Hardware and Arithmetic for Hyperelliptic Curves Cryptography
Gabriel Gallin, Arnaud Tisserand, Nicolas Veyrat-Charvillon
To cite this version:
Gabriel Gallin, Arnaud Tisserand, Nicolas Veyrat-Charvillon. Hardware and Arithmetic for Hyperelliptic Curves Cryptography. RAIM: 7ème Rencontre Arithmétique de l'Informatique
Submitted on 29 Mar 2015
HAH Project, IRISA–IRMAR
$E: y^2 = x^3 + 4x + 20$ over GF(1009)
Points on E: P, Q = (x, y) or (x, y, z)
Coordinates: x, y, z ∈ GF(·)
GF(p), GF($2^m$), t: 160–600 bits
$k = (k_{t-1} k_{t-2} \ldots k_1 k_0)_2 \in \mathbb{N}$
Scalar multiplication operation
for i from 0 to t − 1 do
    if k_i = 1 then Q = ADD(P, Q)
    P = DBL(P)
Point addition/doubling operations
sequence of finite field operations
DBL: $v_1 = z_1^2$, $v_2 = x_1 - v_1$, ...
ADD: $w_1 = z_1^2$, $w_2 = z_1 \times w_1$, ...
GF(p) or GF($2^m$) operations
operation modulo large prime (GF(p))
or irreducible polynomial (GF($2^m$))
2. Side Channel Attacks (SCAs)
[Figure: sequence of DBL and ADD operations]
• Differential analysis (statistics)
• Templates and learning
3. Protections & Counter-Measures Against SCAs
• Uniform computation durations
• Add noise (!)
Random recoding: $\forall i,\ [R_i(k)]P = [k]P$
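The scalar multiplication loop of section 1 and the uniform-duration counter-measure of section 3, as an added example (not code from the poster or the HAH project): it runs the right-to-left loop on E over GF(1009) in affine coordinates, records the ADD/DBL sequence, and shows that the sequence gives back k unless an ADD is executed for every bit. The base point (1, 5), the scalar and all function names are assumptions; only the operation sequence is modelled, not timing or power.

```python
# Curve from the poster: E: y^2 = x^3 + 4x + 20 over GF(1009).
P_MOD, A, B = 1009, 4, 20
G = (1, 5)    # assumed base point: 5^2 = 25 = 1^3 + 4*1 + 20
INF = None    # point at infinity

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def add(p, q):
    # Affine ADD; uses the tangent slope when p == q, so add(p, p) is DBL.
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # p = -q
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, p, t, uniform=False):
    """Right-to-left loop from the poster; returns ([k]p, operation trace)."""
    q, trace = INF, []
    for i in range(t):
        bit = (k >> i) & 1
        if uniform or bit:
            s = add(p, q)                # uniform: ADD runs for every bit
            q = s if bit else q          # result kept only when k_i = 1
            trace.append("ADD")
        p = add(p, p)                    # DBL
        trace.append("DBL")
    return q, trace

def key_from_trace(trace):
    """Bits an observer reads off the ADD/DBL sequence (each DBL ends a bit)."""
    k, i, saw_add = 0, 0, False
    for op in trace:
        if op == "ADD":
            saw_add = True
        else:
            k |= saw_add << i
            i, saw_add = i + 1, False
    return k

if __name__ == "__main__":
    for uniform in (False, True):
        q, trace = scalar_mult(0b10110101, G, 8, uniform)  # constructed scalar
        print(q, " ".join(trace), bin(key_from_trace(trace)))
```

With `uniform=True` the trace is the same ADD DBL pair for every bit, so the recovered value is all ones whatever k is.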
4. From ECC to HECC
Cost: 38M + 6S
Examples of computation expressions for projective coordinates
5. HAH Project Objectives
• Efficient algorithms and representations for HECC
• HECC protections against SCAs (passive and active)
• Fast, low-power and secure hardware implementations (open source hardware code and programming tools)
• Intensive security evaluation using our SCA setup
• Arithmetic Units (AUs): ±, ×, ÷ over GF(p)/GF($2^m$); various configurations (area vs speed, internal protection)
• Various key recoding methods (and dedicated units)
• Configuration: field size, internal word size, #AUs, type(AUs)
• Circuit/architecture level protections
8. Implementation Results on FPGA
XC6SLX75 FPGA, GF(p), 256-bit ECC or 128-bit HECC, internal word size w = 32 bits

Recoding units:

| Recoding | BIN | NAF-2 | NAF-3 | NAF-4 |
|---|---|---|---|---|
| area slices (FF/LUT) | 565 (1321/1461) | 570 (1340/1479) | 571 (1344/1495) | 503 (1348/1489) |
| freq. (MHz) | 225 | 228 | 237 | 217 |

Area/speed trade-offs for ECC and HECC configurations (each cell: area in slices (FF/LUT), freq. in MHz):

| | #mult. | BRAM | mult. 1 col. | mult. 2 col. | mult. 4 col. |
|---|---|---|---|---|---|
| ECC | 1 | 2 | 503 (1348/1489), 217 | 626 (1450/1643), 230 | 694 (1649/1891), 211 |
| ECC | 2 | 2 | 689 (1744/1894), 219 | 754 (1948/2208), 234 | 931 (2345/2712), 220 |
| ECC | 3 | 2 | 809 (2146/2245), 205 | 942 (2449/2704), 222 | 1105 (3046/3436), 222 |
| HECC | 1 | 2 | 522 (1344/1405), 228 | 520 (1434/1535), 217 | |
| HECC | 2 | 2 | 634 (1746/1786), 226 | 689 (1926/2055), 220 | |
| HECC | 4 | 2 | 852 (2552/2531), 201 | 917 (2912/3045), 195 | |
| HECC | 8 | 2 | 1347 (4145/3882), 204 | 1601 (4865/4928), 209 | |
9. Algorithms and Architecture Impacts on SCAs
Activity traces from CABA¹ simulations (after filtering) for several

¹ Cycle Accurate Bit Accurate (i.e. simulations close to real power measurements)
http://h-a-h.inria.fr/
