Fast Implementation of NIST P-256 Elliptic Curve Cryptography on 8-Bit AVR Processor

Abstract

In this paper, we present a highly optimized implementation of elliptic curve cryptography (ECC) over NIST P-256 curve for an 8-bit AVR microcontroller. For improving the performance of ECC implementation, we focus on optimizing field arithmetics. In particular, we optimize the modular multiplication and squaring method exploiting the state-of-the-art optimization technique, namely range shifted representation (RSR). With optimized field arithmetics, we significantly improve the performance of scalar multiplication and set the speed record for execution time of variable base scalar multiplication over NIST P-256 curve. When compared with previous works, we achieve a performance gain of 17.3% over the best previous result on the same platform. Moreover, the execution time of our result is even faster than that over the NIST P-192 curve of the well-known TinyECC library. Our result shows that RSR can be applied to all field arithmetics and evaluate the impact of the adoption of RSR over the performance of scalar multiplication. Additionally, our implementation provides a high degree of regularity to withstand side-channel attacks.

1. Introduction

Wireless sensor networks (WSNs) that consist of a numerous number of resource-constrained sensor devices have attracted substantial attraction due to the rapid advancement of Internet of Things (IoT). In various IoT applications, such as monitoring physical and environmental conditions (temperature, sound, and pollution levels), battlefield reconnaissance, home automation, etc., many constrained devices are employed as wireless sensor nodes for their low cost and energy efficiency. When compared with traditional cable networks, it is difficult to ensure secure and reliable communications in WSNs, since those wireless sensor nodes are often deployed in unattended environments. Hence, it can be easily accessed and manipulated by malicious adversaries. Thus, the cryptographic mechanism is required in order to provide sufficient security in WSNs. However, it is hard to deploy cryptographic schemes (especially of public key cryptography) on wireless sensor nodes due to their construction in resources, such as computation power, memory, energy, and even storage space, since they usually assumed to be operated with battery-power. For example, MICAz mote, which is recognized as one of most widely used constrained 8-bit devices, is equipped with an AVR ATmega128 processor that has 128 KB of programmable flash memory and 4 KB of RAM with a clock frequency of 7.3728 MHz.

In early days, it is considered that Public-Key Cryptosystems (PKCs) are infeasible in resource-constrained devices due to its significant amount of computation. In order to overcome the restrictions of resource-constrained device, a lot of cryptograpy techniques have been proposed to apply PKCs for securing communication in WSNs [1,2,3,4].

When compared to conventional PKCs, Elliptic curve cryptography (ECC) has a smaller key size providing equivalent security. Hence, ECC is regarded as a better choice for WSNs than other PKCs, such as Rivest-Shamir-Adleman (RSA) and Digital Signature Algorithm (DSA). For example, the RSA scheme with 1024-bit key provides the same level of security in ECC with the 160-bit key. In addition, it is considered that a scalar multiplication, whic is the most expensive operation in ECC, only requires 5% of the execution time of main operation in RSA [1,3,5].

A scalar multiplication requires elliptic curve point arithmetic operations, such as point addition and doubling. These point arithmetic operations require field operations, including multiplication, squaring, reduction, addition, and inversion. In particular, it is considered that the most time-consuming operation in field operation is multiplication accounting for almost $80\%$ of execution time of scalar multiplication. Hence, many researches have naturally focused on optimizing the multiplication technique in order to improve the performance of scalar multiplication.

1.1. Related Work

In [1], Gura et al. presented the first ECC implementation on an 8-bit AVR processor. Before this result, it is believed that ECC is infeasible to be implemented for constrained devices, since it requires a significant amount of computation. This work focuses on numerous data transport to and from memory during multi-precision multiplication of large integers in limited register space. For minimizing the number of load instruction on a processor with a large register file, they proposed the new hybrid method, which combines the advantage of conventional byte-wise multiplication techniques, such as the row-wise and the column-wise methods. They could compute a scalar multiplication in 2.19 s for NIST P-224 curve at a frequency of 8 MHz, i.e., 17.52 $\times {10}^6$ clock cycles on AVR processor. In 2008, Liu et al. presented TinyECC [2], which is a first well-known and widely used cryptographic library containing various platforms, such as 8-bit AVR-based, 16-bit MSP-based, and 32-bit ARM-based devices. TinyECC includes a set of optimization switches for flexible configuration by developer’s needs, which gives different execution time and memory consumption. TinyECC supports all 128-bit, 160-bit, and 192-bit NIST-recommended elliptic curves. TinyECC is evaluated on MICAz, TelosB, Tmote Sky, and Imote2, which provide the measurement of performance and resource consumption from the low-end devices to high-end devices. They also used the hybrid method for optimizations for the multiplication and squaring operation.

Recently, researches on ECC implementations over NIST prime curves on an 8-bit AVR processor were conducted in [3,6]. Liu et al. implemented ECC over NIST P-192 curve on 8-bit AVR processor [3] and achieved an execution time of 8.62 $\times {10}^6$ clock cycles for scalar multiplication, which is the best result. With respect to NIST P-256 curve, Zhou et al. [6] achieved the fastest performance, with an execution time of 25.38 $\times {10}^6$ clock cycles. Both of the works adopted the Karatsuba method that was proposed by Hutter and Schwabe [7] for the optimization of multiplication and squaring operations, which leads to the best performance with respect to scalar multiplication. Hence, this Karatsuba method is considered to be the best way for the implementation of multiplication.

In summary, many researches showed that ECC implementations can be feasible for resource-constrained devices and their main purpose is to optimize the performance of a scalar multiplication by using fast multiplication techniques. However, they did not consider modular reduction operation as a crucial part for improving performance, despite it always following every multiplication and squaring. The reduction operation introduces huge memory access by recalling the previous results of multiplication and squaring. In the context of modular multiplication, Park et al. [8] introduced new Karatsuba technique while using new integer representation, namely, Range Shifted Representation (RSR). Their work achieved the best performance for 192-bit modular multiplication over NIST P-192 prime. Because their optimization technique is highly prime-dependent, different optimization approaches are required to adopt their technique to modular multiplication over other primes. Moreover, in order to apply RSR to other field operations i.e., squaring, addition, and inversion, new attempts need to be considered for efficient implementation.

In addition, resistance against side channel attacks is required to ensure secure ECC implementation. Traditional ECC implementations did not consider any countermeasures for preventing side-channel attacks, such as Simple Power Analysis (SPA), which might cause security threats on embedded devices [9,10,11]. SPA attacks usually exploit the conditional statements in ECC implementation, which leak secret information. In practice, SPA attacks use conditional subtraction in field operation and irregular execution pattern of scalar multiplication, which reveal key related information [12,13,14,15,16]. Hence, constant field operation and regular scalar multiplication algorithms are required for developing resistance to SPA attack.

1.2. Our Contributions

The contributions of this paper are summarized, as follows:

• We present an efficient algorithm for 256-bit modular multiplication over NIST P-256 prime for 8-bit AVR processor taking advantage of the optimization technique of modular multiplication on RSR in [8]. Because the technique presented in [8] is highly prime-dependent, it cannot be directly adopted to other prime field multiplications and it requires different approaches to other bigger operand lengths considering the limited number of registers. Because the 256-bit intermediate result of multiplication occupies 32 registers, it cannot be held in working registers at a time during the modular multiplication. Hence, careful scheduling of accumulation for processing the intermediate result is required in order to avoid unnecessary memory access, i.e., load/store instructions, which is known to be the most time-consuming instructions for modular multiplication on constrained devices. In order to extend the optimization technique on RSR in [8] for the 256-bit modular multiplication, we propose a new algorithm, which divides the reduction process into two 128-bit parts and carefully schedules the accumulation of the intermediate results of multiplication. Consequently, we significantly reduce the number of load/store instructions during modular multiplication.
• In [8], they only introduce modular multiplication on RSR not including other field operations, such as squaring, addition, and inversion. We focus on applying all field operations on RSR in order to improve the performance of scalar multiplication. Firstly, we propose a new modular squaring over NIST P-256 prime, which is based on the optimization of our 256-bit modular multiplication resulting in a dramatic optimization. This modular squaring set the speed record for 256-bit modular squaring over NIST P-256 prime for 8-bit AVR processor, providing about $24\%$ of improved performance as compared with the state-of-the-art method. Moreover, we propose a modular addition on RSR providing a constant execution time in order to protect from SPA attacks. Finally, we present conversion algorithms from the original integer representation to RSR, and vice versa, which are required for applying RSR to field operations.
• We present a highly optimized ECC implementation over NIST P-256 curve providing 128-bit security on an 8-bit AVR ATmega128 processor. The result of our work only requires $20.98\times {10}^6$ cycles, which is faster than previous work in [6]. Our proposed implementation achieves the best performance for P-256 curve on an AVR processor.

The rest of this paper is organized, as follows. In Section 2, we briefly review the basic ECC, including NIST curve P-256, and also describe the main features of the 8-bit AVR ATmega128 microcontroller. In Section 3, we overview RSR for modular multiplication applied to the NIST P-256 prime. In Section 4, we describe the optimization technique for field operations on RSR. In particular, we propose modular multiplication and squaring method that is optimized for 8-bit AVR processor. Section 5 compares our implementation of scalar multiplication with other previous works. Finally, we conclude this work in Section 6.

2. Preliminaries

2.1. Elliptic Curve Cryptography

ECC has been the most popular public key cryptosystem since Neal Koblitz [17] and S. Miller [18] first introduced EEC in 1985, due to the short key sizes and low computational cost as compared to RSA, DSA, or Diffie-Hellman. Its security is based on Elliptic Curve Discrete Logarithm Problem (ECDLP), which is hard to be solved by general purpose subexponential algorithms. An elliptic curve E over finite field ${\mathbb{F}}_P$ can be defined by a short Weierstraß equation, as follows:

$$\begin{array}{c}\hfill y^2=x^3+ax+b,\end{array}$$

where $a,b\in {\mathbb{F}}_P$ and $4a^3+27b^2\ne 0$. It is common practice to choose the curve parameter a as $-3$ in order to improve the performance of point arithmetic in scalar multiplication.

In 1999, NIST proposed five prime-field curves for standardization [19], which adopts this approach. Hence, the NIST curves E can be defined by a short Weierstraß equation as $y^2=x^3-3x+b$. The NIST P-256 curve use prime field ${\mathbb{F}}_{P_{256}}$, defined by prime $P_{256}=2^{256}-2^{224}+2^{192}+2^{96}-1$. This prime has a specific form, such that the prime is represented with addition or subtraction of several number of power of 2 and all of the exponents are multiples of 8, which are the advantages of manipulating on 8-bit devices. With this special form, modular reduction operation can be easily conducted by some additions while using the congruence $2^{256}\equiv 2^{224}-2^{192}-2^{96}+1(mod{P}_{256})$.

2.2. 8-Bit AVR ATmega Microcontroller

We used the ATmega128 as our target platform, which is a representative of the AVR family based on a modern highly structured RISC design. The ATmega128 features 128 KB of programmable flash memory and 4 KB SRAM, a 4 KB EEPROM, a 9-channel 10-bit A/D converter, and a JTAG interface for on-chip debugging. This AVR microcontroller provides 133 various instructions; most of them take a single clock cycle, but multiplication and memory access (Load, Save) instructions require two clock cycles. There is a set of $32\times 8$-bit working registers, where six registers (R26-R31) are for addressing pointers X, Y, and Z, and the remaining 26 registers (R0-R25) are for general purposes. Especially, the least significant registers (R0-R1) holds the result of $8\times 8$-bit multiplication.

There are many development and compile tools that are available for the ATmel family. The ATmel corporation offers a free AVR Studio development environment, which includes a compiler, an assembler, and a convenient graphical simulator for Visual Studio environments.

3. Range Shifted Representation for Modular Multiplication

In this section, we introduce the RSR proposed in [8] and apply it to 256-bit integer representation. We assume that input operand size is 256-bit for the simple explanation of RSR.

3.1. Range Shifted Representation

We can apply RSR to represent 256-bit integers $X,Y$ range from $2^{-128}$ to $2^{128-1}$, and their multiplication $Z=X·Y$ with 8-bit word size $(W=2^8)$, as the following:

$$\begin{array}{cc}\hfill X=& \sum _{i=0}^{i=31}{x}_i{W}^{i-16}=x_0{W}^{-16}+\cdots +x_{31}{W}^{15},\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill Y=& \sum _{i=0}^{i=31}{y}_i{W}^{i-16}=y_0{W}^{-16}+\cdots +y_{31}{W}^{15},\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill Z=& X·Y=\sum _{i=0}^{i=63}{z}_i{W}^{i-32}=z_0{W}^{-32}+\cdots +z_{63}{W}^{31},\hfill \end{array}$$

(3)

where $x_i,y_i,z_i\in [0,2^8-1]$. The result Z of multiplication $X·Y$ is expanded to both sides, where the shape of it is symmetric with respect to $W^0$. In order to reduce the result Z into the range from $2^{-128}$ to $2^{128}-1$, we use shifted prime $P_{256}·2^{-128}=2^{128}-2^{96}+2^{64}+2^{-32}-2^{-128}$. Subsequently, we can reduce it at both sides, where $z_0{W}^{-32}+z_1{W}^{-31}+\cdots +z_{15}{W}^{-15}$ and $z_{48}{W}^{12}+z_{37}{W}^{13}+\cdots +z_{47}{W}^{23}$ in Equation (3) is reduced while using the congruence relations

$$\begin{array}{cc}\hfill W^{16}\equiv W^{12}-W^8-W^{-4}+W^{-16}& (mod{P}_{256}·W^{-16}),\hfill \\ \hfill W^{-32}\equiv 1-W^{-4}+W^{-8}+W^{-20}& (mod{P}_{256}·W^{-16}).\hfill \end{array}$$

(4)

For example, let

$$\begin{array}{cc}\hfill Z_A& =z_0+z_{1}W+\cdots +z_{15}{W}^{15},\hfill \\ \hfill Z_B& =z_{16}+z_{17}W+\cdots +z_{47}{W}^{31},\hfill \\ \hfill Z_C& =z_{48}+z_{49}W+\cdots +z_{63}{W}^{15},\hfill \\ \hfill Z=& Z_A·W^{-32}+Z_B·W^{-16}+Z_C·W^{16},\hfill \end{array}$$

where $z_i\in [0,2^8-1]$. Subsequently, we can reduce Z, as follows:

$$\begin{array}{cc}\hfill Z\equiv & Z_A-Z_A·W^{-4}+Z_A·W^{-8}+Z_A·W^{-20}\hfill \\ \hfill & +Z_B·W^{-16}\hfill \\ \hfill & +Z_C·W^{12}-Z_C·W^8-Z_C·W^{-4}+Z_C·W^{-16}\hfill \\ \hfill & (mod{P}_{256}·W^{-16}).\hfill \end{array}$$

(5)

Note that this is not a complete reduction. The part of result in (5) is not included in the range from $2^{-128}$ to $2^{128-1}$. Here, we omit the complete step for simplicity.

3.2. Modular Multiplication on RSR

We perform modular multiplication on RSR using the subtractive Karatsuba method, as in [8]. Let $X,Y\in {\mathbb{F}}_{P_{256}}$ be represented with RSR, and $Z=X·Y$.

Let

$$\begin{array}{cc}\hfill X_A& =x_0+x_{1}W+\cdots +x_{15}{W}^{15},\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill X_B& =x_{16}+x_{17}W+\cdots +x_{31}{W}^{15},\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill Y_A& =y_0+y_{1}W+\cdots +y_{15}{W}^{15},\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill Y_B& =y_{16}+y_{17}W+\cdots +y_{31}{W}^{15},\hfill \end{array}$$

(9)

where $x_i,y_i\in [0,2^8-1]$.

Subsequently, $X,Y,Z$ can be represented as

$$\begin{array}{cc}\hfill X& =X_A·W^{-16}+X_B,\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill Y& =Y_A·W^{-16}+Y_B,\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill Z& =X·Y=(X_A·W^{-16}+X_B)·(Y_A·W^{-16}+Y_B)\hfill \\ \hfill & =X_A{Y}_A·W^{-32}+X_B{Y}_B+(X_A{Y}_B+X_B{Y}_A)W^{-16}\hfill \\ \hfill & =X_A{Y}_A·W^{-32}+X_B{Y}_B\hfill \\ \hfill & +(X_A{Y}_A+X_B{Y}_B-(X_A-X_B)·(Y_A-Y_B))W^{-16}.\hfill \end{array}$$

(12)

Let L, H and M denote $X_A{Y}_A,X_B{Y}_B$ and $(X_A-X_B)·(Y_A-Y_B)$, as follows:

$$\begin{array}{cc}\hfill L=& X_A{Y}_A=l_0+\cdots +l_{31}{W}^{31}=L_A+L_B·W^{16},\hfill \\ \hfill (L_A& =l_0+\cdots +l_{15}{W}^{15},L_B=l_{16}+\cdots +l_{31}{W}^{15})\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill H=& X_B{Y}_B=h_0+\cdots +h_{31}{W}^{31}=H_A+H_B·W^{16},\hfill \\ \hfill (H_A& =h_0+\cdots +h_{15}{W}^{15},H_B=h_{16}+\cdots +h_{31}{W}^{15})\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill M& =(X_A-X_B)·(Y_A-Y_B)=m_0+\cdots +m_{31}{W}^{31}.\hfill \end{array}$$

(15)

Afterwards, Z can be represented by $L,H,M$ as

$$\begin{array}{cc}\hfill Z& \equiv L·W^{-32}+H+(L+H-M)W^{-16}\hfill \\ \hfill & \equiv (L_A+L_B·W^{16})W^{-32}+H_A+H_B·W^{16}+(H_A\hfill \\ \hfill & +H_B·W^{16}+L_A+L_B·W^{16}-M)W^{-16}\hfill \\ \hfill & (mod{P}_{256}·W^{-16}).\hfill \end{array}$$

(16)

In Equation (16), only two parts, $L_A·W^{-32}$ and $H_B·W^{16}$, are overflow on both sides of our range. By reducing them, we can compute $Z(mod{P}_{256}·W^{-16})$, as follows:

$$\begin{array}{cc}\hfill & Z\equiv L_A-L_A·W^{-4}+L_A·W^{-8}+L_A·W^{-20}\hfill \\ \hfill & +L_B·W^{-16}+H_A+H_B·W^{12}-H_B·W^8\hfill \\ \hfill & -H_B·W^{-4}+H_B·W^{-16}+(H_A+H_B·W^{16}\hfill \\ \hfill & +L_A+L_B·W^{16}-M)W^{-16}\hfill \\ \hfill & \equiv -L_A·W^{-4}+L_A·W^{-8}+L_A·W^{-20}\hfill \\ \hfill & +H_B·W^{12}-H_B·W^8-H_B·W^{-4}\hfill \\ \hfill & +(L_A+L_B+H_A+H_B)\hfill \\ \hfill & +(L_A+L_B+H_A+H_B-M)W^{-16}\hfill \\ \hfill & (mod{P}_{256}·W^{-16}).\hfill \end{array}$$

(17)

In Equation (17), $(L_A+L_B+H_A+H_B)$ is computed twice. Hence, only one computation is required for these duplicated accumulations and the result can be used twice.

4. Optimization of Finite Field Operation

4.1. Modular Multiplication

We propose a 256-bit modular multiplication over ${\mathbb{F}}_{P_{256}·W^{-16}}$, as shown in Algorithm 1, which is composed of a $product$ $part$, an $accumulation$ $part$, and two $reduction$ $parts$. At first, three 128-bit multiplications are computed for L, H, and M, as represented in Equations (13)–(15), which basically follows the same scheduling of 128-bit Karatsuba multiplication, as in [7]. Thanks to the proposed technique presented in [8], in $accumulation$ $part$, $(L_A+L_B+H_A+H_B)$ is only computed once for the duplicated accumulations in Equation (17) and saved in 17 registers, which are represented by $(T,carr{y}_2)=(t_0,\cdots ,t_{15},carr{y}_2)$. The result can be used twice in each $reduction$ $part$. We cannot hold the intermediate result of 256-bit multiplication for reduction operation due to the limited number of registers. Thus, the reduction process is divided into two 128-bit size of $reduction$ $parts$. In $reduction$ $part$ 1, the left half side of intermediate result is computed for a reduction of $L_A$ and $H_B$, whereas $reduction$ $part$ 2 computes the right half side, as shown in Figure 1b.

We rearrange the order of computation from $L\to H\to M$ in Algorithm 2 to $M\to L\to H$ as in [8]. Subsequently, we can directly use $H_B$ without any memory access for the computation of $H_A+H_B$ at Step 7, because it is kept in registers after the previous computation of H at Step 5.

We can find the duplicated computations of $L_A+L_B+H_A+H_B$ in Figure 1b, which can be computed in the $accumulation$ $part$ in Algorithm 1, as mentioned in Section 3. We can avoid unnecessary memory access that is related with these computations by reusing the result of first computation in $reduction$ $part$ 2. After the $accumulation$ $part$, the result $(t_0,\cdots ,t_{15},carr{y}_2)$ of duplicated computation is stored at Step 9 and loaded in $reduction$ $part$ 2. This $accumulation$ $part$ corresponds to the Step 4, 9, 10, 11, and 12 in Algorithm 2, except the subtraction with $M_A$ and $M_B$ in Step 9 and 11, respectively. When comparing the number of load and store instructions for manipulating $L_A,L_B,H_A,H_B$, and T during each accumulation part in Algorithms 1 and 2 the former requires 80 load and 48 store instructions, whereas the latter only requires 48 load and 16 store instructions even when considering additional computation for a reduction of $L_A$ and $H_B$.

Algorithm 1 256-bit $\times 256$-bit Karatsuba multiplication with reduction over ${\mathbb{F}}_{P_{256}·W^{-16}}$

Require:  $X=(x_0,\cdots ,x_{31})$, $Y=(y_0,\cdots ,y_{31})$ Ensure:  $Z=X·Y(mod{P}_{256}·W^{-16})=(z_0,\cdots ,z_{31})$ 1: Product part 2: $|X_A-X_B|$ and $|Y_A-Y_B|$ {Load: X, Y, Store:$|X_A-X_B|$,$|Y_A-Y_B|$} 3: $M\leftarrow |X_A-X_B|·|Y_A-Y_B|=(m_0,\cdots ,m_{31})$ {Load: $|X_A-X_B|$,$|Y_A-Y_B|$, Store: M} 4: $L\leftarrow X_A·Y_A=(l_0,\cdots ,l_{31})$ {Load: $X_A,Y_A$, Store: L} 5: $H\leftarrow X_B·Y_B=(h_0,\cdots ,h_{31})$ {Load: $X_B$,$Y_B$, Store: H} 6: Accumulation part 7: $(t_0,\cdots ,t_{15},carr{y}_1)\leftarrow H_A+H_B$ {Load: $H_A$} 8: $(t_0,\cdots ,t_{15},carr{y}_2)\leftarrow (t_0,\cdots ,t_{15},carr{y}_1)+L_A+L_B$ {Load: $L_A,L_B$} 9: Store $(T_R,carr{y}_2)=(t_0,\cdots ,t_{15},carr{y}_2)$ {Store: $T_R,carr{y}_2$} 10: Reduction part 1 11: $(T_L,carr{y}_3)\leftarrow (t_0,\cdots ,t_{15},carr{y}_2)+(h_{20},h_{21},\cdots ,h_{31},h_{28},h_{29},h_{30},h_{31})$ 12: $(T_L,carr{y}_4)\leftarrow T_L-(h_{28},h_{29},h_{30},h_{31},0,\cdots ,0,h_{20},h_{21},h_{22},$ $h_{23})$ 13: $(T_L,carr{y}_5)\leftarrow (T_L,carr{y}_4)-(0,\cdots ,0$ $,h_{16},h_{17},h_{18},h_{19})$ {Load: $(h_{16},h_{17},h_{18},h_{19})$} 14: $(T_L,carr{y}_6)\leftarrow (T_L,carr{y}_3)+(0,\cdots ,0,l_0,l_1,\cdots ,l_7)+(0,0,0,0,0,0,0,0,l_0,l_1,l_2,l_3,0,0,0,0)$ {Load:$(l_0,\cdots ,l_7)$} 15: $(T_L,carr{y}_7)\leftarrow (T_L,carr{y}_5)-(0,\cdots ,0,l_0,l_1,l_2,l_3)$ 16: $(T_L,carr{y}_8)\leftarrow (T_L,carr{y}_6)+(l_4,l_5,\cdots ,l_{15},0,0,0,0)$ {Load:$(l_8,l_9,\cdots ,l_{15})$} 17: $T_L\leftarrow T_L-M_A$ {Load:$M_A$, Store: $(T_L,carr{y}_7,carr{y}_8)$} 18: Reduction part 2 19: $(T_R,carr{y}_9)\leftarrow T_R-M_B$ {Load:$T_R,M_B$} 20: $(T_R,carr{y}_{10})\leftarrow (T_R,carr{y}_9)-(l_4,l_5,\cdots ,l_{15},0,0,0,0)$ 21: $(T_R,carr{y}_{11})\leftarrow T_R+(l_8,l_9,\cdots ,l_{15},0,0,0,0,l_0,l_1,l_2,l_3)$ {Load:$(l_0,l_1,l_2,l_3)$ 22: $(T_R,carr{y}_{12})\leftarrow (T_R,carr{y}_{11})+(carr{y}_8,0,0,0,l_0,l_1,l_2,l_3,0,0,0,0,h_{16},h_{17},h_{18},h_{19},carr{y}_2)$ {Load:$(h_{16},h_{17},h_{18},h_{19},carr{y}_2,carr{y}_8)$} 23: $(T_R,carr{y}_{13})\leftarrow (T_R,carr{y}_{10})-(carr{y}_7,0,0,0,0,0,0,0,l_0,l_1,l_2,l_3,h_{24},h_{25},h_{26},h_{27})$ {Load:$(h_{24},\cdots ,h_{31},carr{y}_7)$} 24: $(T_R,carr{y}_{14})\leftarrow (T_R,carr{y}_{13})-(h_{24},\cdots ,h_{31},h_{16},h_{17},h_{18},h_{19},h_{28},h_{29},h_{30},h_{31})$ 25: $(T_R,carr{y}_{15})\leftarrow (T_R,carr{y}_{14})-(h_{20},\cdots ,h_{27},h_{20},h_{21},h_{22},h_{23},$ $0,0,0,0)$ {Load:$(h_{20},h_{21},h_{22},h_{23})$} 26: Reduce $carr{y}_{12},carr{y}_{15}$ through $T=(T_L,T_R)$ {Load:$T_L$} 27: Store T to $(z_0,\cdots ,z_{31})$ Store: $T_L,T_R$}

Algorithm 2 256-bit $\times 256$-bit Karatsuba multiplication in [7]

Require:  $X=(x_0,\cdots ,x_{31})$, $Y=(y_0,\cdots ,y_{31})$ Ensure:  $Z=X·Y=(z_0,\cdots ,z_{63})$ 1: Product part 2: $L\leftarrow X_A·Y_A=(l_0,\cdots ,l_{31})$ {Load: $X_A,Y_A$, Store: $L((z_0,\cdots ,z_{15})=L_A)$} 3: $H\leftarrow X_B·Y_B=(h_0,\cdots ,h_{31})$ {Load: $X_B$,$Y_B$, Store: H} 4: $(T,carr{y}_1)\leftarrow L_B+H_A$ {Load: $L_B$,$H_A$, Store: $(t_0,\cdots ,t_{15})$} 5: Propagate $carr{y}_1$ to $H_B$ {Load: $H_B$, Store: $H_B$} 6: $|X_A-X_B|$ and $|Y_A-Y_B|$ {Load: X, Y, Store:$|X_A-X_B|$,$|Y_A-Y_B|$} 7: $M\leftarrow |X_A-X_B|·|Y_A-Y_B|=(m_0,\cdots ,m_{31})$ {Load: $|X_A-X_B|$,$|Y_A-Y_B|$, Store: M} 8: Combination of $L,H,M$ and T 9: $(z_{16},\cdots ,z_{31},carr{y}_2)\leftarrow L_A-M_A$ {Load: $L_A$,$M_A$} 10: $(z_{16},\cdots ,z_{31},carr{y}_3)\leftarrow (z_{16},\cdots ,z_{31})+T$ {Load: T, Store: $(z_{16},\cdots ,z_{31})$} 11: $(t_0,\cdots ,t_{15},carr{y}_4)\leftarrow T-M_B$ {Load: $M_B$} 12: $(z_{32},\cdots ,z_{47},carr{y}_5)\leftarrow (t_0,\cdots ,t_{15})+(h_{16},\cdots ,h_{31})$ {Load: $H_B$, Store: $(z_{32},\cdots ,z_{47})$} 13: Propagate $carr{y}_5$ to $H_B$ 14: Store $H_B$ to $(z_{48},\cdots ,z_{63})$ Store: $(z_{48},\cdots ,z_{63})$}

Generally, for a reduction operation, the result of multiplication should be first computed. Subsequently, reduction is proceeded with handling of double-sized result, such as 512-bit result $(z_0,\cdots ,z_{63})$ in Algorithm 2, which causes huge memory access, since the number of registers is limited. However, for the case of Algorithm 1, we only need to reduce $L_A$ and $H_B$ at both sides, as shown in Figure 1a. In other words, we can easily merge reduction operation into multiplication without requiring the complete result of multiplication, as shown in Figure 1b.

In $reduction$ $part$ 1 and 2, we cannot hold $L_A$ and $H_B$ altogether in registers, because 16 working registers are always occupied by the intermediate results $T_L$ or $T_R$. Hence, repeated load instructions for them are required during $reduction$ $part$ 1 and 2. In order to minimize the number of load instructions, we carefully schedule the order of load instructions for $L_A$ and $H_B$, as shown in Figure 1b. In $reduction$ $part$ 1, we can avoid load instructions that are related to $H_B$, because some of portion of the required result, i.e., $(h_{20},h_{21},\cdots ,h_{31})$, computed in Step 5 is kept in working registers. Hence, 20 load instructions are required for the remaining portion $(h_{16},h_{17},h_{18},h_{19})$ of $H_B$ and $(l_0,\cdots ,l_{15})$. In the starting point of $reduction$ $part$ 2, we can avoid load instructions for $L_A$, since $(l_0,\cdots ,l_{15})$ from the end point of $reduction$ $part$ 1 can be continuously used. Eventually, an additional 20 load instructions for $(l_0,l_1,l_2,l_3)$ and $(h_{16},\cdots ,h_{31})$ are required in order to complete $reduction$ $part$ 2.

At the end of Algorithm 1, the positive carry $carr{y}_{12}$ and the negative carry $carr{y}_{15}$ are reduced to the intermediate result $T=(T_L,T_R)$.

4.2. Modular Squaring

We propose an optimized modular squaring on RSR. Modular squaring consists of a $product$ $part$, an $accumulation$ $part$, and two $reduction$ $parts$, as shown in Algorithm 3. We adopt 2-level subtractive Karatsuba method for implementation of modular squaring. For three 128-bit squaring operations $L,H,$ and M in $product$ $part$ in Algorithm 3, the 128-bit Karatsuba technique can be applied, which make use of left shift instruction for the processing of equal cross-product terms. Note that the absolute difference of M in the subtractive Karatsuba multiplication is always positive. Thus, no calculation for the sign of M is required in $product$ $part$. Through combining squaring operation with reduction, we can get the duplicated accumulations as same as $(L_A+L_B+H_A+H_B)$ in modular multiplication (17). This can be used in order to avoid redundant memory access during modular squaring by reusing it in $reduction$ $part$ 2 in Algorithm 3. Hence, an $accumulation$ $part$ and two $reduction$ $parts$ in Algorithm 3 follow the same process of Algorithm 1.

Algorithm 3 256-bit $\times 256$-bit modular squaring over ${\mathbb{F}}_{P_{256}·W^{-16}}$

Require:  $X=(x_0,\cdots ,x_{31})$ Ensure:  $Z=X^2(mod{P}_{256}·W^{-16})=(z_0,\cdots ,z_{31})$ 1: Product part 2: $X_A-X_B$ {Load: X, Store:$(X_A-X_B)$} 3: $M\leftarrow {(X_A-X_B)}^2=(m_0,\cdots ,m_{31})$ {Load: $(X_A-X_B)$, Store: M} 4: $L\leftarrow X_A^2=(l_0,\cdots ,l_{31})$ {Load: $X_A$, Store: L} 5: $H\leftarrow X_B^2=(h_0,\cdots ,h_{31})$ {Load: $X_B$, Store: H} 6: Accumulation part and Reduction part 1,2 as in the Algorithm 1

4.3. Modular Addition

Because we use operands $X,Y\in [0,2^{128}-1]$ for modular addition, $X+Y=Z\in [0,2^{129}-2]$ needs to be subtracted by $P_{256}·W^{-16}$, at most, twice in order to ensure Z becoming less than $2^{128}$. If $Z\in [0,2^{128}-1]$, there is nothing to do. If $Z\in [2^{128},2^{128}+P_{256}·W^{-16}-1]$, only one subtraction of $P_{256}·W^{-16}$ is needed in order to ensure that the final result is smaller than $2^{128}$. If $Z\in [2^{128}+P_{256}·W^{-16},2^{129}-2]$, two subtractions of $P_{256}·W^{-16}$ are necessary. These conditional subtraction statements, depending on the range of Z, cause observable differences in the execution time that can be used to find a secret value by a side-channel attacker [20]. For the constant execution time implementation, we always execute two final subtractions after the addition $X+Y$. The two subtractions may be $-P_{256}·W^{-16}$ or $-0$.

Because the 256-bit addition result cannot be held in 32 working registers, some parts of it have to be stored and reloaded repeatedly through the following two subtractions. We can reduce memory access by minimizing unnecessary register uses. For example, the addition only consists of 32-byte additions without an additional register for the $carry$-byte that is produced from the last byte addition. The $carry$ that is held in carry flag decides whether the next subtraction is $-P_{256}·W^{-16}$ or $-0$. We only use three registers, $R0,R1,$ and $R2$, in order to hold $P_{256}·W^{-16}$, because it can only be expressed with three bytes 0x00, 0x01, and 0xFF in hexadecimal.

Let $R0,R1$, and $R2$ be zeros. Through the following instructions after the addition, we can hold $P_{256}·W^{-16}$ or 0 in $R0,R1$, and $R2$, depending on the carry flag.

$$\begin{array}{c}\hfill SBCR1R0\\ \hfill ADCR2R0\end{array}$$

After the 32-byte additions for $Z=X+Y$, if there is no $carry$, then all three registers are set to zero. Subsequently, the following two subtractions have no effect on the result. If $carry$ from the addition exists, the carry flag is set. Subsequently, the subtract-with-borrow instruction ($SBC$) sets $R1$ as 0xFF and the carry flag is set again. Afterwards, $R2$ is set to 0x01 by the following the add-with-carry ($ADC$) instruction. Through these instructions, we can hold $P_{256}·W^{-16}$ in $R0,R1$, and $R2$.

After the first 32-byte subtractions for $Z^{\prime }=Z-P_{256}·W^{-16}$, the carry flag may be set by the $borrow$ originating from the last byte subtraction. Note that this new $borrow$ means that $Z^{\prime }$ is smaller than $2^{128}$. In other words, no $borrow$ means that $Z^{\prime }$ is bigger than or equal to $2^{128}$. Through the following instructions after the first subtraction, we can hold $P_{256}·W^{-16}$ or 0 in $R0,R1$, and $R2$.

$$\begin{array}{c}\hfill ADCR1R0\\ \hfill SBCR2R0\end{array}$$

If $borrow$ from the first subtraction exists, then $ADC$ instruction sets $R1$ as 0x00 and carry flag is set again, because $R1$ was set to 0xFF from the previous step. Subsequently, $R2$ is set to 0x00 through $SBC$ instruction and we can hold zeros in $R0,R1$, and $R2$. If there was no $borrow$, $P_{256}·W^{-16}$ remains on the three registers.

Through these simple carry processes, we can always execute one addition and two final subtraction for a constant time of modular addition.

Table 1. Number of cases of carry and borrow in modular addition.

Range of Z = X + Y	Carry	First Sub	Borrow	Second Sub
$[0,2^{128}-1]$	0	$-0$	0	$-0$
$[2^{128},2^{128}+P_{256}·W^{-16}-1]$	1	$-P_{256}·W^{-16}$	1	$-0$
$[2^{128}+P_{256}·W^{-16},2^{129}-2]$	1	$-P_{256}·W^{-16}$	0	$-P_{256}·W^{-16}$

represents all of the cases of the $carry$ and the $borrow$, which decide whether the next subtraction is $-P_{256}·W^{-16}$ or $-0$.

4.4. Modular Inversion

Extended Euclidean Algorithm (EEA) is widely known as an efficient method for modular inversion. However, EEA has a non-constant execution time, depending on input, which can be exploited by side channel attack, such as timing attack. In order to prevent side channel leakage, we implement Fermat’s Little Theorem-based inversion, which has a constant execution time. For $a\in {\mathbb{F}}_{P_{256}·W^{-16}}$, the inversion of a can be computed via $a^{-1}\equiv a^{P_{256}-2}(mod{P}_{256}·W^{-16})$, which is significantly slower than EEA.

4.5. Conversion of Representation

In order to apply RSR to field operations, conversions from the original representation to RSR and vice versa are required to shift the range of integer representation. Algorithm 4 describes the conversion from the original representation to RSR, where the range is changed from $[0,P_{256}]$ to $[2^{-128},P_{256}·W^{-16}]$. This conversion consists of one 256-bit addition, two 256-bit subtractions, and final subtraction of $P_{256}·W^{-16}$. This conversion has a negligible amount of clock cycles when compared to a modular multiplication or squaring and is only required for coordinates x and y for the input point of scalar multiplication. Reversely, the conversion from RSR to the original representation is required for the output point of scalar multiplication, where the range is restored from $[2^{-128},P_{256}·W^{-16}]$ to $[0,P_{256}]$. Three 256-bit addition, two 256-bit subtractions, and final subtraction of $P_{256}$ are required, as shown in Algorithm 5. This conversion also costs negligible clock cycles, since it is only required for coordinates X and Y of the output point.

Algorithm 4 Conversion from original representation to RSR

Require:  $X=(x_0,\cdots ,x_{31})\in {\mathbb{F}}_{P_{256}}$ Ensure:  $X^{\prime }=(x_0^{\prime },\cdots ,x_{31}^{\prime })\in {\mathbb{F}}_{P_{256}·W^{-16}}$ 1: Define 256-bit integers 2: $S_1=(x_{16},x_{17},\cdots ,x_{31},x_0,x_1,\cdots ,x_{15})$ 3: $S_2=(x_{20},x_{21},\cdots ,x_{31},x_{28},x_{29},x_{30},x_{31},0,0,\cdots ,0,x_{16},x_{17},x_{18},x_{19})$ 4: $S_3=(x_{28},x_{29},x_{30},x_{31},0,0,\cdots ,0,x_{20},x_{21},\cdots ,x_{31},x_{20},x_{21},\cdots ,x_{27})$ 5: $S_4=(0,0,\cdots ,0,x_{16},x_{17},\cdots ,x_{27},x_{16},x_{17},x_{18},x_{19},x_{28},x_{29},x_{30},x_{31})$ 6: Return $X^{\prime }=S_1+S_2-S_3-S_4(mod{P}_{256}·W^{-16})$

Algorithm 5 Conversion from RSR to original representation

Require:  $X^{\prime }=(x_0^{\prime },\cdots ,x_{31}^{\prime })\in {\mathbb{F}}_{P_{256}·W^{-16}}$ Ensure:  $X=(x_0,\cdots ,x_{31})\in {\mathbb{F}}_{P_{256}}$ 1: Define 256-bit integers 2: $S_1=(x_{16}^{\prime },x_{17}^{\prime },\cdots ,x_{31}^{\prime },x_0^{\prime },x_1^{\prime },\cdots ,x_{15}^{\prime })$ 3: $S_2=(x_4^{\prime },x_5^{\prime },\cdots ,x_{15}^{\prime },x_4^{\prime },x_5^{\prime },\cdots ,x_{15}^{\prime },0,0,0,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },x_3^{\prime })$ 4: $S_3=(0,0,0,0,0,0,0,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },x_3^{\prime },0,0,0,0,0,0,0,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },x_3^{\prime },0,0,\cdots ,0)$ 5: $S_4=(0,0,0,0,0,0,0,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },x_3^{\prime },0,0,\cdots ,0)$ 6: $S_5=(0,0,\cdots ,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },\cdots ,x_{15}^{\prime },0,0,0,0)$ 7: $S_6=(0,0,\cdots ,0,x_0^{\prime },x_1^{\prime },x_2^{\prime },x_3^{\prime },0,0,0,0)$ 8: Return $X^{\prime }=S_1+S_2+S_3+S_4-S_5-S_6(mod{P}_{256})$

5. Optimization of Elliptic Curve Group Arithmetic

5.1. Coordinate System for Point Arithmetic

A scalar multiplication is composed of a two point arithmetic operation, i.e., point addition and doubling. There are several ways to represent the points. Affine coordinate system uses two coordinates $x,y$ and it requires the computation of field inversion in point arithmetic. Because field inversion is a relatively expensive operation, most previous works represent the points in a projective coordinate system. There are plenty of researches that proposed an efficient projective coordinate system, such as Jacobian, Chudnovsky, and mixed coordinate system [21,22,23,24]. When comparing these projective coordinates, it is preferable to choose Jacobian coordinates for the fastest pointer arithmetic operations. While using Jacobian coordinates, the point addition requires $4M+4S+9A$ (M = modular multiplication, S = modular squaring, A = modular addition) and point doubling requires $8M+3S+7A$.

5.2. Co-Z Arithmetic

We choose the co-Z arithmetic, which was proposed by Meloni in [25], for point arithmetic. It provides a very efficient point addition in Jacobian coordinates, where the two involved points share the same Z-coordinate. The co-Z point addition is faster than a point addition in Jacobian coordinates and even faster than a point doubling. Let $P=(X_1,Y_1,Z)$ and $Q=(X_1,Y_1,Z)$, the point addition of P and Q is defined by $P+Q=(X_3,Y_3,Z_3)$, which is computed, as follows:

$$\begin{array}{cc}\hfill A& ={(X_2-X_1)}^2,B=X_{1}A,\hfill \\ \hfill C& =X_{2}A,D={(Y_2-Y_1)}^2,\hfill \\ \hfill E& =Y_1(C-B),\hfill \\ \hfill X_3& =D-B-C,\hfill \\ \hfill Y_3& =(Y_2-Y_1)(B-X_3)-E,\hfill \\ \hfill Z_3& =Z(X_2-X_1).\hfill \end{array}$$

The co-Z point addition has a computational cost of $5M+2S+7A$. Moreover, the Z-coordinate of P is updated to be equal with the Z-coordinate of $P+Q$ for free. Through the expression of B and E, we can find out that $B=X_1{(X_2-X_1)}^2=x_1{Z}_3^2$ and $E=Y_1{(X_2-X_1)}^3=y_1{Z}_3^3$, where $(x_1,y_1)=(X_1/Z^2,Y_1/Z^3)$ represents the affine coordinates of P. Thus, we have $P\equiv (B:E:Z_3)$. Such a free update allows for the subsequent use of co-Z point addition between $P+Q$ and P during scalar multiplication. In [25], it was shown that the conjugate $P-Q$ can be obtained with a small additional cost, sharing the same Z coordinate as $P+Q$. The conjugate $P-Q=(X_3^{\prime },Y_3^{\prime },Z_3)$ can be computed, as follows:

$$\begin{array}{cc}\hfill F& ={(Y_1+Y_2)}^2,\hfill \\ \hfill X_3^{\prime }& =F-(B+C),\hfill \\ \hfill Y_3^{\prime }& =(Y_1+Y_2)(X_3^{\prime }-B)-E.\hfill \end{array}$$

With computation of two co-Z points $P+Q$ and $P-Q$, we can compute the co-Z point addition with the cost of $6M+3S+16A$.

5.3. Montgomery Ladder for Regular Scalar Multiplication

For resistance against SPA attack, we consider a regular scalar multiplication algorithm, which always performs the same operations in each iteration, regardless of input scalar. For regular scalar multiplication, we choose the Montgomery ladder proposed by $Rivain$ in [26] for the short Weierstraß-form elliptic curves over large prime field. This Montgomery algorithm is based on the co-Z arithmetic, which only uses $(X,Y)$ coordinates without the computation of Z coordinate in a Jacobian coordinate system. The co-Z point addition takes the $(X,Y)$ coordinates of two co-Z points P and Q and computes the $(X,Y)$ coordinates of $P+Q$ and P at the cost of $4M+2S+7A$. On the other hand, the co-Z conjugate point addition computes the $(X,Y)$ coordinates of $P+Q$ and of $P-Q$ at the cost of $5M+3S+11A$. The Montgomery ladder algorithm computes scalar multiplication with a regular pattern, which always performs the co-Z point addition and the co-Z conjugate point addition in each iteration. Hence, our scalar multiplication provides resistance against SPA attack.

6. Performance Analysis and Comparison

We implement scalar multiplication over NIST P-256 curve on 8-bit AVR ATmega128 processor. More precisely, we optimize field level operations on RSR, including modular multiplication, modular squaring, and modular addition by assembly language. We implement the elliptic curve group operations and scalar multiplication by C language. We use the computer algebra system $Magma$ in order to validate the results of scalar multiplication. We simulate all test programs with AVR studio 7.0 in order to obtain execution time in clock cycles.

Table 2. Comparison of field arithmetic on ATmega128 processor in clock cycles.

Implementation	ADD	SUB	MUL	SQL	INV
Zhou et al. [6]	418	424	6609	4919	1,347,009
This paper	390	390	5355	3691	1,031,682

compares the execution time of the proposed field arithmetic operations with the best result previously published. A modular addition and subtraction require 390 clock cycles, while a modular multiplication and squaring need 5355 and 3691 clock cycles, respectively. When compared with the work conducted by Zhou et al. [6], our implementation of modular addition and subtraction is slightly faster, while modular multiplication and squaring provide about $20\%$ and $24\%$ of improved performance, respectively.

Table 3. A comparison of various implementations of scalar multiplication over NIST curves on ATmega128 processor in ${10}^6$ clock cycles

Implementation	Curve	SPA Resistance	Clock Cycles	Code Size (bytes)
Liu A. et al. [2]	NIST P-192	No	21.38	19,000 ${}^a$
Liu Z. et al. [3]	NIST P-192	Yes	8.62	26,000 ${}^a$
Gura et al. [1]	NIST P-224	No	17.52	4812
Wenger et al. [27]	NIST P-256	Yes	34.93	16,112
Zhou et al. [6]	NIST P-256	Yes	25.38	13,980
This paper	NIST P-256	Yes	20.98	17,776

^a roughly measured.

compares our work with other prime field ECC implementations over different NIST curves with respect to execution time, SPA resistance, and code size. Those implementations use NIST primes that range from 192-bit to 256-bit, which provide more than 80-bit security. Our ECC implementation over NIST P-256 curve only requires $20.98\times {10}^6$ cycles which is faster than previous work in [6]. Our proposed implementation achieves the best performance for the P-256 curve. The work of Zhou et al. [6] on NIST P-256 curve adopted Montgomery ladder with $(x,y)$-only co-Z addition for implementation of scalar multiplication as our work. Hence, the gap of performance between the work in [6] and our work comes from our optimization of field level operations, especially modular multiplication and modular squaring.

7. Conclusions

In this paper, we introduce the fast ECC implementation over NIST P-256 curve on an 8-bit AVR ATmega128 processor. We focus on applying RSR to all of the field operations in order to improve the performance of ECC. Firstly, we propose 256-bit modular multiplication over ${\mathbb{F}}_{P_{256}·W^{-16}}$, while taking advantage of the optimization technique in [8]. Secondly, we propose a new modular squaring over NIST P-256 prime. This modular squaring achieves the speed record providing about $24\%$ of improved performance when compared with the state-of-the-art. Besides, we also propose an efficient masking method for modular addition, which ensures constant execution time. Finally, we evaluate the impact of RSR-optimized field operations on the performance of scalar multiplication. When compared to the state-of-the-art, our ECC implementation achieves the best performance of scalar multiplication over NIST P-256 curve with $17.3\%$ improvement.

We focus on eliminating the conditional statements that SPA attack usually exploits in order to resist against SPA attack. Our implementation does not use any conditional statements throughout all field and group operations. Especially, we implement constant modular addition and regular scalar multiplication to prevent SPA attacks.

Our optimized scheduling can be similarly applied to modular multiplication and squaring over other NIST primes. In the future, we will implement ECC over other NIST curves, such as P-384 and P-512.