Improving the performance of {0,1,3}-NAF recoding algorithm for elliptic curve scalar multiplication

Abstract: Although scalar multiplication is highly fundamental to elliptic curve cryptography (ECC), it is the most time-consuming operation. The performance of such scalar multiplication depends on the performance of its scalar recoding which can be measured in terms of the time and memory consumed, as well as its level of security. This paper focuses on the conversion of binary scalar key representation into {0, 1, 3}-NAF non-adjacent form. Thus, we propose an improved {0, 1, 3}-NAF lookup table and mathematical formula algorithm which improves the performance of {0, 1, 3}-NAF algorithm. This is achieved by reducing the number of rows from 15 rows to 6 rows, and reading two (instead of three) digits to produce one. Furthermore, the improved lookup table reduces the recoding time of the algorithm by over 60% with a significant reduction in memory consumption even with an increase in key size. Specifically, the improved lookup table reduces the memory consumption by as much as 75% for the big key, which shows its higher level of resilience to side channel attacks.


I. INTRODUCTION
Elliptic curves cryptosystem (ECC) was proposed by Neal Koblitz and Victor Miller independently in 1985 to design the public-key cryptographic system [1].Similar to other public key cryptographic algorithms, elliptic curve cryptosystem deploys a public key and private key.The public key is used for encryption to provide data confidentiality during communication.ECC is implemented in smart card because of its smaller key size and less computational complexity relative to RSA cryptosystem [2].This makes it attractive and suitable for such applications.
Scalar multiplication is a fundamental and time-consuming operation in ECC [3].The scalar multiplication involves computing where is an integer and P, Q are points on an elliptic curve.It is performed by repeating point addition/subtraction and point doubling operations.The representation of scalar k plays an important role in improving the performance of this operation.Hamming weight of scalar involves the number of the non-zero digits.As such, it determines the number of the required point addition/subtraction operation.Therefore, hamming weight is one of the performance factor for the scalar multiplication operation.Many researchers have tried to improve the performance of the scalar multiplication by representing in other forms with minimal hamming weight [4].However, these works does not improve the hamming weight for the {0,1,3}method, but improving the timing, memory consuming and security for the previous method since it is working on existing lookup table.
In literature, it is proven that reducing the Hamming weight of the scalar k can improve the performance of scalar multiplication [5], [6] and [7].Additionally, the scalar k can be represented in base 2 or otherwise or by using combination of different bases.In base 2, is in binary, NAF or -NAF.In bases other than 2, can be represented in -NAF [8] or -NAF [9].Examples of combination of different bases include mixed ternary/binary [10], DBNS [11], [12], and mbNAF [13].Various recoding algorithms used in the literature include complement recoding technique [14], hybrid complementary and 1's complement recoding technique [15].
In the aforementioned methods, the hamming weight and its effect on the performance of the scalar multiplication were well discussed.For example, width w-NAF is more efficient.However, it increases the value [6], which implies more time and memory is consumed as it requires more operation during pre-computation.It is important to make a trade-off between the performances categories according to the target objective for implementation [16].
The contributions of this paper are as follows: The {0, 1, 3}-NAF method is introduced to convert the binary digit {0, 1} using a proposed lookup table or mathematical formula.The existing lookup table is of size 15 rows and 6 columns and contains special cases, which reads three digits during the recoding to produce one.In this paper, a new lookup table of size 6 rows and 5 columns is proposed to recode the scalar.The proposed lookup table reads two digits to produce one and contains no special cases.The proposed is better than the original in terms of time, memory and security.The remainder of this paper is organized as follows: Section 2 discusses the related work, while Section 3 introduces the {0, 1, 3}-NAF method.The proposed method and the performance analysis are presented in Section 4 and Section 5, respectively.Finally, conclusion and the future works are presented in Section 6.

II. RELATED WORKS
In literature, recoding algorithm is used to change the representation of k to another form without changing the magnitude of the scalar.There are two types of recoding algorithm [17]: left-to-right (L2R) and right-to-left (R2L).L2R recoding is done by scanning digit of k from the most significant bit (MSB) and the latter is by scanning digit from Least Significant Bit (LSB).L2R recoding saves memory and www.ijacsa.thesai.org is mostly preferred for memory constrained devices [18].It depends on the number of rows of the lookup table and number of required digits read while recoding.
However, the performance of recoding algorithms depends on the hardware system implementation and memory storage [16] and [19].Efficient recoding must have recoding rules that are efficient, simple, and consumes less memory [20].An optimal recoding strategy must provide a trade-off between high nonzero density and low memory consumption [6].Selection of radix or digit set for a scalar must also satisfy the characteristics of the scalar multiplication algorithm or implementation technology.According to [21], proper selection of radix and digit set for the scalar can promote an increase of the frequency of useful digits such as zero and a reduction in the total number of nonzero digits to represent a number.

Solution: ( ) ( )
It is worthy of note that the hamming weight (number of non-zeroes) reduced from 5 into 2.
Joye and Yen [23] proposed an optimal L2R recoding algorithm for the binary number, The recoding however does not have NAF property as shown in Algorithm 2. They also use the lookup table to convert the binary to {-1, 0, 1} form as shown in Table I.

TABLE I.
L2R SIGNED-DIGIT RECODING (X = 0 OR 1) Algorithm 2: L2R Signed Digit Recoding Input: ( ) 2 For i from m down to 0 do Note that in Example 1, using Algorithm 1, 2 or the lookup Table I will give the same result (10000-1), but there is a considered difference in the time and memory consumed.
Rezai et.al [24] proposed an L2R recoding algorithm while deploying Markov chain to measure the hamming weight.They identified that their L2R method has a hamming weight of 3n/13.III.EXISTING{0, 1, 3}-NAF RECODING ALGORITHM Yasin [25] proposed a recoding algorithm based on the idea from Reitwiesner's (R2L) [22] and Joye and Yen (L2R) [23].The algorithm is also an L2R recoding and it converts a binary into a non-adjacent form in base 2 with digit {0, 1, 3} using Table II.The author has been proven that the representation follows the non-adjacent form (NAF) property.Algorithm 3 is used to convert the binary into {0, 1, 3}-NAF In Table III, a new mathematical formula can be introduced to recode the digit without using the lookup table as presented in Algorithm 5.In the proposed Algorithm 5, the value of can be calculated using the values of ( ) mathematically as in step 3, while the value of can be computed using the values of ( ) mathematically as in step 4.
In general, lookup table is more efficient in terms of time and memory since lookup table contains no mathematical operations such as multiplication and division as in Algorithm 5.

V. PERFORMANCE ANALYSIS
In terms of performance, we will compare between the proposed lookup table and the original lookup table [25] in terms of response time, memory usage and security.We implemented the two tables in JAVA (NetBeans IDE 8.0.2).The conversion from binary expansion to a new {0,1,3}-NAF representation is run successfully.
Table IV shows the time in seconds for different bit sizes of 24, 28, 32, and 36 bits.As the bit sizes decreases, the level of reduction in percentage is also decreases.
It is clear that the proposed lookup table is faster than current lookup table.The conversion processes also consume less time.Fig. 1 shows the reduction time between the two lookup tables.Fig. 1 shows that our proposed lookup table is more efficient for larger bit size due to its higher reduction percentage.
In terms of the memory performance, the proposed algorithm consumes less memory with higher percentage for large bit key sizes as shown in Table V and Fig. 2.
In Fig. 1 and Fig. 2, the performance achied due the small lookup table size.While recoding, two digits only need to scan so as to produce one digits.Also this can be more efficient with key of big size.| P a g e www.ijacsa.thesai.orgSo, it is clear that the proposed is better than the original {0, 1, 3}-NAF algorithm.
To achieve better ECC security, a larger bit size is desired which makes the proposed lookup table more efficient in terms of time and the memory usage.It is thus more suitable for implementation in ECC.
In term of security, the original lookup table is vulnerable to side channel attack such as simple power attack SPA and timing attack TA due to its non-constant time execution [26].The original lookup has two exceptional cases to the count number of 1's in line 4 & 5 in Table II.While using the lookup table, if there is a consecutive 1's is consumes more memory and time while recoding the original lookup table which makes it vulnerable to attacks.For instance, a hacker can guess that there is a consequent 1's at a part of the key [27].

VI. CONCLUSION AND FUTURE WORKS
In this paper, a new lookup table and mathematical formula have been proposed to improve the {0, 1, 3}-NAF method.The proposed method shows improvement in terms of time, memory and security aspects compared to the original {0, 1, 3}-NAF method, since it reduces the lookup table size from 15 rows into 6, and reads two digits during the recoding to produce one instead of three.Time and memory are reduced while recoding execution with a percentage up to 60% and 75% respectively.The performance of the proposed lookup is more efficient while key size is bigger.
We suggest that this scalar recoding is applied in scalar multiplication either using Montgomery Ladder to achieve better security or using τNAF with Koblitz curves for higher efficiency.The digit 3 can be precomputed using different coordinates such as projective and affine over different curves such as binary, Edward and prime curves.

Fig. 1 .
Fig. 1.Reduction Percentage of Time Related to Bit Size for the Proposed Lookup Table.

Fig. 2 .
Fig. 2. Reduction Percentage of Time Related to Bit Size for the Proposed Lookup Table.

Table
II is a lookup table used together with Algorithm 3. TableIIconsists of 15 rows, and the algorithm starts with scanning three digits L2R.There are also special cases for certain conditions.
3}-NAF with high performance.TableIIIconsists of 6 rows and it is used together with Algorithm 4. The algorithm starts with scanning two digits from R2L Table III is an improved version of Table II.The table size is reduced from 15 rows to 6 rows.Algorithm 4 is used together with Table III to converts a binary into {0,1,3}-NAF.It is worthy of note that number of comparison is minimal than the one in Algorithm 3, since size of lookup table for Algorithm 3 is bigger than the size of lookup table used in Algorithm 4.