
5.3 Known Solutions: The Case Where Inversion Is Easy

5.3.2 wNAF

The natural generalization of NAF is wNAF, which is defined as follows.⁵

⁵ Alternative generalizations of Reitwiesner’s NAF recoding idea can be found in [Pro00, Avi61].


Definition 5.1 (wNAF) A sequence of signed digits is called wNAF iff the following three properties hold:

1. The most significant non-zero bit is positive.

2. Among any w consecutive digits, at most one is non-zero.

3. Each non-zero digit is odd and less than $2^{w-1}$ in absolute value.

wNAF seems to have been first described by Miyaji, Ono and Cohen [MOC97]. The algorithm proposed in [MOC97] is rather involved, and Solinas gave a more elegant description [Sol00]. Instead of applying window methods to signed binary representations, wNAF is constructed directly from unsigned binary using a generalization of Procedure NAF.

Note that the original NAF is the same as wNAF for w = 2.

Procedure NAF(d, w)

Recently, Muir and Stinson proved the well-known fact that the wNAF of an integer is at most one digit longer than its binary representation [MS06]. In addition, Muir and Stinson were able to show that wNAF provides the minimal number of non-zero digits of all $\{\pm 1, \pm 3, \ldots, \pm(2^{w-1}-1)\}$-representations (an alternative proof has been given by Avanzi [Ava04]). This fact has been assumed to be true for years, but a formal proof was only known for the case w = 2. Note that this property does not imply superiority of wNAF compared with sliding window on NAF (see Section 5.3.1), because the latter requires a larger digit set for the same width w. This results in a higher precomputation effort, but it turns out that the evaluation stage is slightly faster than for wNAF. Indeed, to compare both methods rigorously, one has to develop explicit formulae for the number of group operations necessary in the precomputation and evaluation stages; moreover, the precomputation effort has to be adjusted for a fair comparison. This has been done by Blake, Seroussi and Smart [BSS99] with the conclusion that wNAF is preferable for w > 3, though the margin of difference is slim. The crucial point for determining the estimated number of group additions in a wNAF-supported evaluation stage is the observation that the asymptotic non-zero density of wNAF equals 1/(w + 1). This result has been independently proved by Miyaji, Ono and Cohen [MOC97] on the one hand and by Solinas [Sol00] on the other hand.

As the class wNAF is of high relevance for the subsequent chapters, we summarize its most important features in

Theorem 5.1 wNAF as defined in Definition 5.1 has the following properties:

1. Each positive integer possesses a wNAF representation.

2. The length of the wNAF representation exceeds the binary representation by at most one digit.

3. wNAF provides the minimal number of non-zero digits of all T-representations for $T = \{\pm 1, \pm 3, \ldots, \pm(2^{w-1}-1)\}$.

4. The asymptotic non-zero density of wNAF equals 1/(w + 1).

For the sake of completeness, Algorithm 11 illustrates the scalar multiplication with wNAF. Again, the recoding stage is done right-to-left, therefore it is not possible to merge recoding and evaluation.

Algorithm 11: Scalar multiplication with width-w NAF [BSS99]

Input: a point g, a non-zero n-bit scalar d, a width w

Output: the point dg

    Precomputation:
        g_1 ← g; g_2 ← 2g_1;
        for j from 1 to 2^(w−2) − 1 do g_(2j+1) ← g_(2j−1) + g_2;
        /* g_(2j+1) contains (2j + 1)g for each j in {0, . . . , 2^(w−2) − 1} */

    Recoding:
        (ν_w[n], . . . , ν_w[0]) ← NAF(d, w);

    Evaluation:
        Let c be the largest integer with ν_w[c] ≠ 0;
        if ν_w[c] > 0 then h ← g_(ν_w[c]);
        if ν_w[c] < 0 then h ← −g_(|ν_w[c]|);
        for i from c − 1 down to 0 do
            h ← 2h;
            if ν_w[i] > 0 then h ← h + g_(ν_w[i]);
            if ν_w[i] < 0 then h ← h − g_(|ν_w[i]|);
        return h
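As an added example (not code from the thesis), the following Python sketch recodes a scalar into wNAF, checks the three properties of Definition 5.1, and runs the three stages of Algorithm 11 over a generic group. The recoding is the standard right-to-left formulation, which is an assumption because the body of Procedure NAF is not reproduced on this page; the integers modulo N under addition are a constructed stand-in for an elliptic curve group, and all function names are hypothetical.

```python
def wnaf(d, w):
    """Right-to-left width-w NAF of d > 0, least significant digit first (assumed standard form)."""
    if d <= 0 or w < 2:
        raise ValueError("need d > 0 and w >= 2")
    digits = []
    while d > 0:
        r = 0
        if d & 1:
            r = d % (1 << w)          # signed residue of d modulo 2^w ...
            if r >= 1 << (w - 1):
                r -= 1 << w           # ... mapped into (-2^(w-1), 2^(w-1))
            d -= r                    # d is now divisible by 2^w, forcing w-1 zero digits
        digits.append(r)
        d >>= 1
    return digits

def is_wnaf(digits, w):
    """Check properties 1-3 of Definition 5.1 on an LSB-first digit list."""
    nz = [i for i, v in enumerate(digits) if v != 0]
    if not nz or digits[nz[-1]] <= 0:
        return False                                  # property 1
    if any(b - a < w for a, b in zip(nz, nz[1:])):
        return False                                  # property 2
    return all(digits[i] % 2 == 1 and abs(digits[i]) < 1 << (w - 1) for i in nz)

def scalar_mult_wnaf(g, d, w, add, neg):
    """Algorithm 11 using only the group operations add and neg."""
    table = {1: g}                    # precomputation: g, 3g, ..., (2^(w-1) - 1)g
    g2 = add(g, g)
    for j in range(1, 1 << (w - 2)):
        table[2 * j + 1] = add(table[2 * j - 1], g2)
    digits = wnaf(d, w)               # recoding, right-to-left
    c = len(digits) - 1               # top digit is non-zero and positive
    h = table[digits[c]]
    for i in range(c - 1, -1, -1):    # evaluation, left-to-right
        h = add(h, h)
        v = digits[i]
        if v > 0:
            h = add(h, table[v])
        elif v < 0:
            h = add(h, neg(table[-v]))
    return h

# Constructed toy group for checking results: integers modulo N under addition.
N = 1000003
def add(a, b): return (a + b) % N
def neg(a): return (-a) % N
```

The precomputed table holds only the $2^{w-2}$ positive odd multiples; negative digits are served by negating a table entry, which is why the method pays off in groups where inversion is cheap.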

Chapter 6

MOF—A New Canonical Signed Binary Representation With Applications to Elliptic Curve Cryptography

The most common methods for computing scalar multiplication of random elements in Abelian groups are sliding window schemes, which enhance the efficiency of the binary method at the expense of some precomputation (see Chapter 5). In groups where inversion is easy, signed representations of the exponent are meaningful because they decrease the amount of required precomputation. The asymptotically best signed method is wNAF, because it minimizes the precomputation effort whilst its non-zero density is optimal. Unfortunately, wNAF can be computed only from the least significant bit, i. e., right-to-left. In connection with memory-constrained devices, however, left-to-right recoding schemes are by far more valuable.

In this chapter, we define the MOF (Mutually Opposite Form), a new canonical representation of signed binary strings, which can be computed in any order. Therefore we obtain the first left-to-right signed recoding scheme for general width w by applying the width w sliding window conversion on MOF left-to-right. Moreover, the analogue right-to-left conversion on MOF yields wNAF, which indicates that the new class is the natural left-to-right analogue to the useful wNAF. Indeed, the new class inherits the outstanding properties of wNAF, namely the required precomputation and the achieved non-zero density are exactly the same.

6.1 Introduction

As ubiquitous computing devices are penetrating our daily life, the importance of memory-constrained devices (e. g., smart cards) in cryptography is increasing. Note that in connection with these devices, the most popular cryptosystems are based on elliptic curve point groups [Kob87, Mil85], because elliptic curve cryptosystems (ECC) provide high security with moderate key-lengths. Hence, ECC seems to be the future standard, especially for hand-held devices which have scarce resources. The most important operation in ECC is scalar multiplication (i. e., the multiplication of an integer with a point of the curve) which has been discussed in the preceding chapter. Recall that scalar multiplication of a random point is split into three phases: first, a fairly small amount of precomputation depending on the particular point and the set T determined by the selected window method has to be performed, then, in the recoding phase, the scalar is rewritten to a T-representation, and finally, in the evaluation stage, the multiplication is done.

6.1.1 New Motivation for Memory-saving Scalar Multiplication