TY - CHAP
T1 - The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks
AU - Okeya, Katsuyuki
AU - Takagi, Tsuyoshi
PY - 2003
Y1 - 2003
N2 - The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Möller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Möller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.
AB - The side channel attack (SCA) is a serious attack on wearable devices that have scarce computational resources. Cryptographic algorithms on them should be efficient using small memory - we have to make efforts to optimize the trade-off between efficiency and memory. In this paper we present efficient SCA-resistant scalar multiplications based on window method. Möller proposed an SPA-resistant window method based on 2w-ary window method, which replaces w-consecutive zeros to 1 plus w-consecutive 1 and it requires 2w points of table (or 2w-1 + 1 points if the signed 2w-ary is used). The most efficient window method with small memory is the width-w NAF, which requires 2w-2 points of table. In this paper we convert the width-w NAF to an SPA-resistant addition chain. Indeed we generate a scalar sequence with the fixed pattern, e.g. |0..0cursive Greek chi|0..0cursive Greek chi|...|0..0cursive Greek chi|, where cursive Greek chi is positive odd points < 2w. Thus the size of the table is 2w-1, which is optimal in the construction of the SPA-resistant chain based on width-2 NAF. The table sizes of the proposed scheme are 6% to 50% smaller than those of Möller's scheme for w = 2,3,4,5, which are relevant choices in the sense of efficiency for 160-bit ECC.
UR - http://www.scopus.com/inward/record.url?scp=35248865717&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=35248865717&partnerID=8YFLogxK
U2 - 10.1007/3-540-36563-x_23
DO - 10.1007/3-540-36563-x_23
M3 - Chapter
AN - SCOPUS:35248865717
SN - 3540008470
SN - 9783540008477
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 328
EP - 342
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A2 - Joye, Marc
PB - Springer Verlag
ER -