CA2353395C - A method for accelerating cryptographic operations on elliptic curves - Google Patents


Info

Publication number: CA2353395C
Authority: CA (Canada)
Prior art keywords: cryptographic, point, cryptographic processor, bit string, tables
Legal status: Expired - Lifetime (Google's listed status is an assumption, not a legal conclusion)
Application number: CA2353395A
Other languages: French (fr)
Other versions: CA2353395A1 (en)
Inventors: Robert Gallant, Robert J. Lambert, Scott A. Vanstone
Current assignee: BlackBerry Ltd
Original assignee: Certicom Corp
Priority claimed from: CA002257008A (CA2257008C)
Application filed by Certicom Corp; published as CA2353395A1, granted as CA2353395C

Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F 7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F 7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F 7/72 The same, using residue arithmetic
    • G06F 7/724 Finite field arithmetic
    • G06F 7/725 Finite field arithmetic over elliptic curves


Abstract

This invention provides a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field Fq, where q is a prime power, such that there exists an endomorphism ψ, where ψ(Q) = λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representations ki of the scalar k in combination with the mapping ψ to compute the scalar multiple of the elliptic curve point Q.

Description

WO 00/39668 PCT/CA99/01222

METHOD FOR ACCELERATING CRYPTOGRAPHIC OPERATIONS ON ELLIPTIC CURVES

This invention relates to a method for performing computations in cryptographic systems utilising elliptic curves.

BACKGROUND OF THE INVENTION

A public-key data communication system may be used to transfer information between a pair of correspondents. At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender, and the recipient may perform a complementary mathematical operation to decipher the information.
Each correspondent has a private key and a public key that is mathematically related to the private key. The relationship is such that it is not feasible to determine the private key from knowledge of the public key. The keys are used in the transfer of data, either to encrypt data that is to be transferred or to attach a signature to allow verification of the authenticity of the data.
For encryption, one correspondent uses the public key of the recipient to encrypt the message and sends it to the recipient. The recipient then uses her private key to decipher the message.
A common key may also be generated by combining one party's public key with the other party's private key. It is usual in such cases to generate new private and corresponding public keys for each communication session, usually referred to as session keys or ephemeral keys, to avoid the long-term keys of the parties being compromised.
The exchange of messages and generation of the public keys may therefore involve significant computation involving exponentiation when the cryptographic system utilizes Z*p, the finite field of integers mod p where p is a prime, or the analogous operation of point multiplication when the system utilizes an elliptic curve. In an elliptic curve system, an ephemeral key pair is obtained by generating a secret integer k and performing a point multiplication on the seed point Q to provide the ephemeral public key kQ.
Similarly, the generation of a common ephemeral session key will require multiplication of a public key kaQ, which is a point on the curve, with a secret integer kb of the other correspondent, so that point multiplication is again required.
A similar procedure is used to sign a message except that the sender applies his private key to the message. This permits any recipient to recover and verify the message using the sender's public key.
Various protocols exist for implementing such a scheme and some have been widely used. In each case, however, the sender is required to perform a computation to sign the information to be transferred and the receiver is required to perform a computation to verify the signed information.
In a typical implementation a signature component s has the form:
    s = ae + k (mod n)
where, in an elliptic curve crypto system,
    P is a point on the underlying curve which is a predefined parameter of the system;
    k is a random integer selected as a short term private or session key;
    R = kP is the corresponding short term public key;
    a is the long term private key of the sender;
    Q = aP is the sender's corresponding public key;
    e is a secure hash, such as the SHA-1 hash function, of a message m and the short term public key R; and
    n is the order of the curve.
The sender sends to the recipient a message including m, s, and R, and the signature is verified by computing the value R' = (sP - eQ), which should correspond to R. If the computed values correspond then the signature is verified.
In order to perform the verification it is necessary to compute the point multiplications to obtain sP and eQ, each of which is computationally complex. Where the recipient has adequate computing power this does not present a particular problem, but where the recipient has limited computing power, such as in a secure token or a "Smart card" application, the computations may introduce delays in the verification process.
Key generation and signature protocols may therefore be computationally intensive. As cryptography becomes more widely used there is an increasing demand to implement cryptographic systems that are faster and that use limited computing power, such as may be found on a smart card or wireless device.
Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC permits reductions in key and certificate size that translate to smaller memory requirements and significant cost savings. ECC can not only significantly reduce the cost, but also accelerate the deployment of smart cards in next-generation applications.
Additionally, although the ECC algorithm allows for a reduction in key size, the same level of security as other algorithms with larger keys is maintained.
However, there is still a need to perform faster calculations on the keys so as to speed up the information transfer while maintaining a low cost of production of cryptographic devices.
Computing multiples of a point on an elliptic curve is one of the most frequent computations performed in elliptic curve cryptography. One method of speeding up such computations is to use tables of precomputed multiples of a point. This technique is more useful when a point is known beforehand. However, there are cases when multiples of previously unknown points are required (for example, in ECDSA verification).
Thus there is a need for a system and method for facilitating point multiplications.
SUMMARY OF THE INVENTION

In general terms, the present invention represents the scalar k as a combination of components ki and an integer λ derived from an endomorphism in the underlying curve.
The method is based on the observation that, given an elliptic curve (EC) having a complex multiplication mapping over a finite field, there is a λ, which is the solution to a quadratic, for which the complex multiplication mapping is equivalent to multiplying a point Q by λ. It will often be less computationally expensive to compute λQ via the complex multiplication map, compared to treating λ as an integer and performing the EC multiplication.
In practice, point multiplication by other scalars (not just λ) is required.
It is also shown how the multiplication mapping may be used to compute other multiples of the point.
In accordance with this invention there is provided a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ, where ψ(Q) = λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representations ki of the scalar k in combination with the mapping ψ to compute the scalar multiple of the elliptic curve point Q.
BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:
Figure 1 is a schematic diagram of a communication system;
Figure 2 is a flow chart showing the steps of implementing a first embodiment of the present invention;
Figure 3 is a flow chart showing the steps of providing parameters required to implement the method of figure 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

For convenience in the following description, like numerals refer to like structures in the drawings. Referring to Figure 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12 and a recipient 14, connected by a communication channel 16. Each of the correspondents 12, 14 includes a cryptographic processor 18, 20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. Each of the correspondents 12, 14 also includes a computational unit 19, 21 respectively to perform mathematical computations related to the cryptographic processors 18, 20. The processors 18, 20 may be embodied in an integrated circuit incorporated in the processor or may be implemented as instructions encoded on a data carrier to implement a predetermined protocol in conjunction with a general purpose processor. For the purpose of illustration it will be assumed that the correspondent 12 is in the form of a smart card having a dedicated processor 18 with relatively limited computing power. The processor 20 may be a central server communicating with the card by channel 16, and channel 16 may be a wireless communication channel if preferred.
The cryptographic processors 18 implement an elliptic curve cryptographic system, or ECC, and one of the functions of the cryptographic processor 18 is to perform point multiplications of the form k·Q, where k is an integer and Q a point on the underlying elliptic curve, so that they may be used as a key pair k, kQ in a cryptographic scheme. As noted above, cryptographic computations such as the multiplication of an elliptic curve point by a scalar value are computationally expensive.

A method for accelerating scalar multiplication of an elliptic curve point Q(x,y) is shown in figure 2 and indicated generally by the numeral 50. The subject algorithm increases the speed at which the processors 12 can, for example, sign and verify messages for specific classes of elliptic curves. The method is based on the observation that, given the general equation for an elliptic curve E:
    y² + a1xy + a3y = x³ + a2x² + a4x + a6    (1)
over a finite field, exemplified as Fq (q is a prime power), and when there exists an endomorphism ψ, where ψ(Q) = λ·Q for all points Q(x,y) on the elliptic curve, then multiplication of the point Q by an integer k may be accelerated by utilizing combinations of smaller representations ki of k in combination with the mapping ψ. The mapping ψ also allows precomputation of group elements and combinations thereof, which may be used in subsequent calculation of kQ.
Referring now to figure 2, a flow chart of a general embodiment for accelerating point multiplication on an elliptic curve is shown by numeral 50. The system parameters are first selected. As an initial step an underlying elliptic curve E is selected to have certain characteristics. In a first embodiment of the invention the generalized elliptic curve (1) may be expressed in the following form:
    E: y² = x³ + b mod p, where p is a prime.    (2)
Firstly, the modulus p can be determined such that there is a number γ, where γ ∈ Fp (Fp is the field of size p consisting of all integers mod p), and γ³ = 1 mod p (a cube root of unity). If for example p = 7, then γ = 2, since 2³ mod 7 = 1. Such a γ does not necessarily exist for all p, and therefore this must be taken into consideration when choosing the value of p. Typically, the chosen p should be at least 160 bits in length for adequate cryptographic strength.
After the curve E has been selected, a mapping function ψ is determined. The mapping function ψ: (x, y) → (γx, y) simply maps one set of points on the curve to another set of points on the curve. There exists an integer λ such that ψ(Q) = λ·Q for all points Q(x,y) of interest on the elliptic curve E. This integer λ may be found by noting that λ³ ≡ 1 mod n, where n is the number of points on the elliptic curve E over Fp, i.e. the number of points on E(Fp). There may exist more than one solution for λ in λ³ ≡ 1 mod n, but only one of those solutions will satisfy the mapping function ψ. It is important to note that since γ³ mod p = 1, both Q and ψ(Q) satisfy the equation for E. Therefore, instead of having to perform lengthy calculations to determine the results of multiplication by λ, it can be done very efficiently using the results of the mapping function, so that multiplication by λ can be done very efficiently.
A seed point Q is selected and the system parameters E, p, Q, λ, ψ(Q), and γ are stored in the card 12, as indicated at 52, at manufacture time for use by the cryptographic processor 18. To implement a cryptographic procedure such as encryption, key agreement or signature it is necessary to select an integer k for use as an ephemeral private key k and generate a corresponding public key kQ.
The value of k may be expressed as:
    k = (k0 + k1λ) mod n    (3)
where n is the number of points on E(Fp) and k0 and k1 are integers. The point k·Q then becomes:
    k·Q = (k0Q + k1λQ) mod n    (4)
For some cryptographic operations the value of k may be chosen at random, and in these cases, rather than select k, it is possible to select values for k0 and k1 at random, having a length of ⌊log2(n)⌋/2 not including sign bits (i.e. the lengths of the ki's are chosen to be at least one half the length of k), and then calculate the value for k using equation (3).
Having selected the values of k0, k1 as indicated at 54 in figure 2, the right side of equation (4) can be calculated quickly using an algorithm analogous to the "Simultaneous Multiple Exponentiation" as described in the "Handbook of Applied Cryptography" (HAC) by Menezes et al. (Algorithm 14.88) and indicated at 56. For convenience the algorithm is reproduced below. It may be noted that in an additive group exponentiation is analogous to addition; thus replacing the multiplication in the algorithm with addition yields the following:

Algorithm 1  Simultaneous Multiple Addition
INPUT: group elements g0, g1, ..., g(l-1) and non-negative t-bit integers e0, e1, ..., e(l-1).
OUTPUT: g0e0 + g1e1 + ... + g(l-1)e(l-1).
Step 1. Precomputation. For i from 0 to (2^l - 1):
    G[i] ← Σ (j = 0 .. l-1) ij·gj, where i = (i(l-1) ... i0)2.
Step 2. A ← 0.
Step 3. For i from 1 to t do the following:
    A ← A + A,  A ← A + G[Ii].
Step 4. Return (A), where A = g0e0 + g1e1 + ... + g(l-1)e(l-1).

Applying this algorithm to equation (4) it can be seen that there are two group elements g0, g1, namely Q and λQ, so that l = 2, and two integers e0, e1, namely k0, k1. The algorithm permits precomputation of some of the values and initially G[i] is precomputed. The results of precomputation of G[i] with l = 2 are shown in table 1.

    i    | 0 | 1  | 2  | 3
    G[i] | 0 | g0 | g1 | g0 + g1
    Table 1.

After performing a point addition to construct the point Q + ψ(Q), it is possible to fill in table 1 with the computed elements to yield table 2. These elements may be pre-computed and stored in memory as shown at step 58 in figure 2.

    i    | 0 | 1 | 2    | 3
    G[i] | 0 | Q | ψ(Q) | Q + ψ(Q)
    Table 2.

Before step 3 of the algorithm can be performed, G[Ii] has to be determined and accordingly I1 through It have to be found, as indicated at 60. A notional matrix or combing table may be constructed using the binary representation of ki. If, for example, k0 = 30 and k1 = 10, then t has the value five, since the maximum number of bits in the binary representation of k0 through k1 is five, and the notional matrix constructed from their binary representation is shown in Table 3. Ii is determined by the number represented in the ith column, where the first row contains the least significant bit, the second row contains the next significant bit, etc.

    column i | 1 | 2 | 3 | 4 | 5
    k0 = 30  | 1 | 1 | 1 | 1 | 0
    k1 = 10  | 0 | 1 | 0 | 1 | 0
    Ii       | 1 | 3 | 1 | 3 | 0
    Table 3.

Therefore it can be seen from table 3 that I1 = I3 = (01) = 1, I2 = I4 = (11) = 3, and I5 = 0.
All the components needed to complete the algorithm are available and the iteration of step three is performed as shown at 62.
Initially A ← 0 and i is set to 1.
Ii = I1, which from table 3 is equal to 1. G[Ii] is therefore G[1], which from table 2 is Q.
The value of A from the iteration for i = 1 is therefore 0 + Q = Q.
For the next iteration, where i = 2, the initial value of A is Q, so A ← Q + Q = 2Q.
Ii = I2 = 3 from table 3. G[Ii] therefore equates to G[3] from table 2, which is Q + ψ(Q).
A + G[Ii] is therefore computed as 2Q + Q + ψ(Q) = 3Q + ψ(Q).
The iterations continue for each value of i set out in table 4 until after the 5th iteration the value for k0Q + k1λQ, i.e. kQ, is computed.

    i | A after iteration i
    1 | Q
    2 | 3Q + ψ(Q)
    3 | 7Q + 2ψ(Q)
    4 | 15Q + 5ψ(Q)
    5 | 30Q + 10ψ(Q)
    Table 4.

Each iteration requires a point doubling (A + A) and a point addition (A + G[Ii]), although in some cases the value of G[Ii] may be 0, which will reduce the computation.
Thus it may be seen that this method will require a number of point doubles equal to max{log2(ki)}, and almost as many point additions. The number of point additions can be reduced using windowing (Alg. 14.85 HAC) and exponent recoding techniques.
Since the values of Ii and G[Ii] can be precomputed, the point additions are easily performed by retrieving the appropriate precomputed element G[Ii] from table 2. Once kQ has been computed, it may be used as the ephemeral public key of the correspondent 12 in encrypting or signing transmissions over the channel 16.
To summarize, for cryptographic operations like encryption, Diffie-Hellman and signature, an integer k is required with a corresponding public key kQ computed. The values k0 and k1 are chosen at random, each having a length one half the length of n, and the term k0Q + k1λQ is generated using a suitable algorithm. When the k's are chosen in this way, the method seems to be as secure as the random generation of k itself. Of course it is possible to choose the ki's to have fewer bits in order to improve efficiency.
In the above technique, the method of writing k = k0 + k1λ, in conjunction with simultaneous combing, achieves a speed up of the simultaneous multiple addition algorithm.
The technique of writing k = k0 + k1λ may also be used with the scalar multiplication techniques to advantage, namely with windowing, combing, etc.
For some mappings ψ, it is also possible to use more than two sub k's. It is possible for some ψ's to write k = k0 + k1λ + k2λ², allowing the value of k to be computed by applying the simultaneous multiple addition algorithm.
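The first embodiment end to end, as an added example that is not part of the patent: a constructed curve y² = x³ + b over F_43 (p ≡ 1 mod 3), the map ψ(x, y) = (γx, y), the eigenvalue λ, and Algorithm 1 run on the patent's own k0 = 30, k1 = 10 and checked against plain double-and-add. The parameter p = 43 and the brute-force searches are assumptions made so everything fits on a page; they are not secure parameters.

```python
# Added example (not part of the patent): the first embodiment on a small constructed curve.
# y^2 = x^3 + b over F_p with p = 1 (mod 3), the map psi(x, y) = (gamma*x, y), its eigenvalue
# lambda, and Algorithm 1 (simultaneous multiple addition) for k = k0 + k1*lambda.
# p = 43 is chosen only so every search can be brute-forced; nothing here is a secure parameter.

P = 43            # prime with p = 1 (mod 3), so a cube root of unity gamma exists in F_p
INF = None        # point at infinity


def inv(x):
    return pow(x, P - 2, P)


def add(A, B):
    """Affine point addition on y^2 = x^3 + b (a = 0); INF is the identity."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                              # A + (-A)
    if A == B:
        s = 3 * x1 * x1 * inv(2 * y1) % P       # tangent slope
    else:
        s = (y2 - y1) * inv(x2 - x1) % P        # chord slope
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def mul(k, Q):
    """Plain double-and-add; the reference that Algorithm 1 is checked against."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, Q)
    return R


def find_parameters():
    """Step 52 of figure 2: pick b so that n = #E(F_p) is prime, then gamma, a seed point Q,
    psi(Q) and the lambda with lambda^3 = 1 (mod n) that actually satisfies psi(Q) = lambda*Q."""
    gamma = next(g for g in range(2, P) if pow(g, 3, P) == 1)     # cube root of unity in F_p
    for b in range(1, P):
        pts = [(x, y) for x in range(P) for y in range(P) if (y * y - x ** 3 - b) % P == 0]
        n = len(pts) + 1                                          # +1 for the point at infinity
        if n > 3 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            Q = next(pt for pt in pts if pt[0] != 0)              # x = 0 points are fixed by psi
            psi_Q = (gamma * Q[0] % P, Q[1])                      # psi(x, y) = (gamma*x, y)
            lam = next(l for l in range(2, n) if pow(l, 3, n) == 1 and mul(l, Q) == psi_Q)
            return b, n, gamma, Q, psi_Q, lam
    raise ValueError("no prime-order curve y^2 = x^3 + b over F_p")


def simultaneous_add(k0, k1, Q, psi_Q):
    """Algorithm 1 with l = 2. Table 2 is G = [0, Q, psi(Q), Q + psi(Q)]; I_i is read from the
    i-th column of the bit matrix of (k0, k1), k0's row being the least significant bit of I_i."""
    G = [INF, Q, psi_Q, add(Q, psi_Q)]          # one point addition of precomputation
    t = max(k0.bit_length(), k1.bit_length())
    A = INF
    for i in range(t - 1, -1, -1):              # columns from most to least significant bit
        I = (((k1 >> i) & 1) << 1) | ((k0 >> i) & 1)
        A = add(A, A)                           # one doubling per column ...
        A = add(A, G[I])                        # ... and one table addition (free when I = 0)
    return A


def kq_two_ways(k0, k1):
    """Return (kQ by Algorithm 1, kQ by plain scalar multiplication, n, lambda) so the two
    routes can be compared; k = (k0 + k1*lambda) mod n as in equation (3)."""
    b, n, gamma, Q, psi_Q, lam = find_parameters()
    k = (k0 + k1 * lam) % n
    return simultaneous_add(k0, k1, Q, psi_Q), mul(k, Q), n, lam


if __name__ == "__main__":
    # The patent's worked example: k0 = 30, k1 = 10 (tables 3 and 4).
    fast, slow, n, lam = kq_two_ways(30, 10)
    print(f"n = {n}, lambda = {lam}, Algorithm 1 -> {fast}, double-and-add -> {slow}")
```

For p = 43 the only prime curve order among the six curves y² = x³ + b is 31, so the search lands on n = 31 and λ is one of the two primitive cube roots of unity mod 31, 5 or 25.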
In a second embodiment of the invention a different form of the generalized elliptic curve equation (1) is used, namely:
    y² = (x³ - ax) mod p    (5)
Once again, p will be a prime number having at least 160 bits. For this type of curve, the properties required for γ are different. It is now required to find a value such that γ² = -1 mod p. A change in the property of γ requires a different mapping function ψ' to be used. In this embodiment the mapping takes the form ψ': (x, y) → (-x, γy). If (x, y) is on the curve, then ψ'(x, y) is also on the curve. In this case λ⁴ ≡ 1 mod n (n is still the number of points on E(Fp)), and therefore λ can be calculated. The mapping ψ'(Q) = λ·Q is performed as before and once again multiplication by λ can be done very efficiently for this curve. The equation for k in this embodiment is the same as in the first embodiment and is represented by:
    k = (k0 + k1λ) mod n    (6)
This equation is the same as in the previous embodiment, having only two group elements.
Thus using the group elements Q and Q + ψ'(Q) in algorithm 1, the point k·Q may be calculated. This computation will require a number of point doubles equal to max(log2(ki)), and a similar number of point additions. As described earlier the number of point additions can be reduced using windowing and exponent recoding techniques.
This method applies to other elliptic curves, so long as there exists an efficiently computable endomorphism ψ.
The above embodiments assume that k can be chosen at random and therefore k0 and k1 can be selected instead and determine k. For cryptographic protocols where it is not possible to choose k, it is first necessary to find k0, k1 of the desired "short" form from the given value of k such that k = (k0 + k1λ) mod n. In some cases, more than two k's can be used to advantage.
As may be seen in the embodiments described above, when a point is known beforehand, tables can be built to speed multiplication. However, there are cases when multiples of previously unknown points are required (for example, this can occur in ECDSA verification), and it is then necessary to take the value of k as provided and then determine suitable representations for ki.
Thus in a third embodiment, system parameters and a value k are provided: the point Q, the required multiple k, and the complex multiplication multiple λ are known.
It is necessary to determine the "short" ki's from the value for k, which is predetermined. A method for doing this is described as follows and illustrated in the flow chart of figure 3.
As a pre-computation (not requiring k) we compute two relations:
    a0 + b0λ = 0 mod n
    a1 + b1λ = 0 mod n
such that ai and bi are numbers smaller than n. It is preferable that ai and bi are as small as possible; however, the present method has advantages even when ai and bi are not minimal.
The pair ai and bi, where ai and bi are both small, can be viewed as a vector ui with a small Euclidean length. Typically the method described below produces k0 and k1 having representations one half the size of the original k.
In the present embodiment, kQ can be computed efficiently by utilizing precomputed short vector representations to obtain an expression of the form:
    k0Q + λk1Q
This is accomplished by using precomputed vectors to derive fractions f0 and f1 that do not require knowledge of k. A vector z is generated from the combination of the fractions f0 and f1 and k. The vector z is used to calculate a second vector v', where v' = (v0', v1'), and the value of kQ is calculated as v0'Q + λv1'Q. The method of achieving this solution is described below in greater detail.
To produce small ai and bi, it is possible to make use of the L³ lattice basis reduction algorithm (HAC p. 118), which would directly result in short basis vectors.
However, in this preferred embodiment the simple extended Euclidean algorithm is employed on the pair (n, λ). The extended Euclidean algorithm on (n, λ) produces linear combinations ci·n + di·λ = ri, where the representation of ri (e.g. bit-length) decreases and the representation of ci and di increases with i.
The two smallest values of |(di, ri)| resulting from using the extended Euclidean algorithm are saved. The sizes of these vectors are measured with the squared Euclidean norm |(di, ri)|² = di² + ri². The terms in these minimal relations are denoted d0, r0 and d1, r1, and will typically occur in the middle of the algorithm. Even if the minimal relations are not retained, suboptimal relations may still give the method an advantage in the calculation of point multiples.
The values of ai and bi are constructed by defining a0 = -r0, b0 = d0 and a1 = -r1, b1 = d1, all of which may be precomputed.
The next task is to find a small representation for the multiple k.
Given the computation of a0, b0 and a1, b1 it is possible to designate the vectors u0, u1, where u0 = (a0, b0) and u1 = (a1, b1). These vectors satisfy ai + biλ = 0 (mod n). The multiplication of the group element Q by the vector v = (v0, v1) is defined as (v0 + v1λ)Q.
Since ai + biλ = 0 (mod n), u0R = u1R = 0 for any group element R. Hence for any integers z0 and z1, vR = (v - z0u0 - z1u1)R for any group element R.
Integers z0 and z1 may be chosen such that the vector v' = v - z0u0 - z1u1 has components that are as small as possible. Again, this method will have an advantage if the components of v' are small, but not necessarily minimally so.
The appropriate z0 and z1 are calculated by converting the basis of v into the basis {u0, u1}. The conversion between bases involves matrix multiplication. To convert the vector v = (v0, v1) from the {u0, u1} basis to the standard orthonormal basis {(1,0), (0,1)}:
    v_{(1,0),(0,1)} = v_{(u0,u1)} · M,   where M = [ a0  b0 ]
                                                  [ a1  b1 ]
To convert in the other direction, from the standard orthonormal basis {(1,0), (0,1)} to the {u0, u1} basis, the multiplication is simply by the inverse of M:
    v_{(u0,u1)} = v_{(1,0),(0,1)} · inverse(M),   where inverse(M) = 1/(a0b1 - a1b0) · [  b1  -b0 ]
                                                                                     [ -a1   a0 ]
Since the vector v = (k, 0) has a zero component, the bottom row of inverse(M) is not required, and therefore to convert to the {u0, u1} basis only the fractions
    f0 = b1 / (a0b1 - a1b0)   and   f1 = -b0 / (a0b1 - a1b0)
are needed.
The fractions f0 and f1 may be precomputed to enough precision so that this operation may be effected only with multiplication. It should be noted that the computations leading to these fractions do not depend upon k; therefore they can be computed once when the elliptic curve is chosen as a system parameter, and do not need to be recalculated for each k.
Similarly the vectors u0 and u1 may be precomputed and stored.
Once a value of k is selected or determined, the value of kQ may be computed by first calculating z = (z0, z1), where z is defined as (z0, z1) = (round(kf0), round(kf1)).
Other vectors near to z will also be useful; therefore rounding could be replaced with floor or ceiling functions or some other approximation.
Once a suitable z has been determined, an efficient equivalent to v = (k, 0) is calculated by v' = (v0', v1') = v - z0u0 - z1u1. The phrase "efficient equivalent" implies a vector v' such that v'P = vP and v' has small coefficients. The value kQ is then calculated as v0'Q + v1'λQ.
This value can be calculated using simultaneous point addition as described above, with enhanced efficiency obtained from the use of non-adjacent form (NAF) recoding as described above and as described in H.A.C. 14.7 at page 627. Thus, even where k is predetermined, values of k0 and k1 can be computed and used with the mapping function to obtain a value of kQ and thus the key pair k, kQ.
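The third embodiment as an added example, not code from the patent: the extended Euclidean algorithm on (n, λ) supplies u0 and u1, the fractions f0 and f1 are the top row of inverse(M), and z = (round(kf0), round(kf1)) gives v' = (k, 0) - z0u0 - z1u1. The patent gives no numeric parameters, so the example assumes the public secp256k1 group order n and its GLV eigenvalue λ (λ³ ≡ 1 mod n is verified in the code) and a constructed sample k.

```python
# Added example (not part of the patent): the third embodiment, deriving "short" k0, k1 from a
# given k. The extended Euclidean algorithm on (n, lambda) supplies u0, u1; the fractions f0, f1
# come from the top row of inverse(M); z = (round(k f0), round(k f1)); v' = (k, 0) - z0 u0 - z1 u1.
# n and lambda are the public secp256k1 group order and its GLV eigenvalue (lambda^3 = 1 mod n is
# checked below); the patent itself gives no numeric parameters.
from fractions import Fraction

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
LAMBDA = 0x5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72
assert pow(LAMBDA, 3, N) == 1 and LAMBDA != 1


def short_relations(n, lam):
    """Extended Euclid on (n, lam): every remainder satisfies c_i*n + d_i*lam = r_i.
    Keep the two (d_i, r_i) of smallest squared norm d_i^2 + r_i^2 (they occur mid-way through)
    and return u0 = (a0, b0), u1 = (a1, b1) with a_i = -r_i, b_i = d_i, so a_i + b_i*lam = 0 mod n."""
    r_prev, r = n, lam
    d_prev, d = 0, 1                     # coefficient of lam in r_prev and r
    seen = []
    while r != 0:
        seen.append((d * d + r * r, d, r))
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        d_prev, d = d, d_prev - q * d
    seen.sort()
    (_, d0, r0), (_, d1, r1) = seen[0], seen[1]
    u0, u1 = (-r0, d0), (-r1, d1)
    for a, b in (u0, u1):
        assert (a + b * lam) % n == 0
    return u0, u1


def decompose(k, n, lam, u0, u1):
    """Return v' = (v0', v1') with k = v0' + v1'*lam (mod n) and both components about half
    the size of n. f0, f1 and u0, u1 do not depend on k and would be precomputed in practice."""
    (a0, b0), (a1, b1) = u0, u1
    det = a0 * b1 - a1 * b0
    f0, f1 = Fraction(b1, det), Fraction(-b0, det)     # top row of inverse(M), M = [[a0,b0],[a1,b1]]
    z0, z1 = round(k * f0), round(k * f1)              # nearest lattice point to v = (k, 0)
    v0 = k - z0 * a0 - z1 * a1
    v1 = -z0 * b0 - z1 * b1
    assert (v0 + v1 * lam - k) % n == 0                # v'Q = vQ = kQ for every point Q
    return v0, v1


def glv_split(k, n=N, lam=LAMBDA):
    """k -> (k0, k1) with k = k0 + k1*lambda (mod n); kQ is then k0*Q + k1*psi(Q)."""
    u0, u1 = short_relations(n, lam)
    return decompose(k, n, lam, u0, u1)


if __name__ == "__main__":
    k = 2 ** 255 + 12345                               # constructed sample scalar
    k0, k1 = glv_split(k)
    print(f"k0 has {k0.bit_length()} bits, k1 has {k1.bit_length()} bits (n has {N.bit_length()})")
```

Exact fractions are used here for clarity; a card implementation would store f0 and f1 truncated to a fixed precision, as the text notes, and the rounding error then only affects how short v' is, never its correctness.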

W~ 0013966 PC'T/CA99/01222 For the case where k is to be separated into 3 portions k = ko+ k~~. + kz~', small vectors can be obtained from L3 -row-reducing 1 0 _ ~z ua 0 1 - ~2 to u, 0 0 - n uo A small vector equivalent (three-dimensional row) can be obtained in a similar way to the two-dimensional case.
Using these methods to determine the value of k°Q greatly reduces the processing power required by the cryptographic processors 12. It also increases the speed at which these repetitive calculations can be done which, in tum, reduces the time to transfer information.
It will be appreciated that once the scalar multiple k has been represented in terms of shortened components k = k0 + k1λ + k2λ² + ... + k(m-1)λ^(m-1), other options for efficient elliptic curve scalar multiplication may be used in place of or in conjunction with the simultaneous multiple addition algorithm. These options include windowing (fixed and sliding), combing, bit recoding and combinations of these techniques.

One particularly beneficial technique permits tables built for one component of the multiplication, say k0, to be reused for the other components ki. This is accomplished by transforming the computed table elements by applying the mapping ψ as required. As a further exemplification, an embodiment where k can be recast as k = k0 + k1λ + k2λ², where k has m bits and the ki have roughly m/3 bits, is described below.

Once the components ki have been determined, they may be recoded from the binary representation to a signed binary representation having fewer non-zero bits. This recoding can take the Non-Adjacent Form (NAF), in which every 1 or -1 digit in the representation of ki is non-adjacent to another non-zero digit in the signed binary string. This recoding is described in H.A.C. 14.7, p. 627.

Once each ki has been recoded, a table can be constructed to aid in computing kiψ^iP. A NAF windowing table precomputes certain short-bit-length multiples of ψ^iP. The width of the window determines the size of the table. As ki has been recoded to have no adjacent non-zeros, odd window widths are suitable. A 3-bit wide NAF window would contain 1, 10-1 or 101. The recoded ki values are built by concatenating these windows, padding where necessary with zeros (H.A.C., p. 616).

The required number of additions can be reduced by using this table, since it is necessary to add or subtract an EC point only for every window encountered instead of for every non-zero bit.

Initially, therefore, this technique is applied to the computation of k0P. The table built for the k0P calculation can be applied to the k1ψP calculation if the table elements are mapped with the ψ mapping using the operator ψ. Similarly, k2ψ²P can be accelerated by using the table built for k0P, but mapping the table elements with ψ².
In applying the sliding window technique to the components, only one set of doublings need be performed.
To illustrate this example of a preferred embodiment the following example will be used:

If k = [101101011101]₂ + [111010101101]₂ λ, then recoding gives k = [10-100-10-100-101] + [1000-10-10-10-101] λ = k0 + k1λ.

A 3-bit window table on P is precomputed containing 1·P, [10-1]·P and [101]·P. This requires two EC additions and two EC doublings.

After this, kP can be calculated as kP = [10-100-10-100-101] P + [1000-10-10-10-101] ψP by adding/subtracting elements from the table.

This can be done using an accumulator A as follows:

A ← ψ(1·P)          ; initialize, consuming the top bit of k1
A ← 2²A             ; double A twice
A ← A + [10-1] P    ; consuming the top 3 bits of k0
A ← 2⁴A
A ← A - [101] ψP    ; consuming a 3-bit window of k1
A ← 2A              ; double A
A ← A - [101] P     ; consuming 3 bits of k0
A ← 2³A
A ← A - [101] ψP    ; consuming 3 bits of k1
A ← 2²A
A ← A - [10-1] P    ; consuming the last of k0
A ← A + ψP          ; producing kP.
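The recoding, shared window table and interleaved accumulator walk of the example above, as an added Python example that is not part of the patent. The group is a stand-in chosen so the result can be checked by hand: integers mod N under addition, P = 1 and ψ(Q) = LAM·Q mod N, with N and LAM made-up constants; the walk also accepts any number of components and NAFs of unequal length, which the patent's two-component example does not show.

```python
# Added example (not the patent's code): NAF recoding, one odd-multiple table
# reused via psi, and the interleaved walk for k0*P + k1*psi(P). Stand-in group
# with made-up constants: integers mod N, P = 1, psi(Q) = LAM*Q mod N.
N, LAM = 1_000_003, 31337
g_add = lambda a, b: (a + b) % N
g_dbl = lambda a: (2 * a) % N
g_neg = lambda a: (-a) % N
g_psi = lambda a: (LAM * a) % N          # the endomorphism; real EC ops slot in here

def naf(k):                              # non-adjacent form of k > 0, MSD first
    out = []
    while k > 0:
        d = (2 - (k & 3)) if k & 1 else 0    # odd k: +1 or -1 so that (k - d) % 4 == 0
        out.append(d)
        k = (k - d) >> 1
    return out[::-1]

def windows(digits, w=3):                # [(lsb_position, odd signed value)] over a NAF
    out, i, n = [], 0, len(digits)
    while i < n:
        j = min(i + w, n)
        while j > i + 1 and digits[j - 1] == 0: j -= 1   # drop trailing zeros: |value| odd
        if digits[i]:
            out.append((n - j, sum(d << (j - 1 - t) for t, d in enumerate(digits[i:j], i))))
        i = j if digits[i] else i + 1
    return out

def odd_table(P, w=3):                   # P, 3P, 5P, ... up to the largest w-digit NAF value
    table, twoP = {1: P}, g_dbl(P)
    for v in range(3, (2 ** (w + 1) - 1) // 3 + 1, 2):
        table[v] = g_add(table[v - 2], twoP)
    return table

def interleaved_multiply(ks, P, w=3):    # sum_i k_i * psi^i(P) with one doubling per bit
    nafs = [naf(k) for k in ks]
    L = max(map(len, nafs))
    wins = [dict(windows([0] * (L - len(d)) + d, w)) for d in nafs]   # pad to equal length
    tables = [odd_table(P, w)]
    for _ in ks[1:]:                     # component i reuses the base table mapped by psi^i
        tables.append({v: g_psi(q) for v, q in tables[-1].items()})
    A, ops = 0, {"dbl": 0, "add": 0}
    for pos in range(L - 1, -1, -1):
        if pos < L - 1:
            A, ops["dbl"] = g_dbl(A), ops["dbl"] + 1
        for i, wn in enumerate(wins):
            if pos in wn:
                T = tables[i][abs(wn[pos])]
                A, ops["add"] = g_add(A, T if wn[pos] > 0 else g_neg(T)), ops["add"] + 1
    return A, ops
```

For the patent's k0 = [101101011101]₂ and k1 = [111010101101]₂ the walk performs 12 doublings and 7 table additions, matching the twelve-step trace above.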
In summary, the previously described technique is as follows. Given an elliptic curve E and an endomorphism ψ, there corresponds an integer λ such that λQ = ψ(Q) for all points Q ∈ E. Select an integer m and compute an equivalent number m of "short basis vectors" b1, b2, ..., bm. Each such basis vector corresponds to an integer, and each such integer is divisible by n = #E(F_(p^m)) (i.e. the number of points).

Now, given an integer k (0 < k < n), we write k = Σ kiλ^i, where the ki are chosen to be "short". This is done by finding the difference between a certain vector (which represents k) and a nearby vector in the lattice generated by b1, b2, ..., bm.

The following embodiment explicitly describes an application of the previously described technique (endomorphism, basis conversion and "Shamir's trick") to elliptic curves defined over composite fields. In particular, we describe an application to curves E(F_(p^m)) where p is an odd prime. The following embodiments exemplify techniques for such curves.

This technique is described in the case where the map ψ is the Frobenius map ψ(x, y) = (x^p, y^p) and E = E_(A,B)(F_(p^m)) where A, B ∈ F_p.

In this case, it is known that the Frobenius map satisfies ψ² - tψ + p = 0, where t = p + 1 - #E(F_p).

It follows that λ² - tλ + p ≡ 0 mod n and so λ^(i+2) - tλ^(i+1) + pλ^i ≡ 0 mod n.

Note that the vectors, with coordinates listed in the order (λ^(m-1), ..., λ², λ¹, λ⁰):

b1 = (0, 0, 0, ..., 0, 1, -t, p)
b2 = (0, 0, ..., 0, 1, -t, p, 0)
...
(1, -t, p, 0, 0, ..., 0)
(-t, p, 0, 0, ..., 0, 1)
(p, 0, 0, ..., 0, 1, -t)

consist of m "short" basis vectors of the vector space Q^m. It follows that to compute kQ on such a curve we can proceed using the vectors b1, b2, ..., bm and the technique described previously.

In the above embodiments it will be appreciated that kiλ^iQ can be obtained from ψ^i(kiQ) if the mapping is more efficient than addition.

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

Claims (13)

1. A method of operating an elliptic curve cryptographic processor in a data communication system for generating a bit string output representing the coordinates of a point that is a sum of a plurality of point-multiples in a cryptographic operation performed by said cryptographic processor using a computational unit, said method comprising:
storing in a memory accessible to said cryptographic processor, a plurality of computer readable tables, each of said tables corresponding to a respective one of a plurality of points on an elliptic curve, each table containing a set of computer readable representations of small multiples of the respective point to permit computation of said point multiples;
said cryptographic processor accessing said memory to obtain said tables during said cryptographic operation upon being initiated to compute a sum of a plurality of point multiples;
said cryptographic processor using said computational unit to determine a bit string representation of each of a plurality of scalars provided to said cryptographic processor during said cryptographic operation;
said cryptographic processor using said computational unit for:
- initializing an accumulator in said cryptographic processor;
- windowing adjacent bits in each of the bit string representations;
- simultaneously examining in a bitwise fashion each of the bit string representations and at each bit performing a doubling operation of said accumulator; and
- at the limit of each window during said examining, adding to said accumulator a value of a small multiple obtained from the respective one of the tables and corresponding to a bit string in such window to obtain, upon completion of said examining, a result representing said sum; and
said cryptographic processor accessing said result from said accumulator, determining said bit string output for said result, and utilizing said bit string output in performing cryptographic operations requiring said sum.
2. A method according to claim 1, said method comprising recoding said scalars from a binary representation to a signed binary representation.
3. A method according to claim 2 wherein said signed binary representation is a Non-Adjacent Form (NAF).
4. A method according to any one of claims 1 to 3 wherein said windowing comprises one of a sliding window and a fixed window.
5. A method according to any one of claims 1 to 4 wherein said output comprises a pair of point multiples in a signature verification scheme.
6. A method according to any one of claims 1 to 5 wherein the size of said tables is determined according to said windowing.
7. A computer readable medium having computer readable instructions for causing a cryptographic processor to perform the method of any one of claims 1 to 6.
8. A system for operating an elliptic curve cryptographic processor in a data communication system for generating a bit string output representing the coordinates of a point that is a sum of a plurality of point-multiples in a cryptographic operation performed by said cryptographic processor using a computational unit, said system comprising said cryptographic processor, said computational unit, an accumulator, a memory accessible to said cryptographic processor, and a set of computer executable instructions for operating said cryptographic processor, including instructions for:
storing in said memory a plurality of computer readable tables, each of said tables corresponding to a respective one of said plurality of points on an elliptic curve, each table containing a set of computer readable representations of small multiples of the respective point to permit computation of said point-multiples;
said cryptographic processor accessing said memory to obtain said tables during said cryptographic operation upon being initiated to compute a sum of a plurality of point multiples;
said cryptographic processor using said computational unit to determine a bit string representation of each said plurality of scalars provided to said cryptographic processor during said cryptographic operation;
said cryptographic processor using said computational unit for:
- initializing said accumulator;
- windowing adjacent bits in each of the bit string representations;
- simultaneously examining in a bitwise fashion each of the bit string representations and at each bit performing a doubling operation of said accumulator; and
- at the limit of each window during said examining, adding to said accumulator a value of a small multiple obtained from the respective one of the tables and corresponding to a bit string in such window to obtain, upon completion of said examining, a result representing said sum; and
said cryptographic processor accessing said result from said accumulator, determining said bit string output for said result, and utilizing said bit string output in performing cryptographic operations requiring said sum.
9. The system of claim 8 wherein said cryptographic processor is provided as a dedicated processor in a smart card.
10. The system of any one of claims 8 to 9 wherein said computer executable instructions further comprise instructions for recoding said scalars from a binary representation to a signed binary representation.
11. The system of any one of claims 8 to 10 wherein said signed binary representation is a Non-Adjacent Form (NAF).
12. The system of any one of claims 8 to 11 wherein said windowing comprises one of a sliding window and a fixed window.
13. The system of any one of claims 8 to 12, wherein the size of said tables is determined according to said windowing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA2353395A CA2353395C (en) 1998-12-24 1999-12-23 A method for accelerating cryptographic operations on elliptic curves

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CA002257008A CA2257008C (en) 1998-12-24 1998-12-24 A method for accelerating cryptographic operations on elliptic curves
CA2,257,008 1998-12-24
PCT/CA1999/001222 WO2000039668A1 (en) 1998-12-24 1999-12-23 A method for accelerating cryptographic operations on elliptic curves
CA2353395A CA2353395C (en) 1998-12-24 1999-12-23 A method for accelerating cryptographic operations on elliptic curves

Publications (2)

Publication Number Publication Date
CA2353395A1 CA2353395A1 (en) 2000-07-06
CA2353395C true CA2353395C (en) 2014-07-08

Family

ID=25680682

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2353395A Expired - Lifetime CA2353395C (en) 1998-12-24 1999-12-23 A method for accelerating cryptographic operations on elliptic curves

Country Status (1)

Country Link
CA (1) CA2353395C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10320565B2 (en) * 2017-02-28 2019-06-11 Certicom Corp. Generating an elliptic curve point in an elliptic curve cryptographic system

Also Published As

Publication number Publication date
CA2353395A1 (en) 2000-07-06

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20191223