Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Transcription

1 H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence & IT Department of Appled Mathematcs Pt. Ravshanker Shukla Unversty Rungta College of Engneerng &Technology Rapur (C.G.) Inda Bhla (C.G.) Inda Abstract. The basc operaton n ellptc curve cryptosystem s scalar multplcaton. It s the computaton of nteger multple of a gven pont on the curve. Computaton of scalar multple s faster by usng sgned bnary representaton as compared to bnary representaton. In ths paper Drect Recodng Method a new modfed algorthm for computaton of sgned bnary representaton s proposed. Our proposed method s effcent when compared to other standard methods such as NAF, MOF and complementary recodng method. Keywords. Ellptc curve cryptography, Scalar multplcaton, Sgned bnary method, NAF, MOF, Complementary recodng. 1. Introducton Ellptc curve Cryptography was ndepen dently ntroduced by Mller [1] and Kobltz [2] n Snce then t has ganed wde acceptance manly due to ts smaller key sze and greater securty. Scalar multp lcaton s the central operaton of ellptc curve cryptosystem. It nvolves comput aton of kp where k s the secret key (scalar) and P a pont on the ellptc curve. Sgnfcant methods to optmze ECC operatons have been proposed. In ths paper we ntroduce Drect Recodng an effcent method to compute KP effcently. For 2 (p+1) > k > 2 p, k = (2 p+1 ) 2 (2 p+1 k) 2. As ths computaton uses only btwse subtracton t gves the sgned bnary representaton wth the lowest hammng weght. The rest of the paper s organzed as follows. We start wth the ntroducton of Bnary method along wth the computaton of scalar multplcaton n secton 2. Sgned bnary NAF and MOF methods wth ther algorthms for computaton of scalar multplcatons are presented n Sectons 3 and 4 respectvely. In Secton 5 we explan the Complementary recodng method based on NAF and fnally n Secton 6 we explan our proposed method wth examples. Also the run tme of varous scalar multplcaton algorthms are presented n ths secton. 2. Bnary Method Scalar pont multplcaton s the man cryptographc operaton n ECC whch computes Q = kp, a pont P s multpled by an nteger k resultng n another pont Q on the ellptc curve. Bnary method [3] s the tradtonal scalar multplcaton method based on the bnary expanson of the scalar k usng (0, 1). If k has bnary representaton (k l-1, k l-2,,k 0 ) 2 where k Є (0, 1) then k = 0 k 0 k 2. Gven an ellptc pont P, kp 2 P = k 0 P + k P + k P +..+ k l-1 2 l-1 P. = k 0 P + 2(k 1 P + 2(k 2 P +. +2(k l-2 P +2(k l-1 P)..)..e., t uses repeated ellptc curve pont addton and doublng operatons. Ths method scans the bts of k ether from left to rght or rght to left. Algorthm for the computaton of KP s gven below. Algorthm 1. Left-to-rght bnary method for pont multplcaton. Input: Bnary representaton of k and pont P. Output: Q = kp. 1. Q =. 2. For = l-1 to 0 do 2.1 Q = 2Q (Doublng). 2.2 If k = 1 then Q = Q + P (Addton). 3. Return Q. The runnng tme of an algorthm s determned as how many operatons are performed throughout ts ISSN :

2 H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng executon. If k s l then a pont addton s performed and the expected number of ones (hammng weght) n the bnary representaton of k s half of ts length.e., l/2. Fnally a doublng s performed for each value of I.e., l tmes. Therefore the expected runnng tme s l/2 addtons + l doublngs denoted as 2 l A + l D. Example 1. Let k = 26 and P a pont on the ellptc curve E. Gven the bnary expanson of k as 26 = = (11010) 2. The scalar multplcaton denoted by 26P by usng Algorthm 1 would be as follows: 26 P = ( 2 ( 2 2 ( 2P + P) + P )..e., t requres 2 addtons and 4 doublngs. 3. Non Adjacent Form The densty of the bnary expanson can be effectvely reduced wth a sgned bnary representaton [7] that uses elements n the set (-1, 0, 1). Sgned bnary representaton was frst proposed by Booth [4] n Later Retwesner [5] gave a constructve proof that every postve nteger can be unquely represented wth fewest number of non-zero dgts (mnmum hammng weght) whch s called Non Adjacent Form or NAF. In ths form nteger k s represented as k = k 2 where K Є (-1, 0, 1). 0 Algorthm 2. Computaton of NAF of an nteger k. Input: A Postve nteger k. Output: NAF of k (k l-1.k 2 k 1 k 0 ) NAF. 1. = Whle k 0 do 2.1 If k s odd k = 2 - (k mod4), k = k - k ; 2.2 Else k = k = k/2, = Return (k -1 k -2.k 1 k 0 ). NAF method uses both addton and subtracton operatons [6] but subtracton of ponts on ellktc curves s smlar to addton operaton. Hence runnng l tme of NAF s A + ld.e., t reduces the 3 l l hammng weght from to 2 3. Example 2. NAF of k = 687 s 687 = = ( ) NAF = , the hammng weght s 5.e. t uses 5 addton (subtracton equvalent to ad dton) operatons whle the bnary representaton of 687 s = ( ) 2. the hammng weght s 7. By NAF hammng weght of k s reduced from 7 to 5.e. 2 addton operatons have been saved. 4. Mutual Opposte Form (MOF) MOF Mutual Opposte form s an effcent left to rght recodng scheme proposed by Okeya [7] that satsfes the followng propertes: 1. The sgns of adjacent non-zero bts (wthout consderng 0 bts) are opposte. 2. The most nonzero bt and the least nonzero bt are 1 and -1 respectvely. Convertng bnary strng to MOF: The n-bt bnary strng k can be converted to a sgned bnary strng by computng mk = 2k - k where - stands for a btwse subtracton. 2k = k n-1 k n-2... k -1...k 1 k 0. - k = k n-1... k...k 2 k 1 k 0. mk = k n-1 k n-2 - k n-1 k -1 - k.k 1 - k 2 k 0 - k 1 k 0 Algorthm 3: Left to rght generaton from Bnary to MOF. Input: A non-zero n-bt bnary strng k = k n 1 k n 2..k 1 k 0. Output: MOF of k (mk n...mk 1 mk 0 ). 1. mk n = k n-1 2. For = n -1 to 0 do 2.1 mk = k 1 - k. 2.1 mk 0 = - k. 3. Return mk n, mk n 1,...mk 1, mk 0. ISSN :

3 H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Example 3. Let k = 27, MOF of k s = ( ). Lke bnary method MOF scans the bts ether from left to rght [8] or from rght to left. 5. Complementary Recodng Technque Gven the bnary representaton of a scalar k = (k l 1.k 1 k 0 ) 2 the procedure for convertng bnary strng nto sgned bnary strng usng complementary method ([9], [10]) s gven below: K = 0 where k = 1 k 2 = ( ) (l+1) bts - k - 1 k k 2 k 0 and k = 0 f k = 1 k = 1 f k = 0 for = 0, 1,..., l-1. Example 4. For k = 687 = ( ) 2, by the above method K = ( ) (10 +1) bts - ( ) - 1 = ( ).e., t gves the same output as NAF but by usng the complement of k. 6. Proposed method (Drect Recodng method) Accordng to our proposed method the procedure for convertng the scalar k nto sgned bnary representaton s as follows: For any scalar k where 2 p+1 > k > 2 p, we have K = (2 p+1 ) 2 - (2 p+1 -k) 2. Snce ths method uses only sngle operaton of btwse subtracton wth 0-1 = 1 t gves the sgned bnary representaton wth the lowest hammng weght and n the least possble tme. Hence ths method can be called as Drect recodng method. The output of ths method s also smlar to other standard recodng methods such as NAF, MOF, and complementary recodng. Algorthm 4: Scalar multplcaton usng Proposed method. Input: Sgned bnary representaton usng proposed method. Output: Q = kp. 1. Q = For = n-1 to 0 do 2.1 Q = 2Q. 2.1 If k = 1, Q = Q + P; 2.2 Else If k = -1, Q = Q P. 3. End If. 4. Return Q. Example 5. For k = 686 () By bnary method, we have 686 = ( ) 2. Clearly, the hammng weght of 686 s 6. () By NAF we fnd that 686 = ( ). In ths case, the hammng weght of 686 s reduced from 6 to 5. () By complementary recodng we have 686 = ( ) - ( )- 1 = ( ) - 1 The hammng weght s 6 (5 nternal and 1 external). (v) By our proposed method, for 2 10 > 686 > 2 9 we have 686 = (2 10 ) 2 - ( ) 2 = ( ) - ( ) = ( ). Thus the hammng weght of 686 s 5 but by usng only sngle operaton of btwse subtracton. Example 6. For k = 240 () By bnary method we fnd that 240 = ( ) 2. Clearly, the hammng weght of 240 s 4. () By complementary recodng, we have 240 = ( ) (( ) 1) = ( ) 1. Here, the hammng weght of 240 s ncreased to 6 (5 nternal and 1 external). () By our proposed method for 2 8 > 240 > 2 7 we have, 240 = (2 8 ) 2 - ( ) 2 ISSN :

4 H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng = ( ) - (10000) = ( ). Here, the hammng weght of 240 s reduced from 4 to 2.e., the least hammng weght when compared to all other exstng methods. We know that one addton operaton requres 2 squarng, 2 multplcatons and 1 nverson. Hence our proposed method saves computatonal cost and tme for performng 4 squarng, 4 multplcatons and 2 nversons. TABLE 1 COMPARISION OF RUN TIMES The followng table gves the comparson of run tme of varous sgned bnary represen tatons NAF the Non Adjacent form, MOF the Mutual Opposte form, CRM the Complementary Recodng method and DRM Drect Recodng, the proposed method n seconds. Bt sze Sgned bnary representatons NAF MOF CRM DRM Fg 1 Tme rato of the drect recodng method wth other algorthms (NAF, MOF, CRM, DRM). 7. Concluson In the mplementaton of ECC scalar multplcaton s not only the basc computaton but also the most tme consumng operaton. Its Operatonal effcency drectly determnes the performance of ECC. In ths paper we proposed a scalar multplcaton usng drect recodng method. Theoretcal tasks and numercal tests reveal that ths algorthm can remarkably enhance the computng effcency of scalar multplcaton compared wth other tradtonal algorthms and therefore has practcal sgnfcance for the mplementaton of ECC. Moreover, Fg. 1 shown above earnestly justfes our concluson. We mplemented our algorthm on Intel p4 dual core processor 1.6 GHz and 782 MHz and 504 MB of memory usng Matlab. From the table we fnd that our proposed method takes the least tme to fnd the sgned bnary representaton of any nteger k when compared to the other known methods (See, for nstance, Fg.1 below). 8. References [1] V. S. Mller, Use of ellptc curves n cryptography, Advances n Cryptology, Proceedngs of CRYPTO'85, LNCS, 218 (1986), [2] N. Kobltz, Ellptc curve cryptosystem, Mathematcs of Computaton, 48 (1987) [3] Standard specfcatons for Publc key cryptography, IEEE Standard 1363, [4] A.D. Booth, A sgned bnary multplcaton technque, Journal of Appled Mathematcs, 4(2) (1951), [5] G. W. Retwesner, Bnary Arthmetc, Advances n computers, 1 (1960), [6] F. Moran, J.Olvos, Speedng up the computatons on an ellptc curve usng addton subtracton chans, RAIRO Theoretcal Informatcs and Applcatons, 24 (1990), [7] K. Okeya, Sgned bnary representatons revsted, Proceedngs of CRYPTO'04 (2004), [8] M. Joye, S. Yen, Optmal left to rght bnary sgned dgt recodng, IEEE Transactons on Computers, 49 (2000), [9] P. Balasubramanam, E. Karthkeyan, Ellptc curve scalar multplcaton algorthm usng complementary ISSN :

5 H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng recodng, Appled Mathematcs and Computaton, 190 (2007), [10] P.Balasubramanam, E. Karthkeyan, Fast Smultaneous scalar multplcaton, Appled Mathematcs and Computaton, 192 (2007), Authors Profle 1. Dr. H. K. Pathak receved Post Graduate degree n Mathematcs from Pt. Ravshanker Shukla Unversty, Rapur. He was awarded Ph.D n 1988 by the same Unversty. He has publshed more than 185 research papers n varous nternatonal journals n the feld of non lnear analyss-approxmaton and expanson, Calculus of varatons and optmal controls Optmzaton, Feld theory and polynomals, Fourer analyss, General topology, Integral equatons, Number theory, Operatons research, Mathematcal programmng, Operator theory, Sequences, Seres, summablty. At present he s Professor and Head n S.o.S n Computer scence & IT n Pt. Ravshanker Shukla Unversty. 2. Mrs. Manju Sangh receved the post graduate degree n Mathematcs from Ravshanker Unversty Rapur n Snce 2001 she has been workng as lecturer n Rungta college of Engneerng & Technology Bhla. Currently she s pursung PhD from School of studes n Mathematcs Ravshanker Shukla Unversty Rapur. Her research nterests nclude Cryptography. ISSN :