_{28-21} = u_{21} = v_0 + v_6 = 15$,
$v_8 = v_{28-20} = u_{20} = -v_2 + v_7 = 12$,
$v_9 = v_{28-19} = u_{19} = v_5 + v_7 = 24$,
$v_{10} = v_{28-18} = u_{18} = v_8 + v_9 = 36$,
$v_{11} = v_{28-17} = u_{17} = v_9 + v_{10} = 60$,
$v_{12} = v_{28-16} = u_{16} = v_{10} + v_{11} = 96$,
$v_{13} = v_{28-15} = u_{15} = v_{11} + v_{12} = 156$,
$v_{14} = v_{28-14} = u_{14} = v_{12} + v_{13} = 252$,
$v_{15} = v_{28-13} = u_{13} = v_{13} + v_{14} = 408$,
$v_{16} = v_{28-12} = u_{12} = v_{14} + v_{15} = 660$,
$v_{17} = v_{28-11} = u_{11} = v_{15} + v_{16} = 1068$,
$v_{18} = v_{28-10} = u_{10} = v_{16} + v_{17} = 1728$,
$v_{19} = v_{28-9} = u_9 = v_{17} + v_{18} = 2796$,
$v_{20} = v_{28-8} = u_8 = v_4 + v_{19} = 2804$,
$v_{21} = v_{28-7} = u_7 = v_{18} + v_{19} = 4524$,
$v_{22} = v_{28-6} = u_6 = v_{20} + v_{21} = 7328$,
$v_{23} = v_{28-5} = u_5 = v_{21} + v_{22} = 11852$,
$v_{24} = v_{28-4} = u_4 = v_{22} + v_{23} = 19180$,
$v_{25} = v_{28-3} = u_3 = v_{23} + v_{24} = 31032$,
$v_{26} = v_{28-2} = u_2 = v_{24} + v_{25} = 50212$,
$v_{27} = v_{28-1} = u_1 = v_{25} + v_{26} = 81244$,
$v_{28} = v_{28-0} = u_0 = v_{26} + v_{27} = 131456$.
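An added Python example (not the thesis' code) of Algorithm 4.6 as described in this section, reproducing Example 4.1 and validating the result against Definition 4.2. The descent (4.13) with the restart rule (4.14) is implemented exactly as stated; the tail chain through the storage set $S$, which the thesis constructs by hand, is found here by a small breadth-first search for the shortest doubling-free increasing chain, which is this example's own choice. The float value of $\varphi^{-1}$ is precise enough for the 18-bit example but not for 160-bit inputs, where integer arithmetic would be needed.

```python
# Added example for Algorithm 4.6 (GRASC) and Definition 4.2 (not the thesis' code).
# Reproduces Example 4.1 (k = 131456, MAXIMALGAP = 6, LOWERBOUND = 10).
import math
from itertools import combinations

PHI_INV = (math.sqrt(5) - 1) / 2   # inverse golden ratio; float precision suffices
                                   # for the example, not for 160-bit inputs


def grasc_descent(k, maximal_gap, lower_bound):
    """Procedure (4.13) with the restart rule (4.14). Returns (u_0..u_i, storage S)."""
    u = [k, round(k * PHI_INV)]
    u.append(u[0] - u[1])
    storage = {1, 2, 3}
    i = 2
    while u[i] > lower_bound:
        if abs(u[i] - u[i - 1] * PHI_INV) > maximal_gap or 2 * u[i] <= u[i - 1]:
            new = round(u[i - 1] * PHI_INV)        # new u_i; the old one stays in u
            storage.add(abs(u[i] - new))            # gap g_j between old and new u_i
            u.append(new)
            u.append(u[i - 1] - new)                # resume (4.13) from (u_{i-1}, new)
            i += 2
        else:
            u.append(u[i - 1] - u[i])
            i += 1
    storage.update({u[i - 1], u[i]})               # last two terms join the storage
    return u, storage


def short_chain_through(targets, start=(1, 2, 3)):
    """Shortest doubling-free increasing addition chain extending `start` that
    contains every target (BFS; fine for the small numbers that land in S)."""
    goal, top = set(targets), max(targets)
    frontier, seen = [tuple(start)], {tuple(start)}
    while frontier:
        nxt = []
        for chain in frontier:
            if goal <= set(chain):
                return list(chain)
            sums = {a + b for a, b in combinations(chain, 2) if chain[-1] < a + b <= top}
            for s in sorted(sums):
                cand = chain + (s,)
                if cand not in seen:
                    seen.add(cand)
                    nxt.append(cand)
        frontier = nxt
    raise ValueError("no chain found")


def grasc_chain(k, maximal_gap, lower_bound):
    """Full GRASC output: tail chain through S joined to u_{i-2}, ..., u_0."""
    u, storage = grasc_descent(k, maximal_gap, lower_bound)
    head = short_chain_through(storage)
    return head + list(reversed(u[:-2]))            # u[-2], u[-1] are already in head


def is_add_sub_chain(chain, k):
    """Definition 4.2: starts at 1, ends at k, every term a sum or difference of two earlier terms."""
    if not chain or chain[0] != 1 or chain[-1] != k:
        return False
    for i in range(1, len(chain)):
        prev = chain[:i]
        if not any(chain[i] in (a + b, abs(a - b)) for a in prev for b in prev):
            return False
    return True
```

`grasc_chain(131456, 6, 10)` returns a 29-term chain, i.e. length 28 as in the example; the BFS may order the tail differently from (4.20), but the validator accepts any chain that satisfies Definition 4.2.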

Chapter 5 Proposed Algorithms

The speed of public key encryption techniques is low compared with that of symmetric encryption techniques, so symmetric techniques are preferred for bulk encryption and public key techniques are used where symmetric techniques cannot be. Much research work tries to improve the efficiency of public key encryption techniques in order to speed up security applications at a high level of security, and ECC is the best candidate public key technique for this target. ECC efficiency can be improved by speeding up the finite field operations or the elliptic curve operations. Elliptic curve point scalar multiplication is the operation that most affects the efficiency of ECC; therefore the efficiency of the proposed ECC algorithm is improved by speeding up scalar multiplication using an addition-subtraction chain. In this chapter, the proposed algorithm to compute the addition-subtraction chain is described in Sections 5.1 and 5.2, the proposed algorithm to compute scalar multiplication is described in Section 5.3, and the proposed selection of mixed point coordinate systems to improve scalar multiplication is described in Section 5.4.

Figure 5.1: The main steps of AlnASC

5.1 The proposed Algorithm to compute Addition Subtraction Chain (AlnASC)

The proposed algorithm (AlnASC) computes an addition-subtraction chain for a long integer: a set of numbers starting with 1 and ending with the long integer. We proposed and published this algorithm in [56]. The algorithm is based on the following ideas:

1. Partitioning the binary representation of the long integer $k$ into binary strings of equal length, called windows.
2. Using the 2's complement of some windows.

The main steps of the algorithm are charted in Figure 5.1 and explained in detail below.

Step 1: precompute the first elements of the target chain (Chain[]), namely $1, 2, 3, 5, \ldots, 2^w - 1$ (only the odd numbers, in addition to 2), where $w$ is the width of the window (see Figure 5.2).

Figure 5.2: Step 1 of AlnASC

Step 2: construct the windows:
• Scan the binary representation of $k$ from right to left.
• Construct each window as a substring of constant width $w$ of the whole representation, evaluate its numerical value and store it in wv[].
• If the following window (the next $w$ bits to the left of the current window) starts with a zero bit on its right, then:
  1. substitute the current window by its 2's complement value,
  2. add 1 to the value of the following window, and
  3. set the flag for subtraction (sub[]) to 1.
Each window constructed in this step is inserted directly into the target chain (Chain[]) (see Figure 5.3).

Figure 5.3: Step 2 of AlnASC

Step 3: scan the created windows from left to right as follows:
1. Double the current window $w$ times, appending each new element to the target chain.
2. If the flag of the next window is 0, add the next window to the last element created in the chain; otherwise subtract the next window from the last element created in the chain. Then go back to the previous step with the next window as the new current window, until no window is left.
This completes the algorithm (see Figure 5.4). The whole algorithm is written in pseudocode in Algorithm 5.1.

Figure 5.4: Step 3 of AlnASC


Algorithm 5.1: AlnASC: Using 2's Complement To Produce an Addition-Subtraction (AS) Chain
Input: $k = (k_{n-1}, k_{n-2}, \ldots, k_1, k_0)$, the binary representation of an $n$-bit integer; $w$, the width of the window. All entries of wv[] and sub[] are initially 0.
Output: Chain = 1, 2, 3, ..., $2^w - 1$, ..., $k$
 1  d = addition − doubling (the cost difference between a point addition and a doubling);
 2  windex = 0; index = 0; cindex = 1; Chain[0] = 1;
 3  Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1];
 4  cindex = cindex + 1;
 5  Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 2]; cindex = cindex + 1;
 6  while Chain[cindex − 1] + 2 ≤ 2^w − 1 do
 7      Chain[cindex] = Chain[cindex − 1] + Chain[1];
 8      cindex = cindex + 1;
 9  while index ≤ n − 1 do
10      wv[windex] = wv[windex] + decimal value of the w bits (k_{index+w−1}, ..., k_{index});
11      if index + w < n and k_{index+w} = 0 then
12          wv[windex + 1] = 1;                              /* carry into the next window */
13          wv[windex] = 2^w − wv[windex];
14          sub[windex] = 1;
15      if wv[windex] ≠ 0 then insert wv[windex] into Chain by insertion sort and store its position in wpos[windex];
16      index = index + w; windex = windex + 1;
17  llwi = windex − 1; Chain[cindex] = Chain[wpos[llwi]] + Chain[wpos[llwi]]; cindex = cindex + 1;
18  for t = 2 to w do
19      Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1]; cindex = cindex + 1;
20  for i = llwi − 1 down to 0 do
21      if sub[i] = 0 and wv[i] ≠ 0 then Chain[cindex] = Chain[cindex − 1] + Chain[wpos[i]]; cindex = cindex + 1;
22      if sub[i] = 1 and wv[i] ≠ 0 then Chain[cindex] = Chain[cindex − 1] − Chain[wpos[i]]; cindex = cindex + 1;
23      if i = 0 then break;                                 /* no doublings after the last window */
24      else
25          for t = 1 to w do
26              Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1]; cindex = cindex + 1;


5.1.1 Analysis of AlnASC Algorithm

Theorem 5.1 The proposed Algorithm 5.1 is correct.

Proof: Let $y$ be the value of a window of $w$ bits of $k$ at bit position $wi$, so that this window contributes $y \cdot 2^{wi}$ to $k$. When the algorithm substitutes the window by its 2's complement $y' = 2^w - y$ and sets the subtraction flag, the window contributes $-y' \cdot 2^{wi} = (y - 2^w) \cdot 2^{wi}$; the missing $2^w \cdot 2^{wi} = 2^{w(i+1)}$ is restored by adding 1 to the value of the next window to the left. Hence the signed sum of the windows, weighted by $2^{wi}$, is still $k$, and the chain built in Step 3 by doubling $w$ times and then adding or subtracting the next window evaluates, by Horner's rule, exactly to $k$.

Theorem 5.2 The running time of the AlnASC Algorithm (Algorithm 5.1) is $O(n \cdot 2^{w-1}/w)$ bit operations.

Proof: We concentrate on the main loops to find the complexity of this algorithm, neglect the computations on regular integers and count only the long integer computations. The main steps of the AlnASC Algorithm are:
1. In line 6, the loop computing the first part of the Chain repeats $2^{w-1}$ iterations. Each iteration is an $n$-bit addition, so this loop costs $n \cdot 2^{w-1}$ bit operations.
2. In line 9, the loop creating the windows is repeated $n/w$ times. Each iteration includes two assignment statements with $w$ bit operations, so the loop costs $2n/w$ operations; small operations such as the addition of 1 are neglected.
3. The loop in line 18 has $w - 1$ repetitions.
4. The loop in line 20 has $n/w$ repetitions:
   • line 21 costs $n$ operations;
   • the loop in line 25 has $w$ repetitions.
5. Inserting the resulting windows into the chain takes $(n/w)\big((2^w - 1)/2 + 1\big)$ assignment operations in the worst case with insertion sort.
6. The loop concatenating the windows is repeated $n/w$ times, each iteration taking $w$ operations, so it takes $n$ operations in total.

The dominant component of the running time is $(n/w) \cdot \big((2^w - 1)/2 + 1\big) = n \cdot 2^{w-1}/w + n/(2w)$ bit operations, which is $O(n \cdot 2^{w-1}/w)$.

Theorem 5.3 Algorithm 5.1 produces an addition-subtraction chain of length at most $\frac{n}{w}(w + 2) + 2^{w-1} + w + \frac{3}{2}$.

Proof:
• The precomputed part of the chain contains $2^{w-1} + 1$ elements (the $2^{w-1}$ odd numbers up to $2^w - 1$ and the number 2).
• After composing the windows, at most $n/w$ elements are inserted into the chain.
• Before the loop in line 20, $w$ elements are added (line 17 and the loop in line 18).
• Each iteration of the loop in line 20 adds at most $1 + w$ elements, and the loop is repeated at most $n/w$ times.

Summing these contributions gives at most the expression stated in the theorem.


5.2 Modified Algorithm to compute addition subtraction chain (W2CASC)

Algorithm 5.2: W2CASC: Using 2's Complement in the Window Method To Produce an Addition-Subtraction (AS) Chain (modified)
Input: $k = (k_{n-1}, k_{n-2}, \ldots, k_1, k_0)$, the binary representation of an $n$-bit integer; $w$, the width of the window. All entries of wv[], sub[] and fdf[] are initially 0.
Output: Chain = 1, 2, 3, ..., $2^w - 1$, ..., $k$, and the arrays co[], ce1[], ce2[], fdf[]
    windex = 0; index = 0; cindex = 1; Chain[0] = 1;
    Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1];
    co[cindex] = 0; ce1[cindex] = cindex − 1; ce2[cindex] = cindex − 1; cindex = cindex + 1;
    Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 2];
    co[cindex] = 1; ce1[cindex] = cindex − 1; ce2[cindex] = cindex − 2; cindex = cindex + 1;
    while Chain[cindex − 1] + 2 ≤ 2^w − 1 do
        Chain[cindex] = Chain[cindex − 1] + Chain[1];
        co[cindex] = 1; ce1[cindex] = cindex − 1; ce2[cindex] = 1; cindex = cindex + 1;
    while index ≤ n − 1 do
        wv[windex] = wv[windex] + decimal value of the w bits (k_{index+w−1}, ..., k_{index});
        if index + w < n and k_{index+w} = 0 then
            wv[windex + 1] = 1; wv[windex] = 2^w − wv[windex]; sub[windex] = 1;
        if wv[windex] ≠ 0 then insert wv[windex] into Chain by insertion sort and store its position in wpos[windex];
        index = index + w; windex = windex + 1;
    llwi = windex − 1;
    Chain[cindex] = Chain[wpos[llwi]] + Chain[wpos[llwi]];
    co[cindex] = 0; ce1[cindex] = wpos[llwi]; ce2[cindex] = wpos[llwi]; cindex = cindex + 1;

We modify Algorithm 5.1 (AlnASC) of [56] by adding an array co[i] that stores the code of the operation performed to compute element $i$ of the chain (0 for doubling, 1 for addition, 2 for subtraction), an array ce1[i] that stores the index of the first operand used to compute element $i$, an array ce2[i] that stores the index of the second operand, and an array fdf[] that records a flag

Algorithm 5.3: W2CASC (continued)
    for t = 2 to w do
        Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1];
        co[cindex] = 0; ce1[cindex] = cindex − 1; ce2[cindex] = cindex − 1; cindex = cindex + 1;
    for i = llwi − 1 down to 0 do
        if sub[i] = 0 and wv[i] ≠ 0 then
            Chain[cindex] = Chain[cindex − 1] + Chain[wpos[i]];
            co[cindex] = 1; ce1[cindex] = cindex − 1; ce2[cindex] = wpos[i]; cindex = cindex + 1;
        else if sub[i] = 1 and wv[i] ≠ 0 then
            Chain[cindex] = Chain[cindex − 1] − Chain[wpos[i]];
            co[cindex] = 2; ce1[cindex] = cindex − 1; ce2[cindex] = wpos[i]; cindex = cindex + 1;
        if i > 0 then
            for t = 1 to w do
                Chain[cindex] = Chain[cindex − 1] + Chain[cindex − 1];
                co[cindex] = 0; ce1[cindex] = cindex − 1; ce2[cindex] = cindex − 1;
                if t = w then fdf[cindex] = 1;
                cindex = cindex + 1;

for final doubling. Final doubling before the addition and subtraction must be distinguished from the other doublings because it will be computed in different coordinate. By the following example, we review the W2CASC algorithm for finding short addition-subtraction chain by utilizing a 2’s Complement with Window method algorithm. The W2CASC algorithm considers making chain by using the binary representation of k and partition it as windows of constant length. And substitute some of windows by 2’s Complement of its value under some condition. Algorithm 5.2 is modified model of the algorithm in [56]. This to make an integration in elliptic curve scalar multiplication. Example 5.1: Given the integer 207062. Step 1: is the compute the numbers from 1, 2, 2w By the selection w = 3 then the 75

first part of the chain is 1, 2, 3, 5, 7 Table 5.1 gives the result of first step. i 0 1 2 3 4

chain[i] C[i][0] C[i][1] C[i][2] 1 0 0 0 2 0 0 0 3 1 0 1 5 1 0 2 7 1 0 3 Table 5.1: The result of step 1

Step 2: The input integer has the following binary representation:

    110010100011010110    (5.1)

We take w = 3 to suit the length of the input integer's binary representation:

• The first window from the right is 6 (110).
• It is followed by a 0 bit at the beginning of the next window, so 6 is replaced by 2, because 2 = 8 − 6, where 8 = 2^3.
• We save this value as wv[0] = 2 and set sub[0] = 1 as the flag for subtraction.
• Adding 1 to the next window (2), it becomes 3. This ends the first iteration of splitting the binary representation into windows.
• The second iteration starts with 3 as the initial value of wv[1], but no action is taken since the next bit is 1, so wv[1] = 3.


• In this manner we get wv[] = 2, 3, 5, 3, 5, 7 and sub[] = 1, 0, 1, 1, 1, 0, as in Table 5.2.
• These window values were already computed by the first step of the algorithm.
• After inserting the computed windows, the chain is still (1, 2, 3, 5, 7); the result of the first step is unchanged.

Table 5.2: The result of step 2

    i   wv[i]   sub[i]
    0     2       1
    1     3       0
    2     5       1
    3     3       1
    4     5       1
    5     7       0

Step 3:

• We start with the last window, 7, and repeat the doubling w = 3 times, i.e. 14, 28, 56, inserting these numbers into the chain. We then look at sub[] of the previous window 5 (0 for adding 5 to 56, 1 for subtracting 5 from 56); its value is 1, so we insert 51 (= 56 − 5) into the chain.
• In this manner we get the chain 1, 2, 3, 5, 7, 14, 28, 56, 51, 102, 204, 408, 405, 810, 1620, 3240, 3235, 6470, 12940, 25880, 25883, 51766, 103532, 207064, 207062.
• Note: in the implementation we use C[...][3], a two-dimensional array with a number of rows equal to the chain length and three columns (0, 1, 2). Column 0 contains the values of the array co[], column 1 the values of the array ce1[] and column 2 the values of the array ce2[]. Each row C[i][] records information about the chain element of index i: column 0 holds the operation code (0 for doubling, 1 for addition, 2 for subtraction), column 1 the index in the chain of the first operand and column 2 the index of the second operand.
• When 14 is put in the chain we record C[6][0] = 0, C[6][1] = 5, C[6][2] = 5, meaning that element no. 6 of the chain is computed by doubling (operation kind 0) element no. 5.
• When 51 is put in the chain we record C[8][0] = 2, C[8][1] = 7, C[8][2] = 3, meaning that element no. 8 of the chain is computed by subtraction (operation kind 2) of element no. 3 from element no. 7.
• The contents of C[25][3] are given in Table 5.3.

5.3

Elliptic Curve Scalar Multiplication based on the proposed W2CASC Algorithm

In this section, we propose a scalar multiplication algorithm by utilizing the proposed W2CASC Algorithm 5.2. This algorithm computes the elliptic curve scalar multiplication.


Table 5.3: The result of step 3

     i   C[i][0]   C[i][1]   C[i][2]
     0      0         0         0
     1      0         0         0
     2      1         1         0
     3      1         2         1
     4      1         3         1
     5      0         4         4
     6      0         5         5
     7      0         6         6
     8      2         7         3
     9      0         8         8
    10      0         9         9
    11      0        10        10
    12      2        11         2
    13      0        12        12
    14      0        13        13
    15      0        14        14
    16      2        15         3
    17      0        16        16
    18      0        17        17
    19      0        18        18
    20      1        19         2
    21      0        20        20
    22      0        21        21
    23      0        22        22
    24      2        23         1

The proposed algorithm depends on the pre-computed arrays co, ce1 and ce2. co[] contains the code of the operation (0 for doubling, 1 for addition, 2 for subtraction). ce1[] contains the index of the first operand of the operation in the chain pre-computed by Algorithm 5.2, and ce2[] contains the index of the second operand. Figure 5.5 gives the flowchart of the algorithm and Algorithm 5.4 gives its details.


Algorithm 5.4: Scalar Multiplication based on W2CASC

Input: P; l, the length of the chain generated by W2CASC for the integer k; and the arrays ce1[], ce2[], co[], fdf[] produced by W2CASC
Output: the point kP ∈ E

    Points[1] = P;
    Points[2] = Points[1] + Points[1];
    for t = 3 to 2^w do
        Points[t] = Points[ce1[t]];
        Points[t] = Points[t] + Points[ce2[t]];          /* pre-addition computed here */
    for t = 2^w + 1 to l do
        Points[t] = Points[ce1[t]];
        if co[t] = 0 then
            if fdf[t] = 1 then
                Points[t] = 2 ∗ Points[t];               /* final doubling computed here, in different coordinates */
            else
                Points[t] = 2 ∗ Points[t];               /* main doubling computed here */
        else if co[t] = 1 then
            Points[t] = Points[t] + Points[ce2[t]];       /* internal addition computed here */
        else
            Points[t] = Points[t] − Points[ce2[t]];       /* internal subtraction computed here (as an addition, same coordinates) */
    return Points[l];

Figure 5.5: W2CASC Based Scalar Multiplication

The following example shows the mechanism of the proposed algorithm for elliptic curve scalar multiplication.

Example 5.2:
• Given 207062 × P for an elliptic curve point P.
• The algorithm checks the operation kind in the first column of the array C[][3], prepared beforehand by the algorithm for computing the addition-subtraction chain, and proceeds according to the operation type and the operand indices.
• First, ECP[0] = P is the starting point.


• Consider the start portion of the C[][] array:

    0 0 0
    1 1 0
    1 2 1

• For ci = 1, C[1][0] = 0 means doubling the element number C[1][1] = 0 of ECP[], i.e. doubling P, and the result is assigned to ECP[1]. Now ECP[] = P, 2P.
• Take another portion of C[][]:

    2 15 3
    0 16 16

• This means ECP[16] = ECP[15] − ECP[3], i.e. 3235P = 3240P − 5P.
• To compute 207062P in this manner, we first use the proposed Algorithm 5.2 to obtain the chain 1, 2, 3, 5, 7, 14, 28, 56, 51, 102, 204, 408, 405, 810, 1620, 3240, 3235, 6470, 12940, 25880, 25883, 51766, 103532, 207064, 207062. Then the proposed Algorithm 5.4 expresses this chain in terms of P as follows: 2P = 2 ∗ P, 3P = 2P + P, 5P = 3P + 2P, 7P = 5P + 2P, 14P = 2 ∗ (7P), 28P = 2 ∗ (14P), 56P = 2 ∗ (28P), 51P = 56P − 5P, 102P = 2 ∗ (51P), 204P = 2 ∗ (102P), 408P = 2 ∗ (204P), 405P = 408P − 3P, 810P = 2 ∗ (405P), 1620P = 2 ∗ (810P), 3240P = 2 ∗ (1620P), 3235P = 3240P − 5P, 6470P = 2 ∗ (3235P), 12940P = 2 ∗ (6470P), 25880P = 2 ∗ (12940P), 25883P = 25880P + 3P, 51766P = 2 ∗ (25883P), 103532P = 2 ∗ (51766P), 207064P = 2 ∗ (103532P), 207062P = 207064P − 2P.
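The chain construction of Example 5.1 and the chain replay of Example 5.2, as an added Python prototype that is not the thesis's own C/MIRACL code. It follows Algorithms 5.2 to 5.4 as described above: windows performs the 2's complement window split (step 2), w2casc builds the chain together with the co/ce1/ce2/fdf arrays (steps 1 and 3), and scalar_mul_w2casc replays those arrays on points of a small constructed curve, checked against plain double-and-add. The function names, the toy curve y^2 = x^3 + 2x + 3 over F_1000003 with base point (3, 6), and the treatment of an all-zero window (no complement, no chain element) are my assumptions. Affine coordinates are used throughout, so the fdf flag only marks where the thesis would switch to the final-doubling coordinate formula. Python 3.8 or later is needed for pow(x, -1, p).

```python
# Added example: a Python prototype (not the thesis's C/MIRACL code) of the
# W2CASC chain construction (Algorithms 5.2/5.3) and the chain-driven scalar
# multiplication (Algorithm 5.4).  Names, the toy curve and the handling of an
# all-zero window are my own choices.

def windows(k, w):
    """Step 2: split k into w-bit windows, least significant first.  A window
    followed by a 0 bit becomes its 2's complement 2^w - value, is flagged as a
    subtraction (sub = 1), and a carry of 1 goes into the next window."""
    bits = bin(k)[2:][::-1]                      # bits[i] is bit i of k
    wv, sub, carry = [], [], 0
    for i in range(0, len(bits), w):
        v = int(bits[i:i + w][::-1], 2) + carry  # window value plus carry-in
        carry = 0
        nxt = bits[i + w] if i + w < len(bits) else "1"   # top window: keep
        if nxt == "0" and v > 0:                  # v == 0 guard is my assumption
            v, carry = 2 ** w - v, 1
            sub.append(1)
        else:
            sub.append(0)
        wv.append(v)
    return wv, sub

def w2casc(k, w):
    """Steps 1 and 3.  Returns chain, co (0 doubling, 1 addition, 2 subtraction,
    -1 seed), ce1/ce2 (operand indices), fdf (1 on the doubling right before an
    add/sub) and kidx, the chain index holding k."""
    assert k > 0 and w >= 2
    wv, sub = windows(k, w)
    chain, co, ce1, ce2, fdf, pos = [], [], [], [], [], {}

    def push(val, op, a, b):
        chain.append(val); co.append(op); ce1.append(a); ce2.append(b); fdf.append(0)
        return len(chain) - 1

    # Step 1 plus window insertion: 1, 2, the odd numbers up to 2^w - 1 and any
    # even window value, kept sorted so that operands always precede results.
    for v in sorted({1, 2} | set(range(3, 2 ** w, 2)) | {x for x in wv if x}):
        if v == 1:   pos[v] = push(v, -1, 0, 0)
        elif v == 2: pos[v] = push(v, 0, pos[1], pos[1])
        elif v % 2:  pos[v] = push(v, 1, pos[v - 2], pos[2])   # odd = previous odd + 2
        else:        pos[v] = push(v, 1, pos[v - 1], pos[1])   # even = odd + 1
    # Step 3: from the top window down, w doublings then +/- the next window.
    cur = pos[wv[-1]]
    for i in range(len(wv) - 2, -1, -1):
        for _ in range(w):
            cur = push(2 * chain[cur], 0, cur, cur)
        if wv[i]:                                  # zero window: doublings only
            fdf[cur] = 1                           # final doubling before the op
            val = chain[cur] - wv[i] if sub[i] else chain[cur] + wv[i]
            cur = push(val, 2 if sub[i] else 1, cur, pos[wv[i]])
    return chain, co, ce1, ce2, fdf, cur

# Toy curve y^2 = x^3 + 2x + 3 over F_p (constructed for the demo); the point
# (3, 6) lies on it for any prime p > 36.  None is the point at infinity.
P_MOD, A_COEF = 1000003, 2

def ec_add(P, Q):
    """Affine addition (and doubling when P == Q) on the toy curve."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                              # P + (-P); covers doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)

def scalar_mul_w2casc(k, P, w):
    """Algorithm 5.4: Points[t] is built from Points[ce1[t]] / Points[ce2[t]]
    with operation co[t], exactly as chain[t] was built from the chain."""
    chain, co, ce1, ce2, fdf, kidx = w2casc(k, w)
    pts = []
    for t in range(len(chain)):
        if co[t] == -1:  pts.append(P)                                         # seed P
        elif co[t] == 0: pts.append(ec_add(pts[ce1[t]], pts[ce1[t]]))          # doubling (fdf[t] would pick the formula)
        elif co[t] == 1: pts.append(ec_add(pts[ce1[t]], pts[ce2[t]]))          # internal addition
        else:            pts.append(ec_add(pts[ce1[t]], ec_neg(pts[ce2[t]])))  # internal subtraction
    return pts[kidx]

def scalar_mul_binary(k, P):
    """Reference left-to-right double-and-add, used only to check the result."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R
```

Running w2casc(207062, 3) reproduces the chain of Example 5.1 and the rows of Table 5.3 (for instance element 8 is recorded as co = 2, ce1 = 7, ce2 = 3, i.e. 51 = 56 − 5), and scalar_mul_w2casc(207062, (3, 6), 3) agrees with double-and-add. Because the operand indices are recorded rather than the chain values, the same arrays drive both the integer chain and the point computation, which is the property Algorithm 5.4 relies on.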

5.4

Selecting the used mixed coordinates

In this section, we consider the mixed coordinates system since it has a lower computational cost than the other coordinate systems, as proposed by Cohen et al. [21] and [57]. We select the best operations for calculating the cost of the Algorithm 5.2 based scalar multiplication algorithm; in other words, we make a new combination in the mixed coordinates idea from the coordinates in [21, 57]. Note that we use S, M and I to denote the cost of one squaring, one multiplication and one inversion respectively. We always leave out the cost of field additions and subtractions. We follow the conventions of Okeya and Sakurai [58] and Lim and Hwang [59] and assume S = (4/5)M = 0.8M and I = 80M.

Table 5.4: Computational costs using mixed coordinates, combination 1

    Operation    pre-Addition   main and final Doubling   internal Addition
                  A + J → J            2J → J               J + J → J
    Cost           8M + 3S             4M + 4S               12M + 4S

If we select the mixed coordinates combination 1 in Table 5.4 we get the following.

A + J → J mixed coordinates are used for the first 2^w points in the computation, where w is the window length used in Algorithm 5.2. This costs 2^w (8M + 3S) = 2^w (10.4)M. The rest of the computation is a long series of doublings, each followed by an addition or subtraction. We use 2J → J in the long series of doublings, which costs 4M + 4S = 7.2M for each doubling, and J + J → J for the additions and subtractions, which costs 12M + 4S = 15.2M for each addition or subtraction.

Theorem 5.4: The average cost of Algorithm 5.4 is 1691.2 finite field multiplications for a 160-bit integer multiplier when mixed coordinates combination 1 in Table 5.4 is used.


Proof: According to our result in [56], the length of the chain is 204 and the window width used is w = 5. So the first part of Algorithm 5.4 includes 32 additions of cost (10.4)M, i.e. 32(10.4)M = (332.8)M. The remaining operations number 204 − 32 = 172; also according to our result in [56], they consist of 15 additions or subtractions and 157 doublings. Their cost is 15(15.2)M + 157(7.2)M = (228)M + (1130.4)M, so the total cost is (228)M + (1130.4)M + (332.8)M = 1691.2M.

Table 5.5: Computational costs using mixed coordinates, combination 2

    Operation    pre-Addition     main Doubling   final Doubling   internal Addition
                 A + J^C → J^C    2J^M → J^M      2J^M → J         J + J^C → J^M
    Cost         8M + 3S          4M + 4S         3M + 4S          12M + 5S

If we select the mixed coordinates combination 2 in Table 5.5 we get the following:

A + J^C → J^C mixed coordinates are used for the first 2^w points in the computation, where w is the window length used in Algorithm 5.2. This costs 2^w (8M + 3S) = 2^w (10.4)M. The rest of the computation is a long series of doublings, each followed by an addition or subtraction. We use 2J^M → J^M in the long series of doublings, which costs 4M + 4S = 7.2M for each doubling. We use 2J^M → J for the final doubling before each addition or subtraction, which costs 3M + 4S = 6.2M. We use J + J^C → J^M for the additions and subtractions, each of which costs 12M + 5S = 16M.

Theorem 5.5: The average cost of Algorithm 5.4 is 1688.2 finite field multiplications for a 160-bit integer multiplier when mixed coordinates combination 2 in Table 5.5 is used.

Proof: According to our result in [56], the length of the chain is 204 and the window width used is w = 5. So the first part of Algorithm 5.4 includes 32 additions of cost (10.4)M, i.e. 32(10.4)M = (332.8)M. The remaining operations number 204 − 32 = 172; also according to our result in [56], they consist of 15 additions or subtractions and 157 doublings. The doublings are classified into two classes: 157 − 15 = 142 main doublings and 15 final doublings. So the cost is 15(16)M + 142(7.2)M + 15(6.2)M, and the total cost is (332.8)M + 15(16)M + 142(7.2)M + 15(6.2)M = (332.8 + 240 + 1022.4 + 93)M = (1688.2)M.

Table 5.6: Computational costs using mixed coordinates, combination 3

    Operation    pre-Addition     main Doubling   final Doubling   internal Addition
                 A + J^C → J^C    2J → J          2J → J^C         J^C + J^C → J
    Cost         8M + 3S          4M + 4S         5M + 5S          10M + 2S

If we select the mixed coordinates combination 3 in Table 5.6 we get the following:

A + J^C → J^C mixed coordinates are used for the first 2^w points in the computation, where w is the window length used in Algorithm 5.2. This costs 2^w (8M + 3S) = 2^w (10.4)M. The rest of the computation is a long series of doublings, each followed by an addition or subtraction. We use 2J → J in the long series of doublings, which costs 4M + 4S = 7.2M for each doubling. We use 2J → J^C for the final doubling before each addition or subtraction, which costs 5M + 5S = 9M. We use J^C + J^C → J for the additions and subtractions, each of which costs 10M + 2S = 11.6M.

Theorem 5.6: The average cost of Algorithm 5.4 is 1664.2 finite field multiplications for a 160-bit integer multiplier when mixed coordinates combination 3 in Table 5.6 is used.

Proof: According to our result in [56], the length of the chain is 204 and the window width used is w = 5. So the first part of Algorithm 5.4 includes 32 additions of cost (10.4)M, i.e. 32(10.4)M = (332.8)M. The remaining operations number 204 − 32 = 172; also according to our result in [56], they consist of 15 additions or subtractions and 157 doublings. The doublings are classified into two classes: 157 − 15 = 142 main doublings and 15 final doublings. So the cost is 15(11.6)M + 142(7.2)M + 15(9)M, and the total cost is (332.8)M + 15(11.6)M + 142(7.2)M + 15(9)M = (332.8 + 174 + 1022.4 + 135)M = (1664.2)M.
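The cost accounting of Theorems 5.4 to 5.6, as an added Python example that is not from the thesis. It encodes Tables 5.4 to 5.6 as (M, S) pairs per operation class, converts squarings with S = 0.8M, and applies the operation counts the proofs use (32 pre-additions, 142 main and 15 final doublings, 15 additions or subtractions for w = 5 and a 160-bit multiplier). It also evaluates the percentage of Eq. (6.1) and the timing rule behind Table 6.4 (cost multiplied by the measured 0.00124 ms field multiplication). The function names and the dictionary layout are mine.

```python
# Added example (not from the thesis): the cost accounting of Theorems 5.4 to
# 5.6 and the derived figures of Tables 6.3 and 6.4.  Names and layout are mine.

S_COST = 0.8   # one squaring S = 0.8M, the convention of [58, 59] used above

# (M, S) per operation class for the three mixed-coordinate combinations;
# "final" is the doubling immediately before an addition or subtraction.
COMBINATIONS = {
    1: {"pre": (8, 3), "main": (4, 4), "final": (4, 4), "addsub": (12, 4)},  # Table 5.4
    2: {"pre": (8, 3), "main": (4, 4), "final": (3, 4), "addsub": (12, 5)},  # Table 5.5
    3: {"pre": (8, 3), "main": (4, 4), "final": (5, 5), "addsub": (10, 2)},  # Table 5.6
}

# Operation counts the proofs take from [56] for w = 5 and a 160-bit multiplier:
# 2^5 = 32 pre-additions, 157 doublings (15 of them final), 15 additions/subtractions.
COUNTS_160 = {"pre": 32, "main": 157 - 15, "final": 15, "addsub": 15}

def op_cost(m, s):
    """Cost of one operation in multiplications, with squarings at S_COST."""
    return m + s * S_COST

def chain_cost(counts, combo):
    """Total cost of Algorithm 5.4 in M for the given counts and combination."""
    return round(sum(n * op_cost(*combo[cls]) for cls, n in counts.items()), 2)

def cost_table():
    """Cost in M of each combination, i.e. the W2CASC rows of Table 6.3."""
    return {c: chain_cost(COUNTS_160, COMBINATIONS[c]) for c in COMBINATIONS}

def improvement_pct(m_alg, m_w):
    """Eq. (6.1): [(#M(Alg) - #M(W)) / #M(Alg)] * 100, rounded to one decimal."""
    return round((m_alg - m_w) / m_alg * 100, 1)

def ec_mult_ms(cost_m, mult_ms=0.00124):
    """Table 6.4: scalar multiplication time from the measured 160-bit field
    multiplication time of 0.00124 ms in MIRACL."""
    return round(cost_m * mult_ms, 2)
```

cost_table() returns {1: 1691.2, 2: 1688.2, 3: 1664.2}, the three theorem values; changing COUNTS_160 to the counts of another chain, or adding a fourth entry to COMBINATIONS, re-derives the corresponding rows of Tables 6.3 and 6.4 without touching the formulas.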

5.4.1

Mixed coordinates and security

The most important practical attack on ECC is power analysis, which measures the power consumption of the processor during its operations, displays it graphically using suitable equipment, and then determines the number and order of additions and/or doublings. One direction for countering this attack is to use doubling-free algorithms, i.e. to make all operations additions or subtractions, which are the same in the context of elliptic curve arithmetic. Another direction is to evaluate the doubling by two or more methods and the addition by two or more methods; this creates a good confusion, so that neither the number nor the order of additions and/or doublings can be determined. Figure 5.6 gives the details.


Figure 5.6: Mixed coordinates and security


Chapter 6 The Implementations and Experimental Results

In this chapter we introduce the implementation and the comparison results. We start with a description of the implementation environment, then the window width selection issue. The first implementation is of the W2CASC algorithm; the implementation of the W2CASC based scalar multiplication algorithm is then elaborated. Finally, we compare the general results when used in ECCs.

6.1

Implementation Environment

To compare our proposed algorithms with the literature, we implement them on a notebook with an Intel(R) Core(TM)2 Duo CPU T6570 @ 2.1GHz (1.19 GHz), 1.92 GB of RAM. The platform is Windows 7 Professional (32 bit). We use the library MIRACL [60] in the implementation. MIRACL is a Big Number Library which implements all of the primitives necessary to design Big Number Cryptography into your real-world application. It is primarily a tool for cryptographic system implementors. RSA public key cryptography, Diffie-Hellman key exchange, DSA digital signatures: they are all just a few procedure calls away. Support is also included for even more esoteric Elliptic Curve and Lucas function based schemes. The latest version offers full support for Elliptic Curve Cryptography. It has two options, C or C++. For efficiency reasons, we use the C option of the library.

6.1.1

Used Features from MIRACL

The following data types and functions are used from the library MIRACL:

big: data type to represent the long integers.
epoint: data type to represent the points of the elliptic curves.
add: to add long integers.
sub: to subtract long integers.
compare: to compare long integers.
cotnum: to output long integers.
remain: to compute the remainder of a division of long integers.
mirvar: to assign a value to a long integer.
hamming: to calculate the Hamming weight of a long integer.
logb2: to calculate the logarithm of a long integer with respect to 2.
pow: to raise a long integer to some power.
bigbits: to generate a random long integer of a given length.
cinstr: to assign a long integer from a string variable.
ecurve_init: to initialize an elliptic curve with the coefficients of the required algebraic equation.
epoint_set: to assign the coordinates of some elliptic curve point.
nres: to convert a long integer to modular (n-residue) form.
nres_modmult: to multiply two long integers in modular form.

6.1.2

Programmed Features

The following data types and functions are programmed by the author:

winval2: to calculate the decimal value of some bits of a big integer's binary representation, given the big integer, the starting bit and the number of required bits.
insert: to insert the calculated window value into the chain array in sorted order.
lg: to compute the logarithm of an integer with respect to two.
display: to show the results on the monitor and write them to the hard disk.
wpos: to adjust the indexes (positions) of the chain elements after the insertion of new window values.
AlnASC: the main function for creating an addition-subtraction chain, near 300 lines of C code.
AlnECSM: the main function for computing elliptic curve scalar multiplication based on the output of AlnASC.
binaryAC: the binary algorithm for creating an addition chain.
SVwAC: the window method with variable window width.
SCwAC: the window method with constant window width.
Even: to check whether a given integer is even.
chkzeros: to count the zeros from the starting bit in the binary representation of a long integer.
displayCh: to output the complete chain to file and monitor.
ECtimings: to determine the timings of the MIRACL functions for elliptic curve arithmetic.
FFTimings: to determine the timings of the MIRACL functions for finite field arithmetic.
twosComp: to compute the 2's complement of a given integer.
timingAlnASC: to determine the timings of the AlnASC function.
AlnVwASC: the window method with 2's complement and variable window width for creating an addition-subtraction chain, like AlnASC but with variable width (no best results were collected).
shoWindows: to display and test the window values after step 2 is finished.

In total the code is about 2000 lines of C, not counting the MIRACL lines.

6.2

Selecting window width

To implement the W2CASC algorithm, we must select the width of the window. In our experiments, the proposed W2CASC algorithm is implemented with different window widths to find the width that gives the shortest addition-subtraction chain. Table 6.1 gives the results for different window widths for long integers of length 160 bits. The best result for our algorithm W2CASC (204) is achieved when the window width is 5.

Table 6.1: Different window lengths

    window length   addition-subtraction chain length
          2                     238
          3                     215
          4                     205
          5                     204
          6                     215
          7                     241
          8                     300
          9                     427
         10                     678

6.3

W2CASC implementation

We compare our result here with the result in [54] because it is the last good known result in the application of finding addition-subtraction chains for 160-bit integers. The proposed W2CASC algorithm produces a chain of 204 elements, which is shorter than 258, the length of the chain produced by [54]. Table 6.2 shows the result of our implementation in comparison with other algorithms; our improvement is about 20%, since the last shortest known published length in [54] is 258. In Table 6.2 we refer to the source of the implementation and of the algorithm, and we implement the algorithms that carry no reference ourselves.

The GRASC, Window Fibonacci and Add, Signed Fibonacci and Add, Fibonacci and Add and EAC algorithms differ from the others in that they are doubling-free algorithms. Our approach uses a dummy operation to erase the difference between addition and doubling, which is the major target of an SPA attack.

Table 6.2: Comparison of the current algorithms in addition chain

    Algorithm                                                                     Length of Chain
    AlnASC Addition-Subtraction Chain (Algorithm 5.1) (w=5)                       204
    Slide Window Addition Chain (constant length) (w=5) [61]                      214
    Slide Window Addition Chain (variable length) (max w=5, internal zeros=2) [61]  223
    Binary Addition Chain [20]                                                    239
    GRASC [54]                                                                    258 [54]
    Window Fibonacci and Add [51]                                                 292 [54]
    EAC [51]                                                                      320 [51]
    Signed Fibonacci and Add [51]                                                 322 [54]
    Fibonacci and Add [51]                                                        358 [54]

6.4

W2CASC based scalar multiplication

In Table 6.3, we compare the efficiency of the proposed scalar multiplication based on the W2CASC algorithm with the other algorithms for elliptic curve scalar multiplication proposed in [51, 50]. The first column contains the names of the algorithms with their references (Alg). The second column contains the name of the coordinates used, according to the references. The third column contains the number of finite field operations needed by each algorithm (#M). The fourth column is the percentage difference in the number of finite field operations between each algorithm and the W2CASC based ECSM with combination 3, computed as

    [(#M(Alg) − #M(W)) / #M(Alg)] ∗ 100    (6.1)

where W refers to the W2CASC based ECSM with MIXED-combination 3. These results are published in [62].

Table 6.3: Average cost of scalar multiplication algorithms for 160 bit integers

    Algorithm (Alg)            Coordinate            #M       percentage
    Fibonacci-and-add [51]     NewADD                2311     28%
    Signed Fib-and-add [51]    NewADD                2088     20.3%
    Window Fib-and-add [51]    NewADD                1960     15.1%
    EAC-320 [51]               NewADD                2112     21.2%
    GRAC-258 [50]              mixed                 1907     12.7%
    W2CASC based ECSM          MIXED-combination 1   1691.2   1.6%
    W2CASC based ECSM          MIXED-combination 2   1688.2   1.4%
    W2CASC based ECSM (W)      MIXED-combination 3   1664.2   0

6.5

ECC Performance

Using the MIRACL library for the implementation, we measure the finite field timing as 0.00124 ms for 160-bit modulus arithmetic, and the time of the elliptic curve scalar point multiplication in a 160-bit ECC becomes 2 ms; this is the time of the ECDH operation, the ECDSA signature operation, decryption in PSEC [27] or decryption in ECIES [26]. Compared with the fastest performance of MIRACL's internal procedure for point multiplication, which is 3.53 ms, this is a good result in ECC performance: our algorithm is ahead by 43.34%. Table 6.4 compares our result with the scalar multiplication based on addition-subtraction chain algorithms with respect to a finite field multiplication time of 0.00124 ms. In the case of ECIES [26], decryption requires one known-multiplier scalar multiplication, which means an improvement between 26% and 28% when our algorithms are used instead of the other algorithms in Table 6.4. In the case of the PSEC [27] scheme, decryption requires a known-multiplier scalar multiplication and a known-point scalar multiplication, so the improvement is between 26% and 28% without any change in the known-point scalar multiplication implementation.

Table 6.4: ECC performances for 160 bit integers

    Algorithm (Alg)            Cost (C)   EC multiplication time in ms
    Fibonacci-and-add [51]     2311       2.87
    Signed Fib-and-add [51]    2088       2.6
    Window Fib-and-add [51]    1960       2.43
    EAC-320 [51]               2112       2.62
    GRAC-258 [50]              1907       2.36
    W2CASC based ECSM 1        1691.2     2.10
    W2CASC based ECSM 2        1688.2     2.09
    W2CASC based ECSM 3        1664.2     2.06

Chapter 7 The Conclusions and Research Directions

In this chapter the thesis summary, the conclusions and the future work are introduced.

7.1

Thesis Summary

Chapter 2 introduces basic concepts, outlines the problems in current cryptosystems and provides a justification for the work described in this dissertation. Chapter 3 offers an overview of elliptic curve cryptosystems, their history and the efficiency factors affecting them. The state-of-the-art view of research in the field of scalar multiplication is introduced in Chapter 4; that chapter also gives a brief background on the theoretical basis of using addition chains in exponentiation. Chapter 5 presents our proposed algorithms for computing addition-subtraction chains and scalar multiplications. In Chapter 6, the implementation and the assessment of the analysis results of the proposed algorithms are presented. Finally, Chapter 7 presents the conclusions of this dissertation and proposes future research directions.

7.2

Conclusion

In this work we have proposed an algorithm for creating addition-subtraction chains (W2CASC). The new algorithm creates shorter addition-subtraction chains: it creates a chain of length 204 for 160-bit integers, whereas the last comparable result is 258. In other words, we have proposed an algorithm for creating addition-subtraction chains that is ahead of the previous algorithms by 21%. The second proposed algorithm computes elliptic curve scalar multiplication based on the W2CASC algorithm and is ahead of the previous ones known in the literature by 12.7% to 28%. This means that we speed up some elliptic curve cryptosystems, such as ECIES and PSEC, by 26% to 28%. We also use new combinations of elliptic curve point mixed coordinates. The use of mixed coordinates gives more security to our algorithm for computing scalar multiplications, because of a new style of securing the scalar multiplication: similar operations over points (additions and doublings) are evaluated with different power consumption.


7.3

Future Work

Further work may include finding chains of much shorter length in order to improve the computational cost of the addition-subtraction chain based scalar multiplication algorithm. Also, if one could reduce the storage requirement, then the addition-subtraction chain based scalar multiplication algorithm could be more applicable to elliptic curve cryptosystems on memory-constrained devices such as smart cards. One could reduce the storage requirement to make the scalar multiplication algorithms more applicable to small-memory devices. One could study the binary representation of long scalars to find other ideas for constructing addition-subtraction chains, such as applying the 2's complement when two zero bits follow a window rather than only one. One could use a genetic algorithm to produce shorter addition-subtraction chains.


Outcome Publications

• Mohamed M. Abd-Eldayem, Ehab T. Alnfrawy, and Aly A. Fahmy, "Addition-Subtraction Chain for 160 bit Integers by using 2's Complement", Egyptian Computer Science Journal, accepted.
• Mohamed M. Abd-Eldayem, Ehab T. Alnfrawy, and Aly A. Fahmy, "Efficient Scalar Multiplication Based On Window Algorithm With 2's Complement Applied For Elliptic Curve Cryptosystems", The International Conference on Intelligent Systems Design and Applications (ISDA) 2010, accepted.


References

[1] D. Kahn. "The Codebreakers". Macmillan, New York, 1967.
[2] R.A. Mollin. "An Introduction to Cryptography". Chapman Hall/CRC Press, Boca Raton, Florida, 2000.
[3] W. Diffie and M. Hellman. "New directions in cryptography". IEEE Transactions on Information Theory, 22(6):644–654, 1976.
[4] D. Hankerson, A. Menezes, and S. Vanstone. "Guide to Elliptic Curve Cryptosystem". Springer, 2004.
[5] A.K. Lenstra and E.R. Verheul. "Selecting cryptographic key sizes". Journal of Cryptology, 14(4):255–293, 2001.
[6] N. Koblitz. "Elliptic curve cryptosystems". Mathematics of Computation, 48:203–209, 1987.
[7] V. Miller. "Uses of elliptic curves in cryptography". In H. Williams, editor, Advances in Cryptology - CRYPTO '85, volume 218 of LNCS, pages 417–428. Springer-Verlag, 1986.
[8] Kenji Koyama and Yukio Tsuruoka. "Speeding up Elliptic Cryptosystems by Using a Signed Binary Window Method". In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, pages 345–357, London, UK, 1993. Springer-Verlag.
[9] N. Demytko. "A new elliptic curve based analogue of RSA". In Advances in Cryptology - EUROCRYPT '93, pages 40–49. Springer, 1994.
[10] S.A. Vanstone and R.J. Zuccherato. "Elliptic curve cryptosystems using curves of smooth order over the ring Zn". IEEE Transactions on Information Theory, 1997.
[11] Michael Anshel and Dorian Goldfeld. "Zeta functions, one-way functions, and pseudorandom number generators". Duke Math. J., 88(2):371–390, 1997.
[12] I.F. Blake, G. Seroussi, and N.P. Smart. "Elliptic curves in cryptography". Cambridge Univ Pr, 1999.
[13] N. Koblitz. "Introduction to elliptic curves and modular forms". Springer, 1993.
[14] N. Koblitz. "A course in number theory and cryptography". Springer, 1994.
[15] A.W. Knapp. "Elliptic curves". Princeton Univ Pr, 1992.
[16] J.H. Silverman. "The arithmetic of elliptic curves". Springer Verlag, 2009.
[17] J.H. Silverman. "Advanced topics in the arithmetic of elliptic curves". Springer, 1994.
[18] L.C. Washington. "Elliptic curves: number theory and cryptography". Chapman Hall/CRC, Boca Raton, New York, 2003.
[19] A. Menezes, P. van Oorschot, and S. Vanstone. "Handbook of Applied Cryptography". CRC Press, Florida, 1997.
[20] R. Avanzi, H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen, and F. Vercauteren. "Handbook of Elliptic and Hyperelliptic Curve Cryptography". Discrete Mathematics. CRC, 2006.
[21] H. Cohen, A. Miyaji, and T. Ono. "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates". In Advances in Cryptology - ASIACRYPT '98, Lecture Notes in Computer Science, 1514:51–65, 1998.
[22] K. Fong, D. Hankerson, J. López, and A. Menezes. "Field inversion and point halving revisited". IEEE Transactions on Computers, 53(8):1047–1059, 2004.
[23] A.J. Menezes, T. Okamoto, and S.A. Vanstone. "Reducing elliptic curve logarithms to logarithms in a finite field". IEEE Transactions on Information Theory, 39(5):1639–1646, 1993.
[24] MFIPS 186-2. "Digital signature standard", 2000.
[25] IEEE P1363-2000. "Standard specifications for public key cryptography", 1993.
[26] M. Bellare and P. Rogaway. "Minimizing the use of random oracles in authenticated encryption schemes". Information and Communications Security, pages 1–16, 1997.
[27] E. Fujisaki and T. Okamoto. "Secure integration of asymmetric and symmetric encryption schemes". In Advances in Cryptology - CRYPTO '99, pages 79–79. Springer, 1999.
[28] ANSI X9.42-2000. "Public key cryptography for the financial services industry: Agreement of symmetric keys using discrete logarithm cryptography". American National Standards Institute, 1999.
[29] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone. "An efficient protocol for authenticated key agreement". Designs, Codes and Cryptography, 28:119–134, 2003.
[30] D. Johnson, A. Menezes, and S. Vanstone. "The elliptic curve digital signature algorithm (ECDSA)". International Journal of Information Security, 1:36–63, 2001.
[31] T. ElGamal. "A public key cryptosystem and signature scheme based on discrete logarithms". IEEE Transactions on Information Theory, 31(4):469–472, 1985.
[32] ANSI X9.63. "Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography". American National Standards Institute, 2001.
[33] IEEE P1363A. "Standard Specifications for Public-Key Cryptography - Amendment 1: Additional Techniques, working draft 12bis". IEEE, 2003.
[34] A. Cilardo, L. Coppolino, N. Mazzocca, and L. Romano. "Elliptic Curve Cryptography Engineering". Proceedings of the IEEE, 94(2), February 2006.
[35] FIPS PUB 186-2. "Digital signature standard (DSS)", 2000.
[36] E. Oswald. "Secure and Efficient Implementation of Elliptic Curve Cryptosystems". Talk held at the Summer School on Data Safety, Mannheim, 2003.
[37] T. Okamoto. "Provably secure and practical identification schemes and corresponding signature schemes". In Advances in Cryptology - CRYPTO '92, pages 31–53. Springer, 1992.
[38] T. Okamoto. "Practical Identification Schemes as Secure as the DL and RSA problems (Submission to P1363a)". NTT Laboratories, 1999.
[39] M. Bellare, J.A. Garay, and T. Rabin. "Fast batch verification for modular exponentiation and digital signatures". Advances in Cryptology - EUROCRYPT '98, pages 236–250, 1998.
[40] S.A. Brands. "Rethinking public key infrastructures and digital certificates: building in privacy". The MIT Press, 2000.
[41] Donald E. Knuth. "The Art of Computer Programming: Seminumerical Algorithms". Addison-Wesley, 1998. Third edition.
[42] D. Gordon. "A survey of fast exponentiation methods". Journal of Algorithms, 27:129–146, 1998.
[43] W. Bosma. "Signed bits and fast exponentiation". J. Théor. Nombres Bordeaux, 13(1):27–41, 2001.
[44] J.A. Muir and D.R. Stinson. "Minimality and other properties of the width-w nonadjacent form". Mathematics of Computation, 75(253):369, 2006.
[45] B. Möller. "Improved Techniques for Fast Exponentiation". In Information Security and Cryptology - ICISC 2002, Lecture Notes in Computer Science, 2587:298–312, 2002.
[46] V. Dimitrov, L. Imbert, and P. Mishra. "Efficient and secure elliptic curve point multiplication using double-base chains". Advances in Cryptology - ASIACRYPT 2005, pages 59–78, 2005.
[47] E.F. Brickell, D.M. Gordon, K.S. McCurley, and D.B. Wilson. "Fast exponentiation with precomputation". In Advances in Cryptology - EUROCRYPT '92, Lecture Notes in Computer Science, 657:200–217, 1992.
[48] A.C.C. Yao. "On the evaluation of powers". SIAM Journal on Computing, 5:100, 1976.
[49] C. Lim and P. Lee. "More flexible exponentiation with precomputation". In Advances in Cryptology - CRYPTO '94, pages 95–107. Springer, 1994.
[50] R.R. Goundar, K. Shiota, and M. Toyonaga. "SPA resistant scalar multiplication using golden ratio addition chain method". International Journal of Applied Mathematics, 38(7):38–42, 2008.
[51] N. Meloni. "New Point Addition Formulae for ECC Applications". In C. Carlet and B. Sunar, editors, WAIFI 2007, volume 4547 of LNCS, pages 189–201. Springer-Verlag, 2007.
[52] K. Okeya, K. Schmidt-Samoa, C. Spahn, and T. Takagi. "Signed binary representations revisited". In Advances in Cryptology - CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 123–139. Springer, 2004.
[53] D.E. Knuth. "The art of computer programming, volume 1: fundamental algorithms". Addison Wesley Longman Publishing Co., Inc., Redwood City, CA, USA, 1997.
[54] R. Goundar, K. Shiota, and M. Toyonaga. "New Strategy for Doubling-free Short Addition-Subtraction Chain". Applied Mathematics and Information Sciences, 2(2):123–133, 2008.
[55] N.N. Vorob'ev, N.N. Vorobiev, and M. Martin. "Fibonacci numbers". Birkhäuser, 2002.
[56] Mohamed M. Abd-Eldayem, Ehab T. Alnfrawy, and Aly A. Fahmy. "Addition-Subtraction Chain for 160 bit Integers by using 2's Complement". Egyptian Computer Science Journal, 2010. Accepted.
[57] Nicholas T. Sullivan. "Fast Algorithms for Arithmetic Elliptic Curves over Prime Fields". Master's thesis, Department of Mathematics and Statistics, Department of Computer Science, University of Calgary, Calgary, Alberta, 2007.
[58] K. Okeya and K. Sakurai. "Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery-form elliptic curve". In Cryptographic Hardware and Embedded Systems - CHES 2001, pages 126–141. Springer, 2001.

8

[59] Chae Hoon Lim and Hyo Sun Hwang. ”Fast implementation of elliptic curve arithmetic in GF(pn )”. In Proc. PKC 2000, LNCS 1751, pages 405–421. Springer-Verlag, 2000. [60] Shamus Software Limited. ”Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL)”. http://www.shamus.ie/, March 2009. [61] CK Koc.

”Tech. Notes, High-Speed RSA Implementation, RSA Labs.

Tech”. Technical report, Note TR 201, Available in http://www. rsasecurity. com/rsalabs/tech-notes, 1994. [62] Mohamed M. Abd-Eldayem, Ehab T. Alnfrawy, and Aly A. Fahmy. ”Efficient Scalar Multiplication Based On Window Algorithm With 2’s Complement Applied For Elliptic Curve Cryptosystems”. In The International Conference on Intelligent Systems Design and Applications (ISDA’10), 2010. accepted.

9
