FACTA UNIVERSITATIS Series: Electronics and Energetics Vol. 32, N o 1, March 2019, pp. 129-145 https://doi.org/10.2298/FUEE1901129V FPGA IMPLEMENTATION OF MODIFIED ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM Kamalakannan Venkataraman, Tamilselvan Sadasivam Department of Electronics and Communication Engineering, Pondicherry Engineering College, Pillaichavady, Puducherry, India Abstract. With rapid deployment of Internet-of-Things (IoT) devices, security issues related to data transmitted between the devices increases. Thus the integrity of perceptual layer devices is of utmost importance to secure the information being transmitted between the devices. In a secured information system, digital signature generation and verification processes are entirely different from data encryption and decryption processes. Digital signatures are rapidly emerging due to the problems related to data integrity thus playing a crucial role in the authentication process by enabling the sender to attach a signature to the encrypted message. Based on the devices it is beneficial to select an algorithm showing favorable behavior, therefore Keccak-f [1600] algorithm is best suited for devices having area and cost constraints. In this paper, implementation of the original Elliptic Curve Digital Signature Algorithm and its variants are considered and evaluated in terms of the security level and computational cost. Here the modified ECDSA scheme concepts related to signature generation and verification are similar to the original ECDSA scheme. The computational cost of the Modified ECDSA is reduced by removing inverse operation in key generation and signing phase, also problems related to signature being forged are resolved using hidden generator point concept. Hence the Modified ECDSA is more secure with less computational cost when implemented on FPGA using Verilog HDL. Therefore, this algorithm can be applied for the devices being connected in perceptual layer of the IoT. Key words: Internet of Things, Elliptic Curve Cryptography, Elliptic Curve Digital Signature Algorithm, Secured Hash Algorithm, Keccak 1. INTRODUCTION The Internet of Things (IoT) represents a network of independent devices interconnected globally. In the IoT enormous amounts of information have to be communicated, stored, processed and analyzed securely. Securing these pieces of information is one of the fundamental challenges in the IoT. Many IoT products consist of inexpensive components Received June 20, 2018; received in revised form September 26, 2018 Corresponding author: Kamalakannan Venkataraman Department of Electronics and Communication Engineering, Pondicherry Engineering College, Pillaichavady, Puducherry, India (e-mail: vkamalakannan@pec.edu) 130 V. KAMALAKANNAN, S. TAMILSELVAN with limited memory and computational resources. Such devices might be unable to support the computationally intense cryptographic functions of asymmetrical cryptography. If designers considered the privacy implications of unencrypted data, they have limited options for encryption because of this hardware platform. Therefore the designers have to create their own security protocols. As it is known cryptography is the branch of cryptology dealing with the design of algorithms for encryption and decryption, intended to ensure the secrecy and/or authenticity of message [1]. In 1985 Neal Koblitz and Victor S. suggested that the public key cryptography relates to the algebraic structure of Elliptic Curve (EC) over finite fields. The Digital Signature Algorithm (DSA) was proposed in August 1991 by the U.S. National Institute of Standards and Technology (NIST) and was specified in a U.S. Government Federal Information Processing Standard (FIPS) 186 called the Digital Signature Standard (DSS). In 1992 Scott Vanstone proposed Elliptic Curve Digital Signature Algorithm (ECDSA) because NIST requested public comment related to DSS proposal. In 1998 it was accepted as ISO 14888-3 standard by International Standards Organization (ISO) and in 1999 it was accepted as ANSI X9.62 standard by American National Standard Institute (ANSI). In 2000 it was accepted as IEEE 1363-2000 standard by Institute of Electrical and Electronics Engineers (IEEE) and FIPS 186-2 standard by Federal Information Processing Standards (FIPS). Elliptic Curve Cryptography (ECC) is a public cryptography that has a mathematical advantage when compared to Rivest Shamir Adleman (RSA) as it requires full exponential time for solving Elliptic Curve Discrete Logarithmic Problem (ECDLP). The ECDLP is distributed over points on the Elliptic Curve (EC). A digital signature is generally an authentication process that enables the sender to attach a signature to a message, thus comprises of digital signature generation and digital signature verification processes [2]. The integrity of the message is guaranteed because the digital signatures detects and stops unauthorized users from modifying the data and also authenticates the identity of the signatory. Generally, the ECDSA is an Elliptic Curve variant of the DSA and it gives cryptographically strong digital signatures due to ECDLP concept. Here Keccak-f [1600], recognized as a new Secure Hash Algorithm-3, i.e. SHA-3 by NIST is considered in the digital signature generation and the digital signature verification processes [3]. Here the complexity of digital signature generation and digital signature verification is also analyzed to stop the attacker attempting to forge the signature. In this paper the analysis of the original ECDSA and its variants are considered and evaluated in terms of the implementation area, security level and speed of execution. Based on these analysis a modified ECDSA method is designed and implemented on FPGA for IoT devices. This section gives a brief introduction about the paper. Section 2 and section 3 give an overview of Elliptic Curve Cryptography and Secured Hash Algorithm-3 Keccak. Section 4 gives a detailed description of original ECDSA scheme, its security proofs and an attack possible on original ECDSA scheme. Section 5 describes modified ECDSA suitable for signer with limited computation capability and a method to solve forging problem using initialization and authorization stage. Section 6 provides comparison of ECDSA schemes, whereas Section 7 explains implementation and synthesis of ECDSA. The result analysis of ECDSA and its variant are given in section 8 with conclusions drawn in section 9 followed byreferences. FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 131 2. ELLIPTIC CURVE CRYPTOGRAPHY Elliptic Curves have been studied for centuries by mathematicians, therefore have a very rich history. ECC is the foremost choice in public key schemes due to its smaller key size [4], [13]. The key length of ECC is considerably shorter than that of RSA, but it achieves the same level of security of RSA. Generally, EC are of two finite fields; fields of odd characteristic Fp, where p is a large prime number, and fields of characteristic two F2 m , where 2 m is a large binary value. When the distinction is not important, denote both of them as Fq, where n = p or n = 2 m . An EC is the set of solutions (x, y) to Weierstrass equation. An elliptic curve E over a field K is defined by an Eq. (1) as E (K): y 2 + a1xy + a3y = x 3 + a2x 2 + a4x + a6 (1) where the coeffients a1, a2, a3, a4, a6 ∈ K. The curve E is nonsingular or smooth and is an elliptic curve if and only if the discriminant of E, ∆E is nonzero. The Weierstrass equation has been transformed to the elliptic curve called a short Weierstrass curve, where a, b ∈ K. We assume that the characteristic of K ≠ 2, 3 and the discriminant of short Weierstrass curve is given in Eq. (2) as ∆ = − (4a 3 + 27b 2 ) (2) 3. SECURE HASH ALGORITHM-3 Keccak has a different structure when compared to other hash functions. Secure Hash Algorithm-3 Keccak was selected because in 2004 SHA-1 was found to be weak, and the threat was carried to SHA-2 also. Successful attacks have been reported in the algorithms SHA-0 and SHA-1, which generate collisions, which influences the principle of hash functions, which is to ensure the information integrity. The function SHA-2 is currently still safe, but as sharing a similar structure with its predecessor, the SHA-1, becomes suspicious and raises doubts about its safety stimulated the scientific community to search a successor more robust and secure. The sha-3 was focused in the information secure area and was more robust and secure. The Keccak architecture is as shown in the Fig. 1 consisting of pre- processing and the sponge construction [5]. Fig 1 High-level view on Keccak 132 V. KAMALAKANNAN, S. TAMILSELVAN In the pre-processing construction the message is spliced into blocks with necessary padding. In the sponge construction absorbing (or input) phase and squeezing (or output) phases are present as shown in Fig. 2. Fig. 2 Absorbing and squeezing phases of the sponge construction In the absorption phase the block data are applied to the algorithm for processing. In the squeezing phase the processed data is squeezed out based on the configurable length. The function Keccak-f is used in both phases. It reads the input blocks xi, and generates the output blocks yj allowing arbitrary-length outputs y0···yu. The security level of Keccak has to be configured with several parameters related to the input and output sizes. The parameter b to be configured is the width of the state depending on the exponent l i.e., b = r + c = 25(2 l ), where l = 0,1,..,6, having width of b ∈{25,50,100,200,400,800,1600}, r is the bit rate and c is called the capacity. The function Keccak-f referred to as Keccak-f permutation is the main part in hash algorithm and is used in both absorbing phase and squeezing phase. The Keccak-f structure is shown in Fig 3. There are nr rounds in the function, here each round has an input b bits. The parameter l influences the number of rounds specified in Eq. (3) as nr = 12+2l (3) Fig. 3 Internal structure of function Keccak The number of rounds required for the respective state width is provided in Table 1. Any instance of the Keccak sponge function family makes use of one of the seven Keccak-f permutations, denoted Keccak-f[b], where b ϵ {25, 50, 100, 200, 400, 800, 1600} is the width of the permutation. FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 133 Table 1 Number of rounds within Keccak-f State width b [bits] # rounds nr 25 50 100 200 400 800 1600 12 14 16 18 20 22 24 These Keccak-f permutations are iterated constructions consisting of a sequence of almost identical rounds. The number of rounds nr depends on the permutation width, and is given by nr = 12 + 2ℓ, where 2 ℓ = b/25. This gives 24 rounds for Keccak-f [1600]. Thus referring the Table 1 the SHA-3 Keccak repeats 24 rounds, each round consists of five steps in sequence manipulating the entire state  Step 1 - step This function consists of three equations involving simple XOR and bitwise cyclic shift operations. [ ] [ ] [ ] [ ] [ ] [ ] (4) [ ] [ ] ( [ ]) (5) [ ] [ ] [ ] (6) Theta step involves XOR-ing between the input state matrix from Eq. (4) and output lanes obtained from Eq. (5) to generate Eq. (6).  Step 2 - step [ ] [ ]( [ ]) (7) Here steps Rho (ρ) and Pi (π) together calculates a 5x5 array “B”. The operation of Rho (ρ) and Pi (π) take the state array “C” and perform circular rotation on each of the 25 lanes by a fixed number to obtain array “D” in Eq. (7).  Step 3 - step [ ] [ ] ( [ ] [ ]) (8) In this step operation on the lanes, the D array obtained in the previous steps is manipulated and the results are replaced in the state array “S” illustrated in the Eq. (8).  Step 4 - step In the Iota ( step specified in Eq. (9) the XOR operation is performed for RC round constant specific for each of the 24 rounds of Keccak-f[1600] with the lane at location [0, 0] of the new state matrix “S”. [ ] [ ] [ ] (9) 4. ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM In 1992 Scott Vanstone proposed ECDSA because NIST requested public comment related to DSS proposal [6]. In 1998 it was accepted as ISO 14888-3 standard by International Standards Organization (ISO). The ECDSA is an Elliptic Curve variant of 134 V. KAMALAKANNAN, S. TAMILSELVAN the DSA and because of ECDLP generates a cryptographically strong digital signatures. The integrity plays a critical role to safeguard data inside the network as shown in Fig 4. Sender Bob generates a signature to be added with the message before transmission. At the other end receiver Alice verifies the signature, in order to receive the message [7]. Fig. 4 Digital signature process ECDSA has been established as an efficient algorithm against cyberattacks and are characterized by their speed to generate and verify the signature. ECDSA consists of 3 phases: key generation, signature generation and signature verification. These three phases are explained in the following sub-sections. 4.1. ECDSA Key Generation To generate a public and private key sender performs the following steps Step 1: Select a random integer dA ∈ [1, p-1] Step 2: Computes the public key QA = dAG. 4.2. ECDSA Signature Generation Using the sender‟s private key dA and public key QA Step 1: Select an integer K ∈ [1, p − 1] Step 2: Compute h = HASH (M) = SHA-3 (M) Step 3: Calculate KG= (x1, y1) Step 4: Compute r = x1 (mod p), If r = 0, go to step 2 Step 5: Compute s = K -1 (h + dA r) (mod p). If s = 0, go to step 2 The signature pair generated is (r, s) 4.3. ECDSA Signature Verification Using public key QA and sender‟s signature (r, s) Step 1: Verify that r and s ∈ [1, p − 1]. If not, the signature is invalid Step 2: Compute h = HASH (M) = SHA-3 (M) Step 3: Compute w = s -1 (mod p) Step 4: Compute u1 = hw (mod p) and u2 = rw (mod p) Step 5: Compute (x2, y2) = u1G + u2QA Step 6: Compute v = x2(mod p) FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 135 4.4. Proof of ECDSA Scheme Step 1: Compute s = K -1 (h + dA r) mod p on rearranging Step 2: Compute K = s -1 (h + dA r) Step 3: Compute KG = s −1 (h + dA r) G = (x1, y1) Step 4: Compute KG = s −1 hG + s −1 dA r G Step 5: Compute KG = w h G + r w QA where w = s −1 (mod p) and QA = dA G (mod p) Step 6: Compute KG = u1 G + u2 Qs = (x2, y2) where u1 = hw (mod p) and u2 = rw (mod p) Therefore LHS= KG=(x1, y1) and r = x1 (mod p) RHS=u1G + u2QA = (x2, y2) and v= x2(mod p) Hence v=r The signature is valid if v = r valid, invalid otherwise. In this algorithm if the same key K is being used for signing each and every messages, then there is an issue of the secret key being found by the intruder. This is explained in the following example, where the same secret K is applied for two different messages m1 and m2. In this process two signatures (r, s1) and (r, s2) are generated from the Eq. (10) and Eq. (11) as s1 = K −1 (h1 + dA r) (10) s2 = K −1 (h2 + dA r) (11) where h1 = SHA-3 (m1); h2 = SHA-3 (m2) Knowing s1 and s2 it is possible to find the secret key K using the Eq. (12) K = (h1 – h2)/(s1 – s2) (12) From the equation K s1  K s2 = h1 + dA r  h2 – dA r Thus knowing K, r, s and h in the encryption concept, it is possible to find dA by Eq. (13) dA = (Ksh)/r (13) Hence different key should be used for signing different messages, otherwise the private key dA can be sensed by the intruder. The ECDSA is modified to solve the above problem by considering inverse operation only in verification phase. In this method there is no need of inverse operation in the key generation and signing phase there is no need of inverse operation. The scheme processes are discussed in the following sub-sections having the same key pair generation algorithm. 4.5. ECDSA Scheme 2 Signature Generation Using the sender‟s private key dA and public key QA Step 1: Compute h = HASH (M) = SHA-3 (M) Step 2: Select a random integer K from [1, p − 1] Step 3: Compute KG= (x1, y1) Step 4: Compute r = x1 (mod p), If r = 0, go to step 2 Step 5: Compute s = (Kh + (r xor h)dA) G (mod p). If s = 0, go to step 2 The signature pair generated is (r, s) 136 V. KAMALAKANNAN, S. TAMILSELVAN 4.6. ECDSA Scheme 2 Signature Verification Using the sender‟s private key dA and public key QA Using public key QA and sender‟s signature (r, s) Step 1: Verify that r and s are integers in [1, p − 1]. If not, the signature is invalid Step 2: Compute h = HASH (M) = SHA-3 (M) Step 3: Compute w = h −1 (mod p) Step 4: Compute u = (r xor h) (mod p) Step 5: Compute (x2, y2) = w(s – uQA) Step 6: The signature is valid if v = x2 (mod n) = r, invalid otherwise 4.7. Proof of ECDSA Scheme 2 Step 1: Compute s = (Kh + (r xor h)dA) G = (Kh + u dA) G = KhG + udAG Step 2: Compute sw = KhwG + uwdAG Step 3: Compute sw = KG + uwQA where w = h -1 (mod p) and QA = dA G (mod p) Step 4: Compute KG = sw- uwQA = w (s – u Qs) Therefore LHS= KG=(x1, y1) and r = x1 (mod p) RHS= w(s – u QA) = (x2, y2) and v= x2(mod p) Hence v=r In the ECDSA Scheme 2, an intruder can forge the signature by knowing the public parameters (G, n, p, Qs) and transmit the wrong information to the receiver. The receiver receives the signature and verifies the signature to authenticate the sender's signature. This is been explained as follows If an intruder „T‟ is forges the signature by knowing the public parameters (G, n, p, Qs) for a false message „M‟ in the following steps Step 1: For signing a message „M‟ by sender, using private key dA and public key QS = dAG Step 2: Calculate h = HASH (M) = SHA-3 (M) Step 3: Select a random integer KT from [1, p − 1] Step 4: Compute KT G= (xT, yT) Step 5: Calculate rT = xT (mod p), If rT = 0, go to step 2 Step 6: Calculate sT = (KT h + (rT xor h) QS (mod p). If sT = 0, go to step 2 Thus the signature pair (rT, sT) is transmitted with the false message „M‟ The receiver obtains an authenticated copy of sender‟s signature pair with the false message „M‟ and verifys the authenticity of sender‟s signature (rT, sT) using public parameters (G, n, p, Qs) for message „M‟ by performing the following steps: Step 1: Verify that rT and sT are integers in [1, p − 1]. If not, the signature is invalid Step 2: Calculate h = HASH (M) = SHA-3 (M) Step 3: Calculate w = h −1 (mod p) Step 4: Calculate u = (rT xor h)(mod p) Step 5: Calculate (xT, yT) = w(sT –uQS) Step 6: The signature is valid if vT = xT (mod p) = rT, invalid otherwise If the forged signature is validated, then intruder can successfully send false information, hence digital signature schemes are not secure. To solve this drawback public parameters being shared are reduced. FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 137 5. MODIFIED ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM While comparing the original ECDSA and its variants, it is found that original ECDSA is vulnerable to attack if the same key is used for different messages. Scheme 2 is useful for verifier with limited compute apparatus as there is no inverse calculation in key generation and signing phase, but anyone can use legitimate user‟s public-key to forge the signature of any information. Thus in the Modified ECDSA scheme hidden generator point concept is applied to authenticate the encrypted message communicated between the devices connected in the perceptual layer of IoT. The normal ECDSA are configured with the points on the Elliptic Curve, a generator point „G‟ is selected publicly available and distributed over the network by the Certificate Authority (CA) [11]. In this scheme, the requirement of CA makes it difficult to implement security. The information shared by the CA can be breached by the intruders, making the network susceptible to MIM attack [12]. Hence to elucidate this exposure and to secure the network against MIM attacks, maintaining the security for each session of communication between the two nodes without a common generator point is suggested. Therefore a generator point is shared only between the devices being connected to communicate. This concept is implemented in the ECDSA has two stages; initialization stage and authorization stage. 5.1 Initialization Stage Let us consider two nodes represented in Fig. 5 in the WSN. It is assumed that both nodes, i.e. sender and receiver, select their generator points, GS and GR individually apart from the private keys, KS and KR. The inverse of the private keys KS -1 and KR -1 are also computed. Once the inverse of the private keys are computed, the sender generates its public key PSA using the Eq. (14), whereas the receiver generates its public key PRA using the Eq. (15) PSA = KS -1 GS (14) PRA =KR -1 GR (15) Both the public keys PSA and PRA are exchanged between sender and receiver after multiplying it with the inverses of their private keys. The resultant key is transmitted to the receiver as is specified in the Eq. (16), and the resultant key received by the sender is specified in the Eq. (17) PSB = PRAKS -1 = KR -1 GRKS -1 (16) PRB = PSAKR -1 = KS -1 GSKR -1 (17) Fig. 5 Computational process for Generator point 138 V. KAMALAKANNAN, S. TAMILSELVAN These received keys are multiplied again by the sender and the receiver to generate PSC and PRC as specified in Eq. (18) and Eq. (19) PSC=PRBKS=KS -1 GSKR -1 KS =GSKR -1 (18) PRC=PSBKR=KR -1 GRKS -1 KR= GRKS -1 (19) When PSC and PRC received by the individual sender and receiver, they are multiplied with KS and KR to obtain GR and GS. The sender computes the receiver‟s generator point in Eq. (20) as PRC*KS=KS -1 *GR*KS=GR (20) The receiver computes the sender‟s generator in Eq. (21) as PSC*KR=KR -1 *GS*KR=GS (21) These generator points GS and GR are added to generate a common generator points for the sender and receiver given in Eq. (22) as G = GS + GR (22) Hence the sender and receiver exchanges information between them and generated using „G‟ and computing P, 2P….. kP. 5.2 Authorization Stage Let us consider two nodes in the WSN. The public key and the private keys of the transmitter are PS and KS, whereas for receiver it is PR and KR. The key has to be generated by the process shown in Fig. 6 for every session of transmission between the sender and receiver. Thus authorization has to be provided for each transmission. Fig. 6 Computational process for Key Both the public keys PSR and PRS are exchanged after multiplying it with private keys. The key transmitted to the receiver is specified in the Eq. (23), and the key received by the sender is specified in the Eq. (24) FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 139 PSR = PRKS (23) PRS = PSKR (24) The keys of the sender and the receiver are multiplied again to generate KSR and KRS given in Eq. (25) and Eq. (26) as KSR = PSRPRS = PRKS PSKR (25) KRS = PRSPSR = PRKS PSKR (26) When PSR and PRS received by the individuals, the Key KSR and KRS are generated by the sender and receiver individually which are equal, thus commonly referred as Key „K‟ in the implementation of ECDSA. The sender and receiver in the WSN have individual generator points, GS and GR with their unique private keys, KS and KR. After initializing the keys generation process, both devices exchange the generator points GS and GR and generate a common generator point by the initialization process explained in subsection 5.1. Hence the sender and receiver exchange information between them by considering common generator point ‘G’ and computing P, 2P, 3P….. kP. The sensor nodes must securely share a key before encryption. The shared secret key is generated and refreshed between the sender and receiver. The public key of sender and receiver are PS and PR. are exchanged using DHKE process and a key is generated by the method explained in the sub section 5.2. Considering the generator point ‘G’ and key ‘K’, scalar multiplication is performed to compute KG provided in Eq. (27), to be applied for signature generation and signature verification process. ( ) ( ) (27) From the initialization and authorization stage, the values of K and G are known. This scheme processes are discussed in the following steps. 5.3. Modified ECDSA Signature Generation To generates the signature for message M the signer using the values of K and G by performing the following steps: Step 1: Calculate h = HASH (M) = SHA-3 (M) Step 2: Compute KG= (x1, y1) Step 4: Compute r = x1 (mod p) Step 5: Compute s = (K + (r xnor h)) G (mod p). The signature pair thus generated is (r, s). 5.4. Modified ECDSA Signature Verification The verifier verifies the signature using K and G from the initialization and authorization stage for message M by performing the following steps: Step 1: Verify that s is integers in [1, p − 1]. If not, the signature is invalid Step 2: Compute KG= (x1, y1) Step 3: Compute r = x1 (mod p) Step 4: Compute u = (r xnor h) mod (mod p) Step 5: (x2, y2) = (s - uG) Step 6: The signature is valid if v = x2 (mod p) = r, invalid otherwise. 140 V. KAMALAKANNAN, S. TAMILSELVAN 5.5 Proof of Modified ECDSA Scheme Signature send by sender to receiver is (r, s) and s can be generated only by Sender because of its private key. Step 1: Compute s = (K + (r xnor h) G Step 2: Compute s = (K + u) G where u = (r xnor h) Step 3: Compute s = KG + uG Step 4: Compute s - uG = KG = (x2, y2) Therefore LHS = KG = (x1, y1) and r = x1 (mod p) RHS = (s  uG) = (x2, y2) and v = x2(mod p) Hence v=r The improved ECDSA scheme reduces the computational cost while keeping the same security as original ECDSA. They are suitable for the users who have limited computing capacity. 6. COMPARISON OF ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM The original ECDSA and proposed ECDSA are compared and represented in the Table 2. While comparing the original ECDSA and the proposed ECDSA, it is found that the original ECDSA consists of inverse operations in signature generation and signature verification and hence is more complex as needs more point multiplication operation. The improved scheme, the initialization stage and authorization stage are introduced to share the values of K and G between the sender and receiver, thus reducing the computational cost as no inverse operations are required for signature generation and signature verification, while keeping the same security as original ECDSA. Table 2 Comparison of ECDSA variants Algorithm Signature Generation Signature Verification Attack Inverse in Key generation Inverse in Signing Inverse in Verification Original ECDSA S=k − 1 (h + dAr) u1=hs −1 u2=rs −1 u1G + u2QA Vulnerable No Yes Yes Proposed ECDSA s = (K + (r xnor h) G u = (r xnor h) (s - uG) Not Vulnerable No No No 7. IMPLEMENTATION AND SYNTHESIS ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM The original ECDSA signature generation and signature verification was realized in Verilog HDL and simulation was carried out using ISim simulation tool available in XILINX 14.3 for verifying its functional correctness. The RTL block schematic of the ECDSA signature generation is illustrated in Fig. 7 and ECDSA signature verification is illustrated in Fig. 8. FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 141 The ECDSA signature generation and signature verification were synthesized and the device utilization summary, timings summary and memory utilization are tabulated in Table 3. The hardware implementation of ECDSA signature generation was performed on Virtex-5 5XC5VLX50T-1FF1136 FPGA Development board by XILINX to evaluate the area and speed. It was found that the ECDSA signature generation operated at a maximum frequency of 13.180 MHz whereas the ECDSA signature verification operated at a maximum frequency of 13.210 MHz. Fig. 7 RTL Block Schematic of ECDSA signature generation Fig. 8 RTL Block Schematic of ECDSA signature verification 142 V. KAMALAKANNAN, S. TAMILSELVAN Table 3 Synthesis Summary for ECDSA Parameters Signature Generation Signature Verification Slice Registers 6701 6790 Slice LUTs 16370 22734 LUT-FF pairs 4884 4996 Bonded IOBs 226 226 Real Time 2627.00 secs 890.00 secs CPU Time 2626.99 secs 890.19 secs Maximum Frequency 13.180 MHz 13.210 MHZ The modified ECDSA signature generation and signature verification was realized in Verilog HDL and the simulation was carried out using ISim simulation tool in XILINX for verifying its functional correctness. The RTL block schematic of the Modified ECDSA signature generation is illustrated in Fig. 9, and Modified ECDSA signature verification is illustrated in Fig. 10. Fig. 9 RTL Block Schematic of modified ECDSA signature generation Fig. 10 RTL Block Schematic of Modified ECDSA signature verification FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 143 The Modified ECDSA signature generation and signature verification are synthesized and the device utilization summary, timings summary and memory utilization are tabulated in the Table 4. Table 4 Synthesis Summary for modified ECDSA Parameters Signature Generation Signature Verification Slice Registers 198 454 Slice LUTs 7853 16387 LUT-FF pairs 152 346 Bonded IOBs 41 34 Real Time 924.00 secs 910.00 secs CPU Time 923.69 secs 910.09 secs Maximum Frequency 13.469 MHz 13.156 MHz 8. RESULT ANALYSIS OF ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM The ECDSA and its variants are synthesized and analyzed using XILINX tool. The Table 5 and Table 6 illustrate the values obtained after synthesizing Original ECDSA and modified ECDSA Scheme for signature generation and signature verification. Comparison was performed related to maximum frequency and number of Slice LUTs. Table 5 Comparison of Synthesis results of ECDSA Signature Generation Parameters Original ECDSA Proposed ECDSA Number of Slice LUTs 16370 7853 Max. Frequency(MHz) 13.180 13.469 Table 6 Comparison of Synthesis results ECDSA Signature Verification Parameters Original ECDSA Proposed ECDSA Number of Slice LUTs 22734 16387 Max. Frequency(MHz) 13.210 13.156 The outcomes obtained show that the modified ECDSA scheme is better suitable for resource constrained devices. The maximum achievable frequency of 13.469 MHz is achieved for signature generation and maximum achievable frequency of 13.156 MHz is achieved for signature verification on Virtex-5 (XC5VLX50T-1FF1136) FPGA board is better than the existing ECDSA schemes. Based on the design metric such as Frequency (MHz) and Area (Slices/ALUTs), the modified ECDSA outperforms the existing ones in terms of time for execution and Slice LUTs required in FPGA device. 144 V. KAMALAKANNAN, S. TAMILSELVAN 9. CONCLUSION Elliptic Curve Digital Signature Algorithm (ECDSA) is one of the primitives of Elliptic Curve Cryptography (ECC). The SHA-3 algorithms like Keccak provide better security and proves beneficial wherever security constraints have to be achieved. Here a variant of Keccak-f [1600] having five steps (𝜃 step, 𝜌 𝑎𝑛𝑑 𝜋 step, 𝜒 step and 𝜏 step) repeated 24 times were applied to generate hashed output. Generally, Modular Inversion is computed using Montgomery‟s method which consists of a GCD operations. The GCD operation utilizes more number of arithmetical operations. Thus computational cost increases when implemented on FPGA as number of operations increases. From the analysis, it is found that ECDSA is vulnerable to MIM attack when the same key is applied for all messages. At the same time if computational cost is reduced, then there are chances of signature being forged by the intruder. Therefore, the modified ECDSA scheme keeps the mathematical structure of ECDSA and security the same as the original ECDSA scheme, but reduces the computational cost by reducing the inverse operation being applied in the key generation and signing phase. Also this scheme solves the problems related to signature forging due to the available public parameters (G, n, p, QS). These are achieved by using hidden generator concept. Hence this scheme has more security with less computational cost, therefore can be implemented in the perceptual layer devices in IoT i.e., the ECDSA can be applied for securing the information communicated by devices such as WSNs, RFIDs, etc., having limited memory and computational capacity. Since FPGAs are used as end products, the design of ECDSA is fine-tuned for FPGA implementation. The work can be extended by considering advanced FPGAs where parallelism can be exploited in the architecture to reduce the delay in the asymmetrical cryptography. REFERENCES [1] N. Koblitz, A. J. Menezes, and S. A. Vanstone, “The state of elliptic curve cryptography”, Design, Codes, and Cryptography, vol. 19, Issue 2-3, pp.173-193, 2000. [2] V. Miller, “Use of elliptic curves in cryptography”, Advances in Cryptography-Crypto ‟85. LNCS 218, Springer Verlag, 1986, pp. 417-426. [3] G. Provelengios, P. Kitsos, N. Sklavos, and C. Koulamas, “FPGA-Based Design Approaches of Keccak Hash Function,” In Proceedings of the 15 th Euromicro Conference, 2012, pp. 648-653. [4] D. Manel, O. Raouf, H. Ramzi and A. Mtibaa, “Hash Function and Digital Signature based on Elliptic Curve”, In Proceedings of the 14th international conference on Sciences and Techniques of Automatic control & computer engineering - STA'2013, Sousse, Tunisia, December 20-22, 2013 pp. 388-392. [5] K. Latif, M. M. Rao, A. Aziz, and A. Mahboob, “Efficient Hardware Implementations and Hardware Performance Evaluation of SHA-3 Finalists,” In Proceeding of 3 rd SHA-3 Candidate Conference, March 2012. [6] S. P. Raj, A. P. Renold, “An Enhanced Elliptic Curve Algorithm for Secured Data Transmission in Wireless Sensor Network”, In Proceedings of Global Conference on Communication Technologies (GCCT 2015), pp. 891-896. [7] A. Khalique, K. Singh, S. Sood, “Implementation of Elliptic Curve Digital Signature Algorithm”, International Journal of Computer Applications, vol. 2, no. 2, pp. 21-27, May 2010. [8] E. Wajih, B. Noura, M. Mohsen & T. Rached, “Low Power Elliptic Curve Digital Signature Design for Constrained Devices”, International Journal of Security (IJS), vol. 6, no.2, pp. 1-14, April 2012. [9] G. Sarath, D. C. Jinwala and S. Patel, “A Survey on Elliptic Curve Digital Signature Algorithm and its Variants”, Computer Science & Information Technology (CS & IT) –CSCP, 2014, pp. 121–136. [10] A. I. Ali, H. P. Isitc, “Comparison and Evaluation of Digital Signature Schemes Employed in NDN Network”, International Journal of Embedded systems and Applications (IJESA), vol. 5, no. 2, pp. 15-29, June 2015, FPGA Implementation of Modified Elliptic Curve Digital Signature Algorithm 145 [11] H. Junru, “The improved elliptic curve digital signature algorithm”, In Proceedings of the International Conference on Electronic and Mechanical Engineering and Information Technology (EMEIT), 2011, pp. 257-259. [12] B. Panjwani, D. C. Mehta, “Hardware-Software Co-design of Elliptic Curve Digital Signature Algorithm over Binary Fields”, In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2015, pp. 1101-1106. [13] X. Zhang, S. Ma, W. Shi, and D. Han, “Implementation of Elliptic Curve Digital Signature Algorithm on IRIS Nodes”, In Proceedings of the International Conference on Estimation, Detection and Information Fusion (ICEDIF 2015), pp. 403-406.