Paper 2015/556

Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates

Sujoy Sinha Roy, Kimmo Järvinen, and Ingrid Verbauwhede


We propose a lightweight coprocessor for 16-bit microcontrollers that implements high security elliptic curve cryptography. It uses a 283-bit Koblitz curve and offers 140-bit security. Koblitz curves offer fast point multiplications if the scalars are given as specific $\tau$-adic expansions, which results in a need for conversions between integers and $\tau$-adic expansions. We propose the first lightweight variant of the conversion algorithm and, by using it, introduce the first lightweight implementation of Koblitz curves that includes the scalar conversion. We also include countermeasures against side-channel attacks making the coprocessor the first lightweight coprocessor for Koblitz curves that includes a set of countermeasures against timing attacks, SPA, DPA and safe-error fault attacks. When the coprocessor is synthesized for 130 nm CMOS, it has an area of only 4,323 GE. When clocked at 16 MHz, it computes one 283-bit point multiplication in 98 ms with a power consumption of 97.70 $\mu$W, thus, consuming 9.56 $\mu$J of energy.

Available format(s)
Publication info
A minor revision of an IACR publication in CHES 2015
elliptic curve cryptosystemimplementationpublic-key cryptographysmart cards
Contact author(s)
kimmo jarvinen @ esat kuleuven be
2015-06-15: received
Short URL
Creative Commons Attribution


      author = {Sujoy Sinha Roy and Kimmo Järvinen and Ingrid Verbauwhede},
      title = {Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates},
      howpublished = {Cryptology ePrint Archive, Paper 2015/556},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.