Abstract
Recent elliptic curve scalar multiplication algorithms are based on efficient co-\(Z\) arithmetics. These arithmetics were initially introduced by Meloni in 2007 where addition of projective points share the same \(Z\)-coordinate. The co-\(Z\) version algorithms are sufficiently fast and secure against a large variety of implementation attacks. This paper analyses the performance of these algorithms in hardware and then compares them against software and hardware–software co-design environments on FPGA, in terms of speed, memory, power and energy consumption. Specifically, this paper presents a survey and performance comparison of implementations of co-\(Z\) versions of the Montgomery ladder and the Joye’s double-add algorithm in an embedded system environment.
Similar content being viewed by others
Notes
The prime symbol \(^{\prime }\) is used to denote operations that do not involve the \(Z\)-coordinate.
References
National Institute of Advanced Industrial Science and Technology (AIST), Research Center for Information Security (RCIS), Sidechannel Attack Standard, Evaluation Board (SASEBO) (2009)
Avanzi, R., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, Boca Raton (2005)
Avanzi, R.M.: Side channel attacks on implementations of curve-based cryptographic primitives. Cryptology ePrint Archive, Report 2005/017 (2005). http://eprint.iacr.org/
Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2005)
Brier, E., Joye, M.: Weierstraß Elliptic curve and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) Public key cryptography—PKC 2002. Lecture Notes in Computer Science, vol. 2274, pp. 335–345. Springer, Berlin (2002)
Byrne, A., Meloni, N., Crowe, F., Marnane, W.P., Tisserand, A., Popovici, E.M.: SPA resistant elliptic curve cryptosystem using addition chains. Int. J. High Perform. Syst. Archit. 1(2), 133–142 (2007)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Square always exponentiation. In: Springer (ed.) 12th International Conference on Cryptology in India—INDOCRYPT 2011. LNCS, Chennai, India (2011). http://hal.inria.fr/inria-00633545
Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) Advances in Cryptology—ASIACRYPT ’98. Lecture Notes in Computer Science, vol. 1514, pp. 51–65. Springer, Berlin (1998)
Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems (CHES ’99). Lecture Notes in Computer Science, vol. 1717, pp. 292–302. Springer, Berlin (1999)
European Network of Excellence in Cryptology II: ECRYPT II Yearly Report on Algorithms and Keysizes (2010)
Fischer, W., Giraud, C., Knudsen, E.W., Seifert, J.P.: Parallel scalar multiplication on general elliptic curves over \(\mathbb{F}_p\) hedged against non-differential side-channel attacks. Cryptology ePrint Archive, Report 2002/007 (2002). http://eprint.iacr.org/
Galbraith, S., Lin, X., Scott, M.: A faster way to do ECC. In: Presented at 12th Workshop on Elliptic Curve Cryptography (ECC 2008), Utrecht, The Netherlands (2008). Slides available at URL http://www.hyperelliptic.org/tanja/conf/ECC08/slides/Mike-Scott.pdf
Giraud, C., Verneuil, V.: Atomicity improvement for elliptic curve scalar multiplication. Computing Research Repository abs/1002.4, 80–101 (2010). doi:10.1007/978-3-642-12510-2-7
Goundar, R.R., Joye, M., Miyaji, A.: Co-\(Z\) addition formulæ and binary ladders on elliptic curves. In: Mangard, S., Standaert, F.X. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2010. Lecture Notes in Computer Science, vol. 6225, pp. 65–79. Springer, Berlin (2010)
Goundar, R.R., Joye, M., Miyaji, A.: Co-\(Z\) addition formulæ and binary ladders on elliptic curves. Cryptology ePrint Archive, Report 2010/309 (2010). http://eprint.iacr.org/
Goundar, R.R., Joye, M., Miyaji, A., Rivain, M., Vanelli, A.: A scalar multiplication on weierstraß elliptic curves from co-\(z\) arithmetic. J. Cryptogr. Eng. 1(2), 161–176 (2011)
Hutter, M., Joye, M., Sierra, Y.: Memory-constrained implementations of elliptic curve cryptography in co-\(z\) coordinate representation. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT. Lecture Notes in Computer Science, vol. 6737, pp. 170–187. Springer, Berlin (2011)
Izu, T., Möller, B., Takagi, T.: Improved elliptic curve multiplication methods reistant against side-channel attacks. In: Menezes, A., Sarkar, P. (eds.) Progress in Cryptology—INDOCRYPT 2002. Lecture Notes in Computer Science, vol. 2551, pp. 296–313. Springer, Berlin (2002)
Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache, D., Paillier, P. (eds.) Public Key Cryptography (PKC 2002). Lecture Notes in Computer Science, vol. 2274, pp. 280–296. Springer, Berlin (2002)
Joye, M.: Highly regular right-to-left algorithms for scalar multiplication. In: Paillier, P. Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007. Lecture Notes in Computer Science, vol. 4727, pp. 135–147. Springer, Berlin (2007)
Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski, B.S. Jr., et al. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002. Lecture Notes in Computer Science, vol. 2523, pp. 291–302. Springer, Berlin (2003)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)
Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. pp. 104–113. Springer, Berlin (1996)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) Advances in Cryptology—CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, Berlin (1999)
Longa, P., Gebotys, C.H.: Novel precomputation schemes for elliptic curve cryptosystems. In: Abdalla, M., et al. (eds.) Applied Cryptography and Network Security (ACNS 2009). Lecture Notes in Computer Science, vol. 5536, pp. 71–88. Springer, Berlin (2009)
Longa, P., Miri, A.: New composite operations and precomputation for elliptic curve cryptosystems over prime fields. In: Cramer, R. (ed.) Public Key Cryptography—PKC 2008. Lecture Notes in Computer Science, vol. 4939, pp. 229–247. Springer, Berlin (2008)
López, J., Dahab, R.: Fast multiplication on elliptic curves over \({GF}(2^m)\) without precomputation. In: Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems (CHES ’99). Lecture Notes in Computer Science, vol. 1717, pp. 316–327. Springer, Berlin (1999)
McIvor, C.J., McLoone, M., McCanny, J.V.: Hardware elliptic curve cryptographic processor over GF(\(p\)). IEEE Trans. Circuits Syst. 53, 1946–1957 (2006)
Meloni, N.: New point addition formulæ for ECC applications. In: Carlet, C., Sunar, B. (eds.) Arithmetic of Finite Fields (WAIFI 2007). Lecture Notes in Computer Science, vol. 4547, pp. 189–201. Springer, Berlin (2007)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) Advances in Cryptology—CRYPTO ’85. Lecture Notes in Computer Science, vol. 218, pp. 417–426. Springer, Berlin (1985)
Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)
Montgomery, P.L.: Speeding up the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
NIST: Advanced Encryption Standard (AES) (FIPS-197). National Institute of Standards and Technology (2001)
NIST: Recommendation for Key Management-Part 1 (2007)
Orlando, G., Paar, C.: A scalable gf(p) elliptic curve processor architecture for programmable hardware. Lect. Notes Comput. Sci. 2162, 348–363 (2001)
Research, C.: Sec 2: Recommended elliptic curve domain, parameters (2000)
Rivain, M.: Fast and regular algorithms for scalar multiplication over elliptic curves. Cryptology ePrint Archive, Report 2011/338 (2011). http://eprint.iacr.org/
Slla, A.M., Drabek, V.: An efficient list-based scheduling algorithm for high-level synthesis. In: Proceedings of the Euromicro Symposium on Digital Systems Design, pp. 316–323. IEEE Computer Society, New York (2002)
Venelli, A., Dassance, F.: Faster side-channel resistant elliptic curve scalar multiplication. Contemp. Math. 521, 29–40 (2010)
Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electron. Lett. 35(21), 1831–1832 (1999)
Xilinx: Microblaze soft processor core. http://www.xilinx.com/tools/microblaze.htm
Yen, S.M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000)
Yen, S.M., Kim, S., Lim, S., Moon, S.J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) Information Security and Cryptology—ICISC 2001. Lecture Notes in Computer Science, vol. 2288, pp. 414–427. Springer, Berlin (2002)
Author information
Authors and Affiliations
Corresponding author
Additional information
This material is based upon works supported by the Science Foundation Ireland under Grant No. 06/MI/006.
Research supported by Profs. Francisco Rodríguez-Henríquez and Çetin K. Koç through UC MEXUS Grant, administered by UCSB and CINVESTAV-IPN.
Appendix
Appendix
1.1 Co-\(Z\) Algorithms
In this section we present some of the Co-\(Z\) operations defined in this paper, presented as Algorithm 12–Algorithm 18.
1.2 Point doubling formulæ with update in homogeneous coordinates
A double of point \({\varvec{P}} = (X_1:Y_1:Z_1)\) on \(E_\mathcal{H }\), denoted \(DBL_\mathcal{H }\), is computed as \({\varvec{2P}}=(X_3:Y_3:Z_3)\) with
where \(A=a Z_1^2+3X_1^2\), \(B=Y_1Z_1\), \(C=X_1(Y_1B)\), and \(D=A^2-8C\). The cost of it is \(\underline{6\mathsf M + 5\mathsf S + 1\mathsf c }\). We optimised \(DBL_\mathcal{H }\) by trading one multiplication with one squaring which results in a cost of \(\underline{5\mathsf M + 6\mathsf S + 1\mathsf c }\) and is given as
where \(A=2(a Z_1^2+3X_1^2)\), \(B=Y_1Z_1\), \(C=2[(X_1+Y_1B)^2-X_1^2-(Y_1B)^2]\), and \(D=A^2-8C\). If \(Z_1 = 1\), the cost drops to \(\underline{3\mathsf M +5\mathsf S }\), with
where \(A=2(a+3X_1^2)\), \(\alpha =Y_1^2\), \(B=\alpha ^2\), \(C=2[(X_1+\alpha )^2-X_1^2-B]\), and \(D=A^2-8C\). We notice that together with \({\varvec{2P}}\) we obtain a representation of a point \({\varvec{P}}\) having the same \(Z\) coordinate at a cost of only one multiplication.
We let \((\varvec{\tilde{P}}, 2{\varvec{P}}) \leftarrow DBLU_\mathcal{H }({\varvec{P}})\) denote the corresponding operation, where \(\varvec{\tilde{P}} \sim {\varvec{P}}\) and \(\mathrm Z (\varvec{\tilde{P}}) = \mathrm Z (2{\varvec{P}})\). The cost of \(DBLU_\mathcal{H }\) operation (doubling with update) is \(\underline{4\mathsf M + 5\mathsf S }\).
Furthermore, for implementation purpose of Algorithm 4 we define an \((X,Z)\)-only point doubling with an update in homogeneous coordinate, denoted as \(DBLU_\mathcal{H }^{*}\) as \(DBLU_\mathcal{H }^{*}({\varvec{P}})\leftarrow (X(\varvec{\tilde{P}}):X({\varvec{2P}}):Z({\varvec{2P}}))= (X_1\cdot 64 Y_1\alpha : 4Y_1D: 64Y_1\alpha )\). The cost of \(DBLU_\mathcal{H }^{*}\) operation is \(\underline{3\mathsf M +5\mathsf S }\).
1.3 Full coordinate recovery
The formula for the recovery of the full projective coordinates of the output point \({\varvec{Q}}=k{\varvec{P}}\), from the \(x\)-coordinates \({\varvec{R}}_\mathbf 0 = (X_1,Z)\) and \({\varvec{R}}_\mathbf 1 ,{\varvec{Z}} = (X_2,Z)\) at the end of the Montgomery ladder is described in Algorithm 19.
Note that \(D=(x_D,y_D)\) represents the invariant, input point \({\varvec{P}}\), of the Montgomery ladder in affine coordinates. The cost of this formula is \(\underline{8\mathsf M +2\mathsf S +1M_a+1M_{4b}+8add}\) and its implementation requires \(11\) registers as detailed in algorithm 7 of [17].
The full coordinates recovery formula given by Algorithm 4 is evaluated in Algorithm 20.
The cost of which is \(\underline{10\mathsf M +3\mathsf S +8add}\) and its implementation requires \(13\) registers as detailed in algorithm 8 of [17].
1.4 Point doubling and tripling with co-\(Z\) update
Algorithms 3, 7, 8, 9 and 10 require a point doubling or a point tripling operation for their initialisation. We describe here how this can be implemented.
Initial Point Doubling The double of a point is computed using the DBLU operation below.
with \(M = 3B + a\), \(S = 2((X_1+E)^2 - B - L)\), \(L = E^2\), \(B = {X_1}^2\), and \(E = {Y_1}^2\). Since \(Z(2{\varvec{P}}) = 2Y_1\), it follows that
is an equivalent representation for point \({\varvec{P}}\). Updating point \({\varvec{P}}\) such that its \(Z\)-coordinate is equal to that of \(2{\varvec{P}}\) comes thus for free [29]. We let \((2{\varvec{P}}, \varvec{\tilde{P}}) \leftarrow \text{ DBLU}({\varvec{P}})\) denote the corresponding operation, where \(\varvec{\tilde{P}} \sim {\varvec{P}}\) and \(\mathrm Z (\varvec{\tilde{P}}) = \mathrm Z (2{\varvec{P}})\). The cost of DBLU operation (doubling with update) is \(\underline{1\mathsf M + 5\mathsf S }\).
Initial Point Tripling The triple of \({\varvec{P}} = (X_1:Y_1:1)\) can be evaluated as \(3{\varvec{P}} = {\varvec{P}} + 2{\varvec{P}}\) using co-\(Z\) arithmetic [26]. From \((2{\varvec{P}}, \varvec{\tilde{P}}) \leftarrow \text{ DBLU}({\varvec{P}})\), this can be obtained as ZADDU\((\varvec{\tilde{P}}, 2{\varvec{P}})\) with \(5\mathsf M + 2\mathsf S \) and no additional cost to update \({\varvec{P}}\) for its \(Z\)-coordinate becoming equal to that of \(3{\varvec{P}}\). The corresponding operation, tripling with update, is denoted TPLU\(({\varvec{P}})\) and its total cost is of \(\underline{6\mathsf M + 7\mathsf S }\).
Concerning the memory requirements, the two algorithms, namely DBLU and TPLU, can be implemented using at most \(6\) field registers [16].
Rights and permissions
About this article
Cite this article
Baldwin, B., Goundar, R.R., Hamilton, M. et al. Co-\(Z\) ECC scalar multiplications for hardware, software and hardware–software co-design on embedded systems. J Cryptogr Eng 2, 221–240 (2012). https://doi.org/10.1007/s13389-012-0042-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13389-012-0042-2