An End-to-End Systems Approach to Elliptic
Curve Cryptography
Nils Gura, Sheueling Chang Shantz, Hans Eberle, Sumit Gupta, Vipul Gupta,
Daniel Finchelstein, Edouard Goupy, Douglas Stebila
Sun Microsystems Laboratories
{
Nils.Gura, Sheueling.Chang, Hans.Eberle, Gupta.Sumit, Vipul.Gupta,
Daniel.F.Finchelstein, Edouard.Goupy, Douglas.Stebila
}
@sun.com
http://www.research.sun.com
Abstract.
Since its proposal by Victor Miller [17] and Neal Koblitz [15]
in the mid 1980s, Elliptic Curve Cryptography (ECC) has evolved into a
mature public-key cryptosystem. Oﬀering the smallest key size and the
highest strength per bit, its computational eﬃciency can beneﬁt both
client devices and server machines. We have designed a programmable
hardware accelerator to speed up point multiplication for elliptic curves
over binary polynomial ﬁelds
GF
(2
m
). The accelerator is based on a
scalable architecture capable of handling curves of arbitrary ﬁeld de-
grees up to
m
= 255. In addition, it delivers optimized performance for
a set of commonly used curves through hard-wired reduction logic. A
prototype implementation running in a Xilinx XCV2000E FPGA at 66.4
MHz shows a performance of 6987 point multiplications per second for
GF
(2
163
). We have integrated ECC into OpenSSL, today’s dominant
implementation of the secure Internet protocol SSL, and tested it with
the Apache web server and open-source web browsers.
1
Introduction
Since its proposal by Victor Miller [17] and Neal Koblitz [15] in the mid 1980s,
Elliptic Curve Cryptography (ECC) has evolved into a mature public-key cryp-
tosystem. Extensive research has been done on the underlying math, its security
strength, and eﬃcient implementations.
ECC oﬀers the smallest key size and the highest strength per bit of any known
public-key cryptosystem. This stems from the discrete logarithm problem in the
group of points over an elliptic curve. Among the diﬀerent ﬁelds that can un-
derlie elliptic curves, integer ﬁelds
F
(
p
) and binary polynomial ﬁelds
GF
(2
m
)
have shown to be best suited for cryptographical applications. In particular, bi-
nary polynomial ﬁelds allow for fast computation in both software and hardware
implementations.
Small key sizes and computational eﬃciency of both public- and private-key
operations make ECC not only applicable to hosts executing secure protocols
over wired networks, but also to small wireless devices such as cell phones, PDAs
and SmartCards. To make ECC commercially viable, its integration into secure