Memory-Constrained Implementations of Elliptic Curve Cryptography in Co-Z Coordinate Representation

  • Michael Hutter
  • Marc Joye
  • Yannick Sierra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6737)

Abstract

It has recently been shown that sharing a common coordinate in elliptic curve cryptography implementations improves the performance of scalar multiplication. This paper presents new formulæ for elliptic curves over prime fields that provide efficient point addition and doubling using the Montgomery ladder. All computations are performed in a common projective Z-coordinate representation to reduce the memory requirements of low-resource implementations. In addition, all given formulæ make use only of out-of-place operations, thereby ensuring that no additional memory is required by any implementation of the underlying finite-field operations. Our results outperform existing solutions in terms of memory and speed and allow a fast and secure implementation suitable for low-resource devices and embedded systems.
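As an added illustration that is not part of the paper (whose new formulæ are not reproduced here), the following Python builds a Montgomery ladder in which both ladder registers share one Jacobian Z coordinate, using the co-Z conjugate addition (ZADDC) and update (ZADDU) formulæ of Goundar, Joye and Miyaji (CHES 2010) that this work builds on. The P-256 parameters are the FIPS 186-3 ones; the function names and the affine double-and-add used only to check the result are this example's own.

```python
# P-256 domain parameters (FIPS 186-3); a = -3 is used only by the affine reference code
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a, b = p - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
def on_curve(P):
    return (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

def aff_add(P, Q):  # textbook affine add/double; reference only, not constant-time
    if P is None or Q is None: return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None   # P + (-P) = point at infinity
    num, den = (3 * x1 * x1 + a, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def aff_mul(k, P):  # left-to-right double-and-add, reference only
    R = None
    for bit in bin(k)[2:]:
        R = aff_add(R, R)
        if bit == '1': R = aff_add(R, P)
    return R

def zaddc(P, Q):
    # Conjugate co-Z addition (Jacobian): P, Q share Z and X1 != X2. Returns (P+Q, P-Q, P')
    # all sharing Z3, with P' = P rescaled to Z3 (the ZADDU update; a real ZADDU skips P-Q).
    (X1, Y1, Z), (X2, Y2, _) = P, Q
    C = (X1 - X2) ** 2 % p
    W1, W2 = X1 * C % p, X2 * C % p
    A1, Z3 = Y1 * (W1 - W2) % p, Z * (X1 - X2) % p
    out = []
    for Yd in ((Y1 - Y2) % p, (Y1 + Y2) % p):   # Y1-Y2 gives P+Q, Y1+Y2 gives P-Q
        X3 = (Yd * Yd - W1 - W2) % p
        out.append((X3, (Yd * (W1 - X3) - A1) % p, Z3))
    return out[0], out[1], (W1, A1, Z3)

def coz_ladder(k, P):
    # Montgomery ladder with R0, R1 sharing Z throughout; invariant R1 - R0 = P.
    # Assumes 1 <= k < n (group order); the case R0 = -R1 (prefix (n-1)/2) is not handled.
    x2, y2 = aff_add(P, P)
    R = [(P[0], P[1], 1), (x2, y2, 1)]       # R0 = P, R1 = 2P, common Z = 1
    for i in range(k.bit_length() - 2, -1, -1):
        b = (k >> i) & 1                     # same two calls whatever the bit is
        R[1 - b], R[b], _ = zaddc(R[b], R[1 - b])   # R_b+R_{1-b}, R_b-R_{1-b}
        R[b], _, R[1 - b] = zaddc(R[1 - b], R[b])   # sum = 2R_b; R_{1-b} rescaled
    X, Y, Z = R[0]
    zi = pow(Z, -1, p)
    return X * zi * zi % p, Y * zi ** 3 % p  # back to affine
```

This demonstrates the arithmetic only: the secret-dependent index b still selects memory, so a real implementation replaces it with constant-time conditional swaps.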

Keywords

Public-key cryptography, elliptic curves, co-Z coordinates, out-of-place formulæ, Montgomery ladder, embedded systems



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michael Hutter (1)
  • Marc Joye (2)
  • Yannick Sierra (3)
  1. Institute for Applied Information Processing and Communications, TU Graz, Graz, Austria
  2. Technicolor, Security & Content Protection Labs, Cesson-Sévigné Cedex, France
  3. Oberthur Technologies, Nanterre Cedex, France
