Refined Computations for Points of the Form 2kP Based on Montgomery Trick

HIRATA, Tomio, ADACHI, Daisuke

01 January 2006

No description available.

window method

Montgomery trick

elliptic curve arithmetic

scalar multiplication

High Speed Scalar Multiplication Architecture for Elliptic Curve Cryptosystem

Hsu, Wei-Chiang

28 July 2011

An important advantage of Elliptic Curve Cryptosystem (ECC) is the shorter key length in public key cryptographic systems. It can provide adequate security when the bit length over than 160 bits. Therefore, it has become a popular system in recent years. Scalar multiplication also called point multiplication is the core operation in ECC. In this thesis, we propose the ECC architectures of two different irreducible polynomial versions that are trinomial in GF(2167) and pentanomial in GF(2163). These architectures are based on Montgomery point multiplication with projective coordinate. We use polynomial basis representation for finite field arithmetic. All adopted multiplication, square and add operations over binary field can be completed within one clock cycle, and the critical path lies on multiplication. In addition, we use Itoh-Tsujii algorithm combined with addition chain, to execute binary inversion through using iterative binary square and multiplication. Because the double and add operations in point multiplication need to run many iterations, the execution time in overall design will be decreased if we can improve this partition. We propose two ways to improve the performance of point multiplication. The first way is Minus Cycle Version. In this version, we reschedule the double and add operations according to point multiplication algorithm. When the clock cycle time (i.e., critical path) of multiplication is longer than that of add and square, this method will be useful in improving performance. The second way is Pipeline Version. It speeds up the multiplication operations by executing them in pipeline, leading to shorter clock cycle time. For the hardware implementation, TSMC 0.13um library is employed and all modules are organized in a hierarchy structure. The implementation result shows that the proposed 167-bit Minus Cycle Version requires 156.4K gates, and the execution time of point multiplication is 2.34us and the maximum speed is 591.7Mhz. Moreover, we compare the Area x Time (AT) value of proposed architectures with other relative work. The results exhibit that proposed 167-bit Minus Cycle Version is the best one and it can save up to 38% A T value than traditional one.

Elliptic Curve Cryptosystem

Polynomial Basis

Irreducible Polynomial

Montgomery Scalar Multiplication

Finite Field

Energy-Efficient Scalable Serial-Parallel Multiplication Architecture for Elliptic Curve Cryptosystem

Su, Chuan-Shen

25 July 2012

In asymmetric cryptosystems, an important advantage of Elliptic Curve Cryptosystem (ECC) is the shorter key lengths than other cryptosystems. It can provide a level of security when the bit length over than 160 bits. So it has become a popular public key cryptographic system in recent year. Multiplier needs to run many times in scalar multiplication and it plays an essential role in ECC. Since the registers in multiplier are shifted every iteration, it will consume a lot of power in the computing process. So in this thesis, we propose five methods to save multiplication¡¦s energy consumption based on a scalable serial-parallel algorithm[1]. The first method is to design a low-power shift-register by modifying shift-register B to reduce the frequency of registers shifted. The second method is to use a frequency divider circuit. It can make registers to access a value every two clock cycles by modifying RA units. The third method is to introduce the gated clock circuit, and the clock signal of register will be disabled if its value is the same. The fourth method is to skip redundant operations and it can decrease the number of clock cycles for completing a multiplication operation. The last method raises multiplier¡¦s throughput by modifying RA units. The former three methods focus on low-power design, and the latter two methods emphasize on improving performance. Reducing power consumption and improving performance will save multiplication¡¦s energy consumption. Finally, we propose a Half Cycles schedule to raise scalar multiplication¡¦s performance. It is based on Montgomery scalar multiplication algorithm with projective coordinate[22][26]. For the hardware implementation, TSMC 0.13um library is employed and all modules are organized in a hierarchy structure. The implementation results show that the proposed multipliers have less energy consumption than traditional multiplier. It can get 5% ~ 24% energy saving. For Montgomery scalar multiplication, it can also reduce 12% ~ 47% energy consumption and is suitable for portable electronic products because its low area complexity and low energy.

Shift Registers

Serial/Parallel Multiplier

Frequency Divider Circuit

Elliptic Curve Cryptosystem

Scalar Multiplication On Elliptic Curves

Yayla, Oguz

01 August 2006

Elliptic curve cryptography has gained much popularity in the past decade and has been challenging the dominant RSA/DSA systems today. This is mainly due to elliptic curves offer cryptographic systems with higher speed, less memory and smaller key sizes than older ones. Among the various arithmetic operations required in implementing public key cryptographic algorithms based on elliptic curves, the elliptic curve scalar multiplication has probably received the maximum attention from the research community in the past a few years. Many methods for efficient and secure implementation of scalar multiplication have been proposed by many researchers. In this thesis, many scalar multiplication methods are studied in terms of their mathematical, computational and implementational points.

Cryptographie à base de courbes elliptiques et sécurité de composants embarqués / Elliptic curve cryptography and security of embedded devices

Verneuil, Pierre

13 June 2012

Les systèmes cryptographiques à base de courbes elliptiques sont aujourd'hui de plus en plus employés dans les protocoles utilisant la cryptographie à clef publique. Ceci est particulièrement vrai dans le monde de l'embarqué qui est soumis à de fortes contraintes de coût, de ressources et d'efficacité, car la cryptographie à base de courbes elliptiques permet de réduire significativement la taille des clefs utilisées par rapport aux systèmes cryptographiques précédemment employés tels que RSA (Rivest-Shamir-Adleman). Les travaux qui suivent décrivent dans un premier temps l'implantation efficace et sécurisée de la cryptographie à base de courbes elliptiques sur des composants embarqués, en particulier des cartes à puce. La sécurisation de ces implantations nécessite de prendre en compte les attaques physiques dont un composant embarqué peut être la cible. Ces attaques incluent notamment les analyses par canaux auxiliaires qui consistent à observer le comportement d'un composant pendant qu'il manipule une valeur secrète pour en déduire de l'information sur celle-ci, et les analyses par faute dans lesquelles un attaquant peut perturber un composant dans le même but.Dans la seconde partie de ce mémoire de thèse, nous étudions ces attaques et leurs implications concernant l'implantation des systèmes cryptographiques à clef publique les plus répandus. De nouvelles méthodes d'analyse et de nouvelles contre-mesures sont en particulier proposées. Une étude spécifique de certaines attaques appliquées à l'algorithme de chiffrement par bloc AES est également présentée. / Elliptic curve based cryptosystems are nowadays increasingly used in protocols involving public-key cryptography. This is particularly true in the context of embedded devices which is subject to strong cost, resources, and efficiency constraints, since elliptic curve cryptography requires significantly smaller key sizes compared to other commonly used cryptosystems such as RSA.The following study focuses in a first time on secure and efficient implementation of elliptic curve cryptography in embedded devices, especially smart cards. Designing secure implementations requires to take into account physical attacks which can target embedded devices. These attacks include in particular side-channel analysis which may infer information on a secret key manipulated by a component by monitoring how it interacts with its environment, and fault analysis in which an adversary can disturb the normal functioning of a device in the same goal.In the second part of this thesis, we study these attacks and their impact on the implementation of the most used public-key cryptosystems. In particular, we propose new analysis techniques and new countermeasures for these cryptosystems, together with specific attacks on the AES block cipher.

Cryptographie

Analyse par canaux auxilliaires

Courbes elliptiques

Rsa

Multiplication scalaire

Exponentiation

Cryptography

Side-channel analysis

Elliptic curves

Rsa

Scalar multiplication

Exponentiation

Contrer l'attaque Simple Power Analysis efficacement dans les applications de la cryptographie asymétrique, algorithmes et implantations / Thwart simple power analysis efficiently in asymmetric cryptographic applications, algorithms and implementations

Robert, Jean-Marc

08 December 2015

Avec le développement des communications et de l'Internet, l'échange des informations cryptées a explosé. Cette évolution a été possible par le développement des protocoles de la cryptographie asymétrique qui font appel à des opérations arithmétiques telles que l'exponentiation modulaire sur des grands entiers ou la multiplication scalaire de point de courbe elliptique. Ces calculs sont réalisés par des plates-formes diverses, depuis la carte à puce jusqu'aux serveurs les plus puissants. Ces plates-formes font l'objet d'attaques qui exploitent les informations recueillies par un canal auxiliaire, tels que le courant instantané consommé ou le rayonnement électromagnétique émis par la plate-forme en fonctionnement.Dans la thèse, nous améliorons les performances des opérations résistantes à l'attaque Simple Power Analysis. Sur l'exponentiation modulaire, nous proposons d'améliorer les performances par l'utilisation de multiplications modulaires multiples avec une opérande commune optimisées. Nous avons proposé trois améliorations sur la multiplication scalaire de point de courbe elliptique : sur corps binaire, nous employons des améliorations sur les opérations combinées AB,AC et AB+CD sur les approches Double-and-add, Halve-and-add et Double/halve-and-add et l'échelle binaire de Montgomery ; sur corps binaire, nous proposons de paralléliser l'échelle binaire de Montgomery ; nous réalisons l'implantation d'une approche parallèle de l'approche Right-to-left Double-and-add sur corps premier et binaire, Halve-and-add et Double/halve-and-add sur corps binaire. / The development of online communications and the Internet have made encrypted data exchange fast growing. This has been possible with the development of asymmetric cryptographic protocols, which make use of arithmetic computations such as modular exponentiation of large integer or elliptic curve scalar multiplication. These computations are performed by various platforms, including smart-cards as well as large and powerful servers. The platforms are subject to attacks taking advantage of information leaked through side channels, such as instantaneous power consumption or electromagnetic radiations.In this thesis, we improve the performance of cryptographic computations resistant to Simple Power Analysis. On modular exponentiation, we propose to use multiple multiplications sharing a common operand to achieve this goal. On elliptic curve scalar multiplication, we suggest three different improvements : over binary fields, we make use of improved combined operation AB,AC and AB+CD applied to Double-and-add, Halve-and-add and Double/halve-and-add approaches, and to the Montgomery ladder ; over binary field, we propose a parallel Montgomery ladder ; we make an implementation of a parallel approach based on the Right-to-left Double-and-add algorithm over binary and prime fields, and extend this implementation to the Halve-and-add and Double/halve-and-add over binary fields.

Cryptographie

Protocole asymétrique

Arithmétique des corps finis

Exponentiation modulaire

Opération combinée

Implantation parallèle

Échelle binaire de Montgomery

Cryptography

Asymmetric protocol

Finite field arithmetic

Modular exponentiation

Elliptic curve scalar multiplication

Opération combinée

Parallel implementation

Montgomery's binary ladder

005.8

Elliptic curve cryptography algorithms resistant against power analysis attacks on resource constrained devices / Algorithmes cryptographiques à base de courbes elliptiques résistant aux attaques par analyse de consommation

Houssain, Hilal

21 December 2012

Les systèmes de cryptographie à base de courbe elliptique (ECC) ont été adoptés comme des systèmes standardisés de cryptographie à clé publique (PKC) par l'IEEE, ANSI, NIST, SEC et WTLS. En comparaison avec la PKC traditionnelle, comme RSA et ElGamal, l'ECC offre le même niveau de sécurité avec des clés de plus petites tailles. Cela signifie des calculs plus rapides et une consommation d'énergie plus faible ainsi que des économies de mémoire et de bande passante. Par conséquent, ECC est devenue une technologie indispensable, plus populaire et considérée comme particulièrement adaptée à l’implémentation sur les dispositifs à ressources restreintes tels que les réseaux de capteurs sans fil (WSN). Le problème majeur avec les noeuds de capteurs chez les WSN, dès qu'il s'agit d’opérations cryptographiques, est les limitations de leurs ressources en termes de puissance, d'espace et de temps de réponse, ce qui limite la capacité du capteur à gérer les calculs supplémentaires nécessaires aux opérations cryptographiques. En outre, les mises en oeuvre actuelles de l’ECC sur WSN sont particulièrement vulnérables aux attaques par canaux auxiliaires (SCA), en particulier aux attaques par analyse de consommation (PAA), en raison de l'absence de la sécurité physique par blindage, leur déploiement dans les régions éloignées et le fait qu’elles soient laissées sans surveillance. Ainsi, les concepteurs de crypto-processeurs ECC sur WSN s'efforcent d'introduire des algorithmes et des architectures qui ne sont pas seulement résistants PAA, mais également efficaces sans aucun supplément en termes de temps, puissance et espace. Cette thèse présente plusieurs contributions dans le domaine des cryptoprocesseurs ECC conscientisés aux PAA, pour les dispositifs à ressources limitées comme le WSN. Premièrement, nous proposons deux architectures robustes et efficaces pour les ECC conscientisées au PAA. Ces architectures sont basées sur des algorithmes innovants qui assurent le fonctionnement de base des ECC et qui prévoient une sécurisation de l’ECC contre les PAA simples (SPA) sur les dispositifs à ressources limitées tels que les WSN. Deuxièmement, nous proposons deux architectures additionnelles qui prévoient une sécurisation des ECC contre les PAA différentiels (DPA). Troisièmement, un total de huit architectures qui incluent, en plus des quatre architectures citées ci-dessus pour SPA et DPA, deux autres architectures dérivées de l’architecture DPA conscientisée, ainsi que deux architectures PAA conscientisées. Les huit architectures proposées sont synthétisées en utilisant la technologie des réseaux de portes programmables in situ (FPGA). Quatrièmement, les huit architectures sont analysées et évaluées, et leurs performances comparées. En plus, une comparaison plus avancée effectuée sur le niveau de la complexité du coût (temps, puissance, et espace), fournit un cadre pour les concepteurs d'architecture pour sélectionner la conception la plus appropriée. Nos résultats montrent un avantage significatif de nos architectures proposées par rapport à la complexité du coût, en comparaison à d'autres solutions proposées récemment dans le domaine de la recherche. / Elliptic Curve Cryptosystems (ECC) have been adopted as a standardized Public Key Cryptosystems (PKC) by IEEE, ANSI, NIST, SEC and WTLS. In comparison to traditional PKC like RSA and ElGamal, ECC offer equivalent security with smaller key sizes, in less computation time, with lower power consumption, as well as memory and bandwidth savings. Therefore, ECC have become a vital technology, more popular and considered to be particularly suitable for implementation on resource constrained devices such as the Wireless Sensor Networks (WSN). Major problem with the sensor nodes in WSN as soon as it comes to cryptographic operations is their extreme constrained resources in terms of power, space, and time delay, which limit the sensor capability to handle the additional computations required by cryptographic operations. Moreover, the current ECC implementations in WSN are particularly vulnerable to Side Channel Analysis (SCA) attacks; in particularly to the Power Analysis Attacks (PAA), due to the lack of secure physical shielding, their deployment in remote regions and it is left unattended. Thus designers of ECC cryptoprocessors on WSN strive to introduce algorithms and architectures that are not only PAA resistant, but also efficient with no any extra cost in terms of power, time delay, and area. The contributions of this thesis to the domain of PAA aware elliptic curve cryptoprocessor for resource constrained devices are numerous. Firstly, we propose two robust and high efficient PAA aware elliptic curve cryptoprocessors architectures based on innovative algorithms for ECC core operation and envisioned at securing the elliptic curve cryptoprocessors against Simple Power Analysis (SPA) attacks on resource constrained devices such as the WSN. Secondly, we propose two additional architectures that are envisioned at securing the elliptic curve cryptoprocessors against Differential Power Analysis (DPA) attacks. Thirdly, a total of eight architectures which includes, in addition to the two SPA aware with the other two DPA awareproposed architectures, two more architectures derived from our DPA aware proposed once, along with two other similar PAA aware architectures. The eight proposed architectures are synthesized using Field Programmable Gate Array (FPGA) technology. Fourthly, the eight proposed architectures are analyzed and evaluated by comparing their performance results. In addition, a more advanced comparison, which is done on the cost complexity level (Area, Delay, and Power), provides a framework for the architecture designers to select the appropriate design. Our results show a significant advantage of our proposed architectures for cost complexity in comparison to the other latest proposed in the research field.

Attaques par canaux auxiliaires

Attaques par analyse de consommation

Multiplication scalaire

Wireless Sensor Networks

Elliptic Curve Cryptography

Side Channel Attacks

Power Analysis Attacks

Simple Power Analysis Attacks

Differential Power Analysis Attacks

Scalar Multiplication

Elliptic Curve Cryptography for Lightweight Applications.

Hitchcock, Yvonne Roslyn

January 2003

Elliptic curves were first proposed as a basis for public key cryptography in the mid 1980's. They provide public key cryptosystems based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP) , which is so called because of its similarity to the discrete logarithm problem (DLP) over the integers modulo a large prime. One benefit of elliptic curve cryptosystems (ECCs) is that they can use a much shorter key length than other public key cryptosystems to provide an equivalent level of security. For example, 160 bit ECCs are believed to provide about the same level of security as 1024 bit RSA. Also, the level of security provided by an ECC increases faster with key size than for integer based discrete logarithm (dl) or RSA cryptosystems. ECCs can also provide a faster implementation than RSA or dl systems, and use less bandwidth and power. These issues can be crucial in lightweight applications such as smart cards. In the last few years, ECCs have been included or proposed for inclusion in internationally recognized standards. Thus elliptic curve cryptography is set to become an integral part of lightweight applications in the immediate future. This thesis presents an analysis of several important issues for ECCs on lightweight devices. It begins with an introduction to elliptic curves and the algorithms required to implement an ECC. It then gives an analysis of the speed, code size and memory usage of various possible implementation options. Enough details are presented to enable an implementer to choose for implementation those algorithms which give the greatest speed whilst conforming to the code size and ram restrictions of a particular lightweight device. Recommendations are made for new functions to be included on coprocessors for lightweight devices to support ECC implementations Another issue of concern for implementers is the side-channel attacks that have recently been proposed. They obtain information about the cryptosystem by measuring side-channel information such as power consumption and processing time and the information is then used to break implementations that have not incorporated appropriate defences. A new method of defence to protect an implementation from the simple power analysis (spa) method of attack is presented in this thesis. It requires 44% fewer additions and 11% more doublings than the commonly recommended defence of performing a point addition in every loop of the binary scalar multiplication algorithm. The algorithm forms a contribution to the current range of possible spa defences which has a good speed but low memory usage. Another topic of paramount importance to ECCs for lightweight applications is whether the security of fixed curves is equivalent to that of random curves. Because of the inability of lightweight devices to generate secure random curves, fixed curves are used in such devices. These curves provide the additional advantage of requiring less bandwidth, code size and processing time. However, it is intuitively obvious that a large precomputation to aid in the breaking of the elliptic curve discrete logarithm problem (ECDLP) can be made for a fixed curve which would be unavailable for a random curve. Therefore, it would appear that fixed curves are less secure than random curves, but quantifying the loss of security is much more difficult. The thesis performs an examination of fixed curve security taking this observation into account, and includes a definition of equivalent security and an analysis of a variation of Pollard's rho method where computations from solutions of previous ECDLPs can be used to solve subsequent ECDLPs on the same curve. A lower bound on the expected time to solve such ECDLPs using this method is presented, as well as an approximation of the expected time remaining to solve an ECDLP when a given size of precomputation is available. It is concluded that adding a total of 11 bits to the size of a fixed curve provides an equivalent level of security compared to random curves. The final part of the thesis deals with proofs of security of key exchange protocols in the Canetti-Krawczyk proof model. This model has been used since it offers the advantage of a modular proof with reusable components. Firstly a password-based authentication mechanism and its security proof are discussed, followed by an analysis of the use of the authentication mechanism in key exchange protocols. The Canetti-Krawczyk model is then used to examine secure tripartite (three party) key exchange protocols. Tripartite key exchange protocols are particularly suited to ECCs because of the availability of bilinear mappings on elliptic curves, which allow more efficient tripartite key exchange protocols.

Elliptic curve (EC)

elliptic curve cryptosystem (ECC)

discrete logarithm problem (DLP)

speed

code size

memory usage

ram usage

fixed curve

random curve

Pollard's rho method

Canetti-Krawczyk proof model

key exchange protocols

security proof

tripartite key exchange

pairings

password-based authentication

point addition

projective coordinates

Jacobian coordinates

Chudnovsky Jacobian coordinates

modified Jacobian coordinates

binary method

simultaneous multiple exponentiation

two-in-one scalar multiplication

coprocessor

smart card

lightweight device

simple power analysis (spa)

side channel attack

equivalent security.