## Hardware/Software Co-design for Hyperelliptic Curve Cryptography (HECC) on the 8051 µP (2005)

Venue: Proceedings of 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), number 3659 in Lecture Notes in Computer Science

Citations: 2 - 1 self

### BibTeX

@INPROCEEDINGS{Batina05hardware/softwareco-design,

author = {Lejla Batina and Alireza Hodjat and Bart Preneel and Ingrid Verbauwhede},

title = {Hardware/Software Co-design for Hyperelliptic Curve Cryptography (HECC) on the 8051 µP},

booktitle = {Proceedings of 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), number 3659 in Lecture Notes in Computer Science},

year = {2005},

pages = {106--118},

publisher = {Springer-Verlag}

}

### Abstract

Implementing public-key cryptography on platforms with limited resources, such as microprocessors, is a challenging task. Hardware/software co-design is often the only answer to implement the computationally intensive operations with limited memory and power at an acceptable speed. This contribution describes such a solution for Hyperelliptic Curve Cryptography (HECC). The proposed hardware/software co-design of the HECC system was implemented and co-simulated using the GEZEL design environment [3]. As a low-cost platform, we chose an 8-bit 8051 microprocessor to which one small hardware co-processor was added for field multiplication. We show that the Jacobian scalar multiplication can be computed in 2.488 sec at 12 MHz on this platform if a minimal hardware module is added, i.e. a hardware multiply-add unit. This optimal solution provides a factor of 26 speed-up over a software-only solution.

Keywords: HECC, GF(2^m), genus 2 curves, hardware/software co-design, embedded implementation.

### Citations

2499 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
Citation Context ... SSL/TLS, IPsec, SSH). The best-known and most commonly used public-key cryptosystems are based on factoring (RSA) and on the discrete logarithm problem in GF(p) (Diffie-Hellman, ElGamal, Schnorr, DSA) [18]. They allow secure communications over insecure channels without prior exchange of a secret key and they also enable digital signatures. Elliptic Curve Cryptography (ECC), which was proposed in the m...

703 | Elliptic Curve Cryptosystems
- Koblitz
- 1987
Citation Context ...ver insecure channels without prior exchange of a secret key and they also enable digital signatures. Elliptic Curve Cryptography (ECC), which was proposed in the mid 1980s by Miller [20] and Koblitz [14], is based on a different algebraic structure. ECC offers shorter certificates, lower power consumption and better performance on some platforms. Besides that, ECC offers more “security per bit” as no...

536 | Use of elliptic curves in cryptography
- Miller
- 1986
Citation Context ... communications over insecure channels without prior exchange of a secret key and they also enable digital signatures. Elliptic Curve Cryptography (ECC), which was proposed in the mid 1980s by Miller [20] and Koblitz [14], is based on a different algebraic structure. ECC offers shorter certificates, lower power consumption and better performance on some platforms. Besides that, ECC offers more “securi...

152 | Software Implementation of Elliptic Curve Cryptography Over Binary Fields
- Hankerson, Menezes
- 2000
Citation Context ...n and reduction functions. As a first improvement the multiplication routine is replaced by an assembly code. Multiplication: In the software implementation, we used a modified form of Algorithm 4 of [11] to implement fast software multiplication. The algorithm is a fast comb-based multiplication method with windows implemented for a 32-bit processor with window size of 4. Based upon initial simulatio...

135 | Comparing elliptic curve cryptography and RSA on 8-bit CPUs
- Gura, Patel, et al.
- 2004
Citation Context ...] showed that EC point multiplication can be performed on an 8051 microcontroller in less than 2 sec as a pure software solution. However, they used a 134-bit OEF at lower security level. Gura et al. [10] compared ECC and RSA on 8-bit CPUs and proved that Public-key Cryptography is viable on small devices. For hardware/software co-design the only relevant work that we are aware of is the one of Kumar ...

80 | An algorithm for solving the discrete log problem on hyperelliptic curves
- Gaudry
- 2000
Citation Context ...a very good choice for platforms with limited resources. Almost all existing HECC implementations consider binary fields and curves of genus two or three; this choice is motivated by security reasons [9]. Software implementations were developed on general purpose processors and on embedded microprocessors e.g. on an ARM [21,26] and some research has been performed on a hardware implementation. Howeve...

58 | An Elementary Introduction to Hyperelliptic Curves
- Menezes, Wu, et al.
- 1998
Citation Context ...resent the mathematical background for hyperelliptic curves including the algorithms for efficient arithmetic in the Jacobian group. More details on the theory of hyperelliptic curves can be found in [19]. 3.1 Hyperelliptic Curves Let GF(2^m) be an algebraic closure of the field GF(2^m). Here we consider a hyperelliptic curve C of genus g = 2 over GF(2^m), which is given with an equation of the form:s...

49 | Formulae for Arithmetic on Genus 2 Hyperelliptic Curves,” September 2003. http://www.ruhr-uni-bochum.de/itsc/ tanja/preprints/expl sub.pdf
- Lange
Citation Context ...ous Work Algorithms for HECC and implementations have been studied intensively in the past years. A significant amount of work has been performed on investigating the formulae for the group operation [17,24,22,8]. Explicit formulae for genus 2 curves are given by Lange [17] for arbitrary fields and for various types of coordinates. There exist practical results for both software platforms (general purpose ors...

42 | A family of jacobians suitable for discrete log cryptosystems
- Koblitz
- 1990
Citation Context ...ew years has ECC started replacing some of the RSA applications. In 1988 Koblitz suggested to use the generalization of Elliptic Curves (EC) for cryptography, the so-called Hyperelliptic Curves (HEC) [15]. While ECC applications are highly developed in practice, the use of HEC is still of pure academic interest. However, one advantage of HECC resides on the fact that the operand size for HECC is at le...

41 | Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves
- Pelzl, Wollinger, et al.
Citation Context ...nd curves of genus two or three; this choice is motivated by security reasons [9]. Software implementations were developed on general purpose processors and on embedded microprocessors e.g. on an ARM [21,26] and some research has been performed on a hardware implementation. However, this article describes the first HECC implementation using a hardware/software co-design. More precisely, we have implement...

36 | Elliptic curve cryptography on smart cards without coprocessors
- Woodbury, Bailey, et al.
- 2000
Citation Context ...erent architectures on a FPGA have been examined for vast area of applications. With respect to the platform, we mention here other relevant experiences with curve-based cryptography. Woodbury et al. [27] showed that EC point multiplication can be performed on an 8051 microcontroller in less than 2 sec as a pure software solution. However, they used a 134-bit OEF at lower security level. Gura et al. [...

20 | Genus Two Hyperelliptic Curve Coprocessor
- Boston, Clancy, et al.
- 2002
Citation Context ...nd for various types of coordinates. There exist practical results for both software platforms (general purpose or embedded processor) [26,21] and hardware devices, such as FPGAs [7,13]. The most detailed and complete reference dealing with software as well as hardware implementations is [24]. For embedded processors, a large amount of work has been performed for the ARM platform [2...

18 | Software and Hardware Implementation of Hyperelliptic Curve Cryptosystems. Europäischer Universitätsverlag
- Wollinger
- 2004
Citation Context ...ous Work Algorithms for HECC and implementations have been studied intensively in the past years. A significant amount of work has been performed on investigating the formulae for the group operation [17,24,22,8]. Explicit formulae for genus 2 curves are given by Lange [17] for arbitrary fields and for various types of coordinates. There exist practical results for both software platforms (general purpose ors...

13 | High Performance Arithmetic for Hyperelliptic Curve Cryptosystems of Genus Two
- Pelzl, Wollinger, et al.
Citation Context ...ous Work Algorithms for HECC and implementations have been studied intensively in the past years. A significant amount of work has been performed on investigating the formulae for the group operation [17,24,22,8]. Explicit formulae for genus 2 curves are given by Lange [17] for arbitrary fields and for various types of coordinates. There exist practical results for both software platforms (general purpose ors...

12 | Reconfigurable instruction set extension for enabling ECC on an 8-bit processor
- Kumar, Paar
Citation Context ... ECC and RSA on 8-bit CPUs and proved that Public-key Cryptography is viable on small devices. For hardware/software co-design the only relevant work that we are aware of is the one of Kumar and Paar [16]. They implemented ECC on an 8-bit AVR microcontroller with some extra hardware for field multiplications. They show that a 163-bit point multiplication can be calculated in 0.113 sec with a microcont...

10 | Elliptic & hyperelliptic curves on embedded µp
- Wollinger, Pelzl, et al.
Citation Context ...nd curves of genus two or three; this choice is motivated by security reasons [9]. Software implementations were developed on general purpose processors and on embedded microprocessors e.g. on an ARM [21,26] and some research has been performed on a hardware implementation. However, this article describes the first HECC implementation using a hardware/software co-design. More precisely, we have implement...

8 | Hyperelliptic Curve Coprocessors on a FPGA
- Kim, Wollinger, et al.
- 2004
Citation Context ...nd for various types of coordinates. There exist practical results for both software platforms (general purpose or embedded processor) [26,21] and hardware devices, such as FPGAs [7,13]. The most detailed and complete reference dealing with software as well as hardware implementations is [24]. For embedded processors, a large amount of work has been performed for the ARM platform [2...

7 | Special Hyperelliptic Curve Cryptosystems of Genus Two: Efficient Arithmetic and Fast Implementation, chapter
- Pelzl, Wollinger, et al.
- 2004
Citation Context ...3]. The most detailed and complete reference dealing with software as well as hardware implementations is [24]. For embedded processors, a large amount of work has been performed for the ARM platform [26,23,4,21]. Pelzl et al. [21] have implemented the group operation of genus 2 and 3 for HECC on an ARM7 processor. They compared the results with ECC implementation (with corresponding security) and showed that...

6 | Effective recursive algorithm for computing multiplicative inverses
- Itoh, Tsujii
- 1988
Citation Context ...s. First by means of Fermat’s little theorem we have: $a^{-1} = a^{2^m-2} = (a^{2^{m-1}-1})^2$, for all $a \in GF(2^m)$. The technique to compute this in optimal way is the basis for the idea of Itoh and Tsujii [12]. Their method is especially suited for normal basis but can be applied on polynomial basis as well. Here we consider the case for m odd, so m − 1 is even. Then we can write: a2m−1−1 (2 =a m−1 2 −1)(2...

6 | Classification of genus 2 curves over F_{2^n} and optimization of their arithmetic. Cryptology ePrint Archive: Report 2004/107
- Byramjee, Duquesne
Citation Context ...ar the inversion and multiplication in the binary field. We conclude that even with very limited hardware resources one can obtain an attractive performance. We used formulae of Byramjee and Duquesne [8] to achieve optimized divisor doubling operation. For the optimal hardware/software co-design we used GEZEL as a design environment. GEZEL is especially suitable for the exploration of domain-specific ...

5 | Optimal Tower Fields for Hyperelliptic Curve Cryptosystems
- Baktir, Pelzl, et al.
Citation Context ...3]. The most detailed and complete reference dealing with software as well as hardware implementations is [24]. For embedded processors, a large amount of work has been performed for the ARM platform [26,23,4,21]. Pelzl et al. [21] have implemented the group operation of genus 2 and 3 for HECC on an ARM7 processor. They compared the results with ECC implementation (with corresponding security) and showed that...

4 | Finding optimum parallel coprocessor design for genus 2 hyperelliptic curve cryptosystems
- Bertoni, Breveglieri, et al.
- 2004
Citation Context ...as given by Boston et al. [7]. Wollinger et al. [25] investigated HECC implementation on a VLSI coprocessor. They used projective coordinates and completed their research on VLSI platforms started in [6,5]. They compared co-processors using affine and projective coordinates and concluded that the latter should be preferred for hardware implementations. They used a curve of a special form (y^2 + xy = x ...

4 | Hyperelliptic Curve Cryptosystem: What is the Best Parallel Hardware Architecture?, chapter
- Bertoni, Breveglieri, et al.
- 2004
Citation Context ...as given by Boston et al. [7]. Wollinger et al. [25] investigated HECC implementation on a VLSI coprocessor. They used projective coordinates and completed their research on VLSI platforms started in [6,5]. They compared co-processors using affine and projective coordinates and concluded that the latter should be preferred for hardware implementations. They used a curve of a special form (y^2 + xy = x ...

3 | Performance of HECC coprocessors using inversion-free formulae
- Wollinger, Bertoni, et al.
Citation Context ...a PowerPC. In addition, they provided the first thorough comparison of ECC and HECC on those platforms. The first complete hardware implementation of HECC was given by Boston et al. [7]. Wollinger et al. [25] investigated HECC implementation on a VLSI coprocessor. They used projective coordinates and completed their research on VLSI platforms started in [6,5]. They compared co-processors using affine and ...

2 | Classification of genus 2 curves over F_{2^n} and optimization of their arithmetic. Cryptology ePrint Archive: Report 2004/107
- Byramjee, Duquesne
Citation Context ...ar the inversion and multiplication in the binary field. We conclude that even with very limited hardware resources one can obtain an attractive performance. We used formulae of Byramjee and Duquesne [8] to achieve optimized divisor doubling operation. For the optimal hardware/software co-design we used GEZEL as a design environment. GEZEL is especially suitable for the exploration of domain-specific...

1 |
semiconductor ds89c420 ultra-high-speed microcontroller
- Dallas
Citation Context ...ck. Thus, a 12-MHz external clock would produce an 8051 with a 1-MHz machine clock cycle, with most instructions requiring 1 or 2 machine cycles. Newer 8051 cores attempt to reduce the clock division [1]. The clock division principle can serve as an advantage to codesigned systems in that the coprocessor circuitry can inherently operate at 12x the internal 8051 machine rate. 4.2 Various Implementatio...