Title page for etd-0728111-165403
Title
High Speed Scalar Multiplication Architecture for Elliptic Curve Cryptosystem
Department
Year, semester
Language
Degree
Number of pages
68
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2011-07-22
Date of Submission
2011-07-28
Keywords
Elliptic Curve Cryptosystem, Polynomial Basis, Irreducible Polynomial, Montgomery Scalar Multiplication, Finite Field
Statistics
The thesis/dissertation has been browsed 5748 times, has been downloaded 989 times.
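Chinese Abstract
Among public-key cryptosystems, the elliptic curve cryptosystem has the advantage of a shorter bit length: a length of 160 bits or more is enough to reach adequate security strength, so it has become a very popular encryption and decryption method in recent years. Scalar multiplication, also called point multiplication, is the core operation of the elliptic curve cryptosystem.
This thesis proposes two versions, in which the irreducible polynomial is a trinomial in GF(2^167) and a pentanomial in GF(2^163), and uses the Montgomery Point Multiplication Algorithm in projective coordinates as the main architecture for point multiplication. We use the polynomial basis representation for finite field arithmetic. The binary field multiplier, squarer and adder used in the computation each complete their operation within one clock cycle, and the critical path of the computation lies on the multiplication. For binary field inversion, this thesis adopts the Itoh-Tsujii algorithm combined with an addition chain, completing the inversion through repeated multiplication and squaring operations.
Because the point addition (Add) and point doubling (Double) operations in point multiplication must be computed repeatedly, modifying their architecture and raising their performance improves the overall execution performance. In this thesis, we use two methods to raise the performance of point multiplication. The first is the Minus Cycle version, which reschedules the point addition and point doubling operations of the point multiplication algorithm to eliminate the clock cycle of the final addition operation. When the critical path lies on a multiplication that is much longer than the addition and squaring operations, this architecture effectively reduces the execution time. The second is the Pipeline version, which partitions the multiplier in the circuit into pipeline stages to reduce the time required by the critical path.
For the hardware implementation, all modules use a hierarchical design and are realized in the TSMC 0.13 µm process provided by CIC. The implementation results show that the chip area of the proposed 167-bit architecture, which can execute a complete point multiplication, is 156.4K gates, the scalar multiplication time is 2.34 µs, and the maximum performance reaches 591.7 MHz. Finally, the area multiplied by time (the AT product) is compared with the related literature at different bit lengths. The results show that the 167-bit Minus Cycle version is the best version, saving about 38% of the AT product compared with the traditional 167-bit point multiplication architecture.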
Abstract
An important advantage of the Elliptic Curve Cryptosystem (ECC) among public key cryptographic systems is its shorter key length. It can provide adequate security when the bit length is over 160 bits, and it has therefore become a popular system in recent years. Scalar multiplication, also called point multiplication, is the core operation in ECC. In this thesis, we propose ECC architectures for two different irreducible polynomial versions: a trinomial in GF(2^167) and a pentanomial in GF(2^163). These architectures are based on Montgomery point multiplication in projective coordinates. We use the polynomial basis representation for finite field arithmetic. All adopted multiplication, square and add operations over the binary field can be completed within one clock cycle, and the critical path lies on multiplication. In addition, we use the Itoh-Tsujii algorithm combined with an addition chain to execute binary inversion through iterative binary square and multiplication operations.
Because the double and add operations in point multiplication need to run for many iterations, the execution time of the overall design will decrease if we can improve this part. We propose two ways to improve the performance of point multiplication. The first is the Minus Cycle Version, in which we reschedule the double and add operations of the point multiplication algorithm. When the clock cycle time (i.e., critical path) of multiplication is longer than that of add and square, this method is useful in improving performance. The second is the Pipeline Version, which speeds up the multiplication operations by executing them in a pipeline, leading to a shorter clock cycle time.
For the hardware implementation, the TSMC 0.13 µm library is employed and all modules are organized in a hierarchical structure. The implementation results show that the proposed 167-bit Minus Cycle Version requires 156.4K gates, the execution time of point multiplication is 2.34 µs, and the maximum speed is 591.7 MHz. Moreover, we compare the Area x Time (AT) value of the proposed architectures with other related work. The results show that the proposed 167-bit Minus Cycle Version is the best one, saving up to 38% of the AT value compared with the traditional one.
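Table of Contents
Thesis Approval Form
Thesis Summary
Acknowledgements
Chinese Abstract
Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Motivation
1.2 Thesis Outline
Chapter 2 Research Background
2.1 Introduction to Cryptosystems
2.2 Elliptic Curve Cryptosystem
2.3 Mathematical Background of Elliptic Curves
2.3.1 Arithmetic Rules over Prime Fields
2.3.2 Arithmetic Rules over Binary Fields
2.4 Elliptic Curve Encryption and Decryption Methods
2.5 Basic Introduction to Binary Field Bases
Chapter 3 Elliptic Curve Operations and Algorithms
3.1 Overall Architecture of Elliptic Curves
3.2 Binary Field Arithmetic
3.2.1 Binary Field Addition
3.2.2 Binary Field Multiplication
3.2.3 Binary Field Squaring
3.2.4 Binary Field Inversion
3.3 Elliptic Curve Point Multiplication Architecture
3.3.1 Basic Introduction to Point Multiplication Algorithms
3.3.2 Projective Coordinate Architecture
3.3.3 Montgomery Scalar Multiplication
Chapter 4 Hardware Design and Implementation
4.1 Bit Length and Parameter Selection
4.2 Hardware Implementation of Binary Field Arithmetic
4.2.1 Hardware Implementation of the Binary Field Adder
4.2.2 Hardware Implementation of the Binary Field Multiplier
4.2.3 Hardware Implementation of the Binary Field Squarer
4.2.4 Hardware Implementation of the Binary Field Inverter
4.3 Hardware Implementation and Improvement of the Montgomery Scalar Multiplier
4.3.1 Architecture Analysis of the Traditional Version
4.3.2 Architecture Analysis of the Minus Cycle Version
4.3.3 Architecture Analysis of the 2-Stage Pipeline Version
4.3.4 Architecture Analysis of the 3-Stage Pipeline Version
4.4 Hardware Implementation Capable of Complete Point Multiplication
Chapter 5 Hardware Verification and Experimental Data
5.1 Verification Method
5.2 Comparison of Experimental Data with Related Work
Chapter 6 Conclusions and Future Research Directions
6.1 Conclusions
6.2 Future Research Directions
References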
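Fulltext
This electronic full text is licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research. Please observe the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as not to violate the law.
Thesis access permission: user-defined release time
Available:
Campus: available
Off-campus: available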


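Printed copies
Public information on printed theses is relatively complete from academic year 102 onward. To look up public information on printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available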
