Speeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map

Transcription

1 International Journal of Algebra, Vol. 8, 2014, no. 1, 9-16 HIKARI Ltd, Speeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow Ecole Doctorale de Mathématiques et Informatique Laboratoire d Algèbre, de Cryptologie, de Géométrie Algèbrique et Applications Université Cheikh Anta Diop de Dakar, BP 5005 Dakar Fann, Sénégal Copyright c 2014 Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Abstract This paper introduces the scalar multiplication on Huff elliptic curves defined over a finite field of even characteristic using the Frobenius expansion. Introduction The use of elliptic curve in cryptography was suggested independently by Neal Koblitz [5] and Victor Miller [7] in The efficiency of elliptic curve cryptosystems relies essentially on the fundamental operation of the scalar multiplication, ie. for a given point P on an elliptic curve E and an integer n, compute the point Q = np = P + P P, (n copies of P ), where the operation + represent the group law on the curve. From here, two approaches are possible to solve this problem: find a good algorithm to efficiently compute np, or find families of curves where the group law can be evaluated efficiently. Among the techniques for computing np, the most common is the doubleand-add method (or binary method) where the scalar n is represented in its binary form. There exist also efficient algorithms such as the non-adjacent form (NAF )technique and all its variants (w-naf for example) introduced independently by Miyaji et al. [8] and Solinas [12]. Many other methods were introduced in [1, 9, 10].

2 10 Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow Some arithmetic properties of certain families of elliptic curves can be exploited to devise fast group law, namely Koblitz elliptic curves over a finite field of characteristic two [6]. This curves were named anomalous binary curves by Solinas [11, 12]. The main interest of using this kind of curve is the fact that the scalar multiplication can be evaluated more efficiently by mean of the Frobenius endomorphism. In fact, the computing the Frobenius endomorphism on the curve is faster than the addition or the doubling on the curve [12]. Another approach for accelerating the scalar multiplication consist in finding families of curves where the group law can be evaluated efficiently. Among these curves we can cite Edwards curves [2], Hessian curves [4], Huff curves [3], etc. all in characteristic two. Binary Huff curves were introduced in [3] by Devigne and Joye. In [Huff], the authors show that every elliptic curve over a field F 2 m is isomorphic over F 2 m to an Huff curve. They also give fast addition and doubling formulæ on these curves: 12M for the cost of the addition of two points and 6M + 2D for doubling of a point. In this paper, we introduce the Frobenius endomorphism of a binary Huff curve and we show how to use it to accelerate the scalar multiplication on this curve. The rest of the paper is organized as follows: in the next section we recall some basic notions about the Frobenius endomorphism on elliptic curves and Huff curves. In section 2, we give the main result, ie the main theorem of the Frobenius endomorphism on Huff curves. We finish in section 3 by giving an application of the Frobenius endomorphism to speed up the scalar multiplication 1 Preliminaries 1.1 Frobenius endomorphism on Koblitz elliptic curves Let F q be a finite field of even characteristic(char(f q ) = 2, q = 2 m ). A Koblitz curve E over F q is given by a Weierstrass equation y 2 + xy = x 3 + ax + 1, with a, b F q and a {0, 1} and the point at infinity P. The q th -power Frobenius π q of E is defined as π q : E E (x, y) (x q, y q ).

3 Speeding up the scalar multiplication 11 Let N = #E(F q ), then by the Hasse theorem we have N = q + 1 t, with t 2 q is the trace of π q. The characteristic polynomial χ q (x) Z[x] of π q is given by and satisfies the equality χ q (x) = x 2 tx + q (π 2 q tπ q + q)p = P, for all P E(F q ), where F q is the algebraic closure of F q. 1.2 Huff curves in characteristic two Definition 1.1. A binary Huff curve is a set of projective points (X : Y : Z) P 2 (F 2 m) satisfying the equation E/F 2 m : ax(y 2 + Y Z + Z 2 ) = by (X 2 + XZ + Z 2 ), (1) where a, b F 2m and a b. On this curve there is three points at infinity satisfying the equation of the curve, namely (a : b : 0), (1 : 0 : 0) and (0 : 1 : 0). The corresponding affine model of Equation 1 is given by ax(y 2 + y + 1) = by(x 2 + x + 1). In [3], the authors show that every binary Huff curve is birationally equivalent to an elliptic curve given by a Weierstrass equation v(v + (a + b)u) = u(u + a 2 )(u + b 2 ). The set of rational points of E/F 2 m is equiped with the following group law: If P = (x, y) E(F 2 m) then P = ( x, ȳ), where 2P = (x 3, y 3 ), where x = y 1(b + ax 1 y 1 ) a + bx 1 y 1 and ȳ = x 1(a + bx 1 y 1 ) b + ax 1 y 1. x 3 = (a + b)x2 1(1 + y 2 1) b(1 + x 2 1)(1 + x 1 y 1 ) 2 and x 3 = (a + b)y2 1(1 + x 2 1) a(1 + y 2 1)(1 + x 1 y 1 ) 2

4 12 Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow If P = (x 1, y 1 ) and Q = (x 2, y 2 ), then P + Q = (x 3, y 3 ) where x 3 = (x 1y 1 + x 2 y 2 )(1 + y 1 y 2 ) (y 1 + y 2 )(1 + x 1 x 2 y 1 y 2 ) and y 3 = (x 1y 1 + x 2 y 2 )(1 + x 1 x 2 ) (x 1 + x 2 )(1 + x 1 x 2 y 1 y 2 ). The authors present also unified addition formulæ, ie which can be used for doubling and addition. If P + Q = (x 3, y 3 ), then x 3 = b(x 1 + x 2 )(1 + x 1 x 2 y 1 y 2 ) + (a + b)x 1 x 2 (1 + y 1 y 2 ) b(1 + x 1 x 2 )(1 + x 1 x 2 y 1 y 2 ) y 3 = a(y (2) 1 + y 2 )(1 + x 1 x 2 y 1 y 2 ) + (a + b)y 1 y 2 (1 + x 1 x 2 ) a(1 + y 1 y 2 )(1 + x 1 x 2 y 1 y 2 ) They show also if G E(F 2 m) is a subgroup such that (a : b : 0), (1 : 0 : 0) and (0 : 1 : 0) / G, then the addition formulæ given by Equation 2 is complete. 2 Frobenius map on binary Huff curves Let F q be a finite field of characteristic two, ie q = 2 m and let E a,b be a Huff elliptic curve over F q. We define the q th -power Frobenius endomorphism φ q : E a,b E a,b (x, y) (x q, y q ). We introduce the following useful lemmas to demonstrate the main of this work. Lemme 2.1 ([3]). Let K be a finite field of characteristic 2. Then, every binary Huff curve E a,b is birationally equivalent over K to an elliptic curve E given by the Weierstrass equation Proof : See [3] Let σ be the isomorphism v(v + (a + b)u) = u(u + a 2 )(u + b 2 ). σ : E a,b E (x, y) (u, v), where (u, v) = ab ab(axy + b),. xy x 2 y

5 Speeding up the scalar multiplication 13 The inverse map is given by where σ 1 : E E a,b (u, v) (x, y), b(u + a 2 ) a(u + b 2 ) (x, y) =,. v v + (a + b)u Lemme 2.2. Let E a,b be a binary Huff curve over F q (q = 2 m ) and E be the birational equivalent curve of E a,b over F q. Let #E(F q ) = q + 1 t and let σ be the birational map defined above. Let π q be the q th power Frobenius endomorphism over E. Define ψ = σ 1 π q σ. Then, 1. ψ End(E a,b ), ie. ψ is an endomorphism of E a,b. 2. For all P E a,b (F q ) we have ψ 2 (P ) tψ(p ) + qp = O Ea,b Proof : ψ is an isogeny from E a,b to itself since σ is an isomorphism and π q is an isogeny from E to itself over F q. For P E a,b (F q ), let s denote σ(p ) = Q E(F q ). Then, (πq 2 tπ q + q)q = O E. Hence, Therefore We have the main theorem σ 1 (π 2 q tπ q + q)σ(p ) = O Ea,b. ψ 2 (P ) tψ(p ) + qp = O Ea,b. Theorem 2.3. Let E a,b be a binary Huff curve over F q, with #E a,b (F q ) = q + 1 t. Then, the Frobenius endomorphism of E a,b satisfies for all P E a,b (F q ) Proof of the theorem Let P = (x, y) E a,b (F q ). Then, (φ 2 q tφ q + q)p = P, ψ(x, y) = σ 1 π q σ(x, y) ab = σ 1 ab(axy + b) π q, xy x 2 y (ab) = σ 1 q (ab(axy + b))q, (xy) q (x 2 y) q = (α, β) = (x q, y q )

6 14 Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow In fact, Then, α = b (ab) q + a 2 (xy) q (ab) q ((axy) q +b q ) x q (xy q ) = b((ab)q + a 2 (xy) q )x q (ab) q ((axy) q + b q ). α x q = xq (b((ab) q + a 2 (xy) q )) x q (ab) q ((axy) q + b q ) (ab) q ((axy) q + b q ) = xq (b((ab) q + a 2 (xy) q ) b q ((ab) q ) (ab) q (axy) q ) (ab) q ((axy) q + b q ) = xq ((ab) q (b b q ) + (a 2 b a 2q b q )(xy) q ) (ab) q ((axy) q + b q ) = 0 since b b q = and a 2 b a 2q b q = 0. Therefore, α = x q. By a similar computation, we have β = y q. Thus, which ends the proof. ψ(x, y) = (x q, y q ) = φ(x, y), 3 Applications to scalar multiplication 3.1 The τ-adic method Recall that the characteristic equation of the Frobenius endomorphism satisfies ϕ 2 + ϕ + 2 = 0. From this equation, it is clear that every integer k can be written in the form s 1 k = k i ϕ i, with k i { 1, 0, 1}. i=0 This representation is called τ-adic representation of the integer k. Therefore, the point kp can be computed as s 1 kp = k i ϕ i (P ). i=0

7 Speeding up the scalar multiplication 15 Algorithm 1 τ-adic method Require: a point P and the τ-adic representation (k s 1,..., k 0 ) of k 1: Q P 2: for (i = s 2; i 0; i ) do 3: if (k i = 0) then 4: Q ϕ(q)) 5: end if 6: if (k i = 1) then 7: Q ϕ(q) + P 8: end if 9: if (k i = 1) then 10: Q ϕ(q) P 11: end if 12: end for 13: return Q Example. A τ-adic expansion of 3 is 3 = = 1 + ( ϕ ϕ 2 ). For k = 5, we have 5 = = 1 + ( ϕ ϕ 2 ) 2 = 1 + ϕ 2 + 2ϕ 3 + ϕ 4 = 1 + ϕ 2 + ( ϕ ϕ 2 )ϕ 3 + ϕ 4 = 1 + ϕ 2 ϕ 5 Hence, 5P = P + ϕ 2 (P ) ϕ 5 (P ). The above algorithm, Algorithm 1 gives a nice way to compute the point kp with a τ-adic expansion of the integer k. References [1] R. Avanzi. A Note on the Signed Sliding Window Integer Recoding and a Left-to-Right Analogue. Proceedings of Selected Areas in Cryptography 2004, Waterloo, ON, Canada, 9-10 August 2004, Lecture Notes in Comput. Sci., Springer-Verlag, Berlin, [2] Bernstein, D.J., Lange, T., Farashahi, R.R. Binary Edwards curves. In Oswald, E., Rohatgi, P. (eds.) Cryptographic Hardware and Embedded Systems.. CHES Lecture Notes in Computer Science, vol. 5154, pp Springer (2008)

8 16 Ahmed Youssef Ould Cheikh, Demba Sow and Djiby Sow [3] J. Devigne, M. Joye. Binary Huff Curves. In A. Kiayias, Ed., Topics in Cryptology, CT-RSA 2011, vol of Lecture Notes in Computer Science, pp , Springer, [4] Farashahi, R.R., Joye, M. Efficient arithmetic on hessian curves. In Nguyen, P.Q., Pointcheval, D. (eds.), PKC LNCS, vol Springer, Heidelberg (2010), pp [5] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48: , [6] N. Koblitz. CM-curves with good cryptographic properties. Advances in cryptology CRYPTO 91 (Santa Barbara, CA, 1991), Lecture Notes in Comput. Sci., vol. 576, Springer, Berlin, 1992, pp [7] V. S. Miller. Use of elliptic curves in cryptography. In H. C. Williams, editor, Advances in Cryptology - CRYPTO 85, volume 218 of Lect. Notes Comput. Sci., pages Springer, [8] A. Miyaji, T. Ono, and H. Cohen. Efficient elliptic curve exponentiation. Information and communications security. 1st international conference, ICICS 97, Beijing, China, November 11-14, Proceedings (Y. et al. Han, ed.), LNCS, vol. 1334, Springer-Verlag, 1997, pp [9] J. A. Muir and D. R. Stinson. Minimality and other properties of the width-w nonadjacent form. Tech. Report CORR , Centre for Applied Cryptographic Research, 2004, available at [10] J. A. Muir and D. R. Stinson. New minimal weight representations for left-to-right window methods. Tech. Report CACR , Centre for Applied Cryptographic Research, 2004, available at [11] J. A. Solinas. An improved algorithm for arithmetic on a family of elliptic curves. Advances in Cryptology - CRYPTO th annual international cryptology conference. Santa Barbara, CA, USA. August 17-21, Proceedings (B. S. jun. Kaliski, ed.), LNCS, vol. 1294, Springer, Berlin, 1997, pp [12] J. A. Solinas. Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19 (2000), no. 2-3, , Towards a quarter-century of public key cryptography. Received: November 11, 2013