Low complexity montgomery multiplication architecture for elliptic curve cryptography over GF(p<sup>m</sup>)

Abstract

In this paper, a scalable VLSI multiplication architecture based on Montgomery multiplication (MM) algorithm for elliptic curve cryptography (ECC) over GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ), where p is a positive prime and m is the degree of extension of the base field GF(p), is presented. The elements of the GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ) are in polynomial basis (PB) representation. The coefficients of the polynomials are represented in Montgomery residue format to simplify the multiplications over GF(p). The proposed algorithm of MM over GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ) requires m(m+1) MMs and m <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> additions over GF(p). However, the proposed architecture takes {m(m+1)N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">mm</sub> +N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">add</sub> +1} cycles to compute MM over GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ), where N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">mm</sub> > N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">add</sub> = 2, and N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">mm</sub> and N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">add</sub> are the numbers of cycles to complete an MM and an addition over GF(p), respectively. The security of an ECC scheme depends on the number of elements in GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ). Hence, for a p with nominal bit length (p≫2), the value of m can be small, but the GF(p <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ) still contains almost equal number of elements to a GF(2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">k</sup> ), where k is positive integer. The complexity of the MM architecture over GF(p) is reduced by using carry-save-adder (CSA) based implementation, where N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PE</sub> is the depth of the CSA. Analysis shows that the area complexity of the proposed architecture is significantly less. Implementation in AMS-0.35um technology, with L=30 (for p=536872717), m=23 and N <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PE</sub> =8, yields a clock frequency of 20.885 MHz, throughput of 6243.68 multiplications per second and power consumption of 86.8 mW (at 20 MHz).