Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
A Study of Elliptic Curves’s Implementations Suitable for Embedded Systems

A Study of Elliptic Curves’s Implementations Suitable for Embedded Systems

Ratings: (0)|Views: 23 |Likes:
Published by ijcsis
The Elliptic Curve Cryptography (ECC) covers all relevant asymmetric cryptographic primitives like digital signatures and key agreement algorithms. ECC is considered as the best candidate for Public-Key Cryptosystems. Recently, Elliptic Curve Cryptography based on Binary Edwards Curves (BEC) has been proposed and it shows several interesting properties, e.g., completeness and security against certain exceptional-points attacks. In this paper, we present a study of the different methods to implement ECC in hardware, we study the implementation of the BEC to make it suitable for programmable devices, and we given as application a hardware design of elliptic curve operations over binary Fields GF(2m). The function used for this purpose is the scalar multiplication kP which is the core operation of ECCs. Where k is an integer and P is a point on an elliptic curve.
The Elliptic Curve Cryptography (ECC) covers all relevant asymmetric cryptographic primitives like digital signatures and key agreement algorithms. ECC is considered as the best candidate for Public-Key Cryptosystems. Recently, Elliptic Curve Cryptography based on Binary Edwards Curves (BEC) has been proposed and it shows several interesting properties, e.g., completeness and security against certain exceptional-points attacks. In this paper, we present a study of the different methods to implement ECC in hardware, we study the implementation of the BEC to make it suitable for programmable devices, and we given as application a hardware design of elliptic curve operations over binary Fields GF(2m). The function used for this purpose is the scalar multiplication kP which is the core operation of ECCs. Where k is an integer and P is a point on an elliptic curve.

More info:

Published by: ijcsis on Feb 19, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/13/2014

pdf

text

original

 
A Study of Elliptic Curves’s ImplementationsSuitable for Embedded Systems
Moncef Amara
#1
and Amar Siad
#
#
 LAGA Laboratory, University of Paris 8 (Vincennes Saint-Denis)Saint-Denis / FRANCE.
1
amara_moncef@yahoo.fr
1
moncef.amara02@etud.univ-paris8.fr
 Abstract
—The Elliptic Curve Cryptography (ECC) covers allrelevant asymmetric cryptographic primitives like digital signa-tures and key agreement algorithms. ECC is considered as thebest candidate for Public-Key Cryptosystems. Recently, EllipticCurve Cryptography based on Binary Edwards Curves (BEC)has been proposed and it shows several interesting properties,e.g., completeness and security against certain exceptional-pointsattacks. In this paper, we present a study of the different methodsto implement ECC in hardware, we study the implementation of the BEC to make it suitable for programmable devices, and wegiven as application a hardware design of elliptic curve operationsover binary Fields
GF 
(2
m
)
. The function used for this purposeis the scalar multiplication
kP 
which is the core operation of ECCs. Where
k
is an integer and
is a point on an ellipticcurve.
 Index Terms
—Cryptography, Elliptic curves, Binary Edwardscurve, Scalar multiplication, Binary arithmetic, Cryptosystems,Programmable devices, FPGA.
I. I
NTRODUCTION
Elliptic Curve Cryptography (ECC) is a relatively newcryptosystem, suggested independently, from the second half oh 19th century, by Neals Koblitz [6] and Victor Miller [7]. Atpresent, ECC has been commercially accepted, and has alsobeen adopted by many standardizing bodies such as ANSI,IEEE, ISO and NIST [2]. Since then, it has been the focusof a lot of attention and gained great popularity due to thesame level of security they provide with much smaller keysizes than conventional public key cryptosystems have.The ECC covers all relevant asymmetric cryptographicprimitives like digital signatures (ECDSA), key exchange andagreement protocols (ECDH). Point multiplication serves asthe basic building block in all ECC primitives and is thecomputationally most expensive operation.The best known and most commonly used public-key cryp-tosystems are RSA [8] and Elliptic Curve Cryptography (ECC)[7], [6]. The main benefit of ECC is that it offers equivalentsecurity as RSA for much smaller parameter sizes. Theseadvantages result in smaller data-paths, less memory usageand lower power consumption. ECC is widely considered asthe best candidate for embedded systems.Integrating a Public Key Cryptosystem into a embeddedsystems such as ASIC, FPGA and RFID-tag is a challenge dueto the limitations in costs, area and power. On the other hand,security is required, in particular to prevent cloning or tracing.It was widely believed that devices with such constrained re-sources cannot carry out strong cryptographic operations suchas Elliptic Curve Scalar Multiplication (ECSM). However, thefeasibility of integrating PKCs into such devices have beenrecently proven by several implementations.Standard formulas for adding two points, say P and Q, on aWeierstrass-form elliptic curves fail if P is at infinity, or if Qis at infinity, or if P+Q is at infinity. Binary Edwards curvesprovides a different equation to define an Elliptic Curve whichno longer has points at infinity [1]. This feature is known ascompleteness.The aim of this work is to present a study of state of theart of the different methods to implement ECC in hardware,intended to the conception of the hardware cryptographicapplications. We present a complete study of binary Edwardscurves to make it suitable for programmable devices, andwe given a hardware design of elliptic curve operations overbinary Fields
GF 
(2
m
)
.The paper is organized as follows. After a brief introduction,an overview of the use of elliptic curve in cryptography appli-cation is given in section 2. The point multiplication methodis explained in Section 3, and binary Edwards curves arepresented in Section 4. The EC Point multiplication processorgiven in Section 5. Finally, conclusion and open problems aresummarized in Section 6.II. E
LLIPTIC
C
URVE
C
RYPTOGRAPHY
Elliptic Curves, Fig.1, defined over a finite-field provide agroup structure that is used to implement the cryptographicschemes. The elements of the group are the rational points onthe elliptic curve, together with a special point
O
(called the
point at infinity
).
Fig. 1. Graphs of elliptic curves
y
2
=
x
3
4
x
+ 1
(on the left) and
y
2
=
x
3
5
x
+ 5
(on the right) over
R
.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 11, November 20111http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
A major building block of all elliptic curve cryptosystemsis the scalar point multiplication, an operation of the form
k.P 
where
k
is a positive integer and
is a point on theelliptic curve. Computing
k.P 
means adding the point
exactly
k
1
times to itself, which results in another point
Q
on the elliptic curve. The inverse operation, i.e., to recover
k
when the points
and
Q
=
k.P 
are given, is knownas the
Elliptic Curve Discrete Logarithm Problem
(ECDLP).To date, no subexponential-time algorithm is known to solvethe ECDLP in a properly selected elliptic curve group. Thismakes Elliptic Curve Cryptography a promising branch of public key cryptography which offers similar security to other"traditional" DLP-based schemes in use today, with smallerkey sizes and memory requirements, e.g., 160 bits instead of 1024 bits
 A. Elliptic Curves over 
F
2
m
In this section, a group operations on elliptic curves over
F
2
m
is described. A non-supersingular elliptic curve
over
F
2
m
,
(
F
2
m
)
is the set of all solutions to the followingequation [5]:
y
2
+
xy
=
x
3
+
a
2
x
2
+
a
6
(1)where
a
2
,a
6
F
2
m
, and
a
6
= 0
. Such an elliptic curve is afinite abelian group. The number of points in this group isdenoted by
#(
(
F
2
m
))
.
1)
Curve Addition
:
If 
= (
x
1
,y
1
)
and
Q
= (
x
2
,y
2
)
arepoints on the elliptic curve [i.e., satisfy (1)] and
=
Q
,then
(
x
3
,y
3
) =
R
=
+
Q
can be defined geometrically,Fig.2.In the case that
=
Q
(i.e., point addition), a lineintersecting the curve at points
and
Q
and must alsointersect the curve at a third point
R
= (
x
3
,
y
3
)
.
2)
Curve Doubling
:
If 
=
Q
(point doubling), the tangentline is used, Fig.3.
Fig. 2. Group law of elliptic curve (Point Addition).Fig. 3. Group law of elliptic curve (Point Doubling).
For
given in affine coordinates:if 
=
Q
:
x
3
=
λ
2
+
λ
+
x
1
+
x
2
+
ay
3
=
λ
(
x
1
+
x
3
) +
x
3
+
y
1
λ
=
(
y
2
+
y
1
)(
x
2
+
x
1
)
(2)if 
=
Q
:
x
3
=
λ
2
+
λ
+
ay
3
=
x
21
+ (
λ
+ 1)
x
3
λ
=
x
1
+
y
1
x
1
(3)III. E
LLIPTIC
C
URVE
P
OINT
M
ULTIPLICATION
There are different ways to implement point multiplica-tion: binary, signed digit representation (NAF), Montgomerymethod,
...
, etc. A scalar multiplication is performed in threedifferent stages, Fig.4. At the top level, the method forcomputing the scalar multiplication must be selected, in thesecond level, the coordinates to represent elliptic points mustbe defined. From this representation, the Add operation isdefined. Possible coordinates are : affine, projective, Jacobeansand L’opez-Dahab. The lower level, but the most important,involves the primitive field operations on which the curveis defined. Basic field operations are sum, multiplication,squaring and division.
Fig. 4. Different method to compute scalar multiplication
k.P 
 A. Binary Method 
The most simplest and straightforward implementation isthe binary method, as shown in Algorithm.1. The binarymethod scans every bit of scalar
k
and, depending on itsvalue, 0 or 1, it performs an ECC-DOUBLE operation or botha ECC-DOUBLE and an ECC-ADD operation. Algorithm.1,scans every bit of 
k
from right to left.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 11, November 20112http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
For an elliptic curve defined on
F
2
m
using affine coor-dinates, the operations ECC-ADD and ECC-DOUBLE areperformed according to equations (2) and (3) respectively.The operation ECC-ADD requires one inversion, two mul-tiplications, one squaring and eight additions. The operationECC-DOUBLE requires five additions, two squaring, twomultiplications and one inversion, all of them, operations on
F
2
m
.
Algorithm 1
Binary method: right to left 
[5]
Input:
(
x,y
)
,x,y
GF 
(2
m
)
,k
= (
k
m
1
,k
m
2
,...,k
0
)
Output:
R
=
k.P 
1:
R
0
2:
3:
for
i
0
,m
1
do
4:
if 
k
i
= 1
then
5:
if 
R
= 0
then
6:
R
7:
else
8:
R
R
+
9:
end if 
10:
end if 
11:
2
12:
end for
13:
return
R
 B. Coordinates Systems
Table.I, summarizes the properties of the different coordi-nates systems; affine, projective, Jacobeans,
...
, etc. It shouldbe noted that in all the cases the opposite of the point
(
:
:
)
is written
(
:
:
)
.
TABLE IT
ABLE
S
UMMARIZING THE
P
ROPERTIES OF THE
V
ARIOUS
P
ROJECTIVE
C
OORDINATES
S
YSTEMS
.Coordinates
(
x,y
) =
Curve equation
(
X/Z,Y/Z 
)
2
=
X
3
+
aXZ 
2
+
bZ 
3
(
X/Z 
2
,Y/Z 
3
)
2
=
X
3
+
aXZ 
4
+
bZ 
6
m
(
X/Z 
2
,Y/Z 
3
)
2
=
X
3
+
aXZ 
4
+
bZ 
6
The choice of the coordinate system is determined by thenumber of modular operations to carry out to calculate thedoubling and the addition of points. Table.II, compares the costof the doubling and the addition for each projective coordinate.
TABLE IIC
OST OF THE
D
OUBLING AND THE
A
DDITION FOR
E
ACH
P
ROJECTIVE
C
OORDINATES
S
YSTEMS
.Coordinates Cost of Double operation Cost of Add operation
A
+ 4
M
+ 3
12
14M
10
16
m
8M
19
IV. E
DWARDS
C
URVES
A new form for elliptic curves was added to the mathemat-ical literature with Edwards curves. Edwards showed in [3]that all elliptic curves over number fields can be transformedto
x
2
+
y
2
=
c
2
(1 +
x
2
y
2
)
, with
(0
,c
)
as the neutral elementand with a simple and a symmetric addition law:
(
x
1
,y
1
)
,
(
x
2
,y
2
)
(
x
1
y
2
+
y
1
x
2
c
(1 +
x
1
x
2
y
1
y
2
)
y
1
y
2
+
x
1
x
2
c
(1
x
1
x
2
y
1
y
2
))
(4)
 A. Binary Edwards Curves
This section contains complete addition formulas for binaryelliptic curves, i.e., addition formulas that work for all inputpairs, with no exceptional cases. First, the need for Edwardscurves is explained, and then the theorems and formulas willbe shown in order.The points on a Weierstrass-form elliptic curve:
y
2
+
a
1
xy
+
a
3
y
=
x
3
+
a
2
x
2
+
a
4
x
+
a
6
(5)include not only the affine point
(
x
1
,y
1
)
, but also an extrapoint at infinity serving as neutral element. The standardformulas for elliptic curve to compute a sum
1
+
2
failif 
1
,
2
, or
1
+
2
is at infinity, or if 
1
is equal to
2
.Each of these possibilities should be tested separately beforegenerating any elliptic curve cryptosystem.
 Definition 1:
(Binary Edwards Curve) Let
k
be a field with
char
(
k
) = 2
. Let
d
1
,d
2
be elements of 
k
with
d
1
= 0
and
d
2
=
d
21
+
d
1
, then the binary Edwards curve with coefficients
d
1
and
d
2
is the affine curve:
B,d
1
,d
2
=
d
1
(
x
+
y
)+
d
2
(
x
2
+
y
2
) =
xy
+
xy
(
x
+
y
)+
x
2
y
2
(6)This curve is symmetric in
x
and
y
and thus it has the propertythat if 
(
x
1
,y
1
)
is a point on the curve then so is
(
y
1
,x
1
)
. Thepoint
(0
,
0)
will be the neutral element of the addition law,while
(1
,
1)
will have order 2.
 B. Binary Edwards Curves Addition Law
Binary Edwards curves,
B,d
1
,d
2
, addition law is given asin follows, and it is proven that the addition law corresponds tothe elliptic curve in Weierstrass form similarly. It can be usedfor doubling with two identical inputs. The sum of two points
(
x
1
,y
1
)
,
(
x
2
,y
2
)
on
B,d
1
,d
2
is the point
(
x
3
,y
3
)
defined asfollows:
x
3
=
d
1
(
x
1
+
x
2
)+
d
2
(
x
1
+
y
1
)(
x
2
+
y
2
)+(
x
1
+
x
21
)(
x
2
(
y
1
+
y
2
+1)+
y
1
y
2
)
d
1
+(
x
1
+
x
21
)(
x
2
+
y
2
)
(7)
y
3
=
d
1
(
y
1
+
y
2
)+
d
2
(
x
1
+
y
1
)(
x
2
+
y
2
)+(
y
1
+
y
21
)(
y
2
(
x
1
+
x
2
+1)+
x
1
x
2
)
d
1
+(
y
1
+
y
21
)(
x
2
+
y
2
)
(8)If the denominators:
d
1
+ (
x
1
+
x
21
)(
x
2
+
y
2
)
and
d
1
+ (
y
1
+
y
21
)(
x
2
+
y
2
)
are non-zero then the sum
(
x
3
,y
3
)
is a point on
B,d
1
,d
2
: i.e.,
d
1
(
x
3
+
y
3
)+
d
2
(
x
23
+
y
23
) =
x
3
.y
3
+
x
3
.y
3
(
x
3
+
y
3
)+
x
23
.y
23
Here, if the points are inserted like
(0
,
0)
into the additionlaw, it is shown that
(0
,
0)
is the neutral element. Similarly,
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 11, November 20113http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->