1. Introduction

2. Elliptic Curve Cryptography Algorithms

2.1. ECC Point Addition and Doubling in Affine Coordinates

Affine coordinates use two coordinates $[x,y]$ to represent an elliptic curve point, as shown by, for example, $P=[x_p,y_p]$ and $-P=[x_p,-y_p]$. We will see that the ECC point addition and point doubling in affine coordinates require expensive divisions.

2.1.1. ECC Point Addition in Affine Coordinates

Figure 2 shows the point addition $R=P+Q$ on an elliptic curve $y^2=x^3+ax+b$. Given two distinct points $P=[x_p,y_p]$ and $Q=[x_q,y_q]$ on the curve, if the line $L_1$ through P and Q intersects the curve in $S=[x_s,y_s]$, then $R=[x_r,y_r]=P+Q$ is defined as $x_r=x_s$ and $y_r=-y_s$. Because $x_r=x_s$, the line $L_2$ through S and R is a vertical line.

Below we show how to get formulas to calculate $x_r$ and $y_r$ based on $x_p$, $y_p$, $x_q$, and $y_q$ for $y^2=x^3+ax+b$. The formula of the line $L_1$ through P and Q is

$$y=\lambda (x-x_p)+y_p$$

(2)

where $\lambda$ is the slope of the line $L_1$. Squaring both the left side and right side of (2), we get $y^2={(\lambda (x-x_p)+y_p)}^2$. Then replacing $y^2$ of (1) with ${(\lambda (x-x_p)+y_p)}^2$, we have

$$x^3-{\lambda }^2{x}^2+(a-2y_p\lambda +2x_p{\lambda }^2)x+(b-{(y_p-\lambda x_p)}^2)=0$$

(3)

Because P, Q, and S are three points on the curve, meaning that $x_p$, $x_q$, and $x_s$ are three roots of (3), based on Vieta’s formulas, we have

$$(x-x_p)(x-x_q)(x-x_s)=0$$

(4)

Expanding (4) gives:

$$x^3-(x_p+x_q+x_s)x^2+(x_p{x}_q+x_q{x}_s+x_s{x}_p)x-x_p{x}_q{x}_s=0$$

(5)

Then from (3) and (5) we have $x_p+x_q+x_s={\lambda }^2$. That is, $x_s={\lambda }^2-x_p-x_q$ and $y_s=\lambda (x_s-x_p)+y_p$. Considering the $L_1$ line slope $\lambda =(y_q-y_p)/(x_q-x_p)$, $x_r=x_s$, and $y_r=-y_s$, we summarize the formulas for point addition $R=P+Q=(x_r,y_r)$ on elliptic curve $y^2=x^3+ax+b$ as follows.

$${\displaystyle \lambda =\frac{y_q-y_p}{x_q-x_p}}$$

(6)

$$x_r={\lambda }^2-x_p-x_q$$

(7)

$$y_r=\lambda (x_p-x_r)-y_p$$

(8)

For $Q=-P$, the line through P and $-P$ does not intersect the elliptic curve at the third point. For this reason, the point O at infinity is included in the group of elliptic curves and defined as $P+(-P)=O$. By this definition, $P+O=P$.

In practice, a group of elliptic curves over a finite field of $F_m$ or $F_{2^n}$ is used, where $F_m$ contains numbers from 0 to $m-1$ and $F_{2^n}$ uses n-bit binary numbers. In the case of $F_m$, the results of all the above calculations are modularized by m, where m is usually a prime number. For example, Secp256k1 [4] elliptic curve used in Bitcoin uses a 256-bit $m=2^{256}-2^{32}-2^9-2^8-2^7-2^6-2^4-1$. Secp256k1 defines $y^2=x^3+ax+b=x^3+7$ and gives a point $P=[x,y]$ on the elliptic curve as follows.

a = 0x0000000000000000000000000000000000000000000000000000000000000000

b = 0x0000000000000000000000000000000000000000000000000000000000000007

m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f

x = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798

y = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8

By considering $P+O=P$, we give the point addition $R=P+Q$ algorithm over the finite field of $F_m$ in Algorithm 1. In our implementation, O is denoted as $[-1,-1]$. In the case of $Q=P$, we perform the point doubling $R=2P$ (line 6 in the algorithm).

An example of point addition $R=P+Q$ on the Secp256k1 curve is shown below where $[P_x,P_y]=P$, $[Q_x,Q_y]=Q$, and $[R_x,R_y]=R$ in affine coordinates.

Px = 0xe493dbf1c10d80f3581e4904930b1404cc6c13900ee0758474fa94abe8c4cd13

Py = 0x51ed993ea0d455b75642e2098ea51448d967ae33bfbdfe40cfe97bdc47739922

Qx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798

Qy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8

Rx = 0x2f8bde4d1a07209355b4a7250a5c5128e88b84bddc619ab7cba8d569b240efe4

Ry = 0xd8ac222636e5e3d6d4dba9dda6c9c426f788271bab0d6840dca87d3aa6ac62d6

2.1.2. ECC Point Doubling in Affine Coordinates

Figure 3 shows the point doubling $R=2P$ on an elliptic curve $y^2=x^3+ax+b$. Compared to the point addition shown in Figure 2, here we have $Q=P$ and $R=P+Q=2P$. Given a point $P=[x_p,y_p]$ on the curve, if the tangent line $L_1$ through P intersects the curve in $S=[x_s,y_s]$, then $R=[x_r,y_r]=2P$ is defined as $x_r=x_s$ and $y_r=-y_s$.

Below we show how to get formulas to calculate $x_r$ and $y_r$ based on $x_p$, $y_p$, and a for $y^2=x^3+ax+b$. The formula of the line $L_1$ through P is

$$y=\lambda (x-x_p)+y_p$$

(9)

where $\lambda$ is the slope of the line $L_1$. Squaring both the left side and right side of (9), we get $y^2={(\lambda (x-x_p)+y_p)}^2$. Then replacing $y^2$ of (1) with ${(\lambda (x-x_p)+y_p)}^2$, we have

$$x^3-{\lambda }^2{x}^2+(a-2y_p\lambda +2x_p{\lambda }^2)x+(b-{(y_p-\lambda x_p)}^2)=0$$

(10)

Because P, Q ($=P$), and S are three points on the curve, meaning that $x_p$, $x_q$, and $x_s$ are three roots of (10), based on Vieta’s formulas, we have

$${(x-x_p)}^2(x-x_s)=0$$

(11)

Expanding (11) gives:

$$x^3-(2x_p+x_s)x^2+(x_p^2+2x_p{x}_s)x-x_p^2{x}_s=0$$

(12)

Then from (10) and (12) we have $2x_p+x_s={\lambda }^2$. That is, $x_s={\lambda }^2-2x_p$ and $y_s=\lambda (x_s-x_p)+y_p$. The slope of tangent line $L_1$ of $y^2=x^3+ax+b$ at P can be obtained as follows.

$$\frac{d}{dx}\left(y^2\right)=\frac{d}{dx}(x^3+ax+b)$$

(13)

$$2y\frac{dy}{dx}=3x^2+a$$

(14)

$$\frac{dy}{dx}=(3x^2+a)/\left(2y\right)$$

(15)

$$\lambda =(3x_p^2+a)/\left(2y_p\right)atP$$

(16)

Considering $x_r=x_s$ and $y_r=-y_s$, we summarize the formulas for point doubling $R=2P$ on elliptic curve $y^2=x^3+ax+b$ as follows.

$${\displaystyle \lambda =\frac{3x_p^2+a}{2y_p}}$$

(17)

$$x_r={\lambda }^2-2x_p$$

(18)

$$y_r=\lambda (x_p-x_r)-y_p$$

(19)

We give the point doubling $R=2P$ algorithm over the finite field of $F_m$ in Algorithm 2. For $P_y=0$, the tangent at P is vertical and does not intersect the elliptic curve at any other point. By definition, $2P=O$ for such a point P (line 2 in the algorithm).

An example of point doubling $R=2P$ on the Secp256k1 curve is shown below where $[P_x,P_y]=P$, and $[R_x,R_y]=R$ in affine coordinates.

Px = 0xb91dc87409c8a6b81e8d1be7f5fc86015cfa42f717d31a27d466bd042e29828d

Py = 0xc35b462fb20bec262308f9d785877752e63d5a68e563e898b4f82f47594680fc

Rx = 0x2d4fca9e0dff8dec3476a677d555896a0980ebccc6bc595a23675496dcc33bb5

Ry = 0xcce413eee9496094256e446b22fd234c03d9258330d77fc8b0d318a6aedba8cb

2.2. ECC Point Addition and Doubling in Projective Coordinates

Point addition and point doubling in affine coordinates require modular inversion (division) to calculate the line slope $\lambda$. We can eliminate the expensive modular inversion during calculations by using projective coordinates. In projective coordinates, a point is defined as $P=[X,Y,Z]$. Initially, we can convert a point $[X,Y]$ in affine coordinates to a point in projective coordinates by $P=[X,Y,1]$. Then we calculate $R=[X_r,Y_r,Z_r]$ in projective coordinates using formulas that do not contain division. At the very final step, we can get the point $[x_r,y_r]$ in affine coordinates with the transformation of $x_r=X_r/Z_r$ and $y_r=Y_r/Z_r$, which require divisions.

The formulas for ECC point addition and doubling in projective coordinates can be derived based on the formulas in affine coordinates. A point P in projective coordinates is represented by the triple $P=[X,Y,Z]$, corresponding to the point $[x_p,y_p]=[X/Z,Y/Z]$ in affine coordinates. That is, $x_p=X/Z$ and $y_p=Y/Z$. We derive the point doubling formulas for $R=[X_r,Y_r,Z_r]=2P$ in projective coordinates as follows.

  From (17), we have

  ${\displaystyle \lambda =\frac{3x_p^2+a}{2y_p}=\frac{3{(X/Z)}^2+a}{2(Y/Z)}=\frac{3X^2/Z^2+a}{2Y/Z}=\frac{3X^2+a{Z}^2}{2YZ}}$

  From (18), we have

  ${\displaystyle x_r={\lambda }^2-2x_p={\left(\frac{3X^2+a{Z}^2}{2YZ}\right)}^2-2X/Z=\frac{{(3X^2+a{Z}^2)}^2}{{\left(2YZ\right)}^2}-\frac{8X{Y}^{2}Z}{{\left(2YZ\right)}^2}}$

  Let $Z_r={\left(2YZ\right)}^3$. Because $x_r=X_r/Z_r=X_r/{\left(2YZ\right)}^3$, i.e., $X_r={\left(2YZ\right)}^3{x}_r$, then

  $X_r=2YZ({(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z)$

  From (19), we have

${\displaystyle y_r=\lambda (x_p-x_r)-y_p=\frac{3X^2+a{Z}^2}{2YZ}(X/Z-\frac{{(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z}{{\left(2YZ\right)}^2})-Y/Z}$

  ${\displaystyle =\frac{(3X^2+a{Z}^2)(4X{Y}^{2}Z-({(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z))}{{\left(2YZ\right)}^3}-\frac{8Y^4{Z}^2}{{\left(2YZ\right)}^3}}$

  Because $y_r=Y_r/Z_r=Y_r/{\left(2YZ\right)}^3$, i.e., $Y_r={\left(2YZ\right)}^3{y}_r$, then

  $Y_r=(3X^2+a{Z}^2)(4X{Y}^{2}Z-({(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z))-8Y^4{Z}^2$

  Given $P=[X,Y,Z]$, the formulas for point doubling $R=2P$ in projective coordinates are summarized below.

$$X_r=2YZ({(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z)$$

(20)

$$Y_r=(3X^2+a{Z}^2)(4X{Y}^{2}Z-({(3X^2+a{Z}^2)}^2-8X{Y}^{2}Z))-8Y^4{Z}^2$$

(21)

$$Z_r={\left(2YZ\right)}^3$$

(22)

We can use the similar method to derive the formulas for point addition in projective coordinates. The derivation is omitted here but the calculations are shown in the following algorithm. It can be seen that the calculations require many more multiplications. Algorithm 3 gives the algorithm for point addition in projective coordinates. And Algorithm 4 gives the algorithm for point doubling in projective coordinates.

An example of point addition $R=P+Q$ on the Secp256k1 curve is shown below where $[P_x,P_y,P_z]=P$, $[Q_x,Q_y,Q_z]=Q$, and $[R_x,R_y,R_z]=R$ in projective coordinates.

Px = 0x61bac660b055382e5906bd6e56e316542194b799b7bcf5ad05ee2171fd81735a

Py = 0xbe44ac0a2b712ccb6bb3ea933e4db0a4213c139078aef594cf8c2c5c2924d54d

Pz = 0x2b6da6fb02877584dc4d5111c88783772d7be5ac2866cce3707d53913384bf49

Qx = 0x6789c1137724f1f3f585337a1814eebc23ea329a0390fd9b1b9ece7af3e71ce1

Qy = 0xc9563c5035ccafec8673f56185141f720073ab3063bb417bf0e70e9d9128c232

Qz = 0x58990cd022b711912676c0451bdab6be04a06c1871b0139214bdbe81fd965555

Rx = 0xf4e9cb9ba9c18876b7b0ad000ce921b35e23139456f4f6c3f70e2fea149500a0

Ry = 0xc06176a9221b6d8b49a22130fb934b21358a1775df68d93ec308aca3ece072b5

Rz = 0x878fb153f0690416ba0ee136ec663debf8472f3ee92d350f9b3a42b4fd53fb27

An example of point doubling $R=2P$ on the Secp256k1 curve is shown below where $[P_x,P_y,P_z]=P$ and $[R_x,R_y,R_z]=R$ in projective coordinates.

Px = 0x24fd537e9a5125438a02848f6b74725f678723f5c1450b8fb82a68f0c88c9764

Py = 0xe42e83a1d3d7c2241535b5c0ba5f2462c24bd87aaf9f15b05f3775d168b9bf6c

Pz = 0xe00794d20b32e0e94472c36b89cf5e5d6ec769b53dd6c1422e9467090c272305

Rx = 0x24d00c48ac8bbe61ceb0ac5daf5defd913af9220a07650642a3a41cad9030ee6

Ry = 0x75d429714ea6ce1ab3811d9adc16961a219e2812210fa8465042c18ecd5a0de6

Rz = 0x644a5a2964435364b74d7fa79fe0f06a5b1d2782e7f7b8d1e835db6d6b8786bc

2.5. Scalar Point Multiplication

Scalar point multiplication performs $Q=dP$ where P and Q are elliptic curve points and $d=\langle d_{n-1}\cdots d_1{d}_0\rangle$ is an n-bit scalar. Scalar point multiplication is also called point multiplication, it can be done with “double-and-add” method [3]. Algorithm 5 formally gives the algorithm for scalar point multiplication. The algorithm invokes point addition and point doubling. Point doubling can be calculated simultaneously with point addition.

Below we give a small example to show the calculation steps of the scalar point multiplication. For a 4-bit $d={1101}_2=13$, we calculate $Q=dP$ in 4 steps to get $Q=13P$.

	Weight	Point addition	Point doubling
Initial		$Q=O$	$R=P$
$d_0=1$	1	$Q=Q+R=O+P=P$	$R=2R=2P$
$d_1=0$	2		$R=2R=4P$
$d_2=1$	4	$Q=Q+R=P+4P=5P$	$R=2R=8P$
$d_3=1$	8	$Q=Q+R=5P+8P=13P$	$R=2R=16P$

3. Modular Multiplication Algorithms

3.1. Interleaved Modular Multiplication Algorithm

The IMM algorithm [6] is formally given in Algorithm 6. It computes $p=ab\mathrm{mod}m$ where $R=2^n$, $a,b<m<R$, and m is an n-bit odd number. That is, the ($n-1$)th bit and 0th bit of n-bit m are 1. IMM begins with checking the ($n-1$)th bit of multiplier b. Therefore, in each iteration, the product p is shifted to the left by one bit (line 3). Because $a,b<m$, $2p+a<3m$ (lines 3 and 4). Therefore, it is enough to subtract $2m$ from $2p+a$ (lines 5 and 6), ensuring $p<m$.

Figure 4 shows a possible hardware implementation of Algorithm 6. Red squares are registers, others are combinational circuits. Clearly, the critical path is the right part that computes the new p in each iteration. It consists of three carry-propagate adders (CPAs) and three multiplexers. The most significant bit of the adder output (sign) can be used as the select signal of multiplexers. Note that $2p$ can be realized by suitable wiring.

3.2. Montgomery Modular Multiplication Algorithm

The MMM algorithm [7] performs modular multiplication in Montgomery domain. It is very efficient for modular exponentiation used by RSA cryptography. MMM calculates $p=ab{R}^{-1}\mathrm{mod}m$, where $R=2^n$, $a,b<m<R$, and m is an n-bit odd number with $m_{n-1}=m_0=1$. It performs reduction $R^{-1}$ during the multiplication $ab$ because a and b are represented in Montgomery domain as follows.

$$a=a^{\prime }R\mathrm{mod}m$$

$$b=b^{\prime }R\mathrm{mod}m$$

where $a^{\prime }$ and $b^{\prime }$ are the operands in the conventional domain. Such a reduction ensures that the product p is an operand still in Montgomery domain:

$$p=ab{R}^{-1}\mathrm{mod}m=a^{\prime }R{b}^{\prime }R{R}^{-1}\mathrm{mod}m=a^{\prime }{b}^{\prime }{R}^2{R}^{-1}\mathrm{mod}m=a^{\prime }{b}^{\prime }R\mathrm{mod}m$$

MMM is widely used in RSA cryptography where the modular exponentiation is realized with the repeated modular multiplications. MMM algorithm is formally given in Algorithm 7. We perform $R^{-1}=1/2^n={\prod }_{i=0}^{n-1}1/2$ in n iterations and divide p by 2 in each iteration. Line 3 performs multiplication. Line 4 makes p even for the reduction where $p_0$ is the least significant bit of p. Line 5 shifts p to right by one bit ($p/2$). Line 6 ensures $p<m$. The reason is shown below. Suppose $p=a$ after the 0th iteration. For $i\ge 1$, $p=p+a<2m$, $p=p+m<3m$, $p=p/2<2m$, $p-m<m$ if $p>=m$.

Figure 5 shows a possible hardware implementation of Algorithm 7. Red squares are registers, others are combinational circuits. Clearly, the critical path is the right part that computes the new p in each iteration. It consists of three CPAs and three multiplexers. The most significant bit of the adder output (sign) or the least significant bit $p_0$ of p can be used as the select signal of multiplexers. Note that $p/2$ can be realized by suitable wiring.

3.3. Shift-Sub Modular Multiplication Algorithm

The SSMM algorithm [8,9] is given in Algorithm 8. It begins with checking the 0th bit of multiplier b to calculate $p=ab\mathrm{mod}m$. Therefore, in each iteration, the multiplicand u ($=a$) is shifted to the left by one bit (line 5). Because $a,b<m$, $p+u<2m$ (line 3). Therefore, it is enough to subtract m from $p+u$ (line 4), ensuring $p<m$. Because $a,b<m$, $2u<2m$ (line 5). Therefore, it is enough to subtract m from $2u$ (line 6), ensuring $u<m$.

Figure 6 shows a possible hardware implementation of Algorithm 8. Red squares are registers, others are combinational circuits. Compared to Figure 4 and Figure 5, here we reduce critical path to two CPAs and two multiplexers. The bit $b_i$ (b[cnt] in the figure) is used as a selection signal for the last (bottom) multiplexer. If it is a 0, the value in register p is selected (unchanged). The register u and its corresponding combinational circuits are added for performing lines 5 and 6 in Algorithm 8. Note that the implementation is slightly different from the algorithm. Regardless of $b_i$, we calculate $p+u$ and $p+u-m$ first. If $p+u-m$ is non-negative, select it, otherwise select $p+u$. Finally, the value selected by $b_i$ is written to register p.

Note that instead of using a multiplexer in the bottom, the bit $b_i$ can be used as a write enable for register p. That is, if $b_i=0$, we just keep the content of register p unchanged.

3.4. Shift-Sub Modular Multiplication with Advance Preparation Algorithm

From the implementation of the SSMM algorithm, we can see that the critical path is the computation of $p+u-m=p+(u-m)$. m is a modulus and does not change during the multiplication. u is the multiplicand and doubles with each iteration. Then we can prepare $u-m$ in advance in the previous iteration. u is generated as follows. If $2u^{\prime }-m$ is non-negative, $2u^{\prime }-m$ is written to register u; otherwise, $2u^{\prime }$ is written to register u, where $u^{\prime }$ is the value of u in the previous iteration. In the current iteration, we have two cases for $u-m$. Case 1: $u-m=2u^{\prime }-m$ if $2u^{\prime }-m$ is negative. Case 2: $u-m=2u^{\prime }-m-m=2u^{\prime }-2m$ if $2u^{\prime }-m$ is non-negative. Then we just prepare $x=2u^{\prime }-m$ and $y=2u^{\prime }-2m$, and store them in registers. That is, if $x<0$, $p+(u-m)=p+x$; otherwise $p+(u-m)=p+y$. The algorithm SSMMPRE is formally given in Algorithm 9.

Figure 7 shows the hardware implementation of Algorithm 9. Registers x and y hold $2u^{\prime }-m$ and $2u^{\prime }-2m$, respectively, where $u^{\prime }$ is the value of u in the previous iteration.

3.5. Shift-Sub Modular Multiplication with CSAs and Sign Detection Algorithm

The algorithm SSMMCSA (SSMM with CSAs and sign detection) is formally given in Algorithm 10. Figure 8 shows the implementation of SSMMCSA. The two CPAs in Figure 6 are replaced with CSAs. Through our hardware implementation, we find that the part of CSAs that generates c and s is no longer the critical path. We use another register q to store $c+s$ calculated with a CPA, and generate p from q. The critical path of this circuit contains a CPA and a multiplexer. The output of CSAs consists of carry c and sum s. The result value p will be $(c+s)\mathrm{mod}m$. We will later propose an easy way to determine the sign of $c+s$ from c and s without using CPA to calculate $c+s$. The upper CSA performs $(g,h)\leftarrow CSA(c,s,u)$ and the other CSA performs $(x,y)\leftarrow CSA(g,h,-m)$, corresponding to $p+u$ and $p+u-m$ in Figure 6. One CSA’s output will be selected with the “csasign” (CSA’s sign) signal and stored to the CS register.

Note that we can get $-m$ from m quickly. Usually $-m=\overline{m}+1$ where $+1$ needs a CPA. But here m is an n-bit odd value ($m\left[0\right]=1$), so that we can invert the left $n-1$ bits of m and leave the least-significant-bit unchanged, that is, $-m=\{\overline{m[n-1:1]},1$’b$1\}$.

Now we describe how to generate the signal of “csasign”. Figure 9 shows an example of determining the sign of $C+S$ from 17-bit C and S for a 16-bit $ab\mathrm{mod}m$ when using CSAs. We divide the 17 bits to 4 windows, namely $W3$, $W2$, $W1$, and $W0$. $W3$ has 5 bits and each of $W2$, $W1$, and $W0$ has 4 bits. We use one 5-bit and three 4-bit CPAs, carry-lookahead adders (CLAs) for instance, to perform additions in 4 windows simultaneously as follows. Note that each of adders generates a 5-bit result.

$W3[4:0]$	=	$C[16:12]$	+	$S[16:12]$		(Add 5-bit, 5-bit sum)
$W2[4:0]$	=	$C[11:8]$	+	$S[11:8]$		(Add 4-bit, 5-bit sum)
$W1[4:0]$	=	$C[7:4]$	+	$S[7:4]$		(Add 4-bit, 5-bit sum)
$W0[4:0]$	=	$C[3:0]$	+	$S[3:0]$		(Add 4-bit, 5-bit sum)

We summarize the three cases shown in Figure 9 as follows. The signal “sign_inverse” is true means that the original sign ($W3\left[4\right]$) is inverted when $W3[3:0]==4$’b1111.

sign_inverse	=	$\left(W2\right[4]==1)$						Case 2
	|	$(W2==5$’b$01111)$	&	$\left(W1\right[4]==1)$				Case 1
	|	$(W2==5$’b$01111)$	&	$(W1==5$’b$01111)$	&	$\left(W0\right[4]==1)$		Case 0

  The sign bit is a 1 if $P=C+S$ is negative; a 0 otherwise. When $W3\left[4\right]$ is a 0 and “sign_inverse” is true, the sign will be 1 at the condition of $W3[3:0]==4$’b1111. Similarly, when $W3\left[4\right]$ is a 1 and “sign_inverse” is true, the sign will be 0 at the condition of $W3[3:0]==4$’b1111. Thus we have the following expression for determining the “csasign”.

$$\begin{array}{ccccccccc}\hfill \mathrm{csasign}& =& W3\left[4\right]\hfill & \oplus & (\mathrm{sign}\_\mathrm{inverse}& \&& \left(W3\right[3:0]& ==& 4^{\prime }b1111\left)\right)\end{array}$$

(26)

  The symbol ⊕ denotes an eXclusive OR (XOR) operation. When $W3[3:0]\ne 4$’b1111, the sign equals $W3\left[4\right]$, regardless any case for $W2$, $W1$, or $W0$. Note that $W2$, $W1$, and $W0$ are sums of two 4-bit values c and s, so they do not have the pattern 5’b11111. The maximum sum is 5’b11110 when both c and s have a maximum value of 4’b1111.

In the example described above, the window size is 4. We can let the window size be 2 or 8. Then we can use eight 2-bit adders or two 8-bit adders to determine the sign of $P=C+S$. The former has a shorter latency introduced by adders, but the logic equation for determining the sign is more complicated. On the other hand, the latter has a simpler logic equation but the adder has a longer latency to determine the sign.

For a 256-bit ECC, there are more options for the number of adder bits and the number of windows. In order to design a low-cost and high-performance circuit, we instigate the cost (the number of ALMs) and performance (the circuit frequency) of the sign detection circuit for using CSAs in 256-bit ECC on FPGA (Field-programmable gate array) chip. There are 7 configurations. The experimental results are shown in Table 2 and Figure 10.

In general, decreasing CPA bits increases frequency. However, in our simulations, the frequency of the last configuration (128 windows and 2-bit adder) is lower than the configuration with 64 windows and 4-bit adder. This is because the logic equation for sign detection becomes complicated. We can also see that larger adders require more ALMs.

Based on the experimental results, our 256-bit ECC implementations use 4-bit adders, so there are 64 windows ($4\times 64=256$). A frequency of 392.46 MHz is measured when the FPGA chip implements only the sign detection circuitry. Implementing both the sign detection circuit and the CSAs results in a frequency of 343.76 MHz, lower than 392.46 MHz. The latency of the CSAs is the same as that of a 1-bit full adder. Clearly, it is less than that of the sign detection circuit. These experimental results imply that the frequency decreases as the circuit gets larger.

Note that the sign detection circuit itself is a combinational circuit. If we want to test its latency we can add registers on both the input and output sides. These registers are for testing purposes only and should be removed for ECC implementations. Otherwise, there will be a delay of two clock cycles, resulting in incorrect timing.

4. Hardware Implementations of Modular Multiplications and ECC

5. Concluding Remarks

References

1. Koblitz, N. Elliptic curve cryptosystems. Mathematics of Computation 1987, 48, 203–209. https://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf.
2. Miller, V.S. Use of Elliptic Curves in Cryptography. In Proceedings of the Advances in Cryptology — CRYPTO ’85 Proceedings, Berlin, Heidelberg, 1986; pp. 417–426. https://link.springer.com/content/pdf/10.1007/3-540-39799-X_31.pdf?pdf=inline%20link.
3. Hankerson, D.; Menezes, A.; Vanstone, S. Guide to Elliptic Curve Cryptography; Springer-Verlag: New York Inc, 2004. [CrossRef]
4. Certicom Corp. Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters; http://www.secg.org/sec2-v2.pdf, 2010.
5. Barker, E.; Chen, L.; Roginsky, A.; Vassilev, A.; Davis, R. SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography; National Institute of Standards and Technology, 2018. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf.
6. Blakely, G.R. A Computer Algorithm for Calculating the Product AB Modulo M. IEEE Transactions on Computers 1983, C-32, 497–500. [CrossRef]
7. Montgomery, P.L. Modular Multiplication Without Trial Division. Mathematics of Computation 1985, 44, 519–521. https://www.ams.org/journals/mcom/1985-44-170/S0025-5718-1985-0777282-X/S0025-5718-1985-0777282-X.pdf.
8. Li, Y.; Chu, W. Shift-Sub Modular Multiplication Algorithm and Hardware Implementation for RSA Cryptography. In Proceedings of the 17th International Conference on Information Assurance and Security, Lecture Notes in Networks and Systems, Cham, 2021; pp. 541–552. [CrossRef]
9. Li, Y.; Chu, W. Verilog HDL Implementation for an RSA Cryptography using Shift-Sub Modular Multiplication Algorithm. Journal of Information Assurance and Security 2022, 17, 113–121. http://www.mirlabs.org/jias/secured/Volume17-Issue3/Paper11.pdf.
10. Bunimov, V.; Schimmler, M. Area and time efficient modular multiplication of large integers. In Proceedings of the Proceedings IEEE International Conference on Application-Specific Systems, Architectures, and Processors, 2003, pp. 400–409. [CrossRef]
11. Chen, L.; Moody, D.; Regenscheid, A.; Robinson, A.; Randall, K. Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters. NIST Special Publication NIST SP 800-186, 2023. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf. [CrossRef]