wNAF and ECC

1
wNAF and ECC
The wNAF pre-computes points 3P, 5P,, (2w-1-1)P.
How can we compute them for a given point P
(x,y)?
For w4, 2P ECDBL(P) (X2Y2Z2), 3P
ECADD(P,2P) (X3Y3Z3), 5P ECADD(3P,2P)
(X5Y5Z5), 7P ECADD(5P,2P) (X7Y7Z7).
Left-to-right wNAF Input scalar d, point P
(x,y) Output dP Convert d to its wNAF
dw Pre-compute 3P, 5P,, (2w-1-1)P Q0 P,
for in-2 down to 0 Q0 ECDBL(Q0) Q0
ECADD(Q0,dwiP) return(Q0)
If these points are not represented in the
affine coordinate, then we can not use the
efficient addition formula ECADD with Z1 in
the evaluation stage.
They should be converted to the affine
coordinate.
2
Montgomery Trick
For w4, we should compute 3 inversions Z3-1,
Z5-1, and Z7-1. 3P ECADD(P,2P) (X3Y3Z3)
? (X3/Z32,Y3/Z33) 5P ECADD(3P,2P)
(X5Y5Z5) ? (X5/Z52,Y5/Z53) 7P
ECADD(5P,2P) (X7Y7Z7) ? (X7/Z72,Y7/Z73)
Montgomery trick Input a, b, c in G Output
a-1, b-1, c-1 1. x ab 2. y xc 2. z
y-1 4. c-1 zx 5. w zc 6. b-1
wa 7. a-1 wb
Montgomery trick reduces 3I to 6M 1I. (3I
60M and 6M 1I 26M)
z a-1b-1c-1
In general, Montgomery trick computes n
inversions with 3(n-1) multiplications 1
inversion.
Exercise
3
Optimization of Pre-Computation
Imagine that a smart card has only 1,000 bits for
additional memory. Then we can store only a few
points even for ECC due to 1606 960.
However, wNAF method allows us to take only
discrete values, width
2, 3 , 4, 5, 6, 7, .
of pre-computed point 1, 3, 7, 15,
31, 63, .
Can we develop a window method that allows us to
take a continuous value of the pre-computed
points with reasonable non-zero density?
Yes. fractional window methods.
4
Fraction Window Methods
The main idea of fraction window methods is to
use a degenerated conversion table for the
standard window methods. The non-zero density
is increased, but of pre-computation is
degreased.
How to develop a width 2.5 sliding window method?
1 1 0 1 0 1 1 0 0 1 1
0 0 1 1 1 0 1 0 0 1 1 0 1 w2
0 3 0 1 0 0 3 0 0 0 3 0 0 0 3 1
0 1 0 0 0 3 0 1 w3 0 3 0 0
0 5 1 0 0 0 3 0 0 0 0 7 0 1 0 0
0 3 0 1 w2.5 0 3 0 0 0 5 1 0 0
0 3 0 0 0 3 0 0 5 0 0 0 3 0 1 If
digit 7 appears in the conversion with w3, then
we reduce it width w2.
The required digit set is only0,1,3,5.
5
Non-Zero Density of FW Method
fwTable with w2.5 can be simulated by a finite
automaton with statuses (0), (100), (101),
(110), and (11) of binary strings.

• From the construction, the transition matrix of
  these statuses is as follows
• (0) (100) (101) (110) (11)
• (0) 1/2 1/8 1/8 1/8
  1/8
• 1/2 1/8 1/8 1/8 1/8
• (101) 1/2 1/8 1/8 1/8 1/8
• (110) 1/2 1/8 1/8 1/8 1/8
  
• (11) 0 1/4 1/4 1/4
  1/4

These statuses asymptotically distribute with
probability 3/7, 1/7,1/7,1/7,1/7.
Thus the average non-zero density is
asymptotically (1(4/7)) / (1(3/7)3(3/7)2
(1/7)) 2/7 1/(12.5) 0.286, which is
between 0.333 (w2) and 0.250 (w3).
6
Side Channel Attacks
Left-to-right binary method Input C, n,
d Output Cd mod n X M For ik-2 to 0 X
XX mod n if di1, then XXM mod n Return
X
The time or the power to execute Squaring and
Multiplication are different (side-channel
information).
Cited from Clavier et. al, Universal
exponentiation algorithm A first step towards
provable SPA-resistance, CHES 2001, LNCS 2162,
pp. 300-308, 2001
7
Non-Zero Digit Methods
We try to represent d using fixed pattern of zero
and non-zero digits, e.g., 0...0x0...0x.0..
.0x for some non-zero digits x.
Secure against simple power analysis (SPA)
2w-ary non-zero digit method Input k-bit
integer d, width w Output 2w-ary non-zero digit
representation of d i ? 0 While iltk do the
following ui ? d mod 2w, ui1?0,,uiw-1?
0 d ? d ui d ? d/2w if ui0 then d
? d1 and ui ? -2w. i ? iw Return
uk,k-1,,u1,u0
This step is the right-to-left 2w-ary method
conversion.
The zero digit is converted to non-zero digit
-2w with carry.
8
Some Properties of 2w-ary Non-Zero Digit Method
Exponent recording with w2 1 0
0 1 0 0 0 1 1 0 1 1 0 0
1 0 0 0 1 1 0 1 1 0 0 1
0 0 0 0 3 0 1 1 0 0 1 1
0 -4 0 3 0 1 1 0 0 0 3 0
-4 0 3 0 1 1 0 0 -4 0 3 0 -4
0 3 0 1 0 2 0 -4 0 3 0 -4 0
3 0 1
The fix pattern is 00x, where x in 1, 2, ,
2w-1, -2w. 2w-1 multiplications in the
pre-computation stage. about (11/w)k
multiplications in the evaluation stage.
9
wNAF Non-Zero Digit Method
Can we reduce the size of the pre-computed table?
Yes. wNAF based non-zero digit method.
wNAF non-zero digit method Input k-bit odd
integer d, width w Output 2w-ary non-zero digit
representation of d i ? 0 While iltk do the
following ui ? d mod 2w, ui1?0,,uiw-1?
0 d ? d ui d ? d/2w if ui is even,
then ui?ui1 and ui-w ? ui-w-2w
i ? iw Return uk,k-1,,u1,u0
This step is wNAF conversion of w-consecutive
bits.
The even digits are converted to odd digits with
carry.
10
Some Properties of wNAF Non-Zero Digit Method
Exponent recording with w2 1 0
0 1 0 0 0 1 1 0 1 1 0 0
1 0 0 0 1 1 0 1 1 0 0 1
0 0 0 0 3 0 1 1 0 0 1 0
0 1 0 -1 0 1 1 0 0 0 3 0
-3 0 -1 0 1 1 0 1 0 -1 0 -3
0 -1 0 1 1 0 1 0 -1 0 -3 0
-1 0 1
The fix pattern is 00x, where x in 1, 3, ,
2w-1. 2w-1-2 multiplications in the
pre-computation stage. about (11/w)k
multiplications in the evaluation stage.
11
Call for Students
HiWi for implementation of side channel attacks.
Diplomarbeit/Studienarbeit on side channel
attacks (SCA).
(1)We theoretically analyze SCA (2)We implement
cryptosystems on smart cards. (3)We analyze
their security against SCA
Smartcard is an inevitable technology for
IT, e.g. tag identification, ubiquitous
computing,
You can re-use this experience later in the
industry or for PhD
Contact Daniel Schepers or Tsuyoshi Takagi
http//www.informatik.tu-darmstadt.de/KP/