Conference Paper

Fast Multiplication on Elliptic Curves Over GF (2m) without precomputation


Abstract

This paper describes an algorithm for computing elliptic scalar multiplications on non-supersingular elliptic curves defined over GF(2^m). The algorithm is an optimized version of a method described in [1], which is based on Montgomery's method [8]. Our algorithm is easy to implement in both hardware and software, works for any elliptic curve over GF(2^m), requires no precomputed multiples of a point, and is faster on average than the addition-subtraction method described in draft standard IEEE P1363. In addition, the method requires less memory than projective schemes and the amount of computation needed for a scalar multiplication is fixed for all multipliers of the same binary length. Therefore, the improved method possesses many desirable features for implementing elliptic curves in restricted environments.
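As an added illustration of the algorithm the abstract describes (example code written for this page, not the authors' implementation), the following Python runs the x-only projective Montgomery ladder on a toy curve over GF(2^8) and checks it against ordinary affine double-and-add. The field degree, reduction polynomial, curve constants and the brute-force point search are constructed assumptions chosen so the whole check runs offline in well under a second; the single field inversion at the end uses the Itoh-Tsujii method with the plain binary addition chain. The loop performs the same 6 field multiplications for every scalar bit regardless of its value, needs no precomputed multiples, carries only (X, Z) pairs, and recovers y(kP) with one inversion, which is what the abstract claims for restricted environments.

```python
# Added example, not code from the paper: López-Dahab's x-only projective Montgomery ladder
# over GF(2^m), checked against affine double-and-add. m = 8 and the curve constants are toy values.
M = 8                 # field degree; tiny so the brute-force checks stay cheap
POLY = 0x11B          # reduction polynomial t^8 + t^4 + t^3 + t + 1 (irreducible)
A, B = 1, 0x5D        # curve y^2 + xy = x^3 + A*x^2 + B over GF(2^M), B != 0 (constructed)

def f_mul(u, v):
    """Shift-and-add polynomial multiplication modulo POLY."""
    r = 0
    while v:
        if v & 1: r ^= u
        v, u = v >> 1, u << 1
        if u >> M: u ^= POLY
    return r

def f_sqr(u): return f_mul(u, u)

def f_inv(u):
    """Itoh-Tsujii inversion u^-1 = (u^(2^(M-1)-1))^2, chain taken from the bits of M-1."""
    assert u != 0
    k, r = 1, u                                  # invariant: r = u^(2^k - 1)
    for bit in bin(M - 1)[3:]:
        t = r
        for _ in range(k): t = f_sqr(t)
        r, k = f_mul(t, r), 2 * k                # k -> 2k
        if bit == "1": r, k = f_mul(f_sqr(r), u), k + 1   # k -> k + 1
    return f_sqr(r)

def aff_add(P, Q):   # reference affine group law; None is the point at infinity O
    if P is None or Q is None: return Q if P is None else P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0: return None      # Q = -P, or doubling the 2-torsion point
        lam = x1 ^ f_mul(y1, f_inv(x1))
        x3 = f_sqr(lam) ^ lam ^ A
        return (x3, f_sqr(x1) ^ f_mul(lam ^ 1, x3))
    lam = f_mul(y1 ^ y2, f_inv(x1 ^ x2))
    x3 = f_sqr(lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, f_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def aff_mul(k, P):   # left-to-right double-and-add, the reference for kP
    R = None
    for bit in bin(k)[2:]:
        R = aff_add(R, R)
        if bit == "1": R = aff_add(R, P)
    return R

def m_dbl(X, Z):
    """x(2P) = x^2 + b/x^2, i.e. (X^4 + b*Z^4 : X^2*Z^2); 2 multiplications."""
    X2, Z2 = f_sqr(X), f_sqr(Z)
    return f_sqr(X2) ^ f_mul(B, f_sqr(Z2)), f_mul(X2, Z2)

def m_add(X1, Z1, X2, Z2, x):
    """x(P1+P2) = x + x1*x2/(x1+x2)^2 with x = x(P1-P2); 4 multiplications, no y needed."""
    T1, T2 = f_mul(X1, Z2), f_mul(X2, Z1)
    Z3 = f_sqr(T1 ^ T2)
    return f_mul(x, Z3) ^ f_mul(T1, T2), Z3

def ld_ladder(k, P):
    """kP with 6 field multiplications per scalar bit and one inversion at the end."""
    if P is None or k == 0: return None
    x, y = P
    if x == 0: return P if k & 1 else None       # P is the point of order 2
    X1, Z1 = x, 1                                # P1 = P
    X2, Z2 = f_sqr(f_sqr(x)) ^ B, f_sqr(x)       # P2 = 2P; invariant P2 - P1 = P
    for i in range(k.bit_length() - 2, -1, -1):  # the top bit is consumed by the init
        if (k >> i) & 1:
            X1, Z1 = m_add(X1, Z1, X2, Z2, x)
            X2, Z2 = m_dbl(X2, Z2)
        else:
            X2, Z2 = m_add(X2, Z2, X1, Z1, x)
            X1, Z1 = m_dbl(X1, Z1)
    if Z1 == 0: return None                      # kP = O
    if Z2 == 0: return (x, x ^ y)                # (k+1)P = O, hence kP = -P
    inv = f_inv(f_mul(x, f_mul(Z1, Z2)))         # the only inversion: (x*Z1*Z2)^-1
    x1 = f_mul(X1, f_mul(inv, f_mul(x, Z2)))     # X1/Z1
    t = f_mul(X1 ^ f_mul(x, Z1), X2 ^ f_mul(x, Z2)) ^ f_mul(f_sqr(x) ^ y, f_mul(Z1, Z2))
    return (x1, f_mul(f_mul(x ^ x1, t), inv) ^ y)   # y(kP) from x(P), y(P), x(kP), x((k+1)P)

def order_of(P):
    n, Q = 1, P
    while Q is not None:
        Q, n = aff_add(Q, P), n + 1
    return n

def find_point(min_order=12):   # brute-force a point with x != 0 and non-trivial order
    for x in range(1, 1 << M):
        rhs = f_mul(f_sqr(x), x ^ A) ^ B         # x^3 + A*x^2 + B
        for y in range(1 << M):
            if f_sqr(y) ^ f_mul(x, y) == rhs and order_of((x, y)) >= min_order:
                return (x, y)

def ladder_matches_reference(P):
    """True iff the ladder agrees with double-and-add for every k up to order + 1."""
    return all(ld_ladder(k, P) == aff_mul(k, P) for k in range(1, order_of(P) + 2))

if __name__ == "__main__":
    P = find_point()
    print("P =", P, "order =", order_of(P), "ladder ok:", ladder_matches_reference(P))
```

Running the file prints the base point found, its order and the cross-check result. `ladder_matches_reference` deliberately runs k past the point order, so the two terminal cases kP = O (Z1 = 0) and (k+1)P = O (Z2 = 0) are exercised, and intermediate ladder states that pass through O or through the 2-torsion point are handled by the same formulas without special casing. The regularity that makes the ladder attractive against simple power analysis is visible in `ld_ladder`: both branches call `m_add` and then `m_dbl`, and only the operands differ, which is why the citing works below target operand and address selection rather than the operation sequence.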


... For Tate pairing, it is necessary to pay attention to the field characteristic of 2, 3 and make sure the order of the group E(F_p) is appropriate, so choose the prime number n as the largest prime divisor of the group order E(F_p). In Miller's algorithm, integer n is calculated by Schoof's algorithm and using the point multiplication algorithm kP [1,4,16,25,26,27]. ...
... pairing [3,7]. In addition, the Weil pairing is also calculated according to the formula algorithm and using the point multiplication algorithm kP [1,4,16,25,26,27]. ...
... For Tate pairing, it is necessary to pay attention to the field characteristic of 2, 3 and make sure the order of the group ( ) is appropriate, so choose the prime number n as the largest prime divisor of the group order ( ). In Miller's algorithm, integer n is calculated by Schoof's algorithm and using the point multiplication algorithm kP [1,4,16,25,26,27]. According to Algorithm 1, calculating the Tate pairing ⟨ , ⟩ (with ∈ ( ), ∈ ( )) in security applications, the line coefficients n_i belong to the subfield of , and the finite field is used to calculate the value of f_1 with a large field length. At that time, an attacker who wants to attack the Miller algorithm must solve the problem "the point P to be found belongs to ( ) when knowing the public point Q belongs to ( ), then finding the point P is more complicated" [2,23]. ...
Article
One option for a digital signature solution for devices with low memory and low bandwidth transmission over channels uses a short digital signature scheme based on Weil bilinear pairing aimed at short processing times, fast computation, and convenient deployment on applications. The computational technique of non-degenerate bilinear pairings uses supersingular elliptic curves over a finite field F_{p^l} (where p is a sufficiently large prime number) and has the advantage of being able to avoid Weil-descent, Menezes-Okamoto-Vanstone (MOV) attacks, and attacks by the Number Field Sieve algorithm. Compared to Elliptic Curve Digital Signature Algorithm (ECDSA) digital signature schemes, generating a digital signature for a Boneh-Lynn-Shacham (BLS) scheme using Weil bilinear pairing on a supersingular elliptic curve is simple. In this study, the authors replace non-degenerate bilinear pairing calculations on a supersingular elliptic curve with a Weil pairing with P ∈ E(F_p), Q ∈ E(F_{p^l}) and a higher security multiplier α = 12 in the BLS short digital signature scheme. The execution time of the BLS short digital signature program showed improvement compared to the commercial ECDSA digital signature scheme.
... In our implementation the inputs x, y and k are up to 233 bit long binary numbers that represent elements of GF(2^233) with the irreducible polynomial f(t) = t^233 + t^74 + 1. The hardware accelerator processes the scalar k bitwise according to the Montgomery kP algorithm using Lopez-Dahab projective coordinates [11]. Our implementation is based on Algorithm 2 presented in [10]. ...
... Detailed information about the success rate of the performed attack is given in TABLE I. The key candidates with the highest correctness were obtained using harmonics 11, 14, 19, 20 and 21 for the power trace. Fig. 4 shows the correctness of the key candidates obtained for the aforementioned harmonics in different clock cycles. ...
... for harmonics 11, 14, 19, 20 and 21 for the power trace only: Then we applied the remaining steps described in the previous section, i.e. we calculated i = 54 mean values A_i for the new ...
... In the next subsections, we will present a security analysis and look at computational costs of the following countermeasures: Unified Formula of Brier-Joye in [19] and Brier et al. [21], Montgomery ladder over prime fields [19,54,81,104] and fields of characteristic two [98], Joye's double-add, add-only [85], zeroless signed-digit expansion (ZSD) in [65], Atomic Blocks [1,26,28,61,97]. ...
... This is due to a more efficient formula for point addition in Montgomery curves. This was later generalized to all EC [19,65,98] and right-to-left scalar multiplication (Joye's double-add) [87]. The computational cost is 9M + 2S for the addition algorithm and 6M + 3S for the doubling algorithm. ...
... Notice that during the computation of [k]P, the ML algorithm allows the use of the x coordinate only [19,54,81,98]. The computational cost is: a) ML of Brier-Joye [19] is [65] is n(8M + 6S) + 1I + 1M. ...
Article
This paper presents an analysis on the state of the art of several proposals for algorithmic countermeasures to prevent passive side-channel attacks (SCA) on elliptic curve cryptography (ECC) defined over prime fields. One of the main applications of ECC is in the field of Internet of Things, where the interconnection of devices requires public-key technology with small key sizes and high security levels. Since the secure implementation of ECC on embedded devices involves many challenges for security and efficiency, this work evaluates the trade-offs between security and performance of side-channel attack countermeasures for scalar multiplication algorithms without precomputation. The main contribution is to present a panorama of explicit solutions that may be used for the implementation of ECC mechanisms suitable for embedded devices. In addition to the security problems, some countermeasures are also analyzed.
... The affine point (x, y), when z ≠ 0, corresponding to the projective point (x, y, z) in the Weierstrass equation is obtained by replacing x with X where b ≠ 0 is the curve constant. Let P be the point on the elliptic curve, then the doubling point (2P) [28] is given by Eq. 7 and similarly point addition can be computed as the fraction x_3/z_3 given by Eq. 8 ...
... The general Lopez-Dahab Montgomery SM algorithm over GF(2^m) is given by Algorithm (1). It consists of 3 major steps:
• Initialization (affine to projective coordinate conversion)
• SM done with point addition and point doubling
• Reconversion of projective to affine coordinates
Algorithm 1 shows the projective-coordinate variant of the Montgomery scalar multiplication system suggested previously by Lopez and Dahab [28] for non-supersingular elliptic curves over GF(2^m). This algorithm comprises three steps: initialization, main loop and finally reconversion. ...
Article
The elliptic curve cryptosystem is a public-key cryptosystem that has received more focus in recent years due to its higher security with smaller key size when compared to RSA. Smartcards and other applications have highlighted the importance of security in resource-constrained situations. To meet the increasing need for speed in today's applications, hardware acceleration of cryptographic algorithms is required. In this paper, we present a novel parallel architecture for elliptic curve scalar multiplication based on a modified Lopez-Dahab-Montgomery (LDM) algorithm, to reduce the total time delay for computing scalar multiplication. It comprises three main steps: affine to projective conversion, point addition and doubling in the main loop followed by reconversion to affine coordinates. The modified parallel algorithm with new inversion in the reconversion yields fewer clock cycles and lower total time delay compared to existing techniques in the literature for the National Institute of Standards and Technology recommended trinomial GF(2^233). Our proposed architecture implemented on Virtex4 and Virtex7 FPGA technologies, respectively, achieved a lower clock cycle count of 956, which yields lower delays of 20.025 and 8.22 μs. Compared with the state of the art of existing techniques, two multiplications are reduced in the reconstruction process and our processor yields 18.29% and 27.21% increase in area-time performance in Virtex 4 and Virtex 7 devices, respectively.
... The Montgomery ladder is a well-known algorithm for calculating kP [3]. The algorithm is a bitwise processing of the secret scalar k (further denoted here as the key) from its most significant bit (MSB) to its least significant bit (LSB), i.e. from left to right, see Algorithm 1. ...
... The first open source design is an implementation of the Montgomery ladder based on [3], see for example Algorithm 1. The second open source design implements a random order execution according to the algorithm proposed in [7], here given as Algorithm 2. Please note that the scalar k is denoted as m in Algorithm 2 and in [7], and the length of the scalar m is denoted as t. ...
Preprint
In this paper we report on the results of selected horizontal SCA attacks against two open-source designs that implement hardware accelerators for elliptic curve cryptography. Both designs use the complete addition formula to make the point addition and point doubling operations indistinguishable. One of the designs uses in addition means to randomize the operation sequence as a countermeasure. We used the comparison to the mean and an automated SPA to attack both designs. Despite all these countermeasures, we were able to extract the keys processed with a correctness of 100%.
... In this section, the performance of the proposed lightweight ECC protocol is analyzed and a comparative analysis is carried out with a few other existing ECC based protocols like Liao and Hsiao [38], He et al. [40] and Lee et al. [50] in terms of parameters, that is, computational cost, communication cost, and storage requirements (Table 2) [56,57]. As the hash function time of both Server and Tag is very small, we can neglect it. Figure 14 gives the graphical representation of the running time of operators for GF(2^m) in microseconds using LiDIA [56]. If "T" is the running time required for multiplication in the Tag, then it is clear that the approximate running time required for the square operation is "T/5" as mentioned in Table 2, that is, for multiplication it is 10.5, and for squaring the running time is 2.3, which is approximately one-fifth of multiplication. ...
... (Table 2) [56,57]. As the hash function time of both Server and Tag is very small, we can neglect it. Figure 14 gives the graphical representation of the running time of operators for GF(2^m) in microseconds using LiDIA [56]. If "T" is the running time required for multiplication in the Tag, then it is clear that the approximate running time required for the square operation is "T/5" as mentioned in Table 2, that is, for multiplication it is 10.5, and for squaring the running time is 2.3, which is approximately one-fifth of multiplication. Similarly, the approximate running time required for addition is T/20, the approximate running time for subtraction is T/20 and the approximate running time required for inversion is 9T. ...
Article
Radio-frequency identification (RFID) technology has proliferated over the last few years and being deployed as identification technology in numerous domains like intelligent transportation systems (ITS) and Internet of Vehicles (IoV) for applications like road safety, efficient traffic management, automatic toll collection, intelligent parking, etc. As RFID devices, as well as the possible domains of ITS and IoV onto which the RFID technology can be deployed, are usually resource-constrained, thus, security and privacy become a major concern. So, public-key cryptography becomes the better choice for enhancing the security of RFID based systems. Elliptic curve cryptography (ECC) is one of the dominant and secure asymmetric-key cryptosystems being used for RFID security due to its smaller key size. Numerous RFID authentication schemes based on ECC have been suggested in literature, however, the majority has various serious security weaknesses. To bridge those existing security weaknesses, an enhanced ECC based light weight protocol for RFID systems has been proposed in this article. An extensive security analysis has been performed to demonstrate various secure features offered by our proposed protocol, and formal security analysis is being conducted using Automated Validation of Internet Security Protocols and Applications tool. The performance of our proposed RFID protocol has been compared with various existing RFID based security solutions on the basis of parameters, that is, computational cost, communication cost, and storage requirement. Simulation results indicate that the proposed lightweight protocol is more secure and performance efficient than the existing RFID protocols, and is well suited for practical applications.
... The kP operation is the most time and energy consuming operation in ECC protocols. The Montgomery kP algorithm (the Montgomery ladder) using Lopez-Dahab projective coordinates [8] is the algorithm most often used in hardware implementations for accelerating cryptographic operations for EC over extended binary fields GF(2^n) due to its fast execution time. It requires only 6 field multiplications for processing of a key bit, whereby all other operations (field additions and squaring operations as well as register operations) can be implemented in parallel to field multiplications. ...
... For our implementation we selected kP algorithms that are fast and in the literature mentioned as resistant against simple SCA, due to the regularity and atomicity principles of the algorithms. That is the Montgomery ladder using projective Lopez-Dahab coordinates [8] for ECs over GF(2^n) and the atomic patterns algorithm using mixed Jacobian-affine coordinates [5] for ECs over GF(p). The vulnerability of the Montgomery ladder to the horizontal address bit DPA is known [12]. ...
... In ECC-based cryptosystems, the major computation is Elliptic Curve Scalar Multiplication (ECSM). The most attractive ECSM algorithm is the Montgomery Ladder Algorithm [1,2], which has the capability to resist some bypass attacks such as the sign change attack [3] and simple power attack (SPA) [4]. Faults caused by natural or artificial reasons may result in data corruption and even security leakage of the cryptosystem. ...
... With the trait that the difference between Q_1 and Q_2 is always P, it is possible to have error detection using a coherency check [21] among the involved variables. Additionally, considering the fact that the addition of two points on an elliptic curve can be obtained without y-coordinates when knowing the difference between them, the x-coordinate of the sum Q_1 + Q_2 can be computed using only the x-coordinates of Q_1, Q_2 and their difference P. López and Dahab [2] used projective coordinates to reduce the number of divisions for applications where the multiplicative inverse is relatively expensive. The affine coordinates of a point P = (x, y) are transformed to projective coordinates P = (X, Y, Z) with x = X/Z when only the x-coordinate is used. ...
Article
In this paper, an efficient hardware architecture of scalar multiplication is proposed for elliptic curve cryptography. To reduce circuit area, we propose an elliptic curve operation unit architecture for the Montgomery Ladder Algorithm in projective coordinates. The basic modular arithmetic circuit in the elliptic curve group operation module is reused to realize coordinate transformation and the y-coordinate recovery operation. Considering concurrent error detection and fault tolerance, we improve the existing error detection scheme by reusing intermediate results and predicting faults. The simulation and DC synthesis results show that the scalar multiplication circuit designed according to the proposed architecture reduces the time cost of fault detection in a single iteration to 1 clock cycle at 100% fault detection rate, and the efficiency is improved by 96% over the existing literature.
... For other point additions, i.e. P ± Q related computations we have used López-Dahab projective coordinates in this implementation [12]. These point additions require 13 field multiplications and 4 field squarings. ...
Preprint
Koblitz curves are a special set of elliptic curves and have improved performance in computing scalar multiplication in elliptic curve cryptography due to the Frobenius endomorphism. The double-base number system approach for Frobenius expansion has improved the performance in single scalar multiplication. In this paper, we present a new algorithm to generate a sparse and joint τ-adic representation for a pair of scalars and its application in double scalar multiplication. The new algorithm is inspired by the double-base number system. We achieve 12% improvement in speed against the state-of-the-art τ-adic joint sparse form.
... In 1987, Montgomery introduced a point multiplication algorithm over binary extension fields [12], which only requires processing the X coordinate during point multiplication, thus reducing space requirements. In 1999, literature [13] extended the Montgomery point multiplication algorithm to the LD coordinate representation, reducing the need for inversion operations in binary fields. In 2010, Ref. [14] used a bottom-up approach to optimize the ECC point multiplication algorithm, employing Jacobian coordinates, extended Twisted Edwards coordinates, and the Galbraith-Lin-Scott (GLS) method, achieving about a 30% improvement in computational speed. ...
Article
The SM2 public key cryptographic algorithm is widely utilized for secure communication and data protection due to its strong security and compact key size. However, the intensive large integer operations it requires pose significant computational challenges, which can limit the performance of Internet of Things (IoT) terminal devices. This paper introduces an optimized implementation of the SM2 algorithm specifically designed for IoT contexts. By segmenting large integers as polynomials within a modified Montgomery modular multiplication algorithm, the proposed method enables parallel modular multiplication and reduction, thus addressing storage constraints and reducing computational redundancy. For scalar multiplication, a Co-Z Montgomery ladder algorithm is employed alongside Single Instruction Multiple Data (SIMD) instructions to enhance parallelism, significantly improving efficiency. Experimental results demonstrate that the proposed scheme reduces the computation time for the SM2 algorithm’s digital signature by approximately 20% and enhances data encryption and decryption efficiency by about 15% over existing methods, marking a substantial performance gain for IoT applications.
... We have developed a hardware accelerator specifically designed to enhance the performance of the scalar multiplication operation on binary extended elliptic curves, denoted as kP. It is an implementation of the Montgomery algorithm using projective Lopez-Dahab coordinates with bitwise processing of the scalar k [23]. In more detail, the investigated design implements the modification of the kP algorithm corresponding to Algorithm A2 in [24]. ...
... Our design is a hardware accelerator for elliptic curve scalar multiplication (kP), utilizing the Montgomery algorithm with projective Lopez-Dahab coordinates [8] and bitwise processing of the scalar k. Specifically, it implements Algorithm A2 from [9]. ...
... Therefore, we refer to the scalar k as the key in this context. The Montgomery kP algorithm using Lopez-Dahab projective coordinates [11] is a well-known and efficient algorithm for the kP operation on ECs over GF(2^n). The used implementation is based on Algorithm 2 from [12]. ...
... In future work, speeding up the extraction of the point on an elliptic curve over the Galois field will help the communicating parties speed up the authentication processes. Additionally, as mentioned in the previous analysis, ECC is a good option among the various cryptosystems over the Galois field, as recommended in [20,21]. Thus, our future work will utilize the proposed mathematical approach in the teleoperated robotic system. ...
... They are also represented as up-to-233-bit-long binary numbers. The accelerator is based on the Montgomery kP algorithm using Lopez-Dahab projective coordinates [48]. The algorithm processes each bit of the scalar k iteratively from left to right (from its Most Significant Bit (MSB) to the Least Significant Bit (LSB)) using field operations. ...
Article
While IoT technology makes industries, cities, and homes smarter, it also opens the door to security risks. With the right equipment and physical access to the devices, the attacker can leverage side-channel information, like timing, power consumption, or electromagnetic emanation, to compromise cryptographic operations and extract the secret key. This work presents a side channel analysis of a cryptographic hardware accelerator for the Elliptic Curve Scalar Multiplication operation, implemented in a Field-Programmable Gate Array and as an Application-Specific Integrated Circuit. The presented framework consists of initial key extraction using a state-of-the-art statistical horizontal attack and is followed by regularized Artificial Neural Networks, which take, as input, the partially incorrect key guesses from the horizontal attack and correct them iteratively. The initial correctness of the horizontal attack, measured as the fraction of correctly extracted bits of the secret key, was improved from 75% to 98% by applying the iterative learning.
... In affine coordinates, PAs and PDs include several time-consuming modular inversion operations. To deal with this, we executed PAs and PDs in Lopez-Dahab (LD) projective coordinate [7]. ...
... Dominguez-Oviedo et al. presented fault detection schemes at the algorithm level for scalar multiplication on general curves [18], [19]. This research work proposed error detection schemes for the double-and-add-always [20] and Montgomery ladder ECSM algorithm for non-supersingular elliptic curves [21]. The cost of the error detection algorithm for projective coordinates was about 27.4%. ...
Preprint
Elliptic curve cryptography, the most widely-deployed pre-quantum public key cryptography, can be implemented efficiently with Koblitz curves. The reason for these realizations is that in such efficient architectures, through using the Frobenius endomorphism, the high cost of doubling can be ameliorated by simple shifting. However, in order to use this property, scalars should be represented by a τ-expansion. Such curves require integer to τ-NAF conversion, which is a prominent factor in Koblitz curve cryptography. Nevertheless, natural and malicious faults can threaten the reliability of such constructions. In cryptosystems, verifying the correctness of the underlying computation implemented in hardware and software platforms is extremely important to detect permanent and transient errors. In this paper, for the first time to the best of our knowledge, we investigate fault detection schemes in single and double τ-NAF (non-adjacent form) conversion algorithms. To this end, we propose refined algorithms and implementations to resist both permanent and transient error occurrence using a number of fault models to make sure the performed assessments reflect the results accurately. Additionally, we simulate the proposed algorithms in a Python environment with single, random, and burst fault models resulting in very high error coverage. Finally, we implement our scheme on ARMv7 and ARMv8 platforms to show the overhead of our implementation. We achieved less than 17% clock cycle overhead on Cortex-M4 and about 25% on Cortex-A72 processors. Our proposed scheme's code size overhead was less than 6%. The proposed approaches make the implementations of Koblitz curve τ-NAF conversion more reliable with acceptable overheads.
... In our proposed work we have employed the PA and PD expressions derived using LD projective-coordinates and are represented as [20], ...
Article
In the present day, billions of devices communicate over wireless networks. The massive amount of information transmitted over the open-ended and unsecured Internet architecture results in eavesdropping of private, sensitive and confidential information. Therefore, it is necessary to incorporate data encryption techniques while communicating any sensitive information. Public key cryptography is one of the widely used data encryption techniques, and elliptic curve cryptography (ECC) is the most sought-after public key cryptographic algorithm. The efficiency of ECC depends on a series of hierarchical finite field operations, and point multiplication is one of the most time-critical and resource-consuming ECC operations. Point multiplication involves a substantial number of multiplications, additions and inversion operations over finite fields of higher orders. In this article, we present a point multiplication architecture developed for a modified Montgomery-ladder algorithm. A digit-serial multiplier is employed to perform multiplication in the realization of the modified Montgomery-ladder algorithm. The area and time complexities of the proposed elliptic curve point multiplication (ECPM) architecture are computed for the irreducible pentanomial GF(2^163) and irreducible trinomial GF(2^233) targeting the Virtex-5 (XC5VLX110) FPGA and compared with similar architectures available in the literature.
... This led us to conceive and develop various projective coordinates architectures described in this work. Many works on point multiplication's hardware and software implementations exist in literature [5,6]. The aim of this work is to develop a completely parameterized and optimized EC point multiplication processor, intended to the conception of the cryptographic applications. ...
Preprint
Elliptic Curve Cryptography covers all relevant asymmetric cryptographic primitives like digital signatures and key agreement algorithms. The function used for this purpose is the point multiplication KP, where K is an integer and P is a point on an elliptic curve. In the present work, we develop an optimized Elliptic Curve Point Multiplication processor over base fields GF(2^m). Our design is aimed to operate in a polynomial basis; it is fully parameterizable in both the irreducible polynomial and the elliptic curve considered over any base Galois field up to a given size. The EC point multiplication processor defined in projective coordinates is developed and optimized. New designs of elliptic curve arithmetic, point addition and doubling operations, are developed. A relatively high performance is achieved by using dedicated Galois field arithmetic implemented on FPGA. The proposed processor results in several advantages over conventional implementations and other FPGA based implementations, with respect to speed, area occupation and power consumption.
... Inversion is the most time consuming operation among the finite field operations [10]. The Itoh-Tsujii algorithm is used to find the inversion as it is the fastest algorithm [11]. It is implemented by using Brauer addition chains, which reduce the number of multiplications and thus the latency. ...
... The NIST-standardized elliptic curve B-233 [36] is used as the basis. The implementation of the point multiplication is based on the Montgomery algorithm and uses projective López-Dahab coordinates [37] to represent the points of the elliptic curve, see Algorithm 1. ...
Thesis
The increasing digitalization of our society requires continuous protection of critical information by means of cryptographic systems. Algorithmically, these systems are hardly attackable. However, so-called side-channel attacks allow the extraction of secret data. One kind of side-channel attack with great attack potential is localized electromagnetic analysis. In this technique, the electromagnetic emanation of parts of the circuit is measured and analyzed to draw conclusions about internal states and thereby extract secret information such as private keys. The current state of research in the field of localized EMA shows both successful attacks and countermeasures. However, the published works contain no detailed investigation of the exact realization of the layout of the FPGA implementations, which is the cause of the localized leakage. Instead, the causes are considered at the algorithmic level of the cryptographic method used, and an algorithmic countermeasure is likewise proposed. In this thesis, the influence of the layout of FPGA and ASIC implementations on localized EMA attacks is investigated. The placement of the registers in particular plays an important role. The investigations in this thesis are used to be able to plan further measures for protecting cryptographic implementations. The results show that both the design itself and its implementation as FPGA or ASIC have a large influence on the attackability of the implementation by localized EMA. Thus the FPGA implementation of the considered ECC design can also be vulnerable to this kind of attack. Owing to its implementation, this ECC accelerator is overall less susceptible than a comparison design from the state of research.
Nevertheless, potential weaknesses could be identified, which form the basis for planning and implementing countermeasures. For an FPGA implementation of the ECC accelerator, the position of the flip-flops in the layout is the main cause of the susceptibility. This can be counteracted by an even distribution of the registers together with permanently active logic, since the EM emanation of the logic masks that of the registers. In contrast, for the ASIC implementation no statement could be made about the influence of placement variants, because the influences were not measurable. However, the routing on the topmost metal layer could be identified as a leakage source. As a countermeasure it is proposed to use constraints so that the output signals of registers of a cryptographic chip are not routed up to the topmost layer.
... Investigated kP Designs: In 1987 Montgomery proposed an algorithm for the kP calculation [9]. In 1998 Lopez and Dahab showed that the Montgomery kP algorithm can be performed using only the x-coordinate of the point P if P is a point on an EC over GF(2^n) [10]. Additionally, they proposed to use special projective coordinates of the EC point P to avoid the most complex operation, i.e. the division of elements of Galois fields. ...
Preprint
Full-text available
Side-channel analysis attacks, especially horizontal DPA and DEMA attacks, are significant threats for cryptographic designs. In this paper we investigate to what extent different multiplication formulae and randomization of the field multiplier increase the resistance of an ECC design against horizontal attacks. We implemented a randomized sequence of the calculation of partial products for the field multiplication in order to increase the security features of the field multiplier. Additionally, we use the partial polynomial multiplier itself as a kind of countermeasure against DPA attacks. We demonstrate that the implemented classical multiplication formula can increase the inherent resistance of the whole ECC design. We also investigate the impact of the combination of these two approaches. For the evaluation we synthesized all these designs for a 250 nm gate library technology, and analysed the simulated power traces. All investigated protection means help to decrease the success rate of attacks significantly: the correctness of the revealed key was decreased from 99% to 69%.
... Then, the algorithm for the scalar multiplication should be well chosen. Overall, Montgomery's algorithm is resistant to the side-channel attack because the PA and PD are indistinguishable [24], and we also consider it in this paper. ...
Article
Full-text available
Along with the rapid development in security technology, the efficient implementation of a large field-size elliptic curve cryptosystem (ECC) is becoming demanding in many critical applications as small-sized cryptosystems are gradually becoming obsolete. Based on this consideration, this paper proposes a series of novel coherent interdependent efforts towards a novel implementation of an ECC hardware cryptoprocessor: (i) We first propose a new Montgomery point multiplication (PM) algorithm to optimize and balance the signal flow and resource utilization efficiency; (ii) Then, we efficiently construct a new ECC processor over GF(2^m) (with the support of a series of algorithm-architecture co-implementation techniques); (iii) Finally, we give a detailed comparison and performance analysis to show that the proposed cryptographic processor has superior performance to the competing designs, i.e., a smaller area-delay product (ADP) than the competing designs. The proposed large field-size ECC processor (and the proposed design strategy) can be extended and applied in many security-demanding applications.
... Our basic design is a kP accelerator for NIST EC B-233 only [6]. We implemented a modified Montgomery kP algorithm using Lopez-Dahab projective coordinates [7] as proposed in [8] to prevent revealing the second most significant bit of the scalar k. The implemented algorithm is regular. ...
Preprint
Full-text available
In this paper we introduce a unified field multiplier for the EC kP operation in two different types of Galois fields. The most important contributions of this paper are that the multiplier is based on the 4-segment Karatsuba multiplication method and that it is inherently resistant against selected horizontal attacks.
... The algorithm for the kP calculation has to be fast and resistant against different attacks, including SCA attacks. The Montgomery kP algorithm using Lopez-Dahab projective coordinates [3] is a bitwise processing of the scalar k. It is well-known and the most often implemented algorithm for the kP operation for ECs over GF(2^n). ...
Preprint
Full-text available
This paper reports on the impact of compiler options on the resistance of cryptographic implementations against side channel analysis attacks. We evaluated four compiler options for six different FPGAs from Intel and Xilinx. In order to ensure a fair assessment we always synthesized the same VHDL code and kept the measurement setup, statistical analysis method etc. constant. Our analysis clearly shows that the compiler options have an impact on the success of attacks but also that the impact is unpredictable, not only between different FPGAs but also for an individual FPGA.
... As López and Dahab [LD99] showed, formulas similar to those developed for Montgomery curves exist for curves defined over F_{2^n}. The main difference is that every elliptic curve defined over F_{2^n} can be put into Montgomery form. ...
Thesis
In this thesis, we are interested in the problem of implementing scalar point multiplication on elliptic curves defined over prime fields. We address this problem at the level of the point multiplication algorithms as well as at the level of the arithmetic of the curve or of the underlying field. The originality of the work presented here is that it does not treat each aspect separately. Indeed, we have always sought to develop the arithmetic at a given level while keeping in mind its link with the lower or higher levels. This thesis consists of three parts. The first part is devoted to the state of the art concerning elliptic curve arithmetic. Chapter 1 is an overview of the main properties of elliptic curves and of the different point addition formulas according to the chosen coordinate system. In Chapter 2, we present the main methods of scalar point multiplication, for curves defined over prime fields as well as for curves defined over binary fields. The second part studies new point addition formulas on the curves and the new point multiplication algorithms that can be derived from them. Chapter 3 details the new point addition formulas, as well as the so-called "Fibonacci and add" algorithm. In Chapter 4 we present a type of addition chain, differential addition chains, naturally suited to the formulas introduced in the preceding chapter, and then we propose a construction of particular chains in order to derive the most efficient point multiplication algorithm possible. The third part deals with the RNS representation and its adaptation to elliptic curve arithmetic. In Chapter 5 we review the main properties of the RNS representation. In Chapter 6, we propose particular RNS bases that improve the efficiency of the computations. Then, in Chapter 7, we propose a modular inversion algorithm in RNS. Finally, Chapter 8 is devoted to the study of the complexity of sums of modular products as a function of the chosen representation system, and then to the adaptation of the point addition formulas on the curves so as to take advantage of the specificities of RNS.
... The methods allowing "to see" small differences are different statistical methods, for example comparison to the mean [10] or linear correlation analysis. In our early work, we showed that the Montgomery ladder using Lopez-Dahab coordinates [11], considered in the literature as resistant against simple SCA due to its regularity, is vulnerable to horizontal address-bit attacks. ...
... Because all these parameters depend on the given input and the processed key, these "side effects" can be analysed with the goal to reveal the key k. The Montgomery kP algorithm using Lopez-Dahab projective coordinates [5] corresponding to [6] is a bitwise processing of the scalar k, see Algorithm 1. ...
Article
Full-text available
The Montgomery kP algorithm, i.e. the Montgomery ladder, is reported in the literature as resistant against simple SCA due to the fact that the processing of each key bit value of the scalar k is done using the same sequence of operations. We implemented the Montgomery kP algorithm using Lopez-Dahab projective coordinates for the NIST elliptic curve B-233. We instantiated the same VHDL code for a wide range of clock frequencies for the same target FPGA and using the same compiler options. We measured electromagnetic traces of the kP executions using the same input data, i.e. scalar k and elliptic curve point P, and measurement setup. Additionally, we synthesized the same VHDL code for two IHP CMOS technologies, for a broad spectrum of frequencies. We simulated the power consumption of each synthesized design during an execution of the kP operation, always using the same scalar k and elliptic curve point P as inputs. Our experiments clearly show that the success of simple electromagnetic analysis attacks against FPGA implementations, as well as that of simple power analysis attacks against synthesized ASIC designs, depends significantly on the target frequency for which the design was implemented and at which it is executed. In our experiments the scalar k was successfully revealed via simple visual inspection of the electromagnetic traces of the FPGA for frequencies from 40 to 100 MHz when standard compile options were used, as well as from 50 MHz up to 240 MHz when performance optimizing compile options were used. We obtained similar results attacking the power traces simulated for the ASIC. Despite the significant differences of the technologies investigated here, the designs' resistance against the attacks performed is similar: only a few points in the traces represent strong leakage sources allowing the key to be revealed at very low and very high frequencies. For the "middle" frequencies the number of points which allow the key to be successfully revealed increases when increasing the frequency.
Chapter
We point to the cryptographic significance of the overlooked prime p261 = 2^261 - 2^131 - 1. We explain our motivation behind searching for such a prime. We present cryptographically secure elliptic curves over GF(p261). We provide our speed oriented implementation of variable-base variable-scalar elliptic curve scalar multiplication using the Montgomery ladder. In this setting, a single scalar multiplication implemented with AVX2 instructions takes 85738 cycles on a Skylake 6500U processor.
Article
Full-text available
The double point-multiplication (DPM) operation on elliptic curves, denoted as u.P + v.Q, where u and v are nonnegative integers and P, Q are points on the curve, is a critical operation in digital signature verification. Its computational scheme significantly impacts system performance in terms of speed, memory usage, and security. This article introduces a range of straightforward algorithms for DPM, which leverage an iterative uniform pattern based on constant-time arithmetic. This approach mitigates side-channel attacks (SCA) that exploit timing or power consumption measurements to compromise the secret keys u and v. The proposed algorithms employ a w-bit windowing method to simultaneously recode the binary strings u and v and evaluate DPM on-the-fly from left to right. This one-pass recode/evaluation process accelerates DPM, reduces memory overhead, and enhances resilience against SCA. The new algorithms are systematically evaluated using precise analytic formulas for speed, memory usage, and security. They prioritize simplicity and flexibility, enabling easy adjustments between speed-memory and speed-security trade-offs to meet various constraints. Comparative analysis against state-of-the-art methods is conducted, comprehensively examining complexities using NIST-recommended GF(2^l) curves, as well as twisted Edwards and Montgomery GF(p) curves.
Article
Classical cluster-based side-channel analysis (SCA) uses clustering algorithms to analyze power traces and often principal component analysis to reduce the dimension of the data, with the result that clustering may not deal well with high-dimensional traces such as those of cryptographic algorithm implementations with countermeasures. In this paper, we propose an intelligent framework for cluster-based SCA, which includes three steps of clustering, classification and correction, for processing large high-dimensional data. By combining unsupervised clustering and supervised deep learning techniques, the framework succeeds in mining the data for additional in-depth information. In addition, unlike traditional cluster-based SCA, our approach focuses on deep learning and deliberately avoids over-reliance on cluster labels during classification. Metrics for correction are adopted to achieve a high level of reliability in key recovery. Experiments on an RSA smart card based on a Montgomery ladder implementation and on an FPGA-based ECC with random delay demonstrate that our framework can significantly improve the success rate with strong robustness.
Presentation
Full-text available
Elliptic curves were first introduced to cryptography in the 80's, and since then they have become the standard for public-key cryptography in research and industry. Current applications range from efficient instantiation of the Diffie-Hellman key exchange to the zero-knowledge proofs underpinning blockchains. This talk covers the basics of Elliptic Curve Cryptography from a practical point of view, highlighting the algorithmic progress throughout the years. Special focus will be given to engineering considerations (efficiency and implementation security) and the many contributions by Latin American cryptographers. We finish by summarizing some applied research problems that hopefully illustrate just how wonderful the topic is.
Chapter
Elliptic curve cryptography (ECC) is one of the most popular asymmetric key cryptography techniques used in secured data communications. The scalar multiplication is the most expensive operation in ECC. In this paper, we propose low-cost hardware for scalar multiplication in affine-coordinate-based ECC. Here, we use a reconfigurable Galois field (GF) arithmetic circuit, which performs various GF arithmetic operations such as addition, multiplication, inverse, and fused multiply add (FMA) using the same set of hardware. Instead of using a number of multipliers and adders in point addition/doubling, we have used only one reconfigurable GF arithmetic circuit. The existing and proposed designs are implemented in 45 nm CMOS technology using Cadence. The synthesis results show that the proposed affine-coordinate-based GF(2^163) scalar multiplier achieves a 69% reduction in switching power dissipation as compared with the conventional Lopez-Dahab projective-coordinate-based design in 45 nm CMOS technology.
Chapter
The Montgomery Ladder is widely used for implementing the scalar multiplication in elliptic curve cryptographic designs. This algorithm is efficient and provides a natural robustness against (simple) side-channel attacks. Previous works however showed that implementations of the Montgomery Ladder using Lopez-Dahab projective coordinates easily leak the value of the most significant bits of the secret scalar, which led to a full key recovery in an attack known as LadderLeak [3]. In light of such leakage, we analyse further popular methods for implementing the Montgomery Ladder. We first consider open source software implementations of the X25519 protocol which implement the Montgomery Ladder based on the ladderstep algorithm from Düll et al. [15]. We confirm via power measurements that these implementations also easily leak the most significant scalar bits, even when implementing Z-coordinate randomisations. We thus propose simple modifications of the algorithm and its handling of the most significant bits and show the effectiveness of our modifications via experimental results. In particular, our re-designs of the algorithm do not incur significant efficiency penalties. As a second case study, we consider open source hardware implementations of the Montgomery Ladder based on the complete addition formulas for prime order elliptic curves, where we observe the exact same leakage. As we explain, the most significant bits in implementations of the complete addition formulas can be protected in an analogous way as we do for Curve25519 in our first case study.
Keywords: ECC, Montgomery Ladder, Curve25519, Complete addition formulas, Side-channel analysis
Article
Elliptic Curve Cryptography is public key cryptography that features smaller keys, ciphertexts, and signatures and is faster than RSA at the same security level. Scalar multiplication is the main and the most compute-intensive operation in the generation of keys. Point addition, doubling and inversion are the basic operations for scalar multiplication. Inversion is a very expensive operation as compared to multiplication, addition and squaring in finite fields with an affine coordinate system. López-Dahab coordinates are the best alternative to reduce the inversion overhead in scalar computation. Area, delay and power trade-offs are the main constraints in hardware implementations of scalar multiplication. In this paper, optimization of elliptic curve scalar multiplication using constraint-based scheduling for the López-Dahab coordinate system is proposed. Data dependency graphs of point addition and doubling are modified for optimization of area and delay. The proposed architecture is implemented on an Altera Stratix-II FPGA. The constraint is applied on the field multiplication operation and the area is considerably reduced. The proposed architecture computes scalar multiplication in 11.43 μs and takes 9856 ALMs. The performance comparison with the state of the art shows that area is reduced by 41.21%, delay is reduced by 2.4% and the Area-Delay-Product is improved.
Article
Full-text available
Elliptic curve cryptography (ECC) is one of the commonly used standard methods for encrypting and signing messages which is especially applicable to resource-constrained devices such as sensor nodes that are networked in the Internet of Things. The same holds true for wearable sensors. In these fields of application, confidentiality and data integrity are of utmost importance as human lives depend on them. In this paper, we discuss the resistance of our fast dual-field ECDSA accelerator against side-channel analysis attacks. We present our implementation of a design supporting four different NIST elliptic curves to allow the reader to understand the discussion of the resistance aspects. For two different target platforms—ASIC and FPGA—we show that the application of atomic patterns, which is considered to ensure resistance against simple side-channel analysis attacks in the literature, is not sufficient to prevent either simple SCA or horizontal address-bit DPA attacks. We also evaluated an approach which is based on the activity of the field multiplier to increase the inherent resistance of the design against attacks performed.
Article
The modern age has seen enormous progress in communications. Millions of devices communicate over the web transmitting confidential information which sometimes is of national importance. Securing these devices has become a prime concern in this evolutionary digital world. Elliptic curve cryptography has grabbed quite some attention for securing these devices, primarily because of its small key size at a relatively equal level of security when compared to other cryptosystems. The high performance of ECC relies on the finite-field arithmetic operations. Point multiplication is the most resource consuming and time critical ECC operation. Many architectures and algorithms are presented in the literature to address the area complexity and time complexity of point multiplication. In this paper, a point multiplication architecture for generic irreducible polynomials is proposed based on the modified Montgomery-ladder algorithm. In addition, the FF-inversion operation of point multiplication is realized by employing a modified Itoh-Tsujii algorithm to achieve a reduction in the computation time. The hardware complexity and delay of the proposed point multiplication architecture are estimated, and a comparison with the corresponding point multiplication architectures available in the literature is presented. It is observed that the proposed architecture achieves an area-time efficiency of around 17%–86% and 42%–98%, respectively, over GF(2^163) and GF(2^233) when compared to the architectures available in the literature.
Article
Full-text available
Internet of Vehicles (IoV) is one of the most active research disciplines in Intelligent Transportation Systems (ITS), intending to improve VANET (Vehicular Ad-hoc Network) capabilities. The main objective of IoV is to enhance the safety of passengers by incorporating various advanced information and communication technologies, thus easing the driving experience of passengers and enhancing traffic efficiency. IoV has numerous key technologies, and one of them is Radio-Frequency Identification Technology (RFID), which has a plethora of applications in IoV like automatic toll collection, intelligent parking, data dissemination, tracking the location of the vehicle, etc., which enhance the overall performance of IoV networks. Along with this, RFID devices are resource-constrained, thus security and privacy are a major concern, and IoV is also a real-time sensitive network where security is of utmost importance. Keeping in mind the security perspective, the concept of Elliptic-Curve Cryptography (ECC) is taken into consideration. So, in this paper, we have proposed a cryptographic-solution-based secure ECC-enabled RFID mutual authentication protocol for IoV. The proposed protocol is comprised of three phases: Setup Phase, Tag Authentication Phase, and Server Authentication Phase. Security evaluation of the proposed protocol is performed by taking into consideration the analysis of security requirements as well as security attacks. Also, the simulation of the proposed protocol is done using the AVISPA tool and the results indicate that the proposed protocol is safe against various malevolent attacks. Performance evaluation of the proposed protocol is computed based on the parameters storage requirements, communication cost, and computational cost. Results indicate that the proposed protocol contributes to high performance and security and has lower computational cost than other existing authentication protocols. A novel Blockchain-based security framework for RFID-enabled IoV has also been proposed to further enhance the security of the IoV network.
Article
An elliptic curve cryptography processor is implemented for point multiplication on a field programmable gate array. A segmented pipelined full-precision multiplier is used to reduce the latency, and data dependency can be avoided by modifying the Lopez-Dahab Montgomery PM algorithm, resulting in a drastic reduction in the number of clock cycles required. The proposed ECC processor is implemented on the Xilinx FPGA families Virtex-4, Virtex-5 and Virtex-7. The single- and three-multiplier-based designs each show the fastest performance compared with reported work. Our three-multiplier-based ECC processor implementation takes the lowest number of clock cycles among FPGA-based processor designs.
Book
Cryptography, in particular public-key cryptography, has emerged in the last 20 years as an important discipline that is not only the subject of an enormous amount of research, but provides the foundation for information security in many applications. Standards are emerging to meet the demands for cryptographic protection in most areas of data communications. Public-key cryptographic techniques are now in widespread use, especially in the financial services industry, in the public sector, and by individuals for their personal privacy, such as in electronic mail. This Handbook will serve as a valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography. It is a necessary and timely guide for professionals who practice the art of cryptography. The Handbook of Applied Cryptography provides a treatment that is multifunctional: it serves as an introduction to the more practical aspects of both conventional and public-key cryptography; it is a valuable source of the latest techniques and algorithms for the serious practitioner; it provides an integrated treatment of the field, while still presenting each major topic as a self-contained unit; it provides a mathematical treatment to accompany practical discussions; and it contains enough abstraction to be a valuable reference for theoreticians while containing enough detail to actually allow implementation of the algorithms discussed. Now in its third printing, this is the definitive cryptography reference that the novice as well as experienced developers, designers, researchers, engineers, computer scientists, and mathematicians alike will use.
Article
We discuss analogs based on elliptic curves over finite fields of public key cryptosystems which use the multiplicative group of a finite field. These elliptic curve cryptosystems may be more secure, because the analog of the discrete logarithm problem on elliptic curves is likely to be harder than the classical discrete logarithm problem, especially over GF(2^n). We discuss the question of primitive points on an elliptic curve modulo p, and give a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point.
Article
We discuss new algorithms for multiplying points on elliptic curves defined over small finite fields of characteristic two. This algorithm is an extension of previous results by Koblitz, Meier, and Staffelbach. Experimental results show that the new methods can give a running time improvement of up to 50% compared with the ordinary binary algorithm for multiplication. Finally, we present a table of elliptic curves, which are well suited for elliptic curve public key cryptosystems, and for which the new algorithm can be used.
Article
We discuss analogs based on elliptic curves over finite fields of public key cryptosystems which use the multiplicative group of a finite field. These elliptic curve cryptosystems may be more secure, because the analog of the discrete logarithm problem on elliptic curves is likely to be harder than the classical discrete logarithm problem, especially over GF(2^n). We discuss the question of primitive points on an elliptic curve modulo p, and give a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point.
Article
Since 1974, several algorithms have been developed that attempt to factor a large number N by doing extensive computations modulo N and occasionally taking GCDs with N. These began with Pollard's p-1 and Monte Carlo methods. More recently, Williams published a p+1 method, and Lenstra discovered an elliptic curve method (ECM). We present ways to speed all of these. One improvement uses two tables during the second phases of p ± 1 and ECM, looking for a match. Polynomial preconditioning lets us search a fixed table of size n with n/2 + o(n) multiplications. A parametrization of elliptic curves lets Step 1 of ECM compute the x coordinate of nP from that of P in about 9.3 log_2 n multiplications for arbitrary P.
Article
Elliptic curves have been extensively studied for many years. Recent interest has revolved around their applicability to factoring integers, primality testing, and to cryptography. In this paper we explore the feasibility of implementing in hardware an arithmetic processor for doing elliptic curve computations over finite fields. Of special interest, for practical reasons, are the curves over fields of characteristic 2. The elliptic curve analogue of the ElGamal cryptosystem is also analyzed.
Book
Foreword. Preface. 1. Introduction to Public Key Cryptography. 2. Introduction to Elliptic Curves. 3. Isomorphism Classes of Elliptic Curves over Finite Fields. 4. The Discrete Logarithm Problem. 5. The Elliptic Curve Logarithm Problem. 6. Implementation of Elliptic Curve Cryptosystems. 7. Counting Points on Elliptic Curves over F_{2^m}. Bibliography. Index.
Article
From the Publisher: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.
Conference Paper
The Diffie-Hellman key exchange algorithm can be implemented using the group of points on an elliptic curve over the field F_{2^n}. A software version of this using n = 155 can be optimized to achieve computation rates that are slightly faster than non-elliptic curve versions with a similar level of security. The fast computation of reciprocals in F_{2^n} is the key to the highly efficient implementation described here.
Article
Public-key cryptographic systems often involve raising elements of some group (e.g., GF(2^n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
Conference Paper
This paper describes a fast software implementation of the elliptic curve version of DSA, as specified in draft standard documents ANSI X9.62 and IEEE P1363. We did the implementations for the fields GF(2^n), using a standard basis, and GF(p). We discuss various design decisions that have to be made for the operations in the underlying field and the operations on elliptic curve points. In particular, we conclude that it is a good idea to use projective coordinates for GF(p), but not for GF(2^n). We also extend a number of exponentiation algorithms, that result in considerable speed gains for DSA, to ECDSA, using a signed binary representation. Finally, we present timing results for both types of fields on a PPro-200 based PC, for a C/C++ implementation with small assembly-language optimizations, and make comparisons to other signature algorithms, such as RSA and DSA. We conclude that for practical sizes of fields and moduli, GF(p) is roughly twice as fast as GF(2^n). Furthermore, the speed of ECDSA over GF(p) is similar to the speed of DSA; it is approximately 7 times faster than RSA for signing, and 40 times slower than RSA for verification (with public exponent 3).
Conference Paper
It has become increasingly common to implement discrete-logarithm based public-key protocols on elliptic curves over finite fields. The basic operation is scalar multiplication: taking a given integer multiple of a given point on the curve. The cost of the protocols depends on that of the elliptic scalar multiplication operation. Koblitz introduced a family of curves which admit especially fast elliptic scalar multiplication. His algorithm was later modified by Meier and Staffelbach. We give an improved version of the algorithm which runs 50% faster than any previous version. It is based on a new kind of representation of an integer, analogous to certain kinds of binary expansions. We also outline further speedups using precomputation and storage.
Conference Paper
This paper describes three contributions for efficient implementation of elliptic curve cryptosystems in GF(2n). The first is a new method for doubling an elliptic curve point, which is simpler to implement than the fastest known method, due to Schroeppel, and which favors sparse elliptic curve coefficients. The second is a generalized and improved version of the Guajardo and Paar’s formulas for computing repeated doubling points. The third contribution consists of a new kind of projective coordinates that provides the fastest known arithmetic on elliptic curves. The algorithms resulting from this new formulation lead to a running time improvement for computing a scalar multiplication of about 17% over previous projective coordinate methods.
Article
Since the introduction of the concept of public key cryptography by Diffie and Hellman in 1976, the potential for the use of the discrete logarithm problem in public key cryptosystems has been recognized. ElGamal gave an explicit methodology for using this problem to implement a fully functional public key cryptosystem, including digital signatures. This methodology has been refined and incorporated with various protocols to meet a variety of applications, and one of its extensions forms the basis for a proposed U.S. digital signature standard. Although the discrete logarithm problem, as first employed by Diffie and Hellman in their public key exchange algorithm, referred explicitly to the problem of finding logarithms with respect to a primitive element in the multiplicative group of the field of integers modulo a prime p, this idea can be extended to arbitrary groups (with the difficulty of the problem apparently varying with the representation of the group). In this paper, we describe how these protocols can be efficiently implemented using the group of an elliptic curve over a finite field. In particular, we will discuss a new VLSI implementation of F_{2^155} and the performance of elliptic curve systems over this ground field.
Article
We present a software implementation of arithmetic operations in a finite field GF(2^n), based on an alternative representation of the field elements. An important application is in elliptic curve cryptosystems. Whereas previously reported implementations of elliptic curve cryptosystems use a standard basis or an optimal normal basis to perform field operations, we represent the field elements as polynomials with coefficients in the smaller field GF(2^16). Calculations in this smaller field are carried out using pre-calculated lookup tables. This results in rather simple routines matching the structure of computer memory very well. The use of an irreducible trinomial as the field polynomial, as was proposed at Crypto'95 by R. Schroeppel et al., can be extended to this representation. In our implementation, the resulting routines are slightly faster than standard basis routines. 1 Introduction Elliptic curve public key cryptosystems are rapidly gaining popularity [M93]. The use...
Article
This contribution describes three algorithms for efficient implementations of elliptic curve cryptosystems. The first algorithm is an entirely new approach which accelerates the multiplication of points, which is the core operation in elliptic curve public-key systems. The algorithm works in conjunction with the k-ary or sliding window method. The algorithm explores computational advantages by computing repeated point doublings directly through closed formulae rather than from individual point doublings. This approach reduces the number of inversions in the underlying finite field at the cost of extra multiplications. For many practical implementations, where field inversion is at least four times as costly as field multiplication, the new approach proves to be faster than traditional point multiplication methods. The second algorithm deals with efficient inversion in composite Galois fields of the form GF((2^n)^m). Based on an idea of Itoh and Tsujii, we optimize the...
Article
We discuss new algorithms for multiplying points on elliptic curves over small finite fields of characteristic two. This algorithm is an extension of previous results by Koblitz, Meier and Staffelbach. Practical timings show that the new methods can give a running time improvement of up to 50% compared to the ordinary binary algorithm for multiplication. Finally, we present a table of elliptic curves, which are well suited for elliptic curve public key cryptosystems, and for which the new algorithm can be used. 1 Introduction Elliptic curves over finite fields have gained a lot of attention in public key cryptography in recent years ([4], [10]). For practical reasons, elliptic curves over fields of characteristic two are of special interest. Diffie-Hellman type cryptosystems using elliptic curves over GF(2^155) were implemented and compared to RSA (see [12]). The most time consuming operation of these cryptosystems is multiplication of a point on the elliptic curve with an integer, wh...
Article
Elliptic curves are the basis for a relatively new class of public-key schemes. It is predicted that elliptic curves will replace many existing schemes in the near future. It is thus of great interest to develop algorithms which allow efficient implementations of elliptic curve cryptosystems. This thesis deals with such algorithms. Efficient algorithms for elliptic curves can be classified into low-level algorithms, which deal with arithmetic in the underlying finite field, and high-level algorithms, which operate with the group operation. This thesis describes three new algorithms for efficient implementations of elliptic curve cryptosystems. The first algorithm describes the application of the Karatsuba-Ofman Algorithm to multiplication in composite fields GF((2^n)^m). The second algorithm deals with efficient inversion in composite Galois fields of the form GF((2^n)^m). The third algorithm is an entirely new approach which accelerates the multiplication of points which i...