2.2.3 Decryption with ECC



The process of mapping a plaintext message m to point M on the curve is important in ECC. There are several mapping schemes that are used to map a plaintext message to a point on the elliptic curve [3–7]. A good mapping scheme must follow several guidelines:

• Mapped points should be on the elliptic curve. If G is the mapping function, G (m) �! (x,y) ∈ Ep(a,b).

1. Encryption process

• Convert the text to ASCII values.

DOI: http://dx.doi.org/10.5772/intechopen.86584

872,121,480,709,807}.

2. Decryption process

47

99,104,110, 111, 108, 111, 103,121, 44}.

612,149,604,486,787,772,222,099,923}.

• B receives C1 =kP and C2=M+kQ values.

828,330,153,127,462,384,491}.

3. Fast scalar multiplication on scalar arithmetic

• Partition the ASCII value as group size of 11 ASCII values.

A Survey of Fast Scalar Multiplication on Elliptic Curve Cryptography for Lightweight…

• Its equivalent ASCII values are {78,97,116, 105, 111, 110, 97, 108, 32, 73, 110},{115, 116, 105, 116, 117, 116, 101, 32, 111, 102, 32}, and{84, 101,

• Each group is converted into big integers using FromDigits function (in Mathematica) with base 65,536. The values for "National Institute" corresponding to the two first groups are as follows: {113,999,290,923, 567,984,853,125,612,857,907,836,245,105,850,253,422} and {168,075, 275,215,227,115,988,112,137,860,778,550,742,826, 363,519,008}.

• A sends National Institute to B and computes scalar multiplication kP = C1 = {95,058,406,573,787,743,380,879,387,493 754,072,690,640,209,963, 862,157,133, 5,437,547,807,282,051,947,615, 392,556,992,837,333,921,930,

• A computes point addition M+kQ = C2 ={5,357,129,649,847,875,387,947, 498,550,298,509,562,929,834,704 857,479,081,282,775,001,499,802, 163,650,458,076,998,673,808,830,204,345,207,458,648,302,309}, {6,179,418,438,352,156,963, 426,038,838,668,574,778,107,168,582, 785,759,775,636,5,950,440,184,023,478,909,084,289,343,254,

• Using the private key d, B performs scalar multiplication dC1.

• B performs point addition operation with -kQ: M =

• Convert the subtraction operation to addition format: dC1 = kQ = 3,141,192 528,502,843,791,482,798,499,504,492,303,369,782,687,173, 663,895,377, 2,544,834 938,121,667,890,493,126,265,872,103,594,

{113,999,290,923,567,984,853 125,612,857,907,836,245,105,850, 253,422, 16,807,527,521,522,711,598,811,213,786,077 8,550,742,826,363, 519,008}, {122,768,389,944,749,391,054,808,248,629,988,098,406, 227,392,397,356, 46,769,769,584,977,140,992,804,375,150,062, 379,259,053,557,678,135}.

• Convert each bloc into ASCII values using IntegerDigits function (in

On a scalar arithmetic level, the double-and-add (DA) technique is the traditional binary algorithm, which is used and based on point operation, namely,

Mathematica) with base 65,536, and retrieve ASCII values.


There are several mapping schemes using different approaches: maps each character in the plaintext to a point on the elliptic, maps each sequence of characters in the plaintext to a point on the elliptic, maps the full plaintext to a point on the elliptic, etc. For example, as in [8], if we use 192 bit key length, the National Institute of Standards and Technology (NIST) recommended elliptic curve with the following parameters:

```
a=�3.
b =245,515,554,600,894,381,774,029,391,519,745,178,476
 9,108,058,161,191,238,065.
Prime p = 6,277,101,735,386,680,763,835,789,423,176,059,013,767,194,773,
```

```
182,842,284,081.
```

A plaintext message "National Institute of Technology" is taken as input.

A Survey of Fast Scalar Multiplication on Elliptic Curve Cryptography for Lightweight… DOI: http://dx.doi.org/10.5772/intechopen.86584

### 1. Encryption process

2.2.3 Decryption with ECC

Algorithm 3. Decryption.

1. Compute M =C2 - dC1,

Begin

3. Return (m) end

Output: m// plaintext message

2. Reverse mapping to retrieve m from M

Modern Cryptography – Current Challenges and Solutions

must follow several guidelines:

bandwidth.

following parameters:

182,842,284,081.

927,386,650,641}.

157,463,900,739}.

436,853,369.

46

9,108,058,161,191,238,065.

a=�3.

points on the map.

(m) �! (x,y) ∈ Ep(a,b).

The process of mapping a plaintext message m to point M on the curve is important in ECC. There are several mapping schemes that are used to map a plaintext message to a point on the elliptic curve [3–7]. A good mapping scheme

Input: (p, E, P, n), d, C1, C2 //public parameters, private key encrypted message

• Mapped points should be on the elliptic curve. If G is the mapping function, G

• Mapping should always be invertible so that the receiver after decryption can

• Message mapping in ECC also plays a significant role as it decides how

• A good message mapping scheme must reduce the use of unnecessary

• A good mapping scheme should not take much time to map the message to

Prime p = 6,277,101,735,386,680,763,835,789,423,176,059,013,767,194,773,

Point P ={60,204,628,237,568,865,675,821,348,058,752,611,191,669,876,636, 884,684,818,174,050,332,293,622,031,404,857,552,280,219,410,364,023,488,

Q ={2,803,000,786,541,617,331,377,384,897,435,095,499,124,748,881,890,727, 495,642, 4,269,718,021,105,944,287,201,929,298,168,253,040,958,383,009,

A plaintext message "National Institute of Technology" is taken as input.

d = 28,186,466,892,849,679,686,038,856,807,396,267,537,577,176,687,

There are several mapping schemes using different approaches: maps each character in the plaintext to a point on the elliptic, maps each sequence of characters in the plaintext to a point on the elliptic, maps the full plaintext to a point on the elliptic, etc. For example, as in [8], if we use 192 bit key length, the National Institute of Standards and Technology (NIST) recommended elliptic curve with the

(x,y).

reverse map the points to original plain text: m=G�<sup>1</sup>

b =245,515,554,600,894,381,774,029,391,519,745,178,476

vulnerable the encrypted message is to attacks.

	- B receives C1 =kP and C2=M+kQ values.
	- Using the private key d, B performs scalar multiplication dC1.
	- Convert the subtraction operation to addition format: dC1 = kQ = 3,141,192 528,502,843,791,482,798,499,504,492,303,369,782,687,173, 663,895,377, 2,544,834 938,121,667,890,493,126,265,872,103,594, 828,330,153,127,462,384,491}.
	- B performs point addition operation with -kQ: M = {113,999,290,923,567,984,853 125,612,857,907,836,245,105,850, 253,422, 16,807,527,521,522,711,598,811,213,786,077 8,550,742,826,363, 519,008}, {122,768,389,944,749,391,054,808,248,629,988,098,406, 227,392,397,356, 46,769,769,584,977,140,992,804,375,150,062, 379,259,053,557,678,135}.
	- Convert each bloc into ASCII values using IntegerDigits function (in Mathematica) with base 65,536, and retrieve ASCII values.

### 3. Fast scalar multiplication on scalar arithmetic

On a scalar arithmetic level, the double-and-add (DA) technique is the traditional binary algorithm, which is used and based on point operation, namely,

doubling of a point and addition of points. Well-known algorithms, such as nonadjacent form (NAF), window NAF, and sliding window [3, 9, 10], can reduce effectively the number of point operations. Some other algorithms, such as doublebase chains, have been developed to compute faster scalar multiplication by using binary and ternary representation [11–15]. Algorithms, based on the aforementioned algorithms, optimize faster scalar multiplication [16–18]. Optimization is done by some approaches, which also use the binary representation of the scalar k [19–21]. For other solutions, optimization is based on selecting a set of elliptic curves for cryptography (Weierstrass curve, twisted Edwards curve) on which scalar multiplication is faster than the recent implementation record on the corresponding NIST curve.

algorithm where blocks are scanned one by one, and if the value of the block is equal to 0, we perform Q=2wQ; if not (values of blocks w bits performed =Vi), we

A Survey of Fast Scalar Multiplication on Elliptic Curve Cryptography for Lightweight…

Vi is, respectively, equal to 3, 6, and 11 corresponding, respectively, to precomputed points 3P, 6P, and 11P. Thus, for this example, the scalar multiplication from

(addition) ! [379]P. Thus, five point doubling operations and two point addition

However, this algorithm involves precomputed points whose number depends on

precomputed points is (2w �2) where �2 represents the blocks for Vi= 0 or 1. If the blocks have variable size, as, for example, with three blocks of w1 bits, w2 bits, and w3 bits, the number of precomputed points <sup>p</sup> is (2w �2). It should be noted that using the window method reduces the computation time and increases the memory storage and calculation time of precomputed points. If the size of the blocks increases, the number of precomputed points increases exponentially, and the number of

performed operations decreases. Thus, the selection of the window size implies the computation time. A compromise is needed between the size of the blocks and the computation time related to precomputed points. According to NIST recommendations, the best window length is w=4. To reduce the number of precomputed points, the sliding window method of variable size with maximum digits equal to w can be used. For this method, the values Vi of blocks are odd; consecutive zeroes are taken

tively, to precomputed points 1P, 15P, and 3P. The scalar multiplication from block (m-1) to block 0 can be performed as follows: P ! [2]P(1 point doubling) ! 24[62] P(4 repeated point doublings) + [15]P(point additions)! 2.[47]P(1 point doubling) ! 22[94]P(2 repeated point doublings)+ [3]P(point addition) ! [379]P. The result

Optimization can be done by finding a representation with a minimum zero bits in order to reduce the number of addition operations: this is the objective of the

, so, Vi values are, respectively, 1, 15, and 3 corresponding, respec-

into account. Therefore, a window starts and ends with a non-zero number. For example, scalar k = 379 = (101111011)2 is partitioned into blocks

the size of the blocks. If the blocks have a fixed-size w bits, the number of

w¼4

. [11]P(3 repeated

, and [94]P(2 repeated doublings) + [3]P

// begin scanning block by block.

// compute repeated point doublings w times // compute addition with precomputed point ViP

110 |{z} w¼3

11 |{z} w¼2

, so,

For example, <sup>k</sup> = 379 = (101111011)2 partitioned into blocks1011 |ffl{zffl}

performed Q=2wQ and Q=Q+ViP as shown in Algorithm 5.

block (m-1) to block 0 can be done as follows: [11]P!23

1

CA2, P <sup>∈</sup> E (Fp)

; ::…; k5k4k<sup>3</sup> |fflfflffl{zfflfflffl} block 1 ; k2k1k<sup>0</sup> |fflfflffl{zfflfflffl} block 0

doublings) + [6]P(addition) ! 22

DOI: http://dx.doi.org/10.5772/intechopen.86584

operations are calculated.

Input: <sup>k</sup> <sup>¼</sup> kl�<sup>1</sup>kl�<sup>2</sup>kl�<sup>3</sup>kl�<sup>4</sup> |fflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflffl} block mð Þ �<sup>1</sup>

for i m � 1 to l � 1 do <sup>Q</sup> <sup>¼</sup> <sup>2</sup>wQ if Vi . 0 then jQ Q þ ViP end

> end return ð Þ Q

0 B@

Output: Q=[k]P Begin Q ∞

> � � � � � � � � � � � � � � � �

� � � � � � � � � � � � � � � � � � � � � � � � � � end

Algorithm 5. Windows algorithm.

1 |{z} w¼4

49

1111 |ffl{zffl} w¼3

11 |{z} w¼2

is eight point doublings and two additions.

solutions described in the next section.

#### 3.1 Double-and-add algorithm

The double-and-add technique is the traditional binary algorithm, which is based on point operations, namely, doubling of a point and addition of points. The double-and-add algorithm is an additive representation of the algorithms used for exponentiation. As shown on Algorithm 4, the scalar is represented in binary on l bits: ∑<sup>l</sup>�<sup>1</sup> <sup>i</sup>¼<sup>0</sup>ki2<sup>i</sup> , where ki ∈ {0, 1}. The binary method i=0 scans the bits of scalar ½ � k P ¼ ð Þ P þ P þ P þ …… þ P |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} k times either from left to right or right to left. A doubling

operation is done for each scanned bit ki of k, followed by a point addition if the scanned bit is non-zero (ki 6¼ 0).


For a given scalar k, the number of point doubling operation is (l-1), and those of point addition operation is equal to the number of non-zero bits (denoted by hamming weight h) -1. The cost of multiplication depends on the length of the binary representation of k and the number of Harming weight (the number of 1's) of scalar in this representation. The average Harming weight on all scalar k of length l bits is approximately l/2. Thus, in an average, binary Algorithm 4 requires (l-1) doublings and (l-1)/2 additions.

For example, k = 379 = (101111011)2, l=9, and the number of non-zero bits h is equal to 7. So computation 379P requires 8 doublings and 5 additions.

The double-and-add method can be generalized by using fixed or variable size windows. The scalar k is divided into m blocks of w bit(s) (w an integer of variable size), for each block corresponds to a number Vi.

As in DA where bits are scanned one by one, and if the scanned bit is equal to 0, Q=2<sup>1</sup> Q (point doubling) is performed; if not (scanned bit equal to 1 > 0), Q=2<sup>1</sup> Q (point doubling) and Q=Q + 1P (point addition) are performed. In window

A Survey of Fast Scalar Multiplication on Elliptic Curve Cryptography for Lightweight… DOI: http://dx.doi.org/10.5772/intechopen.86584

algorithm where blocks are scanned one by one, and if the value of the block is equal to 0, we perform Q=2wQ; if not (values of blocks w bits performed =Vi), we performed Q=2wQ and Q=Q+ViP as shown in Algorithm 5.

For example, <sup>k</sup> = 379 = (101111011)2 partitioned into blocks1011 |ffl{zffl} 110 |{z} 11 |{z} , so,

w¼4 w¼3 w¼2 Vi is, respectively, equal to 3, 6, and 11 corresponding, respectively, to precomputed points 3P, 6P, and 11P. Thus, for this example, the scalar multiplication from block (m-1) to block 0 can be done as follows: [11]P!23 . [11]P(3 repeated doublings) + [6]P(addition) ! 22 , and [94]P(2 repeated doublings) + [3]P (addition) ! [379]P. Thus, five point doubling operations and two point addition operations are calculated.


However, this algorithm involves precomputed points whose number depends on the size of the blocks. If the blocks have a fixed-size w bits, the number of precomputed points is (2w �2) where �2 represents the blocks for Vi= 0 or 1. If the blocks have variable size, as, for example, with three blocks of w1 bits, w2 bits, and w3 bits, the number of precomputed points <sup>p</sup> is (2w �2). It should be noted that using the window method reduces the computation time and increases the memory storage and calculation time of precomputed points. If the size of the blocks increases, the number of precomputed points increases exponentially, and the number of performed operations decreases. Thus, the selection of the window size implies the computation time. A compromise is needed between the size of the blocks and the computation time related to precomputed points. According to NIST recommendations, the best window length is w=4. To reduce the number of precomputed points, the sliding window method of variable size with maximum digits equal to w can be used. For this method, the values Vi of blocks are odd; consecutive zeroes are taken into account. Therefore, a window starts and ends with a non-zero number.

For example, scalar k = 379 = (101111011)2 is partitioned into blocks 1 |{z} w¼4 1111 |ffl{zffl} w¼3 11 |{z} w¼2 , so, Vi values are, respectively, 1, 15, and 3 corresponding, respec-

Optimization can be done by finding a representation with a minimum zero bits in order to reduce the number of addition operations: this is the objective of the solutions described in the next section.

doubling of a point and addition of points. Well-known algorithms, such as nonadjacent form (NAF), window NAF, and sliding window [3, 9, 10], can reduce effectively the number of point operations. Some other algorithms, such as doublebase chains, have been developed to compute faster scalar multiplication by using binary and ternary representation [11–15]. Algorithms, based on the aforementioned algorithms, optimize faster scalar multiplication [16–18]. Optimization is done by some approaches, which also use the binary representation of the scalar k [19–21]. For other solutions, optimization is based on selecting a set of elliptic curves for cryptography (Weierstrass curve, twisted Edwards curve) on which scalar multiplication is faster than the recent implementation record on the

Modern Cryptography – Current Challenges and Solutions

The double-and-add technique is the traditional binary algorithm, which is based on point operations, namely, doubling of a point and addition of points. The double-and-add algorithm is an additive representation of the algorithms used for exponentiation. As shown on Algorithm 4, the scalar is represented in binary on

operation is done for each scanned bit ki of k, followed by a point addition if the

For a given scalar k, the number of point doubling operation is (l-1), and those of point addition operation is equal to the number of non-zero bits (denoted by hamming weight h) -1. The cost of multiplication depends on the length of the binary representation of k and the number of Harming weight (the number of 1's) of scalar in this representation. The average Harming weight on all scalar k of length l bits is approximately l/2. Thus, in an average, binary Algorithm 4 requires (l-1)

For example, k = 379 = (101111011)2, l=9, and the number of non-zero bits h is

The double-and-add method can be generalized by using fixed or variable size windows. The scalar k is divided into m blocks of w bit(s) (w an integer of variable

As in DA where bits are scanned one by one, and if the scanned bit is equal to 0,

Q

Q (point doubling) is performed; if not (scanned bit equal to 1 > 0), Q=2<sup>1</sup>

(point doubling) and Q=Q + 1P (point addition) are performed. In window

equal to 7. So computation 379P requires 8 doublings and 5 additions.

size), for each block corresponds to a number Vi.

, where ki ∈ {0, 1}. The binary method i=0 scans the bits of scalar

// begin scanning bits from right-to-left.

// an addition operation is performed

// a doubling operation is performed

either from left to right or right to left. A doubling

corresponding NIST curve.

l bits: ∑<sup>l</sup>�<sup>1</sup>

<sup>i</sup>¼<sup>0</sup>ki2<sup>i</sup>

Output: Q=[k]P Begin Q ∞

> � � � � � � � � � � � �

� � � � � � � � � � � � � � � � � � � � � � end

P 2P

for i 0 to l � 1 do if ki ¼ 1 then jQ Q þ P end

> end return Qð Þ

½ � k P ¼ ð Þ P þ P þ P þ …… þ P |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} k times

scanned bit is non-zero (ki 6¼ 0).

Algorithm 4. Double-and-add LSB/MSB. Input: k=(kl-1,……….., k1,k0)2, P ∈ E (Fp)

doublings and (l-1)/2 additions.

Q=2<sup>1</sup>

48

3.1 Double-and-add algorithm

tively, to precomputed points 1P, 15P, and 3P. The scalar multiplication from block (m-1) to block 0 can be performed as follows: P ! [2]P(1 point doubling) ! 24[62] P(4 repeated point doublings) + [15]P(point additions)! 2.[47]P(1 point doubling) ! 22[94]P(2 repeated point doublings)+ [3]P(point addition) ! [379]P. The result is eight point doublings and two additions.
