1. Introduction Preparation Proposal Conclusion
An Improvement of Scalar Multiplication
on Elliptic Curve Defined over Extension
Field
Khandaker Md. Al-Amin (PhD Student) & Dr. Yasuyuki
Nogami
Secure Wireless System Lab
Department of Information and Communication Systems
Faculty of Engineering, Okayama University, Japan
2. Outline
Introduction
• Background
• Motivation
Preparation
• Preparing extension field arithmetic
• Finding out good parameters
Our Proposal
• Construction procedure
• Result evaluation
Conclusion and Future work
Introduction Preparation Proposal Conclusion
2
3. Background
Public key cryptography
• Elliptic curve cryptography
• Pairing-based cryptographic applications
Introduction Preparation Proposal Conclusion
RSA is
widely
used.
Public key cryptography
• Elliptic curve cryptography
• Pairing-based cryptographic applications
ECC has faster key
generation, shorter
key size with same
security level than
RSA.
3
4. Background
Public key cryptography
• Elliptic curve cryptography
• Pairing-based cryptographic applications
ID-based cryptography, Group signature, Broadcast encryption
Finite field
• Prime field
• Extension field
Introduction Preparation Proposal Conclusion
Need arithmetic
operations in a
certain extension
field.
ECDLP
encourages
Elliptic Curve Scalar
Multiplication is the most
time consuming operation
4
5. Background
Paring Based cryptography requires
• Paring friendly curve
• Barreto-Naehrig (BN) curve is well known
Introduction Preparation Proposal Conclusion
where
• Systematically generated parameters
Here t is almost
half size of r
5
7. Background
Introduction Preparation Proposal Conclusion
Their addition , where
Coordinates of is calculated as follows.
P Q, then P + Q = R is elliptic curve addition (ECA).
P = Q, then P +Q =2P = R is elliptic curve doubling (ECD).7
Elliptic Curve cryptography
Let two rational points on
8. Background
Elliptic Curve cryptography
• Elliptic Curve Addition
Introduction Preparation Proposal Conclusion
8
ECA
Draw the line throw P and Q
Intersects at point -R
Symmetric to -R is R
R is the result of P+Q
9. Background
Elliptic Curve cryptography
Introduction Preparation Proposal Conclusion
9
ECD
Tangent through P,Q
Intersects curve at point -R
Symmetric to -R is R
R is the result of P+Q=2Q
Elliptic Curve cryptography
• Elliptic Curve Doubling
10. Motivation
Introduction Preparation Proposal Conclusion
Scalar Multiplication of EC defined over ,
here n is a natural number
ECA
• If n has k binary digits, then complexity
• Better performance in Double and Add algorithm.
• But still also required (k-1) doubling.
That is why we tried to make it efficient in BN curve
by applying Frobenius Mapping.
10
11. Preparation
Preparation Proposal Conclusion
11
We need extension field arithmetic operations.
We need to find good parameter in BN curve.
Finally we need find certain rational point in .
Rational
point groups
Multiplicative
group
over
12. Getting Rational Point in G2
Proposal Conclusion
• Randomly obtained rational
point .
• If
• Then is the rational
point whose order
becomes r
• Using we can get certain rational
point in .
13
13. • Check if
• Then belongs to
Getting Rational Point in G2
Proposal Conclusion
• Frobenius mapping of ,
14
14. Proposed Scalar Multiplication
Proposal Conclusion
• Let, is a scalar and is the Scalar Multiplication
• Here
• Taking mod r,
• From BN- curve,
• -adic representation
15
From BN curve t is
almost half size of p
15. Proposed Scalar Multiplication
Proposal Conclusion
• Let, is a scalar and is the Scalar Multiplication
• Here
• -adic representation
• Resulted Scalar Multiplication
16
16. Example of Previous Scalar Multiplication
Proposal Conclusion
1 2 3 4 5 6 7 14
S 1 0 1 1 0 1 1 … 1
(Q)2(Q)2(2(Q))+Q2(2(2(Q))+Q)+Q
17
• Let, is a scalar and is the Scalar Multiplication
Let S is 14 bit
ECD is 13 times, which is about the size of S
17. Example of Efficient Scalar Multiplication
Proposal Conclusion
S0 1 0 1 1 0 1 1
S1 1 1 0 1 1 0 1
(C)2(C)+B2(2(C)+B)+A2(2(2(C)+B)+A)+C
18
Let S is 14 bit and then S0,S1
will have half of the size of S.
ECD is about half of total bit size of
S
1 2 3 4 5 6 7
18. Result Evaluation
Proposal Conclusion
Size of
scalar bit
Existing Method Proposed Method Percentile
#ECA #ECD #ECA #ECD
72 37 71 25 36
~40% to
50%
254 124 253 43 127 ~50%
Bit size
of
S
Execution time for 1 Scalar Multiplication
in Second
Existing Method Proposed Method Percentile
72 0.077651 0.042132 55.55%
254 0.323006 0.156368 48.30%
19
19. Conclusion
Conclusion
Our proposed approach reduces the number of
ECD by half of existing approach
Future work
Test and evaluate the performance in Paring based protocol
implementation.
20
Good morning, This is Khandaker Md. Al-Amin, I am a PhD student of Okayama university, Japan under the supervision of Professor Dr. Yasuyuki Nogami. Today, I will give my presentation on this title “An Improvement of Scalar Multiplication on Elliptic Curve Defined over Extension Field Fq2 ”
This is the top-level outline of my presentation. First, I will introduce some background of ECC and our motivation behind making scalar multiplication efficient. Then, I will give a brief overview to prepare for efficient scalar multiplication. After that, I will describe out proposal of scalar multiplication by Frobenius mapping with (t-1) adic representation of Scalar. Finally give result evaluation .
The emerging information security of computer system stands on the strong base of public key cryptography. Among the PKC’s RSA is mostly used technique. But compared to RSA cryptography, elliptic curve cryptography gained much attention for its faster key generation, shorter key size with same security level and less memory and computing power consumption.
Intractability of Elliptic Curve Discrete Logarithm Problem (ECDLP) encourages many innovative cryptographic protocols. Recently, several unique and innovative pairing based cryptographic applications such as Identity based encryption scheme group signature authentication and broadcast encryption increased the popularity of pairing based cryptography. Some of these applications needs arithmetic operations in a certain extension field.
Among all the operations elliptic curve scalar multiplication is the most time consuming operation.
In pairing based cryptography we need pairing friendly curve. but it is difficult to find good pairing friendly curve. Barreto-Naehrig (BN) curve is well studied such kind of curve of embedding degree 12. Its parameters are systematically given by these equations where p is the characteristics, r is the order and t is the trace function.
The most important property that will be useful in our proposal is trace is almost half size of the r and p.
Let us consider two rational point P, Q, then the tangent lamda can be calculated as like this equation. Here O is considered to be the unity which is the point at infinity of the curve.
coordinates of R can be obtained by this equation. when the rational point P not equal Q then we perform elliptic curve addition.
when p=q then we do elliptic curve doubling.
Draw the line through P and Q. The line intersects a third point -R. The point symmetric to it ,is R, is the result of P+Q.
Let is consider p=q. so the tangent to q intersects the curve at point -R. . The point symmetric to it ,is R, is the result of P+Q.
Scalar Multiplication of EC defined over Fq2 ,..here n is natural number. so it seems that to multiply we need n number of additions. so if n is k binary digit then this will be its complexity.
To implement efficient scalar multiplication we need arithmetic operation in extension field of degree 12.
We also need to find good parameters in BN curve.
Finally we will find certain rational point in in G2 by some calculation procedure.
At first we randomly obtained rational point R in BN curve. To get rational point in in G2 we divide the total number of rational points of BN curve by the square of order r. It will return another rational point T. Then we will check if T ’s order is r or not. Now T will be used to obtain G2 rational point.
Frobenius mapping of T minus 1 gives the Q. If Q is a G2 rational point then will have this property. So we check if Frobenius mapping of Q minus scalar multiplication of Q equal point at infinity then we confirm Q is G2 point.
(phi-1)(phi-p)R
G1 ,G2
Now let us consider S is scalar that is smaller than order r. From BN curve we know this relation order r is = characteristics + 1 minus trace. If we take mod r of this equation then we get p is congruent to t-1. After that we get the t-1 adic representation of the scalar. here S0,S1 will be less than (t-1) and we already know from bn curve know that t is half of P from BN curve.
So the final scalar multiplication we get from these equations. here Scalar mul of Q = s0 mul Q and s1(t-1)Q
That’s all of my presentation. Thank you for your attention.