橢圓曲線加密演算法(ECC)是屬於公開加密演算法(PKC)的一種。跟其他加密演算法比較起來，其優勢為使用較少的金鑰長度就可以達到較高的安全性。隨著物聯網議題的興起，對於相關之攜帶式及無線裝置的需求也日漸增加，而密碼學在無線射頻識別系統(RFID)之應用是一個重要議題，其目的是要讓通訊系統中訊息的傳輸能夠受到適當之加密保護。而為了配合RFID在硬體上實現之需求，我們選擇二位元體GF(2m)來實現橢圓曲線處理器架構。
本論文提出了應用位移暫存器之RFID橢圓曲線處理器硬體架構，其處理器包含了五組資料暫存器、一組有限體加法器、一組有限體平方器及一組位元序列有限體乘法器。使用位移暫存器架構之優勢為其設計能大幅度減少多工器之邏輯閘面積及繞線之複雜度。在此設計中，我們選用López-Dahab Montgomery Ladder演算法及GF(2163)的有限體長度來實現橢圓曲線加密系統。此外，我們也根據國家標準技術研究所(NIST)所推薦之橢圓曲線參數來優化我們的運算，使我們所設計之電路排程達到最佳化。
最後，本論文使用門控時鐘(Clock Gating)技術來減少電路之動態功率消耗並且使用TSMC CMOS 130nm標準製程之邏輯閘資料庫來作合成。我們電路之面積為12919 gates，而電路功耗為4.78μJ。與其他論文所提出之設計做比較，我們在功耗跟面積達到了最好的平衡。

Elliptic Curve Cryptography (ECC) is an efficient Public Key Cryptography (PKC) because it can use less bit key size to achieve a higher security level compared with other algorithms. As the growing discussion of Internet of Things (IoT), there are more
requirements for portable and wireless devices. In order to make sure the message transmission in the communication system is safe, the cryptography for RFID system is an important issue. We choose ECC over GF(2m) to implement because it’s suitable for hardware implementation.
We propose the ECC core with shift register architecture, and it includes five data registers, a finite field adder, a finite field squarer and a digit serial finite field multiplier. The advantage of shift register architecture is that it can substantially reduce the gate area of the mux. In this design, we choose Lopez-Dahab Montgomery Ladder algorithm and field size GF(2163) to implement. We optimize the operation based on the elliptic curve parameters which recommended by National Institute of Standards and Technology (NIST).
Next, we use clock gating technique to decrease the dynamic power and synthesis the circuit with TSMC 130nm standard CMOS technology. Our design’s area is 12919 gates and energy consumption is 4.78J. Compared with other related works, we achieve the best balance between energy and area.

1 Introduction 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Main Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Mathematical background 5
2.1 Cryptography systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Private Key Cryptography . . . . . . . . . . . . . . . . . . . . . . 6
2.1.2 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Elliptic Curve Point Operations . . . . . . . . . . . . . . . . . . . . . . . 10
2.4 Elliptic Curve Scalar Multiplication . . . . . . . . . . . . . . . . . . . . . 11
2.4.1 LR algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4.2 LR algorithm with NAF . . . . . . . . . . . . . . . . . . . . . . . 12
2.4.3 Lopez-Dahab Montgomery Ladder algorithm . . . . . . . . . . . . 14
2.5 Finite Field Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.5.1 Finite Field Addition . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.5.2 Finite Field Multiplication . . . . . . . . . . . . . . . . . . . . . . 19
2.5.3 Finite Field Squaring . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5.4 Finite Field Inversion . . . . . . . . . . . . . . . . . . . . . . . . 20
3 System Architecture 23
3.1 Specification of the system . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Acrhitecture of the ECC core . . . . . . . . . . . . . . . . . . . . . . . . 25
3.3 Hardware Implemention of Finite Field operation . . . . . . . . . . . . . 28
3.3.1 Finite Field Adder . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3.2 Finite Field Multiplier . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3.3 Finite Field Squarer . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.3.4 Finite Field Invertor . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4 Architecture of Arithmetic Unit . . . . . . . . . . . . . . . . . . . . . . . 34
3.4.1 Architecture of AU . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.4.2 Architecture of AU with shift registers . . . . . . . . . . . . . . . 35
3.5 Scheduling of the ECC core . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.5.1 Finite State Machine of the ECC core . . . . . . . . . . . . . . . 36
3.5.2 Scheduling of the normal architecture . . . . . . . . . . . . . . . . 37
3.5.3 Scheduling of the shift register architecture . . . . . . . . . . . . 39
4 Experiment Result 47
4.1 Experiment Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.2 Radix selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.3 Implementation Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3.1 Clock Gating technique . . . . . . . . . . . . . . . . . . . . . . . 50
4.3.2 Implementation Result . . . . . . . . . . . . . . . . . . . . . . . . 51
4.4 Comparison with Related Works . . . . . . . . . . . . . . . . . . . . . . 53
5 Conclusions and Future Works 55
5.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.2 Future Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

[1] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
[2] J. Jonsson, K. Moriarty, B. Kaliski, and A. Rusch, “Pkcs# 1: Rsa cryptography specifications version 2.2,” 2016.
[3] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of computation, vol. 48, no. 177, pp. 203–209, 1987.
[4] V. S. Miller, “Use of elliptic curves in cryptography,” in Conference on the Theory and Application of Cryptographic Techniques. Springer, 1985, pp. 417–426.
[5] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for key management part 1: General (revision 3),” NIST special publication, vol. 800, no. 57, pp. 1–147, 2012.
[6] IEEE Std 1363-2000: IEEE Standard Specifications for Public-Key Cryptography. IEEE, 2000. [Online]. Available: https://books.google.com.tw/books?id=KKc8nQAACAAJ
[7] ISO/IEC, 18000-3:2010 Information technology – Radio frequency identification for item management – Part 3: Parameters for air interface communications at 13,56 MHz, 2010.
[8] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ecdsa),” International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001.
[9] S. SEC, “2: Recommended elliptic curve domain parameters,” Standards for Efficient Cryptography Group, Certicom Corp, 2000.
[10] J. López and R. Dahab, “Fast multiplication on elliptic curves over gf (2 m) without precomputation,” in Cryptographic Hardware and Embedded Systems. Springer, 1999, pp. 724–724.
[11] National and N. I. S. T. Technology, Recommended elliptic curves for federal government use, 1999.
[12] K. Sakiyama, L. Batina, B. Preneel, and I. Verbauwhede, “Multicore curve-based cryptoprocessor with reconfigurable modular arithmetic logic units over gf (2^ n),” IEEE Transactions on Computers, vol. 56, no. 9, 2007.
[13] Y. K. Lee, K. Sakiyama, L. Batina, and I. Verbauwhede, “Elliptic-curve-based security processor for rfid,” IEEE Transactions on Computers, vol. 57, no. 11, pp. 1514–1527, 2008.
[14] T. Itoh and S. Tsujii, “A fast algorithm for computing multiplicative inverses in gf (2m) using normal bases,” Information and computation, vol. 78, no. 3, pp. 171–177, 1988.
[15] Y. Chang, “Energy efficient architecture for elliptic curve cryptography over binary fields,” Department of Computer Science, National Tsing Hua University, Oct. 2011.
[16] P. Luo, X. Wang, J. Feng, and Y. Xu, “Low-power hardware implementation of ecc processor suitable for low-cost rfid tags,” in Solid-State and Integrated-Circuit Technology, 2008. ICSICT 2008. 9th International Conference on. IEEE, 2008, pp. 1681–1684.
[17] M. Feldhofer and J. Wolkerstorfer, “Strong crypto for rfid tags-a comparison of low-power hardware implementations,” in Circuits and Systems, 2007. ISCAS 2007. IEEE International Symposium on. IEEE, 2007, pp. 1839–1842.
[18] H. Bock, M. Braun, M. Dichtl, E. Hess, J. Heyszl, W. Kargl, H. Koroschetz, B. Meyer, and H. Seuschek, “A milestone towards rfid products offering asymmetric authentication based on elliptic curve cryptography,” Invited talk at RFIDsec, 2008.
[19] D. M. Hein, J. Wolkerstorfer, and N. Felber, “Ecc is ready for rfid-a proof in silicon.” in Selected Areas in Cryptography, vol. 5381. Springer, 2008, pp. 401–413.