On the Hardware Design of an Elliptic Curve Cryptosystem Miguel Morales-Sandoval and Claudia Feregrino-Uribe National Institute for Astrophisics, Optics and Electronics Computer Science Department Luis Enrique Erro No. 1, Sta. Ma. Tonantzintla, Pue, 72840 Puebla, M´ exico {mmorales, cferegrino}@inaoep.mx Abstract We present a hardware architecture for an Ellip- tic Curve Cryptography System performing the three basic cryptographic schemes: DH key generation, encryp- tion and digital signature. The architecture is described by using hardware description languages, specifically Han- del C and VHDL. Because of the sequential nature of the cryptographic algorithms, they are written in Handel C lan- guage. The critical part of the cryptosystem is a module performing the scalar multiplication operation. This mod- ule has been written in VHDL to let further improvements. The points of the elliptic curve are represented in projec- tive coordinates working over the two-characteristic finite field and using polynomial basis. A prototype of this hard- ware architecture is implemented on a Xilinx Virtex II FPGA device. 1. Introduction Because of the information processing and telecommu- nications revolutions, there is an increasing demand for techniques to keep information secret, to determine that in- formation has not been forged and to determine who au- thored pieces of information. Cryptographic techniques are currently being utilized for these purposes. Elliptic Curve Cryptography (ECC) [12] has been receiving a lot of attention in the last years be- cause of the benefits it offers. ECC employs smaller length keys than other cryptosystems like RSA, what implies less space for key storage and less costly modular operations. Furthermore, it has been shown in the literature [12] that ECC’s security is higher than that provided by RSA, which is the most widely used public key cryptosystem. Although ECC offers the same security level than RSA using smaller length key, among scientists and mathematicians still exists skepticism for using ECC in practical applications. ECC’s security has not been proved; its strength is based on the in- ability to find attacks. International organizations such as ISO, ANSI, IEEE and NIST have been working to standardize the use of ECC. Also, several enterprises like Certicom, Sun Microsystems, Motorola and others have been investing in research; these enterprises consider ECC as the cryptosystem of the future. The main area where ECC is applied is to implement cryp- tographic functions in constrained environments. Main ap- plications of ECC are in the wireless market where security is required but devices have limited resources (memory and computational power) to implement any other public key cryptosystem. Since performance of all elliptic curve cryp- tosystems depends on the efficiency to perform field arith- metic operations, most of the reported papers are related to the improvement of such arithmetic units. In this work, we present a hardware implementation of an elliptic curve cryptosystem. We have implemented the three basic cryptographic schemes: ECDH for key genera- tion [4], ECIES scheme [19] to encrypt data and ECDSA [1] to generate a digital signature. Also, the SHA-1 al- gorithm [20] was implemented for authentication; in the ECDSA scheme it is necesary to get the hash value of the message to be signed and in the ECIES scheme it is required to generate a bit string which is used to encrypt the mes- sage. A hardware implementation is well suited since el- liptic curve cryptography implies complex field and elliptic curve operations. To the best of our knowledge, a hardware architecture that implements the three cryptographic algo- rithms mentioned above has not been reported. The most time consuming operation in an elliptic curve cryptosystem is the so-called scalar multiplication opera- tion. In the DH key generation scheme it is necessary to perform one scalar multiplication operation; in the ECIES scheme, scalar multiplication is required twice in the en- cryption process and once in the decryption process; in the ECDSA scheme, this operation is required once in signature generation and twice in signature verification. We have im- plemented a coprocessor in VHDL for performing the scalar Proceedings of the Fifth Mexican International Conference in Computer Science (ENC’04) 0-7695-2160-6/04 $20.00 © 2004 IEEE