Results 11-20 of 81
Optimal Left-to-Right Binary Signed-Digit Recoding
, 2000
Cited by 34 (3 self)
This paper describes new methods for producing optimal binary signed-digit representations. This can be useful in the fast computation of exponentiations. Contrary to existing algorithms, the digits are scanned from left to right (i.e., from the most significant position to the least significant position). This may lead to better performances in both hardware and software.
A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks
, 2002
Cited by 32 (6 self)
Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an addition chain and an addition formula in the scalar multiplication. Our addition chain requires no table lookup (or a very small number of precomputed points) and a prominent property is that it can be implemented in parallel. The computing time for n-bit scalar multiplication is one ECDBL + (n − 1) ECADDs in the parallel case and (n − 1) ECDBLs + (n − 1) ECADDs in the single case. We also propose faster addition formulas which only use the x-coordinates of the points. By combination of our addition chain and addition formulas, we establish a faster scalar multiplication resistant against the SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37% for two processors and 5.7% for a single processor. Our scalar multiplication is suitable for the implementation on smart cards.
Efficient Implementation of Public Key Cryptosystems on Mote Sensors (Short Paper)
 In International Conference on Information and Communication Security (ICICS), LNCS 4307
, 2006
Cited by 31 (9 self)
Abstract. We report our implementation of the RSA and ECC public-key cryptosystem on Berkeley Motes. We detail the implementation of 1024-bit RSA and 160-bit ECC cryptosystems on MICA mote sensors. We have achieved the performance of 0.79s for RSA public key operation and 21.5s for private operation, and 1.3s for ECC signature generation and 2.8s for verification. For comparison, we also show our new ECC implementation on TelosB motes with a signature time 1.60s and a verification time 3.30s. For the detailed description of the implementation, we refer to our technical report [13].
Efficient Scalar Multiplication by Isogeny Decompositions
, 2005
Cited by 20 (0 self)
On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication by ℓ map [ℓ] has degree ℓ², therefore the complexity to directly evaluate [ℓ](P) is O(ℓ²). For a small prime ℓ (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree ℓ then the costs of computing ϕ(P) should in contrast be O(ℓ) field operations. Since we then have a product expression [ℓ] = ϕ̂ϕ, the existence of an ℓ-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(ℓ²) to O(ℓ) operations for the evaluation of [ℓ](P) by naïve application of the defining polynomials. In this work we investigate actual improvements for small ℓ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [ℓ] = ϕ̂ϕ, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to nonadjacent forms for ℓ-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.
Distribution results for low-weight binary representations for pairs of integers
 THEORET. COMPUT. SCI
, 2004
Cited by 20 (15 self)
We discuss an optimal method for the computation of linear combinations of elements of Abelian groups, which uses signed digit expansions. This has applications in elliptic curve cryptography. We compute the expected number of operations asymptotically (including a periodically oscillating second order term) and prove a central limit theorem. Apart from the usual right-to-left (i.e., least significant digit first) approach we also discuss a left-to-right computation of the expansions. This exhibits fractal structures that are studied in some detail.
Randomized signed-scalar multiplication of ECC to resist power attacks
 In Cryptographic Hardware and Embedded Systems – CHES ’02, LNCS
, 2002
Cited by 19 (2 self)
Abstract. Recently it has been shown that smart cards as cryptographic devices are vulnerable to power attacks if they have no defence against them. Randomization on ECC scalar multiplication is one of the fundamental concepts in methods of defence against side-channel attacks. In this paper by using the randomization concept together with the NAF recoding algorithm, we propose an efficient countermeasure for ECCs against power attacks. The countermeasure provides a randomized signed-scalar representation at every scalar multiplication to resist DPA. To protect against SPA it additionally employs a simple SPA-immune addition-subtraction multiplication algorithm. Our analysis shows that it needs no additional computation load compared to the ordinary binary scalar multiplication, where the average number of doublings plus additions for a bit length n is 1.5n+O(1).
Alternative digit sets for nonadjacent representations, Selected areas in cryptography
 Lecture Notes in Comput. Sci
, 2004
Cited by 16 (2 self)
Abstract. It is known that every positive integer n can be represented as a finite sum of the form n = Σ a_i 2^i, where a_i ∈ {0, 1, −1} for all i, and no two consecutive a_i’s are nonzero. Such sums are called nonadjacent representations. Nonadjacent representations are useful in efficiently implementing elliptic curve arithmetic for cryptographic applications. In this paper, we investigate if other digit sets of the form {0, 1, x}, where x is an integer, provide each positive integer with a nonadjacent representation. If a digit set has this property we call it a nonadjacent digit set (NADS). We present an algorithm to determine if {0, 1, x} is a NADS; and if it is, we present an algorithm to efficiently determine the nonadjacent representation of any positive integer. We also present some necessary and sufficient conditions for {0, 1, x} to be a NADS. These conditions are used to exhibit infinite families of integers x such that {0, 1, x} is a NADS, as well as infinite families of x such that {0, 1, x} is not a NADS.
Extended double-base number system with applications to elliptic curve cryptography
 In Indocrypt 2006 [1
, 2006
Cited by 16 (4 self)
Abstract. We investigate the impact of larger digit sets on the length of Double-Base Number system (DBNS) expansions. We present a new representation system called extended DBNS whose expansions can be extremely sparse. When compared with double-base chains, the average length of extended DBNS expansions of integers of size in the range 200–500 bits is approximately reduced by 20% using one precomputed point, 30% using two, and 38% using four. We also discuss a new approach to approximate an integer n by d 2^a 3^b where d belongs to a given digit set. This method, which requires some precomputations as well, leads to realistic DBNS implementations. Finally, a left-to-right scalar multiplication relying on extended DBNS is given. On an elliptic curve where operations are performed in Jacobian coordinates, improvements of up to 13% overall can be expected with this approach when compared to window NAF methods using the same number of precomputed points. In this context, it is therefore the fastest method known to date to compute a scalar multiplication on a generic elliptic curve. Keywords: Double-base number system, Elliptic curve cryptography.
The Doubling Attack – Why Upwards is better than Downwards
 Workshop on Cryptographic Hardware and Embedded Systems 2003 (CHES 2003), LNCS 2779
, 2003
Cited by 16 (2 self)
Abstract. The recent developments of side channel attacks have led implementers to use more and more sophisticated countermeasures in critical operations such as modular exponentiation, or scalar multiplication in the elliptic curve setting. In this paper, we propose a new attack against a classical implementation of these operations that only requires two queries to the device. The complexity of this so-called “doubling attack” is much smaller than previously known ones. Furthermore, this approach defeats two of the three countermeasures proposed by Coron at CHES ’99. Keywords. SPA-based analysis, modular exponentiation, scalar multiplication, DPA countermeasures, multiple exponent single data attack.
ANALYSIS OF LINEAR COMBINATION ALGORITHMS IN CRYPTOGRAPHY
 TRANSACTIONS ON ALGORITHMS 1 (2005), 123–142
, 2005
Cited by 16 (11 self)
Several cryptosystems rely on fast calculations of linear combinations in groups. One way to achieve this is to use joint signed binary digit expansions of small “weight.” We study two algorithms, one based on non adjacent forms of the coefficients of the linear combination, the other based on a certain joint sparse form specifically adapted to this problem. Both methods are sped up using the sliding windows approach combined with precomputed lookup tables. We give explicit and asymptotic results for the number of group operations needed assuming uniform distribution of the coefficients. Expected values, variances and a central limit theorem are proved using generating functions. Furthermore, we provide a new algorithm which calculates the digits of an optimal expansion of pairs of integers from left to right. This avoids storing the whole expansion, which is needed with the previously known right to left methods, and allows an online computation.