Hardware Accelerators for ECC and HECC by Tisserand, Arnaud
To cite this version:
Arnaud Tisserand. Hardware Accelerators for ECC and HECC. ECC: 19th Workshop




Submitted on 30 Sep 2015






• Accelerator architecture and units
• Accelerator programming
• Implementation results: comparison ECC vs HECC on FPGA
• Conclusion & current/future works
A. Tisserand, CNRS–IRISA–CAIRN. Hardware Accelerators for ECC and HECC 2/35
Current Projects on (H)ECC Accelerators
PAVOIS project 2012–2016
Arithmetic Protections Against Physical Attacks for Elliptic Curve based Cryptography
• IRISA (Lannion)
• LIRMM (Perpignan, Montpellier & Toulon)
http://pavois.irisa.fr/
ANR 12 BS02 002
HAH project 2014–2017




































E : $y^2 = x^3 + 4x + 20$ over GF(1009)
points: P, Q = (x, y) or (x, y, z) or ...
coordinates: x, y, z ∈ GF(·)
$\mathbb{F}_p$, $\mathbb{F}_{2^m}$, t: 80–600 bits
$k = (k_{t-1} k_{t-2} \ldots k_1 k_0)_2 \in \mathbb{N}$
Scalar multiplication operation
for i from 0 to t − 1 do
    if $k_i$ = 1 then Q = ADD(P, Q)
    P = DBL(P)
Point addition/doubling operations
sequence of finite field operations
DBL: $v_1 = z_1^2$, $v_2 = x_1 - v_1$, ...
ADD: $w_1 = z_1^2$, $w_2 = z_1 \times w_1$, ...
$\mathbb{F}_p$ or $\mathbb{F}_{2^m}$ operations
operation modulo large prime ($\mathbb{F}_p$)
or irreducible polynomial ($\mathbb{F}_{2^m}$)
[Figure: power trace annotated with the operations performed (six DBL, two ADD) and the key bits read from it: 0 0 0 1 1 0]
Scalar multiplication operation
for i from 0 to t − 1 do
    if $k_i$ = 1 then Q = ADD(P, Q)
    P = DBL(P)
• simple power analysis (& variants)
• differential power analysis (& variants)
• horizontal/vertical/... attacks
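The leak sketched on this slide, as an added Python example (not code from the talk): the slide's loop runs on the slide's toy curve while logging ADD/DBL, a reader rebuilds k from that log alone, and a Montgomery ladder produces the same log for every key of a given length. The base point (1, 5), the bit length and all function names are assumptions of this example.

```python
# Added example: operation-sequence leakage of right-to-left double-and-add.
P_MOD, A, B = 1009, 4, 20      # curve from the slides: y^2 = x^3 + 4x + 20 over GF(1009)
G = (1, 5)                     # assumed sample point: 5^2 = 1 + 4 + 20 = 25
O = None                       # point at infinity


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def _group_law(p1, p2):
    """Affine chord-and-tangent law; covers infinity, P + (-P) and P + P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ADD(p1, p2, trace):
    trace.append("ADD")        # stands for the distinct power pattern of an addition
    return _group_law(p1, p2)


def DBL(p1, trace):
    trace.append("DBL")        # stands for the distinct power pattern of a doubling
    return _group_law(p1, p1)


def double_and_add(k, t, P):
    """Loop from the slides: scan k_0 .. k_{t-1}, ADD only when k_i = 1."""
    Q, trace = O, []
    for i in range(t):
        if (k >> i) & 1:
            Q = ADD(P, Q, trace)
        P = DBL(P, trace)
    return Q, trace


def recover_key(trace):
    """Read k from the operation log alone: an ADD before a DBL marks a 1 bit."""
    k, i, saw_add = 0, 0, False
    for op in trace:
        if op == "ADD":
            saw_add = True
        else:                  # every loop iteration ends with exactly one DBL
            k |= int(saw_add) << i
            i, saw_add = i + 1, False
    return k


def montgomery_ladder(k, t, P):
    """Regular alternative: one ADD and one DBL per bit, whatever k is."""
    R0, R1, trace = O, P, []
    for i in reversed(range(t)):
        if (k >> i) & 1:
            R0 = ADD(R0, R1, trace)
            R1 = DBL(R1, trace)
        else:
            R1 = ADD(R0, R1, trace)
            R0 = DBL(R0, trace)
    return R0, trace
```

The ladder only removes the dependence of the operation order on k; the data-dependent leakage targeted by differential and horizontal attacks is outside what this model shows.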
Objectives of Our Research Group
• Study and implementation of efficient hardware supports:
  - Cryptography over (hyper)-elliptic curves (H)ECC
  - Operations over finite fields $\mathbb{F}_p$ & $\mathbb{F}_{2^m}$ and curve points
  - Hardware targets: FPGAs and ASICs
  - Flexibility ⇒ programmable in software
• Study and implementation of protections against physical attacks:
  - Passive attacks: measurement of power consumption, electromagnetic radiation, timings
  - Active attacks: fault injection (in progress)
• Levels: algorithm, representation, operator, architecture, circuit
• Trade-offs between: performance, cost (area/energy), security
• Study, development and distribution of an open source (H)ECC accelerator and its programming tools































• Performance ⇒ hardware (HW)
  - dedicated functional units
  - internal parallelism
• Limited cost (embedded systems)
  - reduced silicon area
  - low energy (& power consumption)
  - large area used at each clock cycle
• Flexibility ⇒ software (SW)
  - curves, algorithms, representations (points/elements), k recoding, ...
  - at design time / at run time
• Security against SCAs ⇒ HW
  - secure units ($\mathbb{F}_{2^m}$, $\mathbb{F}_p$)
  - secure key storage/management
  - secure control
Data: w-bit (32, ..., 128) except for k digits; control: a few bits per unit




[Figure: functional unit with word-level ports x[i], y[i] and r[i]]
Notation: x[i] is the i-th w-bit word of x ∈ $\mathbb{F}_q$
Units:
• $\mathbb{F}_p$: addition/subtraction, multiplication (2-step, Montgomery, variants), inversion
• $\mathbb{F}_{2^m}$ (polynomial basis, normal basis & variants): addition/subtraction, multiplication (Montgomery, Mastrovito, 2-step), square, inversion
Internal parameters: number of sub-blocks, radix, pipelining scheme, countermeasure, mapping of local registers, output/input bypass, ...
Register File (≈ Dual Port Memory)
[Figure: register file with word-level ports x[i], y[i] and r[i]; field elements (size ≥ m bits) stored as words of w bits]
Control signals: addresses (port A, port B), read/write, write enable
Specific addressing model for $\mathbb{F}_q$ elements (through an intermediate address table with hardware loop)
• linear addresses, SW: LOAD @x ⇒ HW: loop x[0], x[1], ..., x[ℓ − 1]
• randomized addresses












• On-the-fly recoding of k: binary, λ-NAF (λ ∈ {2, 3, 4, 5}), variants (fixed/sliding), double-base [1] and multiple-base [2] number systems (with/without randomization), addition chains [12], others?
• Specific private path in the interconnect (no key leaks in RF or FUs)
External Interface(s)
Under development:
• Basic (neither clock rate nor width adaptation)
• ARM Cortex cores in Zynq 7 FPGAs (through AXI bus)
• MicroBlaze softcore processor for Xilinx FPGAs
  - AXI bus (V6+)
  - PLB bus (V2 – V5)
• Specific for a “small” ASIC pad ring
Future development:
• NIOS softcore processor for Altera FPGAs
• LEON softcore processor (depending on internal demand)






















Area/time < 10 %
References:
PhD D. Pamula [8]
Articles: [11], [10], [9]






















Protected (Old) Accelerator for $\mathbb{F}_{2^m}$




































































Warning: old dedicated accelerator (similar behavior is expected for our new one)
Circuit-Level Protections for Arithmetic Operators
References: [4] and [3]
Units Impact on Side Channel Information (1/2)
Activity traces measured with CABA¹ simulations for three configurations


























































































































¹ Cycle Accurate Bit Accurate

















































































































































































































































































Instruction Set















Address Model in the Register File
RF requirements:
• 5–16 registers of m-bit $\mathbb{F}_q$ elements
• worst case: w small (16 bits) and m large (600 bits) ⇒ 550+ words and 10-bit physical addresses
x ∈ $\mathbb{F}_q$ is addressed by one entry (notation @Rid) of the intermediate address table (IAT) with 2 values:
• offset of the first word (e.g. x[0])







Code Memory
Behavior:
• Specific private path in the interconnect for code download (no leaks
in RF or FUs)
• Code input can be disabled (ROM mode with code in the FPGA
bitstream)
• Instruction CALL: push PC then jump to @DEST
• Instruction RET: jump to (pop) + 1
Memory mapping to be defined
Internal Parallelism Model
non-blocking instruction decoding (i.e. always do PC ← PC + 1 or
PC ← cst) except for WAIT instruction






















read   fu_mul_0, 0, 1          read a & b
launch fu_mul_0                start ab
read   fu_mul_1, 3, 4          read d & e
launch fu_mul_1                start de
wait   fu_mul_0                wait for ab
write  fu_mul_0, 5             write ab
set    OPMODE, 0               addition mode (+)
read   fu_add_sub_0, 5, 2      read ab & c
launch fu_add_sub_0            start (ab) + c
wait   fu_mul_1                wait for de
write  fu_mul_1, 6             write de
wait   fu_add_sub_0            wait for (ab) + c
write  fu_add_sub_0, 5         write (ab) + c
read   fu_add_sub_0, 5, 6      read (ab) + c & de
launch fu_add_sub_0            start ((ab) + c) + (de)
wait   fu_add_sub_0            wait for ((ab) + c) + (de)
write  fu_add_sub_0, 5         write ((ab) + c) + (de)
ECC Accelerator with Addition Chains











































method  M  optim.  area              freq.  dura.  SCA
           target  slices (FF/LUT)   MHz    ms     prot.
EAC     3  area    534 (1813/1508)   132    35.8   Y
EAC     3  speed   556 (1872/1523)   137    34.5   Y
DA      2  area    429 (1243/1134)   191    30     N
DA      2  speed   399 (1302/1222)   177    32.5   N
ML      2  area    429 (1243/1134)   191    42.5   Y
ML      2  speed   399 (1302/1222)   177    45.8   Y
UF      2  area    429 (1243/1134)   191    50.4   Y
UF      2  speed   399 (1302/1222)   177    54.4   Y
NAF-3   2  area    422 (1280/1157)   181    25.2   N
NAF-3   2  speed   423 (1321/1242)   175    26.1   N
NAF-4   2  area    420 (1277/1161)   158    27.3   N
NAF-4   2  speed   425 (1233/1246)   177    24.4   N

EAC: Euclidean addition chains, DA: double-and-add, ML: Montgomery ladder, UF: unified formula
See details in [12]
Comparison ECC 256 vs HECC 128 (1/7)
field Fp ADD DBL




























































































































































































































































































































































































































































































































































































































































Cost: 38M + 6S
Configurations on a XC6SLX75 FPGA (details in [5]):
• w = 32 bits internal words
• 1 adder/subtracter, 1 inversion unit
• $n_M$ multipliers (Montgomery) with $n_B$ w-bit sub-blocks
• No DSP blocks
• ISE 14.6 Xilinx CAD tools, standard efforts (synthesis and P&R)
Comparison ECC 256 vs HECC 128 (2/7)
• Compared recoding techniques:
  - BIN: standard binary from left to right
  - NAF: non-adjacent form
  - λ-NAF: window methods with λ ∈ {3, 4}
• Implementation results for a full ECC accelerator ($n_M$ = 1, $n_B$ = 1):

Recoding               BIN               NAF               3-NAF             4-NAF
area slices (FF/LUT)   565 (1321/1461)   570 (1340/1479)   571 (1344/1495)   503 (1348/1489)
freq. (MHz)            225               228               237               217

All other results are reported for 4-NAF
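The recoding step compared on this slide, and performed on the fly by the accelerator's key unit, as an added Python example (not code from the talk). It assumes that λ-NAF denotes the usual width-λ non-adjacent form; the scalar K_SAMPLE and all function names are constructed for illustration.

```python
# Added example: width-w NAF recoding of the scalar k, produced digit by digit.
def recode_wnaf(k, w):
    """Yield signed digits d_0, d_1, ... (least significant first) such that
    k = sum(d_i * 2**i); nonzero digits are odd with |d_i| < 2**(w-1).
    w = 2 gives the ordinary NAF."""
    if k < 0 or w < 2:
        raise ValueError("need k >= 0 and w >= 2")
    while k:
        if k & 1:
            d = k & ((1 << w) - 1)      # k mod 2^w
            if d >= 1 << (w - 1):
                d -= 1 << w             # map to the signed residue
            k -= d                      # k is now divisible by 2^w
        else:
            d = 0
        yield d
        k >>= 1


def recode_binary(k):
    """Plain binary digits, least significant first (the BIN baseline)."""
    while k:
        yield k & 1
        k >>= 1


def cost(digits):
    """(doublings, additions, precomputed points) implied by a digit string.
    The points are the odd multiples P, 3P, ... up to the largest |digit|."""
    digits = list(digits)
    adds = sum(1 for d in digits if d)
    largest = max((abs(d) for d in digits), default=0)
    return len(digits), adds, (largest + 1) // 2


# Constructed 64-bit sample scalar (not from the slides).
K_SAMPLE = 0xD1B54A32D192ED03


def compare(k=K_SAMPLE):
    """Operation counts for BIN, NAF (w = 2), 3-NAF and 4-NAF on one scalar."""
    table = {"BIN": cost(recode_binary(k))}
    for w in (2, 3, 4):
        table[f"{w}-NAF"] = cost(recode_wnaf(k, w))
    return table
```

Wider windows trade fewer additions for more precomputed points, but the positions of the nonzero digits still depend on k, which matches the "N" in the SCA column for NAF-3 and NAF-4 in the addition-chain results table.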
Comparison ECC 256 vs HECC 128 (3/7)





                n_B = 1                   n_B = 2                   n_B = 4
      n_M   M   area               freq.  area               freq.  area               freq.
ECC   1     3   547 (1374/1460)    231    573 (1476/1625)    233    673 (1674/1875)    233
ECC   2     3   722 (1776/1903)    220    811 (1979/2210)    227    942 (2377/2701)    220
ECC   3     3   810 (2174/2236)    221    915 (2480/2698)    215    1130 (3077/3430)   214
ECC   4     3   952 (2569/2656)    215    1100 (2977/3282)   217    1512 (3771/4293)   216

HECC  1     4   514 (1336/1374)    235    549 (1434/1513)    234
HECC  2     4   646 (1716/1783)    220    737 (1912/2055)    234
HECC  3     4   732 (2092/2075)    224    826 (2386/2485)    225
HECC  4     4   870 (2476/2424)    218    1022 (2868/2987)   214
HECC  5     4   976 (2865/2773)    219    1115 (3355/3465)   210
HECC  6     4   1089 (3233/3092)   203    1240 (3821/3908)   208
HECC  7     4   1145 (3601/3426)   213    1372 (4287/4365)   205
HECC  8     4   1281 (3981/3809)   191    1552 (4765/4890)   183
HECC  9     4   1379 (4363/4051)   202    1691 (5245/5277)   199
HECC  10    4   1543 (4739/4435)   196    1856 (5719/5801)   198
HECC  11    4   1547 (5114/4750)   189    1936 (6192/6240)   198
HECC  12    4   1738 (5499/5128)   191    2100 (6675/6771)   188
Comparison ECC 256 vs HECC 128 (4/7)
Impact of the number/size of multipliers on the average time (ms):

      n_B   n_M = 1   2      3      4      5      6     7     8     9     10    11    12
HECC  1     15.6      8.6    5.7    4.7    3.9    3.7   3.3   3.6   3.4   3.5   3.6   3.6
HECC  2     11.9      6.2    4.5    3.6    3.2    2.8   2.8   3.0   2.7   2.7   2.8   2.9
ECC   1     28.1      15.3   12.4   12.4   12.7
ECC   2     17.7      9.6    8.3    8.0    8.4
ECC   4     11.1      6.2    5.4    5.1    5.3

Standard deviation for 1000 [k]P:

configuration             ECC (1,1)   ECC (3,4)   HECC (1,1)   HECC (6,2)
average time [ms]         28.1        5.4         15.6         2.8
standard deviation [ms]   0.289       0.056       0.324        0.045



















































On average HECC is 40 % faster than ECC for a similar silicon cost





























Comparison ECC 256 vs HECC 128 (7/7)
Source    FPGA        area                  freq.   duration [k]P
                      slices / DSP blocks   MHz     ms
ECC 1,2   Spartan 6   573 / 0               233     17.7
ECC 1,4   Spartan 6   673 / 0               233     11.1
ECC 2,4   Spartan 6   942 / 0               220     6.2
ECC 3,4   Spartan 6   1 130 / 0             214     5.4
[7]       Virtex-5    1 725 / 37            291     0.38
[7]       Virtex-4    4 655 / 37            250     0.44
[6]       Virtex-4    13 661 / 0            43      9.2
[6]       Virtex-4    20 123 / 0            43      7.7
Conclusion & Current/Future Works
• HECC is efficient in hardware (40 % speedup vs ECC)
• Flexible architecture and tools for research activities
• Advanced recoding schemes are efficient in hardware
Current/future works:
• Hardware implementation of halving based method(s)
• Protections against fault injection
• HECC extensions of the accelerator (and tools)
• ASIC (CMOS 65nm) implementation of the accelerator
• Side channel evaluation of (some) proposed protections
• HW/SW Code distribution under free license
• More advanced architecture/circuit level protections
• Collaboration with other research groups
Our Long Term Objectives
Study the links between:
• curves
• arithmetic algorithms
• $\mathbb{F}_q$, points representations
• architecture & units
• circuit styles
to ensure
• high security against
  - theoretical attacks
  - physical attacks
• low design cost

area     1   1 + a
delay    1   1 + t
energy   1   1 + e
a, t, e ∈ {0%, 5%, 10%, ..., 100%}
security 1
References
[1] T. Chabrier, D. Pamula, and A. Tisserand. Hardware implementation of DBNS recoding for ECC processor. In Proc. 44th Asilomar Conference on Signals, Systems and Computers, pages 1129–1133, Pacific Grove, California, U.S.A., November 2010. IEEE.
[2] T. Chabrier and A. Tisserand. On-the-fly multi-base recoding for ECC scalar multiplication without pre-computations. In A. Nannarelli, P.-M. Seidel, and P. T. P. Tang, editors, Proc. 21st Symposium on Computer Arithmetic (ARITH), pages 219–228, Austin, TX, U.S.A., April 2013. IEEE Computer Society.
[3] J. Chen, A. Tisserand, E. Popovici, and S. Cotofana. Asynchronous charge sharing power consistent Montgomery multiplier. In J. Sparso and E. Yahya, editors, Proc. 21st IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC), pages 132–138, Mountain View, California, USA, May 2015.
[4] J. Chen, A. Tisserand, E. M. Popovici, and S. Cotofana. Robust sub-powered asynchronous logic. In J. Becker and M. R. Adrover, editors, Proc. 24th International Workshop on Power and Timing Modeling, Optimization and Simulation (PATMOS), pages 1–7, Palma de Mallorca, Spain, September 2014. IEEE.
[5] G. Gallin, A. Tisserand, and N. Veyrat-Charvillon. Comparaison expérimentale d’architectures de crypto-processeurs pour courbes elliptiques et hyper-elliptiques. In Actes Conférence d’informatique en Parallélisme, Architecture et Système (ComPAS), Lille, France, June 2015. Best paper award, architecture track.
[6] S. Ghosh, M. Alam, D. Roychowdhury, and I.S. Gupta. Parallel crypto-devices for GF(p) elliptic curve multiplication resistant against side channel attacks. Computers and Electrical Engineering, 35(2):329–338, March 2009.
[7] Y. Ma, Z. Liu, W. Pan, and J. Jing. A high-speed elliptic curve cryptographic processor for generic curves over GF(p). In Proc. 20th International Workshop on Selected Areas in Cryptography (SAC), volume 8282 of LNCS, pages 421–437, Burnaby, BC, Canada, August 2013. Springer.
[8] D. Pamula. Arithmetic Operators on GF($2^m$) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs. PhD thesis, University of Rennes 1 and Silesian University of Technology, December 2012.
[9] D. Pamula, E. Hrynkiewicz, and A. Tisserand. Analysis of GF($2^{233}$) multipliers regarding elliptic curve cryptosystem applications. In 11th IFAC/IEEE International Conference on Programmable Devices and Embedded Systems (PDeS), pages 252–257, Brno, Czech Republic, May 2012.
[10] D. Pamula and A. Tisserand. GF($2^m$) finite-field multipliers with reduced activity variations. In 4th International Workshop on the Arithmetic of Finite Fields, volume 7369 of LNCS, pages 152–167, Bochum, Germany, July 2012. Springer.
[11] D. Pamula and A. Tisserand. Fast and secure finite field multipliers. In Proc. Euromicro Conference on Digital System Design (DSD), pages 1–8, Funchal, Portugal, August 2015.
[12] J. Proy, N. Veyrat-Charvillon, A. Tisserand, and N. Meloni. Full hardware implementation of short addition chains recoding for ECC scalar multiplication. In Actes Conférence d’informatique en Parallélisme, Architecture et Système (ComPAS), Lille, France, June 2015.




• CAIRN Group http://www.irisa.fr/cairn/
• IRISA Laboratory, CNRS–INRIA–Univ. Rennes 1
6 rue Kerampont, CS 80518, F-22305 Lannion cedex, France
Thank you
