由於科技的進步，網路的資料傳輸量已經大大提高，不論是金錢交易或訊息傳遞都與網路息息相關。為了使我們的資料不被有心人士利用，必須要有一套系統來保護資料避免外洩，因此更加突顯密碼學的重要性。在非對稱式密碼系統中，橢圓曲線密碼系統(Elliptic Curve Cryptosystem, ECC)擁有金鑰長度較短的優勢，且加解密速度快，更適合在體積小的電子裝置上實現，近年來ECC已經有逐漸取代RSA的趨勢。
ECC中最核心的概念為所有有限場的算術都是圍繞在點乘運算下進行，也就是點跟點之間的運算，且ECC的運算又可分為質數域與二元域，本論文則是以二元域作為主要的研究方向。我們採用射影座標下的蒙哥馬利點乘演算法作為主要架構，並使用高基數蒙哥馬利模數乘法器進行二元域乘法運算。蒙哥馬利模數乘法器使用加法及位移來達到模數乘法運算，在硬體上較容易實現，面積也較小，可達到低成本的目標。二元域倒數運算則是採用蒙哥馬利倒數器，其原理也是利用簡單的加法及位移來實現，雖然執行時間較長，但是倒數在整體點乘運算只需要做一次，因此並不會對效能造成太大的影響，且可與其他運算器共用暫存器以進一步減少面積。
本論文將一個算術單元(Arithmetic Unit, AU)定義為一個加法器及一個乘法器，倒數器則與乘法器共用暫存器，並以不同個數的算術單元搭配不同基數之乘法器進行點乘運算的模擬，實作結果顯示2AU搭配Radix-2^4模數乘法器的面積最小，與相關文獻相比降低約23%，時脈週期數也減少約26%。

Since the technology has developed rapidly, the amount of data transmitted on the Internet has greatly increased. Whether money transactions or message transmission is closely related to the Internet. To protect our data from people with bad intentions, a system is required to deal with this problem. So the cryptography is essential. In asymmetric cryptosystem, the Elliptic Curve Cryptosystem (ECC) has the advantages of shorter key length and faster encryption/decryption speed. It is more suitable for being implemented on small electronic devices.
The core operation in ECC is called point multiplication, which is calculation between point and point on curve. The operation of ECC can be divided into two parts, prime field and binary field. This thesis focuses on binary field. We use the Montgomery point multiplication algorithm under projective coordinate as the main architecture, and the high-radix Montgomery modular multiplier for multiplication operation in binary field. The Montgomery algorithm is based on addition and shifting to achieve modulo multiplication, which is easier to be implemented on hardware. It can also achieve the low-cost design because of the smaller area. We adopt the Montgomery Inversion for the inverse operation in binary field. It also uses the simple addition and shifting to implement the operation on hardware. Although its execution time is longer, the inverse operation is only needed once in overall point multiplication. So it does not have much influence on performance. The registers can be shared with other arithmetic units to further reduce the area.
In this thesis, we define an Arithmetic Unit (AU) as a binary adder and a modular multiplier. The inversion operator will share the registers with the multiplier. We simulate the point multiplication operation with different number of AUs and high-radix modular multipliers. The results show that the 2AU architecture with radix-2^4 modular multiplier has the smallest area. Compared with previous designs, the area is reduced about 23% and the number of cycles is also reduced by about 26%.

論文審定書 i
誌謝 ii
論文提要 iii
中文摘要 iv
Abstract v
目錄 vii
圖目錄 x
表目錄 xii
第一章 緒論 1
1.1 研究動機 1
1.2 論文大綱 2
第二章 研究背景 3
2.1 密碼系統簡介 3
2.2 橢圓曲線密碼系統介紹 4
2.2.1 橢圓曲線數學背景 5
2.2.2 二元域之仿射座標系統 7
2.2.3 射影(Projective Coordinate)座標系統介紹 8
2.3 純量點乘演算法 11
2.4 橢圓曲線密碼系統運作原理 13
2.5 橢圓曲線密碼系統之架構 14
第三章 二元域模數算術與硬體實現 15
3.1 有限場二元域加法運算 15
3.1.1 多項式加法運算 15
3.1.2 加法硬體架構 16
3.1.3 雙場域加法器之硬體架構 17
3.2 有限場二元域乘法運算 18
3.2.1 多項式乘法運算 18
3.2.2 蒙哥馬利乘法模數演算法 19
3.2.3 傳統高基數蒙哥馬利演算法 21
3.2.4 二元域改良高基數蒙哥馬利演算法 22
3.2.5 高基數蒙哥馬利模數乘法器硬體架構 24
3.3 有限場二元域倒數運算 26
3.3.1 多項式倒數運算 26
3.3.2 蒙哥馬利倒數演算法 27
3.3.3 二元域蒙哥馬利倒數演算法 29
3.3.4 倒數器硬體架構與實現 31
第四章 提出的演算法與硬體架構設計 33
4.1 蒙哥馬利點乘演算法 33
4.2 算術單元排程與分析 35
4.3 蒙哥馬利點乘演算法硬體架構 39
4.3.1 3AU硬體架構 40
4.3.2 2AU硬體架構 43
4.4 Transform演算法與硬體架構 47
4.5 倒數運算共用暫存器設計 51
第五章 硬體驗證與實驗數據 52
5.1 驗證方式 52
5.2 實驗數據 54
第六章 未來展望 59
6.1 結論 59
6.2 未來研究方向 59
參考文獻 60

[1] A. Lenstra, and E. Verheul, “Selecting Cryptographic Key Sizes,” Journal of Cryptology, Vol. 14, No. 4, pp. 255-293, 2001.
[2] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid, “Recommendation for Key Management–Part 1:
General(Revised), ” NIST Special Publication 800-57 Part 1, March 2007.
[3] National Bureau of Standards, Data Encryption Standard, U.S. Departmant of Commerce, FIPS pub. 46, Junuary 1977.
[4] American National Standards Institute, Triple Data Encryption Algorithm Modes of Operation, X9.52 (Working Draft), 1998.
[5] J. Daemen, and V. Rijmen, “The Design of Rijndael : AES–The Advanced Encryption Standard,” Springer-Verlag, 2002.
[6] R. L. Revest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Commun.ACM,
Vol. 21, No. 2, pp. 120-126, Feb. 1978.
[7] N. Koblitz, “Elliptic curve cryptosystems, ” Mathematics of Computation, Vol. 48, No. 177, pp. 203-209, 1987.
[8] V. Miller, “Use of Elliptic Curves in Cryptography,” in Advances in Cryptography-Crypto ’85, LNCS, Vol. 218, pp. 417-426, 1986.
[9] S. Sutikno, A. Surya, and R. Effendi, “An implementation of ElGamal Elliptic Curves Cryptosystems,” Proc. 1998 IEEE Asia-Pacific
Conf. Circuits and Systems , pp.483-486, Nov. 1998.
[10] J. H. Silverman, and J. Tate,“Rational Points on Elliptic Curves. Undergraduate Texts in Mathematics,”Springer-Verlag, New York,
1992.
[11] D. Hankerson, A. Menezes, and S. Vanstone, “Guide to Elliptic Curve Cryptography”, Springer-Verlag New York, Inc., Secaucus,
NJ, USA, 2003.
[12] Qingwei Li, Zhongfeng Wang, and Xingcheng Liu, “Fast point operation architecture for Elliptic Curve Cryptography”, IEEE Asia
Pacific Conference on Circuits and Systems, pp. 184-188, 2008.
[13] J.-H. Hong, and W.-C. Wu, “The design of high performance elliptic curve cryptographic”, in Proc. IEEE Int. Midwest Symp.
Circuits Syst., pp.527-530, Aug. 2009.
[14] W. Diffie, and M.E. Hellman, “New Directions in Cryptography,” IEEE Trans. Information Theory, Vol. 22, pp. 644-654, 1976.
[15] P. L. Montgomery, “Modular Multiplication without Trial Division,” Math. Computing, Vol. 44, No. 170, pp. 519-521, Apr. 1985.
[16] P. Kornerup, “High-Radix Modular Multiplication for Cryptosystems,” Proc. 11th IEEE Symp. Computer Arithmetic, pp. 277-283,
Jun 1993.
[17] H. Orup, “ Simplifying Quotient Determination in High-Radix Modular Multiplication, ” Proc. 12th IEEE Symp. Computer Arithmetic,
pp. 193-199, Jul. 1995.
[18] H. Brunner, A. Curiger, and M. Hofstetter, “On computing multiplicative inverses in GF(2m)” , IEEE Transactions on Computers,
Vol. 42, No.8, pp. 1010-1015, Aug. 1993.
[19] M. Schmalisch, and D.Timmermann, “A reconfigurable arithmetic logic unit for elliptic curve cryptosystems over GF (2m)”, in
Proc. 46th IEEE Midwest Symp. on Circuits and Systems, Vol. 2, pp 831–834. 2004.
[20] S. Moon, J. Park, and Y. Lee, “Fast VLSI Arithmetic Algorithms for High-Security Elliptic Curve Cryptographic Applications,” IEEE
Trans. Consumer Electron., Vol. 47, No. 3, pp. 700-708, Aug. 2001.
[21] T. Itoh , and S. Tsujii, “A fast algorithm for computing multiplicative inverses in
GF(2m) using normal bases,” Inform. and Comput., Vol.78, No. 3, pp 171–177,1988.
[22] B. S. Kaliski Jr., “The Montgomery inverse and its applications,” IEEE Trans. Comput., Vol. 44, No. 8, pp. 1064–1065, Aug. 1995.
[23] J.-Y. Lai and C.-T. Huang, “A highly efficient cipher processor for dual-field elliptic curve cryptography,” IEEE Trans. Circuits Syst.
II, Exp. Briefs, Vol. 56, No. 5, pp. 394–398, May 2009.
[24] J. L´opez and R. Dahab, “Fast Multiplication on Elliptic Curves over GF(2m) without Precomputation,” Cryptographic Hardware
and Embedded Systems – CHES ’99, Vol.1717 of LNCS, pp. 316-327, Aug. 1999.
[25] P. L. Montgomery, “Speeding the Pollard and Elliptic Curve Methods of Factorization,” Mathematics of Computation, Vol. 48, No.
177, pp. 243-264, January 1987.
[26] G. Orlando , and C. Paar, “A High-Performance Reconfigurable Elliptic Curve Processor for GF(2m),” Cryptographic Hardware
and Embedded Systems – CHES 2000. Springer-Verlag , LNCS 1965, pp. 44-56, 2000.
[27] O. Arazi and H. Qi, “On Calculating Multiplicative Inverses Modulo 2m,” IEEE Transactions on Computers, Vol. 57, No. 10, pp.
1435-1438, October 2008.
[28] E. Al-Daoud, R. Mahmod, M. Rushdan, and A. Kilicman, “A new addition formula for elliptic curves over GF(2n),” IEEE Trans. on
Computers, Vol. 51, pp.972–975, Aug 2002.
[29] 徐偉強, “運用於橢圓曲線加解密系統之高速純量乘法運算架構,” 國立中山大學, 碩士論文, 2011.
[30] 廖苡竹, “運用於橢圓曲線密碼系統之高效能蒙哥馬利點乘演算法硬體架構, ”國立中山大學, 碩士論文, 2013.
[31] 陳冠華, “低成本可調式高基數字組式蒙哥馬利模數乘法器設計, ” 國立中山大學, 碩士論文, 2017.
[32] 李柏翰, “快速RSA加解密系統之低成本模指數架構, ” 國立中山大學, 碩士論文, 2017.
[33] 盧冠州, 李程輝, “橢圓曲線密碼系統於有限場GF(p)和GF(2^m)之硬體實現 ” 國立交通大學, 碩士論文, 2003.
[34] J.-W. Lee, S.-C. Chung, H.-C. Chang, and C.-Y. Lee, “Efficient Power-Analysis-Resistant Dual-Field Elliptic Curve Cryptographic
Processor Using Heterogeneous Dual-Processing-Element Architecture,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., Vol.
22, No. 1, pp. 49-61, Jan. 2014.
[35] J.-Y. Lai, and C.-T. Huang, “Energy-Adaptive Dual-Field Processor for High-Performance Elliptic Curve Cryptographic
Applications,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., Vol. 19, No. 8, pp. 1512-1517, Aug. 2011.
[36] K. Sakiyama, L. Batina, B. Preneel, and I. Verbauwhede, “Multi-core curve-based cryptoprocessor with reconfiguarable modular
arithmetic logic units over GF(2^n),” IEEE Trans. Computers, Vol. 56, No. 9, pp. 1269–1282, Sep. 2007.
[37] Z. Liu, D. Liu, and X. Zou, “An Efficient and Flexible Hardware Implementation of the Dual-Field Elliptic Curve Cryptographic
Processor,” IEEE Trans. Ind. Electron., Vol. 39, No. 3, pp. 2353-2362, Mar. 2017.
[38] Kimmo Järvinen, Juha Forsten, and Jorma Skyttä, “Efficient Circuitry for Computing τ-adic Non-Adjacent Form,” IEEE
International Conference on Electronics, Circuits and Systems, pp. 232-235, Dec. 2006.
[39] 陳冠穎,“高效能雙場域之高基數蒙哥馬利模數乘法器, ” 國立中山大學, 碩士論文, 2018.