Abstract
For security-critical embedded applications, Elliptic Curve Cryptography (ECC) has become the predominant cryptographic system for efficient key agreement and digital signatures. However, ECC still involves complex modular arithmetic that is a particular burden for small processors. In this context, Bernstein proposed the highly efficient ECC instance Curve25519, which particularly enables efficient software implementations at a security level comparable to AES-128 with inherent resistance to simple power analysis (SPA) and timing attacks. In this work, we show that Curve25519 is likewise competitive on FPGAs even when countermeasures to thwart side-channel power analysis are included. Our basic multicore DSP-based architecture achieves a maximal performance of more than 32,000 point multiplications per second on a Xilinx Zynq 7020 FPGA. Including a mix of side-channel countermeasures to impede simple and differential power analysis, we still achieve more than 27,500 point multiplications per second with a moderate increase in logic resources.
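The two properties the abstract relies on, the uniform Montgomery ladder with a branch-free swap that gives Curve25519 its inherent SPA and timing resistance, and an additional randomisation step against DPA, can be modelled in software. The following is an added reference model, not code from the paper or its FPGA design: it implements X25519 as in RFC 7748 and adds Coron-style randomised projective coordinates as one representative DPA countermeasure (an assumption; the abstract does not state which countermeasures the hardware mixes). Python big-integer arithmetic is itself not constant-time, so the block models the algorithmic structure only.

```python
import os

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4, the curve constant used by the ladder

def decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127         # the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little") % P

def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap: the key bit selects data, never a code path."""
    t = (-swap) & (a ^ b)   # swap is 0 or 1, so -swap is 0 or all ones
    return a ^ t, b ^ t

def x25519(k: bytes, u: bytes, blind: bool = True) -> bytes:
    n, x1 = decode_scalar(k), decode_u(u)
    # DPA countermeasure (Coron 1999): start from randomised projective
    # coordinates (x1*lam : lam) so intermediate values differ between runs.
    # Assumption: this is a textbook countermeasure, not the paper's exact mix.
    lam = int.from_bytes(os.urandom(32), "little") % (P - 1) + 1 if blind else 1
    x2, z2 = lam, 0                     # point at infinity, scaled by lam
    x3, z3 = x1 * lam % P, lam          # the input point, scaled by lam
    swap = 0
    for t in range(254, -1, -1):        # identical ladder step for every bit
        kt = (n >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P          # differential addition
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P                 # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")
```

Because the randomisation only rescales the projective representation, the output is independent of `lam`, which is what makes the countermeasure free of functional cost.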
Index Terms
- Implementing Curve25519 for Side-Channel–Protected Elliptic Curve Cryptography