Journal of Cryptology

, Volume 22, Issue 2, pp 259–281 | Cite as

Constructive and Destructive Use of Compilers in Elliptic Curve Cryptography



Although cryptographic software implementation is often performed by expert programmers, the range of performance and security driven options, as well as more mundane software engineering issues, still make it a challenge. The use of domain specific language and compiler techniques to assist in description and optimisation of cryptographic software is an interesting research challenge. In this paper we investigate two aspects of such techniques, focusing on Elliptic Curve Cryptography (ECC) in particular. Our constructive results show that a suitable language allows description of ECC based software in a manner close to the original mathematics; the corresponding compiler allows automatic production of an executable whose performance is competitive with that of a hand-optimised implementation. In contrast, we study the worrying potential for naïve compiler driven optimisation to render cryptographic software insecure. Both aspects of our work are set within the context of CACE, an ongoing EU funded project on this general topic.


Elliptic curve cryptography (ECC) Implementation Compilers Optimisation Specialisation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    D. Agrawal, B. Archambeault, J.R. Rao, P. Rohatgi, The EM Side-Channel(s). In Cryptographic Hardware and Embedded Systems (CHES), LNCS 2523, 29–45, 2002. Google Scholar
  2. [2]
    B. Alpern, C.R. Attanasio, J.J. Barton, M.G. Burke, P. Cheng, J.-D. Choi, A. Cocchi, S.J. Fink, D. Grove, M. Hind, S.F. Hummel, D. Lieber, V. Litvinov, M.F. Mergen, T. Ngo, J.R. Russell, V. Sarkar, M.J. Serrano, J.C. Shepherd, S.E. Smith, V.C. Sreedhar, H. Srinivasan, J. Whaley, The Jalapeño Virtual Machine. In IBM System Journal, 39(1), 2000. Google Scholar
  3. [3]
    ARM Limited. Jazelle White Paper. Available from:
  4. [4]
    ARM Limited. ARM946E-S Technical Reference Manual. Available from:
  5. [5]
    M. Arnold, S.J. Fink, D. Grove, M. Hind, P.F. Sweeney, Adaptive Optimization in the Jalapeño JVM. In Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), 2000. Google Scholar
  6. [6]
    R.M. Avanzi, Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 3156, 148–162, 2004. Google Scholar
  7. [7]
    P.D. Barrett, Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor. In Advances in Cryptology (CRYPTO), LNCS 263, 311–323, 1986. Google Scholar
  8. [8]
    M. Barbosa, D. Page, On the Automatic Construction of Indistinguishable Operations. In Cryptology ePrint Archive, Report 2005/174, 2005. Google Scholar
  9. [9]
    I.F. Blake, G. Seroussi, N.P. Smart, Elliptic Curves in Cryptography. Cambridge University Press, Cambridge, 1999. MATHGoogle Scholar
  10. [10]
    I.F. Blake, G. Seroussi, N.P. Smart, Advances in Elliptic Curve Cryptography. Cambridge University Press, Cambridge, 2004. Google Scholar
  11. [11]
    D. Boneh, D. Brumley, Remote Timing Attacks Are Practical. Available from:
  12. [12]
    D.J. Bernstein, Cache-timing Attacks on AES. Available from:
  13. [13]
    É. Brier, M. Joye, Weierstraß Elliptic Curves and Side-channel Attacks. In Public Key Cryptography (PKC), LNCS 2274, 335–345, 2002. Google Scholar
  14. [14]
    J. Camenisch, M. Rohe, A.-R. Sadeghi, Sokrates – A Compiler Framework for Zero-Knowledge Protocols. In Western European Workshop on Research in Cryptology (WEWoRC), 2005. Google Scholar
  15. [15]
    B. Chevallier-Mames, M. Ciet, M. Joye, Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity. In IEEE Transactions on Computers, 53(6), 760–768, 2004. CrossRefGoogle Scholar
  16. [16]
    J.-S. Coron, Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 1717, 292–302, 1999. Google Scholar
  17. [17]
    Computational Algebra Group, University of Sydney. Magma Computational Algebra System. Available from:
  18. [18]
    C. Consel, L. Hornof, R. Marlet, G. Muller, S. Thibault, E.-N. Volanschi, J. Lawall, J. Noyá, Tempo: Specializing Systems Applications and Beyond. In ACM Computing Surveys, 30 (3), 1998. Google Scholar
  19. [19]
    P. Crescenzi, V. Kann, A Compendium of NP Optimization Problems. Available from:
  20. [20]
    G. Dueck, T. Scheuer, Threshold Accepting: A General Purpose Optimization Algorithm Appearing Superior to Simulated Annealing. In Journal of Computational Physics, 90(1), 161–175, 1990. MATHCrossRefMathSciNetGoogle Scholar
  21. [21]
    P. Gaudry, E. Thomé, The mp \({\mathbb{F}}_{q}\) Library and Implementing Curve-based Key Exchanges. In Software Performance Enhancement for Encryption and Decryption (SPEED), 49–64, 2007. Google Scholar
  22. [22]
    D. Gupta, B. Malloy, A. McRae, The Complexity of Scheduling for Data Cache Optimization. In Information Sciences, 100 (1–4), 1997. Google Scholar
  23. [23]
    D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography. Springer-Verlag, New York, 2004. MATHGoogle Scholar
  24. [24]
    J.L. Hennessy, D.A. Patterson, Computer Architecture: A Quantitative Approach. Morgan Kaufmann, Los Altos, 2006. MATHGoogle Scholar
  25. [25]
    M. Joye, J.-J. Quisquater, Hessian Elliptic Curves and Side-Channel Attacks. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 2162, 402–410, 2001. Google Scholar
  26. [26]
    D. Knuth, The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley, Reading, 1999. Google Scholar
  27. [27]
    N. Koblitz, Elliptic Curve Cryptosystems. In Mathematics of Computation, 48, 203–209, 1987. MATHCrossRefMathSciNetGoogle Scholar
  28. [28]
    N. Koblitz, Hyperelliptic Cryptosystems. Journal of Cryptology, 1(3), 139–150, 1989. MATHCrossRefMathSciNetGoogle Scholar
  29. [29]
    P.C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Advances in Cryptology (CRYPTO), LNCS 1109, 104–113, 1996. Google Scholar
  30. [30]
    P.C. Kocher, J. Jaffe, B. Jun, Differential Power Analysis. In Advances in Cryptology (CRYPTO), LNCS 1666, 388–397, 1999. Google Scholar
  31. [31]
    M. Kowarschik, C. Wei, An Overview of Cache Optimization Techniques and Cache-Aware Numerical Algorithms. In Algorithms for Memory Hierarchies, LNCS 2625, 213–232, 2003. Google Scholar
  32. [32]
    J.R. Lewis, B. Martin, Cryptol: High Assurance, Retargetable Crypto Development and Validation. In Military Communications Conference, 2, 820–825, 2003. Google Scholar
  33. [33]
    P.-Y. Liardet, N.P. Smart, Preventing SPA/DPA in ECC Systems Using the Jacobi Form. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 2162, 391–401, 2001. Google Scholar
  34. [34]
    S. Lucks, N. Schmoigl, E.I. Tatli, The Idea and the Architecture of a Cryptographic Compiler. In Western European Workshop on Research in Cryptology (WEWoRC), 2005. Google Scholar
  35. [35]
    S. Micali, L. Reyzin, Physically Observable Cryptography (Extended Abstract). In Theory of Cryptography, LNCS 2951, 278–296, 2004. Google Scholar
  36. [36]
    V. Miller, Uses of Elliptic Curves in Cryptography. In Advances in Cryptology (CRYPTO), LNCS 218, 417–426, 1985. Google Scholar
  37. [37]
    P.L. Montgomery, Modular Multiplication Without Trial Division. Mathematics of Computation, 44, 519–521, 1985. MATHCrossRefMathSciNetGoogle Scholar
  38. [38]
    S.S. Muchnick, Advanced Compiler Design and Implementation. Morgan Kaufmann, Los Altos, 1997. Google Scholar
  39. [39]
    J.D. Nielsen, M.I. Schwartzbach, A Domain-Specific Programming Language for Secure Multiparty Computation. In Programming Languages and Analysis for Security (PLAS), 2007. Google Scholar
  40. [40]
    D. Page, CAO : A Cryptography Aware Language and Compiler. Available from:
  41. [41]
    J. Sermulins, W. Thies, R. Rabbah, S. Amarasinghe, Cache Aware Optimization of Stream Programs. In ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems, 2005. Google Scholar
  42. [42]
    Standards for Efficient Cryptography Group (SECG). SEC 2: Recommended Elliptic Curve Domain Parameters, 2000. Available from:
  43. [43]
    V. Shoup, NTL: A Library for doing Number Theory. Available from:
  44. [44]
    J.A. Solinas, Generalized Mersenne Numbers. Technical Report CORR 99-39, University of Waterloo, 1999. Google Scholar
  45. [45]
    E. Trichina, A. Bellezza, Implementation of Elliptic Curve Cryptography with Built-In Counter Measures against Side Channel Attacks. In Cryptographic Hardware and Embedded Systems (CHES), LNCS 2523, 98–113, 2002. Google Scholar
  46. [46]
    C.D. Walter, Montgomery Exponentiation Needs No Final Subtractions. Electronics Letters, 35, 1831–1832, 1999. CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2008

Authors and Affiliations

  1. 1.Departamento de InformáticaUniversidade do MinhoBragaPortugal
  2. 2.Department of Computer ScienceUniversity of BristolBristolUK

Personalised recommendations