US 20020057796 A1 Abstract This invention provides a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field Fq where q is a prime power such that there exists an endomorphism ψ, where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representations k_{i} of the scalar k in combination with the mapping ψ to compute the scalar multiple of the elliptic curve point Q. Claims(16) 1. A method for multiplying an elliptic curve point Q(x,y) by a scalar to provide a point kQ, the method comprising the steps of:
a) selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve, and λ is an integer, b) establishing a representation of said scalar k as a combination of components k_{i} and said integer λ, c) combining said representation and said point Q to form a composite representation of a multiple corresponding to kQ and d) computing a value corresponding to said point kQ from said composite representation of kQ. 2. A method according to _{i }is shorter than said scalar k. 3. A method according to _{i }are initially selected and subsequently combined to provide said scalar k. 5. A method according to _{0}+k_{1}. 6. A method according to 7. A method according to 8. A method according to _{I }utilized in said simultaneous multiple addition are precomputed. 9. A method according to _{i }are obtained by obtaining short basis vectors (u_{0}, u_{1}) of the field F, designating a vector v as (k,0), converting v from a standard, orthonormal basis to the (u_{0},u_{1}) basis, to obtain fractions f_{0}, f_{1} representative of the vector v, applying said fractions to k to obtain a vector z, calculating an efficient equivalent v′ to the vector v and using components of the vector v′ in the composite representation of kQ. 10. A method of generating in an elliptic curve cryptosystem a key pair having an integer k providing a private key and a public key kQ, where Q is a point on the curve,
a) selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ where ψ(Q)=λQ for all points Q (x,y) on the elliptic curve, λ is an integer, b) establishing a representation of said key k as a combination of components k _{i }and said integer λ, c) combining said representation and said point Q to form a composite representation of a multiple corresponding to the public key kQ and d) computing a value corresponding to said key kQ from said composite representation of kQ. 11. A method according to 12. A method of computing a coordinate of a point kP on an elliptic curve resulting from a point multiplication of an initial point P by a scalar k, said method comprising the steps of:
a) decomposing said scalar k into a pair of components k_{0}, k_{1} for point multiplication to obtain respective points on said curve which when combined provide said point kP; b) determining a signed representation in non-adjacent form of each of said first and second components; c) generating a table having a plurality of signed bit combinations contained in said representations and corresponding point multiples of said combinations to provide portions of said respective points; d) establishing for each of said representations a window having a width less than the length of each of said representations; e) initiating a sequential examination of said representations by said windows to obtain a position for one of said windows in one of said representations containing a respective one of said combinations in said table; f) retrieving from said table the one of said point multiples corresponding to said respective one of said signed bit combinations in said table to obtain therefrom one of said portions; g) accumulating said portion and continuing examination of said representations with a doubling of said accumulator for each bit-wise shift of said windows to obtain a representation of said coordinate of said point kP in said accumulator. 13. A method according to 14. A method according to 15. A method according to 16. A method according to Description [0001] This invention relates to a method for performing computations in cryptographic systems utilizing elliptic curves. [0002] This application is a continuation-in-part of U.S. patent application Ser. No. 09/885,959, filed on Jun. 22, 2001, which is a continuation of International Application No. PCT/CA99/01222, filed on Dec. 23, 1999, and claims the priority of Canadian Patent Application No. 2,257,008, filed on Dec. 24, 1998, the content of all of which is incorporated herein by reference. [0003] A public-key data communication system may be used to transfer information between a pair of correspondents.
At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender and the recipient may perform a complementary mathematical operation to decipher the information. [0004] Each correspondent has a private key and a public key that is mathematically related to the private key. The relationship is such that it is not feasible to determine the private key from knowledge of the public key. The keys are used in the transfer of data, either to encrypt data that is to be transferred or to attach a signature to allow verification of the authenticity of the data. [0005] For encryption, one correspondent uses the public key of the recipient to encrypt the message and sends it to the recipient. The recipient then uses her private key to decipher the message. [0006] A common key may also be generated by combining one party's public key with the other party's private key. It is usual in such cases to generate new private and corresponding public keys for each communication session, usually referred to as session keys or ephemeral keys, so that compromise of a session does not expose the long-term keys of the parties. [0007] The exchange of messages and generation of the public keys may therefore involve significant computation: exponentiation when the cryptographic system utilizes Z*_p, the multiplicative group of the integers mod p where p is a prime, or the analogous operation of point multiplication when the system utilizes an elliptic curve. In an elliptic curve system, an ephemeral key pair is obtained by generating a secret integer k and performing a point multiplication on the seed point Q to provide the ephemeral public key kQ. Similarly, the generation of a common ephemeral session key will require multiplication of a public key k [0008] A similar procedure is used to sign a message except that the sender applies his private key to the message. This permits any recipient to recover and verify the message using the sender's public key.
[0009] Various protocols exist for implementing such a scheme and some have been widely used. In each case, however, the sender is required to perform a computation to sign the information to be transferred and the receiver is required to perform a computation to verify the signed information. [0010] In a typical implementation a signature component s has the form:— s=ae+k (mod n) [0011] where, in an elliptic curve cryptosystem, [0012] P is a point on the underlying curve which is a predefined parameter of the system; [0013] k is a random integer selected as a short term private or session key; [0014] R=kP is the corresponding short term public key; [0015] a is the long term private key of the sender; [0016] Q=aP is the sender's corresponding public key; [0017] e is a secure hash, such as the SHA-1 hash function (the example of the 1998 filing; SHA-1 is no longer considered collision resistant), of a message m and the short term public key R; and [0018] n is the order of the curve (for a prime-order curve, equally the order of P). [0019] The sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value R [0020] In order to perform the verification it is necessary to compute the point multiplications to obtain sP and eQ, each of which is computationally complex. Where the recipient has adequate computing power this does not present a particular problem, but where the recipient has limited computing power, such as in a secure token or a "Smart card" application, the computations may introduce delays in the verification process. [0021] Key generation and signature protocols may therefore be computationally intensive. As cryptography becomes more widely used there is an increasing demand to implement cryptographic systems that are faster and that use limited computing power, such as may be found on a smart card or wireless device. [0022] Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC permits reductions in key and certificate size that translate to smaller memory requirements and significant cost savings.
ECC can not only significantly reduce the cost, but also accelerate the deployment of smart cards in next-generation applications. Additionally, although the ECC algorithm allows for a reduction in key size, the same level of security as other algorithms with larger keys is maintained. [0023] However, there is still a need to perform faster calculations on the keys so as to speed up the information transfer while maintaining a low cost of production of cryptographic devices. [0024] Computing multiples of a point on an elliptic curve is one of the most frequent computations performed in elliptic curve cryptography. One method of speeding up such computations is to use tables of precomputed multiples of a point. This technique is more useful when a point is known beforehand. However, there are cases when multiples of previously unknown points are required (for example, in ECDSA verification). Thus there is a need for a system and method for facilitating point multiplications. [0025] In general terms, the present invention represents the scalar k as a combination of components k [0026] The method is based on the observation that, given an elliptic curve (EC) having a complex multiplication mapping over a finite field, there is an integer λ, which is the solution to a quadratic, for which the complex multiplication mapping is equivalent to multiplying a point Q by λ. It will often be less computationally expensive to compute λQ via the complex multiplication map, compared to treating λ as an integer and performing the EC multiplication. In practice, point multiplication by other scalars (not just λ) is required. It is also shown how the multiplication mapping may be used to compute other multiples of the point.
[0027] In accordance with this invention there is provided a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of: selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ, where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representation k [0028] These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein: [0029]FIG. 1 is a schematic diagram of a communication system; [0030]FIG. 2 is a flow chart showing the steps of implementing a first embodiment of the present invention. [0031]FIG. 3 is a flow chart showing the steps of providing parameters required to implement the method of FIG. 2. [0032] For convenience in the following description, like numerals refer to like structures in the drawings. Referring to FIG. 1, a data communication system [0033] The cryptographic processors [0034] A method for accelerating scalar multiplication of an elliptic curve point Q(x,y) is shown in FIG. 2 and indicated generally by the numeral y [0035] over a finite field, exemplified as F [0036] Referring now to FIG. 2, a flow chart of a general embodiment for accelerating point multiplication on an elliptic curve, is shown by numeral E:y [0037] Firstly, the modulus p can be determined such that there is a number, γ where γ ∈ F [0038] After the curve E has been selected, a mapping function ψ is determined. The mapping function ψ: (x,y)→(γx, y) simply maps one set of points on the curve to another set of points on the curve. There exists an integer λ such that ψ(Q)=λ·Q for all points Q(x,y) of interest on the elliptic curve, E.
This integer λ may be found by noting that λ [0039] A seed point Q is selected and the system parameters E, p, Q, λ, ψ(Q), and γ are stored in the card [0040] The value of k may be expressed as:— k=(k [0041] where n is the number of points on E(F k·Q=(k [0042] For some cryptographic operations the value of k may be chosen at random and in these cases, rather than select k, it is possible to select values for k
[0043] Applying this algorithm to equation (4) it can be seen that there are two group elements, g
[0044] After performing a point addition to construct the point Q+ψ(Q), it is possible to fill in table 1 with the computed elements to yield table 2. These elements may be pre-computed and stored in memory as shown at step 58 in FIG. 2.
[0045] Before step of the algorithm can be performed, G
[0046] All the components needed to complete the algorithm are available and the iteration of step three is performed as shown at 62. [0047] Initially A←O and i is set to 1. [0048] I [0049] For the next iteration where i=2 the initial value of A is Q so A←Q+Q=2Q I [0050] A+G [0051] The iterations continue for each value of i set out in table 4 until after the 5
[0052] Each iteration requires a point doubling (A+A) and a point addition (A+G [0053] Thus it may be seen that this method will require a number of point doubles equal to max {log [0054] To summarize, for cryptographic operations like encryption, Diffie-Hellman and signature, an integer k is required with a corresponding public key kQ computed. The values k [0055] In the above technique, the method of writing k=k [0056] For some mappings ψ, it is also possible to use more than two sub k's. It is possible for some ψ's to write k=k [0057] In a second embodiment of the invention a different form of the generalized elliptic curve equation (1) is used, namely: y [0058] Once again, p will be a prime number having at least 160 bits. For this type of curve, the properties required for γ are different. It is now required to find a value such that γ k=(k [0059] This equation is the same as in the previous embodiment, having only two group elements. Thus using the group elements Q and Q+ψ′(Q) in the algorithm 1, the point k·Q may be calculated. This computation will require a number of point doubles equal to max {log [0060] This method applies to other elliptic curves, so long as there exists an efficiently computable endomorphism, ψ. [0061] The above embodiments assume that k can be chosen at random and therefore k [0062] As may be seen in the embodiments described above, when a point is known beforehand, tables can be built to speed multiplication. However, there are cases when multiples of previously unknown points are required (for example, this can occur in ECDSA verification) and it is then necessary to take the value of k as provided and then determine suitable representations for k [0063] Thus in a third embodiment, system parameters and a value k are provided: the point Q, the required multiple k, and the complex multiplication multiple λ are known.
It is necessary to determine the "short" k a a [0064] such that a [0065] In the present embodiment, kQ can be computed efficiently by utilizing precomputed, short vector representations to obtain an expression of the form: k [0066] This is accomplished by using precomputed vectors to derive fractions f vo [0067] The method of achieving this solution is described below in greater detail. [0068] To produce small a [0069] The two smallest values of |(d [0070] The values of a [0071] Given the computation of a [0072] Integers z [0073] The appropriate z [0074] To convert in the other direction, from the standard orthonormal basis {(1,0),(0,1)} to the (u [0075] Since the vector v=(k, 0) has a zero component, the bottom row of inverse(M) is not required, and therefore to convert to the {u [0076] are needed. [0077] The fractions f [0078] Once a value of k is selected or determined the value of kQ may be computed by first calculating z=(z [0079] Once a suitable z has been determined, an efficient equivalent to v=(k,0) is calculated by v′=(v [0080] For the case where k is to be separated into 3 portions k=k [0081] A small vector equivalent (three-dimensional row) can be obtained in a similar way to the two-dimensional case. [0082] Using these methods to determine the value of k·Q greatly reduces the processing power required by the cryptographic processors [0083] It will be appreciated that once the scalar multiple k has been represented in terms of shortened components k=k [0084] One particularly beneficial technique permits tables built for one component of the multiplication, say k [0085] As a further exemplification, an embodiment where k can be recast as k=k [0086] Once the components k_{i} have been determined, they may be recoded from the binary representation to the signed binary representation having fewer non-zero bits.
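The decomposition of paragraphs [0063] to [0079] carried through in code. This is an added example, not code from the patent. It takes the published secp256k1 domain parameters, whose curve y²=x³+7 over F_p carries exactly the map ψ(x,y)=(γx,y) of [0038] with γ a cube root of unity mod p; derives γ and λ (λ being the root of λ²+λ+1≡0 mod n, the quadratic of [0026]); obtains short basis vectors from the extended Euclidean remainder sequence on (n, λ), which is the Gallant-Lambert-Vanstone construction and an assumption here, since the patent's own way of producing (u0, u1) is not reproduced above; then rounds the fractions f0, f1 to integers z and forms v′=v−zM as in [0072] to [0079]. The sample scalar is constructed, and the plain affine point arithmetic is only there to check the identity k0·Q+k1·ψ(Q)=kQ:

```python
import math

# Published secp256k1 parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; also covers doubling and p + (-p)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope, curve coefficient a = 0
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Plain left-to-right double-and-add; a negative k multiplies by -pt."""
    if k < 0:
        k, pt = -k, (pt[0], -pt[1] % P)
    acc = INF
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc

def cube_root_of_unity(m):
    """A non-trivial cube root of 1 modulo the prime m (needs 3 | m - 1)."""
    g = 2
    while pow(g, (m - 1) // 3, m) == 1:   # g is itself a cube; try the next base
        g += 1
    return pow(g, (m - 1) // 3, m)

GAMMA = cube_root_of_unity(P)   # the patent's gamma: (gamma*x)^3 = x^3, so psi keeps points on E

def psi(pt):
    return (GAMMA * pt[0] % P, pt[1])

# psi has order 3, so lambda^3 = 1 (mod N), i.e. lambda^2 + lambda + 1 = 0 (mod N): the
# quadratic of [0026].  Of the two non-trivial roots keep the one with lambda*G == psi(G).
LAMBDA = cube_root_of_unity(N)
if ec_mul(LAMBDA, G) != psi(G):
    LAMBDA = LAMBDA * LAMBDA % N

def short_basis(n, lam):
    """Two short vectors (a, b) with a + b*lam = 0 (mod n), read off the remainder sequence
    of the extended Euclidean algorithm on (n, lam) (the GLV construction, assumed here)."""
    rows = [(n, 0)]                        # (r_i, -t_i) where r_i = s_i*n + t_i*lam
    r0, r1, t0, t1 = n, lam, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
        rows.append((r0, -t0))
    root = math.isqrt(n)
    m = max(i for i, (r, _) in enumerate(rows) if r >= root)   # last remainder >= sqrt(n)
    u0 = rows[m + 1]
    cands = [rows[m]] + ([rows[m + 2]] if m + 2 < len(rows) else [])
    u1 = min(cands, key=lambda v: v[0] * v[0] + v[1] * v[1])
    return u0, u1

def decompose(k, n, lam):
    """[0072]-[0079]: express v = (k, 0) in the (u0, u1) basis, round the fractions to
    integers z, and return v' = v - z*M; its components satisfy k0 + k1*lam = k (mod n)."""
    (a1, b1), (a2, b2) = short_basis(n, lam)
    det = a1 * b2 - a2 * b1
    if det < 0:                            # negate u1 so det > 0; it stays a lattice vector
        a2, b2, det = -a2, -b2, -det
    # Only the top row (b2, -b1)/det of inverse(M) is needed because v's second entry is 0.
    nearest = lambda num: (2 * num + det) // (2 * det)
    z0, z1 = nearest(k * b2), nearest(-k * b1)
    k0 = k - z0 * a1 - z1 * a2
    k1 = -(z0 * b1 + z1 * b2)
    return k0, k1

def glv_mul(k, pt):
    """k*pt as k0*pt + k1*psi(pt), the composite representation of claim 1(c)-(d)."""
    k0, k1 = decompose(k, N, LAMBDA)
    return ec_add(ec_mul(k0, pt), ec_mul(k1, psi(pt)))

if __name__ == "__main__":
    k = 2**200 + 987654321                 # constructed sample scalar
    k0, k1 = decompose(k, N, LAMBDA)
    print(k.bit_length(), k0.bit_length(), k1.bit_length())
    print(glv_mul(k, G) == ec_mul(k, G))
```

The two components come out at roughly half the bit length of the group order, so the doubling chain of the simultaneous multiplication is half as long; ψ(pt) costs one field multiplication instead of a scalar multiplication by λ, which is the saving [0026] describes.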
This recoding can take the Non-Adjacent-Form (NAF), where every 1 or −1 bit in the representation of k [0087] Once each k [0088] A NAF windowing table precomputes certain short-bit length multiples of λ
[0089] The recoded k [0090] The required number of additions can be reduced with use of this table, since it is necessary to add or subtract an EC point only for every window encountered instead of for every non zero bit. [0091] Initially therefore this technique is applied to the computation of k [0092] The table built for the k [0093] In applying the sliding window technique to the components, only one set of doublings need be performed. [0094] To illustrate this example of a preferred embodiment the following example will be used: If k=[1011010111101] [0095] then recoding [0096] k=[10−100−10−100−101]+[1000−10−10−10−101]λ, =k [0097] A 3-bit window table on P is precomputed containing 1·P, [10−1]·P, [101]·P. This requires two EC additions, and two EC doublings. [0098] After this, kP can be calculated as kP=[10−100−10−100−101]P+[1000−10−10−10−101]·λP [0099] by adding/subtracting elements from the table. [0100] This can be done using an accumulator A as follows:
[0101] It will be recognized from the above example that the windows in k [0102] In summary, the previously described technique is as follows. Given an elliptic curve E and an endomorphism ψ, there corresponds an integer λ such that λQ=ψ(Q) for all points Q∈E. Select an integer m and compute an equivalent number m of “short basis vectors” b [0103] The following embodiment explicitly describes an application of the previously described technique (endomorphism and basis conversion and “Shamir's trick”) to elliptic curves defined over composite fields. In particular, we describe an application to curves E(F [0104] This technique is described in the case where the map ψ is the Frobenius map ψ(x,y)=(x [0105] In this case, it is known that the Frobenius map satisfies the ψ [0106] It follows that λ [0107] Note that the vectors;
[0108] consist of m "short" basis vectors of the vector space Q [0109] In the above embodiments it will be appreciated that kλQ can be obtained as ψ(kQ) if the mapping is more efficient than addition. [0110] In a further embodiment, the above methods are used to verify a digital signature on a message. A sender sends a message m, a signature component s, and a short term public key R=kP. As indicated above, in a typical digital signature protocol, the signature component s is generated using the formula s=ae+k. The value a is a long term private key of the sender, and e is a hash of the message m. [0111] Verification requires computing the value sP−eQ which should correspond to R, where Q=aP is a long term public key of the sender. This is the case since k=s−ae. [0112] Accordingly, Algorithm 1 may be applied to compute a sum g [0113] For ease of explanation, the method will be illustrated for computing αP+βQ. In the preferred embodiment of verifying a signature, α=s and β=−e. [0114] In this case, it may no longer be possible to reuse tables built for one component of the multiplication for other components, unless the relationship between the points P and Q is known to the verifier. Usually, the verifier knows P and Q, but not the scalar a that relates P and Q (i.e. Q=aP). In this case, it is necessary to use a table for each of P and Q. Then a sliding window method may be used by adding/subtracting elements from the tables. [0115] The following example illustrates this embodiment: If α=[101101011101] then k=[1011010111] and recoding α=[10−100−10−100−101] [0116] A 3-bit window table on P and a 3-bit window table on Q are precomputed containing 1·P, [10−1]·P, [101]·P and 1·Q, [10−1]·Q, [101]·Q respectively. This requires two EC additions, and two EC doublings for each table. [0117] After this, kP can be calculated as kP=αP+βQ=[10−100−10−100−101]P+[1000−10−10−10−101]·Q [0118] by adding/subtracting elements from the tables.
[0119] This can be done using an accumulator A as follows:
[0120] The signature is accepted as originating from the sender if the calculated value of kP is equal to the value of R received with the signature. [0121] Again, it will be appreciated that the windows need not be aligned and that shifting of the windows produces a double of the accumulator for each bit shift of the window. [0122] Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.
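The NAF recoding, window table and shared-doubling accumulator of paragraphs [0086] to [0100], together with the two-table form used for αP+βQ in [0110] to [0120], as one added example; this is not the patent's own accumulator table, which is not reproduced above. The group is abstracted to identity, add, double and neg. So that the block runs without curve arithmetic it is instantiated with a constructed stand-in, the integers mod m under addition, which also counts operations so the saving the text describes (one addition per window, one doubling per bit shift) can be checked; the same functions run unchanged on elliptic curve points given a point add and double. The scalars 2909 and 3757 are the values whose NAFs appear in [0096]; the modulus, base element, keys and hash value are constructed:

```python
# Group interface: any object with .identity, .add(a, b), .double(a), .neg(a).

class ModGroup:
    """Constructed stand-in group Z_m (+) that also counts doublings and additions."""
    def __init__(self, m):
        self.m, self.identity = m, 0
        self.doubles = self.adds = 0

    def add(self, a, b):
        self.adds += 1
        return (a + b) % self.m

    def double(self, a):
        self.doubles += 1
        return (2 * a) % self.m

    def neg(self, a):
        return (-a) % self.m

def naf(k):
    """Non-adjacent form of k, most significant digit first, digits in {-1, 0, 1};
    a negative k just negates the digits of |k|."""
    sign, k, digits = (-1 if k < 0 else 1), abs(k), []
    while k:
        d = 0
        if k & 1:
            d = 2 - (k & 3)          # +1 if k = 1 (mod 4), -1 if k = 3 (mod 4)
            k -= d
        digits.append(sign * d)
        k >>= 1
    return digits[::-1]

def windows(digits, w):
    """Sliding windows of width <= w over a NAF: each window starts and ends on a non-zero
    digit, so its value is odd.  Returns (bit position of the window's last digit, value)."""
    out, i, n = [], 0, len(digits)
    while i < n:
        if digits[i] == 0:
            i += 1
            continue
        j = min(i + w, n)
        while digits[j - 1] == 0:
            j -= 1                   # shrink until the window ends on a non-zero digit
        val = 0
        for d in digits[i:j]:
            val = 2 * val + d
        out.append((n - j, val))
        i = j
    return out

def window_table(grp, pt, w):
    """Odd multiples {1: P, 3: 3P, ...} up to the largest value of a w-digit NAF window,
    2^(w+1) // 3 (5 for w = 3, i.e. the page's table 1P, [10-1]P, [101]P)."""
    table, twice, cur = {1: pt}, grp.double(pt), pt
    for v in range(3, 2 ** (w + 1) // 3 + 1, 2):
        cur = grp.add(cur, twice)
        table[v] = cur
    return table

def multi_scalar_mul(grp, scalars, points, w=3):
    """sum(k_i * P_i) with one shared doubling chain and one window table per point.
    Returns (result, doublings, additions), counted over the main loop only."""
    tables = [window_table(grp, pt, w) for pt in points]
    nafs = [naf(k) for k in scalars]
    sched = [dict(windows(d, w)) for d in nafs]   # per component: bit position -> window value
    top = max([len(d) for d in nafs] + [0])
    grp.doubles = grp.adds = 0
    acc = grp.identity
    for pos in range(top - 1, -1, -1):
        if pos != top - 1:
            acc = grp.double(acc)                 # one doubling per bit shift of all windows
        for table, s in zip(tables, sched):
            v = s.get(pos)
            if v:
                term = table[v] if v > 0 else grp.neg(table[-v])
                acc = grp.add(acc, term)
    return acc, grp.doubles, grp.adds

def verify_signature(grp, s, e, base, pub, R):
    """[0110]-[0120]: accept iff s*P - e*Q == R, as one simultaneous multiplication with
    alpha = s and beta = -e."""
    lhs, _, _ = multi_scalar_mul(grp, [s, -e], [base, pub])
    return lhs == R
```

On the page's pair of components the main loop performs 12 doublings and 7 additions, against the 16 additions the two binary expansions (eight set bits each) would cost with the same doubling chain; verify_signature passes α=s and β=−e straight through, since naf handles a negative scalar by negating its digits, which is the sign handling the table look-up needs anyway.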