Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
3Activity
0 of .
Results for:
No results containing your search query
P. 1
Efficient Implementation of Elliptic Curve Cryptography Using Low-power Digital Signal Processor

Efficient Implementation of Elliptic Curve Cryptography Using Low-power Digital Signal Processor

Ratings: (0)|Views: 140|Likes:
Published by Yasir Malik
elliptic curves, implementation, efficient, digital signal processor, elliptic curve cryptography, cryptography
elliptic curves, implementation, efficient, digital signal processor, elliptic curve cryptography, cryptography

More info:

Published by: Yasir Malik on Dec 23, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

01/03/2013

pdf

text

original

 
EfficientImplementation
of
EllipticCurveCryptographyUsingLow-powerDigitalSignalProcessor
MuhammadYasirMalik
NationalUniversity
of
ScienceandTechnology
(NUST)
,Pakistan
yasir_alf@yahoo.com
Figure1.Asimpleellipticcurve
P+Q
AsdescribedearlierthedisadvantageofRSAistheuseoflargenumbers(andhencelargekeys)foritsoperation.MoresecurewewantaRSApublickeycryptosystemtobe;thelargerwouldbethenumbersinvolved.Thiswillincreasethekeysizetoalargeextent.
If
wedon'twanttocompromiseonthesecurity
of
ourinformationthenwehavetouseamoreefficientmethodinvolvinglessnumberofbits(andlesserkeysize).Thisnewcryptosystemmustbestrongenoughtoensuresameorevengreaterlevel
of
securityforourinformation.BasedontheseconcernsECCclearlystandsoutasamuchbetterandefficientmethodforpublickeycryptosystems.Thenovelideabehinditsapplication,thestrengthofECDLPanditsmucheasierandmemoryefficientimplementationmakesitthechoiceofthepresentandnewpublickeyprotocolsandsystems.SOECCcanbecalledthefuturegenerationofpublickeysystems.FundamentalsofECCaregivencomprisingofbasicequations,fieldsusedinECCandtheproblemonwhichthesesystemsrely.
A.Basics
of
ECC
Anellipticcurve'E'isacurvegivenbyanequation(foracubicorquadraticpolynomial
f(x»
:
(1)
:y2
=/(x)
Keywords-
EfficientImplementationofECC,EllipticCurveDiscreteLogarithmicProblem,AdvantagesofECC,Scalarmultiplication,Montgomerymodularmultiplication,Lowpower,Digitalsignalprocessor
Abstract-
RSA(Rivest,ShamirandAdleman)isbeingusedasapublickeyexchangeandkeyagreementtoolformanyyears.DuetolargenumbersinvolvedinRSA,thereisneedformoreefficientmethodsinimplementationforpublickeycryptosystems.EllipticCurveCryptography(ECC)isbasedonellipticcurvesdefinedoverafinitefield.Ellipticcurvecryptosystems(ECC)werediscoveredbyVictorMiller[1)andNealKoblitz[2)in1985.Thispapercomprisesoffivesections.SectionIisintroductiontoECCanditscomponents.SectionIIdescribesadvantagesofECCschemesanditscomparisonwithRSA.Section
III
isaboutsomeoftheapplicationsofECC.SectionIVgivessomeembeddedimplementationsofECC.SectionVcontainsECCimplementationonfixedpointDigitalSignalProcessor(TMS320VC5416).ECCwasimplementedusinggeneralpurposemicrocontrollersandFieldProgrammableGateArrays(FPGA)beforethiswork.DSPismorepowerfulthanmicrocontrollersandmucheconomicalthanFPGA.Sothisimplementationcanbeefficientlyutilizedinlow-powerapplications.
I.
INTRODUCTION
StrengthofRSA[3]liesinintegerfactorizationproblem.Thatiswhenwearegivenanumbern;wehavetofinditsprimefactors.Itbecomesquitecomplicatedwhendealingwithlargenumbers.ThisisthestrengthofRSAandtoanextent,isthedisadvantageassociatedwithit.Ellipticcurveisacurvethatisagroup.ECCutilizesthisgroupforitsfunctioning.Itsstrengthistheprobleminvolvingellipticcurves;EllipticCurveDiscreteLogarithmicProblem(ECDLP).ThatiswhenanellipticcurveEandpointsPand
Q
onEaregiven,find'x'whenQ=xP.AsimpleellipticcurvewithpointsisshowninFigure1.Wewantthatthepolynomialf(x)hasnodoublerootstoensurethatthecurveisnon-singular.Afterachange
of
variables,theequationtakesthesimplerform(cubic):
ISBN
978-89-5519-146-2
-1464-Feb.7-10,2010
ICACT
2010
Authorized licensed use limited to: Seoul National University. Downloaded on July 27,2010 at 08:05:09 UTC from IEEE Xplore. Restrictions apply.
 
Extrapoint
e
"atinfinity"isaddedtotheaboveequationsothatEisreallytheset.
If
wehavetwopoints
PI(XbYI)
andP
2(X2,Y2)
onanyellipticcurveandwewanttofindP
3(X3,Y3)
suchthatP3=PI+P
2.
ThisisknownasPointAdditionanditcanbedoneas:
Let
;{
=
yl
+Y2,
then
x3
=
a
+
;{
+
;{
2+
xl
+
x2
xl+x2
SymmetricDiscreteLogRSAECC(DSA,DH)
80L
=
1024N
=
1601024160-233112L
=
2048N
=
2562048224-255128L
=
3072N
=
2563078256-383
B.Involvement
of
LessNumber
of
Bits
ECCrequiresmuchlessernumbers(andthuslessnumber
of
bits)foritsoperationthankstoECDLP.Thesecuritylevel
of
a160-bitECC,1024-bitRSA,and(160/1024)-bitDSAaresimilar.Table1showsthecomparisonbetweenECCandRSA.
Table
1.
ECCvs,RSA
E.ComputationalEfficiency
Implementingscalarmultiplicationinsoftwareandhardwareismuchmorefeasiblethanperformingmultiplicationsorexponentiationsinthem.AsECCmakesuse
of
scalarmultiplicationssoitismuchmorecomputationallyefficientthanRSAandDiffie-Hellman(DH)publicschemes.SowecansaywithoutanydoubtthatECCisthestrongerandthefaster(efficient)amongstthepresenttechniques.
Table2.ComparableKeySizes(InBits)
C.
WideSelection
of
FiniteFields
and
Curves
DifferentfinitefieldscanbeusedforECCaccordingtosecurityrequirements.FinitefieldswhichcanbeusedforECCaredefmedinStandardsforEfficientCryptographyl[4].ForGF(p)thefmitefieldsusedcanbefromthefollowingdefmedset:p
E
{112;128;160;192;224;256;384;512;1024}ForGF
(21\m)
thefinitefieldsusedcanbefromthefollowingdefinedset:m
s
{113;131;163;193;233;239;283;409;571}Manydifferentcurvescanbechosenforthesamefieldbydifferentusers.ManysuchcurvesandtheirdomainparametersaredefmedinStandardsforEfficientCryptography2[5].
D.PowerConsumption
ECCrequireslesspowerforitsfunctioningsoitismoresuitableforlowpowerapplicationssuchashandheldandmobiledevices.muchstrongerthanotherpublickeyagreementandsignatureauthenticationmethods.
III.
APPLICATIONS
OF
ECC
DuetoitssmallkeysizesECCisbecomingawidelyutilizedandattractivepublic-keycryptosystem.ComparedtocryptosystemssuchasRSA,DSA,andDH,ECCvariationsontheseschemesofferequivalentsecuritywithsmallerkeysizes.ThisisillustratedinTable2.Lissize
of
field,Nissub-fieldsize.
ECC(bits)RSA(bits)KeysizeAESratio(bits)
16010241:6
--
25630241:1212838476801:2019251216,3601:30256
(2)(4)(5)
E:y2
=
x3
+
a
x
+
b
and
y3
=
(x2
+
x3);{
+
x3
+
x2
E
=
{(x,y):y2
=
x3
+
a
x
+
b}
U
{e}
(3)
If
wehaveapoint
PI(XI,YI)
onanyellipticcurveandwewanttofmdP
2(X2,Y2)
suchthatP2=2PI.ThisisknownasPointDoublinganditcanbedoneas:
yl
Let
X
=
xl
+
xl
'thenx2
=
a
+;{
+;{2
and
y2
=
(xl
+
x2);{
+
x2
+
yl
ECCinvolvesellipticcurvesdefmedoverafmitefield.Therearetwotypes
of
fields
of
interestPrimefieldsGF(p)Binaryfmitefields
GF(2I\m)
PointsontheellipticcurveiswrittenasP(x,y)wherexand
yare
elements
of
GF(p).Thesize
of
aset
of
ellipticcurvedomainparametersonaprimecurveisdefinedasthenumber
of
bitsinthebinaryrepresentation
of
thefieldorder;commonlydenotedp.Sizeonacharacteristric-2curveisdefmedasthenumber
of
bitsinthebinaryrepresentation
of
thefield,commonlydenoted
asm.
B.EllipticCurveDiscreteLogarithmicProblem(ECDLP)
ECDLPhasfollowingcomponents:AwelldefinedfinitefieldGF(p)or
GF(2I\m).
AnellipticcurveEdefmedoverany
of
thesetwodefmedfmitefieldsApointP,
of
higherorder,presentonellipticcurve
E
Ascalarmultiple
of
P,let'ssayk,suchthatk.P=P+P+P+...+P(ktimes)SoECDLPinvolvesscalarmultiplication.NowwhenwehavekandPthenitisquiteeasiertofmdk.P.ButwhenwehavetofmdkforgivenPandk.P,thetaskisbitstudious.
II.ADVANTAGES
OF
ECC
Some
of
theadvantagesthatcomewithECCsystemsarebrieflyexplainedhere.
A.MoreComplex
Inspite
of
multiplicationorexponentiationinfinitefield,ECCusesscalarmultiplication.SolvingQ=k.P(utilizedbyECC)ismoredifficultthansolvingfactorization(usedbyRSA)anddiscretelogarithm(usedbyDiffie-Hellman(DH),EIGamal,DigitalSignatureAlgorithm(DSA)).SoECCis
ISBN
978-89-5519-146-2
-1465-Feb.
7-10,
2010ICACT2010
Authorized licensed use limited to: Seoul National University. Downloaded on July 27,2010 at 08:05:09 UTC from IEEE Xplore. Restrictions apply.
 
BOB
ALICE
Co
mp
ute
bQ
A/
ice
Co
mp
ute
aQ
Sob
Bo
bandAl
ice
havethes
ha
redva
l
ue
bQAice
=
abP
=
aQ
SOb
SymmetricDiscreteLogRSA
ECC
~ D S A , D H )
192L-7680N-3847680384-511256
L-15
360N
-51215360512+
PublicKeyPublicKey(RemoteKeys)
ECMQV
SharedSecretKeyKeyPairKeyPair(LocalKeys)
Figure3.
ECMQV
C.
EllipticCurveDigitalSignatureAlgorithm(ECDSA)
Adigitalsignatureisanumberdependentonsomesecretknownonlytothesigner(thesigner'sprivatekey),andadditionallyonthecontents
of
themessagebeingsigned.ECDSAistheellipticcurveanalogue
of
theDigitalSignatureAlgorithm(DSA).KeypairinECDSAisgeneratedthesamewayas
of
thatinECDH.ECDSAuseshashing
of
messageandoperationsonpointstogeneratesignatures.IV.HARDWAREIMPLEMENTATIONSInthissectionsome
of
thenotableimplementations
of
ECCongeneralpurposemicrocontrollersandFPGAaregiven.Publickeycryptographyinvolveslargenumbersandhenceisconsideredtobeslow.Most
of
thepublic-keycryptographyisimplementedonsmalldevicesinconjunctionwithspecialpurposecryptographichardware.Acceleratorsformanycryptofunctionsareusedalongwithsmallprocessors.Howeverin[6],authorsimplementedECCwithoutanyspecialhardware.Withthehelpoftheirnewalgorithmthatreducesmemoryaccesses,theyachieved160-bitECCpointmultiplicationonanAtmelATmegal28at8MHzat0.81s.Thatisthebestknowntimeforsuchanoperationwithoutusingspecializedhardware.Softwareandhardwareco-designofECC{GF(2
191)}
wasimplementedin[7]usingDalton8051andspecialhardware.Thehardwarepartconsists
of
anellipticcurveaccelerationunit(ECAU)andaninterfacewithdirectmemoryaccess(DMA)toenablefastdatatransferbetweentheECAUandtheexternalRAM(XRAM)attachedtothe8051microcontroller.TheECAUallowstoperformafullscalarmultiplicationoverthefieldGF(2
191)
inabout1I8msec,assumingthattheDalton8051isclockedwith12MHz,ascalarmultiplicationoverthefieldGF(2
163)
takeslessthan100msec.SystemblockdiagramforthisconfigurationisshowninFigure4.
Se
ndQ
J
ice
to
Bo
b
Co
mp
ute
QAhce
=
aP
C
hoosesec
ret
0
<
a
<
n
Se
nd
Q
Bob
toAli
ce
Co
mpute
Q
Sob
=
bP
C
hoosesecret
0<b
<
n
Smallerkeysizesresultinlesspower,bandwidth,andcomputationalrequirements.ThismakesECCagoodchoiceforlowpowerenvironments.ECChasgotapplicationsasapublickeysharingschemeandasdigitalsignatureauthenticationscheme.Theapplications
ofECC
are:A.EllipticCurveDiffie-Hellman(ECDH)KeyExchangeB.EllipticCurveMenezes-Qu-Vanstone(ECMQV)KeyExchangeandVerificationC.EllipticCurveDigitalSignatureAlgorithm(ECDSA)
A.EllipticCurveDiffie-Hellman(ECDH)KeyExchange
ECDHoperatesbyprovidingthetwopartiessharingasecretkeywithapublickey,whichinthiscaseisapointPonellipticcurveE.AliceperformsscalarmultiplicationusingthispointPandascalarmultiplea,whichissecretkey
of
Alice.a.Pnowbecomespublickey
of
Alicewhichshecansharewiththeotherparty.Ontheotherend,BobperformsscalarmultiplicationusingpointPandascalarmultiple
of
hischoicei.e.b,whichissecretkey
of
Bob.b.Pbecomespublickey
of
BobwhichheshareswithAlice.Aliceperformsscalarmultiplication
of
publickey
of
Alice(b.P)withhersecretkeyatogeta.b.P.Bobalsodoesthesamewithhissecretkeybandpublickey
of
Alicea.Ptogetthesamea.b.P.Thisentityi.e.a.b.Pissameforboththepartiesandistheirsharedkey.
Pub
licK
no
w
edge
:Agroup
E(
F
pl
a
nd
apointPofordern.
Figure2.Elliptic
Curv
eDiffie-Hellman(ECDH)
B.EllipticCurveMenezes-Qu-Vanstone(ECMQV)KeyExchangeandVerification
ECMQVkeyexchangealgorithmisusedtogenerateasharedsecretkeyfromtwoellipticcurvekeypairsownedbyoneentityandtwoellipticcurvepublickeysownedbyanotherentity.Bothentitieshavetheanalogousroleinthealgorithm.Eachentitymakesuse
of
itskeypairsandotherentity'spublickeystogetitssecretkey.Asthesecretkeyobtainedbyeachsidebyusingthisalgorithmisthesame,keyexchangeandverificationisachievedbythisprocess.
ExternalDMA
~
DaltonRAM
8051
i
i
ttt
ECAU
-
ECAUdatapathcontrolECAccelerationUnit(ECAU)
Figure4.Systemblockdiagram
ISBN
978-89-5519-146-2
-1466-Feb.
7-10
,2010
ICACT
2010
Authorized licensed use limited to: Seoul National University. Downloaded on July 27,2010 at 08:05:09 UTC from IEEE Xplore. Restrictions apply.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->