Embed Size (px)
DESCRIPTION
Security of Using Special Integers in Elliptic Scalar Multiplication. Mun-Kyu Lee o Jin Wook Kim Kunsoo Park School of CSE, Seoul National University. 1. Preliminaries. Elliptic Curve. A curve of the form y 2 + xy = x 3 + ax 2 + b or y 2 = x 3 + ax + b - PowerPoint PPT Presentation
Citation preview
Security of Using Special Integers in Elliptic Scalar Multiplication
Mun-Kyu Leeo Jin Wook Kim Kunsoo Park
School of CSE, Seoul National University
1. Preliminaries
3/33
Elliptic Curve
A curve of the formy2 + xy = x3 + ax2 + b ory2 = x3 + ax + b
There are many cryptosystems that use elliptic curve operations.
4/33
Elliptic Curve Operations [1]
Point Addition: R = P +Q– First, draw the
line through P and Q.– Then this line intersects
the elliptic curvein a third point.
– Define R = P +Q(the sum of P and Q)as the reflection ofthis point in the x-axis.
5/33
Elliptic Curve Operations [2]
Point Doubling: R = 2P– First, draw the tangent line
to the curve at P.– Then this line intersects
the curve ina second point.
– Define R = 2P (the double of P)as the reflection ofthis point in the x-axis.
6/33
Elliptic Curve Operations [3]
Scalar Multiplication kP– For a nonnegative integer k and a point P,
scalar multiplication kP is defined as• 0P = O, for k = 0,
where O is the “point at infinity”which is the additive identity element.
• kP = (k-1)P + P for k > 0.
7/33
ECDLP
Elliptic Curve Discrete Log Problem – Given two points P and Q on an elliptic curve,– ECDLP is to find k such that kP = Q
8/33
Scalar Mult. vs. ECDLP
Scalar Multiplicationk, P Q = kP
Efficient
ECDLPP, Q k s.t. Q = kP
- Computationally infeasible- Hence, security of elliptic curve based cryptosystems is based on this problem.
9/33
The purpose of this paper
is to develop a technique to find harder instances of ECDLP,while keeping the efficiency of a scalar multiplication as the same level.
2. Previous Results:Efficient Scalar Mult. Algos.
11/33
[1] Binary Method
To compute Q = kP,– represent k as a binary form.– scan each bit of k from left to right.– if the bit is 1, do a doubling and an addition.
if the bit is 0, do a doubling only. Example: 61P = (1, 1, 1, 1, 0, 1)(2)P
PDBL
2P
1
ADD P
3P
1
6P
1
DBL
ADD P
7P
14PDBL
ADD P
15P
01 1
30PDBL
DBL
60P
ADD P
Q = 61P
101
11
110
111
1110
1111
11110 111100
111101
12/33
[1] Binary Method
Complexity– log k doublings and– HW(k)-1 additions,
where HW(k) is the Hamming weight of k,i.e., the number of 1’s in the binary representation of k.
13/33
[2] Signed Binary Method
[Morain, Olivos 90] Use the following facts.
– For a point P on an elliptic curve, computation of an additive inverse –P is almost free.
• For example,on y2 = x3 + ax + b,–P is the reflection of Pin the x-axis.
– Hence, a subtraction P - Q has the same complexity as that of an addition P +Q.
P = (x, y)
-P = (x, -y)
14/33
[2] Signed Binary Method
To compute Q = kP,– convert k to a signed binary representation k’ with smaller
number of nonzero digits than k.– if a digit is 1, do a doubling and an addition.
if a digit is –1, do a doubling and a subtraction.if a digit is 0, do a doubling only.
Example: 61P = (26 - 22 +1)P = (1, 0, 0, 0,-1, 0, 1)P
PDBL
2P
01
4P
0
8P
-10 1101 100 1000
0DBL DBL DBL
16P10000
SUB
15P10001
DBL
30P100010
60P1000100DBL
ADD
Q = 61P1000101
15/33
[2] Signed Binary Method
Complexity– log k doublings and– SHW(k)-1 additions/subtractions,
where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.
16/33
[3] AMV method
In many elliptic curve based systems, we compute kP for a randomly chosen k.
[Agnew, Mullin, Vanstone 93]– Choose special k’s that have small HW(k) to reduce the
number of additions.– Specifically, generate random k’s of length m in a
binary form s.t. HW(k) = w for a fixed small w.– One can control the Hamming weight, and thus the
number of additions.
17/33
[3] AMV method
Example: m = 8, w = 30. Initially, there are 8 empty bits.
1. Choose 3 random positions for ‘1’.
2. Set them as ‘1’ and others as ‘0’.
For kP, we need 7 doublings and 2 additions.k = (1, 0, 1, 0, 0, 0, 0, 1)
3. Proposed Method
19/33
Our Method
Use special k’s– Generate random k’s that have small SHW(k).– Specifically, generate random k’s of length m in a signed
binary form s.t. SHW(k) = w for a fixed small w. More secure than the AMV selection method, i.e.,
random selection of k’s with HW(k)=w.– (Recall that an ECDLP is to find k such that kP = Q.)– The number of possible k’s in our method is much
larger,– while the amount of computation is the same,
i.e., m-1 doublings and w-1 additions/subtractions,in both of the methods.
20/33
Naïve Approach
In order to generate a random k of length m s.t. SHW(k) = w,– randomly select w locations for nonzero digits out of m
possible digits of k,– and then assign ‘1’ or ‘-1’ to each of these digits
randomly. Problem
– k’s are not unique.• Hence, the search space for k is much smaller than what
we have intended.– Example: m = 6, w = 3
• (1,0,0,1,0,-1) = (1,0,0,0,1,1) = 35
21/33
Solution
select k’s in the nonadjacent form (NAF).– NAF is a signed binary representation with the
property that no two consecutive digits are nonzero.
– A number’s NAF is unique.
35
(1, 0, 0, 1, 0,-1) (1, 0, 0, 0, 1, 1)
possible representations
in NAF not in NAF
22/33
Selection Algorithm
Now, we want to generate a random k of length m in NAF s.t. SHW(k) = w to guarantee the uniqueness of k.
To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.
The algorithm has six steps.
23/33
Step 1
Initially there is an array of m-w+1 consecutive empty slots.
Example: m = 8, w = 3 (m -w +1 = 6)
24/33
Step 2
Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactly m digits.
Example: m = 8, w = 3
10
25/33
Step 3
Choose w - 1 random slots out of the remaining m – w slots and assign10 or –10 randomly to each of them.
Example: m = 8, w = 3 (w -1 = 2, m -w = 5)
10 10-10
26/33
Step 4
Assign 0 to each remaining slot.
Example: m = 8, w = 3
10 10-10 0 0 0
27/33
Step 5
Concatenate all slots to get a number k with m +1 signed binary digits.
Note that, for now, k is always even.
Example: m = 8, w = 3
10 10-10 0 0 0
(1, 0, 0,-1, 0, 0, 0, 1, 0)
9 digits
28/33
Step 6
Set k = k / 2
Example: m = 8, w = 3
k = (1, 0, 0,-1, 0, 0, 0, 1)
8 digits
(1, 0, 0,-1, 0, 0, 0, 1, 0)
For kP, we need 7 DBLs and 2 ADD/SUBs.
29/33
Distribution of k’s
k’s generated by this algorithm are unique.
k’s generated by this algorithm form a uniform distribution of k’s thathave m digits and satisfy SHW(k) = w.
4. Security Analysis
31/33
Security Against BSGS
With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.
Hence, k’s with larger search space is more secure against this attack.
Now we compare the size of the search space of our method with that of the AMV method.
32/33
Comparison of the Sizes of Search Spaces for k
AMV Our Method
# digits
# nonzeros
m
w
m
w
sizes ofsearch spaces
1
1
w
m 121
w
w
wm
complexity ofa scalar mult.
m-1 DBLsw-1 ADDs
m-1 DBLsw-1 ADD/SUBs
33/33
Comparison in Typical Settings
The size of the search space of our method is much larger.
Our method is expected to be more secure.
