Mathematical Problems in Engineering

Volume 2013, Article ID 862508, 7 pages

http://dx.doi.org/10.1155/2013/862508

## A Novel Elliptic Curve Scalar Multiplication Algorithm against Power Analysis

Shanghai Jiao Tong University, Shanghai 200240, China

Received 13 November 2012; Revised 10 March 2013; Accepted 12 March 2013

Academic Editor: Jun-Juh Yan

Copyright © 2013 Hongming Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Nowadays, power analysis attacks are becoming more and more sophisticated. Through power analysis attacks, an attacker can obtain sensitive data stored in smart cards or other embedded devices more efficiently than with any other kind of physical attacks. Among power analysis, simple power analysis (SPA) is probably the most effective against elliptic curve cryptosystem, because an attacker can easily distinguish between point addition and point doubling in a single execution of scalar multiplication. To make elliptic curve scalar multiplication secure against SPA attacks, many methods have been proposed using special point representations. In this paper, a simple but efficient SPA-resistant multiscalar multiplication is proposed. The method is to convert the scalar into a nonadjacent form (NAF) representation at first and then constitute it in a new signed digit representation. This new representation is undertaken at a small precomputation cost, as each representation needs just one doubling and 1/2 additions for each bit. In addition, when combined with randomization techniques, the proposed method can also guard against differential power analysis (DPA) attack.

#### 1. Introduction

Since being proposed independently by Koblitz [1] and Miller [2] in the mid 1980s, elliptic curve cryptosystem (ECC) has been widely applied in public key cryptography, especially in pairing cryptosystems [3, 4]. This is due to ECC using a much shorter key size than other traditional public key cryptosystems such as RSA to provide a corresponding level of security. For instance, 160 bit ECC provides about the equivalent level of security as 1024 bit RSA [5]. Due to the shorter key length, higher speed, and lower power consumption, ECC has been attractive for wireless and smart card applications which have limited bandwidth and storage resources. The security of ECC is based on the hardness of the discrete logarithm problem (DLP) on an elliptic curve called elliptic curve discrete logarithm problem (ECDLP) [6]. Given a scalar multiplication , where is an integer, and , are the points on an elliptic curve, according to ECDLP, if is large enough, then it is unable to calculate when the values of and are given. When ECC is implemented in the wireless or smart card devices, they are very vulnerable to power analysis attacks [7, 8].

In power analysis attacks, which were proposed by Kocher et al. [8], an attacker can obtain the secret key stored inside a device by monitoring the cryptographic device’s power consumption. Generally speaking, simple power analysis (SPA) [7] and differential power analysis (DPA) [8] are the two main types of power analysis attacks. SPA can observe secret information through analysis on a single execution of a cryptographic operation, while DPA may need many executions and to analyze them using a statistical process. As different operations executed by the device consume different amounts of time and power, the different time and power consumptions can be used to determine which operations were performed in what order. In the case of scalar multiplication, it may be possible for an attacker to distinguish which parts of the operation were performed by a point doubling, and which parts were performed by a point addition, although he has no knowledge about the private keys. With this the attacker can obtain the secret key, from the acquired information, for using as the scalar in the elliptic curve scalar multiplication.

In the past decade, various scalar multiplication algorithms that resist SPA or DPA have been proposed, for example, [9–17]. In [10], Coron first generalized a DPA attack to the elliptic curve cryptosystem and introduced double-and-add always algorithm to resist SPA and randomization method to resist DPA. Since then, many countermeasures, which are based on randomization and scalar recoding, have been proposed. Reference [11] proposed the randomized addition-subtraction chains method, and [17] introduced the randomized window method. Lee first proposed a SPA-resistant countermeasure based on multiscalar multiplication [13]. Then, [14–16] not only introduced multi-scalar multiplication to resist SPA, but also used randomization method to resist DPA. However, those methods provide security at the cost of efficiency. In this paper, we propose a novel efficient SPA-resistant multi-scalar multiplication method and combine it with a randomization method to resist DPA.

The rest of the paper is organized as follows. Section 2 gives a brief introduction to ECC, scalar multiplication, and previous SPA-resistant algorithms. Section 3 describes the proposed scalar multiplication algorithm. Section 4 compares the performance of our strategies with the previous countermeasures. Finally, Section 5 concludes this paper.

#### 2. Preliminaries

##### 2.1. Elliptic Curve Arithmetic

This subsection presents a brief introduction to ECC. For extended details, the reader can refer to [6, 18]. Let be a finite prime field. An elliptic curve over can be defined by the Weierstrass equation: where . The set of points on an elliptic curve and the point at infinity (denoted by ) form an Abelian group under a point addition operation. The formula for computing point operation consists of two basic operations: the elliptic curve addition (ECADD) when computing according to a group addition rule when two points and on the curve are given and is not equal to , and the elliptic doubling (ECDBL) when computing when a point is given. This needs expensive filed inversions in the computation of point operations when using known as affine coordinates to represent the points on the curve . So, the most efficient implementations adopt representations of the form , known as projective coordinates, including standard projective coordinates, Jacobian projective coordinates, Chudnovsky Jacobian coordinates, and Lopez-Dahab projective coordinates [6].

##### 2.2. Scalar Multiplication

Scalar multiplication is the basic operation in ECDSA signature [19] and ECDH key agreement [20] protocols. The operation calculates the multiples of a point ( times), where is a point on curve and is an integer scalar. As the most time consuming operation in the previously mentioned protocols, many algorithms have been proposed to improve the efficiency of scalar multiplication during the past decade. Among them, the nonadjacent form (NAF) [21] is the standard one. An NAF of a positive integer is an expression where , , and no two consecutive digits of are nonzero. The computation of NAF of a positive integer is described as in Algorithm 1. Then, it is possible to compute the scalar multiplication using NAF method following Algorithm 2.

Each positive has a unique NAF. Among all signed binary representations, NAF() has the fewest nonzero digits. It is known that the average density of nonzero bits of NAF is approximately 1/3. This means that scalar multiplication using NAF needs ECDBL + (/3) ECADD.

##### 2.3. Previous Algorithms

###### 2.3.1. Ciet and Joye’s Algorithm

This algorithm [14] uses the variant of Shamir’s double ladder to compute the multi-scalar multiplication . The main difference is to insert a dummy operation in the computation. So, each loop includes one doubling and one addition, and the operation order is DADADADADA in Algorithm 3. Hence, one point doubling and one point addition per bit is needed.

###### 2.3.2. Lee’s Algorithm

To resist SPA, Lee improved the simultaneous scalar multiplication [21] in [13]. He changed the values of (, ) when (, ) = (0, 0) to construct another adequate digit pair with at least one non-zero digit. Of course, the adjacent pair (, ) should be modified as well. The transformation rules can be described as in Table 1.

After the transformation, the digit pair cannot be all zero. Therefore, the modified simultaneous scalar multiplication was proposed by Lee to resist SPA; see Algorithm 4. Obviously, the cost of Lee's algorithm is also one point doubling and one point addition per bit.

###### 2.3.3. Zhang, Chen, Xiao’s Algorithm

This algorithm [16] proposes four scalar multiplication algorithms against power analysis. Those algorithms are all based on the highest-weight binary form (HBF) of the scalars and randomization to resist power analysis. Although those four countermeasures have no dummy operations, the efficiency of them is similar to Ciet and Joye’s algorithm. They also almost need one point doubling and one point addition per bit. One of these algorithms can be seen as follows in Algorithm 5.

###### 2.3.4. Liu, Tan, and Dai’s Algorithm

Liu et al. also propose a multi-scalar multiplication to resist SPA in [15]. The difference is that they use a joint sparse form (JSF) to represent a pair of integers and process two or three JSF columns each time. Although the processed column number may be different, the algorithm always performs four point doublings and two point additions in each loop. This means that it is not possible for useful information related to the private key to be obtained by the attacker through SPA.

Next, , are selected as a simple example. The JSF of (213, 408) is Then, this algorithm processes the JSF columns as follows: That is to say, it needs four iterations to complete the whole operation; so, sixteen point doubling and eight point addition operations are required. The theoretical analysis and simulation results show that this algorithm needs 1.384 point doublings and 0.692 point additions per bit.

#### 3. The New Algorithm

Based on the algorithms mentioned earlier, a simple but efficient scalar multiplication algorithm is proposed to resist known power analysis attacks in this section. The method first transforms the NAF of the multi-scalar then combines it with the window method and modifies the value of the digit pair with all zero digits; so, the new algorithm can be obtained.

##### 3.1. Scalar Representation

In a scalar multiplication, it can be seen that each bit requires at least a point doubling, while the number of point addition varies in different algorithms. Therefore, the best way to improve the efficiency of the scalar multiplication is to reduce the number of point addition. In this approach, a window method with the NAF form is used to reduce the number of point addition.

First, the window method with the NAF form for a single scalar is described. Let be the window size, the maximum Hamming weight, and the point number of the precomputation table in each window. The NAF of a scalar is denoted by , and generally it can be represented as (2), where is the bit length of the NAF of . When using the window method, it can be represented as , where and bit , in which is the set of all possible -bit parts of the NAF integers. Consider In Table 2, we only list the values of and for from 2 to 6, but from (6), it can be seen that rises by times with the increase of .

Next, the window method with the NAF form for multi-scalar is introduced, where is the window size, is the maximum Hamming weight, and is the point number of pre-computation table in each window (Table 3). Now, in each window, there are two scalars; so, is double , but is much larger than . is the combination of two numbers (, ). Consider From (8), it can be seen that rises exponentially with an increase of . So, in this paper, was selected as the window size.

When and , no point addition is performed. Hence, an attacker can determine this case through SPA. To assist SPA, and should be converted, so that a real point addition happens. This is to say that , and are converted to another digit pair with at least one non-zero digit. In this paper, we select to transform . Of course, the adjacent pair should be considered as well. According to the NAF coding rule, there are five possible cases related to the digit pair . The transformation rules can be described as in Table 4.

After the transformation, the digit pair () adds two more cases, but the pre-computation table only adds one more point due to the different symbol between the two cases.

##### 3.2. Proposed New Multiscalar Multiplication Algorithm

Now, the new algorithm to calculate based on the new representation mentioned earlier can be described. The algorithm has a uniform doubling and adding operation, but no dummy operation.

From Algorithm 6, it can be found that two doublings and one addition are performed in each window. It is assumed that the power consumption of subtraction is the same as the addition. There are fifteen points in the pre-computation table.

Next, a simple example that shows how Algorithm 6 works is described, and the NAF of (209, 416) is

After transformation according to Table 4, the new representation of (209, 416) is Then, the process of Algorithm 6 computing is illustrated in Table 5.

##### 3.3. Proposed DPA-Resistant Scalar Multiplication Algorithm

Among the various DPA countermeasures [22], random key splitting is the most common method to resist DPA. The scalar can be split in at least two different ways; one is , and the other is , where is random and the length of is the same of . In this paper, the first way was chosen, where , . It can be observed that this method is the same as multi-scalar approach. Then, a similar method as in Algorithm 6 can be used to compute the scalar multiplication. The difference is that the point is equal to . Of course, the transformation rule and pre-computation table are also different. To assist an SPA, and when should be converted, so that a real point addition happens. Algorithm 7 describes this in detail.

It can be seen that there are only four points in the pre-computation table for Algorithm 7, but the program sequence is also DDA. Therefore, due to the uniform operation sequence, it can resist SPA, and to ensure that there is no correlation between two times, a random was inserted. Of course, the attacker cannot obtain any information through DPA.

#### 4. Performance Comparison

In this section, the performance of Algorithm 7 is analyzed and compared with previous algorithms. In Algorithm 7, each loop processes two bits and has two point doubling and one point addition. Each bit needs one point doubling and 1/2 point addition. In order to show the performance of Algorithm 7, a comparison with previous methods is listed in Table 6.

According to [23], one projective elliptic doubling in prime case needs 4S (S denotes module square) and 4M (M denotes module multiplication), and one projective elliptic addition on prime case needs 4S and 12M. We resume [24]. Then, algorithm in [13, 14, 16] needs per bit, and algorithm in [15] needs about , while Algorithm 7 only needs per bit. Hence, it Algorithm 7 can improve performance by at least 25% compared with previous algorithms, and, sacrifices a small amount of memory to store pre-computation points.

#### 5. Conclusion

In this paper, a simple but efficient elliptic scalar multiplication against power analysis attacks has been presented. First, we analyze previous algorithms which can resist SPA or DPA. Then, we present the new multi-scalar multiplication to endure SPA. This algorithm is based on NAF and processes two columns each loop. When computing scalar multiplication , we adopt a random number to split scalar and combine it with the multi-scalar multiplication. So, the new DPA-resistant scalar multiplication algorithm is proposed in this work. The proposed DPA-resistant scalar multiplication algorithm not only can resist SPA and DPA, but also provides good performance at a cost of only a few storage spaces.

#### References

- N. Koblitz, “Elliptic curve cryptosystems,”
*Mathematics of Computation*, vol. 48, no. 177, pp. 203–209, 1987. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - V. S. Miller, “Use of elliptic curves in cryptography,” in
*Advances in Cryptology: Proceedings of Crypto '85*, vol. 218 of*Lecture Notes in Computer Science*, pp. 417–426, Springer, Berlin, Germany, 1986. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - K. A. Shim and S. S. Woo, “Cryptanalysis of tripartite and multi-party authenticated key agreement protocols,”
*Information Sciences*, vol. 177, no. 4, pp. 1143–1151, 2007. View at Publisher · View at Google Scholar · View at Scopus - L. Wang, Z. Cao, X. Li, and H. Qian, “Simulatability and security of certificateless threshold signatures,”
*Information Sciences*, vol. 177, no. 6, pp. 1382–1394, 2007. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - H. Cohen, A. Miyaji, and T. Ono, “Efficient elliptic curve exponentiation using mixed coordinates,” in
*Advances in Cryptology (ASIACRYPT '98)*, vol. 1514 of*Lecture Notes in Computer Science*, pp. 51–65, Springer, Berlin, Germany, 1998. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - D. Hankerson, A. Menezes, and S. Vanstone,
*Guide to Elliptic Curve Cryptography*, Springer Professional Computing, Springer, New York, NY, USA, 2004. View at Zentralblatt MATH · View at MathSciNet - P. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other system,” in
*Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '96)*, vol. 1109 of*Lecture Notes in Computer Science*, pp. 104–113, Springer, 1996. - P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in
*Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '99)*, vol. 1666 of*Lecture Notes in Computer Science*, pp. 388–397, Springer, 1999. - T. Izu and T. Takagi, “A fast parallel elliptic curve multiplication resistant against side channel attacks,” in
*Public Key Cryptography (PKC 2002)*, vol. 2274 of*Lecture Notes in Computer Science*, pp. 280–296, Springer, 2002. View at Google Scholar - J. Coron, “Resistance against differential power analysis for elliptic curve cryptosystems,” in
*Proceedings of the 1st International Workshop on Cryptographic Hardware and Embedded Systems (CHES '99)*, vol. 1717 of*Lecture Notes in Computer Science*, pp. 292–302, Springer, 1999. - E. Oswald and M. Aigner, “Randomized addition-subtraction chains as a countermeasure against power attacks,” in
*Proceedings of the 3rd International Workshop on Cryptographic Hardware and Embedded Systems (CHES '01)*, vol. 2001 of*Lecture Notes in Computer Science*, pp. 39–50, Springer, 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - B. Moller, “Securing elliptic curve point multiplication against side-channel attacks,” in
*Proceedings of the 4th International Information Security Conference (ISC '01)*, vol. 2200 of*Lecture Notes in Computer Science*, pp. 324–334, Springer, October 2001. View at Publisher · View at Google Scholar - M. K. Lee, “SPA-resistant simultaneous scalar multiplication,” in
*Proceedings of the International Conference on Computational Science and Its Applications (ICCSA '05)*, vol. 3481, pp. 314–321, Singapore, May 2005. View at Publisher · View at Google Scholar · View at Scopus - M. Ciet and M. Joye, “(virtually) Free randomization technique for elliptic curve cryptography,” in
*Proceedings of the 5th International Conference on Information and Communications Security (ICICS '03)*, vol. 2836, pp. 348–359, 2003. View at Publisher · View at Google Scholar - D. Liu and Z. Tan Y Dai, “New elliptic curve multi-scalar multiplication algorithm for a pair of integers to resist SPA,” in
*Proceedings of the 4th International Conference on Information Security and Cryptology (Inscrypt '08)*, vol. 5487 of*Lecture Notes in Computer Science*, pp. 253–264, Springer, December 2008. View at Publisher · View at Google Scholar · View at Scopus - N. Zhang, Z. Chen, and G. Xiao, “Efficient elliptic curve scalar multiplication algorithms resistant to power analysis,”
*Information Sciences*, vol. 177, no. 10, pp. 2119–2129, 2007. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - P. Y. Liardet and N. P. Smart, “Preventing SPA/DPA in ECC systems using the Jacobi form,” in
*Proceedings of the 3rd International Workshop on Cryptographic Hardware and Embedded Systems (CHES '01)*, vol. 2162 of*Lecture Notes in Computer Science*, pp. 391–401, Springer, May 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet *Advances in Elliptic Curve Cryptography*, Cambridge University Press, Cambridge, UK, 2005. View at Publisher · View at Google Scholar · View at MathSciNet*ANSI X9.62:2005, Public Key Cryptography for the Financial Service Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)*, American National Standards Institute, 2005.*ANSI X9.63:2001, Public Key Cryptography for the Financial Service Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography*, American National Standards Institute, 2001.- A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone,
*Handbook of Applied Cryptography*, CRC Press, Boca Raton, Fla, USA, 1997. View at MathSciNet - J. Fan and I. Verbauwhede, “An Updated survey on secure ECC implementations: attacks, countermeasures and cost,” in
*Cryptography and Security: From Theory to Applications*, vol. 6805 of*Lecture Notes in Computer Science*, pp. 265–282, Springer, 2012. View at Google Scholar *IEEE Std 1363-2000, IEEE Standard Specifications for Public-Key Cryptography*, Institute of Electrical and Electronics Engineers, New York, NY, USA, 2000. View at Publisher · View at Google Scholar- C. H. Lim and H. S. Hwang, “Fast implementation of elliptic curve arithmetic in GF(
*P*^{n}),” in*Proceedings of the 3rd International Workshop on Practice and Theory in Public Key Cryptosystem (PKC '00)*, vol. 1751 of*Lecture Notes in Computer Science*, pp. 405–421, Springer, January 2000. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet