Efficient scalar multiplication of ECC using SMBR and fast septuple formula for IoT

To resolve the conflict between the low power budget of Internet of Things (IoT) devices and the high cost of cryptography, lightweight cryptography is required. Improving scalar multiplication effectively reduces the complexity of elliptic curve cryptography (ECC). In this paper, we propose a fast point septupling formula for elliptic curves over binary fields that uses division polynomials and reuse of intermediate values to speed up the computation of $7P$ by more than 14%. We also propose a scalar multiplication algorithm based on the step multi-base representation that combines point halving with the proposed septuple formula, significantly reducing the computational cost. Experimental results show that our method is more efficient over binary fields and contributes to reducing the complexity of ECC.

Curve Cryptography (ECC). ECC is a public-key technology based on the discrete logarithm problem (DLP). It uses the points of an elliptic curve over a finite field, which form a finite abelian group, to implement public-key cryptographic primitives. The security of RSA rests on integer factorization, for which sub-exponential-time algorithms are known; the hard problem underlying ECC is the Elliptic Curve Discrete Logarithm Problem (ECDLP), for which the best known generic algorithms are fully exponential. The effort needed to solve the ECDLP therefore grows far faster with the problem size than the effort for integer factorization or the finite-field discrete logarithm problem. As a result, ECC needs much smaller keys than public-key schemes such as RSA and ElGamal for the same security level; for example, a 160-bit ECC key provides security comparable to a 1024-bit RSA key. Because of this high security per key bit, ECC is widely used on mobile and IoT devices. However, ECC operations are still complex and costly for IoT devices with weak processors, limited energy reserves and intensive data transmission, which challenges the long-term stable operation and real-time data transfer of such devices. We therefore need to make ECC operations lighter, increasing the efficiency of the cryptography and reducing its cost.
ECC operates on the group of points of an elliptic curve over a finite field. Scalar multiplication on an elliptic curve adds a point $P$ on the curve to itself $k$ times:

$$Q = kP = \underbrace{P + P + \cdots + P}_{k \text{ times}},$$

where $P$ is a point on the elliptic curve and $k$ is a large positive integer. In every ECC primitive, scalar multiplication is the dominant computation, so the key to an efficient ECC implementation is fast scalar multiplication, and many accelerations have been proposed. Morain et al. [4] proposed the non-adjacent form (NAF), a signed-digit representation in which at least one of any two adjacent digits is zero. Solinas proposed the Joint Sparse Form (JSF) based on the NAF [5]; the JSF is an optimal joint signed-binary representation of a pair of integers and has more joint zero columns than a pair of NAFs. Koblitz [6] proposed anomalous binary curves (Koblitz curves) on which the Frobenius map can be exploited, and Solinas [7] proposed an efficient scalar representation for those curves, the reduced $\tau$-adic non-adjacent form (RTNAF). Squaring in a binary field can be implemented as a shift (a cyclic shift in a normal-basis representation) and takes very little time, so under the RTNAF the point $\tau P$ is obtained quickly by squaring the $x$ and $y$ coordinates of $P$. Cohen proposed a more efficient addition by combining projective and affine coordinates into mixed coordinates [8]; projective systems such as Jacobian coordinates eliminate the expensive inversion that scalar multiplication in affine coordinates requires. In recent years, representing the large integer $k$ in double-base and multi-base form has attracted wide attention. Dimitrov [9] first proposed the Double-Base Number System (DBNS) and applied it to scalar multiplication; the sparseness of the DBNS and its use of the base 3 effectively reduce the number of point additions. However, the DBNS contains repeated computations.

To solve this problem, Dimitrov [10] proposed the Double-Base Chain (DBC) on the basis of the DBNS. A DBC evaluates the representation in nested (Horner) form, so that every partial result is reused and repeated computation is avoided. Mishra extended the DBNS to the Multi-Base Number Representation (MBNR), removing the restriction to two bases and thereby bringing higher redundancy to the representation of the scalar [11]. Like the DBNS, however, the MBNR still contains repeated computations.
In this paper, we propose an efficient formula for computing the sevenfold point $7P$ of an elliptic curve point over a binary field; it can be used in the DBNS and the MBNR to compute elliptic curve scalar multiplications. The formula uses division polynomials and reuse of intermediate values in affine coordinates to speed up the computation of $7P$ by more than 14%. We also propose a scalar multiplication algorithm based on the Step Multi-Base Representation (SMBR) that uses the proposed septuple formula and replaces the traditional point doubling with the faster point halving. Experimental results show that our scalar multiplication algorithm is more efficient in affine coordinates over binary fields and contributes to reducing the cost of cryptography for IoT devices.
The paper is organized as follows. In Sect. 2, we briefly introduce the basics of elliptic curves, point halving, double-base chains and multi-base representations. In Sect. 3, we give an efficient formula for computing the sevenfold point of an elliptic curve point over binary fields, prove the formula and analyze its computational cost. In Sect. 4, we propose a scalar multiplication algorithm based on the SMBR, give the method for converting a scalar $k$ into an SMBR and describe the algorithm in detail. In Sect. 5, we present experimental results, compare our algorithm with previous work and show that our method is more efficient. Finally, in Sect. 6, we draw our conclusions.

Related work
In this section, we will review the concepts and research status of ECC, point halving, double-base chains and step multi-base representation.

Elliptic curve cryptography (ECC)
Definition 1 (Elliptic curve) An elliptic curve $E$ over a finite field $K$ can be defined by the Weierstrass equation

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \tag{1}$$

where $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, where $\Delta$ is the discriminant of $E$.

In practice, an admissible change of variables greatly simplifies the Weierstrass Eq. (1).

Over prime fields, $K = \mathbb{F}_p$, if the characteristic of $K$ is neither 2 nor 3, Eq. (1) can be simplified to

$$E : y^2 = x^3 + ax + b, \tag{2}$$

where $a, b \in \mathbb{F}_p$ and $\Delta = 4a^3 + 27b^2 \neq 0$.

Over binary fields, $K = \mathbb{F}_{2^m}$, the elliptic curve $E$ is called non-supersingular, and Eq. (1) can be rewritten as

$$E : y^2 + xy = x^3 + ax^2 + b, \tag{3}$$

where $a, b \in \mathbb{F}_{2^m}$ and $b \neq 0$.

The set $E(K)$ of rational points of $E$ over $K$, together with the point at infinity $O$, forms an abelian group under the operation (usually written as addition) defined by the chord-and-tangent law. If the points of $E$ are represented in affine coordinates, e.g., $P = (x, y)$ and $Q = (u, v)$, then both point addition ($P + Q$) and point doubling ($2P$) require an expensive field inversion. We write $[i]$, $[s]$ and $[m]$ for the cost of one inversion $I$, one squaring $S$ and one multiplication $M$, respectively. To gauge the cost of inversions, the ratio $[i]/[m]$ is defined as the ratio between the cost of one inversion and that of one multiplication. It is generally assumed that $3 \le [i]/[m] \le 10$ over binary fields [12] and $[i]/[m] \ge 30$ over prime fields [13]. Squaring is the cheapest of the three main operations. Over binary fields, squaring is a linear operation with negligible cost, and it is generally assumed that $[s] \le 0.1[m]$ [12]. Over prime fields, a fixed ratio $[s] < [m]$ is generally assumed; however, when side-channel atomicity [14] is used as a countermeasure against side-channel attacks (SCA), squarings are executed with the same multiplier as multiplications, and then $[s] = [m]$.

Point halving
Point halving, proposed independently by Knudsen [15] and Schroeppel [16], is the inverse of point doubling. Let $P = (x, y)$ and $Q = (u, v)$ be two points on the elliptic curve $E$ of Eq. (3) over a binary field, expressed in affine coordinates and satisfying $Q = 2P$. If the affine coordinates of $P$ are known, the coordinates of $Q$ are obtained by point doubling as follows:

$$\lambda = x + \frac{y}{x}, \tag{4}$$

$$u = \lambda^2 + \lambda + a, \tag{5}$$

$$v = x^2 + u(\lambda + 1). \tag{6}$$

Point halving is the opposite operation: given $Q = (u, v)$, find $P = (x, y)$ such that $Q = 2P$, written $P = \frac{1}{2}Q$. First, solve $\lambda^2 + \lambda = u + a$ (from Eq. (5)) for $\lambda$; then solve $x^2 = v + u(\lambda + 1)$ (from Eq. (6)) for $x$ by taking a square root; finally compute $y = \lambda x + x^2$ (from Eq. (4)). The quadratic equation has two roots, $\lambda$ and $\lambda + 1$, corresponding to the two points whose double is $Q$; the root that yields the point in the odd-order subgroup is selected by a trace test, and the equation is solved with a half-trace computation rather than an inversion. The logic of point halving is shown in Algorithm 1; a detailed analysis of the solving process and of the cost of point halving is given in [13]. Point halving is cheaper than point doubling, and its advantage is more evident when the point $P$ is not known in advance and the $[i]/[m]$ ratio is small [13]. If every doubling in the usual double-and-add method is replaced by a halving, the computation is accelerated by about 50% [16].
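As an added, runnable illustration of Eqs. (4)–(6) and of the halving procedure just described (example code written for this page, not the paper's implementation), the following Python implements affine doubling and Knudsen/Schroeppel halving on a toy non-supersingular curve. The field $\mathbb{F}_{2^7}$ with reduction polynomial $x^7 + x + 1$ and the curve coefficients $a = 1$, $b = 53$ are constructed parameters: with $m$ odd and $a = 1$ we have $\mathrm{Tr}(a) = 1$, so the curve has cofactor 2 and halving is well defined in the odd-order subgroup $G = 2E(\mathbb{F}_{2^m})$. The half-trace solves $\lambda^2 + \lambda = u + a$ without an inversion, and the test $\mathrm{Tr}(x) = \mathrm{Tr}(a)$ picks the root whose point lies in $G$ (the other root gives the second half, $P + T$ with $T = (0, \sqrt{b})$ the point of order 2).

```python
# Toy binary-field elliptic curve: doubling (Eqs. 4-6) and point halving.
# Constructed parameters for this example: F_{2^7} with x^7 + x + 1, a = 1, b = 53.
M = 7
POLY = (1 << M) | 0b11          # x^7 + x + 1, irreducible over GF(2)
A, B = 1, 53                    # y^2 + xy = x^3 + A x^2 + B, with B != 0
INF = None                      # point at infinity

def fmul(x, y):
    """Multiply two field elements (bit strings) by shift-and-reduce."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= POLY
    return r

def fsqr(x):
    return fmul(x, x)

def fpow(x, e):
    r = 1
    while e:
        if e & 1:
            r = fmul(r, x)
        x, e = fsqr(x), e >> 1
    return r

def finv(x):
    return fpow(x, (1 << M) - 2)          # x^(2^m - 2) = 1/x for x != 0

def fsqrt(x):
    return fpow(x, 1 << (M - 1))          # squaring is a bijection in char 2

def trace(x):
    """Tr(x) = x + x^2 + ... + x^(2^(m-1)); the result is always 0 or 1."""
    t = 0
    for _ in range(M):
        t, x = t ^ x, fsqr(x)
    return t

def half_trace(c):
    """For odd m, H(c) = sum_{i=0}^{(m-1)/2} c^(4^i) solves z^2 + z = c when Tr(c) = 0."""
    h = 0
    for _ in range((M + 1) // 2):
        h, c = h ^ c, fsqr(fsqr(c))
    return h

def on_curve(P):
    if P is INF:
        return True
    x, y = P
    return fsqr(y) ^ fmul(x, y) == fmul(fsqr(x), x) ^ fmul(A, fsqr(x)) ^ B

def double(P):
    """2P in affine coordinates: one inversion (Eq. 4) plus cheap operations."""
    if P is INF or P[0] == 0:            # (0, sqrt(B)) is the unique point of order 2
        return INF
    x, y = P
    lam = x ^ fmul(y, finv(x))           # Eq. (4): lambda = x + y/x
    u = fsqr(lam) ^ lam ^ A              # Eq. (5): u = lambda^2 + lambda + a
    v = fsqr(x) ^ fmul(u, lam ^ 1)       # Eq. (6): v = x^2 + u(lambda + 1)
    return (u, v)

def add(P, Q):
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:                         # Q = P, or Q = -P = (x1, x1 + y1)
        return double(P) if y1 == y2 else INF
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fsqr(lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def halve(Q):
    """P in G with 2P = Q, for Q in G: a half-trace, a square root and one
    multiplication, but no field inversion."""
    if Q is INF:
        return INF
    u, v = Q
    lam = half_trace(u ^ A)              # a root of lambda^2 + lambda = u + a (Eq. 5)
    t = v ^ fmul(u, lam ^ 1)             # x^2 = v + u(lambda + 1) for this root (Eq. 6)
    if trace(t) != trace(A):             # wrong half: switch to the root lambda + 1,
        lam, t = lam ^ 1, t ^ u          # whose x^2 is t + u; Tr(x) = Tr(a) <=> P in G
    x = fsqrt(t)
    return (x, fmul(lam, x) ^ fsqr(x))   # Eq. (4) rearranged: y = lambda*x + x^2

def mul(k, P):
    """Plain double-and-add, used here only as an independent cross-check."""
    R = INF
    for bit in bin(k)[2:]:
        R = double(R)
        if bit == "1":
            R = add(R, P)
    return R

def curve_order():
    """#E(F_2^m) by counting: with y = xz the curve becomes z^2 + z = x + a + b/x^2."""
    n = 2                                 # infinity plus the point (0, sqrt(B))
    for x in range(1, 1 << M):
        if trace(x ^ A ^ fmul(B, finv(fsqr(x)))) == 0:
            n += 2
    return n

def point_in_g():
    """Double the first affine point found; doubling lands it in G = 2E."""
    for x in range(1, 1 << M):
        c = x ^ A ^ fmul(B, finv(fsqr(x)))
        if trace(c) == 0:
            return double((x, fmul(x, half_trace(c))))
```

Since $G$ has odd order $h = \#E/2$, the half of $Q \in G$ is unique and equals $\frac{h+1}{2} \cdot Q$; `halve(Q)` can therefore be checked both by doubling it back and by comparing it against that scalar multiple. A production implementation would replace the brute-force order count with the published group order and keep the base point in $G$ by construction.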

Double-base chain (DBC)
The Double-Base Number System (DBNS) was originally proposed by Dimitrov [9] as a representation of positive integers in which every positive integer $k$ is written as a sum or difference of $\{p, q\}$-integers, i.e. products of powers of two relatively prime positive integers $p$ and $q$. For example, in [9] a positive integer $k$ is represented by $\{2, 3\}$-integers (terms of the form $2^b 3^t$) as

$$k = \sum_{i=1}^{m} s_i\, 2^{b_i} 3^{t_i}, \qquad s_i \in \{-1, 1\},\ b_i, t_i \ge 0.$$

Subsequently, Dimitrov [10] developed the Double-Base Chain (DBC) and specified that a DBNS expansion can be transformed into a DBC only if the exponents of each base form a decreasing sequence, that is, $b_1 \ge b_2 \ge \cdots \ge b_m \ge 0$ and $t_1 \ge t_2 \ge \cdots \ge t_m \ge 0$.

Definition 2 (Double-base chain (DBC)) Given a positive integer $k > 0$, a sequence $(C_n)_{n > 0}$ of positive integers satisfying $C_1 = 1$ and $C_n = 2^u 3^v C_{n-1} \pm 1$ for some $u, v \ge 0$, such that there exists $m > 0$ with $C_m = k$, is called a double-base chain of $k$, and $m$ is the length of the chain. The length of a double-base chain equals the number of $2^b 3^t$ terms in the DBNS expansion.

A double-base chain makes every intermediate value reusable by restricting the exponent sequences ($b_1 \ge \cdots \ge b_m \ge 0$ and $t_1 \ge \cdots \ge t_m \ge 0$) and evaluating the expansion recursively in Horner form. Double-base chain representations are highly redundant and can dramatically reduce the Hamming weight of the scalar expansion. Algorithm 2 gives the procedure for transforming a large integer $k$ into a DBNS expansion that satisfies the exponent constraints.

In Algorithm 2, the maximum exponent of each base $x$ is generally limited to $\log_x(k)$, i.e., $b_{\max} < \log_2(k) \le n$ and $t_{\max} < \log_3(k) \le 0.65n$, where $n$ is the bit length of the positive integer $k$. For a 160-bit integer, for example, $b_{\max} = 160$ and $t_{\max} = 103$ can be chosen.
The ternary/binary method for fast ECC scalar multiplication proposed by Ciet et al. [17] was subsequently applied to double-base chains to reduce the number of inversions and the execution time by means of efficient point doubling ($2P$), point tripling ($3P$) and point quadrupling ($4P$).

Step multi-base representation (SMBR)
In [11], Mishra introduced the step multi-base representation (SMBR), in which the scalar is written over a base set $B$ as a signed sum of products of powers of the bases, with the exponent sequence of every base monotonically decreasing. The SMBR can be seen as a generalization of the DBC: if $|B| = 2$, the SMBR reduces to a DBC. As in the DBC, all intermediate values can be reused in the SMBR; it therefore has higher redundancy and further reduces the Hamming weight of the scalar expansion. Since an efficient point quintupling formula was also proposed in [11], the SMBR with $B = \{2, 3, 5\}$, i.e., $k = \sum_{i=1}^{m} s_i\, 2^{b_i} 3^{t_i} 5^{q_i}$, has been widely used and studied [18, 22]. In a scalar multiplication algorithm, the choice of the SMBR base set determines the computational performance. Replacing an existing base with one that has a more efficient multiple-point formula further increases the redundancy of the representation and reduces the cost of the scalar multiplication algorithm. Therefore, in Sect. 3 we propose an efficient septuple formula, and in Sect. 4 we propose a scalar multiplication algorithm based on the SMBR with $B = \{1/2, 3, 7\}$.

Septuple formula design
In this section, we give an efficient septuple formula for elliptic curve points over binary fields, a proof of the formula and an efficiency analysis.

Point septupling in elliptic curves over binary fields
To reduce the number of inversions in multiple-point operations, it is common practice to convert points to another coordinate system (e.g., Jacobian coordinates). Over binary fields, however, where the $[i]/[m]$ ratio is small (generally $3 \le [i]/[m] \le 10$), elliptic curve group arithmetic in affine coordinates already performs very well.
Therefore, we propose a new point septupling formula in affine coordinates. Let P = (x, y) be a known point on an elliptic curve shown in Eq. (3) over a binary field. Assume that the sevenfold point of P is expressed as 7P = (u, v) . Then, we can obtain u and v by the following formula: Let us define a set of polynomials as follows: Then,

Proof of septuple formula over binary fields
For non-supersingular curves over binary fields, $K = \mathbb{F}_{2^m}$, the division polynomials are defined as follows: The higher-degree division polynomials are obtained from the following recursive relations: Applying these relations with $n = 2$ in Eq. (11), $n = 3$ in Eq. (12), $n = 3$ in Eq. (11) and $n = 4$ in Eq. (12) in turn, we obtain: Using the polynomials $\psi_1, \psi_2, \psi_3, \psi_4$ and the recurrences (11) and (12), the $n$-fold of any point $P = (x, y)$ on a non-supersingular curve is given by the formula: where and Writing the affine coordinates of $7P$ as $(u, v)$, we can compute them directly from Eq. (14): However, computing $(u, v)$ directly from the formulae above is not the most suitable method. Many intermediate values arise while computing $\psi_1, \psi_2, \ldots, \psi_8$ and $(u, v)$, and the computation can be accelerated by rewriting the formulae and reusing these intermediate values. Defining the polynomials the transformed forms of $\psi_1, \psi_2, \ldots, \psi_8$ and $(u, v)$ are as follows: Substituting these values into formula (13) and simplifying gives the septuple formula (10). The transformation proceeds as follows:

Cost of septuple formula over binary fields
Given a point $P = (x, y)$ on a non-supersingular curve (Eq. 3), we examine the sub-expressions and costs required to compute $7P$ by Eq. (10) without any precomputation. Table 1 lists the sub-expressions, intermediate values and costs for computing $7P$. Next, we analyze the efficiency of the septuple formula. Table 2 lists the costs of the field operations over binary fields. Several methods for computing $7P$ have been proposed previously. In [19], the authors proposed several septuple formulae over prime fields, one costing $15[s] + 14[m]$ in Jacobian coordinates and another costing $9[s] + 13[m]$ in Jacobi-quartic coordinates. In [20], the author uses a septuple formula for which, compared with [20], the formula proposed in this paper saves two inversions and two multiplications, resulting in a speed-up of 33% at the ratio of

Methods
To improve the speed of elliptic curve scalar multiplication, we modify the MBNR with $B = \{2, 3, 5\}$ proposed in [11] and propose an SMBR with $B = \{1/2, 3, 7\}$. We retain the original point tripling, replace point doubling and point quadrupling with the faster point halving, replace point quintupling with the point septupling proposed in Sect. 3, and restrict the exponent sequences $(b_i)$, $(t_i)$, $(q_i)$ of $1/2$, $3$ and $7$ to be monotonically decreasing. The modified SMBR is defined as follows:

$$k = \sum_{i=1}^{m} s_i \left(\tfrac{1}{2}\right)^{b_i} 3^{t_i} 7^{q_i}, \qquad s_i \in \{-1, 1\},$$

where each of the sequences $(b_i)$, $(t_i)$, $(q_i)$ is monotonically decreasing. This representation is called a $\{1/2, 3, 7\}$-step multi-base representation of the integer $k$.

Because point halving is involved, the $\{1/2, 3, 7\}$-SMBR of a large integer $k$ has to be derived indirectly. Let $p$ be the odd order of the base point $P$; halving is defined only in this odd-order subgroup, and $2$ is invertible modulo $p$. First we find a large power $2^r$ with base 2 whose value approximates $p$. Then we multiply the original scalar $k$ by $2^r$, reduce modulo $p$ and denote the result by $k'$, as shown in Eq. (15):

$$k' = 2^r \cdot k \bmod p. \tag{15}$$

This transforms the problem of finding a $\{1/2, 3, 7\}$-SMBR of $k$ into finding a $\{2, 3, 7\}$-MBNR of $k'$ with exponent restrictions, so that the representation of $k$ becomes $k \equiv 2^{-r} k' \pmod p$. Subsequently, we find an MBNR of $k'$ with base $\{2, 3, 7\}$ in which the exponent sequences of $3$ and $7$ decrease monotonically while the exponent sequence of $2$ increases monotonically. We obtain this MBNR iteratively. First, we look for an $n$ with $k \equiv 0 \pmod n$, trying $n$ in the order $\{42, 36, 32, 28, 27, 24, 21, 18, 16, 14, 12, 9, 8, 7, 6, 4, 3, 2\}$. If $k \equiv 0 \pmod{42}$, we return $2 \cdot 3 \cdot 7 \cdot \frac{k}{42}$; if $k \equiv 0 \pmod{36}$, we return $2^2 \cdot 3^2 \cdot \frac{k}{36}$; if $k \equiv 0 \pmod{32}$, we return $2^5 \cdot \frac{k}{32}$; and so on: if $k \equiv 0 \pmod n$, we return $2^{n_1} \cdot 3^{n_2} \cdot 7^{n_3} \cdot \frac{k}{n}$, where $2^{n_1} 3^{n_2} 7^{n_3} = n$. If none of the trials matches, we find the power of 2 closest to $k$, denoted $k_c$, and return the absolute value $|k - k_c|$ of the difference between $k$ and $k_c$. We choose a power of 2 as the approximation of $k$ because the point doublings later become point halvings (possibly combined as half-and-add), which cost less than point triplings and point septuplings. Since the returned value $|k - k_c|$ keeps shrinking, it can always be approximated in the next round by a lower power of 2, so the exponents of 2 in this MBNR are monotonically decreasing, and triple-and-add is rarely required in the scalar multiplication. The iteration stops only when $k$ equals 1 or a product of powers of 2, 3 and 7, i.e. when $k = 2^b 3^t 7^q$ for non-negative integers $b$, $t$ and $q$, which can be represented directly. The terms returned by this iterative algorithm form an MBNR of $k'$, ordered from the term with the highest exponent of 2 and the lowest exponents of 3 and 7 to the term with the lowest exponent of 2 and the highest exponents of 3 and 7. We then reverse the order of the terms, so that the exponents of 3 and 7 decrease and the exponents of 2 increase.

Finally, dividing the MBNR by $2^r$ makes all exponents of 2 non-positive, so that the exponents of $1/2$ are monotonically decreasing. From this we obtain a $\{1/2, 3, 7\}$-SMBR of $k$ as shown in Eq. (16):

$$k \equiv \sum_{i=1}^{m} s_i \left(\tfrac{1}{2}\right)^{r - b_i} 3^{t_i} 7^{q_i} \pmod p. \tag{16}$$

Based on this representation, we propose a scalar multiplication algorithm for elliptic curves over binary fields using the $\{1/2, 3, 7\}$-SMBR, described in Algorithm 3. The number of additions (including half-and-add and triple-and-add) equals the number of terms in the representation minus one. Half-and-add is used instead of a plain addition whenever the exponent of $1/2$ is non-zero; if the exponent of $1/2$ is zero but the exponent of 3 is non-zero, triple-and-add is used instead. Since there is no septuple-and-add formula, a plain point addition is used when the exponents of $1/2$ and 3 are both zero. In total, Algorithm 3 requires $b_1$ point halvings (including half-and-add), $t_1$ point triplings (including triple-and-add) and $q_1$ point septuplings, where $b_1$, $t_1$ and $q_1$ are the exponents of the first (largest) term of the representation.
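As an added example (written for this page; it is not the paper's Algorithm 3 implementation), the following Python converts a scalar to the $\{1/2, 3, 7\}$-SMBR exactly as described above (trial order, nearest power of two, reversal, division by $2^r$) and then evaluates it with the Horner-style schedule of Algorithm 3, counting halvings, triplings, septuplings and additions. The group operations are passed in as callbacks; here they are instantiated on the integers modulo an odd $n$, where halving is multiplication by $2^{-1} \bmod n$, which is a faithful model of a cyclic group of odd order $n$ and lets the result be checked against $k \bmod n$. The modulus $n = 1000003$ and the scalar $k = 123456789$ are constructed sample inputs; applied to an elliptic curve point $P$ of odd order $n$ with the curve's halving, tripling, septupling and addition routines, the same schedule yields $kP$.

```python
# Added example: {1/2, 3, 7}-SMBR conversion (Sect. 4) and the Horner schedule of
# Algorithm 3.  The modulus N and scalar K are constructed sample inputs.
TRIAL_ORDER = [42, 36, 32, 28, 27, 24, 21, 18, 16, 14, 12, 9, 8, 7, 6, 4, 3, 2]
N, K = 1_000_003, 123_456_789            # N plays the role of the odd point order

def exps(n):
    """Exponents (b, t, q) with n = 2^b 3^t 7^q; every TRIAL_ORDER entry factors so."""
    out = []
    for p in (2, 3, 7):
        e = 0
        while n % p == 0:
            n, e = n // p, e + 1
        out.append(e)
    assert n == 1
    return tuple(out)

def to_mbnr(k):
    """{2,3,7}-MBNR of k > 0: list of (s, b, t, q) with k = sum s*2^b*3^t*7^q.
    Terms are emitted with b strictly decreasing and t, q non-decreasing."""
    terms, s, b, t, q = [], 1, 0, 0, 0
    while k > 0:
        n = next((d for d in TRIAL_ORDER if k % d == 0), None)
        if n is not None:                # k = n * (k/n): fold n into the exponents
            eb, et, eq = exps(n)
            b, t, q, k = b + eb, t + et, q + eq, k // n
            continue
        if k == 1:                       # k has become a pure 2^b 3^t 7^q
            terms.append((s, b, t, q))
            break
        c = k.bit_length() - 1           # power of two closest to k; no ties, since a
        if k - (1 << c) > (1 << (c + 1)) - k:   # tie needs k = 3*2^j, divisible by 3
            c += 1
        terms.append((s, b + c, t, q))
        k -= 1 << c                      # continue with |k - 2^c|, sign folded into s
        if k < 0:
            s, k = -s, -k
    return terms

def eval_mbnr(terms):
    return sum(s * 2 ** b * 3 ** t * 7 ** q for s, b, t, q in terms)

def to_smbr(k, n):
    """{1/2,3,7}-SMBR of k modulo the odd order n: k' = 2^r k mod n (Eq. 15), then
    2^b -> (1/2)^(r-b) (Eq. 16).  Reversed so that h, t and q are all non-increasing."""
    r = n.bit_length()
    kp = (k << r) % n
    assert kp, "k is a multiple of n"
    return [(s, r - b, t, q) for s, b, t, q in to_mbnr(kp)][::-1]

def smbr_multiply(terms, P, halve, triple, septuple, add, neg):
    """Algorithm 3: Horner evaluation of an SMBR with the supplied group operations.
    Returns the result and the counts (halvings, triplings, septuplings, additions)."""
    counts = [0, 0, 0, 0]

    def step(Q, op, times, idx):
        for _ in range(times):
            Q = op(Q)
        counts[idx] += times
        return Q

    s, h, t, q = terms[0]
    Q = P if s > 0 else neg(P)
    for s2, h2, t2, q2 in terms[1:]:
        assert h2 <= h and t2 <= t and q2 <= q, "not a step representation"
        Q = step(Q, halve, h - h2, 0)
        Q = step(Q, triple, t - t2, 1)
        Q = step(Q, septuple, q - q2, 2)
        Q = add(Q, P if s2 > 0 else neg(P))   # half-and-add / triple-and-add / add
        counts[3] += 1
        h, t, q = h2, t2, q2
    Q = step(Q, halve, h, 0)
    Q = step(Q, triple, t, 1)
    Q = step(Q, septuple, q, 2)
    return Q, tuple(counts)

def zn_ops(n):
    """The group Z_n (n odd) as a stand-in for a point of odd order n: halving is
    multiplication by the inverse of 2 modulo n."""
    inv2 = (n + 1) // 2
    return (lambda x: x * inv2 % n, lambda x: 3 * x % n, lambda x: 7 * x % n,
            lambda x, y: (x + y) % n, lambda x: -x % n)

def demo(k=K, n=N):
    terms = to_smbr(k, n)
    result, counts = smbr_multiply(terms, 1, *zn_ops(n))
    return result, counts, terms[0][1:]  # op counts of 1/2, 3, 7 equal the top exponents
```

The `assert` in `smbr_multiply` is the check a practitioner wants before trusting a representation: the Horner schedule silently skips a negative exponent difference, so a non-monotone term list would produce a wrong point rather than an error. With the integer model the returned result must equal $k \bmod n$, and the operation counts equal the exponents $(b_1, t_1, q_1)$ of the first term, as stated for Algorithm 3.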

Results and discussion
The experiments were performed on elliptic curves recommended by the National Institute of Standards and Technology (NIST). They are divided into three test groups, using the curves NIST B-163, NIST B-233 and NIST B-283 over binary fields of 163, 233 and 283 bits, respectively. To analyze the performance of the proposed scalar multiplication algorithm more visually, we compare it with the NAF proposed in [4], the DBC proposed in [10], the MBNR proposed in [11] and the MMBR proposed in [22]. For each test group, 1000 large scalars $k$ are chosen at random; scalar multiplication is performed with each algorithm in turn without any precomputation or stored points, the numbers of field operations are averaged over the 1000 scalars, and the numbers of inversions, squarings and multiplications are reported as $I$, $S$ and $M$, respectively. The experimental environment is an Intel(R) Core(TM) i7 CPU at 2.20 GHz with 16 GB of memory running Linux; the algorithms are implemented in C/C++ with the Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL). In this section, the performance of the proposed algorithm is described in detail. To compare the total computational cost of the different algorithms clearly, we take $[i]/[m] = 8$ and ignore $[s]$ over binary fields. Fig. 1 compares the total computational cost of the different scalar multiplication algorithms; the cost of every algorithm rises as the length of the scalar $k$ grows. Since both our algorithm and the MMBR use point halving, their cost is significantly lower than that of the other algorithms. Compared with the MMBR, our algorithm performs better, and the longer the scalar $k$, the more pronounced its advantage.

Fig. 1 Comparison of the total computational cost of different scalar multiplication algorithms.

We have compared the performance of our method with the NAF method in [4], the DBC method in [10], the MBNR method in [11] and the MMBR method in [22] against the SMBR with $B = \{1/2, 3, 7\}$, which drastically reduces the computational cost by using point halving and the point septupling we propose. The experimental results indicate that our method effectively reduces the cost of scalar multiplication for elliptic curves over binary fields and contributes to making ECC lightweight. The scalar multiplication method studied in this paper is still at the stage of theoretical research, and future work needs to consider newer generations of IoT terminal devices.