Analysis of Fractional Window Recoding Methods and Their Application to Elliptic Curve Cryptosystems
IEEE Transactions on Computers, VOL. 55, NO. 1, JAN 2006
Authors: Katja Schmidt-Samoa, Olivier Semay, and Tsuyoshi Takagi
Adviser: Prof. 鄭錦楸, Prof. 郭文中
Reporter: 林彥宏
Outline
Introduction
Elliptic curve cryptography (ECC)
Nonadjacent Form (NAF)
window NAF (wNAF)
mutual opposite form (MOF)
window MOF (wMOF)
Fractional wNAF
Fractional wMOF
Conclusions
Introduction(1/13)
Elliptic curve cryptography (ECC)
shorter key-size and faster computation
suitable for small-memory device
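| Time of crack (ns) | RSA bit-length | ECC bit-length | RSA/ECC |
|---|---|---|---|
| $10^{4}$ | 512 | 106 | 5:1 |
| $10^{8}$ | 768 | 132 | 6:1 |
| $10^{11}$ | 1024 | 160 | 7:1 |
| $10^{20}$ | 2048 | 210 | 10:1 |
| $10^{78}$ | 2100 | 600 | 35:1 |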
Introduction(4/13)
Elliptic curve on prime field
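$y^2 = x^3 + ax + b$
$P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = P_1 + P_2 = (x_3, y_3)$
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda (x_1 - x_3) - y_1$
ECADD $(x_1 \neq x_2)$: $\lambda = \dfrac{y_1 - y_2}{x_1 - x_2}$
ECDBL $(x_1 = x_2,\ y_1 = y_2 \neq 0)$: $\lambda = \dfrac{3x_1^2 + a}{2y_1}$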
Introduction(2/13)
$P_1 = (x_1, y_1),\ P_2 = (x_2, y_2),\ P_3 = (x_3, y_3) \in E(GF(p))$
EC Doubling (ECDBL)
$P_3 = P_1 + P_1 = 2P_1$
EC Addition (ECADD)
$P_3 = P_1 + P_2 \quad (P_1 \neq P_2)$
Introduction(3/13)
Scalar Multiplication
dP
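– Binary Method: $P \in E$, $d = (d_{n-1} \cdots d_0)_2$, $d_{n-1} = 1$ (binary representation)
1. $Q \leftarrow P$
2. For $i = n-2$ down to 0
   $Q \leftarrow 2Q$ (ECDBL)
   if $d_i = 1$, $Q \leftarrow Q + P$ (ECADD)
3. Return $Q$
Ex. $51P = (110011)_2 P$
$P \xrightarrow{D} 2P \xrightarrow{A} 3P \xrightarrow{D} 6P \xrightarrow{D} 12P \xrightarrow{D} 24P \xrightarrow{A} 25P \xrightarrow{D} 50P \xrightarrow{A} 51P$ (D = ECDBL, A = ECADD)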
Introduction(5/13)
Example: $E/GF(p): y^2 = x^3 + x + 6$
$a = 1,\ b = 6,\ p = 11$
$E_{(1,6)}/GF(11) = \{O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)\}$
ECADD: (2,4) and (10,9)
$\lambda = (9 - 4)/(10 - 2) \bmod 11 = 2$
$(2,4) + (10,9) = (2^2 - 2 - 10,\ 2(2 - 3) - 4) = (3,5)$
ECDBL: (8,8) and (8,8)
$\lambda = (3 \cdot 8^2 + 1)/(2 \cdot 8) \bmod 11 = 10$
$(8,8) + (8,8) = 2(8,8) = (10^2 - (8 + 8),\ 10(8 - 7) - 8) = (7,2)$
Introduction(6/13)
Nonadjacent Form (NAF)
Input: A positive integer $k = (k_n k_{n-1} \ldots k_1 k_0)_2$, $k_{n-1} = k_n = 0$.
Output: A signed digit representation $(d_n \ldots d_1 d_0)_{SD}$
1. $c_0 \leftarrow 0$
2. For $i$ from 0 to $n$ do
2.1. $c_{i+1} \leftarrow \lfloor (k_i + k_{i+1} + c_i)/2 \rfloor$; $d_i \leftarrow k_i + c_i - 2c_{i+1}$
3. Return $(d_n \ldots d_1 d_0)_{SD}$
Introduction(7/13)
Example:
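1. $(1111)_2 = 15 = (1000\bar{1})_2 = 16 - 1 = (10000 - 00001)_2$
2. $1011011001 = 10\bar{1}00\bar{1}0\bar{1}001$
$\lfloor (1 + 0)/2 \rfloor = 0,\ d_0 = 1 + 0 - 0 = 1$
$\lfloor (0 + 0)/2 \rfloor = 0,\ d_1 = 0 + 0 - 0 = 0$
$\lfloor (1 + 0)/2 \rfloor = 0,\ d_2 = 0 + 0 - 0 = 0$
$\lfloor (1 + 1)/2 \rfloor = 1,\ d_3 = 1 + 0 - 2 = -1$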
Introduction(8/13)
window NAF (wNAF)
– The most significant non-zero bit is positive.
– Among any w consecutive digits, at most one is nonzero.
– Each non-zero digit is odd and less than $2^{w-1}$ in absolute value.
Introduction(9/13)
Introduction(10/13)
Example:
w=5
$1011011001 = 1\,0000\,\bar{9}\,0000\,\bar{7}$
729 is odd → $-7 = 729 \text{ mods } 2^5$;
$d = 729 + 7 = 736$
$d = 368 = 736/2$
368 is even → 0
$d = 184 = 368/2$
184 is even → 0
$d = 92 = 184/2$
Introduction(11/13)
mutual opposite form (MOF)
The recoding stage can be done left-to-right.
– The signs of adjacent non-zero bits (without considering 0 bits) are opposite.
– The most significant non-zero bit and the least significant non-zero bit are 1 and -1, respectively.
Introduction(12/13)
Example:
Input: 110110000
Output: (1 - 0)(1 - 1)(0 - 1)(1 - 0)(1 - 1)(0 - 1)(0 - 0)(0 - 0)(0 - 0)(0 - 0)
Result: $10\bar{1}10\bar{1}0000$
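The wNAF and MOF recodings and the slide curve's ECADD/ECDBL, as an added Python example that is not part of the original presentation. The names `ec_add`, `wnaf`, `mof` and `scalar_mul` are chosen here, and repeated addition stands in for the precomputed table of odd multiples.

```python
# Added example (not from the slides): recodings checked against the worked values.
P_MOD, A = 11, 1   # slide curve y^2 = x^3 + x + 6 over GF(11)
O = None           # point at infinity

def ec_add(p1, p2):
    """ECADD/ECDBL with the slide formulas; O is the identity."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # P + (-P) = O, also covers y1 = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def wnaf(d, w):
    """Right-to-left wNAF digits, returned most significant first (w=2 is NAF)."""
    digits = []
    while d > 0:
        r = 0
        if d & 1:
            r = d % (1 << w)          # d mods 2^w, mapped into [-2^(w-1), 2^(w-1))
            if r >= 1 << (w - 1):
                r -= 1 << w
            d -= r
        digits.append(r)
        d >>= 1
    return digits[::-1]

def mof(d):
    """MOF digits, left to right: digit i is d_(i-1) - d_i, i.e. 2d minus d."""
    bit = lambda i: (d >> i) & 1 if i >= 0 else 0
    return [bit(i - 1) - bit(i) for i in range(d.bit_length(), -1, -1)]

def scalar_mul(digits, p):
    """Left-to-right double-and-add over signed digits (MSB first)."""
    q = O
    for di in digits:
        q = ec_add(q, q)                               # ECDBL
        step = p if di > 0 else (p[0], -p[1] % P_MOD)  # -P for negative digits
        for _ in range(abs(di)):      # repeated ECADD stands in for the table lookup
            q = ec_add(q, step)
    return q
```

For the slides' value 729 the binary form has 6 nonzero digits, the NAF has 5 and the w=5 wNAF has 3; with a table of odd multiples each nonzero digit costs one ECADD in the evaluation loop.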
Introduction(13/13)
window MOF(wMOF)
– The most significant non-zero bit is positive.
– Each non-zero digit is odd and less than $2^{w-1}$ in absolute value.
EX:
100 100
111
10 1
003
1 00 1 00
111
1 01
1 1 0 010 1 10 0 1 0
00 3
1000 1000 1 000 1 000 1 1 00 0100 1 100 0 1 00
1 1 10
10 1 0
0030
1110
1 010
00 3 0
Fractional wNAF
1 1 0 1 0 1 1 0 0 1 1 0 0 1 1 1 0 1 0 0 1 1 0 1
w=2
| 0 3| 0| 1 0| 0 3| 0 0| 0 3| 0 0| 0 3| 1 0| 1 0| 0| 0 3| 0 1
w=3
| 0 3 0| 0 0 5| 1 0 0| 0 3 0| 0| 0 0 7| 0 |1 0 0| 0 3 0| 1
Fractional wMOF
First Phase: the table entries are precomputed
Second Phase: merges recoding and evaluation
Conclusions
It is proved that the proposed Frac-wMOF has the same nonzero density as Frac-wNAF using identical table sizes.
Frac-wMOF recoding requires less working memory than the Frac-wNAF approach.