
An Efficient General Purpose Elliptic Curve Cryptography Module for - PowerPoint PPT Presentation

An Efficient General Purpose Elliptic Curve Cryptography Module for Ubiquitous Sensor Networks. Christof Paar, Axel Poschmann, Leif Uhsadel. Ruhr-Universität Bochum, Germany


  1. An Efficient General Purpose Elliptic Curve Cryptography Module for Ubiquitous Sensor Networks. Christof Paar, Axel Poschmann, Leif Uhsadel. Ruhr-Universität Bochum, Germany

  2. Outline • Motivation • Platform • Bottlenecks I • Algorithmic Setup • Bottlenecks II • Implementation • Results 12.6.2007, Slide 2

  3. Why high speed? Past: Mainframe (n : 1). Present: Personal (1 : 1). Future: Ubiquitous (1 : n). Ubiquitous = wireless + embedded + energy efficient = constrained in CPU, memory, battery

  4. General Purpose Module: 77% long term multiplication

  5. Goal • Asymmetric cryptography is quite useful for key distribution • Asymmetric cryptography is supposed to be too demanding for constrained devices • TinyECC: Open source • SUN: Fast but not public • Goal: • Fast and free prime field for constrained devices • Main task: efficient 160-bit modular multiplication

  6. Platform: MicaZ, ATMega128L

  7. Bottleneck: SRAM access. Registers: 32*8 = 256 bit; Input: 160 + 160 = 320 bit; Output: 320 bit • SRAM operation: 2 clock cycles • 8-bit multiplication: 2 clock cycles

  8. Algorithmic Setup: Standard curve secp160r1 • Prime field based on a 160-bit Mersenne prime. Alternatives: • Karatsuba-Ofman • trade 1 mul for 4 add • recursive nature • Hybrid Schoolbook • optimized for low SRAM access

  9. Implementation: Why are carries a bottleneck? • Addition overwrites carry flag • Add with carry not possible • Carry must be buffered • Overhead per 8-bit multiplication: • More than 3 clock cycles • 400 8-bit multiplications are done [Figure: rows a_i * b_j, a_i * b_{j+1}, a_i * b_{j+2}, a_i * b_{j+3} over result bytes C_{k+5} ... C_k and a carry buffer]

  10. Implementation: Handling carries • Overhead per 4 8-bit multiplications: • More than 4 clock cycles • More than 1 clock cycle per 8-bit multiplication [Figure: partial products a_i * b_j, a_i * b_{j+1}, a_i * b_{j+2}, a_i * b_{j+3} over result bytes C_{k+4} ... C_k]

  11. Results. 160-bit integer multiplication: sun (assembly): 3106 clock cycles, 0.39 ms @ 8 MHz; this work (assembly): 2913 clock cycles, 0.36 ms @ 8 MHz. Binary EC multiplication / Sliding Window (w=4) EC multiplication: sun (assembly): 0.81 s; this work (C): 1.15 s; tinyecc (ECDSA sig) (hybrid): 1.9 s; continued project (C): 0.89 s

  12. • Questions? • Comments? uhsadel@crypto.rub.de
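
Slides 7 to 10 argue that SRAM access, not the multiplier, dominates a 160-bit multiplication on an 8-bit CPU; the following added example (not code from the presentation or from TinyECC) multiplies two 20-byte operands with plain product scanning and with a hybrid block scheme and counts 8-bit multiplications and operand byte loads for each. The block width `D = 4`, the `cost_t` counters and the load-counting model (one load per operand byte fetched, result stores and carry-handling cycles not modelled) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 20   /* 160-bit operand = 20 bytes, little-endian */
#define D 4    /* hybrid block width in bytes (assumed value) */
typedef struct { unsigned muls, loads; } cost_t;

/* Product scanning: every 8x8 multiplication fetches both bytes from SRAM. */
cost_t mul_scan(uint8_t r[2 * N], const uint8_t a[N], const uint8_t b[N]) {
    cost_t c = {0, 0};
    uint32_t acc = 0;                     /* column sum, carries included */
    for (int k = 0; k < 2 * N - 1; k++) {
        int lo = k < N ? 0 : k - N + 1, hi = k < N ? k : N - 1;
        for (int i = lo; i <= hi; i++, c.muls++, c.loads += 2)
            acc += (uint32_t)a[i] * b[k - i];
        r[k] = (uint8_t)acc; acc >>= 8;
    }
    r[2 * N - 1] = (uint8_t)acc;
    return c;
}

/* Hybrid: product scanning over D-byte blocks, operand scanning inside a
   block pair, so each loaded byte is reused for D multiplications. */
cost_t mul_hybrid(uint8_t r[2 * N], const uint8_t a[N], const uint8_t b[N]) {
    cost_t c = {0, 0};
    uint32_t col[2 * N] = {0}, carry = 0; /* wide columns model the carry buffer */
    for (int kb = 0; kb < 2 * (N / D) - 1; kb++)
        for (int ib = 0; ib < N / D; ib++) {
            int jb = kb - ib;
            if (jb < 0 || jb >= N / D) continue;
            uint8_t ra[D], rb[D];         /* operand blocks held in registers */
            memcpy(ra, a + ib * D, D); memcpy(rb, b + jb * D, D);
            c.loads += 2 * D;
            for (int i = 0; i < D; i++)
                for (int j = 0; j < D; j++, c.muls++)
                    col[(ib + jb) * D + i + j] += (uint32_t)ra[i] * rb[j];
        }
    for (int k = 0; k < 2 * N; k++) { carry += col[k]; r[k] = (uint8_t)carry; carry >>= 8; }
    return c;
}

/* Constructed input a = b = 2^160 - 1; returns 1 if both products agree. */
int demo(cost_t *s, cost_t *h) {
    uint8_t a[N], r1[2 * N], r2[2 * N];
    memset(a, 0xFF, N);
    *s = mul_scan(r1, a, a); *h = mul_hybrid(r2, a, a);
    return memcmp(r1, r2, 2 * N) == 0 && r1[0] == 0x01 && r1[N] == 0xFE;
}

int main(void) {
    cost_t s, h; int ok = demo(&s, &h);
    printf("ok=%d scan %u/%u hybrid %u/%u (muls/loads)\n", ok, s.muls, s.loads, h.muls, h.loads);
    return !ok;
}
```

Both variants perform the 400 8-bit multiplications quoted on slide 9; only the number of operand loads differs, which is the quantity the hybrid method targets.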
