
Elliptic Curve Cryptography

Bruce Jacob

1.7.3 Elliptic Curve Cryptography

Another important public-key cryptosystem is the one based on elliptic curves. It is important to point out that, as mentioned previously, ECC offers security equivalent to that of RSA for much smaller key sizes. Other benefits include higher speed, lower power consumption, and smaller certificates, which is especially useful in constrained environments.

1.7.3.1 Mathematical Background

Most of the public-key algorithms require the structure of an algebraic group. In the case of ECC, the group of points on an elliptic curve is used. Public and private keys are defined as points on a curve and the one-way function is the multiplication of a point with a scalar. Therefore, Alice, having as private key some integer $e_A$, can send Bob a multiple of a point $P$, namely $e_A P$, which is also a point on the same curve that $P$ lies on, due to the properties of a group. The problem of finding the logarithm in this group, i.e., finding $e$ for given $P$ and $eP$, is called the elliptic curve discrete logarithm problem (ECDLP). So, nobody can recover Alice's key $e_A$ in the example above by knowing $e_A P$ and $P$, due to the difficulty of the ECDLP.

1.7.3.2 Elliptic Curves over Finite Fields

For cryptography, we need a finite cyclic group in which the group operation is efficiently computable, but the discrete logarithm problem is very difficult to solve. Elliptic curve groups appear to meet these criteria when the underlying field is finite. Elliptic curves that are used in most applications are defined over $\mathbb{F}_q$ with $q = p^m$ where $p$ is a prime number. In standards such as IEEE [IEE99] and ANSI [ANS], fields for $q = p$ and $q = 2^n$, where $p \approx 2^n$ and $n \geq 160$, are recommended. Also, it appears that elliptic curve systems over both prime ($\mathbb{F}_p$) and binary ($\mathbb{F}_{2^n}$) fields provide the same level of security, but fields $\mathbb{F}_{2^n}$ have some implementation advantages. Namely, arithmetic in $\mathbb{F}_{2^n}$ can be implemented more efficiently than arithmetic in $\mathbb{F}_p$, at least on platforms without specialized arithmetic coprocessors. With respect to theoretical security, it is typically recommended to use fields $\mathbb{F}_{2^p}$ where $p$ is a prime. The reason is that it was shown that if $p$ is not a prime, the ECDLP is sometimes easier than in the general case.

A set of points on an elliptic curve together with the point at infinity, denoted by $\infty$, and with point addition as binary operation has the structure of an Abelian group. The following equation

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

is called the Weierstrass equation for an elliptic curve. An elliptic curve $E$ is the set of solutions to the Weierstrass equation, together with the extra point at $\infty$.

First we consider finite fields of characteristic two.

A nonsupersingular elliptic curve $E$ over $\mathbb{F}_{2^n}$ is defined as the set of solutions $(x, y) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}$ to the following equation:

$$y^2 + xy = x^3 + ax^2 + b$$

where $a, b \in \mathbb{F}_{2^n}$, $b \neq 0$, together with $\infty$.

In the case of a field $\mathbb{F}_p$, we get the following equation:

$$y^2 = x^3 + ax + b$$

1.7.3.3 Algorithms for ECC

The main operation in any curve-based primitive is the scalar multiplication. The hierarchical structure of the operations required for implementations of curve-based cryptography is given in Fig. 1.38. Point multiplication is at the top level. It can be implemented using Algorithm 1, which is usually called point double-and-add. At the next (lower) level are the point group operations. The lowest level consists of the finite field operations, such as addition, subtraction, multiplication, and inversion, required to perform the group operations.

1.7.3.3.1 ECC Point Operations in $\mathbb{F}_p$

When $E$ is a curve defined with the Weierstrass equation, the inverse of the point $P = (x_1, y_1)$ is $-P = (x_1, -y_1)$. The sum $P + Q$ of points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ (assume that $P, Q \neq \infty$) is the point $R = (x_3, y_3)$ where

$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda (x_1 - x_3) - y_1,$$

$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[1ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \end{cases}$$

The point at $\infty$ plays a role analogous to that of the number 0 in ordinary addition. Thus, $P + \infty = P$ and $P + (-P) = \infty$ for all points $P$. As mentioned above, this operation gives an abelian group, and Fig. 1.39 shows the group law for the case of an elliptic curve over the set of real numbers. Here $P$ and $Q$ are two arbitrary points on an elliptic curve. Let $p$ be the line through $P$ and $Q$ and let $R'$ be the third point on $p$. The sum of $P$ and $Q$ is defined as the point $R$ that is the mirror image of $R'$ with respect to the $x$-axis. For a point doubling operation of a given point $P$, one has to draw the tangent line at $P$.
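The affine group law and the double-and-add point multiplication (Algorithm 1) described above, as an added example that is not part of the chapter. It uses a toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ with base point $(3, 6)$, parameters chosen here for illustration only, and inverts with Fermat's little theorem as in Section 1.7.3.4.2; the exhaustive logarithm search at the end is feasible only because the group is tiny, which is exactly what the ECDLP relies on.

```python
# Added example (not the chapter's own code): affine group law over F_p from
# Section 1.7.3.3.1 and left-to-right double-and-add (Algorithm 1) for kP.
# Toy parameters for illustration only: y^2 = x^3 + 2x + 3 over F_97, G = (3, 6).
P_MOD = 97
A, B = 2, 3
G = (3, 6)
INF = None   # the point at infinity

def inv_mod(v):
    """v^-1 = v^(p-2) mod p by Fermat's little theorem (Section 1.7.3.4.2)."""
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)   # -(x1,y1) = (x1,-y1)

def add(p, q):
    """P + Q: x3 = l^2 - x1 - x2, y3 = l(x1 - x3) - y1, with l as in the text."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                # Q = -P (also covers doubling a point with y1 = 0)
    if p != q:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD
    else:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mul(k, pt):
    """Algorithm 1: scan k from its MSB, double each step, add pt on a 1 bit.
    Not constant time: the add depends on the key bit (cf. Section 1.7.5)."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r

def dlog_bruteforce(pt, target, limit=1000):
    """Find e with e*pt == target by exhaustive search; feasible only on a toy
    curve. At the 160-bit sizes of Section 1.7.3.2 this is the hard ECDLP."""
    r = INF
    for e in range(limit):
        if r == target:
            return e
        r = add(r, pt)
    return None

if __name__ == "__main__":
    q_a = scalar_mul(23, G)                  # Alice's public point e_A * G, e_A = 23
    print(q_a, on_curve(q_a), dlog_bruteforce(G, q_a))
```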

[Fig. 1.38: hierarchy of operations for curve-based cryptography. Top level: ECC point multiplication $kP$; middle level: group operations, point add/double; lowest level: finite field arithmetic, i.e., multiplication, addition, subtraction, and inversion.]

There are many types of coordinates in which an elliptic curve may be represented. In the equations above, affine coordinates are used, but the so-called projective coordinates have some implementation advantages. The main advantage is that point addition can be done in projective coordinates using only field multiplications, with no inversions required. Thus, inversions become almost irrelevant, as only one inversion needs to be performed at the end of a point multiplication operation. A projective point $(X, Y, Z)$ on the curve satisfies the homogeneous Weierstrass equation:

$$Y^2 Z = X^3 + aXZ^2 + bZ^3$$

and, when $Z \neq 0$, it corresponds to the affine point $(X/Z, Y/Z)$. It was shown that other projective representations result in more efficient implementations of the group operation [CMO98]. In particular, a weighted projective representation (also referred to as Jacobian representation) is preferred in the sense of faster arithmetic on elliptic curves [BSS99, IEE99]. In this representation, a triplet $(X, Y, Z)$ corresponds to the affine coordinates $(x, y) = (X/Z^2, Y/Z^3)$ for $Z \neq 0$. In this case, we have a weighted projective curve equation of the form:

$$Y^2 = X^3 + aXZ^4 + bZ^6$$

Weighted projective coordinates provide faster arithmetic than the "normal" projective coordinates. Conversion from projective to affine coordinates costs one inversion ($I$) and four multiplications ($M$), while the converse is trivial. If one implements addition and doubling in the way specified in the IEEE standard [IEE99], the total cost for general addition is $I + 3M$ in affine coordinates and $16M$ in projective coordinates. Here, $I$ and $M$ denote the modular inversion and multiplication operations, respectively. In the case of doubling (with $a = p - 3$, i.e., $a = -3$), this relation is $I + 4M$ in affine coordinates against $8M$ in projective coordinates. Thus, the choice of coordinates is determined by the ratio $I : M$. Therefore, multiplication in the finite field is the most important operation to focus on when working with projective coordinates. On the other hand, an extra inverter is required for the affine coordinate representation, because one inversion has to be performed for every point operation.

1.7.3.3.2 ECC Point Operations in $\mathbb{F}_{2^n}$

Here we consider a finite field of characteristic 2, i.e., $\mathbb{F}_{2^n}$. For this case, we are only interested in curves that are nonsupersingular. A nonsupersingular elliptic curve $E$ over $\mathbb{F}_{2^n}$ is defined as the set of solutions $(x, y) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}$ of the equation $y^2 + xy = x^3 + ax^2 + b$, where $a, b \in \mathbb{F}_{2^n}$, $b \neq 0$, together with $\infty$.

The point addition in affine coordinates is performed according to the following formulae. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points on an elliptic curve $E$. Assume $P_1, P_2 \neq \infty$ and $P_1 \neq -P_2$. The sum $P_3 = (x_3, y_3) = P_1 + P_2$ is computed as follows [BSS99, p. 57]:

If $P_1 \neq P_2$:

$$\lambda = \frac{y_2 + y_1}{x_2 + x_1}, \qquad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda(x_1 + x_3) + x_3 + y_1$$

If $P_1 = P_2$:

$$\lambda = x_1 + \frac{y_1}{x_1}, \qquad x_3 = \lambda^2 + \lambda + a, \qquad y_3 = \lambda(x_1 + x_3) + x_3 + y_1$$

[Fig. 1.39: the group law on an elliptic curve over the reals, showing the points $P$, $Q$, the third intersection $R'$ of the line through them, and the sum $R$.]

Projective coordinates can be used also in this case to avoid the inversion in a binary field.

1.7.3.4 Finite Field Arithmetic for ECC

1.7.3.4.1 Modular Multiplication and Addition

By simply reducing the size of the modular arithmetic operations, ECC over $\mathbb{F}_p$ can be implemented with the same hardware algorithm as discussed for RSA implementations. Therefore, this section focuses on hardware architecture over $\mathbb{F}_{2^n}$. The hardware complexity is lower than for modular operations in $\mathbb{F}_p$ because binary field arithmetic is carry free.

There are many types of bases in which elements of $\mathbb{F}_{2^n}$ can be represented. A usual choice is the polynomial basis. In this basis, the basis elements have the form $1, \alpha, \alpha^2, \ldots, \alpha^{n-1}$, where $\alpha$ is a root in $\mathbb{F}_{2^n}$ of an irreducible polynomial $f$ of degree $n$ over $\mathbb{F}_2$. In this basis, the elements of $\mathbb{F}_{2^n}$ are polynomials of degree at most $n-1$ over $\mathbb{F}_2$, and arithmetic is carried out modulo an irreducible polynomial $f$ of degree $n$ over $\mathbb{F}_2$. According to this representation, an element of $\mathbb{F}_{2^n}$ is a polynomial of length $n$ and can be written as

$$A(x) = \sum_{j=0}^{n-1} a_j x^j, \quad \text{where } a_j \in \mathbb{F}_2.$$

The standard way to compute the product of two elements in this field is the one that uses convolution (Algorithm 7) [BG89]. On the other hand, addition can be implemented by means of XOR gates.

Algorithm 7: Bit-serial MSB-first polynomial-basis modular multiplication

Input: Irreducible polynomial $P(x) = x^n + \sum_{j=0}^{n-1} p_j x^j$, $A(x) = \sum_{j=0}^{n-1} a_j x^j$, $B(x) = \sum_{j=0}^{n-1} b_j x^j$, with $A(x), B(x) \in \mathbb{F}_{2^n}$
Output: $T(x) = A(x) B(x) \bmod P(x)$
1. $T(x) = 0$
2. for $i = n-1$ down to $0$ do
3. $T(x) = T(x) \cdot x \oplus a_i B(x) \oplus t_n P(x)$, where $t_n$ is the coefficient of $x^n$ in $T(x) \cdot x$
4. end for
5. return $T(x)$

Algorithm 7 computes bit-serial MSB-first polynomial-basis modular multiplication. Different from the MMM, the irreducible polynomial $P(x)$ is XORed to the intermediate result, so that the MSB (the coefficient $t_n$ of $x^n$ in the polynomial $T(x)$) becomes 0 (Fig. 1.40).

1.7.3.4.2 Modular Inversion

As observed above, for implementations of ECC one has to implement the inversion operation. For curves over prime fields the easiest solution is to use Fermat's theorem [Kob94]. In that case inversion is performed by means of repeated multiplications and squarings. More precisely, if $p$ is a prime, it holds that

$$a^{p-1} \equiv 1 \pmod p \quad \text{for } a \not\equiv 0 \pmod p,$$

known as Fermat's little theorem. Then it follows that $a^{p-2} \equiv a^{-1} \pmod p$, which means that one can compute an inverse via modular exponentiation.

In the case of affine coordinates, where many inversions have to be computed (i.e., one for each point operation), a dedicated inverter is often necessary to improve the performance. Some prominent examples from the literature include [GTK02], where the authors also used the idea of Montgomery. On the other hand, if projective coordinates are deployed, only one inversion is required for the whole point multiplication. In this case, using exponentiation is the most common choice.

For ECC over binary fields, the most efficient algorithm for inversion is the extended Euclidean algorithm [MOV97]. The drawback is that it is very difficult to implement in hardware. Hence, for hardware implementations one also uses Fermat's little theorem, i.e., the equation $a^{-1} = a^{2^n - 2}$ for all nonzero $a \in \mathbb{F}_{2^n}$. The technique to compute this in an optimal way is based on the idea of Itoh and Tsujii [IT88].
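The binary-field point formulae of Section 1.7.3.3.2, Algorithm 7, and the inversion $a^{-1} = a^{2^n-2}$ above, combined in one added example that is not the chapter's code. It assumes toy parameters chosen here for illustration: $\mathbb{F}_{2^4}$ with $P(x) = x^4 + x + 1$ and the curve $y^2 + xy = x^3 + (x+1)x^2 + 1$; the exhaustive point enumeration at the end only makes sense at this size.

```python
# Added example (not from the chapter): polynomial-basis arithmetic in F_{2^n}
# via Algorithm 7, Fermat inversion a^-1 = a^(2^n-2), and the affine group law
# of Section 1.7.3.3.2. Elements are ints, bit j = coefficient of x^j; + is XOR.
N = 4                   # toy field F_{2^4}, for illustration only
POLY = 0b10011          # P(x) = x^4 + x + 1, irreducible over F_2
A, B = 0b0011, 0b0001   # curve y^2 + xy = x^3 + A x^2 + B, with B != 0
INF = None              # the point at infinity

def gf_mul(a, b, n=N, poly=POLY):
    """Algorithm 7: T = T*x + a_i*B(x) + t_n*P(x) for i = n-1 down to 0."""
    t = 0
    for i in range(n - 1, -1, -1):
        t <<= 1                   # T(x) <- T(x) * x
        if (a >> i) & 1:          # XOR in a_i B(x)
            t ^= b
        if (t >> n) & 1:          # t_n = 1: XOR in P(x) so the x^n term vanishes
            t ^= poly
    return t

def gf_inv(a, n=N):
    """a^-1 = a^(2^n - 2) by square-and-multiply over gf_mul (a != 0)."""
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def on_curve(p):
    if p is INF:
        return True
    x, y = p
    return (gf_mul(y, y) ^ gf_mul(x, y)) == (gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B)

def neg(p):
    return INF if p is INF else (p[0], p[0] ^ p[1])   # -(x, y) = (x, x + y)

def add(p1, p2):
    """P1 + P2 with the formulae of [BSS99] p. 57 quoted in the text."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    if p1 == neg(p2):
        return INF                # P + (-P) = infinity
    x1, y1 = p1
    x2, y2 = p2
    if p1 != p2:
        lam = gf_mul(y2 ^ y1, gf_inv(x2 ^ x1))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    else:                         # doubling; x1 != 0 because P1 != -P1
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def all_points():
    return [INF] + [(x, y) for x in range(1 << N) for y in range(1 << N)
                    if on_curve((x, y))]
```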

1.7.4 Architectures Supporting Both RSA and ECC

It can be concluded that elliptic curve cryptosystems also rely on efficient finite field arithmetic, especially on field multiplication. As already mentioned, typical fields are not only prime fields, as in the case of RSA, but also binary fields. The latter are often recommended because binary field arithmetic is easier to implement and area and power consumption are smaller than in the case of prime fields. This is believed to be true, but only for platforms where specialized arithmetic coprocessors for finite field arithmetic are not available. On the other hand, an advantage of prime fields is their suitability for both RSA and ECC with sharing of hardware resources. This trend can be observed mainly in some recent works, as ECC has only recently proved its potential and started replacing RSA in some applications. The work of Crowe et al. [CDM05] also proposed a single architecture for RSA and ECC. A hardware-optimized version of the Montgomery multiplication method is used for modular multiplication. The so-called dual processor could operate in parallel for ECC or in a pipelined series for RSA.

The contribution presented in [BBÖ04] deals with an FPGA implementation of RSA and ECC cryptosystems over a field of prime characteristic. The authors used a systolic array to achieve arbitrary precision in bits, hence easily bridging the gap between the bit-lengths for ECC, from 160 bits, and the 2048-bit (or longer) moduli for RSA. There also exists some related work on so-called dual-field ECC, which deals with processors that can support both types of fields for ECC. Wolkerstorfer [Wol02] proposed a unique arithmetic unit that supports addition and multiplication for prime and binary fields. A scalable dual-field ECC processor is described in the work by Satoh and Takano [ST03]. They proposed a high-speed version of the processor and another, compact one.

[Fig. 1.40: bit-serial MSB-first multiplier for Algorithm 7. An $n$-bit register holds $T(x)$; in each cycle it is updated with $T(x) \cdot x$, XORed with $a_i B(x)$ and with $t_{n-1} P(x)$.]

1.7.5 Concluding Remarks

Owing not only to all the previously mentioned threats but also to the various constraints that are imposed by security applications, special care is required when implementing a cryptographic algorithm. In particular, implementations of public-key cryptography present a challenge for most application platforms, varying from software to hardware. The reason is that one has to deal with very long numbers (up to 2048 bits) in conditions that can be quite severe in cost, area, and power. Emerging examples are RFID tags and sensor networks. For implementations of cryptographic protocols to achieve various security applications, it is not enough to come up with an efficient implementation; it also has to be secure against side-channel attacks. With respect to this, it is well known that although software platforms offer a cost-effective and flexible solution, only hardware implementations provide a suitable level of security against side-channel attacks.

Acknowledgments

Kazuo Sakiyama and Lejla Batina are funded by a research grant from the Katholieke Universiteit (KU) Leuven and Fund for Scientific Research-Flanders (FWO) projects G.0450.04 and G.0475.05. This work was supported in part by the Interuniversity Attraction Pole (IAP) program P6/26 Belgian Fundamental Research on Cryptology and Information Security (BCRYPT) of the Belgian State (Belgian Science Policy), by the European Union Information Society Technologies (EU IST) FP6 projects Security for Embedded Systems on Chip (SESOC) and European Network of Excellence for Cryptology (ECRYPT), by KU Leuven, and by the Interdisciplinary Institute for Broadband Technology Quality of Experience (IBBT-QoE) project of the IBBT.

References

[ANS] ANSI. ANSI X9.62 The elliptic curve digital signature algorithm (ECDSA). http://www.ansi.org.

[BBÖ04] L. Batina, G. Bruin-Muurling, and S.B. Örs. Flexible hardware design for RSA and elliptic curve cryptosystems. In T. Okamoto (Ed.), Topics in Cryptology, CT-RSA: The Cryptographers' Track at the RSA Conference, No. 2964 in LNCS, pp. 250–263, Springer-Verlag, Berlin, Heidelberg, 2004.

[BDK98] J.C. Bajard, L.S. Didier, and P. Kornerup. An RNS Montgomery's modular multiplication. IEEE Transactions on Computers, 19(2): 167–178, 1998.

[BG89] T. Beth and D. Gollmann. Algorithm engineering for public key algorithm. IEEE Journal on Selected Areas in Communications, 7(4): 458–465, 1989.

[BM02] L. Batina and G. Muurling. Montgomery in practice: How to do it more efficiently in hardware. In B. Preneel (Ed.), Topics in Cryptology, CT-RSA: The Cryptographers' Track at the RSA Conference, No. 2271 in LNCS, pp. 40–52, Springer-Verlag, Berlin, Heidelberg, 2002.

[BSS99] I. Blake, G. Seroussi, and N.P. Smart. Elliptic Curves in Cryptography. London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge, 1999.

[CDM05] F. Crowe, A. Daly, and W. Marnane. A scalable dual mode arithmetic unit for public key cryptosystems. Proceedings of the IEEE International Conference on Information Technology (ITCC'05), pp. 568–573, 2005.

[CMO98] H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. In K. Ohta and D. Pei (Eds.), Proceedings of ASIACRYPT 1998, No. 1514 in LNCS, pp. 51–65, Springer-Verlag, Berlin, Heidelberg, 1998.

[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22: 644–654, 1976.

[ECRYPT-AZT] ECRYPT Yearly Report on Algorithms and Keysizes (2004), Document D.SPA.10, available at www.ecrypt.eu.org.

[EW93] S.E. Eldridge and C.D. Walter. Hardware implementation of Montgomery's modular multiplication algorithm. IEEE Transactions on Computers, 42: 693–699, 1993.

[Gor98] D.M. Gordon. A survey of fast exponentiation methods. Journal of Algorithms, 27: 129–146, 1998.

[GTK02] A. Gutub, A.F. Tenca, and Ç.K. Koç. Scalable VLSI architecture for GF(p) Montgomery modular inverse computation. Proceedings of the IEEE Computer Society Annual Symposium on VLSI, pp. 53–58, 2002.

[IEE99] IEEE P1363. Standard specifications for public-key cryptography, 1999.

[IT88] T. Itoh and S. Tsujii. Effective recursive algorithm for computing multiplicative inverses in GF(2^m). Electronics Letters, 24(6): 334–335, 1988.

[IMI94] K. Iwamura, T. Matsumoto, and H. Imai. Montgomery modular multiplication method and systolic arrays suitable for modular exponentiation. Electronics and Communications in Japan, 77(3): 40–50, 1994.

[JHS93] K.T. Johnson, A.R. Hurson, and B. Shirazi. General-purpose systolic arrays. IEEE Computer, 26(11): 20–31, 1993.

[KJJ99] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. Wiener (Ed.), Advances in Cryptology: Proceedings of CRYPTO'99, No. 1666 in LNCS, pp. 388–397, Springer-Verlag, Berlin, Heidelberg, 1999.

[Knu98] D.E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Addison-Wesley, 3rd ed., 1998.

[Kob87] N. Koblitz. Elliptic curve cryptosystem. Mathematics of Computation, 48: 203–209, 1987.

[Koc95] Ç.K. Koç. RSA hardware implementation. Technical Report, RSA Laboratories, 1995.

[Kob94] N. Koblitz. A Course in Number Theory and Cryptography, Graduate Texts in Mathematics, Vol. 114, 2nd ed., Springer-Verlag, Berlin, Heidelberg, New York, 1994.

[Koc96] P. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In N. Koblitz (Ed.), Advances in Cryptology: Proceedings of CRYPTO'96, No. 1109 in LNCS, pp. 104–113, Springer-Verlag, Berlin, Heidelberg, 1996.

[LV00] A. Lenstra and E. Verheul. Selecting cryptographic key sizes. In H. Imai and Y. Zheng (Eds.), Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000), No. 1751 in LNCS, pp. 446–465, Springer-Verlag, Berlin, Heidelberg, 2000.

[MK01] M.M. Mano and C.R. Kime. Logic and Computer Design Fundamentals, 2nd ed., Prentice Hall, Englewood Cliffs, NJ, 2001.

[Mil85] V. Miller. Uses of elliptic curves in cryptography. In H.C. Williams (Ed.), Advances in Cryptology: Proceedings of CRYPTO'85, No. 218 in LNCS, pp. 417–426, Springer-Verlag, Berlin, Heidelberg, 1985.

[Mon85] P. Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170): 519–521, 1985.

[MOV97] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, FL, 1997.

[PP98] K.C. Posch and R. Posch. Modulo reduction in residue number systems. IEEE Transactions on Parallel and Distributed Systems, 6(5): 449–454, 1998.

[QC82] J.-J. Quisquater and C. Couvreur. Fast decipherment algorithm for RSA public-key cryptosys-