AUTHOREA
Log in Sign Up Browse Preprints

Scott Fluhrer edited untitled.tex  almost 9 years ago

Commit id: 7672292030014ec7ab8ccff4b939dc0c629b66fd

deletions | additions      

       

00 00 00 20 27 27 28 29 29 08 23 23 19 19 11 05 16 04 19 03 03 09 14\  15 11 20 31 13  Note the long string of zero's at the beginning; these are what makes scalar randomization less effective. As one might expect, $tn \approx t2^{252} + t2^{124.4}$, and if $t < 2^{128}$, then bits 251 and below of $k + nt$ will be strongly correlated to the corresponding bits of $k$ (because the bits of $nt$ with nontrivial contributions to those bits of the sum will be zero). Other special form primes don't have quite as striking of a form (I chose Curve25519 because the form of its $n$ is striking), makes it quite obvious),  but the other special form primes also have long strings of 0's or $b-1$ digits at the beginning, which yields the corresponding weakness. However, let us consider what happens if we consider a $b$ which is not a power of 2. For example, if we were to take the same $n$ expressed in base $b=48$, we get: 

27 43 25 45 05 37 02 04 08 39 09 42 06 04 27 15 01 47 30 12 25 23 01    Of course, once we consider nonpower-of-2 bases, we lose the two advantages that we formally had; let us examine how bad that makes the situation. we can make it work.  \section{Costs of point multiplication using a non-power-of-2 base}  The first thing we want to look at is how much more expensive it is to use a base which is not a power of 2. After all, a base which is a power of 2 allows us to implement that the  fixed multiplication by $b$ by using  a handful of doublings, which is the most efficient method possible. However, it turns out there are other bases that are almost as cheap. To make a concrete comparision, comparison,  we'll outline the costs with both a power-of-2 base, and a nonpower-of-2 base. In both cases we'll assume that we're dealing with an Elliptic Curve with a 256 bit subgroup, and that we'll use a 64 bit blinding value $r$, yielding an exponent which is 320 bits long. We'll use the radix method, using a balanced representation of the digits (that is, the digits are values in the range $[-b/2, b/2]$, and we'll assume that the addition-by-0 is masked somehow (whether the low-level addition routines handle it without a special case, or because in that case we'll add by an arbitrary point and discard the result). To implement this using radix $b=32$ (which is optimal over all powers-of-2 in this scenario), we'll first compute the digits $(-16G, -15G, ..., 15G, 16G)$ with 7 doublings, 7 additions\footnote{In some elliptic curve representations, the operation of adding a point to itself (doubling) is cheaper than adding two distinct points (additions), hence we track those two operations separately} and 15 negations\footnote{Negation is such a cheap operation within Elliptic Curves that we typically don't count it}. Then, we implement the actual addition chain; in this case, 320 bits is 64 digits\footnote{Normally, it would be 65, because of the signed representation; however we could assume that r is a signed value as well, and that would bring us to the 64 digit level}; this is 63 rounds of multiplying the current point by 32 (which is 5 doublings), and adding in the next digit (which is a single addition); this step takes us 315 doublings, and 63 additions, for a total of 322 doublings, 70 additions, and 15 negations.