• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.4
• /
• pp.3-19
• /
• 2009

This paper proposes efficient scalar multiplication algorithms based on Montgomery ladder method. The proposed algorithm represents the scalar as ternary or quaternary and applies new composite formulas utilizing only x coordinate on affine coordinate system in order to improve performance. Furthermore, side-channel atomicity mechanism is applied on the proposed composite formulas to prevent simple power analysis. The proposed methods saves at least 26% of running time with the reduced number of storage compared with existing algorithms such as window-based methods and comb-based methods.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.19 no.6
• /
• pp.63-70
• /
• 2009

Many research results show that RSA system mounted using conventional binary exponentiation algorithm is vulnerable to some physical attacks. Recently, Schmidt and Hurbst demonstrated experimentally that an attacker can exploit secret key using faulty signatures which are obtained by skipping the squaring operations. Based on similar assumption of Schmidt and Hurbst's fault attack, we proposed new fault analysis attacks which can be made by skipping the multiplication operations or computations in looping control statement. Furthermore, we applied our attack to Montgomery ladder exponentiation algorithm which was proposed to defeat simple power attack. As a result, our fault attack can extract secret key used in Montgomery ladder exponentiation.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2022.05a
• /
• pp.246-248
• /
• 2022

Binary Edwards curves (BEdC), a new form of elliptic curves proposed by Bernstein, satisfy the complete addition law without exceptions. This paper describes an efficient hardware implementation of point scalar multiplication on BEdC using projective coordinates. Modified Montgomery ladder algorithm was adopted for point scalar multiplication, and binary field arithmetic operations were implemented using 257-bit binary adder, 257-bit binary squarer, and 32-bit binary multiplier. The hardware operation of the BEdC crypto-core was verified using Zynq UltraScale+ MPSoC device. It takes 521,535 clock cycles to compute point scalar multiplication.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.05a
• /
• pp.188-190
• /
• 2017

투영(projective) 좌표계를 이용한 스칼라 곱셈(scalar multiplication) 연산을 지원하는 224-비트 타원곡선 암호(Elliptic Curve Cryptography; ECC) 프로세서의 설계에 대해 기술한다. 소수체 GF(p)상의 덧셈, 뺄셈, 곱셈 등의 유한체 연산을 지원하며, 연산량과 하드웨어 자원소모가 큰 나눗셈 연산을 제거함으로써 하드웨어 복잡도를 감소시켰다. 수정된 Montgomery ladder 알고리듬을 이용하여 스칼라 곱셈 연산을 제어하였으며, 단순 전력분석에 보다 안전하다. 스칼라 곱셈 연산은 최대 2,615,201 클록 사이클이 소요된다. 설계된 ECC-P224 프로세서는 Xilinx ISim을 이용한 기능검증을 하였다. Xilinx Virtex5 FPGA 디바이스 합성결과 7,078 슬라이스로 구현되었으며, 최대 79 MHz에서 동작하였다.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2016.10a
• /
• pp.158-160
• /
• 2016

전자서명(ECDSA), 키 교환(ECDH) 등에 사용되는 233-비트 타원곡선 암호(Elliptic Curve Cryptography; ECC) 프로세서의 설계에 대해 기술한다. $GF(2^{333})$ 상의 덧셈, 곱셈, 나눗셈 등의 유한체 연산을 지원하며, 하드웨어 자원 소모가 적은 쉬프트 연산과 XOR 연산만을 이용하여 구현하였다. 스칼라 곱셈은 modified montgomery ladder 알고리듬을 이용하여 구현하였으며, 정수 k의 정보를 노출하지 않고, 단순 전력분석에 보다 안전하다. 스칼라 곱셈 연산은 최대 490,699 클록 사이클이 소요된다. 설계된 ECC 프로세서는 Xilinx ISim을 이용한 시뮬레이션 결과값과 한국인터넷진흥원(KISA)의 참조 구현 값을 비교하여 정상 동작함을 확인하였다. Xilinx Virtex5 XC5VSX95T FPGA 디바이스 합성결과 1,576 슬라이스로 구현되었으며, 189 MHz의 최대 동작주파수를 갖는다.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.7
• /
• pp.1267-1275
• /
• 2017

This paper describes a design of cryptographic processor supporting 233-bit elliptic curves over binary field defined by NIST. Scalar point multiplication that is core arithmetic in elliptic curve cryptography(ECC) was implemented by adopting modified Montgomery ladder algorithm, making it robust against simple power analysis attack. Point addition and point doubling operations on elliptic curve were implemented by finite field multiplication, squaring, and division operations over $GF(2^{233})$, which is based on affine coordinates. Finite field multiplier and divider were implemented by applying shift-and-add algorithm and extended Euclidean algorithm, respectively, resulting in reduced gate counts. The ECC processor was verified by FPGA implementation using Virtex5 device. The ECC processor synthesized using a 0.18 um CMOS cell library occupies 49,271 gate equivalents (GEs), and the estimated maximum clock frequency is 345 MHz. One scalar point multiplication takes 490,699 clock cycles, and the computation time is 1.4 msec at the maximum clock frequency.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2018.05a
• /
• pp.169-170
• /
• 2018

이진체 상의 타원곡선 B-233을 지원하는 타원곡선 암호 프로세서를 32-비트 워드기반 몽고메리 곱셈기를 이용하여 설계하였다. 스칼라 곱셈을 위해 수정된 몽고메리 래더 (Modified montgomery ladder) 알고리즘을 적용하여 단순 전력분석에 내성을 갖도록 하였으며, Lopez-Dahab 투영 좌표계와 페르마의 소정리(Fermat's little theorem)를 적용하여 하드웨어 자원 소모가 큰 나눗셈과 역원 연산을 제거하여 저면적으로 설계하였다. 설계된 ECC 프로세서는 Xilinx ISim을 이용하여 기능검증을 하였으며, $0.18{\mu}m$ CMOS 셀 라이브러리로 합성한 결과 100 MHz의 동작 주파수에서 9,614 GEs와 4 Kbit RAM으로 구현되었으며, 최대 동작 주파수는 125 MHz로 예측되었다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.5
• /
• pp.169-177
• /
• 2003

We establish the security requirements and derive a generic condition of elliptic curve scalar multiplication to resist against DPA and Goubin’s attack. Also we show that if a scalar multiplication algorithm satisfies our generic condition, then both attacks are infeasible. Showing that the randomized signed scalar multiplication using Ha-Moon's receding algorithm satisfies the generic condition, we recommend the randomized signed scalar multiplication using Ha-Moon's receding algorithm to be protective against both attacks. Also we newly design a random recoding method to Prevent two attacks. Finally, in efficiency comparison, it is shown that the recommended method is a bit faster than Izu-Takagi’s method which uses Montgomery-ladder without computing y-coordinate combined with randomized projective coordinates and base point blinding or isogeny method. Moreover. Izu-Takagi’s method uses additional storage, but it is not the case of ours.

• ETRI Journal
• /
• v.41 no.6
• /
• pp.863-872
• /
• 2019

Elliptic curve cryptography is a relatively lightweight public-key cryptography method for key generation and digital signature verification. Some lightweight curves (eg, Curve25519 and Curve Ed448) have been adopted by upcoming Transport Layer Security 1.3 (TLS 1.3) to replace the standardized NIST curves. However, the efficient implementation of Curve Ed448 on Internet of Things (IoT) devices remains underexplored. This study is focused on the optimization of the Curve Ed448 implementation on low-end IoT processors (ie, 8-bit AVR and 16-bit MSP processors). In particular, the three-level and two-level subtractive Karatsuba algorithms are adopted for multi-precision multiplication on AVR and MSP processors, respectively, and two-level Karatsuba routines are employed for multi-precision squaring. For modular reduction and finite field inversion, fast reduction and Fermat-based inversion operations are used to mitigate side-channel vulnerabilities. The scalar multiplication operation using the Montgomery ladder algorithm requires only 103 and 73 M clock cycles on AVR and MSP processors.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.6
• /
• pp.1083-1091
• /
• 2017

This paper describes a design of cryptographic processor supporting 224-bit elliptic curves over prime field defined by NIST. Scalar point multiplication that is a core arithmetic function in elliptic curve cryptography(ECC) was implemented by adopting the modified Montgomery ladder algorithm. In order to eliminate division operations that have high computational complexity, projective coordinate was used to implement point addition and point doubling operations, which uses addition, subtraction, multiplication and squaring operations over GF(p). The final result of the scalar point multiplication is converted to affine coordinate and the inverse operation is implemented using Fermat's little theorem. The ECC processor was verified by FPGA implementation using Virtex5 device. The ECC processor synthesized using a 0.18 um CMOS cell library occupies 2.7-Kbit RAM and 27,739 gate equivalents (GEs), and the estimated maximum clock frequency is 71 MHz. One scalar point multiplication takes 1,326,985 clock cycles resulting in the computation time of 18.7 msec at the maximum clock frequency.