# A scalable and high performance elliptic curve processor with resistance to timing attacks

## Summary (2 min read)

### 1. Introduction

- Elliptic curve cryptography (ECC) is a promising form of public key cryptography for next-generation embedded applications.
- Reference [3] provides an algorithm based on Montgomery’s method which requires a point double and point addition to occur at each scalar multiplication step, regardless of the key bit.
- This paper presents a scalable ECC hardware implementation that provides resistance to certain types of timing-based side-channel attacks.
- Moreover, through their proposed algorithm schedules, the datapath operators are running for every step of the algorithm regardless of the bit-pattern of the private key.
- Section five provides the performance results, and the conclusion is in section six.

### 2. Elliptic Curve Cryptosystem

- IEEE public-key standard specification (IEEE P1363) [8] defines the Elliptic Curve Cryptography algorithm.
- The elements of the Galois Field that satisfy the elliptic curve equation form a group with a specific addition operation.
- Calculating 2.P is referred to as the double operation, and the inverse of the addition operation is called subtraction.
- Figure 1 shows the point multiplication algorithm [8] that is based on the signed digit representation of integer k and is considered to be a faster point multiplication algorithm compared to the algorithm based on the regular binary representation [9].
- The details of these operations are presented in the next section.

### 3.1. Resistance against timing attack

- A timing attack is possible because of the data-dependent if-conditions shown in steps 3.2. and 3.3. [2].
- This security hole makes it possible to extract the bit pattern of the scalar k (key) using a timing attack.
- Figure 2 shows all the possibilities of double/addition/subtraction for all the different combinations of the three bits of k and h.
- Assuming that the result of the previous calculation is S, the new value is calculated using the value of S and the initial point P. Since P is a known point on the elliptic curve before the point multiplication algorithm starts, all the values mP are known values and can be pre-calculated and stored in the memory.
- This means that independent of Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05).

### 3.2. Performance optimization

- Considering three bits of the integer k at a time not only helps to hide the key pattern from the attacker, but also will provide delay optimization in the overall point multiplication algorithm.
- The speed optimization is that there will be only one addition/subtraction for every three bits of integer k, while the original algorithm requires one to three repeated additions/subtractions depending on the bit pattern of k and h.
- A similar method was also presented in [10] at the algorithm level (not implementation) for the point multiplication algorithm based on the binary representation.
- In this paper the authors use the algorithm based on the signed digit representation and the hardware architecture of the proposed modified algorithm is presented.
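The contrast drawn in sections 3.1 and 3.2, as an added example that is not code from the paper: a digit-at-a-time signed-digit multiplication with key-dependent branches beside a three-digits-at-a-time form that always performs 8S followed by one table addition. The figures are not reproduced on this page, so the digit rule (h = 3k, add when h_i = 1 and k_i = 0, subtract when h_i = 0 and k_i = 1) is taken from the standard signed-digit method; the integer stand-in for curve points, the identity start value, the handling of m = 0 and all function names are assumptions.

```python
# Added illustration, not the paper's hardware design. Integers under addition
# stand in for curve points (assumption): "double" is 2*S, "add" is S + Q.

def signed_digits(k):
    """Digits d_i = h_i - k_i with h = 3k, for i = l..1, most significant first."""
    h = 3 * k
    l = h.bit_length() - 1
    return [((h >> i) & 1) - ((k >> i) & 1) for i in range(l, 0, -1)]

def mult_branching(k, P):
    """One digit per step; the add/subtract only happens for nonzero digits."""
    S, trace = P, []                      # leading digit d_l is always +1
    for d in signed_digits(k)[1:]:
        S = 2 * S
        trace.append("D")
        if d == 1:                        # h_i = 1, k_i = 0
            S = S + P
            trace.append("A")
        elif d == -1:                     # h_i = 0, k_i = 1
            S = S - P
            trace.append("S")
    return S, "".join(trace)

def mult_windowed(k, P):
    """Three digits per step: S = 8S + mP with mP taken from a precomputed table."""
    digits = signed_digits(k)
    digits = [0] * (-len(digits) % 3) + digits      # pad to whole windows
    table = {m: m * P for m in range(-5, 6)}        # |m| <= 5 for non-adjacent digits
    S, trace = 0, []                                # 0 = group identity (assumption)
    for j in range(0, len(digits), 3):
        m = 4 * digits[j] + 2 * digits[j + 1] + digits[j + 2]
        S = 8 * S                                   # three doubles
        S = S + table[m]                            # always one add, even when m == 0
        trace.append("DDDA")
    return S, "".join(trace)

def distinct_traces(mult, keys, P=7):
    """Number of different operation sequences observed over a set of keys."""
    return len({mult(k, P)[1] for k in keys})

if __name__ == "__main__":
    keys = range(2**9, 2**10)                       # constructed sample: all 10-bit keys
    print("branching:", distinct_traces(mult_branching, keys), "distinct traces")
    print("windowed: ", distinct_traces(mult_windowed, keys), "distinct traces")
```

A software port would also need the `table[m]` lookup itself to take the same time for every m, which this sketch does not attempt.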

### 3.3. Point Double/Add/Subtract schedules

- Figure 4 shows the details of the double and add/subtract operations based on the projective coordinate representation of the points of the elliptic curve [8], [11].
- In their case the authors have chosen the bit-serial implementation of the GF multiplier and squarer operations.
- Figure 5 shows the optimized schedule of three double operations (8S) that is derived using two multipliers, one squarer and one adder.
- Add/subtract is based on the equations of Figure 4b.

### 3.4. Underlying Galois Field operations

- This section presents the architecture of underlying Galois Field operators.
- Generally there are a total of n registers that contain the output R. Therefore, the result of multiplication is ready after (n+1) cycles.
- Squaring is similar to the multiplication with the difference being the two operands are the same.
- Therefore, half of the bits of the input can be loaded into the output registers and every new coefficient is shifted over two positions [12].
- The authors have chosen the odd case because for secure elliptic curve cryptography based on GF(2^n), n must be a prime number.

### 4. Processor architecture

- Based on the modified point multiplication algorithm and the optimized schedules of elliptic curve three doubles and add/subtract operations that are presented in section three, a scalable and high speed elliptic curve cryptographic processor is implemented.
- This module includes a datapath that consists of the GF operators with their interconnections, the storage unit that keeps the intermediate variables (X, Y, Z, T1, T2, T3, T4), and the FSM that creates the control signals to perform the 8S ± mP operation schedule.
- Figure 10 shows the block diagram of the whole processor.
- The key scheduling unit calculates the value h = 3k and generates the decision signal for the ECC storage unit to choose the value mP for every three bits of k and h.

### 5. Performance Results

- The proposed elliptic curve crypto processor is designed using VHDL and is simulated using Modelsim.
- This processor is scalable and can be generated for any field GF(2^n) where n is the size of the datapath.
- Every time frame of the schedules in Figures 5 and 6 takes (n+3) cycles.

### 6. Conclusion

- A high performance and scalable elliptic curve processor that provides resistance against timing attacks is presented.
- The dataflow schedules for the underlying operators of the modified point multiplication algorithm are optimized for maximum speed.

##### Citations

70 citations

### Cites background from "A scalable and high performance ell..."

...To the best of our knowledge, the flow fingerprinting problem was first introduced in Houmansadr and Borisov [2013b] with clear distinction to NFW....

[...]

34 citations

### Cites background from "A scalable and high performance ell..."

...Existing countermeasures include inserting dummy operations [29], using redundant representation [30], and unifying the multiplication operands [31]....

[...]

9 citations

### Cites background from "A scalable and high performance ell..."

...810 [8] - New 3 bits at a time Projective Polynomial NA Software...

[...]

##### References

1,089 citations

### "A scalable and high performance ell..." refers background in this paper

...The main operation in a typical elliptic curve cryptosystem is called the point-multiplication which refers to calculating k.P where k is an integer and P is a point on the specific elliptic curve....

[...]

...Keywords Elliptic Curve Cryptography, side-channel attacks, Galois fields, hardware architecture, security....

[...]
