One’s complement [4] - Related Work - 無線感測網路下適用於橢圓曲線加密機制之快速窗口純量乘法演算法

Chapter 3 Related Work

3.5 One’s complement [4]

The window method [16] is different from the above three methods. It scans a few bits at a time and divides a binary string into several blocks. The sum of each block is odd and is less than 2^w where w is the window size. Applying the window method to the elliptic curve cryptography will reduce the computation time and increase the memory usage and pre-computation time. Table 3 shows an example of K = 6599 = (1100111000111)2 with different window sizes from 2 to 13. Note that when the window size increases, the number of pre-computed points will also increase geometrically. In addition, the number of addition and doubling operations will decrease and the computation time will decrease. Consequently, the selection of a window size will affect the computation time. It requires taking a tradeoff

Table 2. Comparison of three existing scalar multiplication algorithms.

NAF [9] MOF [10] Complementary recoding [12]

Hamming weight large large small

Scanning direction right to left right to left left to right

right to left left to right Average key

generation time large medium small

combines complementary recoding with the window method will largely reduces the average key generation time. However, it will consume more pre-computation time and memory due to the number of pre-computed points.

Table 3. Comparison of the numbers of pre-computed points and doubling and addition operations under different window sizes.

Window size Number of

pre-computed points

Number of doubling operations

Number of addition operations

2 1 11 4

3 3 11 2

4 7 11 2

5 15 8 2

6 31 7 2

7 63 6 1

8 127 6 1

9 255 6 1

10 511 6 1

11 1023 2 1

12 2047 1 1

13 4095 0 0

Chapter 4 Proposed EW-MOF Algorithm

Because of limited resources in sensor nodes, we cannot use protocols with complicate computation in sensor nodes. Traditional ECC-based protocols, such as ECDH and ECDSA, take much computation time in scalar multiplication. In this paper, we propose an enhanced window-based mutual opposite form for scalar multiplication (EW-MOF) for WSNs that can largely reduce the number of pre-computed points and greatly reduce the computation time and memory usage in each sensor node. In Section 4.1, we describe why use MOF for scalar multiplication. The design of the proposed enhanced window method is described in Section 4.2. The proposed EW-MOF algorithm using the enhanced window method is described in Section 4.3.

4.1 Why use MOF for scalar multiplication

Because of using the window method, which scans several bits at a time, we need to compute 2^{w – 1}– 1 pre-computed points where w is the window size. For example, if w = 5, it requires to compute 2^{5 – 1}– 1 = 15 pre-computed points, which are 3P, 5P, 7P, 9P, 11P, 13P, 15P, 17P, 19P, 21P, 23P, 25P, 27P, 29P and 31P. We have observed that existing scalar multiplication algorithms, such as NAF, MOF and one’s complement with window method, all may need to compute many pre-computed points. A large number of pre-computed points will increase pre-computation time and memory usage. In the following, we illustrate the above three scalar multiplication algorithms combined with the window method.

4.1.1 NAF

According to the NAF algorithm, there are no two consecutive non-zero digits in any representation. Thus, if w is odd, the maximal pre-computed point using NAF is

and if w is even, it wouldbe . For example, if w = 5, the

maximal pre-computed point using NAF is and the pre-computed points are 3P, 5P, 7P, 9P, 11P, 13P, 15P, 17P, 19P, and 21P. Furthermore, if w = 6, the maximal pre-computed point using NAF is and the pre-computed points are 3P, 5P, 7P, 9P, 11P, 13P, 15P,

17P, 19P, 21P, 23P, 25P, 27P, 29P, 31P, 33P, 35P, 37P, 39P, and 41P.

4.1.2 MOF

Figure 4 shows the procedure of deriving pre-computed points for w = 5 in MOF. Note that the maximum pre-computed point is 15P and the number of pre-computed points is 7, which are 3P, 5P, 7P, 9P, 11P, 13P and 15P.

4.1.3 Complementary recording

Since complementary recording adopted one’s complement, the maximal pre-computed point would be , where means -1. For example, if w = 5, the maximal

Figure 4. An illustration of how to derive pre-computed points for w = 5 in MOF.

From the above, we found that MOF with window method has the smallest number of pre-computed points. Similarly, it has low pre-computation time and low memory usage. The comparison of number of pre-computed points under different window sizes among NAF, MOF, complementary recoding is shown in Figure 5. Note that the number of pre-computed points grows fast, especially for the complementary recording. MOF with window method has the smallest number of pre-computed points; therefore we choose MOF for scalar multiplication in order to reduce the number of pre-computed points and pre-computation time.

Figure 5. Comparison of the number of pre-computed points under different window sizes among NAF, MOF, complementary recoding.

0 100 200 300 400 500 600

3 4 5 6 7 8 9 10

Number of pre-computed points

Window size

Complementary NAF

MOF

4.2 Design of the proposed enhanced window method

In this section, we propose an enhanced window method that can significantly reduce the number of pre-computed points than the original window method. The enhanced window method only requires to compute a few essential pre-computed points which can then be used to derive the rest of pre-computed points at low cost. The enhanced window method for deriving essential pre-computed points is described in Figure 6.

We select S that can result in the smallest number of essential pre-computed points for a specific window size. Based on the essential pre-computed points, we can derive the rest of pre-computed points. That is, we can calculate remaining pre-computed points by adding or subtracting two selected essential pre-computed points. Only one extra addition time is needed to calculate a pre-computed point. Furthermore, once a pre-computed point has been derived, it will be saved in a sensor node. If we need this pre-computed point later, we do not need to calculate it again. Hence, no extra addition time is consumed. The enhanced window method can largely reduce the total number of essential pre-computed points (N_e) and

Essential pre-computed points =

The constraints are:

1) S is the number of even essential pre-computed points and S 1.

2) {The maximal essential pre-computed point + (the maximal pre-computed point).

3) w 4.

Figure 6. Enhanced window method for deriving essential pre-computed points.

In the following, we give an example to illustrate the selection of S for w = 6 using MOF.

Note that the maximal pre-computed point is 31P:

For S = 1

Essential pre-computed points = {2P} {5P, 11P, 17P, 23P, 29P} = {2P, 5P, 11P, 17P, 23P, 29P} such that (29P + 2P) 31P

The total number of essential pre-computed points = 6

For S = 2

Essential pre-computed points = {2P, 4P} {7P, 17P, 27P} = {2P, 4P, 7P, 17P, 27P}

such that (27P + 4P) 31P

The total number of essential pre-computed points = 5

For S = 3

Essential pre-computed points = {2P, 4P, 6P} {9P, 23P, 37P} = {2P, 4P, 6P, 9P, 23P, 37P} such that (37P + 6P) 31P

The total number of essential pre-computed points = 6

Since the number of essential pre-computed points for S = 2 is the smallest, S = 2 is selected. Therefore, all pre-compute points, 3P, 5P, 7P, 9P, 11P, 13P, 15P, 17P, 19P, 21P, 23P, 25P, 27P, 29P, 31P, can be derived from essential pre-computed points = {2P, 4P, 7P, 17P, 27P}. The details are as follows: Firstly, 3P, 11P can be calculated by and 5P, 9P can be calculated by . Secondly, 13P, 21P can be calculated by and 15P, 19P can be calculated by . Thirdly, 23P, 31P can be calculated by 2 and 25P, 29P can be calculated by 2 . Therefore, we have obtained all pre-computed points. By using the proposed enhanced window method, the number of essential pre-computed points that need to be derived initially has been reduced from 15 to 5. However,

extra additions will be needed for calculating the rest of pre-computed points when needed, which is a small overhead. The best selection of S under different window sizes is shown in Table 4. Figure 7 shows the comparison of the number of essential pre-computed points under different window sizes in MOF using the window method and the enhanced window method.

Note that the number of essential pre-computed points using the enhanced window method is much smaller than that of the window method. As the window size increases, the improvement will become significant.

Figure 7. Comparison of the number of essential pre-computed points under different 0

50 100 150 200 250 300

4 5 6 7 8 9 10

Number of essential pre-computed points

Window size

Window method

Enhanced window method (proposed) Table 4. Best selection of S under different window sizes.

w 4 5 6 7 8 9 10

S 1 1 2 3 4 6 8

Figure 8 shows the selection of the best window size under N (assuming 100) times of key generations. Essential pre-computed points ratio is defined as the number of essential pre-computed points divided by the total number of pre-computed points. Average number of extra additions in each key generation is defined as the number of extra addition operations divided by N (= 100, in this case). We found that the best window size is w = 6 under 100 times of key generations. If N is larger than 100, the best window size will increase.

4.3 Design the proposed EW-MOF algorithm

In this section, we propose an enhanced window-based mutual opposite form for scalar multiplication (EW-MOF) in WSNs. The proposed EW-MOF combines MOF with an enhanced window method that can significantly not only reduce the number of essential pre-computed points but also reduce memory consumption and speed up the average key generation time. The proposed EW-MOF algorithm is shown in Algorithm 1, which includes

Figure 8. Selection of the best window size under N (assuming 100) times of key generations.

three phases, essential pre-computed points pre-computation phase, signed binary representation phase and public key generation using enhanced window method phase. In the essentialpre-computed points pre-computation phase, all the essential pre-computed points will be calculated once S is selected for a specific window size. After the essential pre-computed points pre-computation phase, we start to execute the scalar multiplication algorithm to calculate the public key. In the signed binary representation phase, the private key utilizes MOF to convert the binary representation into a signed binary representation.

Then, the public key is calculated in the public key generation using enhanced window method phase. Firstly, the private key is scanned from left to right. If a digit is 0, doubling operations are executed; otherwise, remove the block based on the window size. If the sum of the block has been saved in the sensor node, addition operations are executed to calculate the public key. If the sum of the block has not been saved in the sensor node, addition operations are executed to calculate the sum of the block first by using essential pre-computed points and save it in the sensor node. Then, addition operations are executed to calculate the public key.

In addition, if we have another block with the same sum later, no more calculation is needed.

Finally, the execution will continue until the end of digits and the public key is returned.

Algorithm 1: Left-to-Right EW-MOF

Input: An n-bit binary string K = b_n-1,b_n-2, …, b₁, b₀, where K is a private key and w Output: A public key Q, where Q = KP

1. Essential pre-computed points pre-computation phase:

1.1 S = Table lookup (w)

3. Public key generation using enhanced window method phase:

3.1 Q = P If P_wsum has been calculated

Q = Q + P_wsum Else

calculate P_wsum by essential pre-computed points save P_wsum in the sensor node

Q = Q + P_wsum 3.2.3 n = g – 1

3.3 Return Q

Figure 9 shows the flowchart of selecting an elliptic curve and a base point (P(x, y)) for ECC in wireless sensor networks. Firstly, the sink selects an elliptic curve over GF(p) where a, b GF(p) and . Then, the sink selects a base point P = (x, y) on the elliptic curve, where x and y are the coordinates of E. When a sensor node receives the elliptic curve and the base point, it will determine a window size w and executes the essential pre-computed points pre-computation phase. After this phase, these essential pre-computed points will be stored in the sensor node. If the elliptic curve E or the base point P is changed, the essentialpre-computed points pre-computation phase needs to be re-executed and new essential pre-computed points are stored in the sensor node. In this paper, we assume all computations are performed in the sensor node, since it would be more secure to do key exchanges and key generations in WSNs.

Figure 10 shows the flowchart of the public key generation process for a sensor node.

The sensor node generates a private key K and executes the signed binary representation phase to convert K into m in MOF. Then, according to window size w, m is split into several blocks. Then, the sensor node checks whether the sum of the block has been saved or not. If the sum of the block has been saved, the sensor node will compute public key Q using the proposed enhanced window method. Otherwise, the sensor node will execute addition operations to derive the sum of the block from essential pre-computed points and save it in the sensor node. Then, the sensor node computes public key Q using the enhanced window method. Finally, public key Q is calculated.

 

GF b

a,  4

a



b



 

GF b

ax x y

E  ²  ³  

Figure 9. Flowchart of selecting an elliptic curve and a base point for ECC in WSNs.

In the following, we give an example to illustrate how a sensor node computes a public key Q. For w = 6, essential pre-computed points = {2P, 4P, 7P 17P, 27P}. Firstly, the sensor node randomly generates a private key K = 12434877 = (101111011011110110111101)2. Express K in MOF:

Note that 3P can be calculated by 7P – 4P, which only needs to be calculated once and 9P can be calculated by 7P + 2P, which again only needs to be calculated once. The intermediate values of Q are 3P, 6P, 12P, 24P, 48P, 96P, 192P, 384P, 768P, 759P, 1518P, 3036P, 6072P, 12144P, 24288P, 48576P, 97152P, 194304P, 194295P, 388590P, 777180P, 1554360P, 3108720P, 6217440P, 12434880P, 12434877P

Figure 10. Flowchart of the public key generation process for a sensor node.

The computation cost of arithmetic operations for the above example include 22 doubling operations, 5 addition operations, with two extra addition operations used to calculate 3P and 9P. Although two extra addition operations are needed, there is no need to calculate them again at next time. Note that the two extra addition operations will result in very small increase in the average key generation time since the average extra number of additions for w = 6 is very small, as shown previously. That is, the time required for the two extra addition operations in the average key generation time can be neglected.

Chapter 5 Performance Evaluation and Discussion

In this chapter, we evaluate the average key generation time of the proposed EW-MOF and compare it with that of one’s complement.

5.1 Simulation environment setup

We implemented the proposed EW-MOF on the 2.66 GHz Intel Core i5 and used Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL) [13] for elliptic curves and Basicrypt which is an ECC benchmark suite [14] for ECC. MIRACL is a big number library which implements all of the primitives necessary to design big number cryptography into your real-world application [13]. It is an open source library and can be used to perform the arithmetic of elliptic curves. The Basicrypt benchmark package uses the MIRACL library and it contains standards and elliptic curve codes for Diffie-Hellman key exchange, digital signature algorithm, ElGamal and RSA encryption/decryption [14].

Furthermore, the various parameters of elliptic curves are defined in the National Institute of Standards and Technology (NIST) DSS standard FIPS 186-3 [15].

5.2 Comparison between the proposed EW-MOF and one’s complement

Figure 11 shows the average key generation time, excluding pre-computation time, of the binary, MOF, one’s complement, and the proposed EW-MOF methods under different field sizes for w = 6. The average key generation time is defined as the summation of each key generation time divided by the number of key generations (N). The field size means the

elliptic curves over prime fields that are specified in [15]. The average key generation time of Binary is the worst because Binary contains the most bits of 1 that involve addition and doubling operations. The average key generation time of MOF is better than that of Binary because MOF contains less bits of 1. As to the one’s complement, the average key generation time is better than that of MOF because one’s complement uses the window method that splits the private key into blocks so as to reduce the number of addition operations. The proposed EW-MOF is almost the same as one’s complement because their numbers of blocks are not much different. As a result, their numbers of addition operations are not much different.

Although the proposed EW-MOF requires extra addition operations, it causes little increase in the average key generation time.

Figure 12 shows the average key generation time, including pre-computation time, of the one’s complement and the proposed EW-MOF under different field sizes for w = 6. The average key generation time of the proposed EW-MOF is better than that of the one’s Figure 11. Average key generation time excluding pre-computation time under different

field sizes.

complement because the number of pre-computed points in the one’s complement is larger than that of the proposed EW-MOF, as shown in Figure 5 and Figure 7. Thus, the pre-computation time in the one’s complement is longer than that of the proposed EW-MOF.

In summary, in terms of the average key generation time, including pre-computation time, under different field sizes, for w = 6, the proposed EW-MOF is 24.69% faster than the one’s complement.

Figure 13 shows the average key generation time, excluding pre-computation time, of the one’s complement and the proposed EW-MOF under different window sizes. We found that when the window size increases the average key generation time decreases. This is because when the window size increases the number of blocks will decrease and the number of addition operations will decrease as well. The average key generation time of the one’s complement and the proposed EW-MOF are almost the same for . This matches the Figure 12. Average key generation time including pre-computation time under different

field sizes.

generations. For , the average key generation time of the proposed EW-MOF will slowly increase. This is because that the proposed EW-MOF has a smaller number of essential pre-computed points. However, for the same number of pre-computed points, the proposed EW-MOF can set a bigger window size than one’s complement. Thus, the proposed EW-MOF can be still faster than the one’s complement in terms of average key generation time, excluding pre-computation time.

Figure 14 shows the average key generation time, including pre-computation time, of the one’s complement and the proposed EW-MOF under different window sizes. The average key generation time of the proposed EW-MOF is better than that of the one’s complement because the number of pre-computed points in the one’s complement is larger than that of the proposed EW-MOF, as shown in Figure 7. Note that the average key generation time of the proposed EW-MOF increases slowly compared to that of the one’s complement as window

Figure 13. Average key generation time, excluding pre-computation time, under different window sizes.

size increases. This is because the number of essential pre-computed points does not increase complement. That is, the proposed EW-MOF is more feasible than the one’s complement for wireless sensor networks, which is battery powered, in terms of power saving. Applying the proposed EW-MOF to the ECC for wireless sensor networks can benefit associated sensor nodes in terms of less computing and memory needed, and power saving. In addition, the proposed EW-MOF is also feasible to other mobile and wireless devices for ECC security.

Figure 14. Average key generation time, including pre-computation time, under different window sizes.

Chapter 6 Conclusion

6.1 Concluding remarks

In this paper, we have presented an enhanced window-based mutual opposite form for scalar multiplication (EW-MOF) that combines MOF with an enhanced window method. The proposed EW-MOF can largely reduce average key generation time including pre-computation time and it needs less pre-computation time and memory. Moreover, the

在文檔中無線感測網路下適用於橢圓曲線加密機制之快速窗口純量乘法演算法 (頁 20-0)