橢圓曲線密碼學被認為是公開金鑰加密的最佳選擇之一。和RSA演算法做為比較，橢圓曲線密碼學使用較小的金鑰長度，卻能提供相同的加密層級。如此使用較少的資料長度、記憶體的使用以及較低的功率消耗。根據橢圓曲線密碼學的運算複雜度，橢圓曲線密碼學是比較適合應用在受限的裝置上，像是RFID標籤。將橢圓曲線密碼學整合在RFID標籤上以確保資料的安全性在受限制的功率消耗、能量、面積下仍然是一個挑戰。

在本論文中，我們提出一種低成本的橢圓曲線引擎來支持RFID標籤驗證。我們提出一個包含了乘法器、加法器以及平方器的複合運算元件。並且利用循環限制站存器來減少運算元件的輸入選擇。我們藉由Montgomery Ladder演算法以線性規劃的方式大大縮小橢圓運算的時間。

為了找到最低成本的橢圓曲線引擎，我們評估了橢圓曲線引擎中不同大小的乘法器。最後實作的結果使用台積電65nm製程的邏輯閘資料庫，橢圓曲線引擎的面積為10,504個邏輯閘，而在算一個橢圓曲線純量乘法的時間限制為250ms的情況下，在頻率為273kHz執行一個純量乘法需要4.68μW的功率消耗以及總共1.17μ焦耳的能量。以此結果其他設計結果比較，可以看出這是目前最佳的低成本橢圓曲線引擎。

Elliptic Curve Cryptography (ECC) is considered as one of the best candidates for public key cryptographic systems. ECC oers equivalent security as RSA for much smaller parameter sizes. As a result, it exhibits the smaller data-paths, less memory usage and lower power consumption. Based on its computational complexity, ECC is suitable for constrained devices such as RFID tags. However, integrating ECC on RFID tags to ensure the secure information transaction is still a challenge for limited power consumption, energy and area resources.
In this thesis, we propose low cost ECC engines to support the secure RFID-tag authentication protocol. The critical operation in the authentication protocol is the EC scalar multiplication. We present the arithmetic unit integrating a digit-serial multiplier, an adder, and a bit-parallel squarer. The proposed circular shift register can eciently reduce the complexity of input selection of our arithmetic unit. Based on the Montgomery ladder algorithm over binary elds, we also present the optimal operation scheduling using integer linear programming (ILP) technique that can further minimize the latency of EC scalar multiplication with little control overhead.
In order to find the trade-offon digit size, we evaluate sixteen digit sizes, ranging from 1 to 16 bits of multiplier in our ECC engine. Finally, the synthesis result using TSMC 65nm CMOS technology shows that our ECC engine with digit size of 2 implemented with 10,504 gates, total power around 4.68 μW at 273 KHz within 250 ms and the energy consumption 1.17 μJ for one EC calar multiplication is the best between power, area, and energy consumption among current low cost design.

1 Introduction
1.1 Introduction to RFID systems
1.2 Secure RFID-Tag Authentication Protocols
1.3 Motivation
1.4 Previous Works
1.5 Contribution
1.6 Thesis Organization
2 Mathematical Background
2.1 Elliptic Curves
2.2 Scalar Multiplication Algorithms
2.2.1 LR Algorithm
2.2.2 Montgomery Ladder Algorithm
2.2.3 Montgomery Ladder Algorithm with Lopez-Dahab Method
2.3 Finite Field Arithmetic over GF(2m)
2.3.1 Field Addition
2.3.2 Field multiplication
2.3.3 Field squaring
3 Design Methodology and Optimization
3.1 Overview of Elliptic Curve Cryptographic Engine
3.2 Preliminary Arrangement of Scalar Multiplication
3.2.1 Selecting Methodology for Hardware-adopted Algorithm
3.2.2 Basic Process for Lopez-Dahabs Algorithm
3.2.3 Optimization for Lopez-Dahabs Algorithm
3.3 Operation Scheduling using the ILP technique
3.3.1 Global Constraint for an ILP optimization
3.3.2 Local Constraint for an ILP optimization
3.3.3 Scheduling Result of the Kernel Function
4 Hardware Architecture
4.1 Elliptic Curve Cryptography Engine
4.2 Circular Shift Register File
4.3 Arithmetic Unit
4.3.1 Adder Architecture
4.3.2 Multiplier Architecture
4.3.3 Squarer Architecture
4.4 Scheduling Result Based on ECC Engine
4.4.1 Eliminate Reading Overhead
4.4.2 Register File Management
5 Experiment Result
5.1 Synthesis Result and Performance Analysis
5.2 Comparison with Related Works
6 Conclusion and Future Work
6.1 Conclusion
6.2 Future Work

[1] W. Die and M. Hellman, "New directions in cryptography," in IEEE Transactions on Information Theory, vol. 22, pp. 644-654, Nov 1976.
[2] J. Jonsson and B. Kaliski, Public-key cryptography standards (PKCS)# 1: RSA cryptography specications version 2.1, June 2002.
[3] N. Koblitz, "Elliptic Curve Cryptosystems," in Mathematics of Computation, vol. 48, pp. 203-209, 1987.
[4] IEEE, IEEE Std 1363-2000: Standard Specications for Public Key Cryptography, Jan. 2000.
[5] ANSI X9.62-199x: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), Sep. 1998.
[6] Recommended Elliptic Curves for Federal Government Use, National Institute of Standards and Technology (NIST), July 1999.
[7] SECG, SEC 2: Recommended Elliptic Curve Domain Parameters, Standards for Efficient Cryptography Group (SECG), Sep. 2000.
[8] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, Recommendation for key management{part 1: General (revision 3), National Institute of Standards and Technology (NIST), vol. 800, pp. 57, 2011.
[9] V. Miller, "Uses of elliptic curves in cryptography," in Advances in Cryptology: proceedings of Crypto'85, Lecture Notes in Computer Science, vol. 218, pp. 417-426, 1986.
[10] C. Schnorr, "Ecient Identication and Signatures for Smart Cards," in Advances in Cryptology: proceedings of Crypto89, Lecture Notes in Computer Science, vol. 435, pp. 239-252, Springer New York, 1990.
[11] ISO/IEC 18000-3: Information Technology - Radio Frequency Identication (RFID) for Item Management - Part 3: Parameters for air interface communications at 13.56 MHz, 2004.
[12] J. H. Lee, Y. C. Hsu, and Y. L. Lin, "LIP: A data-path scheduler using linear integer programming," in IEEE International Symposium on VLSI Technology, Systems and Applications,, pp. 247251, May 1989.
[13] T. Itoh, and S. Tsujii, "A fast algorithm for computing multiplicative inverses in GF(2m) using normal bases" in Information and Computation, vol. 78, Issue 3, pp. 171-177, Sep. 1988.
[14] J. Lopez and R. Dahab, "Fast Multiplication on Elliptic Curves over GF(2m) without Precomputation," in Cryptographic Hardware and Embedded Systems (CHES) vol. 1717, pp. 316-327, Springer, Aug. 1999.
[15] K. Sakiyama, L. Batina, N. Mentens, B. Preneel, and I. Verbauwhede, "Small-footprint ALU for Public-Key Processors for Pervasive Security, in Workshop on RFID Security, vol. 12, 2006.
[16] H. Wu, "Bit-Parallel Finite Field Multiplier and Squarer Using Polynomial Basis," in IEEE Transactions on Computers, vol. 51, pp. 750-758, July 2002.
[17] S. Kumar, and C. Paar, "Are standards compliant Elliptic Curve Cryptosystems feasible on RFID?" in Workshop on RFID Security, , pp. 12-14, July 2006.
[18] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede, "An Elliptic Curve Processor Suitable For RFID-Tags." IACR Cryptology ePrint Archive, vol. 2006, pp. 227, 2006.
[19] Y. K. Lee, K. Sakiyama, L. Batina, and I. Verbauwhede, "Elliptic-Curve-Based Security Processor for RFID," in IEEE Transactions on Computers, vol. 57, pp. 1514-1527, Nov. 2008.
[20] P. Montgomery, "Speeding the Pollard and elliptic curve methods of factorization," in Mathematics of Computation, vol. 48, pp. 243-264, 1987.
[21] M. Feldhofer, and J. Wolkerstorfer, "Strong Crypto for RFID Tags - A Compariosn of Low-Power Hardware Implementations," in IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1839-1842, 2007.
[22] P. Luo, X. Wang, J. Feng, and Y. Xu, "Low-Power Hardware Implementation of ECC Processor suitable for Low-Cost RFID Tags," in Solid-State and Integrated Circuit Technology (ICSICT) pp. 1681-1684 Oct. 2008.
[23] H. Bock, M. Braun, M. Dichtl, E. Hess, J. Heyszl, W. Kargl, H. Koroschetz, B. Meyer, and H. Seuschek, "A Milestone Towards RFID Products Oering Asymmetric Authentication Based on Elliptic Curve Cryptography," in Workshop on RFID Security, 2008.
[24] Yueh Chang, "Energy Ecient Architecture for Elliptic Curve Cryptography over Binary Fields," Oct. 2011.
[25] P.W. Chang, "Low-Cost Design for Elliptic Curve Cryptography over Binary Field," Nov. 2012.
[26] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede, "Public-Key Cryptography on the Top of a Needle," in IEEE International Symposium on Circuits and Systems (ISCAS), pp.1831-1834, 2007.
[27] H.R. Ahmadi and A. Afzali-Kusha, "Low-Power Low-Energy Prime-Field ECC Processor Based on Montgomery Modular Inverse Algorithm", in Euromicro Conference on Digital System Design, Architectures, Methods and Tools (DSD), pp.817-822, 2009.
[28] D. Hein, J. Wolkerstorfer, and N. Felber, "ECC is Ready for RFID - A Proof in Silicon," in Selected Areas in Cryptography, pp. 401{413, Springer, 2009.
[29] U. Kocabas, J. Fan, and I. Verbauwhede, "Implementation of binary edwards curves for very-constrained devices," in IEEE International Conference on Application-specific Systems Architectures and Processors (ASAP), pp.185-191, 2010.
[30] T. Kern, and M. Feldhofer, "Low-Resource ECDSA Implementation for Passive RFID Tags," in IEEE International Conference on Electronics, Circuit, and Systems (ICECS), pp. 1236-1239 Dec. 2010.