Introduction Preparation Proposal Conclusion

An Improvement of Scalar Multiplication

on Elliptic Curve Defined over Extension

Field Khandaker Md. Al-Amin (PhD Student) & Dr. Yasuyuki Nogami

Secure Wireless System LabDepartment of Information and Communication Systems

Faculty of Engineering, Okayama University, Japan

Outline Introduction

• Background• Motivation

Preparation• Preparing extension field arithmetic • Finding out good parameters

Our Proposal• Construction procedure• Result evaluation

Conclusion and Future work

Introduction Preparation Proposal Conclusion

Background Public key cryptography

• Elliptic curve cryptography• Pairing-based cryptographic applications

Introduction Preparation Proposal Conclusion

RSA is widely used.

Public key cryptography• Elliptic curve cryptography• Pairing-based cryptographic applications

ECC has faster key generation, shorter key

size with same security level than

RSA.

Background Public key cryptography

• Elliptic curve cryptography• Pairing-based cryptographic applications

ID-based cryptography, Group signature, Broadcast encryption Finite field

• Prime field• Extension field

Introduction Preparation Proposal Conclusion

Need arithmetic operations in a

certain extension field.

ECDLP encourages

Elliptic Curve Scalar Multiplication is the most

time consuming operation

Background Paring Based cryptography requires

• Paring friendly curve • Barreto-Naehrig (BN) curve is well known

Introduction Preparation Proposal Conclusion

where

• Systematically generated parameters

Here t is almost

half size of r

Background Elliptic Curve cryptography

Introduction Preparation Proposal Conclusion

Let two rational points on

is the tangent at the point on EC

is the Point at Infinity

BackgroundIntroduction Preparation Proposal Conclusion

Their addition , where

Coordinates of is calculated as follows.

P Q, then P + Q = R is elliptic curve addition (ECA).

P = Q, then P +Q =2P = R is elliptic curve doubling (ECD).

Elliptic Curve cryptography

Let two rational points on

Background Elliptic Curve cryptography

• Elliptic Curve Addition

Introduction Preparation Proposal Conclusion

ECA

Draw the line throw P and Q

Intersects at point -R

Symmetric to -R is R

R is the result of P+Q

Background Elliptic Curve cryptography

Introduction Preparation Proposal Conclusion

ECD

Tangent through P,Q

Intersects curve at point -R

Symmetric to -R is R

R is the result of P+Q=2Q

Elliptic Curve cryptography• Elliptic Curve Doubling

MotivationIntroduction Preparation Proposal Conclusion

Scalar Multiplication of EC defined over ,

here n is a natural number

ECA

• If n has k binary digits, then complexity

• Better performance in Double and Add algorithm.

• But still also required (k-1) doubling.

That is why we tried to make it efficient in BN curve by applying Frobenius Mapping.

PreparationPreparation Proposal Conclusion

We need extension field arithmetic operations.

We need to find good parameter in BN curve.

Finally we need find certain rational point in .

Rational

point groups

Multiplicative group

over

Getting Rational Point in G2Proposal Conclusion

• Randomly obtained rationalpoint .

• If

• Then is the rational point whose order becomes r

• Using we can get certain rational point in .

• Check if

• Then belongs to

Getting Rational Point in G2Proposal Conclusion

• Frobenius mapping of ,

Proposed Scalar MultiplicationProposal Conclusion

• Let, is a scalar and is the Scalar Multiplication

• Here

• Taking mod r,

• From BN- curve,

• -adic representation

From BN curve t is almost half size of p

Proposed Scalar MultiplicationProposal Conclusion

• Let, is a scalar and is the Scalar Multiplication

• Here • -adic representation

• Resulted Scalar Multiplication

Example of Previous Scalar Multiplication

Proposal Conclusion

1 2 3 4 5 6 7 14S 1 0 1 1 0 1 1 … 1

(Q)2(Q)2(2(Q))+Q2(2(2(Q))+Q)+Q

• Let, is a scalar and is the Scalar MultiplicationLet S is 14 bit

ECD is 13 times, which is about the size of S

Example of Efficient Scalar Multiplication

Proposal Conclusion

S0 1 0 1 1 0 1 1S1 1 1 0 1 1 0 1

(C)2(C)+B2(2(C)+B)+A2(2(2(C)+B)+A)+C

Let S is 14 bit and then S0,S1 will have half of the size of S.

ECD is about half of total bit size of S

1 2 3 4 5 6 7

Result EvaluationProposal Conclusion

Size of scalar bit Existing Method Proposed Method Percentile

#ECA #ECD #ECA #ECD

72 37 71 25 36 ~40% to 50%

254 124 253 43 127 ~50%

Bit sizeofS

Execution time for 1 Scalar Multiplicationin Second

Existing Method Proposed Method Percentile

72 0.077651 0.042132 55.55%254 0.323006 0.156368 48.30%

Conclusion

ConclusionOur proposed approach reduces the number ofECD by half of existing approach

Future workTest and evaluate the performance in Paring based protocol

implementation.

Thank you