Speed up rational point scalar multiplications on elliptic curves by Frobenius equations

Let q be a power of a prime and φ be the Frobenius endomorphism on E（Fqk）, then q = tφ - φ^2. Applying this equation, a new algorithm to compute rational point scalar multiplications on elliptic curves by finding a suitable small positive integer s such that q^s can be represented as some very sparse φ-polynomial is proposed. If a Normal Basis （NB） or Optimal Normal Basis （ONB） is applied and the precomputations are considered free, our algorithm will cost, on average, about 55% to 80% less than binary method, and about 42% to 74% less than φ-ary method. For some elliptic curves, our algorithm is also taster than Mǖller＇s algorithm. In addition, an effective algorithm is provided for finding such integer s.     

Fast Reconfigurable Elliptic Curve Cryptography Acceleration for <Emphasis Type="Italic">GF</Emphasis>(2<Superscript><Emphasis Type="Italic">m</Emphasis></Superscript>) on 32 bit Processors

This paper focuses on the design and implementation of a fast reconfigurable method for elliptic curve cryptography acceleration in GF(2 ^m ). The main contribution of this paper is comparing different reconfigurable modular multiplication methods and modular reduction methods for software implementation on Intel IA-32 processors, optimizing point arithmetic to reduce the number of expensive reduction operations through a novel reduction sharing technique, and measuring performance for scalar point multiplication in GF(2 ^m ) on Intel IA-32 processors. This paper determined that systematic reduction is best for fields defined with trinomials or pentanomials; however, for fields defined with reduction polynomials with large Hamming weight Barrett reduction is best. In GF(2⁵⁷¹) for Intel P4 2.8 GHz processor, long multiplication with systematic reduction was 2.18 and 2.26 times faster than long multiplication with Barrett or Montgomery reduction. This paper determined that Montgomery Invariant scalar point multiplication with Systematic reduction in Projective coordinates was the fastest method for single scalar point multiplication for the NIST fields from GF(2¹⁶³) to GF(2⁵⁷¹). For single scalar point multiplication on a reconfigurable elliptic curve cryptography accelerator, we were able to achieve ∼6.1 times speedup using reconfigurable reduction methods with long multiplication, Montgomery’s MSB Invariant method in projective coordinates, and systematic reduction. Further extensions were made to implement fast reconfigurable elliptic curve cryptography for repeated scalar point multiplication on the same base point. We also show that for L > 20 the LSB invariant method combined with affine doubling precomputation outperforms the LSB invariant method combined with López-Dahab doubling precomputation for all reconfigurable reduction polynomial techniques in GF(2⁵⁷¹) for Intel IA-32 processors. For L = 1000, the LSB invariant scalar point multiplication method was 13.78 to 34.32% faster than using the fastest Montgomery Invariant scalar point multiplication method on Intel IA-32 processors.     

High-performance Public-key Cryptoprocessor for Wireless Mobile Applications

We present a high-speed public-key cryptoprocessor that exploits three-level parallelism in Elliptic Curve Cryptography (ECC) over GF(2 ⁿ ). The proposed cryptoprocessor employs a Parallelized Modular Arithmetic Logic Unit (P-MALU) that exploits two types of different parallelism for accelerating modular operations. The sequence of scalar multiplications is also accelerated by exploiting Instruction-Level Parallelism (ILP) and processing multiple P-MALU instructions in parallel. The system is programmable and hence independent of the type of the elliptic curves and scalar multiplication algorithms. The synthesis results show that scalar multiplication of ECC over GF(2¹⁶³) on a generic curve can be computed in 20 and 16 μs respectively for the binary NAF (Non-Adjacent Form) and the Montgomery method. The performance can be accelerated furthermore on a Koblitz curve and reach scalar multiplication of 12 μs with the TNAF (τ-adic NAF) method. This fast performance allows us to perform over 80,000 scalar multiplications per second and to enhance security in wireless mobile applications.

Scalar Multiplication on Elliptic Curves by Frobenius Expansions

Koblitz has suggested to use “anomalous” elliptic curves defined over F₂, which are non-supersingular and allow for efficient multiplication of a point by an integer. For these curves, Meier and Staffelbach gave a method to find a polynomial of the Frobenius map corresponding to a given multiplier. Muller generalized their method to arbitrary non-supersingular elliptic curves defined over a small field of characteristic 2. In this paper, we propose an algorithm to speed up scalar multiplication on an elliptic curve defined over a small field. The proposed algorithm uses the same technique as Muller's to get an expansion by the Frobenius map, but its expansion length is half of Muller's due to the reduction step (Algorithm 1). Also, it uses a more efficient algorithm (Algorithm 3) to perform multiplication using the Frobenius expansion. Consequently, the proposed algorithm is two times faster than Muller's. Moreover, it can be applied to an elliptic curve defined over a finite field with odd characteristic and does not require any precomputation or additional memory.     

Improved Scalar Multiplication on Elliptic Curves Defined over F2mn

We propose two improved scalar multiplication methods on elliptic curves over F_qn where q = 2^m using Frobenius expansion. The scalar multiplication of elliptic curves defined over subfield F_q can be sped up by Frobenius expansion. Previous methods are restricted to the case of a small m. However, when m is small, it is hard to find curves having good cryptographic properties. Our methods are suitable for curves defined over medium‐sized fields, that is, 10 ≤ m ≤ 20. These methods are variants of the conventional multiple‐base binary (MBB) method combined with the window method. One of our methods is for a polynomial basis representation with software implementation, and the other is for a normal basis representation with hardware implementation. Our software experiment shows that it is about 10% faster than the MBB method, which also uses Frobenius expansion, and about 20% faster than the Montgomery method, which is the fastest general method in polynomial basis implementation.     

Fault-Based Attack on Montgomery��s Ladder Algorithm

In this paper we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, a and b. We show that with a different “value” for curve parameter a, there exists a cryptographically weaker group in nine of the ten NIST-recommended elliptic curves over \mathbbF_2^m\mathbb{F}_{2^{m}}. Thereafter, we present two attacks that are based on the observation that parameter a is not utilized for the Montgomery ladder algorithms proposed by López and Dahab (CHES 1999: Cryptographic Hardware and Embedded Systems, LNCS, vol. 1717, pp. 316–327, Springer, Berlin, 1999). We also present the probability of success of such attacks for general and NIST-recommended elliptic curves. In addition we give some countermeasures to resist these attacks.     

优化扩域上椭圆曲线标量乘的一个新算法

提出了一种优化扩域上椭圆曲线标量乘的新算法.算法基于Frobenius映射和二进制串的逻辑操作.文中对这个算法给出了细致精确的分析,而且在此基础上对新算法作了进一步改进.最后从理论分析和实际仿真两个方面就新算法和传统算法进行了比较.指出新算法执行时间比传统的φ-adic算法要少20%到40%.     

Effect of successive implantation of Ag+(Cu+) and Xe+ ions on the recombination properties of CdxHg1−x Te crystals

The effect of successive double implantation of Ag⁺(Cu⁺) and Xe⁺ ions on the recombination properties of Cd_xHg_1−x Te (0.2<x<0.3) crystals has been investigated. It is shown that after implantation of ions of one chemical element, followed by diffusion thermal annealing at temperatures below 150–200 K, recombination through local levels lying 30±5 meV below the conduction band bottom dominates. Successive double implantation of Ag⁺(Cu⁺) and Xe⁺ ions followed by diffusion thermal annealing changes the course of the temperature dependence of the lifetime of the nonequilibrium charge carriers. It was determined that for Cd_xHg_1−x Te crystals with x⋍0.20–0.25 in the temperature interval 700–200 K the lifetime of the nonequilibrium charge carriers is low (τ<0.15 μs) and does not depend on the temperature. For Cd_xHg_1−x Te crystals with x⋍0.3 recombination of nonequilibrium charge carriers occurs through two types of levels: in the temperature range 140–200 K — deep levels E _t1⋍E _c −51 meV and at lower temperatures (77–140 K) — through shallower levels E _t2⋍E _c −(16±2) meV. Fiz. Tekh. Poluprovodn. 31, 786–789 (July 1997)     

AUTOCORRELATIONS OF l-SEQUENCES WITH CERTAIN SHIFTS

In this paper, the autocorrelations of maximal period Feedback with Carry Shift Register sequences （l-sequences） are discussed. For an l-sequence a with connection integer q = p^e（e ≥ 2） and period T = p^t-1（p- 1）, and for any integer i, 1 ≤ i ≤ e/2, by calculating the number of certain sets, it is shown that the autocorrelation of a with shift τ= kT/2p^i is Ca（τ） =（-1）^k-1 T/p^2i-1, where 1 ≤ k ≤ 2p^i - 1, and gcd（k,2p^i） = 1. This result shows there do exist some shifts such that the autocorrelations of l-sequences are high although most autocorrelations are low. Such result also holds for the decimations of l-sequences.     

Transport coefficients of AlGaN/GaN heterostructures

We have experimentally determined the effective mass (m*) of GaN, the classical (τ _c), and quantum (τ _q) scattering times for a two-dimensional electron gas residing at the interface of an AlGaN/GaN heterostructure, using the Shubnikovde Haas effect. The ratio of the two scattering times, τ _c/τ _q, suggests that, at low temperatures, the scattering mechanism limiting the mobility is due to remote ionized impurities located in AlGaN. This study should provide sample growers with information useful for improving the quality of the nitride heterostuctures.     

Fast Multiplication on Elliptic Curves over Small Fields of Characteristic Two

We discuss new algorithms for multiplying points on elliptic curves defined over small finite fields of characteristic two. This algorithm is an extension of previous results by Koblitz, Meier, and Staffelbach. Experimental results show that the new methods can give a running time improvement of up to 50 % compared with the ordinary binary algorithm for multiplication. Finally, we present a table of elliptic curves, which are well suited for elliptic curve public key cryptosystems, and for which the new algorithm can be used. Received 14 January 1997 and revised 4 September 1997     

The Extended k-tree Algorithm

Consider the following problem: Given k=2 ^q random lists of n-bit vectors, L ₁,…,L _k , each of length m, find x ₁∈L ₁,…,x _k ∈L _k such that x ₁+⋅⋅⋅+x _k =0, where + is the XOR operation. This problem has applications in a number of areas, including cryptanalysis, coding theory, finding shortest lattice vectors, and learning theory. The so-called k-tree algorithm, due to Wagner, solves this problem in [(O)\tilde](2^q+n/(q+1))\tilde{O}(2^{q+n/(q+1)}) expected time provided the length m of the lists is large enough, specifically if m≥2 ^n/(q+1).     

Component Overpressure Growth and Characterization of High-Resistivity CdTe Crystals for Radiation Detectors

Spectrometer-grade CdTe single crystals with resistivities higher than 10⁹ Ω cm have been grown by the modified Bridgman method using zone-refined precursor materials (Cd and Te) under a Cd overpressure. The grown CdTe crystals had good charge-transport properties (μτ _e = 2 × 10⁻³ cm² V⁻¹, μτ _h = 8 × 10⁻⁵ cm² V⁻¹) and significantly reduced Te precipitates compared with crystals grown without Cd overpressure. The crystal growth conditions for the Bridgman system were optimized by computer modeling and simulation, using modified MASTRAPP program, and applied to crystal diameters of 14 mm (0.55′′), 38 mm (1.5′′), and 76 mm (3′′). Details of the CdTe crystal growth operation, structural, electrical, and optical characterization measurements, detector fabrication, and testing using ²⁴¹Am (60 keV) and ¹³⁷Cs (662 keV) sources are presented.     

The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes—Okamoto—Vanstone Algorithm

The security of elliptic curve cryptosystems is based on the presumed intractability of the discrete logarithm problem on the curve. Other than algorithms that work in an arbitrary group and are exponential in the general case, the only general-purpose algorithm that has ever been proposed for the elliptic curve discrete logarithm is that of Menezes—Okamoto—Vanstone (MOV). The MOV algorithm, which embeds an elliptic curve group of prime order l in the multiplicative group of a field F _qk, is subexponential only under special circumstances, however. In this paper we first prove that, under a mild condition that always holds in practical applications, the condition that l|(q ^k -1) , which is obviously necessary for realizing the MOV algorithm, is also sufficient. We next give an improved upper bound for the frequency of occurrence of pairs of primes l, p such that l|(p ^k -1) for k small, where l is in the Hasse interval . Received 28 November 1995 and revised 20 September 1996     

Temperature dependence of the optical properties of Hg1−xCdxTe

The alloy composition of Hg_1−xCd_xTe should be controlled during growth, so that the desired band gap and the lattice-matched layer may be obtained. In-situ spectroscopic ellipsometry, now commercially available, enables one to acquire spectral data during growth. If one knows the optical dielectric function as a function of alloy composition and temperature, the technique can be fully used to monitor and control temperature, the thickness, and the alloy composition. For this purpose, we first obtained temperature dependent spectral data of Hg_1−xCd_xTe by spectroscopic ellipsometry (SE). The spectral data of Hg_1−xCd_xTe with x = 1,0.235, and 0.344 were obtained from room temperature to 800Kin the photon energy range from 1.3 to 6 eV. The spectral data revealed distinctive critical point structures at E₀, E₀+Δ₀, E₁, E₁+Δ₁, E₂(X), and E₂(Σ). Critical point energies decreased and linewidths increased monotonically as temperature increased. The model for the optical dielectric function enabled (i) the critical point parameters to be determined accurately, and (ii) the spectral data to be expressed as a function of temperature within and outside the experimental range.     

A State-of-the-art Elliptic Curve Cryptographic Processor Operating in the Frequency Domain

We propose a novel area/time efficient elliptic curve cryptography (ECC) processor architecture which performs all finite field arithmetic operations in the discrete Fourier domain. The proposed architecture utilizes a class of optimal extension fields (OEF) GF(q ^m ) where the field characteristic is a Mersenne prime q = 2 ⁿ  − 1 and m = n. The main advantage of our architecture is that it achieves extension field modular multiplication in the discrete Fourier domain with only a linear number of base field GF(q) multiplications in addition to a quadratic number of simpler operations such as addition and bitwise rotation. We achieve an area between 25k and 50k equivalent gates for the implementations over OEFs of size 169, 289 and 361 bits. With its low area and high speed, the proposed architecture is well suited for ECC in small device environments such as sensor networks. The work at hand presents the first hardware implementation of a frequency domain multiplier suitable for ECC and the first hardware implementation of ECC in the frequency domain.

A parallel binary structured LMS algorithm for transversal adaptive filters

The adaptation process in digital filters requires extensive calculation. This computation makes adaptation a slow and time consuming process. Simple, but versatile, parallel algorithms for adaptive filters, suitable for VLSI implementation, are in demand. In this paper a regular and modular parallel algorithm for an adaptive filter is presented. This parallel structure is based on the Gradient Vector Estimation Algorithm, which minimizes the Mean Square Error. In the parallel method, the tap weights of the adaptive filter are updated everys steps, whereas in the recursive algorithms, the tap weights are updated at each step. Fors step update, bit strings of lengths are used to derive the terms with which the tap weights of the adaptive filter are calculated. The algorithm presented computes the tap weights at timen+s as a function of the tap weights at timen, the inputs from timen+1 ton+s−1, and the desired output from timen+1 ton+s−1. The algorithm also can be mapped to a VLSI architecture that is both regular and modular and allows either expansion of the order of the filter or the degree of parallelism obtainable. A comparison between the performance of the sequential LMS algorithm, Fast Exact LMS algorithm, and the parallel binary structured LMS algorithm is presented.     

Self-Testing Embedded Borden t-UED Code Checkers for t = 2 k q − 1 with q = 2 m − 1

Borden codes are optimal nonsystematic t-unidirectional error detecting (t-UED) codes. A possible method to design a Borden code checker is to map the Borden code words to words of an AN arithmetic code and to check the obtained words with an appropriate AN code checker. For t = q − 1 with q = 2 ^m  − 1 we show how this method can be modified such that the Borden code checkers achieve the self-testing property under very weak conditions. It is only required that no checker input line gets a constant signal and that the Borden code words occur in a random order, making the proposed checkers very suitable for use as embedded checkers. Based on these checkers it is then possible to design embedded Borden t-UED code checkers for t = 2 ^k q − 1 with q = 2 ^m  − 1.

Current response of a TlBr detector to <Superscript>137</Superscript>Cs γ-ray radiation

The current response of a TlBr detector to ¹³⁷Cs γ-ray radiation has been studied in the dose-rate range 0.033–3.84 Gy/min and within the voltage range 1–300 V; the detectors are based on pure and doped TlBr crystals grown from the melt by the Bridgman-Stockbarger method. The mass fraction of Pb or Ca introduced into the TlBr crystals was 1–10 ppm for Pb and 150 ppm for Ca. The current response of nominally undoped TlBr samples was nearly linear over two decades of studied dose rates. Deep hole levels associated with cationic vacancies V _c ⁻ determine the dependence of the current response on the voltage in the high electric fields. The parameters of the carriers’ transport μτ are determined. The TlBr crystals grown in vacuum and in the bromine vapor exhibit a large mobility-lifetime product of 4.3 × 10⁻⁴ and 6.4 × 10⁻⁵ cm²V⁻¹, respectively. The value of μτ is in the range (4–9) × 10⁻⁵ cm²V⁻¹ for crystals doped with a divalent cation.     

Galvanomagnetic properties of two-dimensional electron gases in strain relaxed InxGa1−xAs(x<0.40) heterostructures grown by molecular beam epitaxy on GaAs substrates

We have investigated, as a function of indium content x, the galvanomagnetic and Shubnikov de Haas (SdH) properties of two-dimensional electron gases (2DEG) formed at lattice matched, strain relaxed InAlAs/InGaAs heterojunctions. These were grown by molecular beam epitaxy on GaAs misoriented substrates with a two degree offcut toward the nearest (110) plane. Variable temperature resistivity and Hall measurements indicate an increase in the electron sheet density n_s from 0.78×10¹²cm⁻² for x=0.15 to 1.80×10¹² cm⁻² for x=0.40 at 300K, and from 0.75×10¹²cm⁻² to 1.67×10¹²cm⁻² at T=1.6K. The room temperature electron mobility, measured along the in plane [110], direction is independent of indium content and equals approximately 9500 cm²/Vs. For T<50K, the mobility is independent of temperature decreasing with increasing x from 82000 cm²/Vs for x=0.15 to 33000 cm²/Vs for x=0.40. The ratios (τ_t/τ_q) at 1.6K between the electron relaxation time τ_t and the single particle relaxation time τq, for the strain relaxed specimens, as well as for pseudomorphically strained Al_0.35Ga_0.65As/In_0.15Ga_0.85As structures grown on GaAs substrates, and In_0.52Al_0.48As/In_0.53Ga_0.47As heterostructures grown lattice matched on InP substrates. Such a study indicates the presence of inhomogeneities in the 2DEGs of the strain relaxed specimens which appear to be related to the process of strain relaxation. Such inhomogeneities, however, have little effect on the electron relaxation time τ_t which, at low temperatures, is limited principally by alloy scattering.