Elliptic curve scalar multiplier using karatsuba

Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
145
ELLIPTIC CURVE SCALAR MULTIPLIER USING
KARATSUBA
Ashna Paul1
, Divya.S2
1
M.Tech VLSI & Embedded Systems, ECE, SNGCE, Ernakulam, India
2
Assistant Professor, ECE, SNGCE, Ernakulam, India
ABSTRACT
Elliptic Curve Cryptography (ECC) provides similar level of security to conventional integer-based public-key
algorithms, but with much shorter keys. ECC over binary field is of special interest because the operations in binary field
are thought more space and time efficient. However, the software implementations of ECC over binary that are used in
small computing devices such as sensor nodes. It replaces RSA because of its increased security with lesser number of
key bits. Elliptic Curve scalar multiplication module will be available in majority of secure communication systems. The
most important operation in Elliptic Curve Cryptosystem is the computation of scalar multiplication using karatsuba
multiplier. In scalar multiplication of kP for given integer k and point P on elliptic curve. This work aims to design and
implement elliptic curve scalar multiplier on a single field programmable gate array (FPGA).The hardware complexity is
reduced using polynomial basis presentation of finite field and projective co-ordinate representation of elliptic curves.
Keywords: Classical Multiplier, Cryptography, FPGA, Galois Multiplier I.
I. INTRODUCTION
Elliptic Curve Cryptography (ECC), proposed independently in 1985 by Neal Koblitz [1] and VictorMiller [2],
has been used in cryptographic algorithms for a variety of security purposes such as key exchangeand digital signature.
Compared to traditional integer based public-key algorithms, ECC algorithms canachieve the same level of security with
much shorter keys. For example, 160-bit Elliptic-curve DigitalSignature Algorithm (ECDSA) has a security level
equivalent to 1024-bit Digital Signature Algorithm(DSA) [3]. Because of the shorter key length, ECC algorithms run
faster, require less space, and consumeless energy. These advantages make ECC a better choice of public-key
cryptography, especially in resource constrained systems such as sensor nodes and mobile devices for pervasive
computing Commonly-used elliptic curves are defined in either a prime field GF(p) or a finite field of characteristic
twoGF(2m), which is also called a binary field [13]. The elliptic curves over binary field are of special interest
tocryptography because the operations in a binary field are faster and easier to implement than those in primefields. We
will focus on ECC over binary field in this paper. This is especially interesting for high performance system because of
its carry free property. To reduce the complexity of simple karatsuba Multiplier, multiplier with less complexity over GF
(2m
) based on simple and classical Karatsuba Multiplier is used. Furthermore, the experimental results on FPGAs for
simple Karatsuba Multiplier and proposed karatsuba multiplier were shown and the comparison table is provided. In the
first part of the paper we present our implementation of an Elliptic Curve scalarmultiplier is based on the projective
coordinate system [5] and the Karatsuba [2] algorithm. The second part of the paper discusses our implementations of the
important mathematical background.
INTERNATIONAL JOURNAL OF ELECTRONICS AND
COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)
ISSN 0976 – 6464(Print)
ISSN 0976 – 6472(Online)
Volume 5, Issue 12, December (2014), pp. 145-151
© IAEME: http://www.iaeme.com/IJECET.asp
Journal Impact Factor (2014): 7.2836 (Calculated by GISI)
www.jifactor.com
IJECET
© I A E M E

146
II. PRELIMINARIES
When defined in a binary field, an elliptic curve can be represented by y2
+ x•y = x3
+ a•x2
+ b, (1) where a and
b are constants in GF(2m
) and b ≠ 0. The set E(GF(2m
)) includes all the points on the curve and aspecial point Ο, which
is defined as the identity element For any point P = (x, y) in E, we have:P + Ο = Ο + P = P,
Algorithm 1: Elliptic Curve Scalar Multiplier
Input : An integer k ¹ 0 of length l bits and base point P
Output : Q = kP
1. begin
2. Q = O
3. for i = l - 2 downto 0 do
4. Q = Double(Q)
5. if k = 0 then
6. Q = Add(Q, P)
7. end
The cost of an inversion in affine coordinates is much more expensive in scalar multiplication . Inversions can
be reduced by using a projective coordinator representation. A point P in projective coordinates is represented using
three coordinates. In Lopez Dahab (LD) projective coordinates representation is given by
Y2
+ XYZ = X 3
Z + aX2
Z2
+ bZ4
(1)
The equation for point addition in LD coordinate for the projective point P = (X1, Y1, Z1) and the affine point Q
(x2, y2) is shown in (1). The result is the point on the curve
(P + Q) = (X3, Y3, Z3)
A = y2 · Z2
+ Y1
B = x2
· Z1 + X1
C = Z1 · B,
D = B2 · (C + a · Z12)
Z3 = C2
, E = A · C
X3 = A2
+ D + E,
F = X3
+x2
· Z3
G = (x2 + y2) · Z 3
Y3 = (E + Z3) · F + G.
To make it more efficient the scalar multiplication is the main operation in elliptic curve cryptography.
Scalarmultiplication involves plenty of point addition and point doubling. In affine coordinates each point addition
anddoubling involves a multiplicative inverse operation. Multiplicative inverse is a costly operation in finite fieldsTwo
types of operations are done in finite field. They are prime field F(q) and binary field F(2m). Representing the points in
projective coordinate systems can be eliminated the multiplicative inverse operation in point addition and point doubling
and thereby increasing the efficiency of point multiplication operation. Before point multiplication the projective
coordinate in elliptic curve to convert the given point in affine coordinate. Then projective coordinate convert it back to
affine coordinate after point multiplication. The entire process requires only one multiplicative inverse operation. The
operation in projective coordinate involves more scalar multiplication than in affine coordinate. ECC on projective
coordinate will be efficient than affine coordinates .when the implementation of scalar multiplication using projective is
much faster than multiplicative inverse operation.
III. MATHEMATICAL BACKGROUND
A finite field is also known as a Galois field. A Galois field in which the elements can take q is the prime
number different values is referred to as GF(q). The formal properties of a finite field are:
(a) There are two defined operations, namely point addition and point multiplication.
(b) The result of adding or multiplying two elements from the field is always an element in the finite field.
(c) One element of the field is the element zero, such that a + 0 = a for any element a in the
field.
(d) One element of the field is unity, so a • 1 = a for any element a in the field.

147
(e) For every element a in the field, there is an additive inverse element -a, such that a + ( - a) = 0. This allowsthe
operation of subtraction to be defined as addition of the inverse.
(f) For every non-zero element d in the field there is a multiplicative inverse element d-1 such that d.d-1= 1. Thisallows
the operation of division to be defined as multiplication by the Inverse.
(g) The associative [a + (b + c) = (a + b) + c, a • (b • c) = [(a • b) • c], commutative [a + b = b + a, a • b = b • a], and
distributive [a • (b + c) = a • b + a • c] laws apply. These properties cannot be satisfied for all possible finitefield. They
can, however, be satisfied if the field size is an prime number or any integer power of a prime. If theirreducible
polynomial in binary field implementation is chosen to be trinomial the implementation of ECC on binary field can be
made efficient than the prime field implementation. NIST specified domain parameters, theirreducible polynomials are
either trinomial or pentanomial. These chosen polynomials cause the polynomial reduction in binary field to run much
faster than the modular reduction in prime field. Irreducible polynomial is a polynomial of degree m that cannot be
expressed as the product of two polynomials of lesser degree. If in any polynomial arithmetic operation the resultant
polynomial is having degree greater than or equal to m, it is reduced to a polynomial of degree less than m by the
irreducible polynomial.
A. Point Addition
Point addition is the addition of two points J and K on an elliptic curve to obtain another point L on the same
elliptic curve.
Fig 1: Point Addition
Consider two points J and K on an elliptic curve as shown in figure (a). If K ≠ -J then a line drawn through the
points J and K will intersect the elliptic curve at exactly one more point –L. The reflection of the point –L with respect to
xaxis gives the point L, which is the result of addition of points J and K. Thus on an elliptic curve L = J + K. If K = -J the
line through this point intersect at a point at infinity O. Hence J + (-J) = O. This is shown in figure (b). O is the additive
identity of the elliptic curve group. A negative of a point is the reflection of that point with respect to x-axis.
Consider two distinct points J and K such that J = (xJ, yJ) and K = (xK, yK) Let L = J + K where L = (xL, yL), then
xL = s2 - xJ – XkyL = -yJ + s (xJ – xL) s = (yJ – yK)/(xJ – xK), s is the slope of the line through J and K. If K = -J i.e.
K = (xJ, -yJ) then J + K = O. where O is the point at infinity. If K = J then J + K = 2J then point doubling equations are
used. Also J + K = K + J.
B. Point Doubling
Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same
ellipticcurve To double a point J to get L, i.e. to find L = 2J, consider a point J on an elliptic curve as shown in figure
(a).If y coordinate of the point J is not zero then the tangent linea J will intersect the elliptic curve at exactly one more
point–L. The reflection of the point –L with respect to x-axisgives the point L, which is the result of doubling the point
J.Thus L = 2J. If y coordinate of the point J is zero then thetangent at this point intersects at a point at infinity O. Hence
2J = O when yJ = 0. This is shown in figure (2)

148
Fig 2: Point Doubling
Consider a point J such that J = (xJ, yJ), where yJ≠ 0 Let L = 2J where L = (xL, yL), Then
xL = s2 – 2xJ
yL = -yJ + s(xJ - xL)
s = (3xJ+ a) / (2yJ), s is the tangent at point J and a is one of the parameters chosen with the lliptic curve .If yJ = 0 then
2J = O, where O is the point at infinity.
IV. PROPOSED METHDOLOGY
Finite field multiplication of two elements in the field (2m)is defined a C(x) = A(x) · B(x)mod P(x) . where
C(x), A(x),and B(x) are in GF(2m) and P(x) is the irreduciblepolynomial that generates the field GF(2m).
Implementingthe multiplication requires two steps. First, the polynomialproduct C′(x) = A(x) · B(x) is determined, then
the modulooperation is done on C′(x). The Karatsuba multiplier uses adivide and conquers approach to multiply A(x) and
B(x). Them term polynomials are recursively split into two. Witheach split the size of the multiplication required
reducesby half.In the Karatsuba multiplier, the m bit multiplicands A(x)and B(x) represented in polynomial basis are
split as shownin Equation 2 For brevity, the equations that followrepresent the polynomials Ah(x), Al(x), Bh(x), and
Bl(x) byAh ,A l, Bh, and Bl respectively.
A(x) = Ahxm/2
+ Al
B(x) = Bhxm/2
+ Bl
The multiplication is then done using three m/2 bitmultiplications
C′(x) = (Ahxm/2
+ Al)(Bhxm/2
+ Bl)
= AhBhxm
+ (AhBl + AlBh)xm/2
+ AlBl
= AhBhxm
+ ((Ah + Al)(Bh + Bl) + AhBh +AlBl)xm/2
+ AlBl (2)
The Karatsuba multiplier can be applied recursively to eachm/2 bit multiplication . Ideally this multiplier is best
suitedwhen mis a power of 2, this allows the multiplicands to bebroken down until they reach 2 bits. The final
recursionconsisting of 2 bit multiplications can be achieved by ANDgates. Such a multiplier with m a power of 2 is
called thebasic Karatsuba multiplier.

149
Fig:3: bit parallel karatsuba multiplier
The classical Karatsuba multiplier is more efficient forsmall sizes of multiplicands, while the bit parallel
Karatsuba multiplier is efficient for large multiplicands. In our proposed Karatsuba multiplier, all recursions are done
usingthe the bit parallel Karatsuba multiplier except the finalrecursion. The final recursion is done using a classical
Karatsuba multiplier when the multiplicands have a size lessthan 29 bits. The initial recursions using the Simple
Karatsuba multiplier result in low gate count, while the finalrecursion using the classical Karatsuba multiplier results in
low LUT requirements. For a163-bit proposed Karatsuba multiplier as shown in Figure 1, the initial four recursions are
done using the Simple Karatsuba multiplier, while the final recursion is done with 20-bit and 21-bit General Karatsuba
multipliers.
Fig 4: proposed karatsuba multiplier

150
V. COMPARISON
The summary of the comparison between two scalar multipliers is tabulated as shown below. From the table the
conclusion is proposed karatsuba multiplier has an area efficient design. That is, the second one has almost considerable
reduction in area in terms of total equivalent gate count.
TABLE: COMPARISON
a. AREA ANALYSIS
The synthesis report generated by the Xilinx ISE software tool can be used to analyze the area utilized by the
two versions of the Montgomery karatsuba scalar multiplier. Device utilization summary is shown here for comparison.
This report includes total number of 4 input LUTs, flipflops, the equivalent gate count etc.
b. SIMULATION RESULT FOR SCALAR MULTIPLIER

151
V. CONCLUSION
The table the conclusion is proposed karatsuba multiplier has an area efficient design. That is, the second one
has almost considerable reduction in area in terms of total equivalent gate count. The most important factorcontributing
the performance is the finite field multiplication and finite field inversion. A Karatsuba multiplier is proposed for finite
field multiplication, which has been shown to possess the best area time product compared to reported Karatsuba
implementations. The Karatsuba multiplier is a recursive algorithm which does the initial recursions using the simple
Karatsuba multiplier, while the final recursion is done using the classical Karatsuba multiplier. The classical Karatsuba
has large gate counts; however it is more compact for small sizedmultiplications due to the better LUT utilization. The
simple Karatsuba multiplier is more efficient for large sized multiplications. After a thorough search, a threshold of 29
was found. Multiplications smaller than 29 bits is done using the classical Karatsuba multiplier, while larger
multiplications are done with the the bit parallel Karatsuba multiplier.
ACKNOWLEDGMENT
I owe my most sincere gratitude to Ms. Divya S (Assistant Professor, ECE) for the great support and
co-operation, whose guidance I could complete the thesis work to the level we had planned, for the regular reviews and
suggestions. Last but not the least; I extend my sincere thanks to other staff members and my beloved friends for their
suggestions and support.
REFERENCES
[1] SujoySinha Roy, Chester Rebeiro and DebdeepMukhopadhyay Theoretical Modeling of Elliptic Curve
ScalarMultiplier on LUT-Based FPGAs for Area and Speed IEEETransactions On Very Large Scale Integration
(Vlsi) Systems, VOL. 21, NO. 5, MAY 2013.
[2] C.Grabbe, M.Bednara, J.Teich, J.vonzurGathen, and J.Shokrollahi, FPGA designs of parallel high performance
GF (2233) multipliers,ǁ in Proc.Int.Symp. Circuits Syst.(ISCAS), May 2003, pp.268-271.
[3] P.L.Montgomery,ǁ Five, six and seven-term Karatrsuba –like formulae, IEEE Trans. Comput., vol.54, no.3,
pp.362-369, Mar.2005.
[4] C.Paar,ǁA new architecture for a parallel finite fieldmultiplier with low complexity based on composite
fields,ǁIEEE Trans.Comput., vol.45, no.7, pp.856-861, 1996.
[5] C.Rebeiro and D.Mukhopadhyay,ǁ Power attack resistant efficient FPGA architecture for karatsuba multiplier,ǁ
in Proc.Int. Conf. VLSI Des., 2008, pp.706-711 N.S.Kim, T.Mudge, and R.Brown, ―A 2.3 Gb/s fully
integrated and synthesizable AES rinjdael core,ǁ in proc. IEEE CustomIntegrated Circuits Conf., 2003,
pp. 193-196.
[6] A.Reyhani-Masoleh and A.Hasan,ǁ Low complexity bitparallel architecture for polynomial basis multiplication
over GF(2m), IEEE Trans.Comput., vol.53, no.8, pp .945-995, Aug. 2004.
[7] F.Rodriguez-Henriquez and C.K.Koc,ǁ On fully parallel karatsuba multipliers for GF(2m),ǁ in Proceeding (394)
Computer Sciences and Technology. Cancun, Mexico: ACTA Press, 2003 Matthew P.Young June 1, 2006
―Basics of Elliptic curvesǁ.
[8] B.Sunar,ǁA generalization method for constructing subquadratic complexity GF (2K) multipliers,ǁ IEEE Trans.
Comput., vol.53, no.9, pp.1097-1105, sep.2004.
[9] VictorMiller, “Uses of Elliptic Curves in Cryptography, “Advances in Cryptology, Crypto’85, vol. 218,
pp. 417–426,1986.
[10] Alfred J. Menezes, Paul C. van Oorschot, and Scott A.Vanstone, Handbook of Applied Cryptography, CRC
Press.
[11] Anatoly A. Karatsuba and Y. Ofman, “Multiplication of Multidigit Numbers on Automata,” Soviet Physics
Doklady, l. 7, pp. 595–596, 1963.
[12] Varun Shukla and Abhishek Choubey, “A Comparative Analysis of the Possible Attacks on RSA
Cryptosystem”, International Journal of Electronics and Communication Engineering & Technology (IJECET),
Volume 3, Issue 1, 2012, pp. 92 - 97, ISSN Print: 0976- 6464, ISSN Online: 0976 –6472.

Elliptic curve scalar multiplier using karatsuba

More Related Content

What's hot (19)

Similar to Elliptic curve scalar multiplier using karatsuba (20)

More from IAEME Publication (20)

Recently uploaded (20)

Elliptic curve scalar multiplier using karatsuba