Journal of Cryptographic Engineering, Volume 2, Issue 3, pp 179–188

Analysis of performance versus security in hardware realizations of small elliptic curves for lightweight applications

  • Vladimir Trujillo-Olaya
  • Timothy Sherwood
  • Çetin Kaya Koç
Regular Paper


In this paper, we report the results of a comprehensive study of the security level versus the execution performance (and resource requirements) for hardware implementations of small elliptic curves, particularly targeted for lightweight applications, such as RFID tags and sensor nodes. The case study was performed for small elliptic curves (41–163 bits) over GF(\(2^m\)), where finite field elements are represented using polynomial and Gaussian normal bases. The idea behind using elliptic curves in this range is that we obtain small implementations suitable for the mentioned applications; however, this comes at the cost of less security, since the Elliptic Curve Discrete Logarithm Problem (ECDLP) would be easier to break, i.e., would require fewer resources and less time for such small curves. Therefore, one must investigate both sides of the coin: first, the hardware resources needed to implement such elliptic curves and the resulting total execution time for a single point multiplication; second, the hardware resources needed to break such a curve and the resulting cost in terms of a defined metric, such as the total number of devices or dollars needed to solve the ECDLP in a given time duration. Following this reasoning, we studied the hardware (FPGA) implementations of small elliptic curves and determined the amount of resources (number of ALUTs, MEMs, REGs, the duration of the clock, the total number of clock cycles and the total execution time) needed for a single point multiplication operation. We also studied the security level of each one of these curves, based on an attack model and an associated cost metric. Under our proposed attack model, which we believe is very innovative, we considered three different platforms, namely PC, FPGA, and cloud computing. Due to the complexity of cloud computing configurations, we considered two different performance instances, namely, small (low budget) and high performance (relatively high budget). We then calculated the amount of resources and the total amount of dollars needed to solve each particular ECDLP, under different assumptions. We believe the results of our study will allow designers to select the appropriate curve for each application and device, based on the perceived (or real) threat models under which that device is operating and the performance requirements of the elliptic curve protocol, such as ECDH, ECDH, or ECIES.


ECC, ECDLP, Polynomial basis, Normal basis, FPGA, VHDL



Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  • Vladimir Trujillo-Olaya (1)
  • Timothy Sherwood (2)
  • Çetin Kaya Koç (2, 3)

  1. Bionanoelectronics Research Group, Universidad del Valle, Cali, Colombia
  2. University of California, Santa Barbara, USA
  3. Istanbul Şehir University, Istanbul, Turkey
