Method for accelerating cryptographic operations on elliptic curves

Abstract

This invention provides a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field Fq where q is a prime power such that there exists an endomorphism .psi., where .psi. (Q)=.lambda.-Q for all points Q(x,y) on the elliptic curve; and using smaller representations k.sub.i of the scalar k in combination with the mapping .psi. to compute the scalar multiple of the elliptic curve point Q.

Description

[0001] This invention relates to a method for performing computations in cryptographic systems utilizing elliptic curves.

[0002] This application is a continuation-in-pat of U.S. patent application Ser. No. 09/885,959, filed on Jun. 22, 2001, which is a continuation of International Application No. PCT/CA99/01222, filed on Dec. 23, 1999, and claims the priority of Canadian Patent Application No. 2,257,008, filed on Dec. 24, 1998, the content of all of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

[0003] A public-key data communication system may be used to transfer information between a pair of correspondents. At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender and the recipient may perform a complementary mathematical operation to decipher the information.

[0004] Each correspondent has a private key and a public key that is mathematically related to the private key. The relationship is such that it is not feasible to determine the private key from knowledge of the public key. The keys are used in he transfer of data, either to encrypt data that is to be transferred or to attach a signature to allow verification of the authenticity of the data.

[0005] For encryption, one correspondent uses the public key of the recipient to encrypt the message and sends it to the recipient. The recipient then uses her private key to decipher the message.

[0006] A common key may also be generated by combining one parties public key with the other parties private key. It is usual in such cases to generate new private and corresponding public keys for each communication session, usually referred to as session keys or ephemeral keys, to avoid the long-term keys of the parties being compromised.

[0007] The exchange of messages and generation of the public keys may therefore involve significant computation involving exponentiation when the cryptographic system utilizes in Z*p, the finite field of integers mod p where p is a prime or the analogous operation of point multiplication when the system utilizes an elliptic curve. In an elliptic curve system, an ephemeral key pair is obtained by generating a secret integer, k and performing a point multiplication in the seed point Q to provide the ephemeral public key kQ. Similarly, the generation of a common ephemeral session key will require multiplication of a public key k.sub.aQ, which is a point on the curve, with a secret integer kb of the other correspondent so that point multiplication is again required.

[0008] A similar procedure is used to sign a message except that the sender applies his private key to the message. This permits any recipient to recover and verify the message using the senders public key.

[0009] Various protocols exist for implementing such a scheme and some have been widely used. In each case, however, the sender is required to perform a computation to sign the information to be transferred and the receiver is required to perform a computation to verify the signed information.

[0010] In a typical implementation a signature component s has the form:--

s=ae+k (mod n)

[0011] where; in an elliptic curve crypto system,

[0012] P is a point on the underlying curve which is a predefined parameter of the system;

[0013] k is a random integer selected as a short term private or session key;

[0014] R=kP is the corresponding short term public key,

[0015] a is the long term private key of the sender;

[0016] Q=aP is the senders corresponding public key;

[0017] e is a secure hash, such as the SHA-1 hash function, of a message m and the short term public key R; and

[0018] n is the order of the curve.

[0019] The sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value R.sup.1=(sP-eQ) which should correspond to R. If the computed values correspond then the signature is verified.

[0020] In order to perform the verification it is necessary to compute the point multiplications to obtain sP and eQ, each of which is computationally complex. Where the recipient has adequate computing, power this does not present a particular problem but where the recipient has limted computing power, such as in a secure token or a "Smart card" application, the computations may introduce delays in the verification process.

[0021] Key generation and signature protocols may therefore be computationally intensive. As cryptography becomes more widely used there is an increasing demand to implement cryptographic systems that arm faster and that use limited computing power, such as may be found on a smart card or wireless device.

[0022] Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC permits reductions in key and certificate size that translates to smaller memory requirements, and significant cost savings. ECC can not only significantly reduce the cost, but also accelerate the deployment of smart cards in next-generation applications. Additionally, although the ECC algorithm allows for a reduction in key size, the same level of security as other algorithms with larger keys is maintained.

[0023] However, there is still a need to perform faster calculations on the keys so as to speed up the information transfer while maintaining a low cost of production of cryptographic devices.

[0024] Computing multiples of a point on an elliptic curve is one of the most frequent computations performed in elliptic curve cryptography, One method of speeding up such computations is to use tables of precomputed multiples of a point. This technique is more useful when a point is known beforehand. However, there are cases when multiples of previously unknown points are required (for example, in ECDSA verification). Thus there is a need for a system and method for facilitating point multiplications.

SUMMARY OF THE INVENTION

[0025] In general terms, the present invention represents the scalar k as a combination of components k.sub.i and an integer .lambda. derived from an endomonphisim in the underlying curve.

[0026] The method is based on the observation that, given an elliptic curve (EC) having complex multiplication mapping over a finite field, there is an .lambda., which is he solution to aquadratic, for which the complex multiplication mapping is equivalent to multiplying a point Q by .lambda.. It will often be less computationally expensive to compute .lambda.Q via the complex multiplication map, compared to treating .lambda. as a integer and performing the EC multiplication. In practice, point multiplication by other scalars (not just .lambda.) is required. It is also shown how the multiplication mapping may be used to compute other multiples of the point.

[0027] In accordance with this invention there is provided a method for accelerating multiplication of an elliptic curve point Q(xy) by a scalar k, the method comprising the steps of: selecting an elliptic curve over a finite field F such that there exists an endomorphismn .psi., where .psi.(Q)=.lambda.-Q for all points Q(xjy) on the elliptic curve; and using smaller representation k.sub.i of the scalar k in combination with the mapping .psi. to compute the scalar multiple of the elliptic curve point Q.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

[0029] FIG. 1 is a schematic diagram of a communication system;

[0030] FIG. 2 is a flow chart showing the steps of implementing a first embodiment of the present invention.

[0031] FIG. 3 is a flow chart showing the steps of providing parameters required to implement the method of FIG. 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0032] For convenience in the following description, like numerals refer to like structures in the drawings. Referring to FIG. 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12, and a recipient 14, connected by a communication channel 16. Each of the correspondents 12,14 includes a cryptographic processor 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. Each of the correspondents 12,14 also includes a computational unit 19,21 respectively to perform mathematical computations related to the cryptographic processors 18,20. The processors 18,20 maybe embodied in an integrated circuit incorporated in the processor or may be implemented as instructions encoded on a data carrier to implement a predetermined protocol in conjunction with a general purpose processor. For the purpose of illustration it will be assumed that the correspondent 12 is in the form of a smart card having a dedicated processor 18 with relatively limited computing power. The processor 20 may be a central server communicating with the card by channel 16 and channel 16 may be a wireless communication channel if preferred.

[0033] The cryptographic processors 18 implement an elliptic curve cryptographic system, of ECC, and one of the functions of the cryptographic processor 18 is to perform point multiplications of the form k-Q, where k is an integer and Q a point on the underlying elliptic curve, so that they may be used as a key pair k, kQ in a cryptographic scheme. As noted above, cryptographic computations such as the multiplication of an elliptic curve point by a scalar value are computationally expensive.

[0034] A method for accelerating scalar multiplication of an elliptic curve point Q(xy) is shown in FIG. 2 and indicated generally by the numeral 50. The subject algorithm increases the speed at which the processors 12 can for example sign and verify messages for specific classes of elliptic curves. The method is based on the observation that given the general equation for an elliptic curve E:

y.sup.2+a.sub.1xy+a.sub.3y=x.sup.3+a.sub.2x.sup.2+a.sub.4x+a.sub.6 (1)

[0035] over a finite field, exemplified as F.sub.q (q is a prime power) and when there exists an endomorphism .psi., where .psi.(Q)=.lambda.-Q for all points Q(x,y) on the elliptic curve, then multiplication of the point Q by an integer k may be accelerated by utilizing combinations of smaller representations k.sub.i of k in combination with the mapping .psi.. The mapping .psi. also allows precomputation of group elements and combinations thereof, which maybe used in subsequent calculation of kQ.

[0036] Referring now to FIG. 2, a flow chart of a general embodiment for accelerating point multiplication on an elliptic curve, is shown by numeral 50. The system parameters are first selected. As an initial step an underlying elliptic curve E is selected to have certain characteristics. In a first embodiment of the invention the generalized elliptic curve (1) may be expressed in the following form:

E:y.sup.2=x.sup.3+b mod p; where p is a prime. (2)

[0037] Firstly, the modulus p can be determined such that there is a number, .gamma. where .gamma. .di-elect cons. F.sub.p (F.sub.p is the field of size p consisting of all integers mod p), and .gamma..sup.3.ident.1 mod p (a cube root of unity). If for example p=7, then .gamma.=2, since 2.sup.3 mod 7=1. Such a .gamma. does not necessarily exist for all p, and therefore this must be taken into consideration when choosing the value of p. Typically, the chosen p should be at least 160 bits in length for adequate cryptographic strength.

[0038] After the curve E has been selected, a mapping function .psi. is determined. The mapping function .psi.: (x,y).fwdarw.(.gamma.x, y), simply maps one set of points on the curve to another set of points on the curve. There exists an integer .lambda. such that .psi.(Q)=.lambda.-Q for all points Q(x,y) of interest on the elliptic curve, E. This integer .lambda. may be found by noting that .lambda..sup.3.ident.1 mod n, where n is the number of points on the elliptic curve E over F.sub.p i.e. the number of points on E(F.sub.p). There may exist more than one solution for .lambda. in .lambda..sup.3.ident.1 mod n, but only one of those solutions will satisfy the mapping function .psi.. It is important to note that since .lambda..sup.3 mod p=1, both Q and .psi.(Q) satisfy the equation for E. Therefore, instead of having to perform lengthy calculations to determine the results of multiplication by .lambda., it can be done very efficiently using the results of the mapping function so that multiplication by .lambda. can be done very efficiently.

[0039] A seed point Q is selected and the system parameters E, p, Q, .lambda., .psi.(Q), and .gamma. are stored in the card 12, as indicated at 52, at manufacture time for use by the cryptographic processor 18. To implement a cryptographic procedure such as encryption, key agreement or signature it is necessary to select an integer k for use as an ephemeral private key k and generate a corresponding public key kQ.

[0040] The value of k may be expressed as:--

k=(k.sub.0+k.sub.1.lambda.)mod n (3)

[0041] where n is the number of points on E(F.sub.p) and k.sub.0 and k.sub.1 are integers. The point k-Q then becomes:

k-Q=(k.sub.0Q+k.sub.1.lambda.Q)mod n (4)

[0042] For some cryptographic operations the value of k may be chosen at random and in these cases, rather than select k it is possible to select values for k.sub.0 and k.sub.1 at random, having a length of [log.sub.2(n)]/2 not including sign bits, (i.e. the length of the k.sub.1's are chosen to be at least one half the length k) and then calculate the value for k using equation (3). Having selected the values of k.sub.0, k.sub.1 as indicated a 54 in FIG. 2, the right side of equation (4) can be calculated quickly using an algorithm analogous to the "Simultaneous Multiple Exponentiation" as described in the "Handbook of Applied Cryptography" (HAC) by Menezes et. al.(Algorithm 14.88) and indicated at 56. For convenience the algorithm is reproduced below. It may be noted that in an additive group exponentiation is analogous to addition, thus replacing the multiplication in the algorithm with addition, yields the following:

1 Algorithm 1 Simultaneous Multiple Addition INPUT; group elements g.sub.0, g.sub.1, ..., g.sub.l-1 and non negative t-bit integers e.sub.0, e.sub.1, ..., e.sub.l-1. OUTPUT: g.sub.0e.sub.0 + g.sub.1e.sub.1 + ... + g.sub.l-1e.sub.l-1. step 1. Precomputation. For i from 0 to (2.sup.l - 1): G.sub.i .rarw. .SIGMA..sub.j=0.sup.l-1g.sub.ji.sub.j where i = (i.sub.l-1 ... i.sub.0).sub.2 step2. A .rarw. 0 step3. For i from 1 to t do the following: A .rarw. A + A,A .rarw. A + G.sub.i.sub..sub.t step4. Return (A) where A = g.sub.0e.sub.0 + g.sub.1e.sub.1 + ... + g.sub.l-1e.sub.l-1

[0043] Applying this algorithm to equation (4) it can be seen that there are two group elements, g.sub.0, g.sub.1 namely Q and .lambda.Q, so that 1=2 and two integers e.sub.0, e.sub.1 namely k.sub.0k.sub.1. The algorithm permits precomputation of some of the values and initially G.sub.i is precomputed. The results of precomputation of G.sub.i with t=2 is shown in table 1.

2TABLE 1 i 0 1 2 3 G.sub.i 0 g.sub.0 g.sub.1 g.sub.0 + g.sub.1

[0044] After performing a point addition to construct the point: Q+.psi.(Q). It is possible to fill in table 1 with the computed elements to yield table 2. These elements may be pre-computed and stored in memory as shown at step 58 in FIG. 2.

3TABLE 2 i 0 1 2 3 G.sub.i 0 Q .psi.(Q) Q + .psi.(Q)

[0045] Before step of the algorithm can be performed, G.sub.I, has to be determined and accordingly I.sub.l through I.sub.t have to be found as indicated at 60. A notional matrix or combing table may be constructed using the binary representation of k.sub.i. If, for example, k.sub.0=30 and k.sub.1=10, then t has the value five since the maximum number of bits in the binary representation of k.sub.0 through k.sub.1 is five and the notional matrix constructed from their binary representation is shown in Table 3. I.sub.i is determined by the number represented in the i.sup.th column where the first row contains the least significant bit, the second row contains the next significant bit etc. Therefore it can be seen from table 3 that I.sub.1=I.sub.2(11)=3, I.sub.3=(01)=1, I.sub.4=3, and I.sub.5=0.

4 TABLE 3 i 1 2 3 4 5 k.sub.0 1 1 1 1 0 k.sub.1 0 1 0 1 0 I.sub.i 1 3 1 3 0

[0046] All the components needed to complete the algorithm are available and the iteration of step three is performed as shown at 62.

[0047] Initially A.rarw.O and i is set to 1.

[0048] I.sub.i=I.sub.1 which from table 3 is equal to 1. G.sub.I.sub..sub.1 is therefore G.sub.1 which from table 2 is Q. The value of A from the iteration for I=1 is therefore O+Q=Q.

[0049] For the next iteration where i=2 the initial value of A is Q so A.rarw.Q+Q=2Q I.sub.i=I.sub.2=3 from table 3. G.sub.I.sub..sub.2 therefore equates to G.sub.3 from table 2 which is Q+.psi.(Q).

[0050] A+G.sub.I.sub..sub.1 therefore is computed as 2Q+Q+.psi.Q=3Q+.psi.Q.

[0051] The iterations continue for each value of i set out in table 4 until after the 5.sup.th iteration the value for koq=k, .lambda.Q, i.e. kQ is computed.

5 TABLE 4 i A 1 Q 2 3Q + .psi.(Q) 3 7Q + 2.psi.(Q) 4 15Q + 5.psi.(Q) 5 30Q + 10.psi.(Q)

[0052] Each iteration requires a point doubling (A+A) and a point addition (A+G.sub.I.sub..sub.1) although in some cases the value of G.sub.I.sub..sub.1 may be 0 that will reduce the computation.

[0053] Thus it may be seen that this method will require a number of point doubles equal to max {log.sub.2(k.sub.i)}, and almost as many point additions. The number of point additions can be reduced using windowing (Alg. 14.85 HAC) and exponent recoding techniques. Since the value of i and G.sub.i can be precomputed, the point additions are easily performed by retrieving the appropriate precomputed element G.sub.I from table 2. Once kP has been computed, it maybe used as the correspondents 12 ephemeral public key in encrypting or signing transmissions over the channel 16.

[0054] To summarize, for cryptographic operations like encryption and Diffie-Hellman, signature, an integer k is required with a corresponding public key kQ, computed. The values k.sub.0 and k.sub.1 are chosen at random, each having a length one half the length of n and the term kQ=k.sub.1.lambda.Q generated using a suitable algorithm. When the k's are chosen in this way, the method seems to be as secure as the random generation of k itself. Of course it is possible to choose the k.sub.i's to have fewer bits in order to improve efficiency.

[0055] In the above technique, the method of writing k=k.sub.0+k.sub.1.lambda. in conjunction with simultaneous combing achieves a speed up of the simultaneous multiple addition algorithm. The technique of writing k=k.sub.0+k.sub.1.lambda. may also be used with the scalar multiplication techniques to advantage, namely with winding, combing ,etc.

[0056] For some mappings .psi., it is also possible to use more than two sub k's. It is possible for some .psi.'s to write k=k.sub.0+.sub.1.lambda- .+k.sub.2.lambda..sup.2 allowing the value of k to be computed by applying the simultaneous multiple addition algorithm.

[0057] In a second embodiment of the invention a different form of the generalized elliptic curve equation (1) is used, namely:

y.sup.2=(x.sup.3-ax) mod p (5)

[0058] Once again, p will be a prime number having at least 160 bits. For this type of curve, the properties required for .gamma. are different. It is now required to find a value such that .gamma..sup.2=-1 mod p. A change in the property of .gamma. requires a different mapping function .psi.' to be used, In this embodiment the mapping takes the form .psi.': (x, y).fwdarw.(-x, .gamma.y). If (x,y) is on the curve, then .psi.'(x,y) is also on the curve. In this case .lambda..sup.4.ident.1 mod n (n is still the number of points on E(F.sub.p)), and therefore .lambda. can be calculated. The mapping .psi.'(Q)=.lambda.-Q is performed as before and once again multiplication by .lambda. can be done very efficiently for this curve. The equation for k in this embodiment is the same as in the first embodiment and is represented by:

k=(k.sub.0+k.sub.1.lambda.) mod n (6)

[0059] This equation is the same as in the previous embodiment, having only two group elements. Thus using the group elements Q and Q+.psi.'(Q) in the algorithm 1, the point k-Q may be calculated. This computation will require a number of point doubles equal to max {log.sub.2(k.sub.i)}, and a similar number of point additions. As described earlier the number of point additions can be reduced using windowing and exponent recoding techniques.

[0060] This method applies to other elliptic curves, so long as there exists an efficiently computable endomorphism, .psi..

[0061] The above embodiments assume that k can be chosen at random and therefore k.sub.0 and k.sub.1 can be selected instead and determine k. For cryptographic protocols, where it is not possible to choose k, it is first necessary to find k.sub.0, k.sub.1 of the desired "short" form from the given value of k such that k=(k.sub.0+k.sub.1.lambda.) mod n. In some cases, more than two k's can be used to advantage.

[0062] As may be seen in tie embodiments described above when a point is known beforehand, tables can be built to speed multiplication. However, there are cases when multiples of previously unlmown points are required (for example, this can occur in ECDSA verification) and it is then necessary to take the value of k as provided and then determine suitable representations for k.sub.i.

[0063] Thus in a third embodiment, system parameters and a value k is provided, the point Q, the required multiple k, and the complex multiplication multiple .lambda. are known. It is necessary to determine the "short" k.sub.i's from the value for k, which is predetermined. A method for doing this described as follows and illustrated in the flow chart of FIG. 3. As a pre-computation (not requiring k) we compute two relations:

a.sub.0+b.sub.0.lambda..ident.0 mod n

a.sub.1+b.sub.1.lambda..ident.0 mod n

[0064] such that a.sub.i and b.sub.i are numbers smaller than n. It is preferable that a.sub.i and b.sub.i are as small as possible, however, the present method has advantages even when a.sub.i and b.sub.i are not minimal. The pair, a.sub.i and b.sub.i, where a.sub.i and b.sub.i are both small, can be viewed as a vector, u.sub.i with a smnall Euclidean length, Typically the method described below produces k.sub.0 and k.sub.1 having representations one half the size of the original k.

[0065] In the present embodiment, kQ can be computed efficiently by utilizing precomputed, short vector representations to obtain an expression of the form:

k.sub.0Q+.lambda.k.sub.1Q

[0066] This is accomplished by using precomputed vectors to derive fractions f.sub.0 and f.sub.1 that do not require knowledge of k. A vector z is generated from the combination of fractions f.sub.0 and f.sub.1 and k. The vector z is used to calculate a second vector v' where v'=(vo,v.sub.1) and the value of kQ calculated as

vo.sup.1Q+.lambda.v.sub.1.sup.1Q (8)

[0067] The method of achieving this solution is described below in greater detail.

[0068] To produce small a.sub.i and b.sub.i, it is possible to make use of the L.sup.3--lattice basis reduction algorithm (HAC p.118), which would directly result in short basis vectors. However, in this preferred embodiment the simple extended Euclidean algorithm is employed on the pair (n, .lambda.). The extended Euclidean algorithm on (n, .lambda.) produces linear combinations c.sub.in+d.sub.i.lambda.=r.sub.i, where the representation of r.sub.i (e.g. bit-length) decreases and the representation of c.sub.i and d.sub.i increases with i.

[0069] The two smallest values of .vertline.(d.sub.i, r.sub.i).vertline. resulting from using the extended Euclidean algorithm are saved. The size of these vectors are measured with the squared Euclidean norm .vertline.(d.sub.i,).vertline.=d.sub.i.sup.2+r.sub.1.sup.2. The terms in these minimal relations are denoted {circumflex over (d)}.sub.0, {circumflex over (r)}.sub.0 and {circumflex over (d)}.sub.1, {circumflex over (r)}.sub.1. And will typically occur in the middle of the algorithm. Even if the minimal relations are not retained, suboptimal relations may still give the method an advantage in the calculation of point multiples.

[0070] The values of a.sub.i and b.sub.i are constructed by defining a.sub.0=-{circumflex over (r)}.sub.0, b.sub.0={circumflex over (d)}.sub.0 and a.sub.1=-{circumflex over (r)}.sub.1, b.sub.1=d.sub.0 all of which may be precomputed. The next task is to find a small representation for the multiple k.

[0071] Given the computation of a.sub.0,b.sub.0 and a.sub.i,b.sub.i it is possible to designate the vectors u.sub.0,u1, where u.sub.0=(a.sub.0, b.sub.0) and u.sub.1=(a.sub.1, b.sub.1). These vectors satisfy a.sub.i+b.sub.i.lambda.=0 (mod n). The multiplication of the group elements Q by the vector v=(v.sub.0, v.sub.1) is defined as (v.sub.0+v.sub.1.lambda.)Q. Since a.sub.i+b.sub.i.lambda.0 (mod n), u.sub.0R=u.sub.1R=0 for any group element R. Hence for any integers z.sub.0 and z.sub.1, v'R=(v-z.sub.0u.sub.0-z.sub.1u.sub.1)R for any group element R.

[0072] Integers z.sub.0 and z.sub.1 may be chosen such that the vector v'=v-z.sub.0u.sub.0-z.sub.1u.sub.1 has components that are as small as possible. Again, this method will have an advantage if the components of v' are small, but not necessarily minimally so.

[0073] The appropriate z.sub.0 and z.sub.1 are calculated by converting the basis of v into the basis {u.sub.0, u.sub.1}. The conversion between basis involves matrix multiplication. To convert the vector v=(v.sub.0, v.sub.1) from the {u.sub.0, u.sub.1} basis to the standard orthonormnal basis {(1,0),(0,1)}, 1 v { ( 1 , 0 ) , ( 0 , 1 ) } = v ( u 0 , u 1 ) M = ( v 0 , v 1 ) [ a 0 b 0 a 1 b 1 ]

[0074] To convert in the other direction, from the standard orthonormal basis {(1,0),(0,1)} to the (u.sub.0, u.sub.1) basis, the multiplication is simply by the inverse of M, 2 v ( u 0 , u 1 ) = v { ( 1 , 0 ) , ( 0 , 1 ) } inverse ( M ) = v { ( 1 , 0 ) , ( 0 , 1 ) } 1 a 0 b 1 - a 1 b 0 [ b 1 - b 0 - a 1 a 0 ]

[0075] Since the vector v=k, 0) has a zero component, the bottom row of inverse(M) is not required, and therefore to convert to the {u.sub.0, u.sub.1} basis only the fractions 3 f 0 = b 1 a 0 b 1 - a 1 b 0 and f 1 = b 0 a 0 b 1 - a 1 b 0

[0076] are needed.

[0077] The fractions f.sub.0 and f.sub.1 may be precomputed to enough precision so that this operation may be effected only with multiplication. It should be noted that the computations leading to these fractions do not depend upon k, therefore they can be computed once when the elliptic curve is chosen as a system parameter, and do not need to be recalculated for each k. Similarly the vectors v, u.sub.0 and u.sub.1 may be precomputed and stored.

[0078] Once a value of k is selected or determined the value of kQ may be computed by first calculating z=(z.sub.0, z.sub.1), where z is defined as (z.sub.0, z.sub.1)=(round(kf.sub.0), round(kf.sub.1)). Other vectors near to z will also be useful, therefore rounding could be replaced with floor or ceiling functions or some other approximation.

[0079] Once a suitable z has been deteried, an efficient equivalent to v (k,0) is calculated by v'=(v.sub.0', v.sub.1')=v-z.sub.0u.sub.0-z.sub.1u.- sub.1. The phrase "efficient equivalent" implies a vector v' such that v'P=vP and v' has small coefficients. The value kQ is then calculated as v.sub.0'Q+v.sub.1'.lambda.Q. This value can be calculated using simultaneous point addition as described above, with enhanced efficiency obtained from the use of non-adjacent form (NAF) recoding as described above and as described in H.A.C. 14.7 at page 627, Thus, even where k is predetermined, values of k.sub.0 and k.sub.1 can be computed and used with the mapping function to obtain a value of kQ and hus he key pair k, kQ.

[0080] For the case where k is to be separated into 3 portions k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2, small vectors can be obtained from L.sup.3-row-reducing 4 [ 1 0 - 2 0 1 - 0 0 - n ] to [ u 2 u 1 u 0 ]

[0081] A small vector equivalent (three-dimensional row) can be obtained in a similar way to the two-dimensional case.

[0082] Using these methods to determine the value of k-Q greatly reduces the processing power required by the cryptographic processors 12. It also increases the speed at which these repetitive calculations can be done which, in turn, reduces the time to transfer information.

[0083] It will be appreciated that once the scalar multiple k has been represented in terms of shortened components k=k.sub.0+k.sub.1.lambda.+k.- sub.2.lambda.+. . . k.sub.m-1.lambda..sup.m-1, other options for efficient elliptic curve scalar multiplication may be used in place of or in conjunction with the simultaneous multiple addition algorithm. These options include windowing (fixed and sliding), combing, bit recoding and combinations of these techniques.

[0084] One particularly beneficial technique permits tables built for one component of the multiplication, say k.sub.0, to be reused for other components k.sub.1 etc. This is accomplished by transforming the computed table elements by applying the mapping .gamma. as required.

[0085] As a further exemplification, an embodiment where k can be recast as k=k.sub.0+k.sub.1.lambda.+k.sub.2.lambda..sup.2, where k has m-bits and k.sub.i have roughly m/3 bits is described below.

[0086] Once the components ki have been determined, they may be recoded from the binary representation to the signed binary representation having less non-zero bits. This recoding can take the Non-Adjacent-Form (NAF), where every 1 or -1 bit in the representation if k.sub.i is non-adjacent to another non-zero in the signed binary string. This recoding is described in H.A.C. 14.7 p. 627.

[0087] Once each k.sub.i has been recoded, a table can be constructed to aid in computing k.sub.i.lambda..sup.iP.

[0088] A NAF windowing table precomputes certain short-bit length multiples of .lambda..sup.iP. The width of the window determines the size of the table. As k.sub.i has been recordedto have no adjacent non zeros, odd window widths are suitable. A 3-bit wide NAF window would contain

6 1 101 10 - 1

[0089] The recoded k.sub.i values are built by concatenating these windows, and padding where necessary with zeros (H.A.C., p. 616).

[0090] The required number of additions can be reduced with use of this table, since it is necessary to add or subtract an EC point only for every window encountered instead of for every non zero bit.

[0091] Initially therefore this technique is applied to the computation of k.sub.0P.

[0092] The table built for the k.sub.0P calculation can be applied to the k,.lambda.P calculation if the table elements are mapped with the .psi. mapping using the operator .gamma.. Similarly, k.sub.2.lambda..sup.2P can be accelerated by using the table built for k.sub.0P, but mapping the table elements with .gamma..sup.2.

[0093] In applying the sliding window technique to the components, only one set of doublings need be performed.

[0094] To illustrate this example of a preferred embodiment the following example will be used:

If k=[1011010111101].sub.2+[111010101101].sub.2.lambda.,

[0095] then recoding

[0096] k=[10-100-10-100-101]+[1000-10-10-10-101].lambda., =k.sub.0'=k.sub.1'.lambda.

[0097] A 3-bit window table on P is precomputed containing 1.multidot.P, [10-1].multidot.P, [101].multidot.P. This requires two EC additions, and two EC doublings.

[0098] After this, kP can be calculated as

kP=[10-100-10-100-101]P+[1000-10-10-10-101].multidot..lambda.P

[0099] by adding/subtracting elements from the table.

[0100] This can be done using an accumulator A as follows:

7 A .rarw. 0 ; initialize A += .psi.(1 .multidot. P) ; consuming the top bit of k.sub.0.sup.r A .rarw. 2A ; double A A .rarw. 2A A .rarw. [10 - 1] P ; consuming the top 3 bits of k.sub.0.sup.r A .rarw. 2.sup.4A ; A -= [101].psi.P ; consuming a 3 bit window of k.sub.1.sup.r A .rarw. 2A ; double A A -= [101]P ; consuming 3 bits of k.sub.1.sup.r A .rarw. 2.sup.4A A -= [101].psi.P ; consuming 3 bits of k.sub.1.sup.r A .rarw. 2.sup.2A A -= [10 - 1]P ; consuming the last of k.sub.0.sup.r A += .psi.P ; producing kP.

[0101] It will be recognized from the above example that the windows in k.sub.0 and k.sub.1 need not be aligned. This is evidenced by the fact that the accumulator is doubled between computations of the windows in k.sub.0 and the computations of the windows in k.sub.1, indicating a shift of window between evaluating k.sub.0P and k.sub.1P.

[0102] In summary, the previously described technique is as follows. Given an elliptic curve E and an endomorphism .psi., there corresponds an integer .lambda. such that .lambda.Q=.psi.(Q) for all points Q.di-elect cons.E. Select an integer m and compute an equivalent number m of "short basis vectors" b.sub.1, b.sub.2, . . . , bm . . . Each such basis vector corresponds to an integer, and each such integer is divisible by the number of points n=#E(F.sub.p.sup.m) (i.e. the number of points). Now, given an integer k, (0<k<n), we write k=.SIGMA.k.sub.i.multidot..la- mbda..sup.1, where the k.sub.i's are chosen to be "short". This is done by finding the difference between a certain vector (which represents k) and a nearby vector in the lattice generated by b.sub.1, b.sub.2, . . . , b.sub.m.

[0103] The following embodiment explicitly describes an application of the previously described technique (endomorphism and basis conversion and "Shamir's trick") to elliptic curves defined over composite fields. In particular, we describe an application to curves E(F.sub.p.sup.m) where p is an odd prime is described. The following embodiments exemplify techniques for such curves.

[0104] This technique is described in the case where the map .psi. is the Frobenius map .psi.(x,y)=(x.sup.p,y.sup.p) and E'.sub.A,B(F.sub.p.sup.m) where A,B.di-elect cons.F.sub.p.

[0105] In this case, it is known that the Frobenius map satisfies the .psi..sup.2-t.psi.+p=0, where t=p+1-#E(F.sub.p.sup.m).

[0106] It follows that .lambda..sup.2-t.lambda.+p=0 mod n and so .lambda..sup.2-I-p.lambda..sup.i=0 mod n.

[0107] Note that the vectors;

8 (.lambda..sup.m-1 . . . .lambda..sup.2, .lambda..sup.1, .lambda..sup.0) b.sub.1 (0, 0, 0, . . . 0, 1, -t, p) b.sub.2 ( 1, -t, p, 0) (1, -t, p, 0, 0, . . . . . ., 0) (-t, p, 0, 0, . . . . . ., 0, 1) b.sub.m (p, 0, 0, 0, . . . 0, 1, -t)

[0108] consist of m "short" basis vectors of the vector space Q.sup.n. It follows that to compute k-Q on such a curve we can proceed using the vectors b.sub.1,b.sub.2. . . b.sub.m and the technique described previously.

[0109] In the above embodiments it will be appreciated that k,.lambda.Q can be obtained from .psi.(kQ) is the mapping is more efficient than addition.

[0110] In a firther embodiment, the above methods are used to verify a digital signature on a message. A sender sends a message m, a signature component s, and a short term public key R=kP. As indicated above, in a typical digital signature protocol, the signature component s is generated using the formula s=ae+k. The value a is a long term private key of the sender, and e is a hash of the message m.

[0111] Verification requires computing the value sP=eQ which should correspond to R, where Q=aP is a long term public key of the sender. This is the case since k=s-ae.

[0112] Accordingly, Algorithm 1 may be applied to compute a sum g.sub.0e.sub.0+g.sub.1e.sub.1 of scalar multiples of two group elements go and go, where the scalars are s and -e and the group elements are P and Q. A further improvement is obtained by using the NAF as above.

[0113] For ease of explanation, the method will be illustrated for computing .alpha.P+.beta.Q. In the preferred embodiment of verfying a signature, .alpha.=s and .beta.=-e.

[0114] In this case, it may no longer be possible to reuse tables built for one component of the multiplication for other components, unless the relationship between the points P and Q is known to the verifier. Usually, the verifier knows P and Q, but not the scalar a that related P and Q (i.e. Q=aP). In this case, it is necessary to use a table for each of P and Q. Then a sliding window method may be used by adding/subtracting elements from the tables.

[0115] The following example illustrates this embodiment:

If .alpha.=[101101011101].sub.2 and .beta.=[111010101101].sub.2,

then k=[1011010111].sub.2+[111010101101].sub.2 a,

and recoding .alpha.=[10-100-10-100-101].sub.2 and .beta.=[1000-10-10-10-1- 01].sub.2,

[0116] A 3-bit window table on P and a 3-bit window table on Q are precomputed containing 1.multidot.P, [10-1].multidot.P, [101].multidot.P and 1.multidot.Q, [10-1].multidot.Q, [101].multidot.Q respectively. This requires two EC additions, and two EC doublings for each table.

[0117] After this, kP can be calculated as

kP=.alpha.P+.beta.Q=[10-100-10-100-101]P +[1000-10-10-10-101].multidot.Q

[0118] by adding/subtracting elements from the tables.

[0119] This can be done using an accumulator A as follows:

9 A .rarw. 0 ; initialize A += 1 .multidot. Q ; consuming the top bit of .beta. A .rarw. 2A ; double A A .rarw. 2A A += [10 - 1]P ; consuming the top 3 bits of .alpha. A .rarw. 2.sup.4A ; A -= [101]Q ; consuming a 3 bit window of .beta. A .rarw. 2A ; double A A -= [101]P ; consuming 3 bits of .beta. A .rarw. 2.sup.4A A -= [101]Q ; consuming 3 bits of .beta. A .rarw. 2.sup.2A A -= [10 - 1]P ; consuming the last of .alpha. A += Q ; producing kP.

[0120] The signature is accepted as originating from the sender if the calculated value of kP is equal to the value of R received with the signature.

[0121] Again, it will be appreciated that the windows need not be aligned and that shiting of the windows produces a double of the accumulator for each bit shift of the window.

[0122] Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

Claims

We claim:

1. A method for multiplying an elliptic curve point Q(x,y) by a scalar to provide a point kQ, the method comprising the steps of: a) selecting an elliptic curve over a finite field F such that there exists an endomorphism .psi. where .psi.(Q)=.lambda..multidot.Q for all points Q(x,y) on the elliptic curve, and .lambda. is an integer, b) establishing a representation of said scalar k as a combination of components k.sub.i and said integer .lambda.c) combining said representation and said point Q to form a composite representation of a multiple corresponding to kQ and d) computing a value corresponding to said point kQ from said composite representation of kQ.

2. A method according to claim 1 wherein each of said components k.sub.i is shorter than said scalar k.

3. A method according to claim 1 wherein said components k.sub.i are initially selected and subsequently combined to provide said scalar k.

4. A method according to claim 1 wherein said representation is of the form 5 k i = i = 0 i = k i i mod n where n is the number of points on the elliptic curve.

5. A method according to claim 4 wherein said representation is of the form k.sub.0+k.sub.1.

6. A method according to claim 1 wherein said scalar k has a predetermined value and said components k.

7. A method according to claim 3 wherein said value of said multiple kQ is calculated using simultaneous multiple addition.

8. A method according to claim 7 wherein grouped terms G.sub.I utilized in said simultaneous multiple addition are precomputed.

9. A method according to claim 6 wherein said components k.sub.i are obtained by obtaining short basis vectors (u.sub.0, u.sub.1) of the field F, designating a vector v as (k,O), converting v from a standard, orthonomal basis to the (u.sub.0,u.sub.1) basis, to obtain fractions f.sub.0f.sub.1 representative of the vector v, applying said fractions to k to obtain a vector z, calculating an efficient equivalent v' to the vector v and using components of the vector v' in the composite representation of kQ.

10. A method of generating in an elliptic curve cryptosystem a key pair having a integer k providing a private key and a public key kQ, where Q is a point on the curve, a) selecting an elliptic curve over a finite field F such that there exists an endomorphism .psi. where .psi.(Q)=.lambda.Q for all points Q (x,y) on the elliptic curve, .lambda. is an integer, b) establishing a representation of said key k as a combination of components k.sub.i and said integer .lambda., c) combining said representation and said point Q to form a composite representation of a multiple corresponding to the public key kQ and d) computing a value corresponding to said key kQ from said composite representation of kQ.

11. A method according to claim 10 including a method according to any one of claims 2 to 9.

12. A method of computing a coordinate of a point kP on an elliptic curve resulting from a point multiplication of an initial point P by a scalar k, said method comprising the steps of: a) decomposing said scalar k into a pair of components k.sub.0, k.sub.1 for point multiplication to obtain respective points on said curve which when combined provide said point kP; b) determining a signed representation in non-adjacent form of each of said first and second components; c) generating a table having a plurality of signed bit combinations contained in said representations and corresponding point multiples of said combinations to provide portions of said respective points; d) establishing for each of said representations a window having a width less then the length of each of said representations; e) initiating a sequential examination of said representations by said windows to obtain a position for one of said windows in one of said representations contaning a respective one of said combinations in said table; f) retrieving from said table the one of said point multiples corresponding to said respective one of said signed bit combinations in said table to obtain therefrom one of said portions; g) accumulating said portion and continuing examination of said representations with a doubling of said accumulator for each bit-wise shift of said windows to obtain a representation of said coordinate of said point kP in said accunulator.

13. A method according to claim 12, wherein one of said respective points is derived from said initial point P and one of said components using an endomorphism of said curve.

14. A method according to claim 13, wherein said portions of said one of said respective points are derived from portions of the other of said respective points using said endomorphism.

15. A method according to claim 12, wherein one of said respective points is derived from said initial point P, one of said components, and a private key.

16. A method according to claim 15, wherein said portions of said respective points are precomputed and stored in said table.