1. Introduction
The rapid development and widespread application of information technology have deeply affected the entire economy and society. Many electronic devices need to exchange confidential information securely, and one of the best defenses for preserving data secrecy and confidentiality against unauthorized users is cryptography. One approach to public-key cryptography relies on Elliptic Curve Cryptography (ECC), which is based on the algebraic structure of elliptic curves over finite fields. ECC was proposed by Neal Koblitz [1] and Victor Miller [2], and requires smaller keys to obtain the same security level as other algorithms. For instance, to match a 3072-bit Rivest, Shamir and Adleman (RSA) key, ECC needs a 256-bit key [3]. As its keys are smaller than those of other algorithms, ECC’s resource requirements are also smaller, which suits size- and resource-constrained devices.
ECC is widely implemented in both software and hardware to increase security when sharing information over unsafe networks. Software applications include the Bitcoin digital signature scheme [4], OpenSSL protocols [5], image encryption [6,7], and others. Hardware implementations of ECC for size-constrained devices, such as the Internet of Things (IoT), include Radio Frequency Identification (RFID) [8], wireless medical devices [9], Android chat applications [10], and others. ECC can be deployed on devices with or without limited resources; how it is implemented varies with the environment. Thus, unlike other cryptographic schemes, ECC is suitable for IoT devices with limited hardware resources.
Applications of ECC in hardware usually aim to speed up critical operations. Elliptic Curve Point Multiplication (ECPM), also referred to in the literature as scalar multiplication, is the main operation and the most computing-intensive part of the algorithm [11]. It has therefore been the subject of countless attempts to improve its performance in hardware. Depending on the purpose of the implementation, different sets of techniques can be applied to ECC over prime and binary fields. These techniques include area reduction [12], performance and efficiency increase [13,14], adjustments to fit size-constrained devices [12,15], and development of custom crypto-processors [11,14,16]. For instance, Hossain, Saeedi, and Kong [13] proposed an architecture to speed up ECPM using Jacobian projective coordinates and a combination of Point Addition (PA) and Point Doubling (PD) in parallel. Liu, Liu, and Zou [16] proposed a flexible processor with multi-algorithm support, which enables different fields and curves with random point generation. Salarifard, Bayat-Sarmadi, and Mosanaei-Boorani [17] implemented a fixed-base comb method in two architectures and reached significant reductions in energy and latency for ECPM; their implementation is resistant to Simple Power Analysis (SPA) and timing attacks.
While similarities can be found among the sets of algorithms for ECC in the literature, a roadmap of desired characteristics must first be traced based on the purpose of the implementation. An algorithm chosen for area reduction is usually slower than one that is not recommended for resource-constrained devices. Several parameters must be defined once the roadmap is constructed, including the finite field, the algorithms for field arithmetic, the curve, the point representation, and the algorithms to perform Elliptic Curve (EC) arithmetic, among others [18]. The ideal selection can be tricky; thus, it should always be made with the environment in mind first of all. If the environment requires small code due to area limitations, the chosen algorithms must fit this requirement or lose efficiency and performance. In view of this, it is difficult to reach a custom best set of algorithms for hardware implementations with no size constraints, in which the focus lies on efficiency and performance. Papers often trace a customized set of algorithms for their own purposes, whereas books and surveys list the different possibilities without recommending the best choice.
In this paper, we present a comparison of recently selected ECPM implementations in hardware. Focusing on implementations of ECPM over binary fields on Integrated Circuit (IC) technologies such as Field-programmable Gate Array (FPGA) and Application-specific Integrated Circuit (ASIC), our comparison aims to find the techniques that favor reaching the best efficiency. While environments and purposes differ in each work, thus affecting the selection of algorithms and techniques, it is possible to trace similarities among some sets of algorithms and outline a basic roadmap. The sets of algorithms these works implemented were cataloged to recommend a path to follow. Thus, as the main contribution, this paper indicates which combinations of methods and technologies reach the best efficiency, pointing out directions for hardware implementations of ECPM over binary fields.
The remainder of this paper is organized as follows. Section 2 presents the context of the research, involving finite fields, curves, point multiplication, coordinates, and existing attacks on ECC. Section 3 describes the methodology applied in this study, including research questions, document search, paper selection, and data extraction. Next, Section 4 discusses the information gathered from the selected papers, describing the techniques applied in them and making a comparative analysis of silicon cost and performance. Finally, Section 5 presents the final remarks.
2. Background
The development process of embedded systems mainly involves the design of hardware and software. The system must ensure reliability, maintainability, availability, safety, and security [19]. A system designer must take precautions regarding energy consumption, code size, resource usage, weight, and cost to enhance efficiency [20]. Since the code must be compact, designers must select functions carefully to provide efficiency without compromising the primary function.
It is well known that selecting the best cryptographic scheme and algorithms plays a preponderant role in the design task. According to Loi and Ko [21], ECC needs smaller keys than RSA to provide the same level of security. This aspect is why we chose ECC as our object of study. While smaller keys do not guarantee smaller code, the advantages of ECC lie in the security aspect.
ECC relies on the Discrete Logarithm Problem (DLP), which is classified as a one-way function because it is easy to compute but hard to reverse. According to Ciet and Joye [22], there is no sub-exponential algorithm capable of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP), although one algorithm that can be applied is Pollard’s Rho method [23]. Other methods, such as brute force, have impractical performance.
2.1. The Elliptic Curve over Finite Fields
ECC is an approach for public-key cryptography on the algebraic structure of elliptic curves over finite fields or Galois fields, .
The elliptic curve
over
, here denoted by
or
, is defined by the general Weierstrass equation [
24]:
in which
. Prime fields are usually called
, with
, where
p is a prime number and
. We denote Binary fields by
, with
. There also exist elliptic curves defined over other fields for cryptography, which are not discussed in this paper.
The set of all points on the elliptic curve and the point at infinity, , forms an Abelian group in which is the identity element. An Abelian group is a nonempty set with a binary operation + defined on such that the following conditions hold:
- i. Identity: ,
- ii. Negatives: If , then and is called the negative of P and . Also, .
- iii. Point addition: Let , where , then .
- iv. Point doubling: Let where . Then .
A hierarchy must be followed to define the sets of algorithms needed to create an ECC cryptographic scheme. Figure 1 demonstrates this hierarchy. First, the type of protocol to be used must be selected, Elliptic Curve Diffie-Hellman (ECDH) or Elliptic Curve Digital Signature Algorithm (ECDSA). Next, the algorithms to perform ECPM must be defined, followed by the algorithms to perform field arithmetic.
A finite field requires that a basis be selected to perform field arithmetic. Figure 2 represents what needs to be defined according to the chosen basis. For a binary field, if the polynomial basis is chosen, each element is a polynomial, and therefore field operations use polynomial arithmetic [25]. A reduction polynomial must be defined to reduce the results of this arithmetic to elements of the Galois field [26]; the reduction polynomial ensures that a given result belongs to the field.
Normal basis is defined for any finite field
. An example of a normal basis is Gaussian normal basis, commonly utilized on ECC. Optimal Normal Basis (ONB) aims at reducing hardware complexity when multiplying field elements [
18]. In a normal basis representation, elements of
are expressed in terms of a basis of the form
. One advantage of a normal basis representation is that squaring a field element is a simple rotation of its vector representation [
25]. Mullin et al. [
27] introduced the concept of an ONB to reduce the hardware complexity of multiplying field elements in
.
Table 1 presents two types of ONB, concerning the value of
m [
25]. If
m does not satisfy any of three statements mentioned in the table, then
does not contain an ONB [25]. According to Hankerson, Menezes, and Vanstone [18], ONB has no significant advantages over a polynomial basis for hardware implementation. Furthermore, field multiplication in software with normal basis representations is very slow compared to multiplication with a polynomial basis. Hence, the polynomial basis is the best choice for hardware implementation.
2.2. Curves over Binary Fields
An elliptic curve over binary fields
is defined by:
There are two types of a curve over a binary field
: (
i) random elliptic curves over a binary field
; and (
) Koblitz elliptic curves over a binary field
. Some parameters must be defined previously to generate a curve over binary fields. According to the authors of [
18], the domain parameters for both are the following:
- m, which is the extension degree of the binary field .
- , which is the reduction polynomial of degree m.
- The coefficients of the elliptic curve .
- The prime order of the base point P, which is given by n.
- The cofactor, given by , in which is the order of over .
- The , which are the coordinates of the base point P.
In addition to these parameters, if random curves are being used, a seed will be applied to randomly generate the elliptic curve’s coefficients.
- A. Random Elliptic Curve (REC) (REC is part of the National Institute of Standards and Technology (NIST) recommended curves [25].): Its advantages lie in the security aspect, since the coefficients of the curve are randomly generated. Because the randomness requires more computational processing power, this curve may not be the best implementation choice [25].
- B. Koblitz Curve (KEC) (KEC is part of NIST’s recommended curves and is easy to create [25].): Also known as anomalous binary curves, this curve is defined over binary fields and is non-supersingular. ECPM on KEC is faster than on REC [18]. Because KEC appears in NIST’s recommendations, it is a popular choice [13,28].
Regardless of the curve selection, domain parameters must be carefully chosen. Brown [29] presents an efficient generation procedure for the elliptic curve domain parameters over
, in which the output of the presented steps is the septuple
. In such a way, the logarithm derivation on the associated elliptic curve requires approximately
operations, where
t is the security level in bits required from the elliptic curve domain parameters.
2.3. Elliptic Curve Point Multiplication
To generate the public key, cryptosystems based on elliptic curves must perform point multiplication, also called scalar multiplication. Elliptic Curve Point Multiplication (ECPM) is the most computationally expensive part of ECC and consists of repeated steps of point adding and point doubling to reach:
in which
P is a point of the curve
,
k is a randomly selected integer from the range of
defining the private key, and
Q is the public key resulting from the multiplication [18]. From Equation (3), the private key is defined first, and the public key is then created; thus, the two keys are related to each other. There are numerous ECPM algorithms, although the simplest is composed of point addition and point doubling operations. We can define the point addition and point doubling operations as follows:
- A. Point Addition: Consists of adding a point to another point. Assume two points
and
, in which
and
. Then,
[
25]. Point
should be reflected in the x-axis to compute point
R.
Figure 3 shows the point addition on ECC.
- B. Point Doubling: Is the addition of a point to itself, when
. Let
, where
, then
[
18]. Point doubling is evaluated in the same way as point addition, since it also first generates
, which is reflected in the x-axis to compute point
.
Figure 4 shows the point doubling on ECC.
Double-and-Add method is a known algorithm for scalar multiplication. According to [
25], the scalar should be written as
in binary notation and consider
. Finally, the result follows from the sum
. The Double-and-Add method requires
doubling operations and likely
additions. This method is one of the most basic algorithms for scalar multiplication and can be modified or combined with other techniques to accelerate it. Other algorithms include the addition-subtraction method using Non-adjacent Form (NAF), the right-to-left and left-to-right binary methods, the Montgomery method, the fixed-base comb method, and window methods [18]. The best algorithm is selected based on the project environment; the algorithm indicated for one project will not necessarily be indicated for another.
2.4. Projective Coordinates
Projective coordinate systems offer an alternative method for performing elliptic curve arithmetic efficiently [30]. These methods avoid the expensive field (multiplicative) inversion involved in both point doubling and point addition with the arithmetic of the affine coordinates
. In these methods, the elliptic curve points are usually substituted with the projective coordinates system as follows.
In standard projective coordinates, the projective point
, in which
, corresponds to the affine point
[
31]. Therefore,
in (
2) can be rewritten as
In the Jacobian coordinates system, a point
in affine coordinates system is recovered as
, in which
[
31], in (
2) yields
Using López–Dahab (LD) projective coordinates system, in which
, in which
[
31],
in (
2) is given by
These operations directly impact efficiency and performance metrics. Therefore, the context of the ECPM must be known before selecting the projective coordinates.
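As an added worked example (not code from the paper or from any of the surveyed works), the following Python block ties together Sections 2.1 to 2.4: polynomial-basis arithmetic in a binary field with a reduction polynomial (including a check that the polynomial is irreducible and an Itoh-Tsujii inversion), the affine group law of a curve over a binary field with the identity element, point addition and point doubling of Section 2.3, left-to-right Double-and-Add, and a López-Dahab doubling that can be checked against the affine result. The field GF(2^5) with reduction polynomial x^5 + x^2 + 1 and the curve coefficients a = b = 1 are toy parameters chosen here for illustration; all function names are this example's own, and the addition, doubling and López-Dahab formulas are the standard ones for curves of the form y^2 + xy = x^3 + ax^2 + b.

```python
# Added example, not code from the paper or from the surveyed works. Toy parameters
# chosen here: GF(2^5) in polynomial basis with reduction polynomial x^5 + x^2 + 1,
# and the curve y^2 + xy = x^3 + a*x^2 + b with a = b = 1 (real curves use m >= 163).
M = 5                  # extension degree m of the binary field
RED_POLY = 0b100101    # x^5 + x^2 + 1; bit i holds the coefficient of x^i
A, B = 1, 1            # curve coefficients; b != 0 keeps the curve non-singular
INF = None             # point at infinity, the identity element of the group

def is_irreducible(f, m):
    """True if f (degree m) has no factor of degree 1..m//2, i.e. GF(2)[x]/(f) is a field."""
    for d in range(2, 1 << (m // 2 + 1)):              # every polynomial of degree 1..m//2
        r = f
        while r and r.bit_length() >= d.bit_length():  # long division over GF(2)
            r ^= d << (r.bit_length() - d.bit_length())
        if r == 0:
            return False
    return True

def f_add(u, v):       # addition in polynomial basis is coefficient-wise XOR
    return u ^ v

def f_mul(u, v):
    """Shift-and-add product, then reduction modulo RED_POLY so the degree stays below m."""
    r = 0
    for i in range(M):
        if (v >> i) & 1:
            r ^= u << i
    for i in range(2 * M - 2, M - 1, -1):
        if (r >> i) & 1:
            r ^= RED_POLY << (i - M)
    return r

def f_sqr(u):
    return f_mul(u, u)

def f_inv(u):
    """Itoh-Tsujii inversion: u^-1 = (u^(2^(m-1) - 1))^2, built from beta(k) = u^(2^k - 1)."""
    def beta(k):
        if k == 1:
            return u
        if k % 2:
            return f_mul(f_sqr(beta(k - 1)), u)
        t = b = beta(k // 2)
        for _ in range(k // 2):                        # t = b^(2^(k/2)) by repeated squaring
            t = f_sqr(t)
        return f_mul(t, b)
    return f_sqr(beta(M - 1))

def on_curve(P):       # y^2 + xy == x^3 + a*x^2 + b for an affine point P = (x, y)
    x, y = P
    return f_add(f_sqr(y), f_mul(x, y)) == f_add(f_add(f_mul(f_sqr(x), x), f_mul(A, f_sqr(x))), B)

def point_double(P):
    if P is INF or P[0] == 0:                          # x = 0 means P = -P, so 2P = INF
        return INF
    x1, y1 = P
    lam = f_add(x1, f_mul(y1, f_inv(x1)))
    x3 = f_add(f_add(f_sqr(lam), lam), A)
    return (x3, f_add(f_sqr(x1), f_mul(f_add(lam, 1), x3)))

def point_add(P, Q):
    """Affine addition; handles the identity, P + (-P) = INF (where -P = (x, x + y)), and P == Q."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        return point_double(P) if y1 == y2 else INF
    lam = f_mul(f_add(y1, y2), f_inv(f_add(x1, x2)))
    x3 = f_add(f_add(f_add(f_add(f_sqr(lam), lam), x1), x2), A)
    return (x3, f_add(f_add(f_mul(lam, f_add(x1, x3)), x3), y1))

def double_and_add(k, P):
    """Left-to-right Double-and-Add: one doubling per bit of k, one addition per 1-bit."""
    Q = INF
    for bit in bin(k)[2:]:
        Q = point_double(Q)
        if bit == "1":
            Q = point_add(Q, P)
    return Q

def ld_double(X1, Y1, Z1):
    """Lopez-Dahab doubling of (X:Y:Z) ~ (X/Z, Y/Z^2); no inversion needed, requires X1 != 0."""
    X1sq, Z1sq = f_sqr(X1), f_sqr(Z1)
    Z3 = f_mul(X1sq, Z1sq)
    bZ4 = f_mul(B, f_sqr(Z1sq))
    X3 = f_add(f_sqr(X1sq), bZ4)
    Y3 = f_add(f_mul(X3, f_add(f_add(f_mul(A, Z3), f_sqr(Y1)), bZ4)), f_mul(bZ4, Z3))
    return X3, Y3, Z3

def curve_points():    # brute-force enumeration of the affine points; feasible only for this toy field
    return [(x, y) for x in range(1 << M) for y in range(1 << M) if on_curve((x, y))]

if __name__ == "__main__":
    pts = curve_points()
    P = next(p for p in pts if p[0] != 0)
    print("#E =", len(pts) + 1, "base point", P, "11*P =", double_and_add(11, P))
```

Two checks worth running on any such implementation: multiplying every non-zero field element by its inverse must give 1 (which exercises both `f_mul` and the Itoh-Tsujii chain), and, by Lagrange's theorem, multiplying any point by the group order `len(curve_points()) + 1` must return the point at infinity. Converting the López-Dahab result back to affine with one inversion (`x = X/Z`, `y = Y/Z^2`) and comparing it with `point_double` shows why projective doubling is attractive in hardware: the inversion is deferred to the very end of the whole scalar multiplication instead of being paid at every step.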
2.5. Attacks on ECC
For any cryptosystem, there will always be attempts to break it and steal information. Although ECC is a very secure cryptographic scheme, attacks that aim to break it exist. Some examples are divided into [25]:
- i. Algorithms on DLP: Shank’s Baby-step Giant-step, Pohlig-Hellman’s method, Pollard’s -method, -method, Index-calculus algorithm, Number field sieve algorithm, and function field sieve algorithm.
- ii. Algorithms on ECDLP: Shank’s Baby-step Giant-step, Pollard’s -method, Pohlig-Hellman’s method, method of solving multiple ECDLP, and Index-calculus method.
- iii. Weil pairing and MOV reduction attack.
- iv. Semaev-Smart-Satoh-Araki (SSA) attack.
- v. Differential and power attacks: SPA and Differential Power Analysis (DPA).
- vi. Electromagnetic Analysis Attack (EAA).
- vii. Error message analysis.
Some approaches for mitigating attacks have been studied [32]. These countermeasures depend heavily on the hardware platform’s characteristics, the operating environment, and the attackers’ skills. These aspects must be evaluated case by case.
In implementations of ECC, point multiplication algorithms are particularly vulnerable because the usual formulas for adding and doubling points are quite different and, therefore, their power traces may be readily distinguished by SPA [25]. However, precautions can be taken to prevent these attacks. In this case, a modified algorithm aligns the power consumption of the point addition and point doubling operations [18]. Thus, the equalized power traces are no longer distinguishable by SPA.
5. Conclusions
In this article, we presented a review of techniques for implementing elliptic curve point multiplication on FPGA and ASIC devices. We note that the analyzed works use different types of curves according to their implementation goals. However, most studies use the polynomial basis and projective coordinates, which indicates that this combination is the most suitable for hardware implementation. Concerning the operations, we have not identified any preferred method for implementing field or point multiplication. On the other hand, most of the works used the Itoh-Tsujii algorithm to accelerate the inversion; however, there is not sufficient evidence that its use produces a gain in efficiency or performance. From the study, we also note that the best combination of algorithms, techniques, and IC technologies depends on the project’s goal, and a system designer must take into account the requirements of the target application to select the choices that best fit those requirements. For instance, if affine coordinates are used, the designer should know that the algorithm performs more inversion operations than with projective coordinates, requiring enhancements in the implementation to compensate for this cost. Moreover, resource-constrained devices may need algorithms that enable cost reduction; however, such algorithms may exhibit lower efficiency and performance. Finally, although this article has presented an analysis of ECPM implementations in hardware, further studies are needed to define a set of guidelines to aid designers in choosing the best combination of methods and algorithms for different application classes.