
This thesis presents an SPA-resistant hardware solution for the operations on elliptic curves over both GF(p) and GF(2^m). The proposed architecture is implemented over affine coordinates using a highly integrated Galois field arithmetic unit. Not only elliptic curve operations but also modular arithmetic are provided, so a software engineer can easily use it to accelerate all kinds of elliptic curve protocols. According to the comparisons above, the proposed GFAU has an advantage in the combined area-latency comparison, which makes affine-coordinate computation worth considering again when choosing an implementation.

Besides, the proposed SPA-resistant algorithm randomly interleaves two scalar multiplications k1P1 + k2P2. In this way, less hardware overhead is added than with other known countermeasures. This method may also be resistant to DPA, but that has to be confirmed by further simulation. For more protection, this algorithm can also be combined with other countermeasures such as the window-NAF method.
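As an added example (not code from the thesis), the following Python sketch implements our reading of the interleaved k1P1 + k2P2 computation on a constructed toy curve over GF(p) in affine coordinates: two double-and-add loops run side by side, and a random choice at every step picks which scalar's next bit is consumed, so the observable double/add sequence no longer spells out either scalar on its own. The curve parameters, the point (3, 6) of order 5, and the use of two separate accumulators are assumptions made for this example; Python gives no side-channel guarantee, so the block demonstrates the scheduling and checks its correctness against plain double-and-add, nothing more.

```python
import random

# Constructed toy curve for illustration only: y^2 = x^3 + A*x + B over GF(P_MOD).
# The parameters are tiny so every step can be checked by hand; they are not a
# real ECC curve. The point at infinity is represented by None.
P_MOD = 97
A = 2
B = 3
GEN = (3, 6)  # on the curve, with order 5: 5*GEN is the point at infinity


def is_on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine addition, covering doubling, inverse points and infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Reference left-to-right double-and-add. Not SPA-resistant: the
    double/add pattern it performs is exactly the bit pattern of k."""
    acc = None
    for bit in (bin(k)[2:] if k else ""):
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc


def interleaved_mult(k1, p1, k2, p2, rng, trace=None):
    """k1*p1 + k2*p2 with the two double-and-add loops run side by side.

    At each step a random choice decides which scalar's next bit is consumed,
    so the double/add sequence an observer sees (appended to `trace` as "D"
    and "A") mixes the bits of k1 and k2 rather than spelling out one scalar.
    This is our reading of the random interleaving described in the text,
    written for correctness checking only (assumed design, not the thesis's).
    """
    streams = [(bin(k1)[2:] if k1 else "", p1), (bin(k2)[2:] if k2 else "", p2)]
    pos = [0, 0]
    acc = [None, None]
    while True:
        ready = [i for i in (0, 1) if pos[i] < len(streams[i][0])]
        if not ready:
            break
        i = rng.choice(ready)
        bits, pt = streams[i]
        acc[i] = point_add(acc[i], acc[i])
        if trace is not None:
            trace.append("D")
        if bits[pos[i]] == "1":
            acc[i] = point_add(acc[i], pt)
            if trace is not None:
                trace.append("A")
        pos[i] += 1
    return point_add(acc[0], acc[1])


def verify_interleaving(seed=1, max_k=12):
    """Check k1*GEN + k2*(2*GEN) == (k1 + 2*k2)*GEN for all small k1, k2."""
    rng = random.Random(seed)
    p2 = scalar_mult(2, GEN)
    for k1 in range(max_k):
        for k2 in range(max_k):
            if interleaved_mult(k1, GEN, k2, p2, rng) != scalar_mult(k1 + 2 * k2, GEN):
                return False
    return True


if __name__ == "__main__":
    rng = random.Random()
    for _ in range(3):
        ops = []
        result = interleaved_mult(11, GEN, 6, scalar_mult(2, GEN), rng, ops)
        print("".join(ops), "->", result)  # op sequence varies, the point does not
```

Running the block prints three differently ordered D/A sequences that all end in the same point; `verify_interleaving()` exhaustively compares the interleaved result with the reference for small scalars. The trace list is the part worth studying: it is what a simple power trace would reveal, and with two interleaved scalars it is no longer a transcript of one of them.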

However, a big problem occurs in the automatic place-and-route stage. The data path in the proposed design is 512 bits wide, so it contains too many wires, and the CAD tool cannot place them without negative timing slack and design rule violations. We have tried it on UMC 0.18µm 1P5M, TSMC 0.18µm 1P5M and UMC 90nm 1P9M CMOS processes and enlarged the timing margin. We have also tried a 256-bit version. All of these efforts were ineffective.

We suggest using a word-based architecture to solve this problem. The Montgomery multiplier can easily be modified into a pipelined word-based architecture, but it is hard to pipeline the Montgomery divider because of the data dependency between two consecutive iterations. So it may be worth researching a pipelined Montgomery divider architecture.
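To make the word-based structure concrete, here is an added Python example (not the thesis's hardware design) of Montgomery multiplication in the word-serial CIOS form: the multiplier operates on w-bit words only, consumes one word of the second operand per outer iteration, and carries a single word between steps, which is what keeps a word-based datapath narrow enough to place and route and makes it amenable to pipelining. The 16-bit word size and the example modulus 2^61 - 1 are assumptions chosen for readability; conversion into and out of Montgomery form is included so the block computes ordinary a*b mod n end to end.

```python
import random

# Word-based (word-serial) Montgomery multiplication in the CIOS form, as an
# added illustration of the word-based architecture the text recommends.
# WORD_BITS is an assumed parameter; hardware would pick its datapath width.
WORD_BITS = 16
WORD_MASK = (1 << WORD_BITS) - 1


def to_words(x, s):
    """Split a non-negative integer into s little-endian words."""
    return [(x >> (WORD_BITS * i)) & WORD_MASK for i in range(s)]


def from_words(words):
    return sum(wd << (WORD_BITS * i) for i, wd in enumerate(words))


class MontgomeryContext:
    """Precomputation for an odd modulus n: word count s, R = 2^(s*w),
    n0' = -n^-1 mod 2^w, and R^2 mod n for conversion into Montgomery form."""

    def __init__(self, n):
        if n % 2 == 0:
            raise ValueError("Montgomery reduction needs an odd modulus")
        self.n = n
        self.s = (n.bit_length() + WORD_BITS - 1) // WORD_BITS
        self.n_words = to_words(n, self.s)
        self.n0_inv = (-pow(self.n_words[0], -1, 1 << WORD_BITS)) % (1 << WORD_BITS)
        self.r = 1 << (WORD_BITS * self.s)
        self.r2 = (self.r * self.r) % n

    def mont_mul(self, a, b):
        """Return a*b*R^-1 mod n for 0 <= a, b < n, touching only w-bit words.
        The outer loop consumes one word of b per iteration and each inner loop
        passes a single-word carry along, so the partial-product row t can move
        through a pipeline one word at a time."""
        s, w, mask = self.s, WORD_BITS, WORD_MASK
        a_w, b_w, n_w = to_words(a, s), to_words(b, s), self.n_words
        t = [0] * (s + 2)
        for i in range(s):
            # multiplication row: t += a * b[i]
            c = 0
            for j in range(s):
                cs = t[j] + a_w[j] * b_w[i] + c
                t[j], c = cs & mask, cs >> w
            cs = t[s] + c
            t[s], t[s + 1] = cs & mask, cs >> w
            # reduction row: add m*n so the lowest word becomes zero, then
            # shift the row down by one word (division by 2^w without remainder)
            m = (t[0] * self.n0_inv) & mask
            cs = t[0] + m * n_w[0]
            c = cs >> w
            for j in range(1, s):
                cs = t[j] + m * n_w[j] + c
                t[j - 1], c = cs & mask, cs >> w
            cs = t[s] + c
            t[s - 1] = cs & mask
            t[s] = t[s + 1] + (cs >> w)
        u = from_words(t[: s + 1])  # u < 2n, so one subtraction suffices
        return u - self.n if u >= self.n else u

    def mul_mod(self, a, b):
        """a*b mod n via Montgomery form: convert in, multiply, convert out."""
        a_m = self.mont_mul(a % self.n, self.r2)  # a*R mod n
        b_m = self.mont_mul(b % self.n, self.r2)  # b*R mod n
        ab_m = self.mont_mul(a_m, b_m)            # a*b*R mod n
        return self.mont_mul(ab_m, 1)             # a*b mod n


def check_random_products(n, seed=7, trials=200):
    """Compare mul_mod with Python's big-integer arithmetic on random inputs."""
    ctx = MontgomeryContext(n)
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(n), rng.randrange(n)
        if ctx.mul_mod(a, b) != (a * b) % n:
            return False
    return True


if __name__ == "__main__":
    n = (1 << 61) - 1  # constructed example modulus, a Mersenne prime
    ctx = MontgomeryContext(n)
    print("words:", ctx.s, "R = 2^%d" % (WORD_BITS * ctx.s))
    print(ctx.mul_mod(123456789, 987654321) == (123456789 * 987654321) % n)
```

The point to take from the block is the shape of the loops: nothing wider than one word plus a carry is ever computed, so the 512-bit wide datapath the text describes becomes s passes over a w-bit multiplier-accumulator. The divider has no such decomposition in this form, which is the dependency problem the text raises.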
