Digit set randomization in elliptic curve cryptography

We introduce a new approach for randomizing the digit sets of binary integer representations used in elliptic curve cryptography, and present a formal analysis of the sparsity of such representations. The motivation is to improve the sparseness of integer representations and to provide a tool for defense against side channel attacks. Existing alternative digit sets D such as D = {0,1, -1} require a certain non-adjacency property (no two successive digits are non-zero) in order to attain the desired level of sparseness. Our digit sets do not rely on the non-adjacency property, which in any case is only possible for a certain very restricted class of digit sets, but nevertheless achieve better sparsity. For example, we construct a large explicit family of digit sets for which the resulting integer representations consist on average of 74% zeros, which is an improvement over the 67% sparsity available using non-adjacent form representations. Our proof of the sparsity result is novel and is dramatically simpler than the existing analyses of non-adjacent form representations available in the literature, in addition to being more general. We conclude with some performance comparisons and an analysis of the resilience of our implementation against side channel attacks under an attack model called the open representation model. We emphasize that our side channel analysis remains preliminary and that our attack model represents only a first step in devising a formal framework for assessing the security of randomized representations as a side channel attack countermeasure. © Springer-Verlag Berlin Heidelberg 2007.