Research Article A Novel Elliptic Curve Scalar ...

Hindawi Publishing CorporationMathematical Problems in EngineeringVolume 2013 Article ID 862508 7 pageshttpdxdoiorg1011552013862508

Research ArticleA Novel Elliptic Curve Scalar Multiplication Algorithm againstPower Analysis

Hongming Liu Yujie Zhou and Nianhao Zhu

Shanghai Jiao Tong University Shanghai 200240 China

Correspondence should be addressed to Hongming Liu liuhongmingsjtueducn

Received 13 November 2012 Revised 10 March 2013 Accepted 12 March 2013

Academic Editor Jun-Juh Yan

Copyright copy 2013 Hongming Liu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Nowadays power analysis attacks are becoming more and more sophisticated Through power analysis attacks an attacker canobtain sensitive data stored in smart cards or other embedded devices more efficiently than with any other kind of physicalattacks Among power analysis simple power analysis (SPA) is probably the most effective against elliptic curve cryptosystembecause an attacker can easily distinguish between point addition and point doubling in a single execution of scalar multiplicationTo make elliptic curve scalar multiplication secure against SPA attacks many methods have been proposed using special pointrepresentations In this paper a simple but efficient SPA-resistant multiscalar multiplication is proposed The method is to convertthe scalar into a nonadjacent form (NAF) representation at first and then constitute it in a new signed digit representation Thisnew representation is undertaken at a small precomputation cost as each representation needs just one doubling and 12 additionsfor each bit In addition when combined with randomization techniques the proposed method can also guard against differentialpower analysis (DPA) attack

1 Introduction

Since being proposed independently by Koblitz [1] andMiller[2] in the mid 1980s elliptic curve cryptosystem (ECC) hasbeen widely applied in public key cryptography especiallyin pairing cryptosystems [3 4] This is due to ECC usinga much shorter key size than other traditional public keycryptosystems such as RSA to provide a correspondinglevel of security For instance 160 bit ECC provides aboutthe equivalent level of security as 1024 bit RSA [5] Dueto the shorter key length higher speed and lower powerconsumption ECC has been attractive for wireless and smartcard applications which have limited bandwidth and storageresourcesThe security of ECC is based on the hardness of thediscrete logarithm problem (DLP) on an elliptic curve calledelliptic curve discrete logarithmproblem (ECDLP) [6] Givena scalar multiplication 119896119875 = 119876 where 119896 is an integer and119875 119876 are the points on an elliptic curve according to ECDLPif 119896 is large enough then it is unable to calculate 119896 when thevalues of 119875 and 119876 are given When ECC is implemented inthe wireless or smart card devices they are very vulnerable topower analysis attacks [7 8]

In power analysis attacks which were proposed byKocher et al [8] an attacker can obtain the secret key storedinside a device by monitoring the cryptographic devicersquospower consumption Generally speaking simple power anal-ysis (SPA) [7] and differential power analysis (DPA) [8] arethe twomain types of power analysis attacks SPA can observesecret information through analysis on a single executionof a cryptographic operation while DPA may need manyexecutions and to analyze them using a statistical processAs different operations executed by the device consumedifferent amounts of time and power the different timeand power consumptions can be used to determine whichoperations were performed in what order In the case ofscalar multiplication it may be possible for an attacker todistinguish which parts of the operation were performed bya point doubling and which parts were performed by a pointaddition although he has no knowledge about the privatekeys With this the attacker can obtain the secret key fromthe acquired information for using as the scalar in the ellipticcurve scalar multiplication

In the past decade various scalar multiplication algo-rithms that resist SPA or DPA have been proposed for

2 Mathematical Problems in Engineering

example [9ndash17] In [10] Coron first generalized a DPA attackto the elliptic curve cryptosystem and introduced double-and-add always algorithm to resist SPA and randomizationmethod to resist DPA Since then many countermeasureswhich are based on randomization and scalar recoding havebeen proposed Reference [11] proposed the randomizedaddition-subtraction chains method and [17] introducedthe randomized window method Lee first proposed a SPA-resistant countermeasure based onmultiscalarmultiplication[13] Then [14ndash16] not only introduced multi-scalar multi-plication to resist SPA but also used randomization methodto resist DPA However those methods provide security atthe cost of efficiency In this paper we propose a novelefficient SPA-resistant multi-scalar multiplication methodand combine it with a randomization method to resist DPA

The rest of the paper is organized as follows Section 2gives a brief introduction to ECC scalar multiplication andprevious SPA-resistant algorithms Section 3 describes theproposed scalarmultiplication algorithm Section 4 comparesthe performance of our strategies with the previous counter-measures Finally Section 5 concludes this paper

2 Preliminaries

21 Elliptic Curve Arithmetic This subsection presents abrief introduction to ECC For extended details the readercan refer to [6 18] Let 119866119865(119901) be a finite prime field Anelliptic curve 119864 over 119866119865(119901) can be defined by the Weierstrassequation

1199102+ 1198861119909119910 + 119886

3119910 = 119909

3+ 11988621199092+ 1198864119909 + 1198866 (1)

where 1198861 1198862 1198863 1198864 1198866isin 119866119865(119901) The set of points on an

elliptic curve 119864 and the point at infinity (denoted by 119874)form an Abelian group under a point addition operationThe formula for computing point operation consists of twobasic operations the elliptic curve addition (ECADD) whencomputing119875+119876 according to a group addition rule when twopoints 119875 and119876 on the curve are given and 119875 is not equal to119876and the elliptic doubling (ECDBL) when computing 2119875whena point 119875 is givenThis needs expensive filed inversions in thecomputation of point operations when using (119909 119910) knownas affine coordinates to represent the points on the curve 119864So the most efficient implementations adopt representationsof the form (119883 119884 119885) known as projective coordi-nates including standard projective coordinates Jacobianprojective coordinates Chudnovsky Jacobian coordinatesand Lopez-Dahab projective coordinates [6]

22 Scalar Multiplication Scalar multiplication is the basicoperation in ECDSA signature [19] and ECDHkey agreement[20] protocols The operation calculates the multiples of apoint 119896119875 = 119875 + 119875 + sdot sdot sdot + 119875 (119896 times) where 119875 is a point oncurve 119864 and 119896 is an integer scalar As the most time consum-ing operation in the previously mentioned protocols manyalgorithms have been proposed to improve the efficiency ofscalar multiplication during the past decade Among them

Input Positive integer 119896 119896 = (119896119897minus1 119896119897minus2 119896

0)2

Output 119896NAF 119896NAF = (119896119897 119896119897minus1 119896119897minus2 1198960)NAF(1) i = 0(2) While (k gt 0) do

(21) if (k is odd) then(22) 119896

119894= 2 minus (kmod 4)

(23) else(24) 119896

119894= 0

(25) k = (119896 minus 119896119894)2

(26) 119894 = 119894 + 1(3) Return (k)

Algorithm 1 NAF of a positive integer 119896

Input Positive integer 119896 119875 isin 119864Output 119876 = 119896119875(1) Use Algorithm 1 to compute 119896NAF(2) 119876 = 119874(3) For 119894 from 119897 minus 1 downto 0 do

(31) Q = 2Q(32) If 119896

119894= 1 then 119876 = 119876 + 119875

(33) If 119896119894= minus1 then 119876 = 119876 minus 119875

(4) Return (Q)

Algorithm 2 Binary NAF method for scalar multiplication

the nonadjacent form (NAF) [21] is the standard one AnNAFof a positive integer 119896 is an expression

119896NAF =119897minus1

sum

119894=0

1198961198942119894 (2)

where 119896119894isin 0 plusmn1 119896

119897minus1= 0 and no two consecutive digits

of 119896119894are nonzero The computation of NAF of a positive

integer 119896 is described as in Algorithm 1 Then it is possibleto compute the scalar multiplication using NAF methodfollowing Algorithm 2

Each positive 119896 has a unique NAF Among all signedbinary representations NAF(119896) has the fewest nonzero digitsIt is known that the average density of nonzero bits of NAF isapproximately 13Thismeans that scalarmultiplication usingNAF needs 119899 ECDBL + (1198993) ECADD

23 Previous Algorithms

231 Ciet and Joyersquos Algorithm This algorithm [14] uses thevariant of Shamirrsquos double ladder to compute themulti-scalarmultiplication 1198961119875 + 1198962119876 The main difference is to insert adummy operation in the computation So each loop includesone doubling and one addition and the operation order isDADADADADA in Algorithm 3 Hence one point doublingand one point addition per bit is needed

232 Leersquos Algorithm To resist SPA Lee improved the simul-taneous scalar multiplication [21] in [13] He changed the

Mathematical Problems in Engineering 3

Table 1 Transformation rules of Leersquos algorithm

(119896119894+1 119898119894+1) (119896

119894 119898119894) (119896

1015840

119894+1 1198981015840

119894+1) (119896

1015840

119894 1198981015840

119894)

(0 0) (0 0) (0 1) (0 minus2)(0 1) (0 0) (0 2) (0minus2)(1 0) (0 0) (1 1) (0 minus2)(1 1) (0 0) (1 0) (0 2)

values of (119896119894 119898119894) when (119896

119894 119898119894) = (0 0) to construct another

adequate digit pair with at least one non-zero digit Of coursethe adjacent pair (119896

119894+1119898119894+1

) should be modified as well Thetransformation rules can be described as in Table 1

After the transformation the digit pair (119896119894 119898119894) cannot be

all zero Therefore the modified simultaneous scalar multi-plication was proposed by Lee to resist SPA see Algorithm 4Obviously the cost of Leersquos algorithm is also one pointdoubling and one point addition per bit

233 Zhang Chen Xiaorsquos Algorithm This algorithm [16]proposes four scalar multiplication algorithms against poweranalysisThose algorithms are all based on the highest-weightbinary form (HBF) of the scalars and randomization toresist power analysis Although those four countermeasureshave no dummy operations the efficiency of them is similarto Ciet and Joyersquos algorithm They also almost need onepoint doubling and one point addition per bit One of thesealgorithms can be seen as follows in Algorithm 5

234 Liu Tan and Dairsquos Algorithm Liu et al also proposea multi-scalar multiplication to resist SPA in [15] The differ-ence is that they use a joint sparse form (JSF) to representa pair of integers and process two or three JSF columnseach time Although the processed column number may bedifferent the algorithm always performs four point doublingsand two point additions in each loopThismeans that it is notpossible for useful information related to the private key to beobtained by the attacker through SPA

Next 119896 = 213119898 = 408 are selected as a simple exampleThe JSF of (213 408) is

213 = (0 1 0 0 minus1 0 minus1 minus1 0 1)

408 = (1 0 0 minus1 minus1 0 minus1 0 0 0)

(3)

Then this algorithm processes the JSF columns as follows

(0 1 0) (0 minus1) (0 minus1 minus1) (0 1)

(1 0 0) (minus1 minus1) (0 minus1 0) (0 0)

(4)

That is to say it needs four iterations to complete thewhole operation so sixteen point doubling and eight pointaddition operations are requiredThe theoretical analysis andsimulation results show that this algorithm needs 1384 pointdoublings and 0692 point additions per bit

3 The New Algorithm

Based on the algorithms mentioned earlier a simple butefficient scalar multiplication algorithm is proposed to resist

Input 119875 119896 = (119896119897minus1 119896119897minus2 119896

0)2 119878

119889 = (119889119897minus1 119889119897minus2 119889

0)2

Output 119876 = [119896]119875 + [119889]119878(1) 119877

1= 119875 119877

2= 119878 119877

3= 119875 + 119878

(2) 119895 = 2119889119897minus1+ 119896119897minus1 1198770= 119877119895

(3) For 119894 from 119897 minus 2 downto 0 do(31) 119877

0= 21198770 1198771= 119875

(32) c = (119896119894|| 119889119894) 119895 = 2119889

119894+ 119896119894

(33) 119877119888= 119877119888+ 119877119895

(4) Return (1198770)

Algorithm 3 Ciet and Joyersquos algorithm

Input 119875 119896 = (119896119897minus1 119896119897minus2 119896

0)2 119878 119898 = (119898

119897minus1 119898119897minus2 119898

0)2

Output 119876 = [119896]119875 + [119898]119878(1) (119896119898) is transformed to (1198961015840 1198981015840) as Table 1 rule(2) Pre-computation

119879 [0 1] = 119878 119879 [1 0] = 119875 119879[1 1] = 119875 + 119878119879[0 2] = 2119878 119879[0 minus2] = minus2119878

(3) 119877 = 119879[1198961015840119897minus1 1198981015840

119897minus1]

(4) For 119894 from 119897 minus 2 downto 0 do(41) 119877 = 2119877(42) 119877 = 119877 + 119879[1198961015840

119894 1198981015840

119894]

(5 ) Return (119877)

Algorithm 4 Leersquos algorithm

Input 119875 119896 = (119896119897minus1 119896119897minus2 119896

0)2

Output 119876 = [119896]119875(1) Select a random 119903

119903 = (119903119897minus1 119903119897minus2 119903

0)2

1198961015840= 119896 minus 119903

(2) HBF(119903 119897)(3) For 119894 from 0 downto 119897 minus 1

If 119903 + 1198961015840119894= 0

(1198961015840119897minus1 119896

1015840

119894+1) +1198961015840119894 1198961015840

119894= minus1198961015840119894

(4) Construct a pre-computation table 119879119879 = 119874 119879[1] = 119875 119879[minus1] = minus119875119879[2] = 2119875 119879[minus2] = minus2119875

(5) For 119894 from 119897 minus 1 downto 0 do(51) 119879 = 2119879(52) 119879 = 119879 + 119879[119903 + 1198961015840

119894]

(6) Return (119879)

Algorithm 5 Zhang Chen Xiaorsquos algorithm

knownpower analysis attacks in this sectionThemethodfirsttransforms the NAF of the multi-scalar (119896119898) then combinesit with the window method and modifies the value of thedigit pair with all zero digits so the new algorithm can beobtained

31 Scalar Representation In a scalar multiplication it can beseen that each bit requires at least a point doubling while

4 Mathematical Problems in Engineering

Table 2 Values of SHW(119908) and SPN(119908) for different window sizes

119908 2 3 4 5 6SHW(119908) 1 2 2 3 3SPN(119908) 2 5 10 21 42

Table 3 Values of MHW(119908) and MPN(119908) for different windowsizes

119908 2 3 4 5 6MHW(119908) 2 4 4 6 6MPN(119908) 12 60 220 924 3612

the number of point addition varies in different algorithmsTherefore the best way to improve the efficiency of the scalarmultiplication is to reduce the number of point addition Inthis approach a window method with the NAF form is usedto reduce the number of point addition

First the windowmethod with the NAF form for a singlescalar 119896 is described Let 119908 be the window size SHW(119908)the maximum Hamming weight and SPN(119908) the pointnumber of the precomputation table in each window TheNAF of a scalar 119896 is denoted by 119896NAF and generally it canbe represented as (2) where 119897 is the bit length of the NAF of119896 When using the window method it can be represented assum119898minus1

119894=01198961015840

1198942119894 where119898 = 119897119908 and119908 bit 1198961015840 isin 119878

119908 inwhich 119878

119908is the

set of all possible 119908-bit parts of the NAF integers Consider

SHW(119908) =

119908

2(119908 is even)

lfloor119908

2rfloor + 1 (119908 is odd)

(5)

SPN(119908) = 2(119908minus1)

+ 2(119908minus3)

+ sdot sdot sdot + 21

(119908 is even) 2(119908minus1)

+ 2(119908minus3)

+ sdot sdot sdot + 20

(119908 is odd) (6)

In Table 2 we only list the values of SHW(119908) and SPN(119908) for119908 from 2 to 6 but from (6) it can be seen that SPN(119908) risesby times with the increase of 119908

Next the window method with the NAF form for multi-scalar (119896119898) is introduced where 119908 is the window sizeMHW(119908) is the maximum Hamming weight and MPN(119908)is the point number of pre-computation table in each window(Table 3) Now in each window there are two scalars soMHW(119908) is double SHW(119908) but MPN(119908) is much largerthan SPN(119908) MPN(119908) is the combination of two numbers(SPN119896(119908) SPN

119898(119908)) Consider

MHW(119908) =

119908

2(119908 is even)

lfloor119908

2rfloor + 1 (119908 is odd)

(7)

MPN(119908) = SPN119896(119908) + SPN

119898(119908)

+ SPN119896(119908) lowast SPN

119898(119908) lowast 2

(8)

Table 4 Transformation rules of new algorithm

(119898119894+3 119898119894+2) (119898

119894+1 119898119894) (119898

1015840

119894+3 1198981015840

119894+2) (119898

1015840

119894+1 1198981015840

119894)

(0 0) (0 0) (0 1) (minus2 0)(0 minus1) (0 0) (minus1 0) (2 0)(0 1) (0 0) (1 0) (minus2 0)(minus1 0) (0 0) (0 minus1) (minus2 0)(1 0) (0 0) (0 1) (2 0)

From (8) it can be seen thatMPN(119908) rises exponentially withan increase of 119908 So in this paper 119908 = 2 was selected as thewindow size

When (119896119894+1 119896119894) = (0 0) and (119898

119894+1 119898119894) = (0 0) no point

addition is performed Hence an attacker can determinethis case through SPA To assist SPA (119896

119894+1 119896119894) = (0 0) and

(119898119894+1 119898119894) = (0 0) should be converted so that a real point

addition happens This is to say that (119896119894+1

119896119894) = (0 0) and

(119898119894+1 119898119894) = (0 0) are converted to another digit pair with at

least one non-zero digit In this paper we select to transform(119898119894+1 119898119894) = (0 0) Of course the adjacent pair (119898

119894+3 119898119894+2)

should be considered as well According to the NAF codingrule there are five possible cases related to the digit pair(119898119894+3 119898119894+2) The transformation rules can be described as in

Table 4After the transformation the digit pair (1198981015840

119894+1 1198981015840

119894) adds

two more cases but the pre-computation table only adds onemore point due to the different symbol between the two cases

32 Proposed New Multiscalar Multiplication AlgorithmNow the new algorithm to calculate [119896]119875 + [119898]119878 based onthe new representation mentioned earlier can be describedThe algorithm has a uniform doubling and adding operationbut no dummy operation

FromAlgorithm6 it can be found that two doublings andone addition are performed in each window It is assumedthat the power consumption of subtraction is the same asthe addition There are fifteen points in the pre-computationtable

Next a simple example that shows how Algorithm 6works is described and the NAF of (209 416) is

209 = (0 1 0 minus1 0 1 0 0 0 1)

416 = (1 0 minus1 0 1 0 0 0 0 0)

(9)

After transformation according to Table 4 the newrepresentation of (209 416) is

209 = (0 1 0 minus1 0 1 0 0 0 1)

416 = (1 0 minus1 0 0 1 2 0 0 0)

(10)

Then the process of Algorithm 6 computing 209119875 + 416119878 isillustrated in Table 5

33 Proposed DPA-Resistant Scalar Multiplication AlgorithmAmong the various DPA countermeasures [22] random keysplitting is the most common method to resist DPA Thescalar 119896 can be split in at least two different ways one is

Mathematical Problems in Engineering 5

Table 5 Example of Algorithm 6

119894(119896119894minus1 119896119894minus2)

(119898119894minus1 119898119894minus2)

Operation 119877

9 (0 1)(1 0) 119877 = 119879[1 2] P + 2S

7 (0 minus1)(minus1 0)

119877 = 2119877119877 = 2119877

119877 = 119877 minus 119879[1 2]

3P + 6S

5 (0 1)(0 1)

119877 = 2119877119877 = 2119877

119877 = 119877 + 119879[1 1]

13P + 25S

3 (0 0)(2 0)

119877 = 2119877119877 = 2119877

119877 = 119877 + 119879[0 4]

52P + 104S

1 (0 1)(0 0)

119877 = 2119877119877 = 2119877

119877 = 119877 + 119879[1 0]

209P +416S

Table 6 Performance comparison of algorithms

Point number inPre-Computation

table

Computations per bit

Doublings AdditionsAlgorithm in [14] 3 1 1Algorithm in [13] 5 1 1Algorithm in [16] 5 1 1Algorithm in [15] 5 1384 0692Algorithm 7 4 1 05

119896 = (119896minus119903)+119903 and the other is 119896 = lfloor119896119903rfloor119903+ (119896 mod 119903) where119903 is random and the length of 119903 is the same of 119896 In this paperthe first way 119896 = 1198961+1198962was chosen where 1198961 = 119896minus119903 1198962 = 119903It can be observed that thismethod is the same asmulti-scalarapproach Then a similar method as in Algorithm 6 can beused to compute the scalar multiplication The difference isthat the point 119878 is equal to 119875 Of course the transformationrule and pre-computation table are also different To assistan SPA 1198961 and 1198962 when (1198961

119894+1 1198961119894) + (1198962

119894+1 1198962119894) = (0 0)

should be converted so that a real point addition happensAlgorithm 7 describes this in detail

It can be seen that there are only four points in thepre-computation table for Algorithm 7 but the programsequence is also DDA Therefore due to the uniform opera-tion sequence it can resist SPA and to ensure that there is nocorrelation between two times a random 119903 was inserted Ofcourse the attacker cannot obtain any information throughDPA

4 Performance Comparison

In this section the performance of Algorithm 7 is analyzedand compared with previous algorithms In Algorithm 7each loop processes two bits and has two point doublingand one point addition Each bit needs one point doublingand 12 point addition In order to show the performance of

Input 119875 119896 119878 119898Output 119876 = [119896]119875 + [119898]119878(1) Compute the NAF form of (119896119898)(2) Add leading 0rsquos in (119896119898) so that the number of bits in

(119896119898) is multiple of 2 119896 = (119896119897minus1 119896119897minus2 119896

0)NAF

119898 = (119898119897minus1 119898119897minus2 119898

0)NAF

(3) 119894 = 0(4) While (119894 lt (119897 minus 2)) do

(41) if ((119896119894+1 119896119894) = (0 0) and (119898

119894+1 119898119894) = (0 0)) then

(42) if ((119898119894+3 119898119894+2) = (0 0)) then

(43) set (119898119894+3 119898119894+2) = (0 1) and (119898

119894+1 119898119894)

= (minus2 0)(44) else if((119898

119894+3 119898119894+2) = (0 minus1)) then

(45) set (119898119894+3 119898119894+2) = (minus1 0) and (119898

119894+1 119898119894)

= (2 0)(46) else if ((119898

119894+3 119898119894+2) = (0 1)) then

(47) set (119898119894+3 119898119894+2) = (1 0) and (119898

119894+1 119898119894)

= (minus2 0)(48) else if ((119898

119894+3 119898119894+2) = (minus1 0) then

(49) set (119898119894+3 119898119894+2) = (0 minus1) and (119898

119894+1 119898119894)

= (minus2 0)(410) else(411) set (119898

119894+3 119898119894+2) = (0 1) and (119898

119894+1 119898119894)

= (2 0)(412) else(413) 119894 = 119894 + 2

(5) Pre-computation119879[0 1] = 119878 119879[0 2] = 2119878 119879[0 4] = 4119878 119879[1 0] = 119875

119879[2 0] = 2119875 119879 [1 1] = 119875 + 119878 119879 [1 2] = 119875 + 2119878

119879 [1 minus1] = 119875 minus 119878 119879 [1 minus2] = 119875 minus 2119878 119879 [2 1] = 2119875 + 119878119879 [2 2] = 2119875 + 2119878 119879 [2 minus1] = 2119875 minus 119878119879 [2 minus2] = 2119875 minus 2119878

(6) 119877 = 119879[(119896119897minus1 119896119897minus2) (119898119897minus1 119898119897minus2)]

(7) For 119894 from 119897 minus 2 downto 0 119894 = 119894 minus 2 do(71) 119877 = 2119877(72) 119877 = 2119877(73) if ((119896

119894minus1 119896119894minus2) lt 0) then

(74) 119877 = 119877 minus 119879[minus(119896119894minus1 119896119894minus2) minus(119898

119894minus1 119898119894minus2)]

(75) else if ((119896119894minus1 119896119894minus2) == 0) then

(76) if ((119898119894minus1 119898119894minus2) lt 0) then

(77 ) 119877 = 119877 minus 119879[(119896119894minus1 119896119894minus2) minus(119898

119894minus1 119898119894minus2)]

(78) else(79) 119877 = 119877 + 119879[(119896

119894minus1 119896119894minus2) (119898119894minus1 119898119894minus2)]

(710) else(711) 119877 = 119877 + 119879[(119896

119894minus1 119896119894minus2) (119898119894minus1 119898119894minus2)]

(8) Return (119877)

Algorithm 6 New multi-scalar multiplication algorithm

Algorithm 7 a comparison with previous methods is listed inTable 6

According to [23] one projective elliptic doubling inprime case needs 4S (S denotes module square) and 4M (Mdenotes module multiplication) and one projective ellipticaddition on prime case needs 4S and 12M We resume S asymp08M [24] Then algorithm in [13 14 16] needs 8S + 16M asymp

224Mper bit and algorithm in [15] needs about 204MwhileAlgorithm 7 only needs 6S + 10M asymp 148M per bit Henceit Algorithm 7 can improve performance by at least 25

6 Mathematical Problems in Engineering

Input P kOutput Q = [k]P(1) Select a random r 1198961 = 119896 minus 119903 1198962 = 119903(2) Compute the NAF form of (1198961 1198962)(3) Add leading 0rsquos in (1198961 1198962) so that the number of bits in(1198961 1198962) is multiple of 2 1198961 = (1198961

119897minus1 1198961119897minus2 1198961

0)NAF

1198962 = (1198962119897minus1 1198962119897minus2 1198962

0)NAF

(4) 119894 = 0(5) While (119894 lt (119897 minus 2)) do

(51) set 119888 = (1198961119894+1 1198961119894) + (1198962

119894+1 1198962119894)

(52) if (119888 = 0) then(53) if ((1198962

119894+3 1198962119894+2) gt 0) then

(54) set (1198962119894+3 1198962119894+2) minus = (0 1) and (1198962

119894+1 1198962119894)

= (minus2 0)(55) else(56) set (1198962

119894+3 1198962119894+2) + = (0 1) and (1198962

119894+1 1198962119894)

= (2 0)(57) else(58) 119894 = 119894 + 2

(6) Pre-computation119879[1] = 119875 119879[2] = 2119875 119879[3] = 3119875 119879[4] = 4119875

(7) if ((1198961119897minus1 1198961119897minus2) + (1198962

119897minus1 1198962119897minus2) = 0) then

119877 = 119874else119877 = 119879[(1198961

119897minus1 1198961119897minus2) + (1198962

119897minus1 1198962119897minus2)]

(8) For 119894 from 119897 minus 2 downto 0 119894 = 119894 minus 2 do(81) 119888 = (1198961

119894minus1 1198961119894minus2) + (1198962

119894minus1 1198962119894minus2)

(82) 119877 = 2119877(83) 119877 = 2119877(84) if (119888 lt 0) then(85) 119877 = 119877 minus 119879[minus119888](86) else(87) 119877 = 119877 + 119879[119888]

(9) Return (119877)

Algorithm 7 DPA-resistant scalar multiplication algorithm

compared with previous algorithms and sacrifices a smallamount of memory to store pre-computation points

5 Conclusion

In this paper a simple but efficient elliptic scalar multipli-cation against power analysis attacks has been presentedFirst we analyze previous algorithms which can resist SPAorDPAThen we present the newmulti-scalarmultiplicationto endure SPAThis algorithm is based onNAF and processestwo columns each loop When computing scalar multiplica-tion 119896119875 we adopt a random number 119903 to split scalar 119896 andcombine it with the multi-scalar multiplication So the newDPA-resistant scalar multiplication algorithm is proposed inthis work The proposed DPA-resistant scalar multiplicationalgorithm not only can resist SPA and DPA but also providesgood performance at a cost of only a few storage spaces

References

[1] N Koblitz ldquoElliptic curve cryptosystemsrdquo Mathematics ofComputation vol 48 no 177 pp 203ndash209 1987

[2] V S Miller ldquoUse of elliptic curves in cryptographyrdquo inAdvancesin Cryptology Proceedings of Crypto rsquo85 vol 218 of Lecture Notesin Computer Science pp 417ndash426 Springer Berlin Germany1986

[3] K A Shim and S SWoo ldquoCryptanalysis of tripartite andmulti-party authenticated key agreement protocolsrdquo Information Sci-ences vol 177 no 4 pp 1143ndash1151 2007

[4] LWang Z Cao X Li andHQian ldquoSimulatability and securityof certificateless threshold signaturesrdquo Information Sciences vol177 no 6 pp 1382ndash1394 2007

[5] H Cohen A Miyaji and T Ono ldquoEfficient elliptic curveexponentiation using mixed coordinatesrdquo in Advances in Cryp-tology (ASIACRYPT rsquo98) vol 1514 of Lecture Notes in ComputerScience pp 51ndash65 Springer Berlin Germany 1998

[6] D Hankerson A Menezes and S Vanstone Guide to Ellip-tic Curve Cryptography Springer Professional ComputingSpringer New York NY USA 2004

[7] P Kocher ldquoTiming attacks on implementations of Diffie-Hellman RSA DSS and other systemrdquo in Proceedings of the16th Annual International Cryptology Conference on Advancesin Cryptology (CRYPTO rsquo96) vol 1109 of Lecture Notes inComputer Science pp 104ndash113 Springer 1996

[8] P Kocher J Jaffe and B Jun ldquoDifferential power analysisrdquoin Proceedings of the 19th Annual International CryptologyConference on Advances in Cryptology (CRYPTO rsquo99) vol 1666of Lecture Notes in Computer Science pp 388ndash397 Springer1999

[9] T Izu and T Takagi ldquoA fast parallel elliptic curve multiplicationresistant against side channel attacksrdquo in Public Key Cryptogra-phy (PKC 2002) vol 2274 of Lecture Notes in Computer Sciencepp 280ndash296 Springer 2002

[10] J Coron ldquoResistance against differential power analysis forelliptic curve cryptosystemsrdquo in Proceedings of the 1st Inter-national Workshop on Cryptographic Hardware and EmbeddedSystems (CHES rsquo99) vol 1717 of Lecture Notes in ComputerScience pp 292ndash302 Springer 1999

[11] E Oswald and M Aigner ldquoRandomized addition-subtractionchains as a countermeasure against power attacksrdquo in Pro-ceedings of the 3rd International Workshop on CryptographicHardware and Embedded Systems (CHES rsquo01) vol 2001 ofLecture Notes in Computer Science pp 39ndash50 Springer 2001

[12] B Moller ldquoSecuring elliptic curve point multiplication againstside-channel attacksrdquo in Proceedings of the 4th InternationalInformation Security Conference (ISC rsquo01) vol 2200 of LectureNotes in Computer Science pp 324ndash334 Springer October 2001

[13] M K Lee ldquoSPA-resistant simultaneous scalar multiplicationrdquoin Proceedings of the International Conference on ComputationalScience and Its Applications (ICCSA rsquo05) vol 3481 pp 314ndash321Singapore May 2005

[14] M Ciet andM Joye ldquo(virtually) Free randomization techniquefor elliptic curve cryptographyrdquo in Proceedings of the 5thInternational Conference on Information and CommunicationsSecurity (ICICS rsquo03) vol 2836 pp 348ndash359 2003

[15] D Liu and Z Tan Y Dai ldquoNew elliptic curve multi-scalarmultiplication algorithm for a pair of integers to resist SPArdquo inProceedings of the 4th International Conference on InformationSecurity and Cryptology (Inscrypt rsquo08) vol 5487 of Lecture Notesin Computer Science pp 253ndash264 Springer December 2008

[16] N Zhang Z Chen and G Xiao ldquoEfficient elliptic curvescalar multiplication algorithms resistant to power analysisrdquoInformation Sciences vol 177 no 10 pp 2119ndash2129 2007

Mathematical Problems in Engineering 7

[17] P Y Liardet and N P Smart ldquoPreventing SPADPA in ECCsystems using the Jacobi formrdquo in Proceedings of the 3rd Inter-national Workshop on Cryptographic Hardware and EmbeddedSystems (CHES rsquo01) vol 2162 of Lecture Notes in ComputerScience pp 391ndash401 Springer May 2001

[18] Advances in Elliptic Curve Cryptography Cambridge UniversityPress Cambridge UK 2005

[19] ANSI X9622005 Public Key Cryptography for the FinancialService Industry The Elliptic Curve Digital Signature Algorithm(ECDSA) American National Standards Institute 2005

[20] ANSI X9632001 Public Key Cryptography for the FinancialService Industry KeyAgreement andKeyTransportUsing EllipticCurve Cryptography American National Standards Institute2001

[21] A JMenezes P C vanOorschot and S AVanstoneHandbookof AppliedCryptography CRCPress BocaRaton FlaUSA 1997

[22] J Fan and I Verbauwhede ldquoAn Updated survey on secureECC implementations attacks countermeasures and costrdquoin Cryptography and Security From Theory to Applicationsvol 6805 of Lecture Notes in Computer Science pp 265ndash282Springer 2012

[23] IEEE Std 1363-2000 IEEE Standard Specifications for Public-KeyCryptography Institute of Electrical and Electronics EngineersNew York NY USA 2000

[24] C H Lim and H S Hwang ldquoFast implementation of ellip-tic curve arithmetic in GF(P119899)rdquo in Proceedings of the 3rdInternational Workshop on Practice and Theory in Public KeyCryptosystem (PKC rsquo00) vol 1751 of Lecture Notes in ComputerScience pp 405ndash421 Springer January 2000

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Discrete MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of