Performance of HECC Coprocessors Using Inversion-Free Formulae

The HyperElliptic Curve Cryptosystem (HECC) was quite extensively studied during the recent years. In the open literature one can find results on how to improve the group operations of HECC as well as teh implementations for various types of processors. There have also been some efforts to implement HECC on hardware devices, like for instance FPGAs. Only one of these works, however, deals with the inversion-free formulae to compute the group operations of HECC.

We present inversion-free group operations for the HEC

y

2

+

xy

=

x

5

+

f

1

x

+

f

0

and we target characteristic-two fields. The reason is that of allowing a fair comparison with hardware architectures using the affine case presented in [BBWP04]. In the main part of the paper we use these results to investigate various hardware architectures for a HECC VLSI coprocessor. If area constraints are not considered, scalar multiplication can be performed in 19,769 clock cycles using three field multipliers (of type

D

= 32), one field adder and one field squarer, where

D

indicates the digit-size of the multiplier. However, the optimal solution in terms of latency and area uses two multipliers (of type

D

= 4), one addition and one squaring. The main finding of the present contribution is that coprocessors based on the inversion-free formulae should be preferred compared to those using group operations containing inversion. This holds despite the fact that one field inversion in the affine HECC group operation is traded by up to 24 field multiplications in the inversion-free case.