Design of a Fully Balanced ASIC Coprocessor Implementing Complete Addition Formulas on Weierstrass Elliptic Curves

This paper discusses the first design of an ASIC coprocessor for Elliptic Curve Cryptography (ECC) using the complete addition law of Renes et al. The main reason for using the complete addition law is the reduced vulnerability to side-channel analysis (SCA) attacks, since point addition and point doubling can be performed with the same addition formulas. Further, all inputs are valid, so there is no need for conditional statements handling special cases such as the point at infinity. The proposed hardware architecture is optimized for area efficiency, targeting applications such as smart cards and RFID tags. A bottom-up design approach is used, minimizing the total implementation area by optimizations in each abstraction layer. The design implements a full-word Montgomery Multiplier ALU (MMALU) with built-in adder functionality. Additionally, an exploration is done on the design parameters of the MMALU and the scheduling of the modular operations in order to minimize the size of the register file. For point multiplication, a Montgomery ladder is implemented with the option of randomizing the execution order of the point operations as a countermeasure against SCA attacks. The post-synthesis implementation results are generated using the open source NANGATE45 library.

[1]  Florent Bernard Scalable hardware implementing high-radix Montgomery multiplication algorithm , 2007, J. Syst. Archit..

[2]  Joos Vandewalle,et al.  Hardware implementation of a Montgomery modular multiplier in a systolic array , 2003, Proceedings International Parallel and Distributed Processing Symposium.

[3]  Craig Costello,et al.  Complete Addition Formulas for Prime Order Elliptic Curves , 2016, EUROCRYPT.

[4]  Tanja Lange,et al.  Faster Addition and Doubling on Elliptic Curves , 2007, ASIACRYPT.

[5]  Lejla Batina,et al.  Arithmetic and Architectures for Secure Hardware Implementations of Public-key Cryptography Arithmetic and Architectures for Secure Hardware Implementations of Public-key Cryptography , 2005 .

[6]  C. D. Walter,et al.  Montgomery exponentiation needs no final subtractions , 1999 .

[7]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[8]  Nele Mentens,et al.  Side-channel evaluation of FPGA implementations of binary Edwards curves , 2010, 2010 17th IEEE International Conference on Electronics, Circuits and Systems.

[9]  Bart Preneel,et al.  Power-Analysis Attacks on an FPGA - First Experimental Results , 2003, CHES.

[10]  Kazumaro Aoki,et al.  SEC X.2: Recommended Elliptic Curve Domain Parameters , 2008 .

[11]  Khaled Salah,et al.  Review of Elliptic Curve Cryptography processor designs , 2015, Microprocess. Microsystems.

[12]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[13]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[14]  Tanja Lange,et al.  Twisted Edwards Curves , 2008, AFRICACRYPT.

[15]  Ingrid Verbauwhede,et al.  Balanced point operations for side-channel protection of elliptic curve cryptography , 2005 .

[16]  Tanja Lange,et al.  Twisted Hessian Curves , 2015, LATINCRYPT.

[17]  P. L. Montgomery Modular multiplication without trial division , 1985 .

[18]  Nele Mentens,et al.  Completing the Complete ECC Formulae with Countermeasures , 2017 .

[19]  Ingrid Verbauwhede,et al.  Small footprint ALU for public-key processors for pervasive security , 2006 .

[20]  Ingrid Verbauwhede,et al.  Efficient pipelining for modular multiplication architectures in prime fields , 2007, GLSVLSI '07.

[21]  P. L. Montgomery Speeding the Pollard and elliptic curve methods of factorization , 1987 .

[22]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[23]  Joost Renes,et al.  Implementing Complete Formulas on Weierstrass Curves in Hardware , 2016, SPACE.