High-speed implementation of an ECC-based wireless authentication protocol on an ARM microprocessor M.Aydos, T.Yanik and C.K.KOG Abstract: The results of the implementation of elliptic curve cryptography (ECC) over the field G@) on an 80MHz, 32-bit ARM microprocessor are presented. A practical software library has been produced which supports variable length implementation of the elliptic curve digital signature algorithm (ECDSA). The ECDSA and a recently proposed ECC-based wireless authentication protocol are implemented using the library. Timing results show that the 160-bit ECDSA signature generation and verification operations take around 46ms and 94ms, respectively. With these timings, the execution of the ECC-based wireless authentication protocol takes around 140ms on the ARM7TDMI processor, which is a widely used, low-power core processor for wireless applications. ,./ 1 Introduction The rapid progress in wireless communication systems, personal communication systems, and smartcard technolo- gies has brought new opportunities and challenges to be met by engineers and researchers worlung on the security aspects of the new communication technologies. Public-key cryptography offers robust solutions to many of the exist- ing problems in communication systems, although excessive computational demands (on-line memory, code size and speed) have made the use of public-key cryptography limited, particularly on wireless communication systems. The implementation of public-key cryptography on server and client platfomis rarely leads to problems, due to the availability of high-speed processors and extensive memory space. However, in restricted hardware environments with limited computational power and small memory, e.g. smartcards and cellular phones, we meet more challenges. The integration of the public-key cryptographic techniques is often delayed or completely ruled out due to the difi- culty of obtaining efficient, reliable solutions. It is obvious that we need: Public-key cryptographic systems with higher strength per key bit. Efficient, platform-specific, and optimised implementa- tions for a given restricted environment. The benefits of the ‘higher strength per key bit’ include higher speeds, lower power consumption, smaller band- width requirements and smaller certificate sizes. These advantages are particularly beneficial in applications where the bandwidth, computational strength, power availability, or storage are hghly constrained. Elliptic curve cryptography [l-31 offers secure and effi- cient solutions for the new communication technologies. It 0 IEE, 2001 IEE Proceedings online no. 2001051 I DOL 10.1049/ipm:20010511 Paper fmt received 5th May 2000 and in revised form 10th May 2001 The authorj are with the Electrical and Computer Engineering Department, Oregon State University, Owen Hall 220, Cowallis, Oregon 97331, USA requires fewer bits than the RSA for a sdar amount of security. For example, 1024-bit RSA seems to be equivalent to 139-bit ECC, since it requires approximately the same amount of computational power to break [4]. While the ECC provides shorter key sizes, the time and code size requirements may still be excessive. Thus, efficient and opti- mised implementations are required for the restricted plat- forms found in wireless communication. Certicom’s SigGen smartcard [5] is a good example of an ECC software implementation on a restricted platform. It is a prototype smartcard with an 8-bit microprocessor that generates digital signatures using a conventional core from Motorola (68SC28). Developed in cooperation with Schlumberger, Siggen combines the Multifiex card technol- ogy with the Certicom Elliptic Curve Engine based on the field GF(29, and provides fast public-key operations. This card demonstrates that effective digital signature applica- tions can be implemented on standard processors. The digital signatures are generated in less than 600ms while using only 90 bytes of RAM. It has been implemented in less than 4K code. SigGen is ideally suited for applications requiring end-user identification and strong authentication. Another interesting implementation of the ECC over the field G@) on a 16-bit micro-computer was introduced in [6]. A practical cryptographic library has been designed, which supports the elliptic curve arithmetic operations, the digital signature generation and verification, and the secure hash algorithm SHA-1. Their target processor was Mitsubishi’s 10 MHz, 16-bit microcomputer M16C, whch has been used in various applications in mobile telecommu- nication systems, e.g. cellular phones, pagers, etc. They designed two independent integer arithmetic modules: one for executing the modular arithmetic operations with respect to a fixed prime p, and the other for general integer routines which accept any positive integers with arbitrary length for wider applicability. Their goal here was to support not only the ECC but also the RSA. They have reported a speed of 150ms for generating a 160-bit ECDSA signature, and 630ms for verifying the signature. The total code size was 4 kbyte, including the SHA-1. There are much faster implementations of the ECC [7], although these implementations are obtained on high-end microproc- essors. IEE ProcCommun., Vol. 148, No. 5, October 2001 273 Authorized licensed use limited to: Univ of Calif Berkeley. Downloaded on December 14, 2009 at 16:46 from IEEE Xplore. Restrictions apply.Our goal is to design a high-speed and scalable cqpto- graphic library suitable for implementation on low-power microprocessors and digital signal processors. The library supports the ECDSA signature generation and verification and also contains SHA and DES algorithms, which are necessary for the implementation of the wireless authentica- tion protocols. In this paper, we report the implementation results of the wireless authentication protocol described in [SI. We implemented the protocol on the SOMHz, 32-bit ARM7TDMI microprocessor using the ARM software development toolkit. The ARM7TDMI is a commonly used low-power processor for wireless communication plat- forms; for example, see [9, 101 and the web locations: http://www.dspg.com/prodtech/core/article/18.htm http://www.lucent.co"icro/NEWSPRESS 1999/