Improving the Performance of {0,1,3}-NAF Recoding Algorithm for Elliptic Curve Scalar Multiplication

(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 10, No. 4, 2019
275 | Page
www.ijacsa.thesai.org
Waleed K. AbdulRaheem1, Sharifah Bte Md Yasin2, Nur Izura Binti Udzir3, Muhammad Rezal bin Kamel Ariffin4
Faculty of Computer Science and Information Technology, University Putra Malaysia, Selangor, Malaysia1, 2, 3
Institute for Mathematical Research, University Putra Malaysia, Selangor, Malaysia4
Abstract: Although scalar multiplication is fundamental to elliptic curve cryptography (ECC), it is its most time-consuming operation. The performance of scalar multiplication depends on the performance of its scalar recoding, which can be measured in terms of the time and memory consumed, as well as its level of security. This paper focuses on the conversion of the binary scalar key representation into {0, 1, 3}-NAF non-adjacent form. We propose an improved {0, 1, 3}-NAF lookup table and mathematical formula algorithm which improves the performance of the {0, 1, 3}-NAF algorithm. This is achieved by reducing the number of rows from 15 to 6, and by reading two (instead of three) digits to produce one. The improved lookup table reduces the recoding time of the algorithm by over 60% with a significant reduction in memory consumption even as the key size increases. Specifically, the improved lookup table reduces memory consumption by as much as 75% for the big key, which shows its higher level of resilience to side channel attacks.
Keywords: Elliptic Curve Cryptosystem (ECC); scalar multiplication algorithm; {0, 1, 3}-NAF method; Non-Adjacent Form (NAF)
I. INTRODUCTION
The elliptic curve cryptosystem (ECC) was proposed independently by Neal Koblitz and Victor Miller in 1985 as a public-key cryptographic system [1]. Like other public-key algorithms, an elliptic curve cryptosystem uses a public key and a private key. The public key is used for encryption to provide data confidentiality during communication. ECC is implemented in smart cards because of its smaller key size and lower computational complexity relative to the RSA cryptosystem [2], which makes it attractive and suitable for such applications.
Scalar multiplication is a fundamental and time-consuming operation in ECC [3]. It computes Q = kP, where k is an integer and P, Q are points on an elliptic curve, by repeated point addition/subtraction and point doubling operations. The representation of the scalar k plays an important role in the performance of this operation. The Hamming weight of the scalar is the number of its non-zero digits; it determines the number of point addition/subtraction operations required and is therefore one of the performance factors of scalar multiplication. Many researchers have tried to improve the performance of scalar multiplication by representing k in other forms with minimal Hamming weight [4]. The present work, however, does not improve the Hamming weight of the {0,1,3} method; it improves the timing, memory consumption and security of the previous method, which works on an existing lookup table.
In the literature, it is proven that reducing the Hamming weight of the scalar k improves the performance of scalar multiplication [5], [6], [7]. The scalar k can be represented in base 2, in another base, or using a combination of different bases. In base 2, k is in binary, NAF or w-NAF. In bases other than 2, k can be represented in radix-r NAF [8] or the modified radix-r representation [9]. Examples of combinations of different bases include mixed ternary/binary [10], DBNS [11], [12] and mbNAF [13]. Recoding algorithms used in the literature also include the complement recoding technique [14] and the hybrid complementary and 1's complement recoding technique [15].
In the aforementioned methods, the Hamming weight and its effect on the performance of scalar multiplication were well discussed. For example, width-w NAF is more efficient; however, increasing w [6] means that more time and memory are consumed, since more operations are required during pre-computation. It is important to make a trade-off between the performance categories according to the target objective of the implementation [16].
The contributions of this paper are as follows. The {0, 1, 3}-NAF method converts the binary digits {0, 1} using a lookup table or a mathematical formula. The existing lookup table has 15 rows and 6 columns, contains special cases, and reads three digits during the recoding to produce one. In this paper, a new lookup table of 6 rows and 5 columns is proposed to recode the scalar. The proposed lookup table reads two digits to produce one and contains no special cases. It is better than the original in terms of time, memory and security. The remainder of this paper is organized as follows: Section 2 discusses the related work, Section 3 introduces the {0, 1, 3}-NAF method, the proposed method and the performance analysis are presented in Section 4 and Section 5 respectively, and the conclusion and future work are presented in Section 6.
II. RELATED WORKS
In the literature, a recoding algorithm changes the representation of k to another form without changing the magnitude of the scalar. There are two types of recoding algorithm [17]: left-to-right (L2R) and right-to-left (R2L). L2R recoding scans the digits of k from the most significant bit (MSB), while R2L recoding scans them from the least significant bit (LSB). L2R recoding saves memory and is mostly preferred for memory-constrained devices [18]. The cost of a table-driven recoding depends on the number of rows of the lookup table and on the number of digits that must be read while recoding.
However, the performance of recoding algorithms also depends on the hardware implementation and memory storage [16], [19]. Efficient recoding must have recoding rules that are efficient, simple and consume little memory [20]. An optimal recoding strategy must provide a trade-off between high nonzero density and low memory consumption [6]. The selection of the radix or digit set for a scalar must also suit the characteristics of the scalar multiplication algorithm or implementation technology. According to [21], proper selection of the radix and digit set for the scalar can increase the frequency of useful digits such as zero and reduce the total number of nonzero digits needed to represent a number.
Reitwiesner (1960) proposed an R2L non-adjacent form (NAF) recoding which converts a binary number with digits {0, 1} into NAF with digits {-1, 0, 1} [22], as shown in Algorithm 1. Non-adjacent form means that there are no consecutive non-zero digits in the scalar k. In {-1, 0, 1}-NAF recoding, a binary number of the form X = (X_m, ..., X_0)_2 with X_i ∈ {0, 1} is converted into a canonical form Y = (Y_m, ..., Y_0)_NAF with Y_i ∈ {-1, 0, 1} using Algorithm 1. The average Hamming weight of NAF is .
Algorithm 1: R2L NAF Recoding
Input: X = (X_m, ..., X_0)_2
Output: Y = (Y_{m+1}, Y_m, ..., Y_0)_NAF
1. C_0 ← 0; X_{m+1} ← 0
2. For i from 0 to m do
3.   C_{i+1} ← ⌊(C_i + X_i + X_{i+1}) / 2⌋
4.   Y_i ← C_i + X_i − 2·C_{i+1}
5. Y_{m+1} ← C_{m+1}; Return Y = (Y_{m+1}, Y_m, ..., Y_0)_NAF
Example 1: Convert the binary number (11111)_2 into NAF using Algorithm 1.
Solution: (11111)_2 = (1 0 0 0 0 -1)_NAF.
Note that the Hamming weight (number of non-zero digits) is reduced from 5 to 2.
Joye and Yen [23] proposed an optimal L2R recoding algorithm for binary numbers; the result, however, does not have the NAF property, as shown in Algorithm 2. They also use a lookup table to convert the binary number to {-1, 0, 1} form, as shown in Table I.
TABLE I. L2R SIGNED-DIGIT RECODING (X = 0 OR 1)
b_i | X_i | X_{i-1} | X_{i-2} | Y_i
0 | 0 | 0 | x | 0
0 | 0 | 1 | 0 | 0
0 | 0 | 1 | 1 | 1
0 | 1 | 0 | x | 1
1 | 0 | 1 | x | -1
1 | 1 | 0 | 0 | -1
1 | 1 | 0 | 1 | 0
1 | 1 | 1 | x | 0
Algorithm 2: L2R Signed-Digit Recoding
Input: X = (X_{m-1}, ..., X_0)_2
Output: Y = (Y_m, ..., Y_0)
1. b_m ← 0; X_m ← 0; X_{-1} ← 0; X_{-2} ← 0
2. For i from m down to 0 do
3.   b_{i-1} ← ⌊(b_i + X_{i-1} + X_{i-2}) / 2⌋
4.   Y_i ← −2·b_i + X_i + b_{i-1}
5. Return Y
Note that in Example 1, using Algorithm 1, Algorithm 2 or lookup Table I gives the same result (1 0 0 0 0 -1), but there is a considerable difference in the time and memory consumed. Rezai et al. [24] proposed an L2R recoding algorithm and used a Markov chain to measure its Hamming weight; they found that their L2R method has a Hamming weight of 3n/13.
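The two {-1, 0, 1} recodings above and Table I, as an added Python example (this is not code from the paper): naf_r2l follows Algorithm 1, signed_digit_l2r follows Algorithm 2, and table_i regenerates the rows of Table I from the Algorithm 2 formulas. The function names and the list-based digit representation (most significant digit first) are this example's own choices.

```python
# Added example (not the paper's code): Reitwiesner's right-to-left NAF recoding
# (Algorithm 1), Joye and Yen's left-to-right signed-digit recoding (Algorithm 2),
# and Table I regenerated from the Algorithm 2 formulas. Digit lists are written
# most-significant digit first, matching the paper's (Y_m, ..., Y_0) notation.


def digits_to_int(digits, base=2):
    """Evaluate a most-significant-first digit list (digits may be negative)."""
    value = 0
    for d in digits:
        value = value * base + d
    return value


def hamming_weight(digits):
    """Number of non-zero digits: the point additions/subtractions a scalar costs."""
    return sum(1 for d in digits if d != 0)


def is_non_adjacent(digits):
    """NAF property: no two consecutive non-zero digits."""
    return all(not (a != 0 and b != 0) for a, b in zip(digits, digits[1:]))


def naf_r2l(bits):
    """Algorithm 1 (Reitwiesner, R2L). Carry C_{i+1} = floor((C_i + X_i + X_{i+1}) / 2),
    digit Y_i = C_i + X_i - 2*C_{i+1}; the final carry becomes the leading digit Y_{m+1}."""
    m = len(bits) - 1
    x = list(reversed(bits)) + [0, 0]   # x[i] = X_i, padded so that X_{m+1} = 0 exists
    y = [0] * (m + 2)
    c = 0                                # C_0 = 0
    for i in range(m + 1):
        c_next = (c + x[i] + x[i + 1]) // 2
        y[i] = c + x[i] - 2 * c_next
        c = c_next
    y[m + 1] = c
    return list(reversed(y))


def signed_digit_l2r(bits):
    """Algorithm 2 (Joye-Yen, L2R). Borrow b_{i-1} = floor((b_i + X_{i-1} + X_{i-2}) / 2),
    digit Y_i = -2*b_i + X_i + b_{i-1}. Output has m+1 digits and need not be non-adjacent."""
    m = len(bits)
    x = {i: 0 for i in range(-2, m + 1)}  # X_m = X_{-1} = X_{-2} = 0
    for j, bit in enumerate(bits):        # bits[0] is X_{m-1}
        x[m - 1 - j] = bit
    y = []
    b = 0                                 # b_m = 0
    for i in range(m, -1, -1):
        b_prev = (b + x[i - 1] + x[i - 2]) // 2
        y.append(-2 * b + x[i] + b_prev)
        b = b_prev
    return y


def table_i():
    """Table I as a dict (b_i, X_i, X_{i-1}, X_{i-2}) -> Y_i, generated from the same formulas.
    States that Algorithm 2 can never reach (b_i = 0 with X_i = X_{i-1} = 1, and
    b_i = 1 with X_i = X_{i-1} = 0) are skipped, which leaves the 12 combinations of Table I."""
    rows = {}
    for b in (0, 1):
        for x_i in (0, 1):
            for x_1 in (0, 1):
                for x_2 in (0, 1):
                    if (b == 0 and x_i == 1 and x_1 == 1) or (b == 1 and x_i == 0 and x_1 == 0):
                        continue
                    b_prev = (b + x_1 + x_2) // 2
                    rows[(b, x_i, x_1, x_2)] = -2 * b + x_i + b_prev
    return rows


def check_scalar(bits):
    """Recode one scalar both ways; returns (value, naf, signed_digit) and raises if either
    recoding changes the value or the NAF output has adjacent non-zero digits."""
    value = digits_to_int(bits)
    naf = naf_r2l(bits)
    sd = signed_digit_l2r(bits)
    assert digits_to_int(naf) == value and digits_to_int(sd) == value
    assert is_non_adjacent(naf)
    return value, naf, sd


if __name__ == "__main__":
    # Example 1 of the paper: 11111 -> 1 0 0 0 0 -1 (Hamming weight 5 -> 2)
    value, naf, sd = check_scalar([1, 1, 1, 1, 1])
    print(value, naf, sd, hamming_weight(naf))
```

Running the block reproduces Example 1 for both recoders; check_scalar is the property test a practitioner would run over a range of scalars before trusting a recoder, since a recoding that silently changes the value of k is a correctness (and key-handling) bug rather than a performance issue.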
III. EXISTING {0, 1, 3}-NAF RECODING ALGORITHM
Yasin [25] proposed a recoding algorithm based on the ideas of Reitwiesner (R2L) [22] and Joye and Yen (L2R) [23]. The algorithm is an L2R recoding that converts a binary number into a non-adjacent form in base 2 with digits {0, 1, 3} using Table II. The author proved that the representation has the non-adjacent form (NAF) property. Algorithm 3 converts the binary number into {0, 1, 3}-NAF.
Table II is the lookup table used together with Algorithm 3. It consists of 15 rows, and the algorithm scans three digits L2R. There are also special cases for certain conditions.
Algorithm 3: L2R {0,1,3}-NAF Recoding
Input: r = (r_{m-1}, ..., r_0)_2
Output: r' = (r'_{m-1}, ..., r'_0)_{0,1,3}-NAF
1. b_m ← 0; r_m ← 0; r_{-1} ← 0; r_{-2} ← 0; r'_m ← 0
2. For i from m−1 down to 0 do
3.   Scan two digits of r from the MSB, i.e. r_i and r_{i+1}
4.   Compute b_i ← ⌊(b_{i+1} + r_i + r_{i-1}) / 2⌋
5.   Compare (b_{i+1}, r_{i+1}, r_i, r_{i-1}, b_i) with the lookup table row by row: if it matches row 1, 3, 5, 6, 8, 9, 10, 13 or 15 then r'_i = 0
6.   If it matches row 2, 4 or 7 then r'_i = 1
7.   If it matches row 11, 12 or 14 then r'_i = 3
8. Return r'
Example 2: Convert the number (1101101101)_2 from binary into {0,1,3}-NAF.
Solution: applying lookup Table II or Algorithm 3, reading 3 digits from L2R, gives (0300300301)_{0,1,3}-NAF, which reduces the Hamming weight from 7 to 4.
TABLE II. L2R {0,1,3}-NAF RECODING (X = 0 OR 1)
No | b_{i+1} | r_{i+1} | r_i | r_{i-1} | Special Case | r'_i | b_i
1 | 0 | 0 | 0 | x | | 0 | 0
2 | 0 | 0 | 1 | 0 | | 1 | 0
3 | 0 | 0 | 1 | 1 | if number of consecutive 1's is even | 0 | 1
4 | 0 | 0 | 1 | 1 | if number of consecutive 1's is odd | 1 | 1
5 | 0 | 1 | 0 | x | | 0 | 0
6 | 0 | 1 | 1 | 1 | if r'_{i+1} = 1 or 3 | 0 | 1
7 | 1 | 0 | 1 | 0 | | 1 | 1
8 | 1 | 0 | 1 | 1 | | 1 | 1
9 | 1 | 1 | 0 | 0 | | 0 | 0
10 | 1 | 1 | 0 | 1 | if r'_{i+1} = 1 or 3 | 0 | 1
11 | 1 | 1 | 0 | 1 | if r'_{i+1} = 0 | 3 | 1
12 | 1 | 1 | 1 | 0 | if r'_{i+1} = 0 | 3 | 1
13 | 1 | 1 | 1 | 0 | if r'_{i+1} = 1 | 0 | 1
14 | 1 | 1 | 1 | 1 | if r'_{i+1} = 0 | 3 | 1
15 | 1 | 1 | 1 | 1 | if r'_{i+1} = 1 or 3 | 0 | 1
IV. PROPOSED ALGORITHM
We propose Table III, which converts a binary number into {0,1,3}-NAF with high performance. Table III is an improved version of Table II: its size is reduced from 15 rows to 6 rows, and it is used together with Algorithm 4, which starts by scanning two digits from R2L, to convert a binary number into {0,1,3}-NAF.
Algorithm 4: Improved R2L {0,1,3}-NAF Recoding
Input: X = (X_{m-1}, ..., X_0)_2
Output: Y = (Y_{m-1}, ..., Y_0)_{0,1,3}-NAF
1. C_0 ← 0; X_m ← 0
2. For i from 0 to m−1 do
3.   Scan two digits of X from the LSB (X_i, X_{i+1})
4.   Use the lookup table to find the Y_i that matches (C_i, X_{i+1}, X_i)
5.   Use the lookup table to find C_{i+1}
6. Return Y
In Algorithm 3, line 4 computes b_i in each iteration, and line 5 compares (b_{i+1}, r_{i+1}, r_i, r_{i-1}, b_i) with the values of a row in the lookup table. In Algorithm 4, the comparison with the lookup table is done in line 4. Note that the number of comparisons is smaller than in Algorithm 3, since the lookup table of Algorithm 3 is bigger than the one used in Algorithm 4.
TABLE III. IMPROVED LOOKUP TABLE OF {0,1,3}-NAF RECODING
No | C_i | X_{i+1} | X_i | Y_i | C_{i+1}
1 | 0 | 0 | 0 | 0 | 0
2 | 0 | 1 | 0 | 0 | 0
3 | 0 | 0 | 1 | 1 | 0
4 | 0 | 1 | 1 | 3 | 1
5 | 1 | 0 | 1 | 0 | 0
6 | 1 | 1 | 1 | 0 | 0
In Table III, a new mathematical formula can be introduced to recode the digits without using the lookup table, as presented in Algorithm 5.
Algorithm 5: Improved {0,1,3}-NAF Recoding R2L
Input:      
Output:       
1.    
2. For    do
3.       
4.      
5. return       
In the proposed Algorithm 5, the value of Y_i is calculated mathematically from the scanned digits in step 3, while the value of C_{i+1} is computed mathematically in step 4.
In general, the lookup table is more efficient in terms of time and memory, since it involves no mathematical operations such as the multiplication and division in Algorithm 5.
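Algorithm 4 with Table III, and the formula-based variant of Algorithm 5, as an added Python example (this is not code from the paper). Two assumptions are made here: the columns of Table III are read as (C_i, X_{i+1}, X_i) giving (Y_i, C_{i+1}), a reading that reproduces Example 2; and the closed form in recode_digit is derived here from that table, so it is this example's own formula, not the paper's Algorithm 5. It goes beyond the text by checking every scalar of a given width exhaustively.

```python
# Added example (not the paper's code): the improved right-to-left {0,1,3}-NAF
# recoding of Algorithm 4 driven by Table III, plus a closed-form digit rule.
# Assumed reading of Table III: (C_i, X_{i+1}, X_i) -> (Y_i, C_{i+1}).
# The closed form below is derived here from that table; it is not the paper's Algorithm 5.

TABLE_III = {
    # (C_i, X_{i+1}, X_i): (Y_i, C_{i+1})
    (0, 0, 0): (0, 0),   # row 1
    (0, 1, 0): (0, 0),   # row 2
    (0, 0, 1): (1, 0),   # row 3: an isolated 1 is kept
    (0, 1, 1): (3, 1),   # row 4: the pair "11" becomes one digit 3; C = 1 marks X_{i+1} as consumed
    (1, 0, 1): (0, 0),   # row 5: X_i was already absorbed into the 3 below it
    (1, 1, 1): (0, 0),   # row 6
}


def digits_to_int(digits, base=2):
    """Evaluate a most-significant-first digit list in the given base."""
    value = 0
    for d in digits:
        value = value * base + d
    return value


def hamming_weight(digits):
    """Number of non-zero digits (point additions needed in scalar multiplication)."""
    return sum(1 for d in digits if d != 0)


def is_non_adjacent(digits):
    """NAF property: no two consecutive non-zero digits."""
    return all(not (a and b) for a, b in zip(digits, digits[1:]))


def naf013_r2l(bits):
    """Algorithm 4: bits = (X_{m-1}, ..., X_0) MSB first; exactly one Table III lookup per digit."""
    m = len(bits)
    x = list(reversed(bits)) + [0]   # x[i] = X_i, with X_m = 0 appended
    y = [0] * m
    c = 0                            # C_0 = 0
    for i in range(m):
        y[i], c = TABLE_III[(c, x[i + 1], x[i])]
    return list(reversed(y))


def recode_digit(c, x_next, x_i):
    """Closed-form equivalent of Table III (derived here):
    Y_i = (1 - C_i) * X_i * (1 + 2*X_{i+1}),  C_{i+1} = (1 - C_i) * X_i * X_{i+1}."""
    y = (1 - c) * x_i * (1 + 2 * x_next)
    c_next = (1 - c) * x_i * x_next
    return y, c_next


def naf013_r2l_formula(bits):
    """Algorithm 4 with the closed form in place of the lookup table."""
    m = len(bits)
    x = list(reversed(bits)) + [0]
    y = [0] * m
    c = 0
    for i in range(m):
        y[i], c = recode_digit(c, x[i + 1], x[i])
    return list(reversed(y))


def to_bits(n, width=None):
    """MSB-first bit list of n, optionally zero-padded to width."""
    bits = [int(b) for b in bin(n)[2:]]
    if width is not None:
        bits = [0] * (width - len(bits)) + bits
    return bits


def check_all(width):
    """Exhaustively check every width-bit scalar: table and formula agree, the value is
    preserved, and the digits are in {0,1,3} and non-adjacent. Returns the number checked."""
    for n in range(1 << width):
        bits = to_bits(n, width)
        table = naf013_r2l(bits)
        assert table == naf013_r2l_formula(bits)
        assert digits_to_int(table) == n
        assert set(table) <= {0, 1, 3} and is_non_adjacent(table)
    return 1 << width


if __name__ == "__main__":
    example = [1, 1, 0, 1, 1, 0, 1, 1, 0, 1]          # Example 2 of the paper
    out = naf013_r2l(example)
    print(out, hamming_weight(example), "->", hamming_weight(out))
    print("checked", check_all(12), "scalars")
```

The loop in naf013_r2l does the same single lookup for every bit position regardless of the bit pattern, which is the property the security discussion in Section V relies on; check_all is the kind of exhaustive small-width test that should accompany any recoder change before it is used on real keys.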
V. PERFORMANCE ANALYSIS
In terms of performance, we compare the proposed lookup table with the original lookup table [25] in terms of response time, memory usage and security. We implemented the two tables in Java (NetBeans IDE 8.0.2). The conversion from the binary expansion to the new {0,1,3}-NAF representation runs successfully.
Table IV shows the time in seconds for bit sizes of 24, 28, 32 and 36 bits. As the bit size decreases, the reduction percentage also decreases. It is clear that the proposed lookup table is faster than the current lookup table, and the conversion process consumes less time. Fig. 1 shows the time reduction between the two lookup tables; it shows that the proposed lookup table is more efficient for larger bit sizes, where the reduction percentage is higher.
In terms of memory, the proposed algorithm consumes less memory, with a higher reduction percentage for large key sizes, as shown in Table V and Fig. 2.
The gains in Fig. 1 and Fig. 2 are due to the small lookup table size: while recoding, only two digits need to be scanned to produce one digit. This is also more efficient for keys of big size.
TABLE IV. CONVERSION TIME FROM BINARY TO {0,1,3}-NAF FOR L2R AND MODIFIED R2L {0,1,3}-NAF ALGORITHMS
Size of bits | L2R {0,1,3}-NAF Recoding (Seconds) | Proposed R2L {0,1,3}-NAF Recoding (Seconds) | Reduction Percentage
36 | 123650 | 49918 | 60%
32 | 6839 | 2897 | 58%
28 | 389 | 173 | 56%
24 | 22 | 11 | 50%
Fig. 1. Reduction Percentage of Time Related to Bit Size for the Proposed Lookup Table.
Fig. 2. Reduction Percentage of Time Related to Bit Size for the Proposed Lookup Table.
TABLE V. CONVERSION MEMORY IN KBYTES FROM BINARY TO {0,1,3}-NAF FOR L2R AND MODIFIED R2L {0,1,3}-NAF ALGORITHMS
Size of bits | L2R {0,1,3}-NAF Recoding (Kbytes) | Proposed R2L {0,1,3}-NAF Recoding (Kbytes) | Reduction Percentage
36 | 75416 | 18897 | 75%
32 | 41837 | 13691 | 67%
28 | 30937 | 11511 | 63%
24 | 25112 | 10164 | 60%
It is thus clear that the proposed table is better than the original {0, 1, 3}-NAF algorithm.
To achieve better ECC security, a larger bit size is desired, which makes the proposed lookup table more efficient in terms of time and memory usage and therefore more suitable for implementation in ECC.
In terms of security, the original lookup table is vulnerable to side channel attacks such as simple power analysis (SPA) and timing attacks (TA) due to its non-constant-time execution [26]. The original lookup table has two exceptional cases that count the number of 1's, in lines 4 and 5 of Table II. When the original lookup table is used, consecutive 1's consume more memory and time during recoding, which makes it vulnerable to attacks: for instance, an attacker can guess that there is a run of consecutive 1's in a part of the key [27].
VI. CONCLUSION AND FUTURE WORKS
In this paper, a new lookup table and a mathematical formula have been proposed to improve the {0, 1, 3}-NAF method. The proposed method shows improvements in time, memory and security compared to the original {0, 1, 3}-NAF method, since it reduces the lookup table from 15 rows to 6 and reads two digits during the recoding to produce one, instead of three. Time and memory during recoding are reduced by up to 60% and 75% respectively. The proposed lookup table is more efficient as the key size grows.
We suggest applying this scalar recoding in scalar multiplication either with the Montgomery ladder, to achieve better security, or with τNAF on Koblitz curves, for higher efficiency. The digit 3 can be precomputed using different coordinates, such as projective and affine, over different curves, such as binary, Edwards and prime curves.
ACKNOWLEDGMENT
This work was supported by Ministry of Higher Education
under FRGS Grant no. 5524822.
REFERENCES
[1] K. E. Abdullah and N. H. M. Ali, "Security Improvement in Elliptic Curve Cryptography," Int. J. Adv. Comput. Sci. Appl., vol. 9, no. 5, pp. 122–131, 2018.
[2] Z. U. A. Khan and M. Benaissa, "High Speed and Low Latency ECC Processor Implementation over GF(2^m) on FPGA," IEEE Trans. Very Large Scale Integr. Syst., vol. 25, no. 1, pp. 165–176, 2017.
[3] N. Thangarasu and A. A. L. Selvakumar, "Improved elliptical curve cryptography and Abelian group theory to resolve linear system problem in sensor-cloud cluster computing," Cluster Comput., pp. 1–10, 2018.
[4] M. M. Ahmad, S. M. Yasin, R. Mahmod, and M. A. Mohamed, "X-Tract Recoding Algorithm for Minimal Hamming Weight Digit Set Conversion," J. Theor. Appl. Inf. Technol., vol. 75, no. 1, pp. 109–114, 2015.
[5] O. Ugus, D. Westhoff, R. Laue, A. Shoufan, and S. A. Huss, "Optimized Implementation of Elliptic Curve Based Additive Homomorphic Encryption for Wireless Sensor Networks," arXiv preprint arXiv:0903.3900, 2009.
[6] K. Okeya and T. Takagi, "The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications," pp. 328–343, 2003.
[7] A. Rezai and P. Keshavarzi, "CCS Representation: A new non-adjacent form and its application in ECC," J. Basic Appl. Sci. Res., vol. 2, no. 5, pp. 4577–4586, 2016.
[8] T. Takagi, S. Yen, and B. Wu, "Radix-r Non-adjacent Form," Springer-Verlag Berlin Heidelberg, pp. 99–100, 2004.
[9] M. Joye and S. Yen, "New Minimal Modified Radix-r Representation with Applications to Smart Cards," in International Workshop on Public Key Cryptography, 2002, pp. 375–383.
[10] M. Joye, "Trading Inversions for Multiplications in Elliptic," Des. Codes Cryptogr., pp. 189–206, 2006.
[11] V. Dimitrov, L. Imbert, and P. K. Mishra, "The double-base number system and its application to elliptic curve cryptography," Math. Comput., vol. 77, no. 262, pp. 1075–1104, 2008.
[12] C. Doche and L. Habsieger, "A Tree-Based Approach for Computing Double-Base Chains," Australas. Conf. Inf. Secur. Priv., pp. 433–446, Springer, Berlin, Heidelberg, no. June 2008, 2016.
[13] P. Longa and C. Gebotys, "Setting Speed Records with the (Fractional) Multibase Non-Adjacent Form Method for Efficient Elliptic Curve Scalar Multiplication," IACR Cryptol. ePrint Arch., no. February, 2015.
[Fig. 1 and Fig. 2 plots: reduction percentage (%) against bit size (36, 32, 28, 24); see the captions above.]
[14] P. Balasubramaniam and E. Karthikeyan, "Elliptic curve scalar multiplication algorithm using complementary recoding," Appl. Math. Comput., vol. 190, pp. 51–56, 2007.
[15] X. Huang, P. G. Shah, and D. Sharma, "Minimizing Hamming Weight Based on 1's Complement of Binary Numbers Over GF(2^m)," in Advanced Communication Technology (ICACT), 2010 The 12th International Conference on, vol. 2, IEEE, 2010, pp. 1226–1230.
[16] M. Bafandehkar, S. M. Yasin, R. Mahmod, and Z. M. Hanapi, "Comparison of ECC and RSA algorithm in resource constrained devices," 2013 Int. Conf. IT Converg. Secur. ICITCS 2013, pp. 0–2, 2013.
[17] H. Cohen, G. Frey, and R. Avanzi, Handbook of Elliptic and Hyperelliptic Curve Cryptography. 2006.
[18] M. Khabbazian, T. A. Gulliver, and V. K. Bhargava, "A New Minimal Average Weight Representation for Left-to-Right Point Multiplication Methods," IEEE Trans. Comput., vol. 54, no. 11, pp. 1454–1459, 2005.
[19] W. K. A. Abdulraheem, "Comparative Analysis of the Performance for Cloud Computing Hypervisors with Encrypted Algorithms," 2014.
[20] D. F. Aranha and K. Karabina, "Efficient Software Implementation of Laddering Algorithms Over Binary Elliptic Curves," Int. Conf. Secur. Privacy, Appl. Cryptogr. Eng., pp. 74–92, Springer, Cham, no. December, 2017.
[21] E. Guerrini, L. Imbert, and T. Winterhalter, "Randomized Mixed-Radix Scalar Multiplication," IEEE Trans. Comput., vol. 67, no. 3, pp. 418–431, 2018.
[22] G. W. Reitwiesner, "The Determination of Carry Propagation Length for Binary Addition," IRE Trans. Electron. Comput., no. 1, pp. 35–38, 1960.
[23] M. Joye and S. Yen, "Optimal Left-to-right Binary Signed-Digit Recoding," vol. 49, no. 7, pp. 1–8, 2000.
[24] A. Rezai and P. Keshavarzi, "A New Left-to-Right Scalar Multiplication Algorithm Using a New Recoding Technique," Int. J. Secur. its Appl., vol. 8, no. 3, pp. 31–38, 2015.
[25] S. M. Yasin, "New signed-digit {0, 1, 3}-NAF scalar multiplication algorithm for elliptic curve over binary field," 2011.
[26] N. Tuveri, S. ul Hassan, C. P. Garcia, and B. B. Brumley, "Side-Channel Analysis of SM2: A Late-Stage Featurization Case Study," in Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC '18), 2018, pp. 147–160.
[27] J. Fan, X. Guo, E. De Mulder, P. Schaumont, B. Preneel, and I. Verbauwhede, "State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures," in Hardware-Oriented Security and Trust (HOST), IEEE International Symposium on, 2010, pp. 76–87.