A Review of Techniques for Implementing Elliptic Curve Point Multiplication on Hardware

Abstract

Cryptography is considered indispensable among security measures applied to data concerning insecure means of transmission. Among various existent algorithms on asymmetric cryptography, we may cite Elliptic Curve Cryptography (ECC), which has been widely used due to its security level and reduced key sizes. When compared to Rivest, Shamir and Adleman (RSA), for example, ECC can maintain security levels with a shorter key. Elliptic Curve Point Multiplication (ECPM) is the main function in ECC, and is the component with the highest hardware cost. Lots of ECPM implementations have been applied on hardware targeting the acceleration of its calculus. This article presents a systematic review of literature on ECPM implementations on both Field-Programmable Gate Array (FPGA) and Application-Specific Integrated Circuit (ASIC). The obtained results show which methods and technologies have been used to implement ECPM on hardware and present some findings of the choices available to the hardware designers.

1. Introduction

The rapid development and widespread application of information technology have deeply affected the entire economy and society. Many electronic devices need to exchange confidential information securely, and one of the best defenses to preserve the data secrecy and confidentiality from unpermitted users is cryptography. One approach to provide public-key cryptography relies on the use of Elliptic Curve Cryptography (ECC), which is based on the algebraic structure of elliptic curves over finite fields. ECC was proposed by Neal Koblitz [1] and Victor Miller [2], and requires smaller keys to obtain the same security level when compared to other algorithms. For instance, considering a 3072-bit Rivest, Shamir and Adleman (RSA) key, ECC will need a 256-bit key to ensure the same security level [3]. As the keys for ECC are smaller than those for other algorithms, ECC’s requirements are also smaller and conform to the requirements of size- and resource-constrained devices.

ECC is widely implemented on software and hardware approaches to increase security when sharing information through unsafe networks. Software applications involve Bitcoin digital signature scheme [4], OpenSSL protocols [5], image encryption [6,7], and others. Hardware implementations of ECC for size constraint devices, such as the Internet of Things (IoT), include Radio Frequency Identification (RFID) [8], wireless medical devices [9], Android chat applications [10], and others. Its applications can be made in devices with or without limited resources; the manner they are implemented will vary depending on the environment. Thus, IoT applications are suitable for devices with limited hardware resources, unlike other cryptographic schemes.

Applications of ECC under hardware approaches usually aim to speed up critical operations. Elliptic Curve Point Multiplication (ECPM), also referred to in the literature as scalar multiplication, is the main operation and most computing-intensive part of the algorithm [11]. So, it has been subjected to countless attempts to improve its performance when applied to hardware. Depending on the purpose of implementation, different sets of techniques can be utilized on ECC over prime and binary fields. These techniques include area reduction [12], performance and efficiency increase [13,14], adjustments to fit size constraint devices [12,15], and development of custom crypto-processors [11,14,16]. For instance, Hossain, Saeedi, and Kong [13] proposed an architecture to speed up ECPM utilizing Jacobian projective coordinates and a combination of Point Addition (PA) and Point Doubling (PD) in parallel. Liu, Liu, and Zou [16] proposed a flexible processor with multi-algorithm support, which enables different fields and curves with random point generation. Salarifard, Bayat-Sarmadi, and Mosanaei-Boorani [17] implemented a fixed-base-comb method in two architectures and reached significant results in energy and latency reduction on ECPM, and the implementation is Simple Power Analysis (SPA) and timing attack resistant.

While similarities can be found among sets of algorithms for ECC in literature, a roadmap of desired characteristics must be previously traced based on the purpose of the implementation. An algorithm applied to aim area reduction is usually slower than another that is not recommended for resource-constrained devices. Several parameters must be defined once the roadmap is constructed, including finite field, algorithms for field arithmetic, a curve selection, point representation, and algorithms to perform Elliptic Curve (EC) arithmetic, among others [18]. The perfect selection can be a little tricky; thus, it should always be done considering the environment first of all. If the environment requires a small code due to area limitations, the chosen algorithms must fit this requirement or lose efficiency and performance. In view of this, it is difficult to reach a custom best set of algorithms to apply on hardware implementations with no size constraints, in which the focus lies over efficiency and performance values. Papers often trace a customized set of algorithms for their own purposes, whereas different possibilities can be found on books or surveys without recommendations of the best choice.

In this paper, we present a comparison involving recently selected ECPM implementations over hardware approaches. Focusing on implementations of ECPM over binary fields on Integrated Circuit (IC) technologies such as Field-programmable Gate Array (FPGA) and Application-specific Integrated Circuit (ASIC), our comparison aims to find the techniques that favor reaching the best efficiency. While environments and purposes differ in each work, thus, affecting the selection of algorithms and techniques, it is possible to trace similarities among some sets of algorithms and trace a basic roadmap. The sets of algorithms these works implemented were cataloged to provide a recommendation of a path to follow. Thus, as the main contribution, this paper indicates which combinations of methods and technologies reach the best efficiency, thus pointing out directions for hardware implementations of ECPM over binary fields.

The remainder of this paper is organized as follows. Section 2 presents an approach to the context of the research, involving finite fields, curves, point multiplication, coordinates, and existing attacks on ECC. Section 3 describes the methodology applied in this study, including research questions, document search, paper selection, and data extraction. Next, Section 4 discusses the gathered information on the selected papers, describing the techniques applied to those and making a comparative analysis of silicon cost and performance. Finally, Section 5 presents the final remarks.

2. Background

The development process of embedded systems mainly includes the design of hardware and software. The system must ensure reliability, maintainability, availability, safety, and security [19]. A system designer must take precautions regarding energy consumption, code size, usage of resources, weight, and cost to enhance efficiency [20]. Since the code must be compact, designers must select the functions properly to provide efficiency without compromising the primary function.

It is well-known that selecting the best cryptographic scheme and algorithms has a preponderant role in the design task. According to Loi and Ko [21], ECC needs smaller keys than RSA to provide the same level of security. Therefore, this aspect is why we defined ECC as our object of study. While smaller keys do not guarantee smaller code, the advantages of ECC rely on the security aspect.

ECC uses the Discrete Logarithm Problem (DLP), which is classified as a one-way function because it is easy to calculate but challenging to reverse. According to Ciet and Joye [22], there is no sub-exponential algorithm capable of solving Elliptic Curve Discrete Logarithm Problem (ECDLP), although one of the algorithms that can be applied is Pollard’s Rho method [23]. Other methods, such as brute-force, have an impractical performance.

2.1. The Elliptic Curve over Finite Fields

ECC is an approach for public-key cryptography on the algebraic structure of elliptic curves $\mathcal{E}$ over finite fields or Galois fields, ${\mathbb{F}}_q$.

The elliptic curve $\mathcal{E}$ over ${\mathbb{F}}_q$, here denoted by $\mathcal{E}/{\mathbb{F}}_q$ or $\mathcal{E}\left({\mathbb{F}}_q\right)$, is defined by the general Weierstrass equation [24]:

$$y^3+{\alpha }_{1}xy+{\alpha }_{3}y=x^3+{\alpha }_2{x}^2+{\alpha }_{4}x+{\alpha }_6,$$

(1)

in which ${\alpha }_1,{\alpha }_2,{\alpha }_3,{\alpha }_4,{\alpha }_6\in {\mathbb{F}}_q$. Prime fields are usually called ${\mathbb{F}}_{p^m}$, with $q=p^m$, where p is a prime number and $m\in \mathbb{N}$. We denote Binary fields by ${\mathbb{F}}_{2^m}$, with $q=2^m$. There also exist elliptic curves defined over other fields for cryptography, which are not discussed in this paper.

The set of all points on the elliptic curve and the point at infinity, $I_{\infty }$, forms an Abelian group in which $I_{\infty }$ is the identity element. An Abelian group is a nonempty set $\mathcal{A}$ with a binary operation + defined on $\mathcal{A}$ such that the following conditions hold:

i.

Identity: $P+I_{\infty }=I_{\infty }+P=P$, $\forall P\in \mathcal{E}\left({\mathbb{F}}_q\right)$

ii.

Negatives: If $P\in \mathcal{E}\left({\mathbb{F}}_q\right)$, then $P+(-P)=I_{\infty }$ and $-P$ is called the negative of P and $-P\in \mathcal{E}/{\mathbb{F}}_q$. Also, $-I_{\infty }=I_{\infty }$.

iii.

Point addition: Let $P,Q\in \mathcal{E}\left({\mathbb{F}}_q\right)$, where $P\ne \pm Q$, then, $P+Q=R\in \mathcal{E}\left({\mathbb{F}}_q\right)$.

iv.

Point doubling: Let $P\in \mathcal{E}\left({\mathbb{F}}_q\right)$ where $P\ne -P$. Then $2P=S\in \mathcal{E}\left({\mathbb{F}}_q\right)$.

A hierarchy must be followed to define the sets of algorithms needed to create an ECC cryptographic scheme. Figure 1 demonstrates this hierarchy. First, it is necessary to select the type of protocol to be used, Elliptic Curve Diffie-Hellman (ECDH) or Elliptic Curve Digital Signature Algorithm (ECDSA). In sequence, the algorithms to perform ECPM must be defined, followed by the algorithms to perform field arithmetic.

Finite field requires that a basis is selected to perform field arithmetic. Figure 2 represents what needs to be defined accordingly to the chosen basis. For binary field, if the polynomial basis is chosen, each element is a polynomial, and therefore, field operations make use of polynomial arithmetic [25]. A reduction polynomial must be defined to reduce the results of its arithmetic into elements of Galois field [26]. Reduction polynomial will ensure that the given result belongs to the field.

Normal basis is defined for any finite field ${\mathbb{F}}_{2^m}$. An example of a normal basis is Gaussian normal basis, commonly utilized on ECC. Optimal Normal Basis (ONB) aims at reducing hardware complexity when multiplying field elements [18]. In a normal basis representation, elements of ${\mathbb{F}}_{2^m}$ are expressed in terms of a basis of the form $\{\beta ,{\beta }_{2^2},\dots ,{\beta }_{2^{m-1}}\}$. One advantage of a normal basis representation is that squaring a field element is a simple rotation of its vector representation [25]. Mullin et al. [27] introduced the concept of an ONB to reduce the hardware complexity of multiplying field elements in ${\mathbb{F}}_{2^m}$.

Table 1. Summary of the Optimal Normal Basis (ONB).

Type I ONB	Type II ONB
If $(m+1)$ in ${\mathbb{F}}_{2^m}$ is prime and 2 is a primitive element of the field ${\mathbb{F}}_{(m+1)}$.	If $(2m+1)$ is a prime that $2m+1\equiv 3(mod4)$ and 2 results in quadratic residues in the field ${\mathbb{F}}_{2m+1}$.
	If $(2m+1)$ is prime and 2 is a primitive element of ${\mathbb{F}}_{2m+1}.$

presents two types of ONB, concerning the value of m [25]. If m does not satisfy any of three statements mentioned in the table, then ${\mathbb{F}}_{2^m}$ does not contain an ONB [25]. According to Hankerson, Menezes, and Vanstone [18], ONB does not have any significant advantages over a polynomial basis for hardware implementation. Furthermore, field multiplication in software for normal basis representations is very slow compared to multiplication with a polynomial basis. In this way, the polynomial basis is the best choice for hardware implementation.

2.2. Curves over Binary Fields

An elliptic curve over binary fields $\mathcal{E}\left({\mathbb{F}}_{2^m}\right)$ is defined by:

$$y^2+xy=x^3+{\alpha }_1{x}^2+{\alpha }_2.$$

(2)

There are two types of a curve over a binary field ${\mathbb{F}}_{2^m}$: (i) random elliptic curves over a binary field ${\mathbb{F}}_{2^m}$; and ($ii$) Koblitz elliptic curves over a binary field ${\mathbb{F}}_{2^m}$. Some parameters must be defined previously to generate a curve over binary fields. According to the authors of [18], the domain parameters for both are the following:

• m, which is the extension degree of the binary field ${\mathbb{F}}_{2^m}$.
• $f\left(z\right)$, which is the reduction polynomial of degree m.
• The coefficients of the elliptic curve ${\alpha }_1,{\alpha }_2\in {\mathbb{F}}_{2^m}$.
• The prime order of the base point P, which is given by n.
• The cofactor is given by $h=\#\mathcal{E}\left({\mathbb{F}}_{2^m}\right)/n$, in which $\#\mathcal{E}\left({\mathbb{F}}_{2^m}\right)$ is the order of $\mathcal{E}$ over ${\mathbb{F}}_{2^m}$.
• The $(x_P,y_P)\in \mathcal{E}\left({\mathbb{F}}_q\right)$, which are the coordinates of the base point P.

In addition to these parameters, if random curves are being used, a seed will be applied to randomly generate the elliptic curve’s coefficients.

A.

Random Elliptic Curve (REC) (REC is part of National Institute of Standards and Technology (NIST)’s recommended curves [25].): Its advantages lie in the security aspect, in which the coefficients of the curve are randomly generated. Once the randomness requires more computational processing power, this curve may not be the better implementation choice [25].

B.

Koblitz Curve (KEC) (KEC is part of NIST’s recommended curves and easy to create [25].): Also known as anomalous binary curves, this curve is defined over binary fields and is a non-supersingular elliptic curve. ECPM in KEC is fastest than in REC [18]. Because KEC is presented on NIST’s recommendations, it is a popular chosen curve [13,28].

Regardless of the curve selection, domain parameters must be carefully chosen. Brown [29] presents an efficient generation for the Elliptic curve domain parameters over ${\mathbb{F}}_{2^m}$, in which the output of the presented steps is the septuple $T=(m,f\left(z\right),{\alpha }_1,{\alpha }_2,P,n,h)$. In such a way, the logarithm derivation on the associated elliptic curve requires approximately $2^t$ operations, where t is the security level in bits required from the elliptic curve domain parameters.

2.3. Elliptic Curve Point Multiplication

To generate the public key, cryptosystems based on elliptic curves must perform point multiplication, also called scalar multiplication. Elliptic Curve Point Multiplication (ECPM) is the most computationally expensive part of ECC and consists of repeated steps of point adding and point doubling to reach:

$$Q=kP,$$

(3)

in which P is a point of the curve $\mathcal{E}\left({\mathbb{F}}_{2^m}\right)$, k is a randomly selected integer from the range of $[1,m-1]$ defining the private key, and Q is the public key resultant of the multiplication [18]. From Equation (3), the private key is defined, and posteriorly the public key is created. Thus, both keys are related to each other. There are numerous ECPM algorithms, although the simplest algorithm is composed of point adding and point doubling operations. We can define the point adding and point doubling operations as follows:

A.

Point Addition: Consists in adding a point with another point. Assume two points $P=(x_P,y_P)$ and $Q=(x_Q,y_Q)$, in which $P\ne Q$ and $P,Q\ne I_{\infty }$. Then, $P+Q=-R=(x_R,-y_R)$ [25]. Point $-R$ should be reflected the in x-axis to compute point R. Figure 3 shows the point addition on ECC.

B.

Point Doubling: Is the addition to a point with itself, when $P=Q$. Let $P=(x_P,y_P)$, where $P\ne -P$, then $2P=2(x_P,y_P)$ [18]. Point doubling is evaluated in the same way as point addition, as also generates first $-2P$, which is reflected in x-axis to compute point $2P$. Figure 4 shows the point doubling on ECC.

Double-and-Add method is a known algorithm for scalar multiplication. According to [25], the scalar should be written as $k=(k_{r-1},...,k_0)$ in binary notation and consider $r=\left({log}_{2}k\right)+1$. Finally, the result follows of the sum $kP=P+P+...+P$. The Double-and-Add method requires $(r-1)$ doubling operations and likely $(r-1)/2$ additions. This method is one of the most basic algorithms to perform scalar multiplication and can be modified or combined with other techniques to accelerate it. As other algorithms, we can mention the addition-subtraction method using Nonadjacent form (NAF), Right-to-left binary method, Left-to-right binary method, Montgomery, Fixed-base comb, and Window methods [18]. The best algorithm is selected based on the project environment, whereas the indicated algorithm for one project will not necessarily be indicated for another.

2.4. Projective Coordinates

The projective coordinates systems offer an alternative method for the efficient performance of the arithmetic of the elliptic curve [30]. These methods avoid the expensive cost of the field multiplication inversion involved in both points doubling and point addition operation with the arithmetic of the affine coordinates $(x,y)$. In these methods, the elliptic curve points are usually substituted with the projective coordinates system as follows.

In standard projective coordinates, the projective point $(x,y,z)$, in which $z\ne 0$, corresponds to the affine point $(x/z,y/z)$ [31]. Therefore, $\mathcal{E}\left({\mathbb{F}}_{2^m}\right)$ in (2) can be rewritten as

$$y^{2}z+xyz=x^3+{\alpha }_1{x}^{2}z+{\alpha }_2{z}^3.$$

(4)

In the Jacobian coordinates system, a point $(x,y)$ in affine coordinates system is recovered as $(x/z^2,y/z^3)$, in which $z\ne 0$ [31], in (2) yields

$$y^2+xyz=x^3+{\alpha }_1{x}^2{z}^2+{\alpha }_2{z}^6.$$

(5)

Using López–Dahab (LD) projective coordinates system, in which $(x/z,y/z^2)$, in which $z\ne 0$ [31], $\mathcal{E}\left({\mathbb{F}}_{2^m}\right)$ in (2) is given by

$$y^2+zxy=z{x}^3+{\alpha }_1{x}^2{z}^2+{\alpha }_2{z}^4.$$

(6)

These operations directly impact efficiency and performance metrics. Therefore, before selecting the projective coordinates, we need to know the context of ECPM.

2.5. Attacks on ECC

For any cryptosystem, there will always be an attempt to break it and steal information. For instance, although ECC is a very secure cryptographic scheme, attacks aim to break it. Some examples are divided into [25]:

i.

Algorithms on DLP: Shank’s Baby-step-Giant-step, Pohlig-Hellman’s method, Pollard’s $\rho$-method, $\lambda$-method, Index-calculus algorithm, Number field sieve algorithm, and function field sieve algorithm.

ii.

Algorithms on ECDLP: Shank’s Baby-step-Giant-step, Pollard’s $\rho$-method, Pohlig-Hellman’s method, method of solving multiple ECDLP, and Index-calculus method.

iii.

Weil pairing and MOV reduction attack.

iv.

Semaev-Smart-Satoh-Araki (SSA) attack.

v.

Differential and power attacks: SPA and Differential Power Analysis (DPA).

vi.

Electromagnetic Analysis Attack (EAA).

vii.

Error message analysis.

Some approaches for mitigating attacks have been studied [32]. These countermeasures heavily depend on the hardware platform’s characteristics, operating environment, and invaders’ skills. These aspects must be evaluated on a case-by-case basis.

In implementations of ECC, point multiplication algorithms are particularly vulnerable because the usual formulas for adding and doubling points are quite different and, therefore, may have its power traces readily be distinguished by SPA [25]. However, some precautions can be taken to prevent these attacks. In this case, a modified algorithm uses the power alignment for the adding and doubling points operation [18]. Thus, the equals power traces are certainly no longer distinguishable by SPA.

3. Materials and Methods

In this paper, we applied the Systematic Literature Review (SLR) method. According to Kitchenham et al. [33], this method is a secondary study on a subject to identify, analyze, and interpret all possible evidence related to the main studies on that subject. The motivation behind these studies is to gather knowledge about a particular field of study.

A systematic review of the literature has some requirements to succeed. The first step should be to define a subject and its motivation. In second, the search strategy must be well-defined. Similarly, the selection method must lead to the primary studies in the literature and its contribution to the current research [33].

In this paper, we present an analytical discussion about the previous research based on ECPM to identify the possible opportunities and challenges where new studies may be applied. The strategies applied in this systematic review of the literature relied on: (i) the database and research query used; and ($ii$) the inclusion and exclusion criteria. Both are presented in the following subsections.

3.1. Research Strategy

Our work brings a new contribution to the discussion about ECPM implementation by providing a study of the most efficient algorithms on hardware.

Table 2. Research Question.

Research Question	Goals
Which techniques have been used to perform ECPM?	To identify the main algorithms currently used to perform ECPM.
	To identify the techniques used in the works which obtained the best results.

presents the research question for this study.

3.2. Research Query

As the primary database, we selected Elsevier’s Scopus, the largest abstract and citation database of peer-reviewed literature. We focused on the most recent publications, ranging from 2015 to 2020. The Scopus query was performed using the following expression:

TITLE-ABS-KEY ((elliptic AND curve AND point AND multiplication) AND (fpga)) AND (LIMIT-TO (PUBYEAR, 2020) OR LIMIT-TO (PUBYEAR, 2019) OR LIMIT-TO (PUBYEAR, 2018) OR LIMIT-TO (PUBYEAR, 2017) OR LIMIT-TO (PUBYEAR, 2016) OR LIMIT-TO(PUBYEAR, 2015)) AND (LIMIT-TO(DOCTYPE, “ar”)).

3.3. Inclusion and Exclusion Criteria

To assess the relevance of the journal in which each paper was published, we used SCImago Journal Rank (SJR) indicator [34]. SJR measures the scientific influence of scholarly journals by accounting for both: (i) the number of citations received by a journal; and ($ii$) the prestige of the journals from where the citations come. Then, the set of journals is ranked according to their SJR and divided into four equal groups, four quartiles. Our study considered only articles published in journals classified in the two upper quartiles, i.e., Q1 and Q2.

After selecting the papers retrieved from the query, we analyzed their abstracts, results, and conclusions. We then selected only the works presenting implementations over 163-bit binary curves and single point multiplication. This constraint enabled us to make a fair comparison among the works analyzed in this review. We also applied a set of exclusion criteria to reduce the number of papers to the most representative set of works for a full analysis. The inclusion and exclusion criteria are summarized in

Table 3. Inclusion and Exclusion Criteria.

Inclusion Criteria	Exclusion Criteria
The paper was published in a journal ranked in Q1 or Q2 quartiles of SJR.	The work uses other integrated circuit technologies rather than FPGA.
The work presents results on ECPM over 163 bits.	The authors implement a non-single point multiplication algorithm for the elliptic curve.
	The work builds EC over ${\mathbb{F}}_p$ instead of ${\mathbb{F}}_{2^m}$.
	The work does not present quantitative results.

.

4. Results

The review protocol returned 55 papers. After applying the inclusion and exclusion criteria (Table 3), we selected 13 works for analysis, including: [11,13,14,16,17,28,35,36,37,38,39,40,41]. For each paper, we gathered information (when available) about its curve, field, coordinates, inversion, multiplier, and other techniques applied to ECPM itself. We observed that most papers implemented a customized algorithm with enhanced functions to speed up point multiplication. It is worth to mention that we collected data about the entire environment, covering all the information provided, as every technique influences the final result. This section presents a review of the techniques applied to each primary study concerning the whole used environment. It should be underlined that information about all the techniques used is not always available for all papers. Thus, we elaborated on the following description based on the available information.

4.1. Curves

Table 4. Summary of implemented curves.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Generic	•			•	•	•						•	•
Binary Huff	•
Koblitz		•					•				•
Random		•
Generalized Hessian			•
Binary Edwards			•
Does not specify								•	•	•

presents the curves utilized by each of the selected papers. We can see that most papers made use of generic curves, while others did not specify. For the works concerned about the choice of the curve, most of them used the Koblitz curve. For a better understanding, we present below a brief description of each other curves.

• Koblitz curves: According to Hankerson, Menezes, and Vanstone [18], the primary advantage of the Koblitz curves consists of the opportunity of implementing ECC without point doublings when performing ECPM.
• Generic curves: They are non-supersingular elliptic curves defined over the general Weierstrass Equation (1). Generic elliptic curves are the most general form of curves found in literature and can be defined over prime or binary fields.
• Random curves: This type of curve is generated randomly due to the parameters’ choice. The curve’s coefficients are generated from the output of a seeded cryptographic hash [42], thus providing more security to the cryptosystem [43]. According to Hankerson, Menezes, and Vanstone [18], when the curve is generated randomly, it is provided some assurance to the user as proof that the curve was not generated with intentional weaknesses that could be exploited lately. Even though the curve’s randomness increases security, other questions must be considered, such as the area of the device where the encryption will be applied.
• Hessian curves: Hessian curves are defined over a symmetric cubic equation. Its addition formulas can also be used for doubling and subtraction when generating points on the curve, making this an interesting choice against side-channel attacks. Generalized Hessian curves have some differences from Hessian curves, covering more isomorphic classes of elliptic curves. The equation for Generalized Hessian curves can be written as

  $$x^3+y^3+{\alpha }_1{z}^3={\alpha }_{2}xyz,$$

  (7)

  where ${\alpha }_1$, ${\alpha }_2\in \mathbb{F}$, ${\alpha }_1\ne 0$ and ${\alpha }_2^3\ne 27{\alpha }_1$ [43].
• Binary Edwards Curves (BEC): These curves are defined over the equation

  $$\mathcal{E}\left({\mathbb{F}}_{2^m}\right):{\alpha }_1(x+y)+{\alpha }_2(x^2+y^2)=xy+xy(x+y)+x^2{y}^2,$$

  (8)

  where ${\alpha }_1,{\alpha }_2\in {\mathbb{F}}_{2^m}$ and ${\alpha }_1\ne 0$ and ${\alpha }_2\ne {\alpha }_1^2+{\alpha }_1$. This curve is symmetric in x-axis and y-axis, i.e., if $(x_1,y_1)\in \mathcal{E}\left({\mathbb{F}}_{2^m}\right)$, then $(y_1,x_1)\in \mathcal{E}\left({\mathbb{F}}_{2^m}\right)$ [44].
• Binary Huff Curves (BHC): These curves are defined over the equation

  $$\mathcal{E}\left({\mathbb{F}}_{2^m}\right):{\alpha }_{1}x(y^2+yz+z^2)={\alpha }_{2}y(x^2+xz+z^2),$$

  (9)

  where ${\alpha }_1,{\alpha }_2\in {\mathbb{F}}_{2^m}$ and ${\alpha }_1\ne {\alpha }_2$. This equation is related to the curve when using projective coordinates, although there exists an equation directed to the use of affine coordinates [45].

The curves chosen by the authors vary due to the purpose of each implementation. While some of them opted for NIST recommended curves (Koblitz, Random, and others, which belong to the “did not specify” row, were referred only as “NIST recommended”), others preferred to construct a curve based on other equations, such as binary Edwards or Hessian curves. Li and Li [28] state that Koblitz curves could execute ECPM faster than generic curves when utilizing Frobenius mapping. According to Azarderakhsh and Reyhani-Masoleh [14], binary Edwards curves belong to a special type of generic elliptic curves defined over binary fields. Imran et al. [11] showed that BHC requires less computation than BEC, even though both require more computation than generic EC.

4.2. IC Technologies

All selected papers had prototyped their ECC implementations on Xilinx FPGA devices, and some included ASIC deployments, both using different lithographies.

Table 5. Type of Integrated Circuit (IC) technology used for $\mathcal{E}\left({\mathbb{F}}_{2^{163}}\right)$ implementations.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Virtex-II (150 nm)												•
Virtex-4 (90 nm)	•		•			•		•	•			•
Virtex-5 (65 nm)	•				•	•	•	•	•		•	•	•
Virtex-6 (40 nm)		•										•
Virtex-7 (28 nm)		•			•				•	•	•	•	•
ASIC (180 nm)												•
ASIC (65 nm)		•			•
ASIC (55 nm)				•

shows the circuit technologies used in each work. While it is preferred to implement the circuit in newer devices, such as the Virtex-7 family, for fair comparisons among related works, we also consider older FPGAs.

4.3. Basis

As

Table 6. Basis for the field.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Polynomial	•	•		•	•	•	•	•	•		•	•
Gaussian Normal			•							•			•

shows, 71% of the works analyzed in this review employ a polynomial basis. This evidence suggests that the polynomial basis is more suitable for hardware implementation. At this point, we note that the Gaussian normal basis provides an efficient implementation of field multiplication that requires simple hardware for the shift, rotation, and XOR operations [38]. The squaring operation is simple as it needs only the right cyclic shift [14].

A polynomial basis requires smaller hardware than a Gaussian basis. On the other hand, a Gaussian basis enables substantial gain in area and performance for inversion operations. Furthermore, both bases can be implemented with a small footprint and provide high performance for square operations. While there may exist small differences in these results, the differences in performance are caused mainly by inversion operations. This effect results from the fact that affine coordinates need many inversions, and projective coordinates need only one inversion [46].

Thus, if we use affine coordinates in a Gaussian basis, the performance will be superior compared to a polynomial basis. For projective coordinates, both bases have similar performance. However, a polynomial basis hardware implementation is more area efficient than a normal basis.

4.4. Coordinates

Table 7. Coordinates used in each ECC environment.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Lopez–Dahab Projective Coordinates	•				•		•	•	•	•		•	•
Jacobian Projective Coordinates		•
Affine Coordinates			•	•							•
Does not specify						•

shows the coordinates utilized by the works we address in this paper. We can see that most of them (71%) made use of projective coordinates (Lopez–Dahab or Jacobian), which we briefly described in Section 2.4.

Correlating the results presented in Table 6 and Table 7, we note that 61% of the analyzed works (i.e., 8 of 13) applied polynomial basis and projective coordinates, which indicates that this combination is a good strategy to obtain the best results.

4.5. Inversion

Table 8. Inversion algorithm.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Itoh-Tsujii	•					•	•		•		•	•	•
Existent components in the architecture					•			•
Does not specify		•	•	•						•

relates to the use of algorithms to speed up inversion operation. Even though most works use projective coordinates, which requires a single inversion at the end of scalar multiplication, an algorithm to speed up this operation can be utilized. In this case, most works use the Itoh-Tsujii algorithm [47]. While this algorithm requires intermediate results storage, it is the most efficient to compute inversion [25].

4.6. Multiplication

In Section 2.1, we discussed multiplication as an arithmetic operation in a field. In this case, efficiency and speed are fundamental for the performance in applications that use the field multiplication operation [48]. Field multiplications involving integers and polynomials are used in finite field arithmetic, and there are different algorithms to solve field multiplication, which depend on the size of the numbers.

Table 9. Multiplication methods.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
DPLSBOM	•
CMM		•
HDC			•
R4IM				•
KOA					•		•
DSM						•		•
MDSM									•
FF MAC							•
TPBFPM											•
MSBSM												•
HBPKOA													•
Does not specify										•

where: CMM—Custom Multiplication Module; DPLSBOM—Digit Parallel Least Significant Bit Order Multiplier; DSM—Digit Serial Multiplier; FF MAC—Pipelined Bit-Parallel Finite Field Multiplier Accumulator; HBPKOA—Hybrid Bit-Parallel KOA; HDC—Hybrid-Double Multiplication; KOA—Karatsuba-Ofman Algorithm; MDSM—Most Significant Digit Serial Multiplier; MSBSM—Most-Significant Bit-Serial Multiplier; R4IM—Radix-4 Interleaved Multiplication; TPFPM—Two Parallel Balanced Full-Precision Multipliers.

presents the multiplication methods applied to each selected paper. We note that there are several methods to perform field multiplication. In the works analyzed in this review, the field multiplications are specific implementations. Karatsuba-Ofman Algorithm (KOA) was the only algorithm to speed up field multiplication that was applied. In our analysis, we encounter KOA in single [17] and combined versions [28].

4.7. Point Multiplication

Point multiplication, ECPM, or scalar multiplication is the repeated PA and PD operations. Specifically, these are methods to compute $kP$, being k the private key and P a point in the curve. This operation will generate, as output, the public key [49].

Table 10. Elliptic Curve Point Multiplication (ECPM) methods.

Curves	[11]	[13]	[14]	[16]	[17]	[35]	[28]	[36]	[37]	[38]	[39]	[40]	[41]
Montgomery	•					•		•	•		•		•
Double-and-add	•											•
Combined PDPA		•
Double-hybrid multiplier			•
Double-and-add-always				•
Fixed-base comb point multiplication					•
Right-to-left							•
Parallel SM										•

identifies the ECPM methods used in the works analyzed in this review. We can see that the Montgomery algorithm is prevalent for point multiplication, probably because it is well-known for providing faster modular multiplication on hardware and software implementations.

4.8. Efficiency Analysis

Based on the results presented above, we shall use some metric to compare the primary studies fairly. Considering the implementations over 163-bits, we calculate the efficiency of each analyzed work by applying the equation presented in [17], which is given by

$$\mathrm{Efficiency}=m/(a\times t)$$

(10)

where m is the order of the finite field (number of bits), a is the area, and t is the processing time. This metric indicates the processing throughput achieved by each slice (or gate) used. Its unit of measurement is Kbps/slice (or Kbps/gate). Efficiency enables us to compare implementations that use different orders of finite field. In principle, the higher the order, the greater the efficiency. However, increasing it also leads to an increase in area and processing time. So, a trade-off must be found. Moreover, the equation also enables comparison of implementations that use the same finite field order (as done in this paper) but explore different architectures to increase performance (i.e., use of barrier registers, pipelining, and spatial parallelism). Some solutions reduce processing time but increase the area of the circuit (and, consequently, the dissipated power), which does not necessarily result in increased efficiency. For a given order of the finite field, the most efficient circuits reach the lowest processing time using fewer resources.

Table 11. Field-Programmable Gate Array (FPGA)-based implementations for ${\mathbb{F}}_{2^{163}}$.

Method	FPGA Family	a (Kslices)	${\mathit{F}}_{max}$ (MHz)	ℓ (Cycles)	t (μs)	Efficiency (Kbps/Slice)
LC [17]	Virtex-7	2.435	264	795	3.01	22.24
LDM [41]	Virtex-7	2.132	389	1447	3.72	20.55
LL [17]	Virtex-7	5.753	214	321	1.50	18.89
$\tau$-NAF [28]	Virtex-5	3.672	292	614	2.50	17.77

and

Table 12. Application-Specific Integrated Circuit (ASIC) (65 nm)-based implementation for ${\mathbb{F}}_{2^{163}}$.

Method/Curves	a (mm${}^2$)	a (Kgates)	${\mathit{F}}_{max}$(MHz)	ℓ (Cycles)	t (μs)	Efficiency (Kbps/Gate)
PDPA/Koblitz [13]	3.43	1.65	353	163	0.46	214.07
PDPA/Random [13]	3.47	1.67	353	163	0.46	211.63
LC/Generic [17]	42.50	20.43	6.81	793	116	0.0685
LL/Generic [17]	60.10	28.89	4.09	322	194	0.0717

summarizes the works which obtained the higher efficiency for each IC technology. The tables show the area of the circuits—a (in Kslices or Kgates), the maximum operating frequency—$F_{max}$ (in MHz), the processing latency—ℓ (in cycles), the processing time—t (in $\mu$s), and the efficiency (in kbps/slice ou kbps/gate). Except for efficiency, which is computed by (10), we obtained the other indicators from the primary studies. Considering the FPGA-based implementations, we note that Low Complexity (LC) in Virtex-7 is the best choice—it would be expected that the implementation using Virtex-7 would produce a better result due to the smaller lithography used in this device family (i.e., 28 nm). The next two methods that obtained high efficiency were Lopez–Dahab Montgomery (LDM), which combines the Lopez–Dahab projective coordinate system and the Montgomery scalar multiplication method, and Low Latency (LL). The use of $\tau$-adic nonadjacent form ($\tau$-NAF) in Virtex-5 [28] also provided good efficiency. Regarding the ASIC-based implementations, the best results were obtained using the 65 nm lithography. Combined Point Doubling and Point Addition (PDPA) for Koblitz and Random curves [13] achieved higher efficiency. On the other hand, Salarifard, Bayat-Sarmadi, and Mosanaei-Borani [17] obtained a higher efficiency for generic curves.

By analyzing the hardware implementations, we note that the combinations that provided the higher efficiency are the ones used in works [17] for FPGA- and [13] for ASIC-based implementations. The former combined generic curves, polynomial basis, and Lopez–Dahab projective coordinates and employed the Itoh-Tsujii algorithm to implement the inversion, the KOA method to perform field multiplication, and the fixed-base comb for ECPM. The latter also used polynomial basis but employed different curves (Koblitz and Random), projective coordinates (Jacobian), and field and point multiplication methods (Custom Multiplication Module (CMM) and Combined PDPA, respectively). It is worth noting that standardization in the choice of metrics for comparison and the difficulty of reproducing results due to the used devices makes a fair comparison unfeasible. A sensitivity analysis would help to understand the real effects of choosing together methods of inversion, multiplication, and ECPM.

5. Conclusions

In this article, we presented a review of techniques for implementing elliptic curve point multiplication on FPGA and ASIC devices. We note that the analyzed works use different types of curves according to the implementation goals. However, most studies use the polynomial basis and the projective coordinates, which points out that this combination is the most suitable for hardware implementation. Concerning the operations, we have not identified any preferred method for implementing field or point multiplications. On the other hand, most of the works used the Itoh-Tsujii algorithm to accelerate the inversion. However, there is no sufficient evidence to indicate its use to produce a gain in efficiency or performance. From the study, we also note that the best combination of algorithms, techniques, and IC technologies depends on the project’s goal, and a system designer must take into account the requirements of the target application to select the choices that best fit those requirements. For instance, if we use affine coordinates, we should know that the algorithm uses more inversion operations than projective coordinates, requiring enhancements in implementation to compensate for this cost. Moreover, resource-constrained devices may need algorithms that enable cost reduction; however, such algorithms may exhibit lower efficiency and performance. Finally, although this article has presented an analysis of ECPM implementations on hardware, further studies are needed to define a set of guidelines to aid designers in choosing the best combination of methods and algorithms for different application classes.