Programmable and Parallel ECC Coprocessor Architecture: Tradeoffs between Area, Speed and Security

  • Xu Guo
  • Junfeng Fan
  • Patrick Schaumont
  • Ingrid Verbauwhede
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


Elliptic Curve Cryptography implementations are known to be vulnerable to various side-channel attacks and fault injection attacks, and many countermeasures have been proposed. However, selecting and integrating a set of countermeasures targeting multiple attacks into an ECC design is far from trivial. Security, performance and cost need to be considered together. In this paper, we describe a generic ECC coprocessor architecture, which is scalable and programmable. We demonstrate the coprocessor architecture with a set of countermeasures to address a collection of side-channel attacks and fault attacks. The programmable design of the coprocessor enables tradeoffs between area, speed, and security.


  1. 1.
    Alrimeih, H., Rakhmatov, D.: Security-Performance Trade-offs in Embedded Systems Using Flexible ECC Hardware. IEEE Design & Test of Computers 24(6), 556–569 (2007)CrossRefGoogle Scholar
  2. 2.
    Kocher, C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Dominguez-Oviedo, A.: On Fault-based Attacks and Countermeasures for Elliptic Curve Cryptosystems. PhD Thesis, University of Waterloo (2008)Google Scholar
  4. 4.
    Verbauwhede, I., Schaumont, P.: Design Methods for Security and Trust. In: Proceedings of the conference on Design, automation and test in Europe –DATE 2007, pp. 1–6 (2007)Google Scholar
  5. 5.
    Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Baek, Y.-J., Vasyltsov, I.: How to prevent DPA and fault attack in a unified way for ECC scalar multiplication – ring extension method. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 225–237. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Schaumont, P., Hwang, D., Yang, S., Verbauwhede, I.: Multilevel Design Validation in a Secure Embedded System. IEEE Transactions on Computers 55(11), 1380–1390 (2006)CrossRefGoogle Scholar
  8. 8.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)MATHGoogle Scholar
  9. 9.
    López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(2m). In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Großschädl, J.: A low-power bit-serial multiplier for finite fields GF(2m). In: ISCAS 2001, vol. IV, pp. 37–40. IEEE, Los Alamitos (2001)Google Scholar
  11. 11.
    Kumar, S., Wollinger, T., Paar, C.: Optimum Digit Serial GF(2m) Multipliers for Curve-Based Cryptography. IEEE Transactions on Computers 55(10), 1306–1311 (2006)CrossRefGoogle Scholar
  12. 12.
    Rodríguez-Henríquez, F., Saqib, N.A., Díaz-Pérez, A., Koç, Ç.K.: Cryptographic Algorithms on Reconfigurable Hardware. Springer, Heidelberg (2006)Google Scholar
  13. 13.
    Koschuch, M., Lechner, J., Weitzer, A., Großschädl, J., Szekely, A., Tillich, S., Wolkerstorfer, J.: Hardware/Software co-design of elliptic curve cryptography on an 8051 microcontroller. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 430–444. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Sakiyama, K., Batina, L., Preneel, B., Verbauwhede, I.: Superscalar Coprocessor for High-Speed Curve-Based Cryptography. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 415–429. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Amiel, F., Villegas, K., Feix, B., Marcel, L.: Passive and Active Combined Attacks: Combining Fault Attacks and Side Channel Analysis. In: FDTC 2007, pp. 92–102. IEEE, Los Alamitos (2007)Google Scholar
  16. 16.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side-channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Ciet, M., Neve, M., Peeters, E., Quisquater, J.: Parallel FPGA implementation of RSA with residue number systems - can side-channel threats be avoided? In: IEEE International Symposium on Micro-NanoMechatronics and Human Science, vol. 2, pp. 806–810. IEEE Computer Society Press, Los Alamitos (2003)Google Scholar
  19. 19.
    Fouque, P.-A., Valette, F.: The Doubling Attack - Why Upwards Is Better than Downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Ciet, M., Joye, M.: Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults. Design, Codes and Cryptography 36, 33–43 (2005)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Yen, S.-M., Joye, M.: Checking before output not be enough against fault-based cryptanalysis. IEEE Trans. on Computers 49(9), 967–970 (2000)CrossRefMATHGoogle Scholar
  23. 23.
    Biehl, I., Meyer, B., Müller, V.: Differential Fault Attacks on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  24. 24.
    Fouque, P.-A., Lercier, R., Real, D., Valette, F.: Fault Attack on Elliptic Curve with Montgomery Ladder Implementation. In: FDTC2008, pp. 92–98. IEEE, Los Alamitos (2008)Google Scholar
  25. 25.
    Kim, C.H., Quisquater, J.-J.: How can we overcome both side channel analysis and fault attacks on RSA-CRT? In: FDTC 2007, pp. 21–29. IEEE, Los Alamitos (2007)Google Scholar
  26. 26.
    Joye, M.: On the Security of a Unified Countermeasure. In: FDTC 2008, pp. 87–91. IEEE, Los Alamitos (2008)Google Scholar
  27. 27.
    Joye, M., Ciet, M. (Virtually) Free Randomization Techniques for Elliptic Curve Cryptography. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 348–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  28. 28.
    De Mulder, E., Ors, S.B., Preneel, B., Verbauwhede, I.: Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In: EUROCON 2005, vol. 2, pp. 1879–1882. IEEE, Los Alamitos (2005)Google Scholar
  29. 29.
    Guo, X., Schaumont, P.: Optimizing the HW/SW Boundary of an ECC SoC Design Using Control Hierarchy and Distributed Storage. In: DATE 2009, pp. 454–459. EDAA (2009)Google Scholar
  30. 30.
    Guo, X., Schaumont, P.: Optimizing the Control Hierarchy of an ECC Coprocessor Design on an FPGA based SoC Platform. In: Becker, J., Woods, R., Athanas, P., Morgan, F. (eds.) ARC 2009. LNCS, vol. 5453, pp. 169–180. Springer, Heidelberg (2009)Google Scholar
  31. 31.
    Malkin, T.G., Standaert, F.-X., Yung, M.: A Comparative Cost/Security Analysis of Fault Attack Countermeasures. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 159–172. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  32. 32.
    Hwang, D., Tiri, K., Hodjat, A., Lai, B.C., Yang, S., Schaumont, P., Verbauwhede, I.: AES-Based Security Coprocessor IC in 0.18um CMOS with resistance to differential power analysis side-channel attacks. IEEE Journal of Solid-State Circuits 41(4), 781–791 (2006)CrossRefGoogle Scholar
  33. 33.
    Chen, Z., Zhou, Y.: Dual-Rail Random Switching Logic: A Countermeasure to Reduce Side-Channel Leakage. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 242–254. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  34. 34.
    Giraud, C.: An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis. IEEE Trans. on Computers 55(9), 1116–1120 (2006)CrossRefGoogle Scholar
  35. 35.
    Koschuch, M., Großschädl, J., Payer, U., Hudler, M., Krüger, M.: Workload Characterization of a Lightweight SSL Implementation Resistant to Side-Channel Attacks. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 349–365. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  36. 36.
    Sakiyama, K., Batina, L., Schaumont, P., Verbauwhede, I.: HW/SW Co-design for TA/SPA-resistant Public-Key Cryptosystems. In: ECRYPT Workshop on Cryptographic Advances in Secure Hardware (2005)Google Scholar
  37. 37.
    Batina, L., Mentens, N., Preneel, B., Verbauwhede, I.: Balanced point operations for side-channel protection of elliptic curve cryptography. IEE Proceedings of Information Security 152(1), 57–65 (2005)CrossRefMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Xu Guo
    • 1
  • Junfeng Fan
    • 2
  • Patrick Schaumont
    • 1
  • Ingrid Verbauwhede
    • 2
  1. 1.Bradley Department of Electrical and Computer EngineeringVirginia TechBlacksburgUSA
  2. 2.ESAT/SCD-COSICKatholieke Universiteit Leuven and IBBTLeuven-HeverleeBelgium

Personalised recommendations