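| Graduate student: | 張珮玟 Chang, Pei-Wen |
|---|---|
| Thesis title: | 低成本橢圓曲線密碼架構之設計 Low-Cost Design for Elliptic Curve Cryptography over Binary Field |
| Advisor: | 黃稚存 Huang, Chih-Tsun |
| Oral defense committee: | 馬席彬, 謝明得 |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science |
| Year of publication: | 2012 |
| Academic year of graduation: | 101 |
| Language: | English |
| Number of pages: | 62 |
| Keywords (Chinese): | Elliptic curve cryptography, radio frequency identification, low cost, low energy consumption |
| Keywords (English): | Elliptic Curve Cryptography, radio frequency identification (RFID), Low cost, Low power |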
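Elliptic curve cryptography is an asymmetric encryption algorithm that has attracted considerable attention from both academia and industry in recent years. Compared with the widely used RSA algorithm at the same security level, elliptic curve cryptography has a shorter key length, and is therefore better suited to RFID systems, which have strict requirements on area and power consumption.
In this thesis, we propose a low-cost architecture for computing the key operation of elliptic curves, namely scalar multiplication. Our architecture comprises an arithmetic unit, a controller, and storage. The arithmetic unit consists of a high-radix multiplier, an adder, and a squarer. To reduce area, we aim to lower the number and complexity of multiplexers, so the components of the arithmetic unit are chained together to reduce the input selections of each component, and a circular, restricted-access register file is used to reduce accesses. To lower power consumption, the design must operate at a low frequency; using the Montgomery ladder algorithm together with the proposed architecture, we derive an efficient schedule, and using a squarer in the arithmetic unit reduces the cycle count by 47%. In addition, we examine how different restrictions on register scheduling control affect area and power consumption.
The final implementation uses a TSMC 65nm standard-cell library. The elliptic curve core has an area of 12,859 gates, and, under a time limit of 250ms per scalar multiplication, performing one scalar multiplication at a frequency of 102kHz requires 4.64μW of power. Compared with other designs, our hardware cost is better than that of other elliptic curve cryptography hardware designs.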
Elliptic curve cryptography (ECC) has recently become one of the most popular public-key cryptosystems. At the same security level as RSA, ECC has a shorter key length. Because of this property, ECC is better suited to RFID tags, which have limited area and power.
In our approach, we propose a low-cost architecture to support the crucial operation of ECC over GF(2^m), namely point scalar multiplication. The core consists of an Arithmetic Unit (AU), a controller, and storage devices. The proposed AU includes a high-radix multiplier, an adder and a bit-parallel squarer. To minimize area by decreasing the complexity of the multiplexers, we integrate the components of the AU to eliminate input selections and use a circular register file architecture to limit register access. To attain low power consumption, the design needs to work at a low clock frequency. Based on the Montgomery ladder algorithm, we carefully schedule the field operations of point scalar multiplication to simplify register management. Also, the use of the bit-parallel squarer decreases the number of cycles by about 47%. In addition, we find a trade-off between area and power under register management restrictions.
The implementation result with TSMC 65nm CMOS technology shows that the proposed design requires an area of 12,859 gates and has a power consumption of 4.64 μW to perform a scalar multiplication over GF(2^163) in 250ms at 102kHz. The hardware cost compares favorably with previous similar works.
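The point scalar multiplication described in the abstract, as an added Python example that is not code from the thesis: an x-only Montgomery ladder over GF(2^163) using the López-Dahab projective formulas, with counters showing that each key bit costs 6 field multiplications and 5 squarings in this formulation. The reduction polynomial (the NIST/SECG pentanomial), the curve coefficient `B`, the x-coordinate `X` and all function names are assumptions chosen for illustration.

```python
M = 163
POLY = (1 << M) | 0xC9   # assumed NIST/SECG pentanomial x^163+x^7+x^6+x^3+1
B = 0x1D                 # constructed curve coefficient b (must be nonzero)
X = 0x1234567890ABCDEF1234567890ABCDEF12345678   # constructed x-coordinate
ops = {"mul": 0, "sqr": 0}   # field-operation counters

def mulmod(a, b):
    """Carry-less (XOR) multiply, then reduce modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    while r.bit_length() > M:
        r ^= POLY << (r.bit_length() - M - 1)
    return r

def fmul(a, b, kind="mul"):
    ops[kind] += 1
    return mulmod(a, b)

def fsqr(a):
    return fmul(a, a, "sqr")

def finv(a):
    """Fermat inverse a^(2^163 - 2); final conversion only, not counted."""
    r = 1
    for _ in range(M - 1):
        a = mulmod(a, a)
        r = mulmod(r, a)
    return r

def ladder_step(x, b, XA, ZA, XB, ZB):
    """Return (A+B, 2A) in x-only projective form; A and B differ by P."""
    t1, t2 = fmul(XA, ZB), fmul(XB, ZA)
    Zs = fsqr(t1 ^ t2)                     # addition: 4 mul + 1 sqr
    Xs = fmul(x, Zs) ^ fmul(t1, t2)
    xx, zz = fsqr(XA), fsqr(ZA)            # doubling: 2 mul + 4 sqr
    return Xs, Zs, fsqr(xx) ^ fmul(b, fsqr(zz)), fmul(xx, zz)

def scalar_mul_x(k, x, b=B):
    """Affine x of k*P for k >= 1, or None at infinity (arithmetic model only)."""
    X1, Z1, X2, Z2 = x, 1, fsqr(fsqr(x)) ^ b, fsqr(x)   # (P, 2P)
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:    # both branches run the same operation sequence
            X1, Z1, X2, Z2 = ladder_step(x, b, X2, Z2, X1, Z1)
        else:
            X2, Z2, X1, Z1 = ladder_step(x, b, X1, Z1, X2, Z2)
    return None if Z1 == 0 else mulmod(X1, finv(Z1))
```

The block models the field arithmetic and operation count only; the Python branch on the key bit is not a constant-time selection.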