52 Things: Number 26: Describe the NAF scalar multiplication algorithm.
52 Things: Number 26: Describe the NAF scalar multiplication algorithm.
52件事:第26件:描述NAF标量乘法算法。
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this week, we describe the NAF scalar multiplication algorithm.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周,我们将介绍NAF标量乘法算法。
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周,我们将介绍NAF标量乘法算法。
The NAF scalar multiplication algorithm is an enhanced form of scalar multiplication, in which the use of Non-Adjacent Form (NAF) representation decreases the expected running time of the algorithm. In more detail:
NAF标量乘法算法是标量乘法的一种增强形式,其中使用非相邻形式(NAF)表示减少了算法的预期运行时间。更详细地说:
Let k be a positive integer and P a point on an elliptic curve E over the field Fq. The operation that computes the multiplication Q=k⋅P is known as the elliptic curve scalar multiplication (or point multiplication) and dominates the execution time of elliptic curve cryptographic schemes.
设k是正整数,P是场 Fq 上椭圆曲线E上的点。计算乘法 Q=k⋅P 的运算被称为椭圆曲线标量乘法(或点乘法),并且支配椭圆曲线密码方案的执行时间。One of the most basic methods to compute a scalar multiplication is based on a double-and-add variant of Horner's rule, known as the binary method. As the name suggests, the two most prominent building blocks of this method are the point doubling and point addition primitives. More particularly, to calculate k⋅P, integer k is represented as k=kn−12n−1+kn−22n−2+⋯+k1+k0 , where ki∈{0,1}, i=0,1,2...,n−1 (binary representation form). The following algorithms form the additive versions of the basic repeated-square-and-multiply methods for exponentiation [1,2].
计算标量乘法的最基本方法之一是基于Horner规则的双加变体,即二进制方法。顾名思义,这种方法的两个最突出的构建块是点加倍和点添加基元。更具体地,为了计算 k⋅P ,整数k被表示为 k=kn−12n−1+kn−22n−2+⋯+k1+k0 ,其中 ki∈{0,1} , i=0,1,2...,n−1 (二进制表示形式)。以下算法形成了幂的基本重复平方和乘法方法的加法版本[1,2]。
NAF标量乘法算法是标量乘法的一种增强形式,其中使用非相邻形式(NAF)表示减少了算法的预期运行时间。更详细地说:
Let k be a positive integer and P a point on an elliptic curve E over the field Fq. The operation that computes the multiplication Q=k⋅P is known as the elliptic curve scalar multiplication (or point multiplication) and dominates the execution time of elliptic curve cryptographic schemes.
设k是正整数,P是场 Fq 上椭圆曲线E上的点。计算乘法 Q=k⋅P 的运算被称为椭圆曲线标量乘法(或点乘法),并且支配椭圆曲线密码方案的执行时间。One of the most basic methods to compute a scalar multiplication is based on a double-and-add variant of Horner's rule, known as the binary method. As the name suggests, the two most prominent building blocks of this method are the point doubling and point addition primitives. More particularly, to calculate k⋅P, integer k is represented as k=kn−12n−1+kn−22n−2+⋯+k1+k0 , where ki∈{0,1}, i=0,1,2...,n−1 (binary representation form). The following algorithms form the additive versions of the basic repeated-square-and-multiply methods for exponentiation [1,2].
计算标量乘法的最基本方法之一是基于Horner规则的双加变体,即二进制方法。顾名思义,这种方法的两个最突出的构建块是点加倍和点添加基元。更具体地,为了计算 k⋅P ,整数k被表示为 k=kn−12n−1+kn−22n−2+⋯+k1+k0 ,其中 ki∈{0,1} , i=0,1,2...,n−1 (二进制表示形式)。以下算法形成了幂的基本重复平方和乘法方法的加法版本[1,2]。
INPUT: k = (kt−1,..., k1, k0)2, P ∈ E(Fq).
INPUT:k=(k−1,…,k1,k0)2,P∈E( Fq )。
OUTPUT: k ⋅ P. 输出:k ⋅ P。
Q←∞.
For i from 0 to
从0到t−1 do 1做
If ki = 1 then =1那么Q←Q+P.
P←2P. P←2P。
Return(Q). 返回(Q)。
The first algorithm processes the bits of k from right to left, while the second processes the bits from left to right. The expected number of ones in the binary representation of k for both algorithms is t/2≈m/2, therefore the expected running time of both algorithms is approximately m/2 point additions and m point doublings [1]:
第一种算法从右到左处理k的比特,而第二种算法从左到右处理比特。对于两种算法,k的二进制表示中的预期1个数为t/2≈m/2,因此两种算法的预期运行时间约为m/2点加法和m点加倍[1]:
INPUT:k=(k−1,…,k1,k0)2,P∈E( Fq )。
OUTPUT: k ⋅ P. 输出:k ⋅ P。
Q←∞.
For i from 0 to
从0到t−1 do 1做
If ki = 1 then =1那么Q←Q+P.
P←2P. P←2P。
Return(Q). 返回(Q)。
INPUT: k = (kt−1,..., k1, k0)2, P ∈ E(Fq).
INPUT:k=(k−1,…,k1,k0)2,P∈E( Fq )。
OUTPUT: k ⋅ P. 输出:k ⋅ P。
Q←∞.
For i from t−1 down to 0 do
对于i,从−1到0 do
Q←2Q. Q←2Q。
If ki = 1 then Q←Q+P.
如果ki=1,则Q←Q+P。
Return(Q). 返回(Q)。
INPUT:k=(k−1,…,k1,k0)2,P∈E( Fq )。
OUTPUT: k ⋅ P. 输出:k ⋅ P。
Q←∞.
For i from t−1 down to 0 do
对于i,从−1到0 do
Q←2Q. Q←2Q。
If ki = 1 then Q←Q+P.
如果ki=1,则Q←Q+P。
Return(Q). 返回(Q)。
The first algorithm processes the bits of k from right to left, while the second processes the bits from left to right. The expected number of ones in the binary representation of k for both algorithms is t/2≈m/2, therefore the expected running time of both algorithms is approximately m/2 point additions and m point doublings [1]:
第一种算法从右到左处理k的比特,而第二种算法从左到右处理比特。对于两种算法,k的二进制表示中的预期1个数为t/2≈m/2,因此两种算法的预期运行时间约为m/2点加法和m点加倍[1]:
m2⋅A+m⋅D.
In 1951, Booth [3] proposed a new scalar binary representation called signed binary method and later Rietweisner [4] proved that every integer could be uniquely represented in this format [5]. More particularly, If P=(x,y)∈E(Fq) then −P=(x,x+y) if Fq is a binary field, and −P=(x,−y) if Fq has characteristic > 3. Thus subtraction of points on an elliptic curve is just as efficient as addition. This motivates us to use a signed digit representation k=∑l−1i=0ki⋅2i, where ki∈{0,±}. A particularly useful signed digit representation is the non-adjacent form (NAF). A NAF representation of a positive integer k is an expression k=∑l−1i=0ki⋅2i , where ki∈{0,±} , kl−1≠0 , and no two consecutive digits ki are non-zero. The length of the NAF is l [1].
1951年,Booth[3]提出了一种新的标量二进制表示,称为有符号二进制方法,后来Rieweesner[4]证明了每个整数都可以用这种格式唯一表示[5]。更具体地说,如果P=(x,y) ∈ E( Fq ),则如果 Fq 是二进制字段,则−P=(x,x+y);如果#3的特性>3,则−P=(x、−y)。因此,椭圆曲线上的点的减法和加法一样有效。这促使我们使用带符号的数字表示#4,其中 ki∈{0,±} 。一种特别有用的有符号数字表示是非相邻形式(NAF)。正整数k的NAF表示是表达式 k=∑l−1i=0ki⋅2i ,其中 ki∈{0,±} 、 kl−1≠0 和没有两个连续数字ki是非零的。NAF的长度为l[1]。
Properties of NAF [1]: NAF[1]的性质:
1951年,Booth[3]提出了一种新的标量二进制表示,称为有符号二进制方法,后来Rieweesner[4]证明了每个整数都可以用这种格式唯一表示[5]。更具体地说,如果P=(x,y) ∈ E( Fq ),则如果 Fq 是二进制字段,则−P=(x,x+y);如果#3的特性>3,则−P=(x、−y)。因此,椭圆曲线上的点的减法和加法一样有效。这促使我们使用带符号的数字表示#4,其中 ki∈{0,±} 。一种特别有用的有符号数字表示是非相邻形式(NAF)。正整数k的NAF表示是表达式 k=∑l−1i=0ki⋅2i ,其中 ki∈{0,±} 、 kl−1≠0 和没有两个连续数字ki是非零的。NAF的长度为l[1]。
Properties of NAF [1]: NAF[1]的性质:
- k has a unique NAF denoted NAF(k).
k具有表示为NAF(k)的唯一NAF。 - NAF(k) has the fewest non-zero digits of any signed digit representation of k.
NAF(k)具有k的任何有符号数字表示中最少的非零数字。 - The length of NAF(k) is at most one more than the length of the binary representation of k.
NAF(k)的长度至多比k的二进制表示的长度多一个。 - If the length of NAF(k) is l, then 2l /3 < k < 2l+1/3.
如果NAF(k)的长度为l,则2l/3<k<2+1/3。 - The average density of non-zero digits among all NAFs of length l is approximately 1/3.
长度为l的所有NAF中非零数字的平均密度约为1/3。
NAF(k) can be efficiently computed using the following algorithm [1]:
可以使用以下算法[1]有效地计算NAF(k):
可以使用以下算法[1]有效地计算NAF(k):
INPUT: A positive integer k.
INPUT:一个正整数k。
OUTPUT: NAF(k). 输出:NAF(k)。
i←0.
While k≥1 do 当k≥1 do时
If k is odd then: ki ←2−(k mod 4), k←k−ki;
如果k是奇数,那么:ki←2−(k mod 4),k←k−ki;
Else: ki ←0. 其他:ki←0.
k←k/2, i←i+1. k←k/2,←+1.
Return(ki−1, ki−2,..., k1, k0).
返回(k−1,k−2,…,k1,k0)。
INPUT:一个正整数k。
OUTPUT: NAF(k). 输出:NAF(k)。
i←0.
While k≥1 do 当k≥1 do时
If k is odd then: ki ←2−(k mod 4), k←k−ki;
如果k是奇数,那么:ki←2−(k mod 4),k←k−ki;
Else: ki ←0. 其他:ki←0.
k←k/2, i←i+1. k←k/2,←+1.
Return(ki−1, ki−2,..., k1, k0).
返回(k−1,k−2,…,k1,k0)。
The last algorithm presents the way we can modify the left-to-right binary method for scalar multiplication by using NAF(k) instead of the binary representation of k [1]:
最后一个算法提出了一种方法,我们可以通过使用NAF(k)而不是k[1]的二进制表示来修改标量乘法的从左到右二进制方法:
最后一个算法提出了一种方法,我们可以通过使用NAF(k)而不是k[1]的二进制表示来修改标量乘法的从左到右二进制方法:
INPUT: Positive integer k, P ∈ E(Fq).
INPUT:正整数k,P∈E( Fq )。
OUTPUT: k ⋅ P.
输出:k ⋅ P。
Based on previous algorithm compute NAF(k) =∑l−1i=0ki⋅2i.
基于先前的算法计算NAF(k)= ∑l−1i=0ki⋅2i 。
Q←∞.
For i from l−1 down to 0 do
对于i,从−1到0 do
Q←2Q. Q←2Q。
If ki = 1 then Q←Q+P.
如果ki=1,则Q←Q+P。
If ki = −1 thenQ←Q−P.
如果ki=−1,则Q←Q−P。
Return(Q). 返回(Q)。
Based on the third and fifth properties of NAF, the expected running time of the NAF scalar multiplication algorithm is approximately [1]:
基于NAF的第三和第五性质,NAF标量乘法算法的预期运行时间约为[1]:
INPUT:正整数k,P∈E( Fq )。
OUTPUT: k ⋅ P.
输出:k ⋅ P。
Based on previous algorithm compute NAF(k) =∑l−1i=0ki⋅2i.
基于先前的算法计算NAF(k)= ∑l−1i=0ki⋅2i 。
Q←∞.
For i from l−1 down to 0 do
对于i,从−1到0 do
Q←2Q. Q←2Q。
If ki = 1 then Q←Q+P.
如果ki=1,则Q←Q+P。
If ki = −1 thenQ←Q−P.
如果ki=−1,则Q←Q−P。
Return(Q). 返回(Q)。
Based on the third and fifth properties of NAF, the expected running time of the NAF scalar multiplication algorithm is approximately [1]:
基于NAF的第三和第五性质,NAF标量乘法算法的预期运行时间约为[1]:
m3⋅A+m⋅D.
The Working Class Must Lead!