VIEWS: 98 PAGES: 7 CATEGORY: Other POSTED ON: 2/17/2012 Public Domain
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 A Study of Elliptic Curves’s Implementations Suitable for Embedded Systems Moncef Amara #1 and Amar Siad # # LAGA Laboratory, University of Paris 8 (Vincennes Saint-Denis) Saint-Denis / FRANCE. 1 amara_moncef@yahoo.fr 1 moncef.amara02@etud.univ-paris8.fr Abstract—The Elliptic Curve Cryptography (ECC) covers all to the limitations in costs, area and power. On the other hand, relevant asymmetric cryptographic primitives like digital signa- security is required, in particular to prevent cloning or tracing. tures and key agreement algorithms. ECC is considered as the It was widely believed that devices with such constrained re- best candidate for Public-Key Cryptosystems. Recently, Elliptic Curve Cryptography based on Binary Edwards Curves (BEC) sources cannot carry out strong cryptographic operations such has been proposed and it shows several interesting properties, as Elliptic Curve Scalar Multiplication (ECSM). However, the e.g., completeness and security against certain exceptional-points feasibility of integrating PKCs into such devices have been attacks. In this paper, we present a study of the different methods recently proven by several implementations. to implement ECC in hardware, we study the implementation of Standard formulas for adding two points, say P and Q, on a the BEC to make it suitable for programmable devices, and we given as application a hardware design of elliptic curve operations Weierstrass-form elliptic curves fail if P is at inﬁnity, or if Q over binary Fields GF (2m ). The function used for this purpose is at inﬁnity, or if P+Q is at inﬁnity. Binary Edwards curves is the scalar multiplication kP which is the core operation of provides a different equation to deﬁne an Elliptic Curve which ECCs. Where k is an integer and P is a point on an elliptic no longer has points at inﬁnity [1]. This feature is known as curve. completeness. Index Terms—Cryptography, Elliptic curves, Binary Edwards The aim of this work is to present a study of state of the curve, Scalar multiplication, Binary arithmetic, Cryptosystems, art of the different methods to implement ECC in hardware, Programmable devices, FPGA. intended to the conception of the hardware cryptographic applications. We present a complete study of binary Edwards I. I NTRODUCTION curves to make it suitable for programmable devices, and Elliptic Curve Cryptography (ECC) is a relatively new we given a hardware design of elliptic curve operations over cryptosystem, suggested independently, from the second half binary Fields GF (2m ). oh 19th century, by Neals Koblitz [6] and Victor Miller [7]. At The paper is organized as follows. After a brief introduction, present, ECC has been commercially accepted, and has also an overview of the use of elliptic curve in cryptography appli- been adopted by many standardizing bodies such as ANSI, cation is given in section 2. The point multiplication method IEEE, ISO and NIST [2]. Since then, it has been the focus is explained in Section 3, and binary Edwards curves are of a lot of attention and gained great popularity due to the presented in Section 4. The EC Point multiplication processor same level of security they provide with much smaller key given in Section 5. Finally, conclusion and open problems are sizes than conventional public key cryptosystems have. summarized in Section 6. The ECC covers all relevant asymmetric cryptographic II. E LLIPTIC C URVE C RYPTOGRAPHY primitives like digital signatures (ECDSA), key exchange and Elliptic Curves, Fig.1, deﬁned over a ﬁnite-ﬁeld provide a agreement protocols (ECDH). Point multiplication serves as group structure that is used to implement the cryptographic the basic building block in all ECC primitives and is the schemes. The elements of the group are the rational points on computationally most expensive operation. the elliptic curve, together with a special point O (called the The best known and most commonly used public-key cryp- ”point at inﬁnity”). tosystems are RSA [8] and Elliptic Curve Cryptography (ECC) [7], [6]. The main beneﬁt of ECC is that it offers equivalent security as RSA for much smaller parameter sizes. These advantages result in smaller data-paths, less memory usage and lower power consumption. ECC is widely considered as the best candidate for embedded systems. Integrating a Public Key Cryptosystem into a embedded Fig. 1. Graphs of elliptic curves y 2 = x3 − 4x + 1 (on the left) and systems such as ASIC, FPGA and RFID-tag is a challenge due y 2 = x3 − 5x + 5 (on the right) over R. 1 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 A major building block of all elliptic curve cryptosystems For E given in afﬁne coordinates: is the scalar point multiplication, an operation of the form k.P where k is a positive integer and P is a point on the if P = Q: elliptic curve. Computing k.P means adding the point P x3 = λ2 + λ + x1 + x2 + a exactly k − 1 times to itself, which results in another point y3 = λ(x1 + x3 ) + x3 + y1 (2) Q on the elliptic curve. The inverse operation, i.e., to recover (y2 +y où λ = (x2 +x1 ) 1) k when the points P and Q = k.P are given, is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). if P = Q: To date, no subexponential-time algorithm is known to solve x3 = λ2 + λ + a the ECDLP in a properly selected elliptic curve group. This y3 = x2 + (λ + 1)x3 1 (3) y makes Elliptic Curve Cryptography a promising branch of où λ = x1 + x1 1 public key cryptography which offers similar security to other III. E LLIPTIC C URVE P OINT M ULTIPLICATION "traditional" DLP-based schemes in use today, with smaller key sizes and memory requirements, e.g., 160 bits instead of There are different ways to implement point multiplica- 1024 bits tion: binary, signed digit representation (NAF), Montgomery method,. . ., etc. A scalar multiplication is performed in three A. Elliptic Curves over F2m different stages, Fig.4. At the top level, the method for In this section, a group operations on elliptic curves over computing the scalar multiplication must be selected, in the F2m is described. A non-supersingular elliptic curve E over second level, the coordinates to represent elliptic points must F2m , E(F2m ) is the set of all solutions to the following be deﬁned. From this representation, the Add operation is equation [5]: deﬁned. Possible coordinates are : afﬁne, projective, Jacobeans and L’opez-Dahab. The lower level, but the most important, y 2 + xy = x3 + a2 x2 + a6 (1) involves the primitive ﬁeld operations on which the curve where a2 , a6 ∈ F2m , and a6 = 0. Such an elliptic curve is a is deﬁned. Basic ﬁeld operations are sum, multiplication, ﬁnite abelian group. The number of points in this group is squaring and division. denoted by #(E(F2m )). 1) Curve Addition: If P = (x1 , y1 ) and Q = (x2 , y2 ) are points on the elliptic curve [i.e., satisfy (1)] and P = −Q, then (x3 , y3 ) = R = P + Q can be deﬁned geometrically, Fig.2. In the case that P = Q (i.e., point addition), a line intersecting the curve at points P and Q and must also intersect the curve at a third point −R = (x3 , −y3 ). 2) Curve Doubling: If P = Q (point doubling), the tangent line is used, Fig.3. Fig. 2. Group law of elliptic curve (Point Addition). Fig. 4. Different method to compute scalar multiplication k.P A. Binary Method The most simplest and straightforward implementation is the binary method, as shown in Algorithm.1. The binary method scans every bit of scalar k and, depending on its value, 0 or 1, it performs an ECC-DOUBLE operation or both a ECC-DOUBLE and an ECC-ADD operation. Algorithm.1, Fig. 3. Group law of elliptic curve (Point Doubling). scans every bit of k from right to left. 2 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 For an elliptic curve deﬁned on F2m using afﬁne coor- that all elliptic curves over number ﬁelds can be transformed dinates, the operations ECC-ADD and ECC-DOUBLE are to x2 + y 2 = c2 (1 + x2 y 2 ), with (0, c) as the neutral element performed according to equations (2) and (3) respectively. and with a simple and a symmetric addition law: The operation ECC-ADD requires one inversion, two mul- x1 y2 + y1 x2 y1 y2 + x1 x2 tiplications, one squaring and eight additions. The operation (x1 , y1 ), (x2 , y2 ) → ( ) c(1 + x1 x2 y1 y2 ) c(1 − x1 x2 y1 y2 ) ECC-DOUBLE requires ﬁve additions, two squaring, two (4) multiplications and one inversion, all of them, operations on F2m . A. Binary Edwards Curves This section contains complete addition formulas for binary Algorithm 1 Binary method: right to left [5] elliptic curves, i.e., addition formulas that work for all input Input:P (x, y),x, y ∈ GF (2m ),k = (km−1 , km−2 , . . . , k0 ) pairs, with no exceptional cases. First, the need for Edwards Output: R = k.P curves is explained, and then the theorems and formulas will 1: R ← 0 be shown in order. 2: S ← P The points on a Weierstrass-form elliptic curve: 3: for i ← 0, m − 1 do y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 (5) 4: if ki = 1 then 5: if R = 0 then include not only the afﬁne point (x1 , y1 ), but also an extra 6: R←S point at inﬁnity serving as neutral element. The standard 7: else formulas for elliptic curve to compute a sum P1 + P2 fail 8: R←R+S if P1 , P2 , or P1 + P2 is at inﬁnity, or if P1 is equal to P2 . 9: end if Each of these possibilities should be tested separately before 10: end if generating any elliptic curve cryptosystem. 11: S ← 2S 12: end for Deﬁnition 1: (Binary Edwards Curve) Let k be a ﬁeld with 13: return R char(k) = 2. Let d1 , d2 be elements of k with d1 = 0 and d2 = d2 + d1 , then the binary Edwards curve with coefﬁcients 1 d1 and d2 is the afﬁne curve: B. Coordinates Systems EB,d1 ,d2 = d1 (x + y) + d2 (x2 + y 2 ) = xy + xy(x + y) + x2 y 2 Table.I, summarizes the properties of the different coordi- (6) nates systems; afﬁne, projective, Jacobeans,. . ., etc. It should This curve is symmetric in x and y and thus it has the property be noted that in all the cases the opposite of the point that if (x1 , y1 ) is a point on the curve then so is (y1 , x1 ). The (X : Y : Z) is written (X : −Y : Z). point (0, 0) will be the neutral element of the addition law, TABLE I while (1, 1) will have order 2. TABLE S UMMARIZING THE P ROPERTIES OF THE VARIOUS P ROJECTIVE C OORDINATES S YSTEMS . B. Binary Edwards Curves Addition Law Binary Edwards curves, EB,d1 ,d2 , addition law is given as Coordinates (x, y) = Curve equation 2Z in follows, and it is proven that the addition law corresponds to P (X/Z, Y /Z) Y = X 3 + aXZ 2 + bZ 3 J (X/Z 2 , Y /Z 3 ) Y2 = X 3 + aXZ 4 + bZ 6 the elliptic curve in Weierstrass form similarly. It can be used Jm (X/Z 2 , Y /Z 3 ) Y2 = X 3 + aXZ 4 + bZ 6 for doubling with two identical inputs. The sum of two points (x1 , y1 ), (x2 , y2 ) on EB,d1 ,d2 is the point (x3 , y3 ) deﬁned as The choice of the coordinate system is determined by the follows: number of modular operations to carry out to calculate the d1 (x1 +x2 )+d2 (x1 +y1 )(x2 +y2 )+(x1 +x2 )(x2 (y1 +y2 +1)+y1 y2 ) x3 = 1 d1 +(x1 +x2 )(x2 +y2 ) doubling and the addition of points. Table.II, compares the cost 1 (7) of the doubling and the addition for each projective coordinate. 2 d1 (y1 +y2 )+d2 (x1 +y1 )(x2 +y2 )+(y1 +y1 )(y2 (x1 +x2 +1)+x1 x2 ) y3 = 2 d1 +(y1 +y1 )(x2 +y2 ) TABLE II (8) C OST OF THE D OUBLING AND THE A DDITION FOR E ACH P ROJECTIVE If the denominators: C OORDINATES S YSTEMS . d1 + (x1 + x2 )(x2 + y2 ) 1 Coordinates Cost of Double operation Cost of Add operation A I + 4M I + 3M and P 12M 14M 2 J 10M 16M d1 + (y1 + y1 )(x2 + y2 ) Jm 8M 19M are non-zero then the sum (x3 , y3 ) is a point on EB,d1 ,d2 : i.e., IV. E DWARDS C URVES 2 2 d1 (x3 + y3 ) + d2 (x2 + y3 ) = x3 .y3 + x3 .y3 (x3 + y3 ) + x2 .y3 3 3 A new form for elliptic curves was added to the mathemat- Here, if the points are inserted like (0, 0) into the addition ical literature with Edwards curves. Edwards showed in [3] law, it is shown that (0, 0) is the neutral element. Similarly, 3 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 (x1 , y1 ) + (1, 1) = (x1 + 1, y1 + 1); in particular (1, 1) + D. Binary Edwards Curves Doubling Law (1, 1) = (0, 0). Furthermore (x1 , y1 ) + (y1 , x1 ) = (0, 0), so The doubling formulas on the Edwards curve EB,d1 ,d2 is −(x1 , y1 ) = (y1 , x1 ). presented in this section. Afﬁne coordinates and inversion-free projective coordinates are given respectively. C. Explicit Addition Formulas 1) Afﬁne Doubling: Let (x1 , y1 ) be a point on EB,d1 ,d2 , In this section, we present explicit formulas for afﬁne and assume that the sum (x1 , y1 ) + (x1 , y1 ) is deﬁned. Com- addition, projective addition on the binary Edwards curves. puting (x3 , y3 ) = (x1 , y1 ) + (x1 , y1 ) we obtain: 1) Afﬁne Addition: The following formulas, given (x1 , y1 ) d1 (x1 +y1 )2 +(x1 +x2 )(x1 +y1 ) 2 x3 = 1 d1 +(x1 +y1 )(x1 +x2 ) and (x2 , y2 ) on the binary Edwards curve EB,d1 ,d2 , compute 1 d1 (x1 +y1 )+x1 y1 +x2 (1+x1 +y1 ) the sum (x3 , y3 ) = (x1 , y1 ) + (x2 , y2 ) if it is deﬁned: = 1 d1 +x1 y1 +x2 (1+x1 +y1 ) (9) 1 d1 (1+x1 +y1 ) = 1 + d1 +x1 y1 +y2 (1+x1 +y1 ) 1 Algorithm 2 Afﬁne Addition 1: w1 = x1 + y1 , Also we obtain: 2: w2 = x2 + y2 , d1 (1 + x1 + y1 ) 3: A = x2 + x1 , 1 y3 = 1 + 2 (10) 2 d1 + x1 y1 + y1 (1 + x1 + y1 ) 4: B = y1 + y1 , 5: C = d2 w1 w2 , Note that, the afﬁne formulas is computed with one inversion, 6: D = x2 y2 , as the product of the denominators of x3 and y3 is: 7: x3 = y1 + (C + d1 (w1 + x2 ) + A(D + x2 ))/(d1 + Aw2 ), 8: y3 = x1 + (C + d1 (w1 + y2 ) + B(D + y2 ))/(d1 + Bw2 ). 2 (d1 + x1 y1 + x2 (1 + x1 + y1 ))(d1 + x1 y1 + y1 (1 + x1 + y1 )) 1 2 2 = d2 + (x2 + y1 )(d1 (1 + x1 + y1 ) + x1 y1 (1 + x1 + y1 ) + x2 y1 ) 1 1 1 These formulas use 2I + 8M + 2S + 3D, where I is the 2 2 = d2 + (x2 + y1 )(d1 + d2 (x2 + y1 )) 1 1 1 cost of inversion, M is the cost of multiplication, S is the 2 4 = d1 (d1 + x2 + y1 + (d2 /d1 )(x4 + y1 )) 1 1 cost of squaring, D is the cost of a multiplication by a curve (11) parameter. The 3D here are two multiplications by d1 and where the curve equation is used again. This leads to the one multiplication by d2 [1]. doubling formulas: 2) Projective Addition: The following formulas, given 2 d1 + d2 (x2 + y1 ) + y1 + y1 1 2 4 x3 = 1 + (12) (X1 : Y1 : Z1 ) and (X2 : Y2 : Z2 ) on the binary Edwards d1 + x2 + y1 + (d2 /d1 )(x4 + y1 ) 1 2 1 4 curve EB,d1 ,d2 , compute the sum (X3 : Y3 : Z3 ) = (X1 : Y1 : Z1 ) + (X2 : Y2 : Z2 ). d1 + d2 (x2 + y1 ) + x2 + x4 1 2 1 1 y3 = 1 + (13) 2 d1 + x2 + y1 + (d2 /d1 )(x4 + y1 ) 1 1 4 Algorithm 3 Projective Addition which needs 1I + 2M + 4S + 2D. 1: W1 = X1 + Y1 , If d1 = d2 some multiplications can be grouped as follows: 2: W2 = X2 + Y2 , 3: A = X1 .(X1 + Z1 ), 4: B = Y1 .(Y1 + Z1 ), Algorithm 4 Afﬁne Doubling 5: C = Z1 .Z2 , 1: A = x2 , 1 6: D = W2 .Z2 , 2: B = A2 , 2 7: E = d1 .C.C, 3: C = y1 , 8: F = (d1 Z2 + d2 W2 ).W1 .C, 4: D = C 2 , 9: G = d1 .C.Z1 , 5: E = A + C, 10: U = E + A.D, 6: F = 1/(d1 + E + B + D), 11: V = E + B.D, 7: x3 = (d1 E + A + B).F , 12: S = U.V , 8: y3 = x3 + 1 + d1 F . 13: X3 = S.Y1 + (F + X2 (G + A(Y2 + Z2 ))).V.Z1 , 14: Y3 = S.X1 + (F + Y2 (G + B(X2 + Z2 ))).U.Z1 , 15: Z3 = S.Z1 . These formulas use only 1I + 1M + 4S + 2D. 2) Projective Doubling: In this sub-section, explicit for- These formulas use 21M + 1S + 4D. The 4D are three mulas of projective doubling is given to compute 2(X1 : Y1 : multiplications by d1 and one multiplication by d2 . Z1 ) = (X3 : Y3 : Z3 ): 4 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 Algorithm 5 Projective Doubling 2 1: A = X1 , 2 2: B = A , 2 3: C = Y1 , 4: D = C 2 , 2 5: E = Z1 , 6: F = d1 .E 2 , 7: G = (d2 /d1 ).(B + D), 8: H = A.E, 9: I = C.E, 10: J = H + I, 11: K = G + d2 .J, 12: X3 = K + H + D, Fig. 6. Hardware implementation of point addition operation. 13: Y3 = K + I + B, 14: Z3 = F + J + G. Multiplication in GF (2m ) with polynomial basis rep- resentation is presented in this section. Inputs A = These formulas use 2M + 6S + 3D. The 3D are multipli- (a0 , a1 , . . . , am−1 ) and B = (b0 , b1 , . . . , bm−1 ) ∈ GF (2m ), cations by d1 , d2 /d1 and d2 . and the product C = AB = (c0 , c1 , . . . , cm−1 ) are treated as polynomials A(x), B(x), and C(x) with respective coef- ﬁcients. The dependence between these polynomials is given V. A N A PPLICATION OF E LLIPTIC C URVE by C(x) = A(x).B(x) mod F (x), Where F (x) is a constant I MPLEMENTATION OVER GF (2m ) irreducible polynomial of degree m. The hardware implemen- A. Field Programmable Gate Array (FPGA) tation for multiplication in GF (2m ) is presented in Fig.7. Field programmable gate array (FPGA) devices provide an excellent technology for the implementation of general purpose cryptographic devices. Compared with application speciﬁc integrated circuits (ASIC), FPGA as offer low non- recurring engineering costs, shorter design time, greater ﬂex- ibility and the ability to change the algorithm or design. Fig.5, shows a structure of ECC processor. It consists of a main control block, an ECC add and double block and an ECC block for arithmetic operations. The ECC processor we have implemented is deﬁned over the ﬁeld GF (2163 ), which is a SEC-2 recommendation [9], with this ﬁeld being deﬁned by the ﬁeld polynomial F (x) = x163 +x7 +x6 +x3 +1. The EC point multiplication processor, deﬁned in afﬁne Fig. 7. Serial Multiplier in GF (2m ). coordinates, is achieved by using a dedicated Galois Field arithmetic, implemented on FPGA using VHDL language. The Hardware implementation of inversion in GF (2m ) is presented in Fig.8. Fig. 5. Elliptic curve point multiplication processor. Fig.6, shows the hardware implementation of point addition operation, corresponding to equation (2). Fig. 8. Inverter in GF (2m ). 5 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 TABLE IV B. Simulation and Results: The use of NIST-Recommended T HE x AND y I NPUT C OORDINATES OF THE P OINT P AND AN A RBITRARY Elliptic Curves VALUE OF k. The NIST elliptic curves over F2163 and F2233 are listed in k = 0x 00000001 33E3CAE7 2CD0F448 B2954810 Table.II. The following notation is used. The elements of F2m FB75B5E3 D8F43D07 are represented using a polynomial basis representation with Px = 0x 00000003 69979697 AB438977 89566789 567F787A 7876A654 reduction polynomial f (x). The reduction polynomials for the Py = 0x 00000004 035EDB42 EFAFB298 9D51FEFC ﬁelds F2163 and F2233 are f (x) = x163 + x7 + x6 + x3 + 1 and E3C80988 F41FF883 f (x) = x233 + x74 + 1 respectively. An elliptic curve E over F2m is speciﬁed by the coefﬁcients a, b ∈ F2m of its deﬁning equation y 2 + xy = x3 + ax2 + b. The number of points on Table.3 shows the input parameters of the ECC scalar E deﬁned over F2m is nh, where n is prime, and h is called multiplication for a "163 bits" arbitrary value of k, and in the co-factor. A random curve over F2m is denoted by B-m. Table.V, we give the implementation results corresponding. TABLE III TABLE V NIST-R ECOMMENDED E LLIPTIC C URVES OVER F2163 , F2233 [4]. S YNTHESIS R ESULTS FOR E(F2163 ). point multiplication G(F2163 ) B-163: m = 163, f (z) = z 163 + z 7 + z 6 + z 3 + 1, Slice Logic Utilization: a = 1, h = 2 Number of Slice Registers: 2163 7% b = 0x 00000002 0A601907 B8C953CA Number of Slice LUTs: 2735 9% 1481EB10 512F7874 4A3205FD Number used as Logic: 2735 9% n = 0x 00000004 00000000 00000000 IO Utilization: 000292FE 77E70C12 A4234C33 Number of bonded IOBs: 330 58% x = 0x 00000003 F0EBA162 86A2D57E Maximum Frequency: 169.477MHz A0991168 D4994637 E8343E36 y = 0x 00000000 D51FBC6C 71A0094F A2CDD545 B11C5C0C 797324F1 In Table.VI, we give the implementation results for F2233 . B-233: m = 233, f (z) = z 233 + z 74 + 1, a = 1, h = 2 TABLE VI b = 0x 00000066 647EDE6C 332C7F8C S YNTHESIS R ESULTS FOR E(F2233 ). 0923BB58 213B333B 20E9CE42 81FE115F 7D8F90AD point multiplication G(F2233 ) n = 0x 00000100 00000000 00000000 Slice Logic Utilization: 00000000 0013E974 E72F8A69 Number of Slice Registers: 3073 10% 22031D26 03CFE0D7 Number of Slice LUTs: 3637 12% x = 0x 000000FA C9DFCBAC 8313BB21 Number used as Logic: 3637 12% 39F1BB75 5FEF65BC 391F8B36 IO Utilization: F8F8EB73 71FD558B Number of bonded IOBs: 470 83% y = 0x 00000100 6A08A419 03350678 Maximum Frequency: 136.323MHz E58528BE BF8A0BEF F867A7CA 36716F7E 01F81052 VI. C ONCLUSION AND O PEN P ROBLEMS C. Implementation In this work, the elliptic curve point multiplication is For implementation, the architecture has been tested on ISE considered. we have presented the different methods which 9.2i Software using XILINX FPGA xc5vlx50-3-ff1153 device can be used to implement ECC in hardware, we have given an and simulate with ISE Simulator. interesting study of the implementation of the Binary Edwards curves, and we have presented a version of an ECC crypto- hardware based on a Add and Double method, implemented on a Xilinx Virtex 5 device. This study can be extended by developing a digital signa- ture algorithm, which is very important in cryptography and internet security areas. R EFERENCES [1] D.J. Bernstein, T. Lange and R.R. Farashahi. Binary Edwards Curves. Cryptology ePrint Archive, Report 2008/171, 2008, http://eprint.iacr. org/. [2] Digital Signature Standard (DSS). Federal Information Processing Stan- dards Publication 186-2, National Institute of Standards and Technology. 2000. [3] H.M. Edwards. A Normal Form for Elliptic Curves. Bulletin of the Fig. 9. Simulation with ISE of scalar multiplication k.P for E(F2163 ) American Mathematical Society, vol. 44, no. 3, pp. 393–422, July 2007. 6 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011 [4] D. Hankerson, J. L’opez Hernandez and A. Menezes. Software Im- plementation of Elliptic Curve Cryptography over Binary Fields. In Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume 1965 of Lecture Notes in Computer Science. 2001. [5] D. Hankerson, A. Menezes and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 2004. [6] N. Koblitz. Elliptic Curve Crytosystems. Mathematics of Computation, Vol. 48, pages 203-209, 1987. [7] V.S. Miller. Use of Elliptic Curves in Cryptography. Advances in Cryptology-CRYTO ’85, Lecture Notes in Computer Science, vol. 128, Springer-Verlag, pages 417-426, 1985, Hugh C. Williams (Ed.). [8] R.L. Rivest, A. Shamir and L.M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM, vol. 21, no. 2, pp. 120–126, 1978. [9] SEC 2: Recommended Elliptic Curve Domain Parameters. Standard for Efﬁcient Cryptography. The SECG Group. 2000. 7 http://sites.google.com/site/ijcsis/ ISSN 1947-5500