U.S. patent application number 09/931013 was filed with the patent office on 2002-05-16 for method for accelerating cryptographic operations on elliptic curves.
Invention is credited to Gallant, Robert; Lambert, Robert J.; Vanstone, Scott A.

United States Patent Application 20020057796, Kind Code A1
Lambert, Robert J.; et al.
May 16, 2002

Method for accelerating cryptographic operations on elliptic curves

Abstract
This invention provides a method for accelerating multiplication
of an elliptic curve point Q(x,y) by a scalar k, the method
comprising the steps of selecting an elliptic curve over a finite
field Fq where q is a prime power such that there exists an
endomorphism .psi., where .psi.(Q)=.lambda.Q for all points
Q(x,y) on the elliptic curve; and using smaller representations
k.sub.i of the scalar k in combination with the mapping .psi. to
compute the scalar multiple of the elliptic curve point Q.

Inventors: Lambert, Robert J. (Cambridge, CA); Gallant, Robert
(Mississauga, CA); Vanstone, Scott A. (Campbellville, CA)
Correspondence Address: Finnegan, Henderson, Farabow, Garrett &
Dunner, L.L.P., 1300 I Street, N.W., Washington, DC 20005-3315, US
Family ID: 25680683
Appl. No.: 09/931013
Filed: August 17, 2001

Related U.S. Patent Documents (application number, filing date):
09931013, Aug 17, 2001
09885959, Jun 22, 2001
PCT/CA99/01222, Dec 23, 1999

Current U.S. Class: 380/28
Current CPC Class: H04L 9/3073 20130101; G06F 7/725 20130101
Class at Publication: 380/28
International Class: H04L 009/00

Foreign Application Data (date, code, application number):
Dec 24, 1998, CA, 2,257,008
Claims
We claim:
1. A method for multiplying an elliptic curve point Q(x,y) by a
scalar k to provide a point kQ, the method comprising the steps of:
a) selecting an elliptic curve over a finite field F such that
there exists an endomorphism .psi. where
.psi.(Q)=.lambda..multidot.Q for all points Q(x,y) on the elliptic
curve, and .lambda. is an integer; b) establishing a representation
of said scalar k as a combination of components k.sub.i and said
integer .lambda.; c) combining said representation and said point Q
to form a composite representation of a multiple corresponding to
kQ; and d) computing a value corresponding to said point kQ from
said composite representation of kQ.
2. A method according to claim 1 wherein each of said components
k.sub.i is shorter than said scalar k.
3. A method according to claim 1 wherein said components k.sub.i
are initially selected and subsequently combined to provide said
scalar k.
4. A method according to claim 1 wherein said representation is of
the form $k = \sum_{i=0} k_i \lambda^i \bmod n$ where n is the
number of points on the elliptic curve.
5. A method according to claim 4 wherein said representation is of
the form k.sub.0+k.sub.1.
6. A method according to claim 1 wherein said scalar k has a
predetermined value and said components k.
7. A method according to claim 3 wherein said value of said
multiple kQ is calculated using simultaneous multiple addition.
8. A method according to claim 7 wherein grouped terms G.sub.I
utilized in said simultaneous multiple addition are
precomputed.
9. A method according to claim 6 wherein said components k.sub.i
are obtained by obtaining short basis vectors (u.sub.0, u.sub.1) of
the field F, designating a vector v as (k,0), converting v from a
standard, orthonormal basis to the (u.sub.0,u.sub.1) basis, to
obtain fractions f.sub.0, f.sub.1 representative of the vector v,
applying said fractions to k to obtain a vector z, calculating an
efficient equivalent v' to the vector v and using components of the
vector v' in the composite representation of kQ.
10. A method of generating in an elliptic curve cryptosystem a key
pair having an integer k providing a private key and a public key
kQ, where Q is a point on the curve, the method comprising the
steps of: a) selecting an elliptic curve over a finite field F such
that there exists an endomorphism .psi. where
.psi.(Q)=.lambda.Q for all points Q(x,y) on the elliptic curve,
and .lambda. is an integer; b) establishing a representation of
said key k as a combination of components k.sub.i and said integer
.lambda.; c) combining said representation and said point Q to form
a composite representation of a multiple corresponding to the
public key kQ; and d) computing a value corresponding to said key
kQ from said composite representation of kQ.
11. A method according to claim 10 including a method according to
any one of claims 2 to 9.
12. A method of computing a coordinate of a point kP on an elliptic
curve resulting from a point multiplication of an initial point P
by a scalar k, said method comprising the steps of: a) decomposing
said scalar k into a pair of components k.sub.0, k.sub.1 for point
multiplication to obtain respective points on said curve which when
combined provide said point kP; b) determining a signed
representation in non-adjacent form of each of said first and
second components; c) generating a table having a plurality of
signed bit combinations contained in said representations and
corresponding point multiples of said combinations to provide
portions of said respective points; d) establishing for each of
said representations a window having a width less than the length
of each of said representations; e) initiating a sequential
examination of said representations by said windows to obtain a
position for one of said windows in one of said representations
containing a respective one of said combinations in said table; f)
retrieving from said table the one of said point multiples
corresponding to said respective one of said signed bit
combinations in said table to obtain therefrom one of said
portions; g) accumulating said portion in an accumulator and
continuing examination of said representations with a doubling of
said accumulator for each bit-wise shift of said windows to obtain
a representation of said coordinate of said point kP in said
accumulator.
13. A method according to claim 12, wherein one of said respective
points is derived from said initial point P and one of said
components using an endomorphism of said curve.
14. A method according to claim 13, wherein said portions of said
one of said respective points are derived from portions of the
other of said respective points using said endomorphism.
15. A method according to claim 12, wherein one of said respective
points is derived from said initial point P, one of said
components, and a private key.
16. A method according to claim 15, wherein said portions of said
respective points are precomputed and stored in said table.
Description
[0001] This invention relates to a method for performing
computations in cryptographic systems utilizing elliptic
curves.
[0002] This application is a continuation-in-part of U.S. patent
application Ser. No. 09/885,959, filed on Jun. 22, 2001, which is a
continuation of International Application No. PCT/CA99/01222, filed
on Dec. 23, 1999, and claims the priority of Canadian Patent
Application No. 2,257,008, filed on Dec. 24, 1998, the content of
all of which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
[0003] A public-key data communication system may be used to
transfer information between a pair of correspondents. At least
part of the information exchanged is enciphered by a predetermined
mathematical operation by the sender and the recipient may perform
a complementary mathematical operation to decipher the
information.
[0004] Each correspondent has a private key and a public key that
is mathematically related to the private key. The relationship is
such that it is not feasible to determine the private key from
knowledge of the public key. The keys are used in the transfer of
data, either to encrypt data that is to be transferred or to attach
a signature to allow verification of the authenticity of the
data.
[0005] For encryption, one correspondent uses the public key of the
recipient to encrypt the message and sends it to the recipient. The
recipient then uses her private key to decipher the message.
[0006] A common key may also be generated by combining one party's
public key with the other party's private key. It is usual in such
cases to generate new private and corresponding public keys for
each communication session, usually referred to as session keys or
ephemeral keys, to avoid the long-term keys of the parties being
compromised.
[0007] The exchange of messages and generation of the public keys
may therefore involve significant computation involving
exponentiation when the cryptographic system utilizes Z*.sub.p, the
finite field of integers mod p where p is a prime, or the analogous
operation of point multiplication when the system utilizes an
elliptic curve. In an elliptic curve system, an ephemeral key pair
is obtained by generating a secret integer k and performing a
point multiplication on the seed point Q to provide the ephemeral
public key kQ. Similarly, the generation of a common ephemeral
session key will require multiplication of a public key k.sub.aQ,
which is a point on the curve, by a secret integer k.sub.b of the
other correspondent, so that point multiplication is again
required.
[0008] A similar procedure is used to sign a message except that
the sender applies his private key to the message. This permits any
recipient to recover and verify the message using the sender's
public key.
[0009] Various protocols exist for implementing such a scheme and
some have been widely used. In each case, however, the sender is
required to perform a computation to sign the information to be
transferred and the receiver is required to perform a computation
to verify the signed information.
[0010] In a typical implementation a signature component s has the
form:
s=ae+k (mod n)
[0011] where, in an elliptic curve crypto system,
[0012] P is a point on the underlying curve which is a predefined
parameter of the system;
[0013] k is a random integer selected as a short term private or
session key;
[0014] R=kP is the corresponding short term public key;
[0015] a is the long term private key of the sender;
[0016] Q=aP is the sender's corresponding public key;
[0017] e is a secure hash, such as the SHA-1 hash function, of a
message m and the short term public key R; and
[0018] n is the order of the curve.
[0019] The sender sends to the recipient a message including m, s,
and R and the signature is verified by computing the value
R'=sP-eQ which should correspond to R. If the computed values
correspond then the signature is verified.
[0020] In order to perform the verification it is necessary to
compute the point multiplications to obtain sP and eQ, each of
which is computationally complex. Where the recipient has adequate
computing power, this does not present a particular problem, but
where the recipient has limited computing power, such as in a secure
token or a "Smart card" application, the computations may introduce
delays in the verification process.
[0021] Key generation and signature protocols may therefore be
computationally intensive. As cryptography becomes more widely used
there is an increasing demand to implement cryptographic systems
that are faster and that use limited computing power, such as may
be found on a smart card or wireless device.
[0022] Elliptic curve cryptography (ECC) provides a solution to the
computation issue. ECC permits reductions in key and certificate
size that translates to smaller memory requirements, and
significant cost savings. ECC can not only significantly reduce the
cost, but also accelerate the deployment of smart cards in
next-generation applications. Additionally, although the ECC
algorithm allows for a reduction in key size, the same level of
security as other algorithms with larger keys is maintained.
[0023] However, there is still a need to perform faster
calculations on the keys so as to speed up the information transfer
while maintaining a low cost of production of cryptographic
devices.
[0024] Computing multiples of a point on an elliptic curve is one
of the most frequent computations performed in elliptic curve
cryptography. One method of speeding up such computations is to use
tables of precomputed multiples of a point. This technique is more
useful when a point is known beforehand. However, there are cases
when multiples of previously unknown points are required (for
example, in ECDSA verification). Thus there is a need for a system
and method for facilitating point multiplications.
SUMMARY OF THE INVENTION
[0025] In general terms, the present invention represents the
scalar k as a combination of components k.sub.i and an integer
.lambda. derived from an endomorphism of the underlying curve.
[0026] The method is based on the observation that, given an
elliptic curve (EC) having a complex multiplication mapping over a
finite field, there is a .lambda., which is the solution to a
quadratic, for which the complex multiplication mapping is
equivalent to multiplying a point Q by .lambda.. It will often be
less computationally expensive to compute .lambda.Q via the complex
multiplication map, compared to treating .lambda. as an integer and
performing the EC multiplication. In practice, point multiplication
by other scalars (not just .lambda.) is required. It is also shown
how the multiplication mapping may be used to compute other
multiples of the point.
[0027] In accordance with this invention there is provided a method
for accelerating multiplication of an elliptic curve point Q(x,y) by
a scalar k, the method comprising the steps of: selecting an
elliptic curve over a finite field F such that there exists an
endomorphism .psi., where .psi.(Q)=.lambda.Q for all points
Q(x,y) on the elliptic curve; and using smaller representations
k.sub.i of the scalar k in combination with the mapping .psi. to
compute the scalar multiple of the elliptic curve point Q.
BRIEF DESCRIPTION OF THE DRAWINGS
[0028] These and other features of the preferred embodiments of the
invention will become more apparent in the following detailed
description in which reference is made to the appended drawings
wherein:
[0029] FIG. 1 is a schematic diagram of a communication system;
[0030] FIG. 2 is a flow chart showing the steps of implementing a
first embodiment of the present invention.
[0031] FIG. 3 is a flow chart showing the steps of providing
parameters required to implement the method of FIG. 2.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0032] For convenience in the following description, like numerals
refer to like structures in the drawings. Referring to FIG. 1, a
data communication system 10 includes a pair of correspondents,
designated as a sender 12, and a recipient 14, connected by a
communication channel 16. Each of the correspondents 12,14 includes
a cryptographic processor 18,20 respectively that may process
digital information and prepare it for transmission through the
channel 16 as will be described below. Each of the correspondents
12,14 also includes a computational unit 19,21 respectively to
perform mathematical computations related to the cryptographic
processors 18,20. The processors 18,20 may be embodied in an
integrated circuit incorporated in the processor or may be
implemented as instructions encoded on a data carrier to implement
a predetermined protocol in conjunction with a general purpose
processor. For the purpose of illustration it will be assumed that
the correspondent 12 is in the form of a smart card having a
dedicated processor 18 with relatively limited computing power. The
processor 20 may be a central server communicating with the card by
channel 16 and channel 16 may be a wireless communication channel
if preferred.
[0033] The cryptographic processors 18 implement an elliptic curve
cryptographic system, or ECC, and one of the functions of the
cryptographic processor 18 is to perform point multiplications of
the form kQ, where k is an integer and Q a point on the underlying
elliptic curve, so that they may be used as a key pair k, kQ in a
cryptographic scheme. As noted above, cryptographic computations
such as the multiplication of an elliptic curve point by a scalar
value are computationally expensive.
[0034] A method for accelerating scalar multiplication of an
elliptic curve point Q(x,y) is shown in FIG. 2 and indicated
generally by the numeral 50. The subject algorithm increases the
speed at which the processors 12 can for example sign and verify
messages for specific classes of elliptic curves. The method is
based on the observation that given the general equation for an
elliptic curve E:
y.sup.2+a.sub.1xy+a.sub.3y=x.sup.3+a.sub.2x.sup.2+a.sub.4x+a.sub.6 (1)
[0035] over a finite field, exemplified as F.sub.q (q is a prime
power), and when there exists an endomorphism .psi., where
.psi.(Q)=.lambda.Q for all points Q(x,y) on the elliptic curve,
then multiplication of the point Q by an integer k may be
accelerated by utilizing combinations of smaller representations
k.sub.i of k in combination with the mapping .psi.. The mapping
.psi. also allows precomputation of group elements and combinations
thereof, which may be used in subsequent calculation of kQ.
[0036] Referring now to FIG. 2, a flow chart of a general
embodiment for accelerating point multiplication on an elliptic
curve, is shown by numeral 50. The system parameters are first
selected. As an initial step an underlying elliptic curve E is
selected to have certain characteristics. In a first embodiment of
the invention the generalized elliptic curve (1) may be expressed
in the following form:
E:y.sup.2=x.sup.3+b mod p; where p is a prime. (2)
[0037] Firstly, the modulus p can be determined such that there is
a number, .gamma. where .gamma. .di-elect cons. F.sub.p (F.sub.p is
the field of size p consisting of all integers mod p), and
.gamma..sup.3.ident.1 mod p (a cube root of unity). If for example
p=7, then .gamma.=2, since 2.sup.3 mod 7=1. Such a .gamma. does not
necessarily exist for all p, and therefore this must be taken into
consideration when choosing the value of p. Typically, the chosen p
should be at least 160 bits in length for adequate cryptographic
strength.
[0038] After the curve E has been selected, a mapping function
.psi. is determined. The mapping function .psi.:
(x,y).fwdarw.(.gamma.x, y) simply maps one set of points on the
curve to another set of points on the curve. There exists an
integer .lambda. such that .psi.(Q)=.lambda.Q for all points
Q(x,y) of interest on the elliptic curve E. This integer .lambda.
may be found by noting that .lambda..sup.3.ident.1 mod n, where n
is the number of points on the elliptic curve E over F.sub.p, i.e.
the number of points on E(F.sub.p). There may exist more than one
solution for .lambda. in .lambda..sup.3.ident.1 mod n, but only one
of those solutions will satisfy the mapping function .psi.. It is
important to note that since .gamma..sup.3 mod p=1, both Q and
.psi.(Q) satisfy the equation for E. Therefore, instead of having
to perform lengthy calculations to determine the result of
multiplication by .lambda., it can be read off from the mapping
function, so that multiplication by .lambda. can be done very
efficiently.
[0039] A seed point Q is selected and the system parameters E, p,
Q, .lambda., .psi.(Q), and .gamma. are stored in the card 12, as
indicated at 52, at manufacture time for use by the cryptographic
processor 18. To implement a cryptographic procedure such as
encryption, key agreement or signature it is necessary to select an
integer k for use as an ephemeral private key k and generate a
corresponding public key kQ.
[0040] The value of k may be expressed as:
k=(k.sub.0+k.sub.1.lambda.) mod n (3)
[0041] where n is the number of points on E(F.sub.p) and k.sub.0
and k.sub.1 are integers. The point kQ then becomes:
kQ=(k.sub.0Q+k.sub.1.lambda.Q) mod n (4)
[0042] For some cryptographic operations the value of k may be
chosen at random and in these cases, rather than select k, it is
possible to select values for k.sub.0 and k.sub.1 at random, having
a length of [log.sub.2(n)]/2 not including sign bits (i.e. the
lengths of the k.sub.i's are chosen to be at least one half the
length of k) and then calculate the value for k using equation (3).
Having selected the values of k.sub.0, k.sub.1 as indicated at 54 in
FIG. 2, the right side of equation (4) can be calculated quickly
using an algorithm analogous to the "Simultaneous Multiple
Exponentiation" as described in the "Handbook of Applied
Cryptography" (HAC) by Menezes et al. (Algorithm 14.88) and
indicated at 56. For convenience the algorithm is reproduced below.
It may be noted that in an additive group exponentiation is
analogous to addition, thus replacing the multiplication in the
algorithm with addition, yields the following:
Algorithm 1 Simultaneous Multiple Addition
INPUT: group elements g.sub.0, g.sub.1, ..., g.sub.l-1 and
non-negative t-bit integers e.sub.0, e.sub.1, ..., e.sub.l-1.
OUTPUT: g.sub.0e.sub.0 + g.sub.1e.sub.1 + ... + g.sub.l-1e.sub.l-1.
Step 1. Precomputation. For i from 0 to (2.sup.l - 1):
  G.sub.i .rarw. .SIGMA..sub.j=0.sup.l-1 g.sub.j i.sub.j, where
  i = (i.sub.l-1 ... i.sub.0).sub.2.
Step 2. A .rarw. 0.
Step 3. For i from 1 to t do the following:
  A .rarw. A + A, A .rarw. A + G.sub.I.sub.i.
Step 4. Return (A), where
  A = g.sub.0e.sub.0 + g.sub.1e.sub.1 + ... + g.sub.l-1e.sub.l-1.
[0043] Applying this algorithm to equation (4) it can be seen that
there are two group elements g.sub.0, g.sub.1, namely Q and
.lambda.Q, so that l=2, and two integers e.sub.0, e.sub.1, namely
k.sub.0, k.sub.1. The algorithm permits precomputation of some of
the values and initially G.sub.i is precomputed. The result of
precomputation of G.sub.i with l=2 is shown in table 1.
TABLE 1
  i        0   1        2        3
  G.sub.i  0   g.sub.0  g.sub.1  g.sub.0 + g.sub.1
[0044] After performing a point addition to construct the point
Q+.psi.(Q), it is possible to fill in table 1 with the computed
elements to yield table 2. These elements may be pre-computed and
stored in memory as shown at step 58 in FIG. 2.
TABLE 2
  i        0   1   2         3
  G.sub.i  0   Q   .psi.(Q)  Q + .psi.(Q)
[0045] Before step 3 of the algorithm can be performed, G.sub.I.sub.i
has to be determined and accordingly I.sub.1 through I.sub.t have to
be found as indicated at 60. A notional matrix or combing table may
be constructed using the binary representation of k.sub.i. If, for
example, k.sub.0=30 and k.sub.1=10, then t has the value five since
the maximum number of bits in the binary representation of k.sub.0
through k.sub.1 is five, and the notional matrix constructed from
their binary representation is shown in Table 3. I.sub.i is
determined by the number represented in the i.sup.th column, where
the first row contains the least significant bit, the second row
contains the next significant bit, etc. Therefore it can be seen
from table 3 that I.sub.1=(01)=1, I.sub.2=(11)=3, I.sub.3=(01)=1,
I.sub.4=3, and I.sub.5=0.
TABLE 3
  i        1  2  3  4  5
  k.sub.0  1  1  1  1  0
  k.sub.1  0  1  0  1  0
  I.sub.i  1  3  1  3  0
[0046] All the components needed to complete the algorithm are
available and the iteration of step three is performed as shown at
62.
[0047] Initially A.rarw.0 and i is set to 1.
[0048] I.sub.i=I.sub.1, which from table 3 is equal to 1.
G.sub.I.sub.1 is therefore G.sub.1, which from table 2 is Q.
The value of A from the iteration for i=1 is therefore 0+Q=Q.
[0049] For the next iteration, where i=2, the initial value of A is
Q, so A.rarw.Q+Q=2Q. I.sub.i=I.sub.2=3 from table 3. G.sub.I.sub.2
therefore equates to G.sub.3 from table 2, which is Q+.psi.(Q).
[0050] A+G.sub.I.sub.2 is therefore computed as
2Q+Q+.psi.(Q)=3Q+.psi.(Q).
[0051] The iterations continue for each value of i set out in table
4 until after the 5.sup.th iteration the value for
k.sub.0Q+k.sub.1.lambda.Q, i.e. kQ, is computed.
TABLE 4
  i   A
  1   Q
  2   3Q + .psi.(Q)
  3   7Q + 2.psi.(Q)
  4   15Q + 5.psi.(Q)
  5   30Q + 10.psi.(Q)
[0052] Each iteration requires a point doubling (A+A) and a point
addition (A+G.sub.I.sub.i), although in some cases the value of
G.sub.I.sub.i may be 0, which will reduce the computation.
[0053] Thus it may be seen that this method will require a number
of point doubles equal to max {log.sub.2(k.sub.i)}, and almost as
many point additions. The number of point additions can be reduced
using windowing (Alg. 14.85 HAC) and exponent recoding techniques.
Since the values of I.sub.i and G.sub.i can be precomputed, the
point additions are easily performed by retrieving the appropriate
precomputed element G.sub.I from table 2. Once kQ has been
computed, it may be used as the correspondent 12's ephemeral public
key in encrypting or signing transmissions over the channel 16.
[0054] To summarize, for cryptographic operations like encryption,
Diffie-Hellman and signature, an integer k is required with a
corresponding public key kQ computed. The values k.sub.0 and
k.sub.1 are chosen at random, each having a length one half the
length of n, and the term kQ=k.sub.0Q+k.sub.1.lambda.Q is generated
using a suitable algorithm. When the k's are chosen in this way,
the method seems to be as secure as the random generation of k
itself. Of course it is possible to choose the k.sub.i's to have
fewer bits in order to improve efficiency.
[0055] In the above technique, the method of writing
k=k.sub.0+k.sub.1.lambda. in conjunction with simultaneous combing
achieves a speed up of the simultaneous multiple addition
algorithm. The technique of writing k=k.sub.0+k.sub.1.lambda. may
also be used to advantage with other scalar multiplication
techniques, namely windowing, combing, etc.
[0056] For some mappings .psi., it is also possible to use more
than two sub k's. It is possible for some .psi.'s to write
k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2, allowing the value
of kQ to be computed by applying the simultaneous multiple addition
algorithm with three group elements.
[0057] In a second embodiment of the invention a different form of
the generalized elliptic curve equation (1) is used, namely:
y.sup.2=(x.sup.3-ax) mod p (5)
[0058] Once again, p will be a prime number having at least 160
bits. For this type of curve, the properties required for .gamma.
are different. It is now required to find a value such that
.gamma..sup.2=-1 mod p. A change in the property of .gamma.
requires a different mapping function .psi.' to be used. In this
embodiment the mapping takes the form .psi.': (x, y).fwdarw.(-x,
.gamma.y). If (x,y) is on the curve, then .psi.'(x,y) is also on
the curve. In this case .lambda..sup.4.ident.1 mod n (n is still
the number of points on E(F.sub.p)), and therefore .lambda. can be
calculated. The mapping .psi.'(Q)=.lambda.Q is performed as before
and once again multiplication by .lambda. can be done very
efficiently for this curve. The equation for k in this embodiment
is the same as in the first embodiment and is represented by:
k=(k.sub.0+k.sub.1.lambda.) mod n (6)
[0059] This equation is the same as in the previous embodiment,
having only two group elements. Thus using the group elements Q and
Q+.psi.'(Q) in the algorithm 1, the point k-Q may be calculated.
This computation will require a number of point doubles equal to
max {log.sub.2(k.sub.i)}, and a similar number of point additions.
As described earlier the number of point additions can be reduced
using windowing and exponent recoding techniques.
[0060] This method applies to other elliptic curves, so long as
there exists an efficiently computable endomorphism, .psi..
[0061] The above embodiments assume that k can be chosen at random
and therefore k.sub.0 and k.sub.1 can be selected instead and
determine k. For cryptographic protocols, where it is not possible
to choose k, it is first necessary to find k.sub.0, k.sub.1 of the
desired "short" form from the given value of k such that
k=(k.sub.0+k.sub.1.lambda.) mod n. In some cases, more than two k's
can be used to advantage.
[0062] As may be seen in the embodiments described above, when a
point is known beforehand, tables can be built to speed
multiplication. However, there are cases when multiples of
previously unknown points are required (for example, this can occur
in ECDSA verification) and it is then necessary to take the value
of k as provided and then determine suitable representations for
k.sub.i.
[0063] Thus in a third embodiment, system parameters and a value k
are provided: the point Q, the required multiple k, and the complex
multiplication multiple .lambda. are known. It is necessary to
determine the "short" k.sub.i's from the value for k, which is
predetermined. A method for doing this is described as follows and
illustrated in the flow chart of FIG. 3. As a pre-computation (not
requiring k) we compute two relations:
a.sub.0+b.sub.0.lambda..ident.0 mod n
a.sub.1+b.sub.1.lambda..ident.0 mod n
[0064] such that a.sub.i and b.sub.i are numbers smaller than n. It
is preferable that a.sub.i and b.sub.i are as small as possible;
however, the present method has advantages even when a.sub.i and
b.sub.i are not minimal. The pair a.sub.i and b.sub.i, where
a.sub.i and b.sub.i are both small, can be viewed as a vector
u.sub.i with a small Euclidean length. Typically the method
described below produces k.sub.0 and k.sub.1 having representations
one half the size of the original k.
[0065] In the present embodiment, kQ can be computed efficiently by
utilizing precomputed, short vector representations to obtain an
expression of the form:
k.sub.0Q+.lambda.k.sub.1Q
[0066] This is accomplished by using precomputed vectors to derive
fractions f.sub.0 and f.sub.1 that do not require knowledge of k. A
vector z is generated from the combination of fractions f.sub.0 and
f.sub.1 and k. The vector z is used to calculate a second vector v'
where v'=(v'.sub.0, v'.sub.1) and the value of kQ is calculated as
v'.sub.0Q+.lambda.v'.sub.1Q (8)
[0067] The method of achieving this solution is described below in
greater detail.
[0068] To produce small a.sub.i and b.sub.i, it is possible to make
use of the L.sup.3 lattice basis reduction algorithm (HAC p.118),
which would directly result in short basis vectors. However, in
this preferred embodiment the simple extended Euclidean algorithm
is employed on the pair (n, .lambda.). The extended Euclidean
algorithm on (n, .lambda.) produces linear combinations
c.sub.in+d.sub.i.lambda.=r.sub.i, where the representation of
r.sub.i (e.g. bit-length) decreases and the representation of
c.sub.i and d.sub.i increases with i.
[0069] The two smallest values of .vertline.(d.sub.i,
r.sub.i).vertline. resulting from using the extended Euclidean
algorithm are saved. The size of these vectors is measured with
the squared Euclidean norm
.vertline.(d.sub.i, r.sub.i).vertline..sup.2=d.sub.i.sup.2+r.sub.i.sup.2.
The terms in these minimal relations are denoted {circumflex over
(d)}.sub.0, {circumflex over (r)}.sub.0 and {circumflex over
(d)}.sub.1, {circumflex over (r)}.sub.1, and will typically occur
in the middle of the algorithm. Even if the minimal relations are
not retained, suboptimal relations may still give the method an
advantage in the calculation of point multiples.
[0070] The values of a.sub.i and b.sub.i are constructed by
defining a.sub.0=-{circumflex over (r)}.sub.0, b.sub.0={circumflex
over (d)}.sub.0 and a.sub.1=-{circumflex over (r)}.sub.1,
b.sub.1={circumflex over (d)}.sub.1, all of which may be
precomputed. The next task is to find a small representation for
the multiple k.
[0071] Given the computation of a.sub.0,b.sub.0 and a.sub.1,b.sub.1
it is possible to designate the vectors u.sub.0, u.sub.1, where
u.sub.0=(a.sub.0, b.sub.0) and u.sub.1=(a.sub.1, b.sub.1). These
vectors satisfy a.sub.i+b.sub.i.lambda..ident.0 (mod n). The
multiplication of the group element Q by the vector v=(v.sub.0,
v.sub.1) is defined as (v.sub.0+v.sub.1.lambda.)Q. Since
a.sub.i+b.sub.i.lambda..ident.0 (mod n), u.sub.0R=u.sub.1R=0 for
any group element R. Hence for any integers z.sub.0 and z.sub.1,
vR=v'R=(v-z.sub.0u.sub.0-z.sub.1u.sub.1)R for any group element R.
[0072] Integers z.sub.0 and z.sub.1 may be chosen such that the
vector v'=v-z.sub.0u.sub.0-z.sub.1u.sub.1 has components that are
as small as possible. Again, this method will have an advantage if
the components of v' are small, but not necessarily minimally
so.
[0073] The appropriate z.sub.0 and z.sub.1 are calculated by
converting the basis of v into the basis {u.sub.0, u.sub.1}. The
conversion between bases involves matrix multiplication. To convert
the vector v=(v.sub.0, v.sub.1) from the {u.sub.0, u.sub.1} basis
to the standard orthonormal basis {(1,0),(0,1)},
$$v_{\{(1,0),(0,1)\}} = v_{(u_0,u_1)}\,M = (v_0, v_1)\begin{pmatrix} a_0 & b_0 \\ a_1 & b_1 \end{pmatrix}$$
[0074] To convert in the other direction, from the standard
orthonormal basis {(1,0),(0,1)} to the (u.sub.0, u.sub.1) basis,
the multiplication is simply by the inverse of M,
$$v_{(u_0,u_1)} = v_{\{(1,0),(0,1)\}}\,\mathrm{inverse}(M) = v_{\{(1,0),(0,1)\}}\,\frac{1}{a_0 b_1 - a_1 b_0}\begin{pmatrix} b_1 & -b_0 \\ -a_1 & a_0 \end{pmatrix}$$
[0075] Since the vector v=(k, 0) has a zero component, the bottom
row of inverse(M) is not required, and therefore to convert to the
{u.sub.0, u.sub.1} basis only the fractions
$$f_0 = \frac{b_1}{a_0 b_1 - a_1 b_0} \quad\text{and}\quad f_1 = \frac{b_0}{a_0 b_1 - a_1 b_0}$$
[0076] are needed.
[0077] The fractions f.sub.0 and f.sub.1 may be precomputed to
enough precision so that this operation may be effected only with
multiplication. It should be noted that the computations leading to
these fractions do not depend upon k, therefore they can be
computed once when the elliptic curve is chosen as a system
parameter, and do not need to be recalculated for each k. Similarly
the vectors v, u.sub.0 and u.sub.1 may be precomputed and
stored.
[0078] Once a value of k is selected or determined the value of kQ
may be computed by first calculating z=(z.sub.0, z.sub.1), where z
is defined as (z.sub.0, z.sub.1)=(round(kf.sub.0),
round(kf.sub.1)). Other vectors near to z will also be useful,
therefore rounding could be replaced with floor or ceiling
functions or some other approximation.
[0079] Once a suitable z has been determined, an efficient
equivalent to v=(k,0) is calculated by v'=(v.sub.0',
v.sub.1')=v-z.sub.0u.sub.0-z.sub.1u.sub.1. The phrase "efficient
equivalent" implies a vector v' such that v'P=vP and v' has small
coefficients. The value kQ is then calculated as
v.sub.0'Q+v.sub.1'.lambda.Q. This value can be calculated using
simultaneous point addition as described above, with enhanced
efficiency obtained from the use of non-adjacent form (NAF)
recoding as described above and as described in H.A.C. 14.7 at page
627. Thus, even where k is predetermined, values of k.sub.0 and
k.sub.1 can be computed and used with the mapping function to
obtain a value of kQ and thus the key pair k, kQ.
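The decomposition of [0068]-[0079], carried through as an added example (this is not the patent's code): the extended Euclidean algorithm on (n, .lambda.) yields the two short vectors u.sub.0, u.sub.1, and v=(k,0) is then reduced to v' by rounding its coordinates in the {u.sub.0, u.sub.1} basis. Everything happens in the integers mod n, so only n and .lambda. are needed; the curve-side identity .lambda.Q=.psi.(Q) is what turns k.sub.0Q+k.sub.1.psi.(Q) into kQ. The modulus n=2^61-1 and the way .lambda. is obtained (a cube root of unity mod n, as for curves with .psi.(x,y)=(.beta.x,y)) are constructed for this example; the names cube_root_of_unity, short_vectors, decompose and check are the example's own.

```python
from fractions import Fraction

# Added example (not the patent's code): the two-component decomposition of
# [0068]-[0079].  Everything happens in the integers mod n, so only n and lambda
# are needed; the curve-side identity lambda*Q = psi(Q) is what turns the result
# k0*Q + k1*psi(Q) into kQ.

def cube_root_of_unity(n):
    """Constructed stand-in for lambda: a nontrivial root of x^2 + x + 1 mod a prime
    n with n ≡ 1 (mod 3), the characteristic polynomial of psi(x, y) = (beta*x, y)
    on curves y^2 = x^3 + b.  Any g that is not a cubic residue yields one."""
    assert n % 3 == 1
    for g in range(2, n):
        lam = pow(g, (n - 1) // 3, n)
        if lam != 1:
            return lam
    raise ValueError("no cube root of unity mod n")

def short_vectors(n, lam):
    """Extended Euclid on (n, lambda), as in [0068]-[0070]: every remainder satisfies
    r_i = c_i*n + d_i*lambda.  The two (d_i, r_i) of smallest squared norm become
    u_i = (a_i, b_i) = (-r_i, d_i), which satisfy a_i + b_i*lambda ≡ 0 (mod n)."""
    r_prev, r = n, lam
    d_prev, d = 0, 1                     # c_i is never used, so only d_i is tracked
    cands = [(d * d + r * r, d, r)]
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        d_prev, d = d, d_prev - q * d
        if r != 0:
            cands.append((d * d + r * r, d, r))
    cands.sort()
    _, d0, r0 = cands[0]
    u0 = (-r0, d0)
    for _, d1, r1 in cands[1:]:          # smallest remaining vector independent of u0
        u1 = (-r1, d1)
        if u0[0] * u1[1] - u1[0] * u0[1] != 0:
            return u0, u1
    raise ValueError("no second independent vector")

def decompose(k, u0, u1):
    """[0073]-[0079]: express v = (k, 0) in the {u0, u1} basis with the top row of
    inverse(M), round to the nearest lattice point z, and return v' = v - z0*u0 - z1*u1.
    The second coordinate carries the minus sign of the (b1, -b0) row of inverse(M)."""
    (a0, b0), (a1, b1) = u0, u1
    det = a0 * b1 - a1 * b0
    z0 = round(Fraction(k * b1, det))
    z1 = round(Fraction(-k * b0, det))
    return k - z0 * a0 - z1 * a1, -z0 * b0 - z1 * b1

# Constructed parameters: n = 2^61 - 1 is prime and n ≡ 1 (mod 3).
N = 2**61 - 1
LAM = cube_root_of_unity(N)
U0, U1 = short_vectors(N, LAM)

def check(k):
    """Decompose k, confirm k0 + k1*lambda ≡ k (mod n), and report the larger bit-length."""
    k0, k1 = decompose(k, U0, U1)
    assert (k0 + k1 * LAM) % N == k % N
    return k0, k1, max(abs(k0).bit_length(), abs(k1).bit_length())

if __name__ == "__main__":
    for k in (1, 0x123456789ABCDEF, N - 1):
        k0, k1, bits = check(k)
        print(f"k={k}: k0={k0}, k1={k1}, {bits} bits vs {N.bit_length()} for n")
```

The vectors U0, U1 depend only on (n, .lambda.), so they are computed once per curve as [0077] describes; only decompose runs per k, and its two roundings replace the precomputed fractions f.sub.0, f.sub.1 of [0075]. For a 61-bit n the components come out at about half that size, which is the saving the simultaneous multiplication of [0079] exploits.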
[0080] For the case where k is to be separated into 3 portions
k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2, small vectors can
be obtained from L.sup.3-row-reducing
$$\begin{pmatrix} 1 & 0 & -\lambda^2 \\ 0 & 1 & -\lambda \\ 0 & 0 & -n \end{pmatrix} \quad\text{to}\quad \begin{pmatrix} u_2 \\ u_1 \\ u_0 \end{pmatrix}$$
[0081] A small vector equivalent (three-dimensional row) can be
obtained in a similar way to the two-dimensional case.
[0082] Using these methods to determine the value of kQ greatly
reduces the processing power required by the cryptographic
processors 12. It also increases the speed at which these
repetitive calculations can be done which, in turn, reduces the
time to transfer information.
[0083] It will be appreciated that once the scalar multiple k has
been represented in terms of shortened components
k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2+ . . .
+k.sub.m-1.lambda..sup.m-1, other options for efficient elliptic
curve scalar multiplication may be used in place of or in
conjunction with the simultaneous multiple addition algorithm.
These options include windowing (fixed and sliding), combing, bit
recoding and combinations of these techniques.
[0084] One particularly beneficial technique permits tables built
for one component of the multiplication, say k.sub.0, to be reused
for other components k.sub.1 etc. This is accomplished by
transforming the computed table elements by applying the mapping
.gamma. as required.
[0085] As a further exemplification, an embodiment where k can be
recast as k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2, where k
has m-bits and k.sub.i have roughly m/3 bits is described
below.
[0086] Once the components k.sub.i have been determined, they may be
recoded from the binary representation to a signed binary
representation having fewer non-zero bits. This recoding can take
the Non-Adjacent Form (NAF), where every 1 or -1 bit in the
representation of k.sub.i is non-adjacent to another non-zero bit
in the signed binary string. This recoding is described in H.A.C.
14.7 p. 627.
[0087] Once each k.sub.i has been recoded, a table can be
constructed to aid in computing k.sub.i.lambda..sup.iP.
[0088] A NAF windowing table precomputes certain short-bit-length
multiples of .lambda..sup.iP. The width of the window determines
the size of the table. As k.sub.i has been recoded to have no
adjacent non-zeros, odd window widths are suitable. A 3-bit wide
NAF window table would contain [1], [101] and [10-1].
[0089] The recoded k.sub.i values are built by concatenating these
windows, and padding where necessary with zeros (H.A.C., p.
616).
[0090] The required number of additions can be reduced with use of
this table, since it is necessary to add or subtract an EC point
only for every window encountered instead of for every non zero
bit.
[0091] Initially therefore this technique is applied to the
computation of k.sub.0P.
[0092] The table built for the k.sub.0P calculation can be applied
to the k.sub.1.lambda.P calculation if the table elements are
mapped with the .psi. mapping using the operator .gamma..
Similarly, k.sub.2.lambda..sup.2P can be accelerated by using the
table built for k.sub.0P, but mapping the table elements with
.gamma..sup.2.
[0093] In applying the sliding window technique to the components,
only one set of doublings need be performed.
[0094] To illustrate this example of a preferred embodiment the
following example will be used:
If k=[1011010111101].sub.2+[111010101101].sub.2.lambda.,
[0095] then recoding
[0096] k=[10-100-10-100-101]+[1000-10-10-10-101].lambda.
=k.sub.0'+k.sub.1'.lambda.
[0097] A 3-bit window table on P is precomputed containing
1.multidot.P, [10-1].multidot.P, [101].multidot.P. This requires
two EC additions, and two EC doublings.
[0098] After this, kP can be calculated as
kP=[10-100-10-100-101]P+[1000-10-10-10-101].multidot..lambda.P
[0099] by adding/subtracting elements from the table.
[0100] This can be done using an accumulator A as follows:
A .rarw. 0 ; initialize
A += .psi.(1 .multidot. P) ; consuming the top bit of k.sub.0.sup.r
A .rarw. 2A ; double A
A .rarw. 2A
A += [10-1]P ; consuming the top 3 bits of k.sub.0.sup.r
A .rarw. 2.sup.4A
A -= [101].psi.P ; consuming a 3 bit window of k.sub.1.sup.r
A .rarw. 2A ; double A
A -= [101]P ; consuming 3 bits of k.sub.1.sup.r
A .rarw. 2.sup.4A
A -= [101].psi.P ; consuming 3 bits of k.sub.1.sup.r
A .rarw. 2.sup.2A
A -= [10-1]P ; consuming the last of k.sub.0.sup.r
A += .psi.P ; producing kP.
[0101] It will be recognized from the above example that the
windows in k.sub.0 and k.sub.1 need not be aligned. This is
evidenced by the fact that the accumulator is doubled between
computations of the windows in k.sub.0 and the computations of the
windows in k.sub.1, indicating a shift of window between evaluating
k.sub.0P and k.sub.1P.
[0102] In summary, the previously described technique is as
follows. Given an elliptic curve E and an endomorphism .psi., there
corresponds an integer .lambda. such that .lambda.Q=.psi.(Q) for
all points Q.di-elect cons.E. Select an integer m and compute an
equivalent number m of "short basis vectors" b.sub.1, b.sub.2, . .
. , b.sub.m. Each such basis vector corresponds to an integer, and
each such integer is divisible by the number of points
n=#E(F.sub.p.sup.m). Now, given an integer k, (0<k<n), we write
k=.SIGMA.k.sub.i.multidot..lambda..sup.i, where the k.sub.i's are
chosen to be "short". This is done by finding the difference
between a certain vector (which represents k) and a nearby vector
in the lattice generated by b.sub.1, b.sub.2, . . . , b.sub.m.
[0103] The following embodiment explicitly describes an application
of the previously described technique (endomorphism and basis
conversion and "Shamir's trick") to elliptic curves defined over
composite fields. In particular, an application to curves
E(F.sub.p.sup.m), where p is an odd prime, is described. The
following embodiments exemplify techniques for such curves.
[0104] This technique is described in the case where the map .psi.
is the Frobenius map .psi.(x,y)=(x.sup.p,y.sup.p) and
E'.sub.A,B(F.sub.p.sup.m) where A,B.di-elect cons.F.sub.p.
[0105] In this case, it is known that the Frobenius map satisfies
.psi..sup.2-t.psi.+p=0, where t=p+1-#E(F.sub.p.sup.m).
[0106] It follows that .lambda..sup.2-t.lambda.+p=0 mod n and so
$\lambda^{i+2} - t\lambda^{i+1} + p\lambda^{i} \equiv 0 \pmod n$.
[0107] Note that the vectors, written in the coordinates
$(\lambda^{m-1}, \ldots, \lambda^2, \lambda^1, \lambda^0)$,
$b_1 = (0, 0, 0, \ldots, 0, 1, -t, p)$
$b_2 = (0, \ldots, 0, 1, -t, p, 0)$
$\ldots$
$(1, -t, p, 0, 0, \ldots, 0)$
$(-t, p, 0, 0, \ldots, 0, 1)$
$b_m = (p, 0, 0, 0, \ldots, 0, 1, -t)$
[0108] consist of m "short" basis vectors of the vector space
Q.sup.n. It follows that to compute kQ on such a curve we can
proceed using the vectors b.sub.1,b.sub.2. . . b.sub.m and the
technique described previously.
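The Frobenius basis of [0104]-[0108], together with the "nearby lattice vector" step summarised in [0102], as an added example that is not the patent's code. The parameters are constructed: p=5, trace t=2 (so .psi..sup.2-2.psi.+5=0) and m=7. The group order #E(F.sub.p.sup.m) is derived from t and p alone through the usual trace recurrence, n is taken as its largest prime factor, and .lambda. is the root of x.sup.2-tx+p mod n with .lambda..sup.m=1. The m basis rows are the cyclic shifts of (1, -t, p) shown in [0107]; the decomposition writes v=(0, . . . , 0, k) in that basis over the rationals, rounds, and subtracts, which is the m-dimensional form of the rounding in [0078]. The names curve_order, frobenius_basis, decompose and evaluate are the example's own.

```python
from fractions import Fraction

# Added example (not the patent's code) for the Frobenius basis of [0104]-[0108] and the
# "nearby lattice vector" step summarised in [0102].  Constructed parameters: p = 5,
# Frobenius trace t = 2 (so psi^2 - 2*psi + 5 = 0), m = 7.  The group order #E(F_{p^m})
# follows from t and p alone; n is its largest prime factor and lambda the eigenvalue
# of psi on the order-n subgroup.

P_, T_, M_ = 5, 2, 7

def curve_order(p, t, m):
    """#E(F_{p^m}) = p^m + 1 - (alpha^m + conj(alpha)^m), with the trace sequence
    s_0 = 2, s_1 = t, s_{j+1} = t*s_j - p*s_{j-1}."""
    s_prev, s = 2, t
    for _ in range(m - 1):
        s_prev, s = s, t * s - p * s_prev
    return p**m + 1 - s

def largest_prime_factor(x):
    best, d = 1, 2
    while d * d <= x:
        while x % d == 0:
            best, x = d, x // d
        d += 1
    return max(best, x)

def frobenius_eigenvalue(p, t, m, n):
    """lambda with lambda^2 - t*lambda + p ≡ 0 and lambda^m ≡ 1 (mod n) ([0105]-[0106])."""
    return next(l for l in range(n) if (l * l - t * l + p) % n == 0 and pow(l, m, n) == 1)

def frobenius_basis(p, t, m):
    """The m cyclic shifts of (1, -t, p) in coordinates (lambda^{m-1}, ..., lambda, 1) ([0107])."""
    rows = []
    for j in range(m):
        row = [0] * m
        for off, coef in enumerate((1, -t, p)):
            row[(m - 3 - j + off) % m] = coef
        rows.append(row)
    return rows

def evaluate(vec, lam, n):
    """Map a coordinate vector back to the scalar sum(v_i * lambda^{m-1-i}) mod n."""
    m = len(vec)
    return sum(v * pow(lam, m - 1 - i, n) for i, v in enumerate(vec)) % n

def decompose(k, basis):
    """Babai rounding with the basis B: write v = (0, ..., 0, k) as c*B over Q, round c
    to z, and return v - z*B, whose coordinates are short and evaluate to k mod n."""
    m = len(basis)
    # Augmented system (B^T | v), solved by Gauss-Jordan elimination over the rationals.
    aug = [[Fraction(basis[r][c]) for r in range(m)] + [Fraction(k if c == m - 1 else 0)]
           for c in range(m)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        pv = aug[col][col]
        aug[col] = [x / pv for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    z = [round(aug[r][m]) for r in range(m)]
    v = [0] * (m - 1) + [k]
    return [v[c] - sum(z[r] * basis[r][c] for r in range(m)) for c in range(m)]

N = largest_prime_factor(curve_order(P_, T_, M_))     # 673 for the constructed parameters
LAM = frobenius_eigenvalue(P_, T_, M_, N)
BASIS = frobenius_basis(P_, T_, M_)

def check(k):
    """Decompose k, confirm it evaluates back to k mod n, and report the largest |k_i|."""
    comps = decompose(k, BASIS)
    assert evaluate(comps, LAM, N) == k % N
    return comps, max(abs(c) for c in comps)

if __name__ == "__main__":
    for k in (500, 672):
        print(k, check(k))
```

Because every basis row has entries no larger than p, the rounding error in each coordinate is at most half the sum of the rows' largest entries (here 7 rows with entry 5, so at most 17), independent of k; a 10-bit k therefore splits into seven components of about 5 bits each, which the shared-doubling accumulator of [0100] then consumes.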
[0109] In the above embodiments it will be appreciated that
k.sub.1.lambda.Q can be obtained from .psi.(kQ) if the mapping is
more efficient than addition.
[0110] In a further embodiment, the above methods are used to
verify a digital signature on a message. A sender sends a message
m, a signature component s, and a short term public key R=kP. As
indicated above, in a typical digital signature protocol, the
signature component s is generated using the formula s=ae+k. The
value a is a long term private key of the sender, and e is a hash
of the message m.
[0111] Verification requires computing the value sP-eQ which should
correspond to R, where Q=aP is a long term public key of the
sender. This is the case since k=s-ae.
[0112] Accordingly, Algorithm 1 may be applied to compute a sum
g.sub.0e.sub.0+g.sub.1e.sub.1 of scalar multiples of two group
elements g.sub.0 and g.sub.1, where the scalars are s and -e and
the group elements are P and Q. A further improvement is obtained
by using the NAF as above.
[0113] For ease of explanation, the method will be illustrated for
computing .alpha.P+.beta.Q. In the preferred embodiment of
verifying a signature, .alpha.=s and .beta.=-e.
[0114] In this case, it may no longer be possible to reuse tables
built for one component of the multiplication for other components,
unless the relationship between the points P and Q is known to the
verifier. Usually, the verifier knows P and Q, but not the scalar a
that related P and Q (i.e. Q=aP). In this case, it is necessary to
use a table for each of P and Q. Then a sliding window method may
be used by adding/subtracting elements from the tables.
[0115] The following example illustrates this embodiment:
If .alpha.=[101101011101].sub.2 and
.beta.=[111010101101].sub.2,
then k=[1011010111].sub.2+[111010101101].sub.2 a,
and recoding .alpha.=[10-100-10-100-101].sub.2 and
.beta.=[1000-10-10-10-101].sub.2,
[0116] A 3-bit window table on P and a 3-bit window table on Q are
precomputed containing 1.multidot.P, [10-1].multidot.P,
[101].multidot.P and 1.multidot.Q, [10-1].multidot.Q,
[101].multidot.Q respectively. This requires two EC additions, and
two EC doublings for each table.
[0117] After this, kP can be calculated as
kP=.alpha.P+.beta.Q=[10-100-10-100-101]P
+[1000-10-10-10-101].multidot.Q
[0118] by adding/subtracting elements from the tables.
[0119] This can be done using an accumulator A as follows:
A .rarw. 0 ; initialize
A += 1 .multidot. Q ; consuming the top bit of .beta.
A .rarw. 2A ; double A
A .rarw. 2A
A += [10-1]P ; consuming the top 3 bits of .alpha.
A .rarw. 2.sup.4A
A -= [101]Q ; consuming a 3 bit window of .beta.
A .rarw. 2A ; double A
A -= [101]P ; consuming 3 bits of .beta.
A .rarw. 2.sup.4A
A -= [101]Q ; consuming 3 bits of .beta.
A .rarw. 2.sup.2A
A -= [10-1]P ; consuming the last of .alpha.
A += Q ; producing kP.
[0120] The signature is accepted as originating from the sender if
the calculated value of kP is equal to the value of R received with
the signature.
[0121] Again, it will be appreciated that the windows need not be
aligned and that shifting of the windows produces a double of the
accumulator for each bit shift of the window.
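The NAF sliding-window accumulator of [0086]-[0101] (one 3-bit table for P, re-used for .psi.P by mapping its entries) and the two-table verification of [0110]-[0121] (sP-eQ compared with R), as one added example that is not the patent's code. The curve is constructed for the example: y.sup.2=x.sup.3+b over F.sub.31 with .psi.(x,y)=(5x,y), where 5 is a cube root of unity mod 31; b is chosen by the code so that the group order n is a prime with n=1 mod 3, which guarantees an integer .lambda. with .psi.(P)=.lambda.P, and the code finds that .lambda. by trial. The window handling follows [0101]: windows of the two components are not aligned, and one doubling is done per bit position. The names ec_add, naf, window_table, multi_scalar_windowed, glv_mult and verify_toy_signature are the example's own, and the signature scheme is the s=ae+k form of [0110].

```python
# Added example (not the patent's code) for the NAF sliding-window accumulator of
# [0086]-[0101] and the two-table signature check of [0110]-[0121], on a constructed
# toy curve y^2 = x^3 + b over F_31 with the endomorphism psi(x, y) = (beta*x, y).
p = 31              # constructed prime with p ≡ 1 (mod 3)
BETA = 5            # 5^3 ≡ 1 (mod 31), so psi is a cube root of unity on the curve

def ec_add(P, Q):
    """Affine addition on y^2 = x^3 + b (a = 0); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        m = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def ec_neg(P):
    return None if P is None else (P[0], -P[1] % p)

def ec_mul(k, P):
    """Plain double-and-add; used only as the reference answer."""
    if k < 0:
        k, P = -k, ec_neg(P)
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R

def psi(P):
    return None if P is None else (BETA * P[0] % p, P[1])

def naf(k):
    """Non-adjacent form, least significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while k != 0:
        d = 2 - k % 4 if k & 1 else 0    # odd k: choose d so that k - d ≡ 0 (mod 4)
        digits.append(d)
        k = (k - d) >> 1
    return digits

def window_table(P):
    """3-bit NAF window table {1: P, 3: [10-1]P, 5: [101]P}: two doublings, two additions."""
    P2 = ec_add(P, P)
    P4 = ec_add(P2, P2)
    return {1: P, 3: ec_add(P2, P), 5: ec_add(P4, P)}

def multi_scalar_windowed(parts):
    """sum(k_j * P_j) for parts = [(k_j, table_of_P_j), ...] with one shared chain of
    doublings.  Each NAF is consumed in odd windows of up to 3 digits; windows of
    different components need not be aligned (one doubling per bit position)."""
    nafs = [naf(k) for k, _ in parts]
    top = max(len(d) for d in nafs) - 1
    next_free = [top] * len(parts)       # highest position not yet consumed, per component
    pending = {}                         # position -> [(component, signed window value)]
    for i in range(top, -1, -1):
        for c, digits in enumerate(nafs):
            if i > next_free[c] or i >= len(digits) or digits[i] == 0:
                continue
            dig = lambda j: digits[j] if j >= 0 else 0
            w, j = 4 * dig(i) + 2 * dig(i - 1) + dig(i - 2), i - 2
            while w % 2 == 0:            # shrink until the window value is odd
                w, j = w // 2, j + 1
            pending.setdefault(j, []).append((c, w))
            next_free[c] = j - 1
    A = None
    for i in range(top, -1, -1):
        A = ec_add(A, A)
        for c, w in pending.get(i, []):
            T = parts[c][1][abs(w)]
            A = ec_add(A, T if w > 0 else ec_neg(T))
    return A

def find_curve():
    """Choose b so that #E(F_p) is a prime n ≡ 1 (mod 3): then psi(P) = lambda*P for some lambda."""
    for b in range(1, p):
        pts = [(x, y) for x in range(p) for y in range(p) if (y * y - x**3 - b) % p == 0]
        n = len(pts) + 1
        if n % 3 == 1 and all(n % d for d in range(2, int(n**0.5) + 1)):
            return b, n, next(pt for pt in pts if pt[0] != 0)
    raise RuntimeError("no suitable b")

B, n, P = find_curve()
LAM = next(l for l in range(2, n) if (l * l + l + 1) % n == 0 and ec_mul(l, P) == psi(P))

def glv_mult(k0, k1):
    """k0*P + k1*lambda*P with ONE table for P, re-used for psi(P) by mapping its entries ([0092])."""
    T = window_table(P)
    return multi_scalar_windowed([(k0, T), (k1, {w: psi(pt) for w, pt in T.items()})])

def verify_toy_signature(e, s, Q, R):
    """[0110]-[0120]: accept iff sP - eQ == R, using a separate table for P and for Q."""
    return multi_scalar_windowed([(s, window_table(P)), (-e, window_table(Q))]) == R
```

glv_mult(k0, k1) returns the same point as the plain multiple (k0+k1.lambda. mod n)P, with the second component served from the .psi.-mapped copy of the single table; verify_toy_signature(e, s, Q, R) is the [0114] case, where the verifier knows P and Q but not a, so each point gets its own table and the scalars s and -e are consumed together over one chain of doublings. For the sign check an altered e gives a different multiple of P, so the comparison with R fails.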
[0122] Although the invention has been described with reference to
certain specific embodiments, various modifications thereof will be
apparent to those skilled in the art without departing from the
spirit and scope of the invention as outlined in the claims
appended hereto.
* * * * *