Eclipses

Recent years have witnessed the emergence of public-key cryptography based on elliptic curves, as an alternative to the well-known RSA cryptosystem. Elliptic-Curve Cryptography (ECC) supports public-key encryption (Elliptic Curve ElGamal), digital signatures (ECDSA), key establishment protocols (EC Diffie-Hellman), etc. and has been normalized through a series of industrial standards. Secure applications which require a high level of security do not consider RSA as an acceptable cryptosystem any longer, mainly due to the lack of performance that hardware and software implementations present with respect to large keys (2048-bit RSA is equivalent to elliptic curves based on 384-bit prime fields), as illustrated by NIST’s recent Suite B (announced in 2005) which completely excludes RSA. Adopted by the National Security Agency (NSA) for government communications, ECC provides the most security per bit of any known public-key scheme. The growing need for ECC, wherein keys and signatures are much shorter, is a natural technological trend opening the way to faster public-key implementations and is intended to compensate the announced obsolescence of RSA. Furthermore, the recent appearance of bilinear maps (aka pairings, a primitive elliptic-curve operation with no RSA equivalent) in cryptography and their increasing popularity (see below) confirms the inherent superiority and versatility of elliptic curves as the natural mathematical ground and foundation for cryptographic applications in near to long-term future.

Secure embedded systems, however, continue to heavily rely on RSA-dedicated cryptoprocessors by taking advantage of the hardware-based modular arithmetic operations they provide to support ECC on prime fields when necessary. Although this may lead to seemingly acceptable implementations, this is inappropriate for a number of reasons:

1. RSA-dedicated coprocessors work on very large operands (much larger than what elliptic curve operations actually require), thereby leading to a dramatic waste of specific memory, logic gates, surface and power consumption,
2. All types of curves are not supported, typically curves defined over binary fields,
3. Operations on the curve, typically point addition, doubling or halving, etc. are necessarily coded in software based on native operations, thus wasting execution time and code size, whereas the cryptoprocessor could advantageously be redesigned to natively support these operations
4. Implementations of pairings (such as IBCS#1 based on the Tate pairing) yield unacceptably poor performances on embedded systems.

OBJECTIVES AND EXPECTED OUTCOMES

ECLIPSES is meant to address all these limitations by providing a groundbreaking design for an elliptic-curve hardware coprocessor which exactly fits the computational needs of ECC-based cryptosystems: basic point operations, scalar multiplication and hardware-supported pairing computations on the widest range of elliptic curves. The ECLIPSES cryptoprocessor shall inherently and transparently resist the most advanced techniques of side-channel analysis and fault-based attacks while reaching unprecedented throughputs with a minimal number of gates, thus opening the way to a new generation of ECC-supporting cryptographic platforms and promoting (the switch from RSA to) a wide adoption of Elliptic Curve Cryptography on the security marketplace.

ECLIPSES requires strong theoretical investigations and targets the development of an experimental prototype but overall remains essentially oriented towards industrial research.