AUTHOREA
Log in Sign Up Browse Preprints

Scott Fluhrer edited untitled.tex  almost 9 years ago

Commit id: 2eecdff5d579e8228a82df1917309753cad423a4

deletions | additions      

       

However, for primes with special structure, this turns out not to work as well. The order of the curve is always within the Hasse Interval; that is, we have:  $$p + 1 - 2\sqrt{p} < hn < p + 1 + 2\sqrt{p}$$  where $h$ is the cofactor of the curve, and is usually a small power of 2. What this implies is that $n \approx p/h$, and if the upper bits of $p$ have a sparse structure, then the upper bits of $n$ will also have a sparse structure. In other words, if $p$ is a special structure prime, and if $r $t  < \sqrt{p}$, then some of the bits of $nt+k$ will be strongly correlated to some bits of $k$, and hence this supposed blinding operation does leak some information about $k$. This would appear to imply that primes with special structure would require significantly larger $t$ values than random primes. And because the time taken to do a point multiplication is proportional to the length of the integer being multiplied, this would appear to imply that primes with special structure can be slower than random primes when implemented on hardware. \section{Scalar randomization with fields with special structure}  One common way to compute the point multiplication $kG$ is to express $k$ in base $b$, as: 

00 00 00 20 27 27 28 29 29 08 23 23 19 19 11 05 16 04 19 03 03 09 14\  15 11 20 31 13  Note the long string of zero's at the beginning; these are what makes scalar randomization less effective. As one might expect, $rn $tn  \approx r2^{252} t2^{252}  + r2^{124.4}$, t2^{124.4}$,  and if $r $t  < 2^{128}$, then bits 251 and below of $k + nr$ nt$  will be strongly correlated to the corresponding bits of $k$ (because the bits of $nr$ $nt$  with nontrivial contributions to those bits of the sum will be zero). Other special form primes don't have quite as striking of a form (I chose Curve25519 because the form of its $n$ is striking), but they too the other special form primes also  have long strings of 0's or $b-1$ digits at the beginning, which yields the corresponding weakness. However, let us consider what happens if we consider a $b$ which is not a power of 2. For example, if we were to take the same $n$ expressed in base $b=48$, we get:  01 28 34 41 23 00 42 31 16 04 20 44 19 13 01 16 37 17 42 41 16 36 22\  39 40 06 14 29 09 44 17 13 24 04 31 28 46 05 19 16 46 07 18 12 42 13  Here, we don't get any regular pattern, and this value would, at first glance, appear random. And, in fact, if we look at the digits of $k+nr$ $k+nt$  (for modest random $r$) $t$)  expressed in base 48, we don't detect any correlation between the digits of that and the digits of $k$ expressed in base 48. This implies that blinding with this value (in base 48) is likely as effective as blinding based on a random prime in base 32. This is not only true of Curve25519; the same thing happens for the special prime curve P256, which has $n$ in base $b=32$ as: