Designs, Codes and Cryptography, Volume 58, Issue 2, pp 173–202

Redundant τ-adic expansions I: non-adjacent digit sets and their applications to scalar multiplication

  • Roberto Avanzi
  • Clemens Heuberger
  • Helmut Prodinger

Abstract

This paper investigates some properties of τ-adic expansions of scalars. Such expansions are widely used in the design of scalar multiplication algorithms on Koblitz curves, but at the same time they are much less understood than their binary counterparts. Solinas introduced the width-w τ-adic non-adjacent form for use with Koblitz curves. This is an expansion of integers \({z = \sum_{i=0}^\ell z_i \tau^i}\), where τ is a quadratic integer depending on the curve, such that \({z_i \neq 0}\) implies \({z_{w+i-1} = \cdots = z_{i+1} = 0}\), like the sliding window binary recodings of integers. It uses a redundant digit set, i.e., an expansion of an integer using this digit set need not be uniquely determined if the syntactical constraints are not enforced. We show that the digit sets described by Solinas, formed by elements of minimal norm in their residue classes, are uniquely determined. Apart from this digit set of minimal norm representatives, other digit sets can be chosen such that all integers can be represented by a width-w non-adjacent form using those digits. We describe an algorithm recognizing admissible digit sets. Results by Solinas and by Blake, Murty, and Xu are generalized. In particular, we introduce two new useful families of digit sets. The first set is syntactically defined. As a consequence of its adoption we can also present improved and streamlined algorithms to perform the precomputations in τ-adic scalar multiplication methods. The latter use an improvement of the computation of sums and differences of points on elliptic curves with mixed affine and López–Dahab coordinates. The second set is suitable for low-memory applications, generalizing an approach started by Avanzi, Ciet, and Sica. It permits devising a scalar multiplication algorithm that dispenses with the initial precomputation stage and its associated memory space.
A suitable choice of the parameters of the method leads to a scalar multiplication algorithm on Koblitz Curves that achieves sublinear complexity in the number of expensive curve operations.
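The width-w τ-adic non-adjacent form described in the abstract, as an added worked example that is not code from the paper or its authors. It implements Solinas's recoding for a Koblitz curve whose Frobenius satisfies τ² = μτ − 2 (μ = ±1), elements of Z[τ] being pairs (a, b) for a + bτ. The minimal-norm digit set is found here by a brute-force box search (an assumption of this example, justified by Z[τ] being norm-Euclidean, not the paper's method), and the integer t with τ ≡ t (mod τ^w) is found by trial division rather than by a closed formula. The paper's algorithm for recognizing admissible digit sets is not implemented: a caller-supplied digit set is only checked for residues and protected by an iteration cap. All function names (`width_w_tau_naf`, `min_norm_digit_set`, and so on) are this example's own.

```python
from math import isqrt

# Koblitz curve arithmetic lives in Z[tau] with tau^2 = mu*tau - 2, mu in {1, -1}.
# An element a + b*tau is represented as the pair (a, b). Added educational example,
# not code from the paper; names and the brute-force digit search are assumptions.

def norm(x, mu):
    a, b = x
    return a * a + mu * a * b + 2 * b * b

def mul_tau(x, mu):
    a, b = x                       # (a + b tau) * tau = -2b + (a + mu b) tau
    return (-2 * b, a + mu * b)

def div_tau(x, mu):
    a, b = x                       # tau divides a + b tau exactly iff a is even
    if a % 2:
        raise ValueError("not divisible by tau")
    h = a // 2
    return (b + mu * h, -h)        # (a + b tau)/tau = (b + mu a/2) - (a/2) tau

def tau_residue_root(w, mu):
    """The integer t in [0, 2^w) with tau ≡ t (mod tau^w), found by trial division."""
    for t in range(2 ** w):
        x = (-t, 1)                # the element tau - t
        try:
            for _ in range(w):
                x = div_tau(x, mu)
            return t               # divisible by tau w times, so tau^w | tau - t
        except ValueError:
            continue
    raise RuntimeError("unreachable: every class mod tau^w contains an integer")

def residue(x, w, mu, t):
    """Residue of x mod tau^w as a signed integer in [-2^(w-1), 2^(w-1))."""
    M = 2 ** w
    u = (x[0] + x[1] * t) % M
    return u - M if u >= M // 2 else u

def min_norm_digit_set(w, mu):
    """Solinas's digits: for each odd residue u the element of minimal norm in its class.
    Z[tau] is norm-Euclidean, so each class has a representative of norm < 2^w and a
    box search over that region is exhaustive."""
    assert w >= 2
    t = tau_residue_root(w, mu)
    M, B = 2 ** w, 2 * (isqrt(2 ** w) + 2)
    best = {}
    for a in range(-B, B + 1):
        for b in range(-B, B + 1):
            x = (a, b)
            n, u = norm(x, mu), residue(x, w, mu, t)
            if n < M and u % 2 and (u not in best or n < norm(best[u], mu)):
                best[u] = x
    return best

def width_w_tau_naf(n, w, mu, digits=None):
    """Digits (least significant first) of a width-w tau-NAF of the integer n.
    A nonzero digit alpha_u is congruent to the current remainder mod tau^w, so after
    subtracting it the remainder is divisible by tau^w and the next w-1 digits are 0."""
    t = tau_residue_root(w, mu)
    if digits is None:
        digits = min_norm_digit_set(w, mu)
    for u, d in digits.items():    # necessary condition only: alpha_u must lie in class u
        if residue(d, w, mu, t) != u:
            raise ValueError(f"digit {d} is not congruent to {u} mod tau^{w}")
    x, out = (n, 0), []
    limit = 2 * abs(n).bit_length() + 8 * w + 64   # guard against a looping digit set
    while x != (0, 0):
        if len(out) > limit:
            raise RuntimeError("expansion did not terminate: digit set not admissible")
        if x[0] % 2:
            d = digits[residue(x, w, mu, t)]
            x = (x[0] - d[0], x[1] - d[1])
        else:
            d = (0, 0)
        out.append(d)
        x = div_tau(x, mu)
    return out

def evaluate(expansion, mu):
    """Horner evaluation of sum d_i tau^i back into Z[tau]."""
    acc = (0, 0)
    for d in reversed(expansion):
        acc = mul_tau(acc, mu)
        acc = (acc[0] + d[0], acc[1] + d[1])
    return acc

def is_width_w_naf(expansion, w):
    """Non-adjacency: every nonzero digit is followed by at least w-1 zero digits."""
    for i, d in enumerate(expansion):
        if d != (0, 0) and any(e != (0, 0) for e in expansion[i + 1:i + w]):
            return False
    return True

if __name__ == "__main__":
    for w in (2, 3, 4):
        e = width_w_tau_naf(12345, w, 1)
        nonzero = sum(d != (0, 0) for d in e)
        print(f"w={w}: length {len(e)}, {nonzero} nonzero digits,",
              f"evaluates to {evaluate(e, 1)}, NAF={is_width_w_naf(e, w)}")
```

The number of nonzero digits is what drives the cost of scalar multiplication, since each one costs a point addition while the τ^i factors are cheap Frobenius applications; raising w lowers that count at the price of storing one precomputed point per digit, which is the trade-off the abstract's second family of digit sets is designed to avoid.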

Keywords

Koblitz curves, Frobenius endomorphism, Scalar multiplication, τ-adic expansions, Non-adjacent forms, Digit sets, Point halving, Efficient implementation

Mathematics Subject Classification (2000)

11A63, 94A60, 14H52


References

  1. Al-Daoud E., Mahmod R., Rushdan M., Kilicman A.: A new addition formula for elliptic curves over GF(2n). IEEE Trans. Comput. 51(8), 972–975 (2002)
  2. Avanzi R.: Delaying and merging operations in scalar multiplication: applications to curve-based cryptosystems. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography: 13th International Workshop, SAC 2006, Montreal, Quebec, Canada, August 17–18, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4356, pp. 203–219. Springer, Berlin (2007)
  3. Avanzi R., Ciet M., Sica F.: Faster scalar multiplication on Koblitz curves combining point halving with the Frobenius endomorphism. In: Bao F., Deng R.H., Zhou J. (eds.) Public Key Cryptography—PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1–4, 2004, Lecture Notes in Comput. Sci., vol. 2947, pp. 28–40. Springer (2004)
  4. Avanzi R., Cohen H., Doche C., Frey G., Lange T., Nguyen K.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press Series on Discrete Mathematics and its Applications, vol. 34. Chapman & Hall/CRC, Boca Raton, FL (2005)
  5. Avanzi R., Dimitrov V., Doche C., Sica F.: Extending scalar multiplication using double bases. In: Lai X., Chen K. (eds.) Advances in Cryptology—ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3–7, 2006, Proceedings, Lecture Notes in Comput. Sci., vol. 4284, pp. 130–144. Springer (2006)
  6. Avanzi R., Heuberger C., Prodinger H.: Minimality of the Hamming weight of the τ-NAF for Koblitz curves and improved combination with point halving. In: Preneel B., Tavares St. (eds.) Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 3897, pp. 332–344. Springer, Berlin (2006)
  7. Avanzi R., Heuberger C., Prodinger H.: Scalar multiplication on Koblitz curves. Using the Frobenius endomorphism and its combination with point halving: Extensions and mathematical analysis. Algorithmica 46, 249–270 (2006)
  8. Avanzi R., Heuberger C., Prodinger H.: On redundant τ-adic expansions and non-adjacent digit sets. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography: 13th International Workshop, SAC 2006, Montreal, Quebec, Canada, August 17–18, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4356, pp. 285–301. Springer, Berlin (2007)
  9. Avanzi R., Sica F.: Scalar multiplication on Koblitz curves using double bases. In: Nguyen P.Q. (ed.) Progress in Cryptology—VIETCRYPT 2006, First International Conference on Cryptology in Vietnam, Hanoi, Vietnam, September 25–28, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4341, pp. 131–146. Springer (2006)
  10. Avanzi R., Thériault N.: Effects of optimizations for software implementations of small binary field arithmetic. In: Carlet C., Sunar B. (eds.) WAIFI 2007: International Workshop on the Arithmetic of Finite Fields, Lecture Notes in Comput. Sci., vol. 4547, pp. 69–84. Springer, Berlin (2007)
  11. Avanzi R., Thériault N., Wang Z.: Rethinking low genus hyperelliptic Jacobian arithmetic over binary fields: interplay of field arithmetic and explicit formulæ. J. Math. Cryptol. 2(3), 227–255 (2008)
  12. Avoine G., Monnerat J., Peyrin Th.: Advances in alternative non-adjacent form representations. Progress in Cryptology—INDOCRYPT 2004, Lecture Notes in Comput. Sci., vol. 3348, pp. 260–274. Springer, Berlin (2004)
  13. Blake I.F., Murty V.K., Xu G.: A note on window τ-NAF algorithm. Inform. Process. Lett. 95, 496–502 (2005)
  14. Corless R.M., Gonnet G.H., Hare D.E.G., Jeffrey D.J., Knuth D.E.: On the Lambert W function. Adv. Comput. Math. 5(4), 329–359 (1996)
  15. Coron J.-S., M’Raïhi D., Tymen C.: Fast generation of pairs (k,[k]P) for Koblitz elliptic curves. In: Vaudenay S., Youssef A.M. (eds.) Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001, Toronto, Ontario, Canada, August 16–17, 2001, Revised Papers, Lecture Notes in Comput. Sci., vol. 2259, pp. 151–164. Springer, Berlin (2001)
  16. Gilbert W.J.: Radix representations of quadratic fields. J. Math. Anal. Appl. 83(1), 264–274 (1981)
  17. Heuberger C.: Redundant τ-adic expansions II: Non-optimality and chaotic behaviour. Math. Comput. Sci. 3, 141–157 (2010)
  18. Heuberger C., Prodinger H.: Analysis of alternative digit sets for nonadjacent representations. Monatsh. Math. 147, 219–248 (2006)
  19. IEEE Std 1363-2000: IEEE standard specifications for public-key cryptography. IEEE Computer Society, August 29 (2000)
  20. Kátai I., Kovács B.: Canonical number systems in imaginary quadratic fields. Acta Math. Hungar. 37, 159–164 (1981)
  21. Kátai I., Szabó J.: Canonical number systems for complex integers. Acta Sci. Math. (Szeged) 37, 255–260 (1975)
  22. Knudsen E.W.: Elliptic scalar multiplication using point halving. In: Lam K.-Y., Okamoto E., Xing C. (eds.) Advances in Cryptology—ASIACRYPT ’99, International Conference on the Theory and Applications of Cryptology and Information Security, Singapore, November 14–18, 1999, Proceedings, Lecture Notes in Comput. Sci., vol. 1716, pp. 135–149. Springer, Berlin (1999)
  23. Koblitz N.: Elliptic curve cryptosystems. Math. Comp. 48(177), 203–209 (1987)
  24. Koblitz N.: CM-curves with good cryptographic properties. In: Feigenbaum J. (ed.) Advances in Cryptology—CRYPTO ’91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11–15, 1991, Proceedings, Lecture Notes in Comput. Sci., vol. 576, pp. 279–287. Springer, Berlin (1992)
  25. López J., Dahab R.: Improved algorithms for elliptic curve arithmetic in \({{GF}\left(2^n\right)}\). Selected Areas in Cryptography (Kingston, ON, 1998), Lecture Notes in Comput. Sci., vol. 1556, pp. 201–212. Springer, Berlin (1999)
  26. Matula D.W.: Basic digit sets for radix representation. J. Assoc. Comput. Mach. 29(4), 1131–1143 (1982)
  27. Meier W., Staffelbach O.: Efficient multiplication on certain nonsupersingular elliptic curves. In: Brickell E.F. (ed.) Advances in Cryptology—CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings, Lecture Notes in Comput. Sci., vol. 740, pp. 333–344. Springer, Berlin (1993)
  28. Miller V.S.: Use of elliptic curves in cryptography. In: Williams H.C. (ed.) Advances in Cryptology—CRYPTO ’85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings, Lecture Notes in Comput. Sci., vol. 218, pp. 417–426. Springer, Berlin (1986)
  29. Muir J.A., Stinson D.R.: Alternative digit sets for nonadjacent representations. In: Matsui M., Zuccherato R.J. (eds.) Selected Areas in Cryptography, 10th Annual International Workshop, SAC 2003, Ottawa, Canada, August 14–15, 2003, Revised Papers, Lecture Notes in Comput. Sci., vol. 3006, pp. 306–319. Springer, Berlin (2004)
  30. Muir J.A., Stinson D.R.: Alternative digit sets for nonadjacent representations. SIAM J. Discrete Math. 19, 165–191 (2005)
  31. National Institute of Standards and Technology: Digital signature standard, FIPS Publication 186-2, February (2000)
  32. Okeya K., Takagi T., Vuillaume C.: Short memory scalar multiplication on Koblitz curves. In: Rao J.R., Sunar B. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2005, 7th International Workshop, Edinburgh, UK, August 29–September 1, 2005, Proceedings, Lecture Notes in Comput. Sci., vol. 3659, pp. 91–105. Springer, Berlin (2005)
  33. Park D.J., Sim S.G., Lee P.J.: Fast scalar multiplication method using change-of-basis matrix to prevent power analysis attacks on Koblitz curves. In: Chae K., Yung M. (eds.) Information Security Applications, 4th International Workshop, WISA 2003, Jeju Island, Korea, August 25–27, 2003, Revised Papers, Lecture Notes in Comput. Sci., vol. 2908, pp. 474–488. Springer (2004)
  34. Schroeppel R.: Elliptic curve point ambiguity resolution apparatus and method. International Application Number PCT/US00/31014, filed 9 November (2000)
  35. Schroeppel R.: Point halving wins big. Talk at the ECC 2001 Workshop, University of Waterloo, Ontario, Canada, October 29–31 (2001)
  36. Solinas J.A.: An improved algorithm for arithmetic on a family of elliptic curves. In: Kaliski B.S., Jr. (ed.) Advances in Cryptology—CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 1997, Proceedings, Lecture Notes in Comput. Sci., vol. 1294, pp. 357–371. Springer, Berlin (1997)
  37. Solinas J.A.: Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19, 195–249 (2000)

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Roberto Avanzi: Faculty of Mathematics and Horst Görtz Institute for IT Security, Ruhr-University Bochum, Bochum, Germany
  2. Clemens Heuberger: Institut für Mathematik B, Technische Universität Graz, Graz, Austria
  3. Helmut Prodinger: Department of Mathematics, University of Stellenbosch, Stellenbosch, South Africa
