1. INTRODUCTION FAST ELLIPTIC CURVE CRYPTOGRAPHY USING OPTIMAL DOUBLE-BASE CHAINS

Transcription

1 FAST ELLIPTIC CURVE CRYPTOGRAPHY USING OPTIMAL DOUBLE-BASE CHAINS Voapong Suppakitpaisan, Hioshi Imai Gaduate School of Infomation Science and Technology, The Univesity of Tokyo Tokyo, Japan m t dtone@is.s.u-tokyo.ac.jp imai@is.s.u-tokyo.ac.jp Masato Edahio Gaduate School of Infomation Science Nagoya Univesity Nagoya, Japan eda@etl.jp ABSTRACT In this wok, we popose an algoithm to poduce the double-base chain that optimizes the time used fo computing an elliptic cuve scala multiplication, i.e. the bottleneck opeation of the elliptic cuve cyptosystem. The double-base numbe system and its subclass, double-base chain, ae the epesentation that combines the binay and tenay epesentations. The time is measued as the weighted sum in tems of the point double, tiple, and addition, as used in evaluating the pefomance of existing geedytype algoithms, and ou algoithm is the fist to attain the minimum time by means of dynamic pogamming. Compaed with geedy-type algoithm, the expeiments show that ou algoithm educes the time fo computing the scala multiplication by % with almost the same aveage unning time fo the method itself. The poposed algoithm is also bette than the geneal algoithm fo the double-base numbe system using Yao s algoithm when the point tiple is compaatively fast to the point addition. KEYWORDS Intenet Secuity, Cyptogaphy, Elliptic Cuve Cyptogaphy, Minimal Weight Convesion, Digit Set Expansion, Double-Base Numbe System, Double-Base Chain 1. INTRODUCTION Scala multiplication is the bottleneck opeation of the elliptic cuve cyptogaphy. It is to compute Q = S when S, Q ae points on the elliptic cuve and is a positive intege. The computation time of the opeation stongly depends on the epesentation of. The most common way to epesent is to use the binay expansion, n 1 = t t, t=0 whee t is a membe of a finite digit set D S. We call R = 0,..., n 1 as the binay expansion of. If D S = {0, 1}, we can epesent each intege by a unique binay expansion. Howeve, we can epesent some integes by moe than one binay expansion if {0, 1} D S. Fo example, = 15 = = can be epesented 190

2 by R 1 = 1, 1, 1, 1, 0, R = 1, 0, 0, 0, 1, and many othe ways. Shown in Section, the computation of scala multiplication based on the binay expansion R makes the opeation faste than using the binay expansion R 1. The algoithm to find the optimal binay expansion of each intege has been studied extensively in many woks [1], []. The epesentation of is not limited only to binay expansion. Takagi et al. [] have studied about the epesentation in a lage adix, and discuss about its application in paiing-based cyptosystem. The efficiency of epesenting the numbe by tenay expansion is discussed in the pape. Some numbes have bette efficiency in binay expansion, and some ae bette in tenay expansion. Then, it is believed that double-base numbe system (DBNS) [4], [5] can impove the efficiency of the scala multiplication. The double-base numbe system of is defined by C[] = R, X, Y when R = 0,..., m 1 fo i D S {0}, X = x 0,..., x m 1, Y = y 0,..., y m 1 fo x i, y i Z, and = m 1 t=0 t xt yt. The epesentation of each intege in doublebase numbe system is not unique. Fo example, 14 = = can be epesented as C 1 [14] = 1, 1,, 1, 0, 1, and C [14] = 1, 1, 1,, 0, 1. Meloni and Hasan [6] used double-base numbe system with Yao s algoithm to impove the computation time of scala multiplication. Howeve, the implementation is complicated to analyze, and it needs moe memoy to stoe many points on the elliptic cuve. In othe wods, the implementation of scala multiplication based on double-base numbe system is difficult. To cope with the poblem, Dimitov et al. poposed to used double-base chains, double-base numbe system with moe estictions. Double-base chains C[] = t m 1 t=0, x t m 1 t=0, y t m 1 t=0 is simila to double-base numbe system, but doublebase chains equie x i and y i to be monotone, i.e. x 0 x m 1, y 0 y m 1. Concening C 1 [14], C [14] on the pevious paagaph, C 1 [14] is not a double-base chain, while C [14] is. Like binay expansion and double-base numbe system, some integes have moe than one double-base chains, and the efficiency of elliptic cuve cyptogaphy stongly depends on which chain we use. The algoithm to select efficient double-base chains is vey impotant. The poblem has been studied in the liteatue [7], [8], [9]. Howeve, they poposed geedy algoithms which cannot guaantee the optimal chain. On the othe hand, we adapted ou pevious woks [10], whee the dynamic pogamming algoithm is devised to find the optimal binay expansion. The pape pesents efficient dynamic pogamming algoithms which output the chains with optimal cost. Given the cost of elementay opeations fomulated as in [7], [11], we find the best combination of these elementay opeations in the famewok of double-base chains. By the expeiment, we show that the optimal double-base chains ae bette than the best geedy algoithm poposed on double-base chain [9] by.9% when D S = {0, ±1}. The expeimental esults show that the aveage esults of the algoithm ae bette than the algoithm using double-base numbe system with Yao s algoithm [6] in the case when point tiples is compaatively fast to point additions. Even though ou algoithm is complicated than the geedy-type algoithm, both algoithms have the same time complexity, O(lg n). Also, the aveage unning time of ou method fo 448- bit inputs is 0ms when we implement the algoithm using Java in Windows Vista, AMD Athlon(tm) 64X Dual Coe Pocesso GHz, while the aveage unning time of the algoithm in [7] implemented in the same com- 191

3 putation envionment is 9ms. The diffeence between the aveage unning time of ou algoithm and the existing one is negligible, as the aveage computation time of scala multiplication in Java is shown to be between ms [1]. In 010, Imbet and Philippe [1] poposed an algoithm which can output the shotest chains when D S = {0, 1}. Thei woks can be consideed as a specific case of ou woks as ou algoithm can be applied to any finite digit sets. Adjusting the paametes of ou algoithm, we can also output the shotest chains fo double-base chains. The pape is oganized as follows: we descibe the double-and-add scheme, and how we utilize the double-base chain to elliptic cuve cyptogaphy in Section. In Section, we show ou algoithm which outputs the optimal double-base chain. Next, we pesent the expeimental esults compaing to the existing woks in Section 4. Last, we conclude the pape in Section 5.. COMPUTATION TIME FOR DOUBLE- BASE CHAINS Using the binay expansion R = t n 1 t=0, whee = n 1 t=0 t t explained in Section 1, we compute the scala multiplication Q = S by doubleand-add scheme as shown in Algoithm 1. Fo example, we compute Q = 17S when the binay expansion of 17 is R = 1, 1, 1, 1, 1, 1, 1 as follows: Q = (((((S + S) + S) + S) + S) + S) + S. Above, we need two elementay opeations, that ae point doubles (S + S, S) and point additions (S + Q when S Q). These two opeations look simila, but they ae computationally diffeent in many cases. In this example, we need six point doubles and six point additions. Geneally, we need n point doubles and n point additions. Howeve, Q is initialized to O, and we need not the point addition on the fist iteation. Also, t S = 0 if t = 0, and we need not the point addition in this case. Hence, the numbe of the point addition is W (R) 1, whee W (R) is the Hamming weight of the expansion defined as: n 1 W (R) = W ( t ), t=0 whee W ( t ) = 0 when t = 0 and W ( t ) = 1 othewise. In this case, W (R) = 7. The Hamming weight tends to be less if the digit set D S is lage. Howeve, using big D S makes cost fo the pecomputation highe as we need to pecompute t S fo all t D S. Algoithm 1: Double-and-add method input : A point on elliptic cuve S, the positive intege with the binay expansion 0,..., n 1 output: Q = S 1 Q O fo t n 1 to 0 do Q Q + t S 4 if t 0 then Q Q 5 end In Algoithm, we show how to apply the double-base chain C[] = R, X, Y, when R = t m 1 t=0, X = x t m 1 t=0, Y = y t m 1 t=0 to compute scala multiplication. Fo example, one of the double-base chain of 17 = is C[17] = R, X, Y, whee R = 1, 1, 1, X = 0, 1,, Y = 0, 1,. Hence, we can compute Q = 17S as follows: Q = 1 ( 1 1 S + S) + S. In addition to point doubles and point additions equied in the binay expansion, we also need point point tiples (S). In this example, we need two point additions, two point doubles, and thee point tiples. In geneal, the numbe of point additions is W (C) 1 19

4 when W (C) = m is the numbe of tems in the chain C. On the othe hand, the numbe of point doubles and point tiples ae x m 1 and y m 1 espectively. Algoithm : Using the double-base chain to compute scala multiplication input : A point on elliptic cuve S, the positive intege with the double-base chains C[] = R, X, Y, whee R = t m 1 t=0, X = x t m 1 t=0, Y = y t m 1 t=0 output: Q = S 1 Q O fo t m 1 to 0 do Q Q + t S 4 if t 0 then Q (x t 1 x t) (y t 1 y t) Q 5 else Q x 0 y 0 Q 6 end In the double-and-add method, the numbe of point doubles equied is poved to be constantly equal to n 1 = lg 1. Then, the efficiency of the binay expansion stongly depends on the numbe of point additions o the Hamming weight. In double-base chain, the numbe of point doubles and point tiples ae not constant. Hence, we need to optimize the value x m 1 P dbl + y m 1 P tpl + (W (C[]) 1) P add, when P dbl, P tpl, P add ae the cost fo point double, point tiple, and point addition espectively. This is diffeence fom the liteatue [1] whee only the Hamming weight is consideed.. ALGORITHM FOR OPTIMAL DOUBLE- BASE CHAINS.1. Algoithm fo Digit Set {0,1} Define the cost to compute using the chain C[] = R, X, Y as P (C[]) = x m 1 P dbl + y m 1 P tpl + (W (C[]) 1) P add, when C[],,, and P (C[]) = 0 othewise. Ou algoithm is to find the double-base chain of, C[] = R, X, Y such that fo all double-base chain of, Ce[] = Re, Xe, Y e, P (Ce[]) P (C[]). To explain the algoithm, we stat with a small example explained in Example 1 and Figue 1. Example 1 Find the optimal chain C[7] given D S = {0, 1}, P tpl = 1.5, P dbl = 1, P add = 1. Assume that we ae given the optimal chain C[] = R[], X[], Y [] ( = 7 ) and C[] = R[], X[], Y [] ( = 7 ). We want to expess 7 in tem of m 1 t=0 t xt yt, when t D S {0} = {1}. As 7 and 7, the smallest tem much be 1 = 0 0. Hence, x 0 = 0 and y 0 = 0. Then, 7 = m 1 t=1 xt yt + 1. By this equation, thee ae only two ways to compute the scala multiplication Q = 7S with Algoithm. The fist way is to compute S, do point double to 6S and point addition to 7S. As we know the the optimal chain fo, the cost using this way is P (C[]) + P dbl + P add. The othe way is to compute S, do point tiple to 6S and point addition to 7S. In this case, the cost is P (C[]) + P tpl + P add. The optimal way is to select one of these two ways. We will show late that P (C[]) = 1.5 and P (C[]) = 1. Then, P (C[]) + P dbl + P add = =.5, P (C[]) + P tpl + P add = =.5. Both of them have the same amount of computation time P (C[7]) =.5, and we can choose any of them. Suppose that we select the fist choice, and C[] = R[], x[] t m t=0, y[] t m t=0. The optimal double-base chain of 7 is C[7] = R, X, Y when R = 1, R[]. X = x 0,..., x m 1, 19

5 whee x 0 = 0 and x t = x[] t fo 1 t m 1. Y = y 0,..., y m 1, whee y 0 = 0 and y t = y[] t 1 fo 1 t m 1. Next, we find C[] that is the optimal doublebase chain of 7 =. Simila to 7S, we can compute S by two ways. The fist way is to tiple the point S. Using this way, we need one point tiple, which costs P tpl = 1.5. The double-base chain in this case will be 1, 0, 1. The othe way is that we double point S to S, then add S with S to get S. The cost is P dbl + P add = =. In this case, the double-base chain is 1, 1, 0, 1, 0, 0. We select the bette double-base chain that is C[] = 1, 0, 1 P (C[]) = 1.5 P (C[]) + P dbl + P add C[7] = 1, 1, 0, 1, 0, 1 P (C[7]) =.5 C[] = 1, 1, 0 P (C[]) = 1 P (C[]) + P tpl + P add Figue 1. We can compute C[7] by two ways. The fist way is to compute C[], and pefom a point double and a point addition. The cost in this way is P (C[])+P dbl +P add. The second way is to compute C[], and pefom a point tiple and a point addition, whee the cost is P (C[]) + P tpl + P add. The amount of computation time in both ways ae simila, and we can choose any of them q 0 q 1 1 C[] = 1, 0, Last, we find C[], the optimal double-base chain of 7 =. The inteesting point to note is that thee ae only one choice to conside in this case. This is because the fact that we cannot ewite by A + B when A Z and B D S if mod. Then, the only choice left is to double the point S, which costs 1, and the doublebase chain is C[] = 1, 1, 0. To conclude, the optimal double-base chain fo 7 in this case is C[7] = 1, 1, 0, 1, 0, 1. In Example 1, we conside the computation as a top-down algoithm. Howeve, bottom-up algoithm is a bette way to implement the idea. We begin the algoithm by computing the doublebase chain of x fo all x, y Z + such that y x + y = q whee q < q+1. Then, we move 0 0 q Figue. Bottom-up algoithm to find the optimal doublebase chain of to compute the double-base chain of x y fo all x, y Z + such that x + y = q 1 by efeing to the double-base chain of x y when x + y = q. We decease the numbe x + y until x + y = 0, and we get the chain of = 0 0. We illustate this idea in Figue and Example. Example Find the optimal double-base chain of 10 when... P add = P dbl = P tpl = 1 given D S = {0, 1}. In this case, the value q is initialized to lg 10 =. 194

6 On the fist step when q, the possible (x, y) ae (, 0), (, 1), (1, ), (0, ), and the double-base chain we find v = x ae y 10 = 1, = = = 0, The optimal expansion of 0 is,,, and the optimal expansion of 1 is 1, 0, 0. We move to the second step when q. The possible (x, y) ae (, 0), (1, 1), (0, ). In this case, we find the optimal double-base chains of 10 =, = = Fom the fist step, C[1] = 1, 0, 0, with P (C[1]) = 0. The only way to compute S is to double the point S. Hence, and C[] = 1, 1, 0, P (C[]) = P (C[1]) + P dbl = = 1. The thid step is when q 1. The possible (x, y) ae (1, 0) and (0, 1), and we find the optimal double-base chains of 10 = 5, =. 0 1 The only way to compute 5S is to double the point S and add the esult with S, i.e. 5S = (S) + S. Then, we edit C[] = 1, 1, 0 to and C[5] = 1, 1, 0,, 0, 0, P (C[5]) = P (C[]) + P dbl + P add = =. On the othe hand, thee ae two choices fo the optimal double-base chain of S, C[]. The fist choice is to tiple S. In this case, the computation cost will be C[1] + P tpl = = 1. The othe choice is to double the point S to S, and add the esult with S. The computation cost in this case is C[1] + P dbl + P add = =. Then, the optimal case is the fist case, and we edit C[1] = 1, 0, 0 to C[] = 1, 0, 1. In the last step, q 10, and (x, y) = (0, 0). The only optimal double-base chain we need to find in this step is ou output, C[10]. Thee ae two ways to compute 10S using doublebase chain. The fist way is to double a point 5S. The computation cost in this case is P (C[5]) + P dbl = + 1 = 4. The othe choice is to tiple the point S to 9S, and add the esult with S. The computation cost in this case is P (C[]) + P tpl = =. Then, the optimal case is the second case, and we edit C[] = 1, 0, 1 to C[10] = 1, 1, 0, 0, 0,. 195

7 Algoithm : The algoithm finding the optimal double-base chain fo single intege fo any D S input : The positive intege, the finite digit set D S, and the cay set G output: The optimal double-base chain of, C[] = R, X, Y 1 q lg while q 0 do foall the x, y Z such that x + y = q do 4 v x y 5 foall the g v G do 6 va v + g v 7 if va = 0 then C[0],, 8 if va D S then C[va] va, 0, 0 9 else C[va] F O(va, C[G + v ], C[G + v ]) 10 end 11 end 1 q q 1 1 end.. Genealized Algoithm fo Any Digit Sets When D S = {0, 1}, we usually have two choices to compute C[]. One is to pefom a point double, and use the subsolution C[ ]. The othe is to pefom a point tiple, and use the subsolution of C[ ]. Howeve, we have moe choices when we deploy lage digit set. Fo example, when D S = {0, ±1} 5 = + 1 = 1 = 1, the numbe of cases incease fom one in the pevious subsection to thee. Also, we need moe optimal subsolution in this case. Even fo point double, we need C[ ] = C[ 5 ] = C[] and C[ + 1] = C[ 5 + 1] = C[]. We call = as standad, and the additional tem g as Algoithm 4: Function F O (efeed in Algoithm ) input : The positive intege, the optimal double-base chain of g + fo g G, the optimal double-base chain of g + fo g G output: The optimal double-base chain of, C[] = R, X, Y 1 c,u, c,u fo all u D S foall the u D S such that u mod do c,u P (C[ u]) + P dbl 4 if u 0 then c,u c,u + P add 5 end 6 c min c,u, u minag c,u, v u 7 foall the u D S such that u mod do 8 c,u P (C[ u]) + P tpl 9 if u 0 then c,u c,u + P add 10 end 11 c min c,u, u minag c,u, v u 1 if c c then 1 Let C[v ] = t m t=0, x t m t=0, y t m t=0 14 if u = 0 then 15 t = t, x t = x t + 1, y t = y t 16 else 17 0 = u, x 0 = 0, y 0 = 0, t = t 1, x t = x t 1 + 1, y t = y t end 0 else 1 Let C[v ] = t m t=0, x t m t=0, y t m t=0 if u = 0 then t = t, x t = x t, y t = y t else 5 0 = u, x 0 = 0, y 0 = 0, t = t 1, x t = x t 1, y t = y t end 8 if u = 0 then C[] t m t=0, x t m t=0, y t m t=0 9 else C[] t m 1 t=0, x t m 1 t=0, y t m 1 t=0 cay. Fo example, cay g = 1 when we com- 196

8 pute C[], and cay g = 0 when we compute C[]. Suppose that we ae now conside a standad with a cay g. Assume that the last two steps to compute ( + g )P ae point double and point addition with u D S. We get a elation + g = U + u, when U can be witten as a summation of a standad and a cay g. Hence, + g = ( + g ) + u, Let C[ + g = g + u, ( mod ) + g = g + u. + g ] = t m t=0, x t m t=0, y t m t=0 be the optimal solution of +g. The optimal solution C,u [ + g ] = t m 1 t=0, x t m 1 t=0, y t m 1 t=0, whee fo 1 t m 1, fo 1 t m 1, fo 1 t m 1. 0 = u, t = t 1 x 0 = 0, x t = x t y 0 = 0, y t = y t 1 If the last two steps to compute ( + g )P ae point tiple and point addition with u D S. We get a elation + g = ( + g ) + u, when u D S. Same as the case fo point double, we get a elation ( mod ) + g = g + u. In this case, the optimal solution C,u [ + g ] = t m 1 t=0, x t m 1 t=0, y t m 1 t=0, whee fo 1 t m 1, fo 1 t m 1, 0 = u, t = t 1 x 0 = 0, x t = x t 1 y 0 = 0, y t = y t fo 1 t m 1 if C[ + g ] = t m t=0, x t m t=0, y t m t=0 be the optimal solution of + g. In ou algoithm, we compute C,u [ + g ], C,u [ +g ] fo all u D S, and the chain with the smallest cost P (C,u [ + g ]), P (C,u [ + g ]) is chosen to be the optimal solution C[ + g ]. Suppose that the input of the algoithm is, and we ae computing C[]. Ou algoithm needs an optimal chain of +g and +g. Then, ou algoithm equies an optimal chain of 4 + g 4, 6 + g 6, and 9 + g to compute 9 C[ + g ] and C[ + g ]. Let the set of 197

9 possible g k be G k, i.e. G = {0} when is an input of the algoithm. Define G = G. x y x,y Z We show in Appendix A that G is a finite set if D S is finite. This infes that it is enough to compute C[ x + g] fo each g G when we conside a y standad x. We illustate the idea in Example y and Figue. Example Compute the optimal double-base chain of 5 when P add = P dbl = P tpl = 1 and D S = {0, ±1}. When D S = {0, ±1}, we can compute the cay set G = {0, 1} using algoithm poposed in Appendix A. We want to compute C[5] = R, X, Y such that i D S and x i, y i Z, x i x i+1, y i y i+1. 5 can be ewitten as follows: 5 = +1 = (+1) 1 = (1+1) 1. We need C[] ( 5 =, g = 0 o 5 = 1, g 1 = 1) and C[] ( 5 =, g = 1). It is easy to see that the optimal chain C[] = 1, 1, 0 and C[] = 1, 0, 1. P (C[]) = P (C[]) = 1. We choose the best choice among 5 = +1, 5 = 1, 5 = 1. By the fist choice, we get the chain C,1 [5] = 1, 1, 0, 0, 0,. The second choice and the thid choice is C, 1 [5] = C, 1 [5] = 1, 1, 0, 1, 0, 1. We get P (C,1 [5]) = P (C, 1 [5]) = P (C, 1 [5]) =, and all of them can be the optimal chain. Using the idea explained in this subsection, we popose Algoithms,4. 4. EXPERIMENTAL RESULTS To evaluate ou algoithm, we show some expeimental esults in this section. We pefom the expeiment on each implementation envionment such as the scala multiplication defined on the binay field (F q) and the scala multiplication defined on the pime field (F p ). In this section, we will conside the computation time of point addition, point double, and point tiple defined in Section 1 as the numbe of the opeations in lowe laye, field invesion ([i]), field squaing ([s]), and field multiplication ([m]), i.e. we show the aveage computation time of scala multiplication in tems of α[i] + β[s] + ξ[m]. Then, we appoximate the computation time of field squaing [s] and field invesion [i] in tems of multiplicative factos of field multiplication [m], and compae ou algoithm with existing algoithms Scala Multiplication on Binay Field In the binay field, the field squaing is vey fast, i.e. [s] 0. Nomally, Basically, [i]/[m] 10. P dbl = P add = [i] + [s] + [m], and thee ae many eseaches woking on optimizing moe complicated opeation such as point tiple and point quaduple [14] [15]. Moeove, when point addition is chosen to pefom just afte the point double, we can use some intemediate esults of point double to educe the computation time of point addition. Then, it is moe effective to conside point double and point addition togethe as one basic opeation. We call the opeation as point double-and-add, with the computation time P dbl+add < P dbl + P add. 198

10 C[] = 1, 1, 0, P (C[]) = 1 C[] = 1, 0, 1, P (C[]) = 1 C[] = 1, 1, 0 P (C[]) = 1 P (C[]) + P tpl + P add P (C[]) + P dbl + P add P (C[]) + P dbl + P add C[5] = 1, 1, 0, 0, 0, o C[5] = 1, 1, 0, 1, 0, 1 P (C[5]) = Figue. Given D S = {0, ±1}, we can compute C[5] by thee ways. The fist way is to compute C[], and pefom a point double and a point addition. The second is to compute C[], pefom a point double, and a point substitution (addition with S). The thid is to compute C[], pefom a point tiple, and a point substitution. All methods consume the same cost. The simila thing also happens when we pefom point addition afte point tiple, and we also define point tiple-and-add as anothe basic opeation, with the computation time P tpl+add < P tpl + P add. With some small impovements of Algoithms,4, we can also popose the algoithm which output the optimal chains unde the existence of P dbl+add and P tpl+add. To pefom expeiments, we use the same paametes as [7] fo P dbl, P tpl, P add, P dbl+add, and P tpl+add (these paametes ae shown in Appendix B). We set D S = {0, ±1}, and andomly select 10, 000 positive integes which ae less than 16, and find the aveage computation cost compaing between the optimal chain poposed in this pape and the geedy algoithm pesented in [7]. The esults ae shown in Table 1. Ou esult is 4.06% bette than [7] when [i]/[m] = 4, and 4.77% bette than [7] when [i]/[m] = 8. We note that the time complexity of Binay and NAF itself is O(n), while the time complexity of Tenay/Binay, DBC(Geedy), and Optimized DBC is O(n ). 4.. Scala Multiplication on Pime Field When we compute the scala multiplication on pime field, field invesion is a vey expensive task as [i]/[m] is usually moe than 0. To cope with that, we compute scala multiplication in the coodinate in which optimize the numbe of field invesion we need to pefom such as inveted Edwad coodinate with a cuve in Edwads fom [11]. Up to this state, it is the fastest way to implement scala multiplication. In ou expeiment, we use the computation cost P dbl, P tpl, P add as in [6], and set D S = 0, ±1. We pefom five expeiments, fo the positive intege less than 19, 56, 0, and 84. In each expeiment, we andomly select 10, 000 integes, and find the aveage computation cost in tems of [m]. We show that esults in Table. Ou esults impove the tee-based appoach poposed by Doche and Habsiege by.95%,.88%,.90%,.90%,.90% when bit numbes ae 19, 56, 0, 84 espectively. We also evaluate the aveage unning time of ou algoithm itself in this expeiment. Shown in Table, we compae the aveage computation of ou method with the existing geedy-type algoithm using Java in Windows Vista, AMD Athlon(tm) 64X Dual Coe Pocesso GHz. The most notable esult in the table is the esult fo 448-bit inputs. In this case, the aveage unning time of ou algoithm is 0ms, while the existing algoithm [7] takes 9ms. We note that the diffeence between two aveage unning time is negligible, as the aveage computation time of scala multiplication in Java is shown to be between ms [1]. We also compae ou esults with the othe digit 199

11 Table 1. Compaing the computation cost fo scala point multiplication using double-base chains when the elliptic cuve is implemented in the binay field Method [i]/[m] = 4 [i]/[m] = 8 Binay 167[m] 441[m] NAF [1] 1465[m] 5[m] Tenay/Binay [5] 146[m] 168[m] DBC (Geedy) [7] 147[m] 19[m] Optimized DBC (Ou Result) 169[m] 07[m] Table. Compaing the computation cost fo scala point multiplication using double-base chains when the elliptic cuve is implemented in the pime field Method 19 bits 56 bits 0 bits 84 bits NAF [1] [m] 4.5[m] 09.[m] 65.[m] Tenay/Binay [5] 1761.[m] 5.6[m] 944.9[m] 57.[m] DB-Chain (Geedy) [7] 175.5[m] 0.0[m] 879.1[m] 455.[m] Tee-Based Appoach [9] 1691.[m] 55.8[m] 81.0[m] 86.0[m] Ou Result 164.5[m] 168.[m] 710.9[m] 54.1[m] Table. The aveage unning time of ou algoithm compaed with the existing algoithm [7] when D S = {0, ±1} Input Size [7] Ou Results 19 Bits 4ms 7ms 56 Bits 6ms 1ms 0 Bits 0ms 1ms 84 Bits 9ms 0ms sets. In this case, we compae ou esults with the wok by Benstein et al. [8]. In the pape, they use the diffeent way to measue the computation cost of scla multiplication. In addition to the cost of computing S, they also conside the cost fo pecomputations. Fo example, the cost to compute ±S, ±5S,..., ±17S is also included in the computation cost of any P computed using D S = {0, ±1, ±,..., ±17}. We pefom the expeiment on eight diffeent cuves and coodinates. In each cuve, the computation cost fo point double, point addition, and point tiple ae diffeent, and we use the same paametes as defined in [8]. We use D S = {0, ±1, ±,..., ±(h + 1)} when we optimize 0 h 0 that give us the minimal aveage computation cost. Although, the computation cost of the scala multiplication tends to be lowe if we use lage digit set, the highe pecompuation cost makes optimal h lied between 6 to 8 in most of cases. Recently, Meloni and Hasan [6] poposed a new paadigm to compute scala multiplication using double-base numbe system. Instead of using double-base chain, they cope with the difficulties computing the numbe system intoducing Yao s algoithm. Thei esults significantly impoves the esult using the double-base chain using geedy algoithm, especially the cuve whee point tiple is expensive. In Tables 4-5, we compae the esults in [8] and [6] with ou algoithm. Again, we andomly choose 10, 000 positive integes less than 160 in Table 4, and less than 56 in Table 5. We significantly impove the esults of [8]. On the othe hand, ou esults do not impove the esult of [6] 00

12 Table 4. Compaing the computation cost fo scala point muliplication using double-base chains in lage digit set when the elliptic cuve is implemented in the pime field, and the bit numbe is 160. The esults in this table ae diffeent fom the othes. Each numbe is the cost fo computing a scala multiplication with the pecomputation time. In each case, we find the digit set D S that makes the numbe minimal. Method DIK Edwads ExtJQuatic Hessian DBC + Geedy Alg. [8] 150.4[m] 1.9[m] 111.0[m] [m] DBNS + Yao s Alg. [6] 1477.[m] 18.[m] 16.0[m] [m] Ou Algoithm 148.7[m] 184.[m] 176.5[m] [m] Method InvEdwads JacIntesect Jacobian Jacobian- DBC + Geedy Alg. [8] 190.[m] 148.8[m] [m] 1504.[m] DBNS + Yao s Alg. [6] 158.6[m] 101.[m] 154.9[m] 1475.[m] Ou Algoithm 157.5[m] 176.0[m] [m] [m] Table 5. Compaing the computation cost fo scala point muliplication using double-base chains in lage digit set when the elliptic cuve is implemented in the pime field, and the bit numbe is 56. The esults in this table ae diffeent fom the othes. Each numbe is the cost fo computing a scala multiplication with the pecomputation time. In each case, we find the digit set D S that makes the numbe minimal. Method DIK Edwads ExtJQuatic Hessian DBC + Geedy Alg. [8] 9.[m] 089.7[m] 071.[m] 470.6[m] DBNS + Yao s Alg. [6] 19.[m] 09.8[m] [m] 74.0[m] Ou Algoithm 87.4[m] 01.[m] 019.4[m] 407.4[m] Method InvEdwads JacIntesect Jacobian Jacobian- DBC + Geedy Alg. [8] 041.[m] 66.1[m] 466.[m] 79.0[m] DBNS + Yao s Alg. [6] 199.[m] 050.0[m] 416.[m] 16.[m] Ou Algoithm [m] 17.5[m] 41.[m] 19.9[m] in many cases such as Hessian cuves. These cases ae the case when point tiple is a costly opeation, and we need only few point tiples in the optimal chain. In this case, Yao s algoithm woks effciently. Howeve, ou algoithm woks bette in the case whee point tiple is fast compaed to point addition such as DIK and Jacobian-. Ou algoithm woks bette in the inveted Edwad coodinate, which is commonly used as a benchmak to compae scala multiplication algoithms. 5. CONCLUSION In this wok, we use the dynamic pogamming algoithm to pesent the optimal double-base chain. The chain guaantees the optimal computation cost on the scala multiplication. The time complexity of the algoithm is O(lg ) simila to the geedy algoithm. The expeimental esults show that the optimal chains significatly impove the efficiency of scala multiplication fom the geedy algoithm. As futue woks, we want to analyze the minimal aveage numbe of tems equied fo each in- 01

13 tege in double-base chain. In double-base numbe system, it is poved that the aveage numbe of tems equied to define intege, when 0 < q is o(q) [5]. Howeve, it is poved that the aveage numbe of tems in the double-base chains povided by geedy algoithm is in Θ(q). Then, it is inteesting to pove if the minimal aveage numbe of tems in the chain is o(q). The esult might intoduce us to a sublinea time algoithm fo scala multiplication. Anothe futue wok is to apply the dynamic pogamming algoithm to DBNS. As the intoduction of Yao s algoithm with a geedy algoithm makes scala multiplication significantly faste, we expect futhe impovement using the algoithm which outputs the optimal double-base numbe system. Howeve, we ecently found many clues suggesting that the poblem might be NP-had. Refeences [1] O. Egecioglu and C. K. Koc, Exponentiation using canonical ecoding, Theoetical Compute Science, vol. 8, no. 1, pp. 19 8, [] J. A. Mui and D. R. Stinson, New minimal weight epesentation fo left-to-ight window methods, Depatment of Combinatoics and Optimization, School of Compute Science, Univesity of Wateloo, 004. [] T. Takagi, D. Reis, S. M. Yen, and B. C. Wu, Radix- non-adjacent fom and its application to paiing-based cyptosystem, IEICE Tans. Fundamentals, vol. E89- A, pp , Januay 006. [4] V. Dimitov and T. V. Cooklev, Two algoithms fo modula exponentiation based on nonstandad aithmetics, IEICE Tans. Fundamentals, vol. E78-A, pp. 8 87, Januay special issue on cyptogaphy and infomation secuity. [5] V. S. Dimitov, G. A. Jullien, and W. C. Mille, An algoithm fo modula exponentiations, Infomation Pocessing Lettes, vol. 66, pp , [6] N. Meloni and M. A. Hasan, Elliptic cuve scala multiplication combining yao s algoithm and double bases, in CHES 009, pp , 009. [7] V. Dimitov, L. Imbet, and P. K. Misha, The doublebase numbe system and its application to elliptic cuve cyptogaphy, Mathematics of Computation, vol. 77, pp , 008. [8] D. J. Benstein, P. Bikne, T. Lange, and C. Petes, Optimizing double-base elliptic-cuve single-scala multiplication, in In Pogess in Cyptology - IN- DOCRYPT 007, vol of Lectue Notes in Compute Science, pp , Spinge, 007. [9] C. Doche and L. Habsiege, A tee-based appoach fo computing double-base chains, in ACISP 008, pp , 008. [10] Same Authos as This Pape, Fast elliptic cuve cyptogaphy using minimal weight convesion of d integes, in Poceedings of AISC 01 (J. Piepzyk and C. Thomboson, eds.), vol. 15 of CRPIT, pp. 15 6, ACS, Januay 01. [11] D. Benstein and T. Lange, Explicit-fomulas database ( [1] J. Gobschadl and D. Page, E?cient java implementation of elliptic cuve cyptogaphy fo jme-enabled mobile devices, cyptology epint Achive, vol. 71, 011. [1] L. Imbet and F. Philippe, How to compute shotest double-base chains?, in ANTS IX, July 010. [14] M. Ciet, M. Joye, K. Laute, and P. L. Montgomey, Tading invesions fo multiplications in elliptic cuve cyptogaphy, Designs, Codes and Cyptogaphy, vol. 9, no. 6, pp , 006. [15] K. Eisentage, K. Laute, and P. L. Montgomey, Fast elliptic cuve aithmetic and impoved Weil paiing evaluation, in Topics in Cyptology - CT-RSA 00, vol. 61 of Lectue Notes in Compute Science, pp. 4 54, Spinge, 00. [16] P. Longa and C. Gebotys, Fast multibase methods and othe seveal optimizations fo elliptic cuve scala multiplication, Poc. of PKC 009, pp , 009. A. THE CARRY SET As discussed in Section, C S depends on the digit set D S. If D S = {0, 1}, we need only the solution of 1 1 S S d d S d, S d. Howeve, if the digit set is not {0, 1}, we will also need othe sub-solutions. Shown in Example 1, we need ( + c 1 )S ( 1 d + c )S d, 0

14 Algoithm 5: Find the cay set of the given digit set input : the digit set D S output: the cay set C S 1 Ct {0}, C S while Ct do Pick x Ct 4 Ct Ct ({ x+d Z d D S } C S {x}) 5 Ct Ct ({ x+d+1 Z d D S } C S {x}) 6 Ct Ct ({ x+d Z d D S } C S {x}) 7 Ct Ct ({ x+d+1 8 C S C S {x} 9 Ct Ct {x} 10 end Z d D S } C S {x}) 1 d ( + c )S ( + c 4 )S d, when c 1, c, c, c 4 {0, 1} = C S,1. Actually, the set C S,1 = C BS,1 C T S,1 when C BS,1 = C T S,1 = l {0,1} l {0,1,} { l d d D S d l mod }, { l d d D S d l mod } Howeve, the cay set C S,1 defined above is not enough. When, we find the solutions fo each ( 1 + c1 )S ( d + c )S d and ( 1 + c )S ( d + c4 )S d, we will need 1 d ( + c 5 )S ( + c 6 )S d, d ( + c 7 )S ( + c 8 )S d, d ( + c 9 )S ( + c 10 )S d, 9 9 when c 5, c 6, c 7, c 8, c 9, c 10 C S, = C BS, C T S, if C BS, = { l + c d d l mod }, C T S, = l {0,1} l {0,1,} { l + c d d l mod }, when c C S,1 d D S. Then, we get C S,n+1 = C BS,n+1 C T S,n+1 if C BS,n+1 = { l + c d d l mod }, C T S,n+1 = l {0,1} l {0,1,} when c C S,n d D S. We define C S as C S = C S,. { l + c d d l mod }, t=1 We popose an algoithm to find C S in Algoithm 5 based on beadth-fist seach scheme. Also, we pove that C S is finite set fo all finite digit set D S in Lemma A.1. Lemma A.1 Given the finite digit set D S, Algoithm 5 always teminates. And, C S max D S min D S +, when C S is the output cay set. Poof Since C S = l {0,1} l {0,1,} { l + c d c + d l mod } { l + c d c + d l mod }, 0

15 Table 6. P dbl, P tpl, P add, P dbl+add, P tpl+add used in the expeiment on Subsection 4.1 Opeation [i]/[m] = 4 [i]/[m] = 8 P dbl [i] + [s] + [m] [i] + [s] + [m] P add [i] + [s] + [m] [i] + [s] + [m] P tpl [i] + [s] + [m] [i] + 4[s] + 7[m] P dbl+add [i] + [s] + [m] [i] + [s] + 9[m] P tpl+add [i] + [s] + 4[m] [i] + [s] + 9[m] Table 7. P dbl, P tpl, P add used in the expeiment on Subsection 4. Cuve Shape P dbl P tpl P add DIK [m] + 7[s] 6[m] + 6[s] 11[m] + 6[s] Edwads [m] + 4[s] 9[m] + 4[s] 10[m] + 1[s] ExtJQuatic [m] + 5[s] 8[m] + 4[s] 7[m] + 4[s] Hessian [m] + 6[s] 8[m] + 6[s] 6[m] + 6[s] InvEdwads [m] + 4[s] 9[m] + 4[s] 9[m] + 1[s] JacIntesect [m] + 5[s] 6[m] + 10[s] 11[m] + 1[s] Jacobian 1[m] + 8[s] 5[m] + 10[s] 10[m] + 4[s] Jacobian- [m] + 5[s] 7[m] + 7[s] 10[m] + 4[s] whee d D S, c C S. Then, Also, min C S min C S max D S. min C S max D S. max C S min D S + 1. We conclude that if D S is finite, C S is also finite. And, Algoithm 5 always teminates. C S max D S min D S +. B. P dbl, P tpl, P add USED IN OUR EXPERI- MENTS Fo scala multiplication on binay field (Subsection 4.1), we use the same paamete as [7] shown in Table 6. Shown in Table 7, the esults in Subsection 4. ae based on P dbl, P tpl, P add in [6]. In this state, many woks have futhe impoved the cost, but we use these cost to make the compaisons between ou esults and existing woks can be done easily and pecisely. Recently, thee is a wok by Longa and Gebotys [16] on seveal impovements fo double-base chains. The value P dbl, P tpl, P add they used ae smalle than those given in Tables 6 and 7. Afte implementing thei paametes on the numbe with 160 bits, we show the esults in Table 8. We can educe thei computation times by 1.0%, 0.40%, and 0.71% in inveted Edwads coodinates, Jacobian-, and ExtJQuatic espectively. In this state, we ae finding the expeimental esult of othe geedy algoithms unde these P dbl, P tpl, P add value. Table 8. Compaing ou esults with [16] when the bit numbe is 160. Cuve Shape [16] Ou Results InvEdwads 151[m] 17[m] Jacobian- 1460[m] 1454[m] ExtJQuatic 168[m] 159[m] 04