The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks

Katsuyuki Okeya, Tsuyoshi Takagi

Research output: Contribution to journalArticle

56 Citations (Scopus)

Abstract

The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Möller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Möller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.

Original languageEnglish
Pages (from-to)328-342
Number of pages15
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2612
Publication statusPublished - Dec 1 2003

Fingerprint

Scalar multiplication
Side Channel Attacks
Table
Data storage equipment
Consecutive
Addition Chains
Signed
Convert
Odd
Trade-offs
Optimise
Attack
Scalar
Resources
Side channel attack
Zero

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

@article{4bf35fe7df204539814555993bc6263d,
title = "The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks",
abstract = "The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. M{\"o}ller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6{\%} to 50{\%} smaller than those of M{\"o}ller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.",
author = "Katsuyuki Okeya and Tsuyoshi Takagi",
year = "2003",
month = "12",
day = "1",
language = "English",
volume = "2612",
pages = "328--342",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks

AU - Okeya, Katsuyuki

AU - Takagi, Tsuyoshi

PY - 2003/12/1

Y1 - 2003/12/1

N2 - The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Möller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Möller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.

AB - The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Möller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Möller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.

UR - http://www.scopus.com/inward/record.url?scp=35248865717&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248865717&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35248865717

VL - 2612

SP - 328

EP - 342

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -