An Efficient Scalar Multiplication Method Using Naf
International Journal of Computer Engineering and Applications, Volume X, Issue VII, July 16 www.ijcea.com ISSN 2321-3469
AN EFFICIENT SCALAR MULTIPLICATION METHOD USING NAF
Aditya Bhattacharyya (1) and Sanjit Kumar Setua (2)
(1) Dept. of Computer Science, Vidyasagar University; (2) Dept. of Computer Sc. & Engineering, University of Calcutta, India
ABSTRACT:
Point multiplication (scalar multiplication) has become the basic operation in Elliptic Curve Cryptography. Multiplying a point on the curve by an integer gives another point on the curve. Signed Digit Representation in Elliptic Curve Cryptography makes scalar multiplication efficient because of its shorter key representation and low Hamming weight. Non-Adjacent Form (NAF) is one of the signed digit representations. In this paper we propose an algorithm in NAF representation. The algorithm has a low Hamming weight compared to Mutual Opposite Form (MOF), the Binary Method and conventional NAF.
Keywords: Elliptic Curve Cryptography (ECC), Scalar Multiplication, Mutual Opposite Form, Non-Adjacent Form, Hamming weight.
[1] INTRODUCTION
In 1985, Victor Miller & Neal Koblitz developed ECC. It now plays a major role in the field of Public Key Cryptography because of its greater security and shorter key size. Multiplying the point P on the curve by an integer k (the secret key), we get another point Q on the curve (i.e., Q = kP); this process is called Scalar Multiplication. There are three types of arithmetical operations performed in Scalar Multiplication: Point Arithmetic, Field Arithmetic and Scalar Arithmetic [7]. In this paper, we concentrate on Point and Scalar Arithmetic. Point arithmetic involves two basic operations, Elliptic Curve Addition (ECADD) and Elliptic Curve Point Doubling (ECDBL). At the scalar arithmetic level, our effort is to find an efficient expression of the scalar k such that the operations required for scalar multiplication are minimized. Here the efficiency of scalar multiplication depends on minimizing the Hamming weight (the number of non-zero symbols in a binary string, i.e., the number of '1's present in the string). For a 1 in the binary string, scalar multiplication requires two types of operations, ECDBL and ECADD, whereas a 0 requires only ECDBL, as shown later.

Signed Digit Representations (SDR) of low Hamming weight are important in various branches of Computer Science such as coding theory, efficient arithmetic and cryptography. Non-Adjacent Form (NAF) representations for integers have been extensively studied for decades as an alternative to the usual binary number system where the digits are {0,1} [9] [16]. In this paper, the computation of kP is shown in different ways using the Signed Digit Representation technique. For convenient operation and implementation of the algorithms, we assume the length of the binary string to be 'm' for all algorithms. Where we write k_i in an algorithm, 'i' means the bit index of the number. When we compute the complexity of the algorithms, A and D stand for the number of operations required for ECADD and ECDBL respectively. In each method our target is to minimize the Hamming weight.

The rest of the paper is organized as follows. In section 2, we describe two algorithms, the Left-to-right and Right-to-left methods, related to the Binary method for scalar multiplication, followed by the running time complexity of the Binary method. Section 3 reports a kind of Signed Digit Representation named Mutual Opposite Form (MOF); the related algorithm is discussed there with an example. Section 4 covers the so-called minimum Hamming weight representation method, the Non-Adjacent Form (NAF) representation. It contains three algorithms: Right-to-left NAF recoding, Left-to-right NAF recoding and finally Left-to-right NAF for scalar multiplication. Section 5 describes our proposed method, the Splitting method in NAF, with an example. The comparison with other algorithms is also made in this section. Finally, section 6 gives the concluding remarks and predicts that this method will play a significant role in the practical use of ECC in future.
[2] BINARY METHOD
The traditional method [13], [4] in scalar multiplication is the binary method, in which the scalar k has a binary expansion using {0, 1}, i.e., k can be written as $(k_{m-1}, k_{m-2}, \ldots, k_1, k_0)_2$ with $k = \sum_{i=0}^{m-1} k_i 2^i$. Hence

$$kP = \sum_{i=0}^{m-1} k_i 2^i P = k_0 P + k_1 2^1 P + k_2 2^2 P + \cdots + k_{m-1} 2^{m-1} P \qquad (1)$$

$$kP = k_0 P + 2(k_1 P + 2(k_2 P + \cdots + 2(k_{m-2} P + 2(k_{m-1} P)))) \qquad (2)$$

Equation (1) can be treated as the method known as the Double and ADD method or Right-to-Left binary method, as it starts from $k_0$ and ends with $k_{m-1}$. Equation (2) can be treated as the method known as the ADD and Double method or Left-to-Right binary method, as it starts from $k_{m-1}$ and ends with $k_0$.
Algorithm 1: Right-to-Left binary method for scalar multiplication
Input: (k_0, k_1, ..., k_{m-1})_2 and the given point P.
Output: kP
1. Q = P, i = m-2 [Initialization; the leading bit k_{m-1} = 1 is already in Q]
2. while (i ≥ 0) do
   {
     if k_i = 1 then Q = 2Q + P [ECADD & ECDBL both]
     else Q = 2Q [Only ECDBL]
     i = i - 1
   }
3. Return (Q)

Algorithm 2: Left-to-Right binary method for scalar multiplication
Input: (k_{m-1}, k_{m-2}, ..., k_0)_2 and the given point P.
Output: kP
1. Q = 0, i = 0 [Initialization]
2. while (i < m) do
   {
     if k_i = 1 then Q = Q + P [ECADD & ECDBL both]
     else Q = Q [Only ECDBL]
     P = 2P
     i = i + 1
   }
3. Return (Q)
Ex. Let k = 29 = (11101)_2. We can compute kP using the above algorithms as follows.

Using algorithm (1),

i      4    3           2             1            0
k_i    1    1           1             0            1
Q      P    2P+P = 3P   2(3P)+P = 7P  2(7P) = 14P  2(14P)+P = 29P

Using algorithm (2),

i      0         1    2           3             4
k_i    1         0    1           1             1
P      P         2P   4P          8P            16P
Q      0+P = P   P    P+4P = 5P   5P+8P = 13P   13P+16P = 29P
To consider the time complexity of the algorithms, we have to find how many 1s are present in the binary representation of k. The expected number of ones is at most m/2 if the length of the binary representation is m, so the total number of additions required is (m/2)A and the maximum number of doubling operations required is m, i.e., mD. Hence the expected running time is (m/2)A + mD. Here A and D are the unit operations for addition and doubling respectively.
[3] MUTUAL OPPOSITE FORM (MOF)
It is a kind of signed digit representation (SDR) developed by Katsuyuki Okeya in 2004 [4]. It is a canonical representation for signed binary strings. Here recoding starts from the most significant bit (MSB) in order to reduce the number of elementary elliptic curve calculations [13]. The n-bit mutual opposite form (MOF) is an n-bit signed binary string that satisfies the following properties:
1. The signs of adjacent non-zero bits (without considering zero bits) are opposite.
2. The most significant non-zero bit and the least significant non-zero bit are 1 and -1, respectively, unless all bits are zero.
Algorithm 3: Mutual Opposite Form
1. mk_d = k_{d-1}, i = d-1, mk_0 = -k_0 [Initialization]
2. while (i > 0) do
   {
     mk_i = k_{i-1} - k_i
     i = i - 1
   }
Ex. Let k = 29 = (11101)_2. We can compute the MOF of k in the following way.

From the algorithm we get mk_5 = k_4 = 1 and mk_0 = -1.

i      4    3    2    1
mk_i   1    0    -1   1

Hence MOF of k = (100-11-1).
[4] NON-ADJACENT FORM
Non-Adjacent Form (NAF) is a type of signed digit representation which reduces the number of multiplications needed for performing exponentiation. It is also a unique integer representation, which can be defined as follows. Let k be a positive integer; then there exists at least one signed binary expansion $k = \sum_{i=0}^{l-1} k_i 2^i$, where $k_i \in \{-1, 0, 1\}$, such that $k_j k_{j+1} = 0$ for all $j \ge 0$ [9]. It is called the Non-Adjacent Form (NAF) of k. It minimizes the Hamming weight amongst all signed binary expansions of k with digits {-1, 0, 1}. NAF(k) satisfies the following properties:
1. In NAF(k), non-zero values cannot be adjacent.
2. NAF(k) has the fewest non-zero digits of any signed binary representation of k [14].
3. The expected value of the number of ones of NAF(k) over the length of NAF(k) is 1/3 [15].
4. The length of NAF(k) is at most one more than the length of the binary representation of k [15].
Algorithm 4: Right-to-Left NAF recoding
Input: k = (k_{m-1}, k_{m-2}, ..., k_1, k_0)_2
Output: k = (Z_m, Z_{m-1}, ..., Z_1, Z_0)_NAF
1. i = 0 [Initialization]
2. while (k > 0) do
   {
     if k is odd then Z_i = 2 - (k mod 4)
     else Z_i = 0
     k = (k - Z_i)/2
     i = i + 1
   }
3. Return (Z_m, Z_{m-1}, ..., Z_1, Z_0)

Algorithm 5: Left-to-Right NAF method for Scalar Multiplication
Input: NAF(k) = (k_{m-1}, k_{m-2}, ..., k_1, k_0) and the point P
Output: kP
1. Q = 0, i = m-1 [Initialization]
2. while (i ≥ 0) do [the digit k_0 must be processed as well]
   {
     Q = 2Q
     if k_i = 1 then Q = Q + P
     if k_i = -1 then Q = Q - P
     i = i - 1
   }
3. Return (Q)
So the expected running time is (m/3)A + mD, which is significantly less than that of the binary methods. Now we illustrate the different NAF algorithms by giving the recoding of a given integer k [4], [8]. Ex. If we consider a small number k = 29, we get
29 = $(1 0 0 \bar{1} 0 1)_{NAF}$, where $\bar{1}$ represents (0-1) = -1. Now if we compare algorithm 4 with algorithms 1, 2 & 3 (Hamming weight = 4), we can easily conclude that the algorithm has the minimum Hamming weight (= 3). For the 2 algorithms mentioned above, the running time of the NAF algorithms is (m/3)A + mD. Although the NAF representation itself does not change, Left-to-Right NAF scalar multiplication is better than Right-to-Left NAF scalar multiplication in terms of memory consumption.
[5] SPLITTING METHOD OF NAF
ECADD and ECDBL are the common operations for scalar multiplication in NAF, but the speed of the computation depends on how quickly we perform the NAF computation. In our proposed algorithm we take advantage of splitting up the entire bit string and consider a look-up table up to the value of the integer 255. The size of each part is 8 bits, and the point multiplication can be performed by using algorithm 5.
Algorithm 6: Splitting method for Scalar Multiplication
Input: An integer k of m bits. Output: NAF(k)
1. Split up the entire binary string into two parts having an equal number of bits (if the size of the bit string is odd, increase the bit size of the original bit string by 1 and then split it into parts of equal size, adding sufficient 0's to the left to make the number of bits equal).
2. Select the rightmost bit string as lower part and other left most bit string as upper part.
3. Obtain the NAF for the parts.
4. Starting from right to left , perform the boundary addition of MSB of lower part with LSB of upper part.
5. Return (k_m, k_{m-1}, ..., k_1, k_0)_NAF
Ex: Let k = 996. Now k = (1111100100)_2. Using algorithm 7, we get Part1 = 00100 and Part2 = 11111.
Now NAF of Part2 = 10000-1 [Using algorithm 6]
Part1 = 000100 [adding sufficient 0 to the left]

Hence making the boundary addition we get,

    1  0  0  0  0 -1
+                  0  0  0  1  0  0

Result is (1 0 0 0 0 -1 0 0 1 0 0).

In binary representation the Hamming weight was 6, whereas with our proposed algorithm it becomes 3. As a lower Hamming weight means lower cost as well as a minimum number of iterations, our proposed algorithm can make NAF representation simpler and faster. The following example set supports our view.
K      MOF              NAF             Split method (Proposed)
63     100000-1         100000-1        100000-1
527    1-100001000-1    100001000-1     100001000-1
996    10000-101-00     1000-1100100    10000-100100
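The operation counts from sections 2 and 4 and the recodings of Algorithms 4 and 6 can be checked by feeding each digit string to one left-to-right multiplier in the style of Algorithm 5. This is an added example, not code from the paper: the toy curve, the function names and the rule used for step 4 of Algorithm 6 (a carry out of the lower part is added to the upper part before that part is recoded) are assumptions made here.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, base point G of order 19.
P_MOD, A, G = 17, 2, (5, 1)

def ec_add(p, q):
    """Affine point addition (doubling when p == q); None is infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def binary(k):
    """Plain binary digits of k, most significant first."""
    return [int(b) for b in bin(k)[2:]]

def naf(k):
    """Algorithm 4: right-to-left NAF recoding, returned MSB first."""
    z = []
    while k > 0:
        d = 2 - (k % 4) if k % 2 else 0
        z.append(d)
        k = (k - d) // 2
    return z[::-1]

def split_naf(k):
    """Algorithm 6; the boundary rule below is an assumption of this example."""
    h = (k.bit_length() + 1) // 2      # an odd length is padded by one 0 bit
    upper, lo = k >> h, naf(k % (1 << h))
    if len(lo) > h:                    # lower NAF spilled a 1 into position h:
        lo, upper = lo[1:], upper + 1  # fold it into the upper part first
    return naf(upper) + [0] * (h - len(lo)) + lo

def scalar_mul(digits, p):
    """Algorithm 5 over digits in {-1,0,1}: returns (kP, ECADDs, ECDBLs)."""
    q, adds, dbls, neg_p = None, 0, 0, (p[0], -p[1] % P_MOD)
    for d in digits:
        q, dbls = ec_add(q, q), dbls + 1
        if d:
            q, adds = ec_add(q, p if d == 1 else neg_p), adds + 1
    return q, adds, dbls

if __name__ == "__main__":
    for rec in (binary, naf, split_naf):
        print(rec.__name__, rec(996), scalar_mul(rec(996), G))
```

For k = 996 the binary digits cost 6 ECADD and 10 ECDBL, while the NAF and split digits both cost 3 ECADD and 11 ECDBL. Under this boundary rule the split output always evaluates to k, but the digits on either side of the split can both be non-zero (k = 119 gives 100-1100-1), so check non-adjacency there before treating the result as a NAF.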
[6] CONCLUSION
As scalar multiplication is the basic operation in ECC and is also the most time-consuming operation, our emphasis should be on operational efficiency. The Splitting method (Proposed) has undoubtedly proved its computing efficiency by theoretical and numerical tests. So we think that it has more practical significance for the implementation of ECC than other conventional algorithms.
REFERENCES
[1] N. Koblitz, Elliptic curve cryptosystem, Mathematics of Computation, 48 (1987), 203-209.
[2] K. Okeya, Signed binary representations revisited, Proceedings of CRYPTO'04, 123-129.
[3] M. Joye, S. Yen, Optimal left to right binary signed digit recoding, IEEE Transactions on Computers, 49 (2000), 740-748.
[4] P. Balasubramanium, E. Karthikeyan, Fast Simultaneous Scalar multiplication, Applied Mathematics and Computation, 192 (2007), 399-404.
[5] Raja Ghosal & Peter H. Cole, "Elliptic Curve Cryptography", Auto-ID-Labs, 2004.
[6] G.N. Purohit & Asmita Singh Rawat, "Efficient implementation of Arithmetic operations in ECC over Binary fields", International Journal of Computer Applications, Vol. 6, No. 2, September 2010.
[7] Patrick Longa, "Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems over Prime Fields" (2007).
[8] Christophe Giraud and Vincent Verneuil, "Atomicity Improvement for Elliptic Curve Scalar Multiplication", 2010.
[9] Y. Hao, S. Ma, G. Chen, X. Zhang, H. Chen and W. Zeng, "Optimization Algorithm for Scalar Multiplication in the Elliptic Curve Cryptography over Prime Field", 2008.
[10] B. Moller, Improved Techniques for Fast Exponentiation, LNCS 2587, 298-312, 2002.
[11] A. Menezes, P. Van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, FL, 1996.
[12] L.C. Washington, Elliptic Curves: Number Theory and Cryptography, CRC Press, 2003.
[13] H.K. Pathak & Manju Sanghi, Speeding up Communication of Scalar Multiplication in Elliptic Curve Cryptosystem (2010), IJCSE.
[14] G.W. Reitwiesner, Binary arithmetic, Advances in Computers, vol. 1, Academic Press, New York, 1960, pp. 231-308.
[15] Marc Joye and Christophe Tymen, "Compact Encoding of Non-Adjacent Forms with Applications to Elliptic Curve Cryptography - Public Key Cryptography", vol. 1992 of Lecture Notes in Computer Science, pp. 353-364, Springer-Verlag, 2001.
[16] Aditya Bhattacharyya, S.K. Setua, Design of ECSEPP: Elliptic Curve Based Secure E-cash Payment Protocol. In: Proceedings of 3rd ICACNI, 2015, Smart Innovation, Systems and Technologies 44, (Springer) DOI 10.1007/978-81-322-2529-4_35.
Aditya Bhattacharyya- pursuing Ph.D from Vidyasagar University, West Bengal. His research area is on Network Security.
Prof. Sanjit Kumar Setua. – is an Asst. professor in Dept. Of Computer Science and Engineering, University of Calcutta, West Bengal. His areas of interest are Network Security, Cloud Computing, Grid Computing, Distributed processing etc.