
Published by ijcsis

The Elliptic Curve Cryptography (ECC) covers all relevant asymmetric cryptographic primitives like digital signatures and key agreement algorithms. ECC is considered the best candidate for Public-Key Cryptosystems. Recently, Elliptic Curve Cryptography based on Binary Edwards Curves (BEC) has been proposed and it shows several interesting properties, e.g., completeness and security against certain exceptional-points attacks. In this paper, we present a study of the different methods to implement ECC in hardware, we study the implementation of the BEC to make it suitable for programmable devices, and we give as an application a hardware design of elliptic curve operations over binary fields GF(2^m). The function used for this purpose is the scalar multiplication kP, which is the core operation of ECCs, where k is an integer and P is a point on an elliptic curve.


A Study of Elliptic Curves’s Implementations Suitable for Embedded Systems

Moncef Amara #1 and Amar Siad #

# LAGA Laboratory, University of Paris 8 (Vincennes Saint-Denis), Saint-Denis / FRANCE.
1 amara_moncef@yahoo.fr
1 moncef.amara02@etud.univ-paris8.fr

Abstract—The Elliptic Curve Cryptography (ECC) covers all relevant asymmetric cryptographic primitives like digital signatures and key agreement algorithms. ECC is considered the best candidate for Public-Key Cryptosystems. Recently, Elliptic Curve Cryptography based on Binary Edwards Curves (BEC) has been proposed and it shows several interesting properties, e.g., completeness and security against certain exceptional-points attacks. In this paper, we present a study of the different methods to implement ECC in hardware, we study the implementation of the BEC to make it suitable for programmable devices, and we give as an application a hardware design of elliptic curve operations over binary fields $GF(2^m)$. The function used for this purpose is the scalar multiplication $kP$, which is the core operation of ECCs, where $k$ is an integer and $P$ is a point on an elliptic curve.

Index Terms—Cryptography, Elliptic curves, Binary Edwards curve, Scalar multiplication, Binary arithmetic, Cryptosystems, Programmable devices, FPGA.

I. INTRODUCTION

Elliptic Curve Cryptography (ECC) is a relatively new cryptosystem, suggested independently, from the second half of 19th century, by Neal Koblitz [6] and Victor Miller [7]. At present, ECC has been commercially accepted, and has also been adopted by many standardizing bodies such as ANSI, IEEE, ISO and NIST [2]. Since then, it has been the focus of a lot of attention and gained great popularity due to the same level of security it provides with much smaller key sizes than conventional public key cryptosystems have.

The ECC covers all relevant asymmetric cryptographic primitives like digital signatures (ECDSA), key exchange and agreement protocols (ECDH). Point multiplication serves as the basic building block in all ECC primitives and is the computationally most expensive operation.

The best known and most commonly used public-key cryptosystems are RSA [8] and Elliptic Curve Cryptography (ECC) [7], [6]. The main benefit of ECC is that it offers equivalent security as RSA for much smaller parameter sizes. These advantages result in smaller data-paths, less memory usage and lower power consumption. ECC is widely considered as the best candidate for embedded systems.

Integrating a Public Key Cryptosystem into embedded systems such as ASIC, FPGA and RFID-tag is a challenge due to the limitations in costs, area and power. On the other hand, security is required, in particular to prevent cloning or tracing. It was widely believed that devices with such constrained resources cannot carry out strong cryptographic operations such as Elliptic Curve Scalar Multiplication (ECSM). However, the feasibility of integrating PKCs into such devices has been recently proven by several implementations.

Standard formulas for adding two points, say P and Q, on a Weierstrass-form elliptic curve fail if P is at infinity, or if Q is at infinity, or if P+Q is at infinity. Binary Edwards curves provide a different equation to define an elliptic curve which no longer has points at infinity [1]. This feature is known as completeness.

The aim of this work is to present a study of the state of the art of the different methods to implement ECC in hardware, intended for the design of hardware cryptographic applications. We present a complete study of binary Edwards curves to make them suitable for programmable devices, and we give a hardware design of elliptic curve operations over binary fields $GF(2^m)$.

The paper is organized as follows. After a brief introduction, an overview of the use of elliptic curves in cryptographic applications is given in Section 2. The point multiplication method is explained in Section 3, and binary Edwards curves are presented in Section 4. The EC point multiplication processor is given in Section 5. Finally, conclusion and open problems are summarized in Section 6.

II. ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic curves, Fig. 1, defined over a finite field provide a group structure that is used to implement the cryptographic schemes. The elements of the group are the rational points on the elliptic curve, together with a special point $O$ (called the "point at infinity").

Fig. 1. Graphs of elliptic curves $y^2 = x^3 - 4x + 1$ (on the left) and $y^2 = x^3 - 5x + 5$ (on the right) over $\mathbb{R}$.

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011, http://sites.google.com/site/ijcsis/, ISSN 1947-5500

A major building block of all elliptic curve cryptosystems is the scalar point multiplication, an operation of the form $k.P$ where $k$ is a positive integer and $P$ is a point on the elliptic curve. Computing $k.P$ means adding the point $P$ exactly $k-1$ times to itself, which results in another point $Q$ on the elliptic curve. The inverse operation, i.e., to recover $k$ when the points $P$ and $Q = k.P$ are given, is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). To date, no subexponential-time algorithm is known to solve the ECDLP in a properly selected elliptic curve group. This makes Elliptic Curve Cryptography a promising branch of public key cryptography which offers similar security to other "traditional" DLP-based schemes in use today, with smaller key sizes and memory requirements, e.g., 160 bits instead of 1024 bits.

A. Elliptic Curves over $\mathbb{F}_{2^m}$

In this section, the group operations on elliptic curves over $\mathbb{F}_{2^m}$ are described. A non-supersingular elliptic curve $E$ over $\mathbb{F}_{2^m}$, $E(\mathbb{F}_{2^m})$, is the set of all solutions to the following equation [5]:

$$y^2 + xy = x^3 + a_2 x^2 + a_6 \qquad (1)$$

where $a_2, a_6 \in \mathbb{F}_{2^m}$, and $a_6 \neq 0$. Such an elliptic curve is a finite abelian group. The number of points in this group is denoted by $\#(E(\mathbb{F}_{2^m}))$.

1) Curve Addition: If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ are points on the elliptic curve [i.e., satisfy (1)] and $P \neq -Q$, then $(x_3, y_3) = R = P + Q$ can be defined geometrically, Fig. 2. In the case that $P \neq Q$ (i.e., point addition), a line intersecting the curve at points $P$ and $Q$ must also intersect the curve at a third point $-R = (x_3, -y_3)$.

2) Curve Doubling: If $P = Q$ (point doubling), the tangent line is used, Fig. 3.

Fig. 2. Group law of elliptic curve (Point Addition).

Fig. 3. Group law of elliptic curve (Point Doubling).

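For $E$ given in affine coordinates:

if $P \neq Q$:

$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda(x_1 + x_3) + x_3 + y_1, \qquad \text{where } \lambda = \frac{y_2 + y_1}{x_2 + x_1} \qquad (2)$$

if $P = Q$:

$$x_3 = \lambda^2 + \lambda + a, \qquad y_3 = x_1^2 + (\lambda + 1)x_3, \qquad \text{where } \lambda = x_1 + \frac{y_1}{x_1} \qquad (3)$$

III. ELLIPTIC CURVE POINT MULTIPLICATION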

There are different ways to implement point multiplication: binary, signed digit representation (NAF), Montgomery method, etc. A scalar multiplication is performed in three different stages, Fig. 4. At the top level, the method for computing the scalar multiplication must be selected; in the second level, the coordinates to represent elliptic points must be defined. From this representation, the Add operation is defined. Possible coordinates are: affine, projective, Jacobian and López-Dahab. The lower level, but the most important, involves the primitive field operations on which the curve is defined. Basic field operations are sum, multiplication, squaring and division.

Fig. 4. Different methods to compute scalar multiplication $k.P$

A. Binary Method

The simplest and most straightforward implementation is the binary method, as shown in Algorithm 1. The binary method scans every bit of the scalar $k$ and, depending on its value, 0 or 1, it performs an ECC-DOUBLE operation or both an ECC-DOUBLE and an ECC-ADD operation. Algorithm 1 scans every bit of $k$ from right to left.


For an elliptic curve defined on $\mathbb{F}_{2^m}$ using affine coordinates, the operations ECC-ADD and ECC-DOUBLE are performed according to equations (2) and (3) respectively. The operation ECC-ADD requires one inversion, two multiplications, one squaring and eight additions. The operation ECC-DOUBLE requires five additions, two squarings, two multiplications and one inversion, all of them operations on $\mathbb{F}_{2^m}$.

Algorithm 1 Binary method: right to left [5]

Input: $P(x, y)$, $x, y \in GF(2^m)$, $k = (k_{m-1}, k_{m-2}, \ldots, k_0)$
Output: $R = k.P$

    R ← 0
    S ← P
    for i ← 0, m−1 do
        if k_i = 1 then
            if R = 0 then
                R ← S
            else
                R ← R + S
            end if
        end if
        S ← 2S
    end for
    return R

B. Coordinate Systems

Table I summarizes the properties of the different coordinate systems: affine, projective, Jacobian, etc. It should be noted that in all cases the opposite of the point $(X : Y : Z)$ is written $(X : -Y : Z)$.

TABLE I
TABLE SUMMARIZING THE PROPERTIES OF THE VARIOUS PROJECTIVE COORDINATES SYSTEMS.

| Coordinates | $(x, y) =$ | Curve equation |
|---|---|---|
| $P$ | $(X/Z, Y/Z)$ | $Y^2 Z = X^3 + aXZ^2 + bZ^3$ |
| $J$ | $(X/Z^2, Y/Z^3)$ | $Y^2 = X^3 + aXZ^4 + bZ^6$ |
| $J^m$ | $(X/Z^2, Y/Z^3)$ | $Y^2 = X^3 + aXZ^4 + bZ^6$ |

The choice of the coordinate system is determined by the number of modular operations to carry out to calculate the doubling and the addition of points. Table II compares the cost of the doubling and the addition for each projective coordinate system.

TABLE II
COST OF THE DOUBLING AND THE ADDITION FOR EACH PROJECTIVE COORDINATES SYSTEMS.

| Coordinates | Cost of Double operation | Cost of Add operation |
|---|---|---|
| $A$ | $I + 4M$ | $I + 3M$ |
| $P$ | $12M$ | $14M$ |
| $J$ | $10M$ | $16M$ |
| $J^m$ | $8M$ | $19M$ |

IV. EDWARDS CURVES

A new form for elliptic curves was added to the mathematical literature with Edwards curves. Edwards showed in [3] that all elliptic curves over number fields can be transformed to $x^2 + y^2 = c^2(1 + x^2 y^2)$, with $(0, c)$ as the neutral element and with a simple and symmetric addition law:

$$(x_1, y_1), (x_2, y_2) \rightarrow \left( \frac{x_1 y_2 + y_1 x_2}{c(1 + x_1 x_2 y_1 y_2)}, \; \frac{y_1 y_2 + x_1 x_2}{c(1 - x_1 x_2 y_1 y_2)} \right) \qquad (4)$$

A. Binary Edwards Curves

This section contains complete addition formulas for binary elliptic curves, i.e., addition formulas that work for all input pairs, with no exceptional cases. First, the need for Edwards curves is explained, and then the theorems and formulas will be shown in order.

The points on a Weierstrass-form elliptic curve:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (5)$$

include not only the affine points $(x_1, y_1)$, but also an extra point at infinity serving as neutral element. The standard formulas for elliptic curves to compute a sum $P_1 + P_2$ fail if $P_1$, $P_2$, or $P_1 + P_2$ is at infinity, or if $P_1$ is equal to $P_2$. Each of these possibilities should be tested separately before generating any elliptic curve cryptosystem.

Definition 1: (Binary Edwards Curve) Let $k$ be a field with $\mathrm{char}(k) = 2$. Let $d_1, d_2$ be elements of $k$ with $d_1 \neq 0$ and $d_2 \neq d_1^2 + d_1$, then the binary Edwards curve with coefficients $d_1$ and $d_2$ is the affine curve:

$$E_{B,d_1,d_2}: \; d_1(x + y) + d_2(x^2 + y^2) = xy + xy(x + y) + x^2 y^2 \qquad (6)$$

This curve is symmetric in $x$ and $y$ and thus it has the property that if $(x_1, y_1)$ is a point on the curve then so is $(y_1, x_1)$. The point $(0, 0)$ will be the neutral element of the addition law, while $(1, 1)$ will have order 2.

B. Binary Edwards Curves Addition Law

The addition law on binary Edwards curves, $E_{B,d_1,d_2}$, is given as follows, and it is proven that the addition law corresponds to the elliptic curve in Weierstrass form similarly. It can be used for doubling with two identical inputs. The sum of two points $(x_1, y_1)$, $(x_2, y_2)$ on $E_{B,d_1,d_2}$ is the point $(x_3, y_3)$ defined as follows:

$$x_3 = \frac{d_1(x_1 + x_2) + d_2(x_1 + y_1)(x_2 + y_2) + (x_1 + x_1^2)(x_2(y_1 + y_2 + 1) + y_1 y_2)}{d_1 + (x_1 + x_1^2)(x_2 + y_2)} \qquad (7)$$

$$y_3 = \frac{d_1(y_1 + y_2) + d_2(x_1 + y_1)(x_2 + y_2) + (y_1 + y_1^2)(y_2(x_1 + x_2 + 1) + x_1 x_2)}{d_1 + (y_1 + y_1^2)(x_2 + y_2)} \qquad (8)$$

If the denominators $d_1 + (x_1 + x_1^2)(x_2 + y_2)$ and $d_1 + (y_1 + y_1^2)(x_2 + y_2)$ are non-zero then the sum $(x_3, y_3)$ is a point on $E_{B,d_1,d_2}$: i.e.,

$$d_1(x_3 + y_3) + d_2(x_3^2 + y_3^2) = x_3 y_3 + x_3 y_3 (x_3 + y_3) + x_3^2 y_3^2$$

Here, if the points are inserted like $(0, 0)$ into the addition law, it is shown that $(0, 0)$ is the neutral element. Similarly,
