Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations

Size: px

Start display at page:

Download "Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations"

Harriet Benson
6 years ago
Views:

1 Use of Sparse and/or Complex Exponents n Batch Verfcaton of Exponentatons Jung Hee Cheon 1 and Dong Hoon Lee 2 1 Department of Mathematcs, Seoul Natonal Unversty jhcheon@math.snu.ac.kr, 2 Natonal Securty Research Insttute (NSRI) dlee@etr.re.kr Abstract. Modular exponentaton n an abelan group s one of the most frequently used mathematcal prmtves n modern cryptography. Batch verfcaton s to verfy many exponentatons smultaneously. We propose two fast batch verfcaton algorthms. The frst one makes use of exponents wth small weght, called sparse exponents, whch s asymptotcally 10 tmes faster than the ndvdual verfcaton and twce faster than the prevous works wthout securty loss. The second one s appled only to ellptc curves defned over small fnte felds. Usng sparse Frobenus expanson wth small nteger coeffcents, we propose a complex exponent test whch s four tmes faster than the prevous works. For example, each exponentaton n one batch requres asymptotcally 9 ellptc curve addtons n some ellptc curves for 2 80 securty. Keywords: Batch verfcaton, modular exponentaton, sparse exponent, Frobenus map. 1 Introducton Batch verfcaton s an algorthm to verfy many exponentatons smultaneously: Let G be an abelan group wth a generator g. Gven a batch nstance of n exponentaton pars {(x 1, y 1 ), (x 2, y 2 ),..., (x n, y n )} wth x Z and y G, the algorthm checks at once f g x = y for all. The small exponent test s to check f g n =1 x s = n =1 ys for randomly chosen l bt ntegers s when the screenng parameter s l [2]. We extend the small exponent test to more general exponent sets and mprove the performance usng sparse exponents. Our dea s to take random exponents whch have smaller Hammng weghts and longer bt szes. The probablty that a wrong batch nstance passes the proposed test wth an exponent set S s at most 1/ S, as we wll show, when all elements n S are dstnct modulo the order of a gven group. Therefore t s mportant how to take a exponent set S and how to

2 maxmze the cardnalty of elements that are dstnct modulo the order of the group. If we take S to be a set of non-negatve ntegers n Z p wth Hammng weght k 19 from Z p for an 160 bt prme p, S s greater than In ths case, our sparse exponent test requres at most n multplcatons to verfy n exponents wth securty 2 80, whle the small exponent test requres n multplcatons at average. Another varant of the algorthm s to use sparse sgned bnary exponents. It s proper for verfyng scalar multplcatons on ellptc curves where a subtracton s as effcent as an addton. More savngs are obtaned by usng even larger exponents than the order of the underlyng group. It s applcable to sgnature schemes the order of whose underlyng group s secret such as RSA and Gullou-Qusquater (GQ) sgnatures [9]. We can generalze the exponents set to complex endomorphsms n ellptc curves. When an ellptc curve s defned over a small fnte feld F q, we have a very effcent complex endomorphsm, called the Frobenus map. We take as an exponent set S a polynomal of the Frobenus map wth small nteger coeffcents. In most prevous works on Frobenus expansons, the set of coeffcents have at most q cardnalty due to the unqueness of representaton (For more references, refer to [14]). If we consder ths coeffcent set, we have the same effcency wth the sparse exponent set. In our method, however, we enlarge the coeffcent set to all ntegers whose absolute values are less than q 2 /2 and coprme to q and prove that each element of S s dstnct as an endomorphsm on the cyclc subgroup of the ellptc curve f each element of S has no adjacent non-zero coeffcents. As a result, we obtan the batch verfcaton four tmes faster than the prevous works. For example, each exponentaton requres asymptotcally 9 ellptc curve addtons n Kobltz curves for 2 80 securty. Batch Cryptography Batch cryptography was frst ntroduced by Fat [8]. He ntroduced an algorthm to obtan two exponentatons by one full exponentaton and several small exponentatons. More technques on batch computatons can be found n [3, 12]. Batch verfcaton of exponentatons was frst proposed by Naccache et al. [15] to verfy effcently modfed DSA sgnatures. They used the subset consstng of e-bts prme numbers for small e as an exponent set. Yen and Lah [18] mproved the test by adoptng small exponents set {0, 1} l for the screenng parameter l. Bellare et al. [2] gave systematc approaches wth two more tests: the atomc test uses S = {0, 1} and the

3 bucket test s the combnaton of the atomc test and the small exponent test. Later, Boyd and Pavlovsk [4] ndcated the weakness of the tests when they are used n non-prme order subgroups. Current batch verfcatons are effcent for verfyng many sgnatures by one sgner at once. The applcatons nclude: 1)an authentcated database n whch each data s sgned by a data owner [13], 2) electronc commerce where shops or banks need to verfy all the cons, usually ssued by one bank, very effcently, and 3) votng protocols where the tally needs to authentcate huge number of votes and an effectve vote should be accompaned by the sgnature sgned by the votng center. Organzaton Ths paper s organzed as follows: In Secton 2, we ntroduce general approach for batch verfcatons and dscuss ts securty. In Secton 3, we propose a batch verfcaton algorthm usng sparse bnary exponents and ts varants usng sparse sgned bnary exponents and sparse long exponents. In Secton 4, we consder complex exponents on ellptc curves. We conclude n Secton 5. 2 Batch Verfcaton For the defnton of batch verfcaton, we wll follow the notaton n [2]. Let G be a cyclc group of order p wth a generator g and R( ) a Boolean relaton on the set of nstances {(x, y) x Z p, y G}. We say that R(x, y) = 1 or the nstance (x, y) s correct f and only f g x = y. A batch nstance for relaton R s a sequence nst 1,, nst n of nstances for R. We say that the batch nstance s correct (R(nst 1,..., nst n ) = 1) f R(nst ) = 1 for all = 1,..., n, and ncorrect (R(nst 1,..., nst n ) = 0) f there s some {1,..., n} for whch R(nst ) = 0. Defnton 1. A batch verfer for relaton R s a probablstc algorthm V that takes a batch nstance X = (nst 1,..., nst n ) for R and a screenng parameter l, and satsfes: 1. If X s correct then V outputs If X s not correct then the probablty that V outputs 1 s at most 2 l. In ths case, we say the error of V s 2 l. Now we consder a subset S of Z such that the dfference of any two elements of S s coprme to p. Then we defne a batch verfer V S as Fgure 1.

4 Input: A batch nstance {(x 1, y 1),..., (x n, y n)} wth x Z p and y G. Check: That g x = y for all 1 n. 1. Choose n elements s 1,..., s n randomly from S. 2. Compute g n =1 s x and n =1 ys. 3. Accept f they concde, else reject. Fg. 1. The Batch Verfer V S wth a Exponent Set S Note that any correct batch nstance always passes the test, but even a wrong nstance may pass the test wth some probablty. If we let α Z p be such that g α = y /g x, the test s passed f and only f g n =1 s α = 1. Thus the error of the batch verfer V S s Err(V S ) = max α {(s 1,..., s n) g s α = 1 for s S}, (1) {(s 1,..., s n) s 1,..., s n S} where α = (α 1,..., α n ) runs through all but (0, 0,, 0) n Z n p, f all elements of S are equally lkely to be chosen n the test. Now we ntroduce the formula for Err(V S ). Theorem 1. Let S be a subset of nonnegatve ntegers such that the dfference of any two elements n S s coprme to p. Then we have Err(V S ) 1/ S. Proof. Consder an nstance of n exponentaton pars (x 1, y 1 ),..., (x n, y n ) wth x Z p and y G where y = g x +α for some α Z p. Gven a test parameter (s 1,..., s n ) S n, the nstance passes the test f and only f g s 1α 1 + +s nα n = 1. If the nstance contans an ncorrect par, there must be at least one such that α 0 mod p. In that case, we have at most one s satsfyng s α n j s jα j mod p, because any two elements s, s satsfyng the equaton should have gcd(s s, p) 1 whch contradcts the assumpton of S. Hence, for any gven α, we have {(s 1,..., s n) s α 0 mod p for s S} S n 1. From Equaton (1), we have Err(V S ) 1/ S. In [2], Bellare et al. suggested three tests. In the atomc test, S s taken to be {0, 1}. In the small exponent test, S s taken to be {s Z 0 s < 2 l } for a gven screenng parameter l. The bucket test s the combnaton of the atomc test and the small exponent test. In ths paper, we consder dfferent types of a set conssts of sparse exponents.

5 2.1 How to Select Screenng Parameters The securty level of today s sgnature schemes s usually set on 2 80, whch s equvalent to that of 1024-bt RSA or 160-bt ellptc curve cryptosystem. But, the screenng level of batch verfer can be dfferent because even the owner of sgnng key can produce a set of wrong sgnatures that passes the verfers, wth at most 2 l probablty for the screenng parameter l. In [2] and [4], l = 60 was proposed for most practcal use. Usually, selecton of the screenng parameter depends on the stuaton where each applcaton deploys. If an applcaton performs only small number of verfcatons, t would be very unlkely to accept the wrong nstance n ts lfetme even wth the small screenng parameter. When we take the small screenng parameter, the batch verfcaton algorthm s more effcent. Hence t s desrable to set the screenng parameter as small as possble n tolerable ranges for each applcaton. We may consder an teraton of several weak batch verfcatons to acheve stronger batch verfcatons. If we perform t tmes the batch verfcaton wth screenng level l ndependently, then the screenng level becomes tl. Ths enables us a parallelzaton of batch verfcaton. Moreover we can desgn a cascade flter of sgnatures consstng of successve weak batch verfers. If the test fals n the frst flter, the set of sgnatures should be moved to the step of dentfyng wrong sgnatures. If the test succeeds, t goes to the second flter and so on untl the ntended screenng level s acheved. Ths would be useful for fast screenng DoS attacks. Note that when there s only one nvald sgnature n the set of n nstances and the batch verfer fals the verfcaton, we can dentfy the nvald one wth at most log 2 n + 1 batch verfcatons by bnary tree search technque. If the number of wrong sgnatures are k, the maxmum number of batch verfcatons becomes k( log 2 n log 2 k )+2 log 2 k Sparse Exponent Test 3.1 Basc Sparse Exponent Test Let l be the screenng parameter and let the order of G be a prme p. In sparse exponent test, we consder the set S of exponents S = {s Z 0 s < 2 log p, wt(s) k}, where wt(s) s the Hammng weght of s n the bnary representaton. Then every element s dstnct modulo p and so we have Err(V S ) 1/ S

6 by Theorem 1. To bound Err(V S ) by 2 l, k must satsfy S = k ( ) log p 2 l. Table 1 gves mnmum k values for varous screenng parameters l that satsfy the above equaton when log p = 160. Observe that k s much less than l/4. In partcular, k l/5 for l 50. Table 1. k values for varous screenng parameters when log p = 160 l k Our sparse exponent test s descrbed n Fgure 2. In order to perform the test effcently, we use the technque of smultaneous multplcatons as usual. Input: (x, y ) for 1 n. Check: That g x = y for all 1 n. 1. Choose n random elements s 1, s 2,..., s n from S defned n Equaton (3.1) 2. y 1 and y 0 g. 3. s 0 n =1 sx mod p. 4. For j = log p to 1, do (a) For = 0 to n, y yy f the j-th bt of s s one. (b) y y 2 unless j = Accept f y s one, else reject. Fg. 2. Sparse exponent test usng smultaneous multplcatons Table 2 gves the average numbers of operatons whch are requred for verfyng n nstances for the naïve test, the small exponent test (SE), and our sparse exponent test (SPET). Naïve test verfes n nstances ndependently. In the table, Exp, Mul, and Sqr represent the exponentaton, the multplcaton, and the squarng on G respectvely. P denotes a prme feld (Sqr=0.8 Mul) and B-PB and B-NB denote a bnary feld wth a polynomal bass (Sqr=0.1 Mul) and a bnary feld wth a normal bass (Sqr s for free), respectvely. Multplcaton modulo p operatons are gnored n total estmatons.

7 Table 2. Average number of operatons for verfyng n-nstances when log p = 160. Naïve SE SPET(ours) Exp n 1 0 Mul 0 ln/2 kn + log p /2 Sqr 0 l log p Total P 208n 10n n (n Mul) B-PB 96n 10n n + 96 l = 20 B-NB 80n 10n n + 80 Total P 208n 40n n (n Mul) B-PB 96n 40n n + 96 l = 80 B-NB 80n 40n n + 80 Compared wth the small exponent test, our method removes one exponentaton and reduces the number of multplcatons at the cost of ncreasng only a small number of squarngs (whch s ndependent of n). Moreover squarng s generally more effcent than multplcaton [5, 10]. 3 From Table 2, we can see that our test s expected to be about 2 3 tmes faster than the small exponent test as n grows. The sparse exponent test can be appled to sgnature schemes based on modular exponentatons. Especally t s useful for modfed DSA as n [15]. But we need to take prmes p and q such that (p 1)/(2q) has no dvsor less than q, and regard two group elements to be equal f they are the same up to the sgn due to the attack by Boyd and Pavlovsk [4]. 3.2 Bucket Test based on Sparse Exponents The bucket test s a combnaton of the atomc test and the small exponent test [2]. We can get another bucket test based on sparse exponents by replacng the small exponent test by the sparse exponent test appearng n the bucket test: Gven an nstance of n exponentaton pars (x, y ), n pars are randomly parttoned nto 2 m groups and the x s and y s n the same partton are added and multpled to form a new exponentaton par. Then the 2 m pars are verfed usng the sparse exponent test wth the screenng parameter m. Ths procedure s repeated ndependently 3 Accordng to [5, 10], the speed rato of the squarng over the multplcaton s for prme felds and for bnary felds.

8 l/(m 1) tmes for the screenng parameter l. The m s chosen to optmze the performance of the test. We compare the performance of the bucket test based on sparse expoents wth the prevous tests n Table 3. In the table, we set p to be 160 bt prmes and l = 60 as n [2]. Hence k = 13 s enough for our test. K denotes the unt of Table 3. Comparson of Average Numbers of Multplcatons for Dfferent Tests n Naïve Small Exp Bucket Sparse Exp Buc.+Spar. 5 1 K 0.41 K 4.35 K K 2.99 K K 3.26 K 5.78 K 1.48 K 4.08 K K 6.26 K 7.17 K 2.78 K 5.08 K K 15.3 K 10.8 K 6.68 K 8.08 K 1K 200 K 30.2 K 16.6 K 13.2 K 13.1 K 10K 2000 K 300 K 100 K K 85.6 K Observe that our sparse exponent test mproves the small exponent test by a factor of about two and our bucket test based on sparse exponent test gves better performance than the orgnal bucket test. 3.3 A Group wth Secret Order: a Composte Modulus Let N be a product of two strong prmes p N and q N such that p N = 2p N + 1 and q N = 2q N + 1 for two prmes p N and q N. We assume that N s hard to factorze. Then we may take even larger exponents than N for batch verfcaton. We consder S = {s [0, 2 L ) wt(s) k}, where L s a sze of the exponent set S. We may assume that the dfference of any two elements n S s coprme to φ(n)/4 = p N q N. Otherwse, we can get a nontrval dvsor of p N q N or a multple of φ(n) whch gves a factorzaton of N [11]. Hence we may assume that the batch verfer wth exponent set S has the error at most 1/ S by Theorem 1. The cardnalty of S s gven by S = k ( ) L.

9 For the screenng parameter l, k s the mnmum nteger satsfyng S > 2 l. Table 4 gves several k values for varous exponent szes L and screenng parameters l. Table 4. k values for varous exponent szes L and screenng parameters l L k when l = k when l = k when l = The sparse long exponent test s smlar to the sparse exponent test (Fgure 2). The dfference s that the order p of G s secret and the bt length of exponents s longer. Snce p s unknown, Step 3 of Fgure 2 uses normal nteger operatons. Ths s useful for verfyng the modfed GQ sgnatures. We need to modfy the scheme a lttle bt as n the DSA scheme [15, 4]. Let N be the product of two prmes p N and q N and e be a 160 bt nteger. Take random J and compute a J e 1 mod N. Then the publc key s (N, J, e) and the prvate key s (p N, q N, a). The GQ sgnature for a message m Z N s (r = (k e mod N), σ = (ka h mod N)) for randomly chosen k Z N and h a hash output of m and r. The verfcaton s to check f σ e J h r mod N. Assume we are gven n sgnatures (m, r, σ ). We take n random s from S to apply our batch verfcaton and computes ( n =1 σ s ) e J n =1 s h and n =1 r s, (L+160) log n 2 +2kn+80 and verfy f they are equal modulo N. It requres multplcatons and (L + 160) log n + 2L squarngs at average. It can be also appled to the RSA, but t s effcent only when relatvely large publc exponent s used. Some applcatons may requre relatvely large publc exponent e [17] to reduce the prvate exponent. Also the smlar technque can be appled to sgnatures based on strong RSA problems. One example s one of two verfcaton equaltes n the verfcaton n the Cramer-Shoup sgnature [6]. 3.4 Sparse Sgned Bnary Exponent Tests In ellptc curves, subtractons are as effcent as addtons. In ths case, we may consder sgned bnary representaton of exponents. Let S be a

10 subset of nonnegatve ntegers S = {s = log p 1 s 2 0 s = 0, ±1, s s +1 = 0}, where the number of nonzero a s at most k. That s, an element of S has a non-adjacent representaton of the weght k and the most sgnfcant bt s one. Note that an nteger has the unque non-adjacent form (NAF) [16]. By modfyng the proof, we can show that all elements n S are dstnct modulo p. Lemma 1. Any two elements n S are dstnct modulo p. Proof. Suppose that two elements x = log p 1 x 2 and y = log p 1 y 2 n S are congruent modulo p and have dfferent representaton n NAF. Then two elements are between zero and p 1 and so t should be dentcal n Z. Let j be the frst bt from the least sgnfcant bt such that x j y j. Then (x y)/2 j 0 mod 4. Ths s a contradcton. The cardnalty of S s gven n the next theorem. Theorem 2. S = k ( ) log p =1 Proof. We partton S nto two dsjont subsets S 0 and S 1, where log p 1 S 0 = { s 2 S s log p 1 = 0} and S 1 = S \ S 0. Frst, we count the cardnalty of S 0. We choose postons from log p postons, each poston except the frst poston from the most sgnfcant bt s flled wth 01 or 0 1, and the frst poston s flled wth 01 because an element of S should be postve. Snce they are all dstnct and covers all elements of weght n S 0, we have k ( ) log p S 0 = =1 When we count the cardnalty S 1, we frst fx the frst bt of each element by one. Then by smlar argument but wthout the constrant on the frst poston, we have ( k 1 S 1 = log p 1 ) 2 = ( k =1 log p 1 ) 2 1.

11 Usng the well-known formula ( a b 1) + ( a b ) = ( a+1 b ), we have the lemma. In Table 5, we compare the k values for sparse bnary exponents and sparse sgned bnary exponents. Table 5 shows that f we use sparse sgned bnary exponents, then the batch verfcaton could be more effcent when the screenng parameter l 40. ECDSA that s the ellptc curve analogue of DSA s a good example that admts a sparse sgned bnary exponent tests [7]. We have to slghtly modfy the ECDSA for batch verfcaton n the same way [15]. Remark that f we take an ellptc curve whose order s prme, the Boyd and Pavlovsk attack [4] can not be appled. Table 5. k values for varous screenng parameters when log p = 160 l k (Sparse Bnary) k (Sparse Sgned Bnary) Complex Exponent Test Consder an ordnary ellptc curve E defned over F q wth #E(F q ) = q + 1 t and gcd(q, t) = 1. The Frobenus map φ s defned as follows: φ : E(F q ) E(F q ); (x, y) (x q, y q ), where F q s the algebrac closure of F q. The Frobenus map φ satsfes φ 2 tφ + q = 0 on E(F q ). The endomorphsm rng of E contans Z[φ] = Z[x]/(x 2 tx + q). Then the norm functon N( ) on Z[φ] s defned by N(a + bφ) := (a + bφ)(a + b φ) = a 2 + tab + qb 2, a, b Z, where φ s the dual of φ correspondng to the complex conjugate of φ n C. (We may regard φ as a complex number (t + t 2 4q)/2 and Z[φ] as a subset of C.) We denote E(F q m) by the subgroup of E(F q ) consstng of F q m-ratonal ponts. Let G be the subgroup of E(F q m) generated by P wth a prme order p satsfyng p 2 #E(F q m) and p E(F q ). Then we have φ m = 1 and φ m 1 + φ m φ + 1 = 0 on the group G snce G E(F q ) = {O}.

12 In ths secton, the exponent sets can be extended to ths endomorphsm rng, that s why we call complex exponents. Now we consder two canddates for the exponent set. S 1 = { S 2 = { e a φ a Z, a q 1, a a +1 = 0}, e a φ a Z, q a, a < q 2 /2, a a +1 = 0}, where the number of non-zero a s at most k. We note that each S s a set of generalzed sgned φ-adc NAF expansons. To count the number of elements n S whch are dstnct as endomorphsms of G, we need the followng lemma. Lemma 2. Let e 5 and f(x) = e a x be a polynomal n Z[x] wth a M. If 30q e+1 M 2 p, f(φ)p = 0 mples that x 2 tx + q dvdes f(x) n Z[x]. Proof. By dvson algorthm, we have g, r Z such that f(x) = (x 2 tx + q)(g e 2 x e g 1 x + g 0 ) + r 1 x + r 0. Let M 0 = 0, M 1 = M and M = M + t M 1 + qm 2 for 2. Then, by equatng the coeffcents of x, we have g e 2 = a e M 1, g e 3 = a e 1 + tg e 2 M + t M 1 = M 2, g e 1 = a e +1 + tg e qg e +1 for 2 e 1. Also we have M + t M 1 + qm 2 = M r 1 = a 1 + tg 0 qg 1 M e, r 0 = a 0 qg 0 M + qm e 1. If we take M = M + M ( 0) for M = M/( t + q 1), we have M = t M 1 + qm 2 for 2. Ths recurrence relaton has the unque soluton M = c 1β1 +c 2β2 where β 1 and β 2 are the solutons of x 2 t x+q n C and c 1 = M β 2 +M M β 1 β 2 and c 2 = M β 1 +M M β 2 β 1. Thus we have for 4 M max{c 1, c 2 } β 1 + β 2 + M 21 8 q/2 M,

13 because and c ( ) M q + 1 4q t 2 t + q M β 1 + β 2 = q + 1 #E 1 (F q ) 2 q by Hasse-Wel Theorem, where E 1 s E f t > 0 and the twst of E (wth q t F q -ratonal ponts) f t < 0. Hence we have and r qe/2 M r 0 M + qm e 1 ( q(e+1)/2 )M 22 8 q(e+1)/2 M. Usng ths bound, we have N(f(φ)) = N(r 1 φ+r 0 ) = r1 2q+tr 1r 0 +r0 2 < 30q e+1 M 2. Suppose f(φ)p = O. Then N(f(φ))P = f( φ)f(φ)p = O and N(f(φ)) Z, and so N(f(φ)) s dvsble by p. Therefore, f we take 30q e+1 M 2 p, then N(f(φ)) = 0 and so r 1 = r 0 = 0, whch completes proof. Now we can show that each element of S s dstnct as an endomorphsm of G under some condton. log p 2 log M 5 Theorem 3. If 5 e log q, then each element of S s a dstnct endomorphsm of G where M = 2(q 1) for S 1 and M = 2 q2 1 2 for S 2. Proof. Suppose that f 1 (φ)p = f 2 (φ)p for two dfferent polynomals f 1 (x) = e a x and f 2 (x) = e b x n Z[x] wth a M/2 and b M/2. Then f 1 (x) f 2 (x) s dvsble by x 2 tx + q by Lemma 2. Let j be the smallest ndex such that a j b j. Then g(x) = (f 1 (x) f 2 (x))/x j = e j c x Z[x] s dvsble by x 2 tx + q. So c 0 must be a multple of q. Let c 0 = c 0/q Z. Then (g(x) c 0 (x2 tx + q))/x = e j =3 c x 1 + (c 2 c 0 )x + (c 1 + tc 0 ) s also dvsble by x2 tx + q, hence c 1 + tc 0 must be dvded by q agan. That s, q2 dvdes qc 1 + tc 0. If ether a j = 0 or b j = 0, then q does not dvde c 0 by the defnton of S 1 and S 2. If both of a j and b j are non-zero, then a j+1 = b j+1 = 0 and q 2 qc 1 + tc 0 = tc 0. In both cases, g(x) can not be dvded by x 2 tx + q, whch s a contradcton. The cardnalty of S s gven n the next theorem.

14 Theorem 4. The cardnalty of S s gven by 1. S 1 = k 2. S 2 = k ( e+2 ( e+2 ) (2q 2), ) (q 2 q). Proof. At frst, we wll count the cardnalty of S 1. The proof s smlar to the proof of Theorem 2. The dfference s that a negatve coeffcent s allowed n the most sgnfcant nonzero poston. The number of elements whose most sgnfcant bt s zero s k ( ) e + 1 (2q 2). The number of elements whose most sgnfcant bt s nonzero s k 1 ( ) e (2q 2) (2q 2) 1. By summng up the above values, we have S 1 = k ( ) e + 2 (2q 2). For the cardnalty of S 2, t s essentally same as the above case. Only dfference s the number of coeffcents, whch s q 2 q. Our complex exponent test usng Frobenus maps s descrbed n Fgure 3. In order to perform the test effcently, we utlze BGMW multplcatons [1]. In Table 6, gven a power of prme q we present the maxmum e such that all elements of S are dstnct as endomorphsms of G. Also we compute the maxmum weght k satsfyng that the cardnalty S s greater than 2 l for varous screenng parameter l. For example, when q = 8, the maxmum e becomes 47 and we need only 9 ellptc curve addtons for each exponentaton when the number of batch nstances n s large. More precsely, to verfy n exponentatons, we need 9n + 80 ellptc curve addtons when a normal bass s used for representaton of feld elements.

15 Input: (x, Q ) for 1 n. Check: x P = Q for all 1 n where P s a generator of E. 1. Choose n random elements σ 1, σ 2,, σ n from S 1(e, k, q) or S 1(e, k, q) Denote that σ = e j=0 cjφj and ɛ j = c j/ c j for nonzero c j for each. 2. σ n =1 σx mod (φm 1 + φ m φ + 1). 3. R[] O for 0 M 4. For j = 0 to e, do (a) For = 0 to n, do f c j of σ s not zero, then R[ c j ] R[ c j ] + ɛ jφ j (Q ). 5. Q R[M], T R[M] 6. For = M 1 to 1 do (a) T T + R[] (b) Q Q + T 7. Accept f Q = σp, else reject. Fg. 3. Complex exponent test usng Frobenus maps Table 6. The maxmum weght k n each S 1 and S 2 l S 1 (q = 2, e = 153) S 2 (q = 2, e = 153) S 1 (q = 4, e = 74) S 2 (q = 4, e = 73) S 1 (q = 8, e = 49) S 2 (q = 8, e = 47) l S 1 (q = 3, e = 95) S 2 (q = 3, e = 94) S 1 (q = 5, e = 64) S 2 (q = 5, e = 62) S 1 (q = 7, e = 52) S 2 (q = 7, e = 51)

16 5 Concluson In ths paper, we developed two batch verfcaton algorthms usng sparse exponents wth small weghts. The frst one makes use of exponents of (sgned) bnary representaton. We can take exponents whose weght s less than l/4 wth bnary expanson and l/5.5 wth sgned bnary expanson whle the average weght of exponents s l/2 n the small exponent test. Hence we expect that our test s about twce faster. If we use a group whose order s secret, e.g. RSA group, we can extend our algorthm to allow longer exponents to reduce the weght of exponents. The second one can be appled only to specal famly of ellptc curves defned over small fnte felds. It utlzes the exponents wth sparse φ-adc expanson. By enlargng the coeffcents set of the expanson, we obtaned a complex exponent test much faster than sparse exponent test. References 1. E. Brckell, D. Gordon, K. McCurley, and D. Wlson, Fast Exponentaton wth Precomputaton, Proc. of Eurocrypt 92, LNCS Vol. 658, pp , Sprnger- Verlag, M. Bellare, J. Garay, and T. Rabn, Fast Batch Verfcaton for Modular Exponentaton and Dgtal Sgnatures, Proc. of Eurocrypt 98, LNCS Vol. 1403, pp , Sprnger-Verlag, Full verson s avalable va 3. M. Beller and Y. Yacob, Batch Dffe-Hellman Key Agreement Systems and ther Applcaton to Portable Communcatons, Proc. of Eurocrypt 92, LNCS Vol. 658, pp , Sprnger-Verlag, C. Boyd and C. Pavlovsk, Attackng and Reparng Batch Verfcaton Schemes, Proc. of Asacrypt 2000, LNCS Vol. 1976, pp , Sprnger-Verlag, M. Brown, D. Hankerson, J. López, and A. Menezes, Software Implementaton of the NIST Ellptc Curves over Prmes Felds, Proc. of CT-RSA 2001, LNCS, Vol. 2020, pp , Sprnger-Verlag, R. Cramer and V. Shoup, Sgnature Schemes based on the Strong RSA Assumptons, ACM TISSEC, Vol. 3, No. 3, pp , A prelmnary verson appeared n Proc. of Crypto 89, LNCS Vol. 435, pp , Sprnger-Verlag, Publc Key Cryptography for the Fnancal Servces Industry: The Ellptc Curve Dgtal Sgnature Algorthm (ECDSA), ANSI X9.62, approved January 7, A. Fat, Batch RSA, J. Cryptology, Vol. 10, No. 2, pp , Sprnger-Verlag, A prelmnary verson appeared n Proc. of Crypto 89, LNCS Vol. 435, pp , Sprnger-Verlag, L. Gullou and J. Qusquater, A Practcal Zero-knowledge Protocol ftted to Securty Mcroprocessor Mnmzng both Transmsson and Memory, Proc. of Eurocrypt 88, LNCS Vol. 330, pp , Sprnger-Verlag, D. Hankerson, J. Hernandez, and A. Menezes, Software Implementaton of Ellptc Curve Cryptography Over Bnary Felds, Proc. of CHES 2000, LNCS, Vol. 1965, pp. 1 24, Sprnger-Verlag, 2000.

17 11. A. May, Computng the RSA Secret Key s Determnstc Polynomal Tme equvalent to Factorng, Proc. of Crypto 2004, LNCS Vol. 3152, pp , Sprnger- Verlag, D. M Rath and D. Naccache, Batch Exponentaton - A Fast DLP based Sgnature Generaton Strategy, ACM Conference on Computer and Communcatons Securty, pp , ACM, E. Mykletun, M. Narasmha and G. Tsudk, Authentcaton and Integrty n Outsourced Databases, Proc. of ISOC Symposum on Network and Dstrbuted Systems Securty (NDSS04), V. Muller, Fast Multplcaton on Ellptc Curves over Small Felds of Characterstc Two, J. of Cryptology, Vol. 11, pp , Sprnger-Verlag, D. Naccache, D. M Rath, S. Vaudenay, and D. Raphael, Can D.S.A be Improved? Complexty trade-offs wth the Dgtal Sgnature Standard, Proc. of Eurocrypt 94, LNCS Vol. 950, pp , Sprnger-Verlag, J. Solnas, An Improved Algorthm for Arthmetc on a Famly of Ellptc Curves, Proc. of Crypto 97, pp , Sprnger-Verlag, Full verson s avaable at H. Sun, W. Yang, and C. Lah, On the Desgn of RSA wth Short Secret Exponent, Proc. of Asacrypt 99, pp , Sprnger-Verlag, S. Yen and C. Lah, Improved Dgtal Sgnature sutable for Batch Verffcaton, IEEE Trans. on Computers, Vol. 44, No. 7, pp , 1995.

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence