Double-Base Chains for Scalar Multiplications on Elliptic Curves Wei - - PowerPoint PPT Presentation

Double-Base Chains for Scalar Multiplications

• n Elliptic Curves

Wei Yu, Saud Al Musa, and Bao Li

Institute of Information Engineering, Chinese Academy of Sciences yuwei_1_yw@163.com

May, 2020

Abstract

Introduction

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Abstract

Introduction The Number of Double-Base Chains

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Abstract

Introduction The Number of Double-Base Chains Hamming Weight of Double-Base Chains

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Abstract

Introduction The Number of Double-Base Chains Hamming Weight of Double-Base Chains Dynamic Programming to Generate Optimal Double-Base Chains

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Abstract

Introduction The Number of Double-Base Chains Hamming Weight of Double-Base Chains Dynamic Programming to Generate Optimal Double-Base Chains Scalar Multiplication using Double-Base Chains

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Introduction:Double-Base Chain

Double-base chains (DBCs) are used to speed up scalar multiplications on elliptic curves. A DBC represents an integer n as

l

• i=1

ci2bi3ti ci ∈ C = {±1},bl ≥ bl−1 ≥ ... ≥ b1 ≥ 0 and tl ≥ tl−1 ≥ ... ≥ t1 ≥ 0. 2bi3ti: a term 2bl3tl: the leading term l: the Hamming weight

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Introduction:Double-Base Chain

1

Dimitrov, Imbert, and Mishra: The canonic DBCs of a positive integer n are the ones with minimal Hamming weight.

2

An optimal DBC of n is the DBC with the smallest value in the set {val(w)|w ∈ X} where X is the set containing all DBCs of n. w is defined by the cost of scalar multiplication.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Introduction:Contributions

Contributions structure, iterative algorithm number of DBCs asymptotic lower bound Hamming weights of DBCs dynamic programming generate an optimal DBC the first polynomial time algorithm answer an open question 6 times faster

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs

Counting the number of DBCs:

1

To show DBC is redundant

2

To generate an optimal DBC Each positive integer has at least one DBC such as binary representation. Imbert and Philippe 2010: an elegant algorithm to compute the number of unsigned DBCs for a given integer.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs

Doche 2014

1

calculate the number of DBCs with a leading term dividing 2b3t for a positive integer

2

efficient for less than 70−bit integers with a leading term dividing 2b3t for the most b and t

3

exponential time algorithm

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs:The Structure of the Set Containing All DBCs

Φ(b,t,n): the set containing all DBCs of an integer n ≥ 0 with a

leading term strictly dividing 2b3t.

¯ Φ(b,t,n): the set containing all DBCs of an integer n ≤ 0 with a

leading term strictly dividing 2b3t.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs:The Structure of the Set Containing All DBCs

Let n be a positive integer, b ≥ 0, t ≥ 0, and b+t > 0. The structure of Φ(b,t) and that of ¯

Φ(b,t) are described as follows. Figure: The Structure of DBCs

Φ(b,t), ¯ Φ(b,t) Φ(b−1,t), ¯ Φ(b−1,t) Φ(b,t −1), ¯ Φ(b,t −1)

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs:The Structure of the Set Containing All DBCs

Figure: The Cardinality of the Set Containing All DBCs

|Φ(b,t)|, | ¯ Φ(b,t)| |Φ(b−1,t)|, | ¯ Φ(b−1,t)| |Φ(b,t −1)|, | ¯ Φ(b,t −1)| |Φ(b−1,t −1)|, | ¯ Φ(b−1,t −1)|

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs: Iterative Algorithm

Input: A positive integer n, b ≥ 0, and t ≥ 0 Output: |Φ(b,t)|, | ¯

Φ(b,t)|

1.

|Φ(0,0)| ← 1, | ¯ Φ(0,0)| ← 0

2. For i from 0 to b, |Φ(i,−1)| = | ¯

Φ(i,−1)| ← 0

3. For j from 0 to t, |Φ(−1,j)| = | ¯

Φ(−1,j)| ← 0

4. For j from 0 to t 5. For i from 0 to b 6. If i+j > 0, compute |Φ(i,j)| and | ¯

Φ(i,j)|

7. return |Φ(b,t)|, | ¯

Φ(b,t)|

The time complexity of our iterative algorithm is in O

logn 3

bit

• perations when both b and t are O

logn .

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

The Number of DBCs

1

100 has 2590 DBCs with a leading term dividing 23034.

2

1000 has 28364 DBCs with a leading term dividing 23036.

3

the number of DBCs of

• π×10120 with a leading term

dividing 22403120 is 40569451268980332857047527244802033238443617954504 67273281157843672719846213086211542270726702592261 7970361 05303878574879.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs:Open Question

Open question Whether the average Hamming weight of DBCs produced by the greedy approach is O

• logn

loglogn

• r not

Doche and Habsieger 2008

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs

Efforts to investigate the lower bound of DBCs

1

Dimitrov and Howe: there exist infinitely many integers n whose shortest double-base number system representations have Hamming weights Ω

• logn

loglognlogloglogn

• .

2

Lou, Sun, and Tartary: there exists at least one

logn

• −bit

integer such that any DBC representing this integer needs at least Ω

logn terms.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs

1

The number of DBCs of a positive integer is infinite

2

The leading term of its DBC may be infinite

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs:The Range of the Leading Term of Optimal DBCs and Canonic DBCs

Disanto, Imbert, and Philippe 2014 showed 2bl3tl > n

2.

Let n be a positive integer represented as a DBC. This work shows

1

n 2 < 2bl3tl < 2n when w is an optimal DBC

2

16n 21 < 2bl3tl < 9n 7 when w is a canonic DBC

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs

An asymptotic lower bound of the average Hamming weights of canonic DBCs for (logn)−bit integers is logn

8.25 .

This answers Doche’s open question.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs

Figure: The Hamming weight of canonic DBCs of integers

1 2 3 4 5 6 7 8 9 10 0.18 0.19 0.2 hundred bits of integers (logn) Hamming weight divided by logn

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Hamming Weight of DBCs

1

0.182887logn for 1000−bit integers,

2

0.181101logn for 2000−bit integers,

3

0.179822logn for 3000−bit integers. This value of the Hamming weight given for 3000−bit integers still has a distance from the theoretical lower bound logn

8.25 .

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs

algorithm time complexity (O) space complexity (O) Doche 2014 exponential

logn 2

Capuñay and Thériault 2015

logn 4 logn 3

Bernstein, Chuengsatiansup, and Lange 2017

logn 2.5 logn 2.5

Dynamic Programming (new)

logn 2 loglogn logn 2

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs

Dynamic programming solves problems by combining the solutions of subproblems. Two key characteristics

1

• ptimal substructure

2

• verlapping subproblems

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs:Blueprint

Characterize the structure of an optimal solution Recursively define the value of an optimal solution Compute a DBC with the smallest Hamming weight in a bottom-up fashion Construct an optimal DBC from computed information

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs

b t 1 2 3 . . .

log3 n−1 log3 n log3 n+1

1 2 3 4 5 6 7 8

...

logn

b+log3·t = logB

requires O

logn bit operations

O logn 3

bit operations

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs:Reduced Representatives

b t 1 . . .

β′ −1 β′ β′ +1

. . .

2β′ −1 2β′ 2β′ +1

. . .

log3 n log3 n+1 1 2 ...

α′ −2 α′ −1 α′ α′ +1 α′ +2 ... 2α′ −1 2α′ 2α′ +1 ... logn

b+log3·t = logB

requires O

logn bit operations

requires O

logn 0.5

bit operations

O logn 2.5

bit operations

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs:Equivalent Representative

Bernstein, Chuengsatiansup, and Lange’s reduced representatives for large numbers do not work for logn+log3n boundary nodes. Our equivalent representatives will solve this problem.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs:Equivalent Representative

b t

1

. . .

β1 −1

β1

β1 +1

. . .

β2

1 −1

β2 1

β2

1 +1

. . .

log3 n log3 n+1

. . . . . .

... ...

1 2 ...

α1 −2 α1 −1

α1

α1 +1 α1 +2 ... α2

1 −2

α2

1 −1

α2 1

α2

1 +1

α2

1 +2... logn

b+log3·t = logB

requires O(logn) bit operations requires O

logn 2/3

bit operations requires O

logn 1/3

bit operations

O logn 7/3

bit operations

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs:Equivalent Representative Repeatedly

Our dynamic programming algorithm terminates in

O(log2nloglogn) bit operations and in O(log2n) bits of memory.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Dynamic Programming Algorithm to Produce Optimal DBCs: Comparisons

Our dynamic programming algorithm

1

• ver 20 times faster than Capuñay and Thériault’s

algorithm

2

• ver 6 times faster than Bernstein, Chuengsatiansup and

Lange’s algorithm As the integer becomes larger, our dynamic programming algorithm will gain more.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Scalar Multiplication using Double-Base Chains

1

Edwards curve

2

Weierstrass curve

3

Tripling-oriented Doche-Icart-Kohel curves (DIK curves) Bernstein, Lange: Explicit-formulas database.

Table: Cost of elliptic curve point operations

curve mA D T Weierstrass 7M+4S 3M+5S 7M+7S Edwards 8M+4S 3M+4S 9M+4S DIK 7M+4S 2M+7S 6M+6S

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Scalar Multiplication using Double-Base Chains:Improvement

Table: Cost of elliptic curve point operations

curve improvement to NAF Edwards 10% Weierstrass 13% DIK 20%

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Conclusion

1

The theoretical aspects of DBCs arising from their study to speed up scalar multiplication

2

Producing an optimal DBC efficiently.

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves

Any questions please send email to:yuwei_1_yw@163.com Thanks for your time!

Wei Yu, Saud Al Musa, and Bao Li Double-Base Chains for Scalar Multiplications on Elliptic Curves