## Cryptology ePrint Archive: Report 2015/556

Lightweight Coprocessor for Koblitz Curves: 283-bit ECC Including Scalar Conversion with only 4300 Gates

Sujoy Sinha Roy and Kimmo Järvinen and Ingrid Verbauwhede

Abstract: We propose a lightweight coprocessor for 16-bit microcontrollers that implements high security elliptic curve cryptography. It uses a 283-bit Koblitz curve and offers 140-bit security. Koblitz curves offer fast point multiplications if the scalars are given as specific $\tau$-adic expansions, which results in a need for conversions between integers and $\tau$-adic expansions. We propose the first lightweight variant of the conversion algorithm and, by using it, introduce the first lightweight implementation of Koblitz curves that includes the scalar conversion. We also include countermeasures against side-channel attacks making the coprocessor the first lightweight coprocessor for Koblitz curves that includes a set of countermeasures against timing attacks, SPA, DPA and safe-error fault attacks. When the coprocessor is synthesized for 130 nm CMOS, it has an area of only 4,323 GE. When clocked at 16 MHz, it computes one 283-bit point multiplication in 98 ms with a power consumption of 97.70 $\mu$W, thus, consuming 9.56 $\mu$J of energy.

Category / Keywords: implementation / elliptic curve cryptosystem, implementation, public-key cryptography, smart cards

Original Publication (with minor differences): IACR-CHES-2015