
Received October 24, 2018, accepted November 6, 2018, date of publication November 15, 2018, date of current version December 19, 2018.


Digital Object Identifier 10.1109/ACCESS.2018.2881444

Elliptic Curve Lightweight Cryptography: A Survey


CARLOS ANDRES LARA-NINO¹, ARTURO DIAZ-PEREZ², AND MIGUEL MORALES-SANDOVAL¹
¹ CINVESTAV Tamaulipas, Ciudad Victoria 87130, Mexico
² CINVESTAV Guadalajara, Zapopan 45019, Mexico

Corresponding author: Carlos Andres Lara-Nino ([email protected])


This work was supported in part by CONACyT under Grant 336750, in part by CINVESTAV, in part by Fondo Sectorial de Investigación para la Educación, CONACyT Mexico, under Project 281565.

ABSTRACT Since it was invented in 1986, elliptic curve cryptography (ECC) has been studied widely in industry and academia from different perspectives. Some of these aspects include mathematical foundations, protocol design, curve generation, security proofs, point representation, algorithms for the inherent arithmetic in the underlying algebraic structures, implementation strategies in both software and hardware, and attack models, among others. The main advantage of ECC is that shorter keys (lower memory requirements and faster field arithmetic operations) can be used compared with other cryptosystems, which has made it the ideal choice for implementing public key cryptography in resource constrained devices, such as those found in the envisioned applications of the Internet of Things, e.g., wireless sensors. In this application domain, lightweight cryptography has emerged as the required approach because of the scarce computing resources and limited energy in devices. In this paper, we present a survey of ECC in the context of lightweight cryptography. The aim of this paper is to identify the criteria that make an ECC-based system lightweight and a viable solution for use in practical constrained applications. Representative works are systematically reviewed to determine the key aspects considered in ECC designs for lightweight realizations. As a result, this paper defines, for the first time, the concept and requirements for elliptic curve lightweight cryptography.

INDEX TERMS Cryptography, elliptic curve, lightweight, survey.


I. INTRODUCTION

In recent years, the trend in manufacturing of electronic devices has been marked by the reduction of their physical size, the push to reduce production costs, and the increase in the connectivity of said appliances. Smart objects, which are capable of performing small computations and data collection, become more ubiquitous each day. All of the information collected from these objects can provide insights on the behavior of its user or its environment. Hence the need to protect these data.

A constrained environment is considered a computational system of multiple heterogeneous elements, where the underlying computational devices are of limited capabilities. These limitations are related to the processing power, the communications bandwidth, the storage memory, the size of the device, or the energy availability of the devices. Examples of constrained devices are Wireless Sensor Network (WSN) motes, Radio-Frequency Identification (RFID) tags, and Internet of Things (IoT) nodes; thus WSN, RFID, and IoT applications are considered constrained environments.

Providing security services for these new generation networks has proven to be a difficult challenge. Strict constraints on resources such as processor time, bandwidth, hardware, and in some cases energy supply, restrict the security algorithms that can be utilized. These applications require at least the same security services as a conventional network, even while having less processing power. Moreover, as in the case of WSN, the constrained devices might be deployed in hostile environments where an attacker can have physical access to the network. Additional security measures, such as side channel countermeasures, should be considered to address these vulnerabilities.

A. CRYPTOGRAPHY FOR CONSTRAINED DEVICES

Some of the most important security services required in IoT include privacy (confidentiality), trust (integrity, authentication), nonrepudiation (signature, access control), and availability. In some instances, protection against node capture, impersonation, duplication of the data, and forensic attacks is also required. Cryptography can provide the means for most of the demanded security services in this domain.

However, as pointed out by NIST, "[...] cryptographic standards were designed to perform well on general-purpose computers" [1]. But modern technologies have capabilities far more limited than general-purpose computers. As also mentioned in the NIST report, it is often the case that conventional cryptographic algorithms can be implemented

2169-3536 © 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. VOLUME 6, 2018

to fit the resource requirements of constrained applications. But this comes at the cost of reduced performance and lower efficiency. It can be inferred that conventional cryptography can be used to provide security services under constrained environments, but it might not be the best solution.

The push for newer algorithms which satisfy the security needs of IoT and other such systems has created a new branch in cryptography denominated Lightweight Cryptography. Its aims are to provide privacy, integrity and trust, among other services, by using symmetric and asymmetric mechanisms, but taking into consideration reductions in the implementation sizes, the processing latencies, and the energy costs of the solution. This field is an evolving study area: not only do the security paradigms change, but new attack models are revealed and security levels are phased out.

Lightweight cryptography is related to the problem of providing security to constrained environments by means of low-cost cryptographic algorithms. It is the set of tools designed to offer security services with reduced costs. The optimizations followed in this approach generally involve tradeoffs between implementation size, performance, and security.

It is difficult to determine a threshold value for a cryptographic primitive to be denominated lightweight, with reference to one or more metrics of interest: physical size, latency, energy. Take as example the literature on cryptographic hardware solutions, where lightweight symmetric algorithms have been shown to require an order of magnitude fewer area units than their generic counterparts at the cost of reduced performance. Current understanding of "lightweightness" also includes performance and energy as critical design goals. Designing security solutions that can be denominated "lightweight", while achieving small implementation size, low energy consumption, and adequate performance, is a challenging task.

In the past decade, the study of lightweight cryptographic primitives has gained popularity. First initiated with a focus on block ciphers and later on hash functions, this field of research has propelled the development of multiple algorithms, some of which have been standardized [2]. Most recently, the focus of lightweight cryptography has shifted from symmetric to asymmetric constructions. However, whereas the progress for the former has been steady and fruitful, the latter has found moderate success.

Some of the challenges in lightweight asymmetric algorithms are the complexity of the operations, the size of the operands, the lengthy delays in processing, and the relentless advance of attack models which threaten any hasty proposal.

B. LIGHTWEIGHT PUBLIC KEY CRYPTOGRAPHY

Keyed cryptographic algorithms are those requiring some secret material (key) to protect the data. They can be divided in two main groups: symmetric and asymmetric. The first group includes all the systems which use a single secret key in their operation. From the key nature it follows that this area is known as Symmetric Cryptography. The algorithms that form the second group use a key pair instead, where one of the keys is private and the other public. The key pair is generally created from a mathematical function that establishes a relation between the private and the public key, but with special properties to avoid deriving the private key from the public one. This second group of algorithms constitutes what is known as Asymmetric Cryptography or Public Key Cryptography (PKC).

PKC is critical for networked environments. It has been used in encryption, signatures, digital envelopes and key establishment to provide confidentiality, integrity, authentication, nonrepudiation, availability and access control services.

PKC is a costly security mechanism, especially for constrained devices. Encryption and digital signatures in PKC demand complex group operations. The operands used in these procedures can have lengths of thousands of bits in some cases. From the different PKC alternatives reported in the literature, those that rely on elliptic curves are the most favorable for implementation in restricted devices.

Elliptic Curve Cryptography (ECC) utilizes an elliptic curve defined over a finite field F_q, which is denoted by E(F_q) and contains the affine points (x, y) ∈ F_q × F_q that satisfy the Weierstrass equation (1).

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \quad \text{where } a_i \in \mathbb{F}_q \qquad (1)$$

E(F_q) together with a special point named the point at infinity O form an abelian group. O serves as the neutral element in the group operation. The security of ECC rests on the difficulty of solving the Discrete Logarithm Problem over such a group, abbreviated as ECDLP, for which only algorithms with exponential computational complexities are known.

It is not an easy task to find a group E(F_q) with the required properties that make the ECDLP difficult to solve. Hence, the elliptic curves known to be secure are reported in the literature and included in standards. Conventional PKC based on ECC generally uses these standardized structures, which define secure realizations of ECC but were not conceived for use in constrained environments. In recent years, the definitions for new elliptic curves not only seek to achieve high security levels, but also to reduce operational costs and to reduce the hardware resources required to perform computations efficiently. These new elliptic curves are left out of the scope of standards but are an attractive alternative for WSN, RFID, e-health, and other emerging technologies in the IoT domain.

In this work we address ECC solutions that are suitable for constrained applications and are therefore denominated lightweight. In the literature it has not been demonstrated whether lightweight realizations of ECC are due to 1) the underlying mathematical model, or 2) the design and implementation decisions. The review presented in this work provides insights on which elliptic curves are the most used or considered for a lightweight ECC implementation. We ultimately identify the characteristics of the primitives and requirements that shape the Elliptic Curve Lightweight Cryptography (ECLC) concept and provide guidelines for the future development of such systems. Figure 1 shows a wordcloud of keywords associated with ECLC.


FIGURE 1. Wordcloud for Elliptic Curve Lightweight Cryptography (ECLC).

C. ECLC SYSTEM AND SECURITY MODEL

ECLC can be useful for emerging technologies in the IoT paradigm such as RFID, WSN, e-Health, Smart Grid, and others. It differs from ECC mainly in the fact that ECLC realizations must exhibit awareness of the application constraints and accommodate such requirements accordingly. Such constraints can be grouped broadly as performance, size, energy, and security. ECLC is similar to ECC in that the former ought to preserve the same security features as the latter, and thus it can be used for implementing comparable security services.

The cryptographic strength of both ECC and ECLC relies on the hardness of the discrete logarithm problem. This notion, paired with security protocols, can be used for providing services of key establishment, encryption, authentication, and signatures. These security solutions can then be implemented in constrained environments such as the aforementioned, for applications in healthcare, military, rescue, security, among others.

Figure 2 illustrates the use of ECLC for providing key agreement using WSN as a case study. We would like to remark that this is just an instance of the many technologies that can benefit from its advantages. In a classical WSN model, sensor nodes are distributed in environments of difficult reach; the information harvested by these nodes is collected by a base station with internet connection and the end users obtain information from the base station through the internet. A characteristic of sensor nodes is that they suffer from critical constraints in regards to performance, size, and energy. In order to achieve secure communications in a wide area, the nodes must be able to establish multi-hop links. ECLC can enable the nodes to link up with each other with low processing and storage costs. In this example from Figure 2, a basic ECDH-like protocol is described; in an ECLC solution, the protocols, algorithms, and realizations must be aware of the nodes' constraints.

FIGURE 2. Use of ECLC for providing key establishment in the context of WSN: (A) System model. (B) Security model.

Any ECLC solution ought to be as secure as its ECC counterparts. The hardness of ECLC still relies on the difficulty of finding discrete logarithms over elliptic curve groups. The order of the group is directly related to the security of the solution, as well as to the complexity of evaluating the group operations. Improving the performance, the size, or the energy consumption of an ECLC realization should not compromise the security of the system. Therefore the underlying field size should be defined according to recommended ECC security levels [3].

Under certain scenarios, however, the designer might determine that the information being protected does not require long term security. One particular example is WSNs which, by definition, are only meant to last from a few weeks to months. In this instance, using an elliptic curve group which guarantees security for thousands of years might not be required. By using smaller fields, performing group operations becomes cheaper, as mentioned. Such an idea has been explored in [4]. Nonetheless, the impact of disclosing data which at first sight might appear innocuous is difficult to assess: undoubtedly, nowadays information has a high value.


ECC is a set of tools to provide security. To extend this definition to lightweight cryptography, it follows that the security is to be provided for constrained environments. Then, we can understand lightweight cryptography as the set of tools designed to provide security while observing the application constraints. If these tools are based on elliptic curve constructions, then

Definition 1: ECLC is the set of elliptic curve protocols, domain parameters, algorithms, and implementation techniques, tailored for providing security services under constrained environments.

ECLC is a novel concept. The attribute of lightweightness has been vested upon ECC-based constructions in multiple instances, as the survey evidences. Nonetheless, nobody has sought to answer two fundamental questions: what is lightweight in the context of ECC, and how to assess that an ECC-based system is lightweight. For some, these questions might appear trivial; however, reaching a common understanding and reference frame is a key point of science. Our innovation lies in exploring ECC in the context of lightweight cryptography to provide answers to these questions.

D. PROBLEM STATEMENT

In this survey, for the first time, we survey works which use elliptic curve cryptography and are denominated lightweight. In a sense, this is a survey on ECC in the context of lightweight cryptography. This is one of the main differences between our work and previous ECC surveys.

Another significant differentiation which can be made between our work and previous ECC surveys is the depth and extension of our work. In this document we provide preliminaries, a state of the art review, novel concepts, a summary of strategies, and in general an extensive analysis of the surveyed data, qualitatively and quantitatively.

The quick review of previously published ECC-related surveys provided in Table 1 highlights some of their general limitations. It is possible to find many more unpublished works but most of them suffer from lack of scope, scientific character, and extension. A particular exception is the work in [5] where hardware realizations of ECC are covered with sufficient detail.

TABLE 1. Brief summary of some published ECC-related surveys.

Our research aims at providing answers, in the broad sense, to two main questions: What is lightweight in the context of ECC? And how to determine if an ECC-based security solution is lightweight?

From the discussion provided in this section we also identify additional research questions which are, as far as we know, yet open:
• If there are elliptic curves designed to fit the needs of constrained devices, is it possible to call such curves lightweight?
• Is the "lightweight" adjective exclusive to the implementation of these systems?
• If the underlying ECC constructions are not standardized, will there be any traction on implementing them?
• What are the strategies used in the design and implementation of lightweight security solutions based on ECC?

The knowledge derived by answering the above questions can serve to build novel lightweight security solutions for IoT and related applications.

E. CONTRIBUTIONS OF THE SURVEY

This work has five main contributions:
1) Surveys, for the first time, ECC in the context of lightweight cryptography.
2) Quantifies the State of the Art bounds for ECC-based systems which are denominated lightweight.
3) Determines the criteria for ECC-based systems to be denominated lightweight.
4) Proposes a design methodology that guides the realization of ECLC solutions.
5) All the tables and graphs data are available in a public repository¹ as well as in IEEE DataPort.²

F. HOW TO READ THIS SURVEY

Our survey first provides introductory notions so that researchers who are first approaching the topic of ECC can find some pointers on mathematical fundamentals, suggested literature, and in general concepts and applications of ECC; these are included in Section II. Readers well versed in ECC from a general point of view can skip these preliminaries.

The data collection techniques, our categories for classifying the papers, and the data extracted from the different works are reported in Section III. In this part we go into great detail to describe the surveyed data since some of these concepts require being clearly delimited.

The main body of the survey is presented in Section IV. In this part the reader can find tables which summarize characteristics and quantifiable results from the different works. The section is divided in three categories which include, in broad terms: protocols, algorithms, and implementations (software/hardware). For each category we provide a discussion and identify strategies used in the literature. The qualitative analysis of the papers is expanded in Section V, where we provide our views on each of the different papers as a whole, aiming at assessing if they do in fact belong to ECLC.

Qualitative analysis of the surveyed papers can be found in Section VI. This section is rich with resources for studying the surveyed papers using different analysis approaches.

¹ https://www.tamps.cinvestav.mx/~datasets/
² http://dx.doi.org/10.21227/bqfj-6c39


This part of the document requires that the reader has followed the previous three sections, since the labeling of the data might be confusing otherwise.

Sections VII, VIII, and IX provide insights on the characteristics of the topic surveyed, in regards to applications, strategies, trends, and open problems. Lastly, Section X concludes the work with a summary of our findings. If the reader is interested in our findings, beyond the detailed survey and analysis of the papers, or in the answers we provide for the research questions enumerated, they can go directly to these last sections.

II. ELLIPTIC CURVES AND CRYPTOGRAPHY

The security of PKC systems relies on mathematical principles denominated one-way functions. These relations have two main characteristics: first, that knowing all the input variables it is easy to solve for the result; second, that if the result and only some input variables are known it is difficult to solve for the missing inputs. Only a handful of these problems are known and used in cryptography, the most popular ones being the integer factorization problem and the discrete logarithm problem. The latter is of particular interest to us since the security of most ECC systems depends on it.

A. BASIS

All modern PKC constructions rely on group theory in order to guarantee the security of the systems. In the following we provide some definitions useful to frame the concepts around ECC that are used in the literature review.

Definition 2: A group is a set of elements G equipped with a binary operation f : G × G → G such that f is associative with an identity element e and every element in G has an inverse. G is said to be abelian if and only if f is commutative.

Let "f" be called the group operation. In practical realizations, groups can be additive (if f represents an addition of elements) or multiplicative (if f represents a multiplication). Independently of the group realization, usually the notation is multiplicative. That is, the group operation is denoted by '*', the identity element in G is '1', and the inverse for any a in G is a^−1. The consecutive application of the group operation n times over a group element p is usually represented as p^n.

It is important to determine the cardinality of any group used in cryptography since the difficulty of any mathematical problem defined over such groups is associated with the number of elements in the group.

Definition 3: The group is finite if and only if G is a finite set, in which case the number of elements in G, its cardinality, is called the order of G.

However, using the totality of the elements in a group can reduce the complexity, at the same time, if we know that all the elements are valid.

A subgroup H of G is a subset of G which contains e, if and only if f : H × H → H holds for every element in H and the inverse of such elements is also in H. For any p ∈ G, the set of products q = p^n for n ∈ Z is a subgroup of G generated by p, denoted as ⟨p⟩.

By knowing the group generator, a wide set of elements can be specified with a single root element, instead of enumerating all the contents in the set.

Definition 4: The generator, root, or primitive element of G is any r ∈ G such that ⟨r⟩ = G.

Cyclic groups are a particular instance of groups useful for cryptographic applications, since the result of any group operation is also in the group; hence it is not necessary to verify the result and the calculations need not be repeated.

Definition 5: If there exists an r ∈ G such that ⟨r⟩ = G, then G is said to be cyclic. The subgroups found in a cyclic group are also cyclic.

If a generator is known, and it is used to represent a subgroup of G, the cardinality of this subgroup is also an interesting property to know. The number of elements in a subgroup created by a generator is known as the generator order.

Definition 6: An element p ∈ G has finite order if and only if ⟨p⟩ is finite. The order of p is the cardinality of ⟨p⟩ and is given by the smallest t ∈ Z such that p^t = e. This is also called the generator order for ⟨p⟩.

Groups are defined for a single group operation. The algebraic structure which uses both an additive and a multiplicative composition law is called a ring.

Definition 7: A set of elements R with two binary operations {f, g} is a ring if and only if R is a commutative group with f, and g is associative and distributive over f. In this case f and g represent additive and multiplicative group operations with 0 and 1 as identity element, respectively.

Definition 8: If a ring R is commutative and all of its nonzero elements are invertible it is said that R is a field. In order for all the elements in a field to have an inverse, it must be defined by either 0 or a prime.

Definition 9: If the order of a field K is finite, then it is said to be a finite field.

In Elliptic Curve Cryptography the elliptic curves are always defined over finite fields. The order of the finite field K is given by p^m, where p is a prime and m is the finite dimension of the vector space in K. Finite fields are also known as Galois fields, denoted by GF(p^m).

Definition 10: For any prime p and any positive integer m there exists a finite field with q = p^m elements, denoted by F_q.

A finite field of order q (F_q) exists if and only if its order is a prime power q = p^m. The most common constructions include the cases where q = p (denoted prime field F_p) and where q = 2^m (denoted binary field F_{2^m}). These are the basis for defining the most popular elliptic curve systems.

For further details on group and field theory the reader might consult [10, Ch. 2].

B. ELLIPTIC CURVES

Following the definition in (1), Fig. 3 shows two elliptic curve groups E(F_q) where q = 19 and q = 97.

All these tuples denoted as E(F_q) are called points, with x and y referred to as coordinates [11]. The set E(F_q) together


FIGURE 3. Points on the curve $y^2 = x^3 - 7x + 10$ over F_q with q = 19 (left) and q = 97 (right). Note that, for every x, there are at most two points.

with a point at infinity O form a group. The group operation is the addition law, which can be performed through arithmetic operations in F_q according to well defined formulae [11]. With this addition rule, the set of points E(F_q) forms an abelian group with O serving as the identity element. Cyclic subgroups of such elliptic curve groups can be used to implement cryptographic systems.

1) PROPERTIES

The order of an elliptic curve group {E(F_q) ∪ O}, denoted by o, is the number of points in E. The values of o and q are related by the Frobenius trace t = q + 1 − o. Hasse's theorem implies that $|t| \le 2\sqrt{q}$. Given a point P ∈ E(F_q), its order is the smallest positive integer n such that nP = O. By Lagrange's theorem, the order of a point P ∈ E(F_q) divides the order o of the group E(F_q). Thus oP = O for any P ∈ E(F_q) and, consequently, the order of a point is always less than or equal to the order of the elliptic curve.

2) ARITHMETIC

Different types of computations are involved in ECC. These are of diverse nature, depending on whether they are defined for the elliptic curve, for the elliptic curve group, or for the finite field.

a: CURVE ARITHMETIC

In the case of curve operations the inputs are points on the elliptic curve, which are used to find other points on the elliptic curve. A single calculation belongs to this set: the scalar multiplication. This is the embodiment of the group law: the application of successive group operations (addition) to a point P ∈ E(F_q) will generate as a result other points also on the curve. If the number of additions applied to the point equals the order of the elliptic curve group, the result is the original point.

Scalar multiplication in the curve E(F_q) means calculating k additions of a point P and is represented by kP. In this process, a scalar k ∈ N and a curve point P ∈ E(F_q) are used to find a different point Q ∈ E(F_q) such that Q = kP through a defined set of rules. Multiple methods for performing scalar multiplication have been proposed, among them: double and add, NAF, Montgomery ladder, to mention a few [12]. All these methods are built on group operations, which are defined for a specific elliptic curve.

b: GROUP ARITHMETIC

This type of arithmetic comprises the realization of the elliptic curve point addition. It is independent of kP algorithms and varies depending on the curve type, finite field and coordinate type being used. The addition of two points on the elliptic curve

$$P + Q \quad \forall\, P, Q \in E(\mathbb{F}_q) \qquad (2)$$

and point doubling

$$P + P \quad \forall\, P \in E(\mathbb{F}_q) \qquad (3)$$

are the staples of group operations. A scalar multiplication generally uses both these calculations and thus finding efficient formulae³ for group operations is critical.

c: FIELD ARITHMETIC

The field operations are those defined for F_q. The point addition and doubling are performed as a sequence of operations over the different coordinates of the input points; these coordinates are field elements. The field arithmetic is linked to, but not dependent on, the curve arithmetic or the group operations. Different configurations of field operations perform group calculations. The most common of these procedures include field multiplication, polynomial reduction, field addition and subtraction, field squaring and field inversion, to mention a few.

Fig. 4 summarizes the different levels of operations in ECC.

³ Efficiency is often measured in quantity, diversity, and quality of the underlying field arithmetic.
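As an added example (not code from the paper), the three arithmetic levels above worked on the paper's own Figure 3 curve y² = x³ − 7x + 10 over F_19: affine point addition and doubling (eqs. 2 and 3) built on field arithmetic, brute-force enumeration of E(F_q), Hasse's bound on the Frobenius trace, point orders via Lagrange's theorem, and two of the scalar multiplication methods named above (double-and-add and the Montgomery ladder). The curve coefficients come from the figure caption; the toy field size and the point (1, 2) are chosen here for illustration.

```python
# Added example: affine short-Weierstrass arithmetic over a prime field,
# worked on the page's toy curve y^2 = x^3 - 7x + 10 over F_19 (Fig. 3).
# Toy parameters only; not constant-time and not a production implementation.

P_MOD, A, B = 19, -7 % 19, 10   # curve y^2 = x^3 + A*x + B over F_19 (constructed)


def inv(v, p=P_MOD):
    """Field inversion via Fermat: the costly F_q operation the text warns about."""
    return pow(v, p - 2, p)


def add(P1, P2, a=A, p=P_MOD):
    """Chord-and-tangent addition law; None represents the point at infinity O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                    # P + (-P) = O, incl. y = 0
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p   # tangent slope (doubling, eq. 3)
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p          # chord slope (addition, eq. 2)
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def double_and_add(k, P):
    """Left-to-right double-and-add: one doubling per bit, an addition per set bit."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def montgomery_ladder(k, P):
    """Montgomery ladder: one addition and one doubling per bit, whatever its value."""
    R0, R1 = None, P                       # invariant: R1 = R0 + P
    for bit in bin(k)[2:]:
        if bit == "0":
            R1 = add(R0, R1)
            R0 = add(R0, R0)
        else:
            R0 = add(R0, R1)
            R1 = add(R1, R1)
    return R0


def enumerate_curve(a=A, b=B, p=P_MOD):
    """All affine points of E(F_p) by brute force (feasible only for toy fields)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def group_order(a=A, b=B, p=P_MOD):
    """o = #E(F_p), counting the point at infinity O."""
    return len(enumerate_curve(a, b, p)) + 1


def frobenius_trace_ok(o, q=P_MOD):
    """Hasse's theorem: t = q + 1 - o must satisfy |t| <= 2*sqrt(q)."""
    t = q + 1 - o
    return t * t <= 4 * q


def point_order(P):
    """Smallest n > 0 with nP = O; by Lagrange it divides group_order()."""
    n, R = 1, P
    while R is not None:
        R = add(R, P)
        n += 1
    return n


if __name__ == "__main__":
    o = group_order()
    print(f"#E(F_{P_MOD}) = {o}, t = {P_MOD + 1 - o}, Hasse ok = {frobenius_trace_ok(o)}")
    print("2*(1,2) =", double_and_add(2, (1, 2)), "order of (1,2) =", point_order((1, 2)))
```

The point (7, 0) is the curve's single point of order 2, which the add() routine handles through the P + (−P) check rather than by dividing by 2y = 0.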


FIGURE 4. Operations in ECC divided by levels.

3) POINT REPRESENTATION
A point P ∈ E(Fq) can have different representations which satisfy equivalent models of the Weierstrass equation. Mathematical transformations are applied to each point in order to generate a projection of the curve. These transformation functions must be bijective. The main reason to perform a coordinate transformation over a point is to achieve simplifications for performing curve operations.
The basic system of point representation is affine. Under this system each point P ∈ E(Fq) is represented by a pair of coordinates, generally (x, y). Only two values are required to represent a point and, in some cases, a single coordinate is sufficient. The main drawback is that in the computation of the group operation, multiple field inversions are required to retrieve a result in affine coordinates. Inversions are resource-intensive operations in Fq, so they should be avoided in constrained environments.
Projective coordinates are used to solve this problem. A projective point P ∈ E(Fq) is denoted by a coordinate tuple (X : Y : Z). The transformation from affine to projective coordinates generally follows x = X/Z and y = Y/Z. In this case the result can be obtained without any inversion operation. An additional value is required to represent a curve point (for the Z coordinate).
Mixed coordinates is a term used to refer to those systems which perform group operations with mixed point representations. In most of the cases, point addition takes an input in affine coordinates but delivers the output in projective coordinates to avoid using field inversions. Point doubling, on the other hand, can use projective inputs to produce projective outputs at low cost. Such systems require a single coordinate transformation at the end of each scalar multiplication, thus improving the efficiency of the calculations.
A special point representation denominated w-coordinates was proposed in [13]. In this system a curve point is represented by a single coordinate (w). The equivalence of these coordinates with the affine system is usually w = x + y. However, as is the case with affine coordinates, performing curve operations in w systems involves multiple field inversions. The projective version of these coordinates corresponds with the relation w = W/Z and works in the same way as projective coordinates to reduce the need for field inversions. These are called projective-w coordinates.
The main reasons for using these special coordinates are to reduce storage requirements and to improve the efficiency of operations. Depending on the nature of w = f(x, y), the point addition can be tweaked in order to reduce the number of field operations required. Mixed systems of w coordinates can also be constructed. The use of such coordinates reduces the storage space and the number of field operations required, also eliminating the need for field inversions. The main drawback of the w coordinates is that converting the points back to the affine domain involves the half trace function [13], which is costly.

4) ELLIPTIC CURVE FAMILIES
The generalized form of an elliptic curve can be reduced or simplified to identify particular sets of curves known as families. Fig. 5 presents the taxonomy of the different elliptic curve families. The most relevant ones are described below.

FIGURE 5. Families of elliptic curves defined over prime and binary fields. Each family has a corresponding curve model which represents its curves.

Definition 11: For elliptic curves defined over a field Fq with $q = p^m$ and $m = 1$ the Weierstrass equation is simplified as

$E_p : y^2 = x^3 + ax + b$ (4)

with $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0$.
These curves are generally denominated prime curves and the model that defines them is referred to as the reduced Weierstrass equation.
Definition 12: Nonsupersingular elliptic curves over a finite field Fq with $q = p^m$ and $p = 2$ are defined by

$E_b : y^2 + xy = x^3 + ax^2 + b$ (5)

with $a, b \in F_{2^m}$.
This is the so-called set of binary elliptic curves.
Other notable families of curves include Montgomery curves, Koblitz curves, Edwards curves, and the novel MoTE curves [14].
Definition 13: A Montgomery curve is a form of elliptic curve defined over Fq, with characteristic different from 2, by

$E_M : By^2 = x^3 + Ax^2 + x$ (6)

with $A \in F_q \setminus \{-2, 2\}$, $B \in F_q \setminus \{0\}$ and $B(A^2 - 4) \neq 0$.
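As an added example (not code from the survey), the mixed-coordinate strategy described above: doublings on projective (X : Y : Z) inputs, additions that take the affine base point as one input, and a single conversion back to affine at the end. The toy curve y² = x³ + 2x + 2 over F17 with base point P = (5, 1) is constructed for illustration, and the standard projective formulas used are an assumption of this example, since the survey states none.

```python
# Added example: mixed-coordinate scalar multiplication on a constructed toy curve.
# Curve: y^2 = x^3 + a*x + b over F_p with p = 17, a = 2 (b = 2 is not needed by the
# formulas). A projective point (X : Y : Z) stands for the affine point (X/Z, Y/Z).
p, a = 17, 2
INF = (0, 1, 0)                      # the point at infinity O has Z = 0
STATS = {"inversions": 0}            # field inversions actually performed

def inv(x):
    """Field inversion in F_p: the expensive operation the text wants to avoid."""
    STATS["inversions"] += 1
    return pow(x % p, -1, p)

def to_projective(pt):
    """Affine (x, y) -> (X : Y : Z) with Z = 1; costs no inversion."""
    return (pt[0], pt[1], 1)

def to_affine(pt):
    """(X : Y : Z) -> (X/Z, Y/Z); None for O. This is the only inversion of a
    whole scalar multiplication."""
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi % p, Y * zi % p)

def pdouble(pt):
    """Projective doubling: projective input, projective output, no inversion."""
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:           # 2*O = O, and 2*(x, 0) = O
        return INF
    w = (a * Z1 * Z1 + 3 * X1 * X1) % p
    s = Y1 * Z1 % p
    B = X1 * Y1 * s % p
    h = (w * w - 8 * B) % p
    return (2 * h * s % p,
            (w * (4 * B - h) - 8 * Y1 * Y1 * s * s) % p,
            8 * s * s * s % p)

def padd_mixed(pt, aff):
    """Mixed addition: projective pt plus affine aff (implicitly Z2 = 1),
    projective output, no inversion."""
    X1, Y1, Z1 = pt
    X2, Y2 = aff
    if Z1 == 0:
        return to_projective(aff)
    u = (Y2 * Z1 - Y1) % p
    v = (X2 * Z1 - X1) % p
    if v == 0:                       # same x: either the same point or inverses
        return pdouble(pt) if u == 0 else INF
    vv = v * v % p
    vvv = v * vv % p
    R = vv * X1 % p
    A = (u * u * Z1 - vvv - 2 * R) % p
    return (v * A % p, (u * (R - A) - vvv * Y1) % p, vvv * Z1 % p)

def scalar_mult(k, aff):
    """Left-to-right double-and-add computing k*aff for k >= 1. Returns the affine
    result, the inversions used, and the group operations performed (the number of
    inversions an all-affine computation would have needed, one per operation)."""
    STATS["inversions"] = 0
    acc, ops = to_projective(aff), 0
    for bit in bin(k)[3:]:           # skip the leading 1: the accumulator starts at aff
        acc, ops = pdouble(acc), ops + 1
        if bit == "1":
            acc, ops = padd_mixed(acc, aff), ops + 1
    return to_affine(acc), STATS["inversions"], ops

if __name__ == "__main__":
    P = (5, 1)                       # constructed base point of order 19
    for k in (2, 7, 19):
        print(k, scalar_mult(k, P))  # 7 -> ((0, 6), 1, 4); 19 -> (None, 0, 6)
```

For 7P four group operations are executed but only one inversion is paid; an all-affine computation would have paid four.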


Introduced by Peter L. Montgomery in 1987, these curves are used in cryptographic applications. The major attraction of these curves is the possibility of performing point arithmetic with the x coordinate only [15].
Koblitz curves, also known as anomalous binary curves, were proposed by Neal Koblitz for cryptographic use in 1992 [16]. Compared to random binary curves, point multiplication methods which are significantly faster are available.
Definition 14: Koblitz curves satisfy an equation of the form

$E_K : y^2 + xy = x^3 + ax^2 + 1$ (7)

with $a \in F_2$.
The family of Edwards elliptic curves is defined as follows.
Definition 15: Let Fq be a field in which $2 \neq 0$ and let $d \in F_q \setminus \{0, 1\}$; then

$E_E : x^2 + y^2 = 1 + dx^2y^2$ (8)

defines an Edwards curve [16].
Computing scalar multiples in these curves takes fewer field operations than in other representations. Additionally, the formulas for addition on Edwards curves can provide protection against simple side-channel attacks [16].
Definition 16: A variation of these curves called twisted Edwards curves satisfies

$E_T : ax^2 + y^2 = 1 + dx^2y^2$ (9)

with $a, d \in F_q \setminus \{0\}$ and $a \neq d$.
A MoTE curve can be described as an elliptic curve which has a Montgomery model as well as a twisted Edwards model [15].
Definition 17: The Montgomery model of a MoTE curve is given by an equation of the form

$E_M : -(A + 2)y^2 = x^3 + Ax^2 + x,$ (10)

which means the parameter $B = -(A + 2)$. The birationally equivalent twisted Edwards model of the above MoTE curve is given by

$E_T : -x^2 + y^2 = 1 + \frac{2 - A}{2 + A} x^2 y^2.$ (11)

C. THE DISCRETE LOGARITHM PROBLEM
A discrete logarithm is an integer k solving $b^k = g$, where b and g are elements of a finite group. This construction was used to propose one-way functions utilized as the basis for asymmetric cryptography [17].
In order for a system based on discrete logarithms to be efficient, fast algorithms for computing the group operation must be available. For security, the discrete logarithm problem should be computationally intractable [12].
The most popular groups for implementing discrete logarithm systems are the cyclic subgroups of the multiplicative group of a finite field, and cyclic subgroups of elliptic curve groups.
Definition 18: Discrete Logarithm Problem over Elliptic Curves. Let E be an elliptic curve defined over a finite field Fq. Let P be a point in E(Fq), and suppose that P has a prime order n. Then, the cyclic subgroup of E(Fq) generated by P is

$\langle P \rangle = \{O, P, 2 \cdot P, 3 \cdot P, \ldots, (n - 1) \cdot P\}.$ (12)

For these systems the group operation · is the consecutive addition of elliptic curve points, or scalar multiplication. Given a point

$Q = k \cdot P \in \langle P \rangle$ (13)

and the root element or generator P, finding k is called the Discrete Logarithm Problem over Elliptic Curves (ECDLP) and is computationally intractable [12].
The DLP is of practical use in asymmetric cryptography since it is the basis for the key pair system. In the case of ECC, the prime q, the equation of the elliptic curve E, the point P, and its order n are public domain parameters. A private key is an integer k that is selected uniformly at random from the interval [1, n − 1] and the corresponding public key is

$Q = k \cdot P.$ (14)

D. ELLIPTIC CURVE CRYPTOGRAPHY
Elliptic curve cryptography (ECC) was discovered in 1985 by Neal Koblitz and Victor Miller. ECC schemes are public-key mechanisms used in cryptographic protocols in order to provide specific security services. The security of the systems based on elliptic curves relies on the hardness of the ECDLP [12]. Currently the best algorithms known to solve this problem have fully exponential running time, in contrast to the subexponential-time algorithms known for the integer factorization problem. This difference is what creates the main advantage for ECC over other public key alternatives: smaller key sizes are sufficient to achieve an equivalent security level.

1) DOMAIN PARAMETERS
The domain parameters for an elliptic curve scheme are the necessary elements to describe an elliptic curve group. These include the elliptic curve E, a finite field Fq, a base point P ∈ E(Fq), and its order n [12]. The parameters should be chosen according to application constraints. Typically, domain parameters are shared by a group of entities; however, in some applications they may be specific to each user.
Domain parameters D = (Fq, E, P, n) are comprised of:
1) The finite field Fq.
2) The coefficients that define the equation of the elliptic curve E over Fq.
3) Two field elements xP and yP in Fq that define a base point P = (xP, yP) ∈ E(Fq) in affine coordinates. P has prime order and is called the base point or primitive root, with $\langle P \rangle = E(F_q)$.
4) The order n of P.


2) KEY ESTABLISHMENT
The purpose of a key establishment protocol is to provide two or more entities communicating over an open network with a shared secret key. The key may then be used in a symmetric-key protocol to achieve some cryptographic goal such as confidentiality or data integrity [12].
Elliptic Curve Diffie-Hellman (ECDH): Suppose two parties A and B want to establish a shared key. Let A and B agree on the common domain parameters D. A randomly chooses a ∈ [1, n − 1] and computes PA = a · P, while B follows the same procedure and obtains PB = b · P. A and B publicly exchange these intermediate results. If the ECDLP is hard in E(Fq), a or b cannot be computed given {PA, P} or {PB, P}, respectively. Upon receiving PB, A computes

$P_K = a \cdot P_B = (a \times b) \cdot P.$ (15)

Now B can obtain the same result as

$P_K = b \cdot P_A = (b \times a) \cdot P,$ (16)

thus they are both in possession of a group element PK, which becomes the shared key and should not be computable from the public values PA and PB. The interaction diagram for the basic ECDH protocol is illustrated in Fig. 6.
The security of ECDH relies on the ECDLP. As a protocol, the problems an attacker must solve are the computational Diffie-Hellman problem or the decisional Diffie-Hellman problem.
• Computational Diffie-Hellman problem: Computing abP given aP and bP.
• Decisional Diffie-Hellman problem: Given aP, bP and cP, to decide whether cP = abP.

FIGURE 6. Interaction diagram for the basic ECDH protocol. In this scheme the parameters Fq, E(Fq), and P are publicly known.

3) DATA ENCRYPTION
In public-key encryption systems each entity A has a public key PA and a corresponding private key a. In secure systems, the task of computing a given PA is computationally intractable. The public key defines an encryption transformation EPA, whereas the private key defines the associated decryption transformation Da. Any entity B wishing to send a message m to A obtains an authentic copy of A’s public key PA, uses the encryption transformation to obtain the ciphertext

$c = E_{P_A}(m),$ (17)

and sends c to A. To decrypt c, A applies the decryption transformation to obtain the original message

$m = D_a(c),$ (18)

as described in [18].
EC-ElGamal: In order to establish a secure communications channel, B creates a key pair {b, PB} as

$P_B = b \cdot P$ (19)

where b ∈ [1, n − 1], and publishes PB while keeping b secret. To transmit a message m to B it must first be mapped to a point in the curve as

$P_m \leftarrow m.$ (20)

User A chooses a random integer a and sends the pair of points {PA, PE} where

$P_A = a \cdot P$ (21)

and

$P_E = P_m + a \cdot P_B.$ (22)

To read the message, B multiplies the first point in the pair by his secret as

$b \cdot P_A = (b \times a) \cdot P,$ (23)

and then subtracts the result from the second point in the pair as

$P_E - b \cdot P_A = P_m + a \cdot P_B - b \cdot P_A = P_m + (a \times b) \cdot P - (b \times a) \cdot P = P_m$ (24)

as shown in [19]. Fig. 7 provides an interaction diagram for the EC-ElGamal cryptosystem.
The Elliptic Curve Integrated Encryption Scheme (ECIES): ECIES was proposed by Bellare and Rogaway, and is a variant of the ElGamal public-key encryption scheme [12]. In ECIES, a secret PK obtained using ECDH is used to derive two symmetric keys k1 and k2 with a Key Derivation Function (KDF). The key k1 is used to encrypt the message using a symmetric-key cipher, with encryption (E) and decryption (D) functions, whereas the key k2 is used to authenticate the resulting ciphertext using a Message Authentication Code (MAC) function. The interaction diagram for ECIES is shown in Fig. 8.

FIGURE 7. Interaction diagram for the EC-ElGamal cryptosystem. In this scheme the parameters Fq, E(Fq), P and the mapping m → Pm are publicly known. The receiver of information must disclose its public key.
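As an added example (not code from the survey), the ECDH exchange of eqs. (15)-(16) and the EC-ElGamal scheme of eqs. (19)-(24) above, together with the ECDSA signing and verification of eqs. (25)-(32) in the digital signatures subsection that follows, run over a constructed toy curve y² = x³ + 2x + 2 over F17 with base point P = (5, 1). The subgroup order n is computed as in Definition 18, and SHA-256 stands in for the hash H; both the curve and that choice are assumptions of this example.

```python
# Added example: ECDH, EC-ElGamal and ECDSA over a constructed toy curve (not the
# survey's code). Domain parameters D = (F_p, E, P, n): p = 17, E: y^2 = x^3 + 2x + 2,
# P = (5, 1); n is derived below. Real deployments use standardized 256-bit curves.
import hashlib
import secrets

p, a, b = 17, 2, 2
P = (5, 1)
O = None                                  # the point at infinity
assert (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0   # P lies on E

def ec_add(P1, P2):
    """Affine group law on E(F_p): point addition and doubling (one inversion each)."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                          # P2 = -P1
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Scalar multiplication k*Q by double-and-add (the '.' operation of eq. 13)."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, Q)
    return R

def subgroup_order(Q):
    """Order n of <Q> = {O, Q, 2Q, ...} (eq. 12): the smallest n >= 1 with nQ = O."""
    n, R = 1, Q
    while R is not O:
        R, n = ec_add(R, Q), n + 1
    return n

n = subgroup_order(P)                     # 19, a prime, as Definition 18 requires

def ecdh(a_priv, b_priv):
    """ECDH, eqs. (15)-(16): A and B exchange PA, PB and both obtain PK."""
    PA, PB = ec_mul(a_priv, P), ec_mul(b_priv, P)     # the public values
    return ec_mul(a_priv, PB), ec_mul(b_priv, PA)     # A's PK, B's PK

def elgamal_encrypt(Pm, PB):
    """EC-ElGamal, eqs. (21)-(22); Pm is the message already mapped to a point."""
    r = secrets.randbelow(n - 1) + 1                  # sender's random a in [1, n-1]
    return ec_mul(r, P), ec_add(Pm, ec_mul(r, PB))    # (PA, PE)

def elgamal_decrypt(ct, b_priv):
    """EC-ElGamal, eqs. (23)-(24): Pm = PE - b*PA, subtraction as adding the negation."""
    PA, PE = ct
    x, y = ec_mul(b_priv, PA)
    return ec_add(PE, (x, (-y) % p))

def hash_to_int(msg):
    """e = H(m) as an integer modulo n; SHA-256 stands in for H (an assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def ecdsa_sign(msg, a_priv):
    """ECDSA signing, eqs. (25)-(28). k must be fresh, uniform and secret per signature."""
    while True:
        k = secrets.randbelow(n - 1) + 1
        x1, _ = ec_mul(k, P)
        r = x1 % n
        if r == 0:
            continue                                   # eq. (26): pick another k
        s = pow(k, -1, n) * (hash_to_int(msg) + a_priv * r) % n
        if s != 0:                                     # eq. (28): restart if s = 0
            return (r, s)

def ecdsa_verify(msg, sig, PA):
    """ECDSA verification, eqs. (29)-(32), including the range check on r and s."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    w = pow(s, -1, n)
    u1, u2 = hash_to_int(msg) * w % n, r * w % n
    X = ec_add(ec_mul(u1, P), ec_mul(u2, PA))
    return X is not O and X[0] % n == r                # v = x2 mod n must equal r

if __name__ == "__main__":
    a_priv, b_priv = 7, 4                              # constructed private keys
    print("shared PK (A, B):", ecdh(a_priv, b_priv))   # both (7, 6)
    PB = ec_mul(b_priv, P)
    Pm = ec_mul(3, P)                                  # a constructed message point
    print("ElGamal round trip:", elgamal_decrypt(elgamal_encrypt(Pm, PB), b_priv) == Pm)
    sig = ecdsa_sign(b"constructed message", a_priv)
    print("ECDSA verifies:", ecdsa_verify(b"constructed message", sig, ec_mul(a_priv, P)))
```

With n = 19 every private key can be recovered by trying 18 scalars, which is exactly why the ECDLP must be instantiated on curves of cryptographic size.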


FIGURE 8. Interaction diagram for the ECIES cryptosystem. In this case PK represents a shared secret generated using the ECDH algorithm, and is used to generate two secret keys with a key derivation function (KDF). The operations E and D are the encryption and decryption functions for a symmetric cipher. m, c, and t represent the plain message, the encrypted message and a MAC tag, respectively.

4) DIGITAL SIGNATURES
A digital signature of a message is a code dependent on the signer's private key and the message being signed. Signatures must be verifiable; if a dispute arises as to whether a party signed a document, an unbiased third party should be able to resolve the matter using the public key of the signer [18].
ECDSA: With a private key a and a public key PA, to generate a signature for the message m, A selects a random k ∈ [1, n − 1] and computes

$k \cdot P = (x_1, y_1).$ (25)

Then A computes

$r = x_1 \bmod n$ (26)

and if the result is zero, a different k must be selected. Next, A calculates

$e = H(m)$ (27)

and

$s = k^{-1}(e + a \times r) \bmod n,$ (28)

where H denotes a cryptographic hash function. If s = 0 the process must be restarted. The signature for the message m is the pair (r, s). Fig. 9 provides an interaction diagram for this signature scheme.
To verify the signature generated by A, user B must have an authenticated copy of PA. First, B verifies that r and s are valid integers; if any verification fails the signature is rejected. After the verification, B computes

$e = H(m)$ and $w = s^{-1} \bmod n.$ (29)

Next, B calculates

$u_1 = e \times w \bmod n$ and $u_2 = r \times w \bmod n.$ (30)

Then B computes

$X = u_1 \cdot P + u_2 \cdot P_A = (x_2, y_2).$ (31)

If X = O the signature is rejected. Finally B computes

$v = x_2 \bmod n.$ (32)

The signature is accepted if and only if v = r.

FIGURE 9. Interaction diagram for the ECDSA scheme. The message to be signed is represented by m and the signature itself is represented by (r, s).

Fig. 10 presents a classification of the reviewed cryptosystems. Some derived algorithms that were not mentioned in this review are also included in the classification for completeness; these can be looked up in [12].

FIGURE 10. Classification of different Elliptic Curve based security schemes.

E. ECC AND OTHER PKC SOLUTIONS
As reviewed in the previous examples, the most important security services provided by ECC include key establishment, confidentiality, integrity, and authentication. However, ECC is not the only cryptographic solution for these tasks.
Before ECC gained widespread attention, systems which relied on integer factoring and discrete logarithms over multiplicative groups were used as PKC instances. Perhaps the most popular of these is RSA, proposed in 1977 for creating encryption and digital signature methods. Nowadays this scheme is still supported and used by many internet servers. Due to breakthroughs on algorithms for solving its underlying hard problem, the length of RSA’s operands has increased to 3072 bits for a security level of 128 bits. In comparison, ECC only requires operands of 256 bits for the same security


level. This difference of an order of magnitude is a significant advantage for ECC, as shorter operands imply shorter computing times and smaller storage requirements.
Garbled circuits [20] are a classical instance of a cryptographic approach for achieving secure two-party computation. These constructions were first described in 1986 and have been called ‘‘the first secure computation protocol.’’ Their main application is enabling two mistrusting parties to achieve a secure function evaluation (SFE) while providing privacy, authentication, and obliviousness [21]. These protocols rely on a primitive called oblivious transfer which is difficult to achieve; classical proposals relied on RSA in this regard. The use of these constructions in constrained environments is limited by performance and storage issues that have not been properly addressed. Moreover, the proposals in the literature have limited the study of the security of garbled circuits to reduced adversarial models (semi-honest) and often rely on symmetric primitives which represent additional costs.
A notion which was considered almost from the beginning (one year after RSA), but believed to be inapplicable for many years, is homomorphic encryption (HE) [22]. Under this scheme it is possible to perform computations on a ciphertext without decrypting the data. This implies that an entity applying some processing over confidential information does not require disclosure of such secrets. Although partial homomorphism was possible using many classical cryptosystems, among them RSA, fully homomorphic encryption (FHE) was created with the development of lattice-based cryptography. Both learning with errors (LWE) and NTRU have been used to create homomorphic encryption schemes [23], [24]. The main application of FHE is to allow an untrusted party to carry out computations over a protected secret without granting it access to the data; this represents an extension of the notion of privacy.
Beyond the scope of HE, lattice-related problems (SIS, LWE, RLWE, MLWE, LWR, MLWR) have been employed for creating PKC solutions [25]. The main advantages of lattice-based cryptosystems include strong provable security guarantees, flexibility, and high asymptotic efficiency [26]. Although lattice-based systems can perform encryption and decryption operations with relative efficiency, their key sizes are much larger than those of RSA or ECC, which makes their use impractical for constrained devices.
When the underlying one-way function used in a cryptographic construction uses an error correcting code, such a solution is denominated a code-based cryptosystem [27]. The McEliece public key encryption scheme, proposed in 1978, is acknowledged to be the first of these systems. The main feature of code-based systems is their security: the McEliece cryptosystem remains secure nowadays with just minor tweaks. Their main downside is the size of their key pairs, larger than even those used in lattice instances. Both lattice and code solutions are believed to resist quantum attack models and so, although not as efficient as ECC, are of interest for the research community. The study of the impact of quantum computers on PKC, as well as the discussion on the advances in the development of quantum computers, are outside the scope of this work.
Systems based on elliptic curve groups achieve greater efficiency and flexibility than the aforementioned alternatives. They have been adopted in a wide range of applications, and in some cases under critical constraints. ECC is the most popular of such systems, but in the literature it is possible to find different alternatives which extend its security features.
Bilinear pairings over elliptic curve groups have been used to construct cryptographic schemes which make use of the user’s identity [28]. Identity based encryption (IBE) [29] is perhaps the most notorious of such proposals. Under this model, the public key of a user is a random string which can provide some meaningful information associated with the identity of the user: name, address, email. The secret keys are distributed to each user by a trusted third party in a secure way. The main advantage of these constructions is the ease in the management and distribution of public keys. Although this field has great potential in consumer appliances, as described in [28] ‘‘[i]t makes the cryptographic aspects of the communication almost transparent to the user’’, for constrained devices the increased complexity obfuscates its advantages.
Attribute based encryption (ABE) [30] is a modification of the identity-based systems in that the ‘‘identity’’ is ‘‘a set of descriptive attributes.’’ The security of ABE also relies on bilinear pairings defined over elliptic curve groups. This scheme can be used in structured multi-party environments where a single policy can provide distinct access levels based on each party’s attributes. Efficiency concerns also restrict the use of ABE solutions in constrained environments.
Although the research on pairing based cryptography is still novel, in the literature we can find some instances of such systems in the context of lightweight cryptography [31]–[34]. Such works are not included in this survey since the study of lightweight pairings is not our main focus. Nonetheless, since elliptic curves are an essential part of pairing based cryptography (IBE, ABE, . . .), ECLC would also impact the realization of such systems and possibly will enable their practical use in IoT domains.

F. SUMMARY
Up to this point we have reviewed concepts which are important in understanding the survey. Fig. 11 provides a diagram which summarizes the relations between some of the different topics reviewed.

III. METHODS
This section describes the methodology for the literature review, the classification categories, and the surveyed data. The labels introduced in this section are used throughout the rest of the document for identifying the surveyed data.

A. SYSTEMATIC REVIEW
This review was conducted over papers retrieved from four electronic collections: IEEE Xplore, Springer Link, ACM


FIGURE 11. Summary of different concepts reviewed and their relations.

Digital Library, and Science Direct. The terms ‘‘lightweight ECC’’, ‘‘lightweight elliptic curves’’, ‘‘low-area ECC’’, and ‘‘low-power ECC’’ were used to search for the related works. Given the scope of this work, the analysis was focused on those papers where the authors use the adjective ‘‘lightweight’’ to describe their proposal. The additional terms included in the querying process allowed us to gather a wider set of documents, which were then screened. The review was updated up to September 2018.
In total 91 papers were obtained from the digital libraries consulted. Using the criteria of being called ‘‘lightweight’’ and using Elliptic Curve Cryptography, this set was reduced to 62 papers. All of these are considered in our qualitative and quantitative analysis.

B. SURVEY CATEGORIES
The qualitative assessment of the surveyed papers is divided in two parts. First we provide summaries of the surveyed data in which the papers are grouped according to the categories described in the following. In the second part we offer our qualitative assessment of all the works as a set. The latter represents an analysis of ECLC as a whole.
We use three categories for structuring the presentation of the surveyed papers:
CAT1 Papers which propose elliptic-curve based lightweight protocols.
CAT2 Papers which propose elliptic-curve based lightweight algorithms for solving group operations.
CAT3 Papers which propose elliptic-curve based lightweight realizations, divided in software, FPGA, and ASIC.
These categories allow us to focus the analysis and discussion on reduced contexts. In this way we can provide general strategies, metrics, and results for each case.

C. SURVEYED DATA
In the following we review the information that we sought to extract from every paper and introduce labels for identifying each field.

A) WHY IS IT CONSIDERED LIGHTWEIGHT?
In our review we found a variety of motivations followed by authors to describe their works as ‘‘lightweight’’ or to use this keyword. However, a specific reasoning is rarely made explicit. Six main motivations are identified:
[A1] New protocol: A protocol is presented to establish a shared secret, to authenticate a node, or to sign a message. In this case the objective is to reduce the number of operations and thus to reduce the quantity of messages being sent.
[A2] Optimized implementation: With aims to implement at the lowest possible cost the arithmetic in ECC, which includes scalar multiplication, point addition, point doubling, and field operations. This category also covers software or hardware implementations which make use of optimization techniques such as highly optimized assembly and low level digital design.
[A3] Modification to ECC: Contributions in this category present an alternative to generic ECC constructions aiming at reducing resource consumption or improving its implementation performance in constrained devices. Examples of


this include modifications to the form of the underlying finite field, the elliptic curve family, the group algorithms, the point representation, or the scalar representation.
[A4] ECC-based: Some works define their proposals as lightweight just by using ECC instead of classical alternatives like RSA. Whereas there is some truth to such an affirmation, what we propose as lightweight involves more design and implementation considerations which tailor the solution to the application.
[A5] Tailored system: By replacing instances of asymmetric primitives or RSA and its relatives on legacy systems with ECC, some proposals claim to achieve lightweightness. This can be considered similar to A4; however, in this case more design aspects are involved.
[A6] More lightweight than the SoTA: Some validation is provided when a solution claims to be lightweight by requiring fewer resources than some other work in the literature. This does not say anything about the work used as reference, however. If an ECC based system is implemented, and then said to be lightweight from the results obtained but the design aspect is missing, we assign it this classification.

B) ABSTRACTION LEVELS OF THE WORK
Design abstraction levels can be observed in the development of solutions for constrained environments. This idea was originally proposed by Fan et al. [35], who illustrate a security pyramid which delimits four abstraction levels to achieve a low-power implementation of ECC: System, Protocol and Algorithm, Architecture, and Circuit. This concept can be extended to lightweight solutions which consider not only power reduction, but area, performance, and security as well. In this survey we propose five abstraction levels which can be identified in the design of a lightweight security solution. We have opted to separate the protocol and algorithm levels since they differ substantially in the underlying problems and the evaluation metrics used.
[B1] System: A contribution which considers technology-specific optimizations to improve the quality of its proposal (for example, optimizations which exploit the characteristics of WSN) is considered to observe the System abstraction level. By nature, all protocols are considered to be ‘‘system aware’’, as they are generally designed with the application requirements in mind.
[B2] Protocol: A lightweight solution which seeks to provide security services in the scope of public key cryptography (i.e., authentication, signature, key establishment) for constrained environments (the System) ought to consider the protocol design with the aim of reducing the computational time and the amount of information being transmitted over the wireless channel. Works which propose optimizations concerning the protocols being utilized are considered to meet the Protocol abstraction level.
[B3] Algorithm: The security algorithms are closely associated with the underlying elliptic curve group. If a proposal aims to be adopted by constrained devices, it is expected that it should make use of algorithms adapted for the application (the System and the implementation technology). The Algorithm abstraction level is met if the works fulfill this requirement. Software implementations are also considered in this category, since the optimizations focus on tailoring the algorithms to a given processor architecture.
[B4] Architecture: Architectures which implement the proposed algorithms efficiently in order to meet the application constraints. The design of a digital circuit to perform computations (regardless of the implementation technology) entitles a work to the Architecture abstraction level. Different technologies exist which allow for implementing architectures of digital circuits, the most common ones being FPGA and ASIC. In the former a description of the architecture is created and then mapped to an array of logic elements present in the FPGA. Most of this process is done automatically by vendor-specific design tools and so implementations targeting FPGA are said to meet only the Architecture abstraction level.
[B5] Circuit: ASIC design provides greater control over the final product and enables optimizations at circuit level which can help improve the efficiency of a solution. Proposals which use this implementation technology are said to meet the Circuit abstraction level. Low-level FPGA design also enables circuit level optimizations; however, these processes are uncommon as FPGAs are generally used for rapid development and testing. If a publication deals with low-level FPGA design it can also be said to meet the Circuit abstraction level characteristic.

C) MAIN GOALS OF THE WORK
We identified the main contributions of a paper based on its design goals. Some proposals seek throughput improvement, runtime reduction, or latency reduction. Others aim at reducing physical area or memory usage. Some try to improve security or reduce the amount of data transmitted. By identifying a ‘‘main’’ goal, we do not say that a work overlooks the other goals, but that they simply take extra steps to improve a specific characteristic. The main aim(s) of a work can be:
[C1] Performance: To reduce the cycle count or the latency of the proposal. This usually encompasses faster algorithms, reduced number of operations, and reduced number of steps, among others. This trait is commonly associated with metrics such as throughput, latency, frequency, and runtime. The implementation platform determines important characteristics such as the frequency, which affects the throughput and the runtime. A more technology-independent measurement is the latency, which is the required number of cycles to perform a task, usually clock cycles or processor cycles. The latency, however, depends on the implementation strategy for the algorithm.
[C2] Hardware resources: To reduce the memory footprint of a software implementation or the element count in the case of hardware. The use of smaller fields generally falls in this category, along with reducing the variety of the operations and


optimizing the circuit design for hardware implementations. For software-oriented solutions the resource usage usually translates into memory usage, which can be program memory (code lines) or application memory (bits). In regard to hardware implementations, most commonly this is associated with the target platform. In the case of FPGAs the resource usage can be given as a count of FPGA elements utilized (slices, Look-up Tables, Flip-Flops, block RAMs, multipliers (DSPs)). For ASIC the resource usage is equivalent to the implementation size, which is commonly given in gate equivalents (GE).

[C3] Security: To select a high security setting and then start from it to build the lightweight solution. Mitigating a wide range of attacks and improving the security features of the system also falls in this category. Some of the reviewed works measure the security of their proposals based on the number of attacks resisted. Other approaches may consider relating this with the key size utilized.

[C4] Bandwidth: To reduce the quantity of data transmitted, which frees up the communications channel and saves energy. In the design of protocols the number of bits that are required to be transmitted is usually reported. This can also be related to the number of messages required to be exchanged. Both influence the bandwidth of the system and the energy consumption of the platform.

[C5] Energy: Systems which have been designed in order to reduce power dissipation or energy consumption. Power dissipation is a key feature for passive elements such as RFID tags; it can be divided into quiescent and dynamic power. It has a direct relation with the physical size of the device, the operational power and frequency, and the temperature. Energy consumption is derived as a function of power dissipation and execution time; it is important for battery-powered devices, where a higher consumption impacts the lifetime of the platform.

D) SYSTEM
Lightweight solutions are required for different constrained environments. Depending on the specific application, the interests or goals of a paper might be shifted. For each work we have assigned a “main” system that it targets. The IoT tends to be used as a cover-all alternative, but given its heterogeneity and novelty little is known about its requirements. In contrast, RFID and WSN have clearly defined scopes and a handful of implementation devices. Designing for WSN or RFID, therefore, enables some works to take more application-related trade-offs. Emerging technologies are also represented with e-Health and Smart Grid; these are well defined but more recent. Embedded and mobile systems are as well mentioned as target systems by some works. These have been around for some time and include devices with less energy/processing/cost restrictions than IoT and similar.

[D1] IoT: The Internet of Things, an interconnected network of heterogeneous applications which are expected to change the world in the next 10 years.

[D2] RFID: Extremely constrained systems which operate passively. Their cost is low and so they have widespread use in commercial applications such as inventory monitoring.

[D3] WSN: Represent the link between the physical and the cybernetic world. Information systems rely on information, and this information can only be retrieved effectively by sensors. The deployment costs and security concerns have restricted their practical use to research and military applications. Since these devices are actively consuming energy and their retrieval after deployment is impractical, open problems regarding extending battery duration, energy harvesting, and preventing contamination of the environment must be resolved.

[D4] e-Health: With a population that grows old, many countries must seek ways to automate healthcare systems. We have grouped technologies such as WBANs and remote monitoring of patients into this category. In this group the applications are deeply connected to the user, and so ensuring confidentiality, privacy, and comfort are key aspects for any such solution.

[D5] Smart Grid: Novel technology which proposes to improve the electrical grid in order to improve its efficiency and QoS.

[D6] Embedded systems: Denomination used to refer to “everything on a board” systems. The definition says little about its requirements. Embedded systems have been built for decades and are a core technology for industrial automation processes.

[D7] Mobile systems: The physical embodiment of ubiquity. Human society took the phone and turned it into a network which enables sharing multimedia information in real time, all the time, everywhere that there is coverage. State of the art mobiles have higher specifications than many desktop computers. However, the security requirements of the former are enhanced given their wireless nature. A mobile terminal must be protected against remote and direct access, in a similar way to a WSN.

E) IMPLEMENTATION TECHNOLOGY
Among the surveyed works a differentiation can be made according to the implementation platform used. Whereas some works have been developed with the aim of achieving high efficiency as software solutions for constrained processors (usually with word sizes of 8 bits), others try to achieve high efficiency through hardware circuitry reduction (as dedicated coprocessors or stand-alone computing units). By choosing the implementation target in an early stage of development, some considerations can be made to further optimize the system at the cost of a loss in its generality. By maintaining generality, the cost is a loss in the improvement potential. The set of papers can be divided in two broad groups: software and hardware. The latter can then be divided between FPGA and ASIC.

[E1] Processor: A defined general-purpose architecture is used to run a sequence of instructions or code. This code is created in order to implement a specific processing task with the help of memory spaces. The number of instructions in the sequence and the amount of memory required are called temporal and spatial complexity, respectively. Reducing these complexities fits within the algorithm abstraction level.

[E2] FPGA: A reconfigurable array of gates which can be activated to create a specific datapath. This reconfiguration map is generally created by automated design tools based on an RTL design, synthesized from an architectural description. The architectural description used to be created with a Hardware Description Language (HDL); however, nowadays High Level Synthesis tools are available which allow using common languages like C in order to describe the desired behavior. As the designer goes deeper in the design tree, the optimization possibilities widen. In all the reviewed FPGA-related works the proposals seem to use an HDL to describe the architecture.

[E3] ASIC: The same RTL design used for FPGAs can be compiled for ASIC libraries. An Application-Specific Integrated Circuit (ASIC) is a chip manufactured with the minimum number of transistors required to implement an architecture. The area or physical size is reported in area units (mm², µm², nm²); this can be used to obtain an estimation of the number of gates required for the circuit: gate equivalents (GE). This metric is the most common ASIC measurement given. It is commonly accepted that a GE equals a 2-NAND in size.

F) SECURITY LEVEL
We have retrieved details of the fields, groups and curves utilized when available. However, the complete information is generally not available and thus cannot be used to classify the works with a high level of detail. It is understandable that the information is often not available since generality and optimization go hand in hand. A work with high generality can function with a wider range of fields and curves. This generality can be exchanged to achieve higher efficiency. Most of the works do describe the field length or the security level, however. We have divided the different security levels according to NIST recommendations for key usage:
[F1] Less than 112-bit: this is no longer recommended.
[F2] Equal to 112-bit: this is recommended until 2030.
[F3] Higher than 112-bit: which can provide security beyond 2030.

IV. SURVEYED WORKS
This section presents data gathered from the set of publications retrieved, which have been denominated lightweight in the publication or related media. We have divided the papers according to the results provided: protocol designs, algorithm specifications, software design, FPGA implementation, ASIC implementation.

A. CAT1: LIGHTWEIGHT PROTOCOLS
Protocols denominated lightweight aim to provide security services for constrained applications. These security services involve most commonly authentication, signature, and key establishment, but data encryption is also considered. The works which involve protocol design usually do not carry out implementation of their solutions, and so the efficiency of these schemes is evaluated using estimated metrics for the number of operations required and the amount of bits transmitted.

Table 2 presents a summary of the most important characteristics of the reviewed protocols. The security services and application scope for each protocol are provided. The different cryptographic primitives required and the participants considered are also reported.

TABLE 2. Summary of the main characteristics for the surveyed protocols denominated lightweight.

CAT1 STRATEGIES AND REMARKS
All the protocols reviewed specify an application scope. Most predominantly, IoT and its underlying technologies are chosen as proposed applications. In order of predominance, the proposed protocols perform tasks of authentication, key establishment, encryption, and digital signatures.

Although most of the works specify a preference for a prime or a binary finite field, the field length is not always available. A specific elliptic curve is not clearly proposed in most of the cases and neither is the group generator or its order. Similarly, the group operations or the point representation required to perform the scalar multiplication are rarely described.

From the reviewed works which have been classified under the protocol abstraction level, all of them rely on the scalar multiplication, with high predominance of pseudo-random number generators (PRNG) and symmetric primitives such as hash functions and block ciphers. Some of them require additional field operations which have been included as modular arithmetic in Table 2.

As for evaluation metrics, the number of operations, the runtime, and the bits transmitted are the most popular alternatives. If the protocol was implemented then it is possible to obtain a runtime; if not, the operations cost is provided. The amount of information transmitted is also important since it determines the bandwidth requirements of a proposal.

Designing a security protocol is a challenging task. The base knowledge required ranges from cryptographic basis, passing by networking theory, to attack models.

In the case of the first, it is necessary to define a strong cryptographic basis for the security of the protocol to rely on. Elliptic curves are interesting in this regard as they require smaller operand sizes than other asymmetric techniques and so contribute to reducing the transmission costs.

Assumptions about the network model and topology determine the number of participants in the protocol. Even though the basic scenario involves a two-party system, it is also possible to consider third-party service providers (e.g. Certifying Agencies), back-end servers, databases, or group schemes. Having fewer participants simplifies the network specifications required but increases the complexity in the design and so the overhead of the protocol in the underlying systems.

The application scope can also help to determine the attacks which are more important to offer protections against. Creating a protocol which resists more attack models improves the security of the network, but this results in requiring more underlying operations, more diverse cryptographic operations, and often more complex network specification requirements.

From the survey, it can be noted how a common approach is to limit the computations that are performed in the constrained device and to define properly which attacks the system should be protected against. These strategies coupled with the use of efficient classes of elliptic curves can help to


achieve a protocol specification which can be denominated lightweight.

B. CAT2: LIGHTWEIGHT ALGORITHMS
In our survey we have identified cryptographic algorithms which are designed to be more efficient than generic alternatives. Table 3 provides a summary of the different algorithms surveyed. In this table we report the problem which is solved by the algorithm, the cryptographic basis of the proposal, the approach followed by the authors to design the algorithm, and the goal of such design.

TABLE 3. Summary of the different abstract algorithms denominated lightweight which were surveyed.

CAT2 STRATEGIES AND REMARKS
In most of the surveyed works with emphasis at the algorithmic level the main goal is to improve the running time of the scalar multiplication. By exploring novel families of elliptic curves, special primes to define finite fields, or special point representations, each work aims to reduce the number of field operations required in the group arithmetic. The end goals for such optimizations are usually improving performance by requiring fewer operations or by requiring fewer storage registers.

Even though it is convenient to divide the algorithms found in the literature in two classes for benchmarking purposes, the strategies involved in the creation of a lightweight algorithm are similar.

Using special families of elliptic curves or special point representations allows reducing the number of field operations required to perform group operations (point multiplication, point addition, point doubling). This helps both the algorithms and their implementation.

The use of mathematical resources such as the common Z strategy (Co-Z) [77] is an alternative which can also lead to a reduction in the number of field operations or registers required in an algorithm. In this case the point representation is modified during processing, at the cost of point conversions before or after processing.

Factoring common expressions is a technique which helps to reduce the number of computations required at the cost of extra memory to hold the intermediate results. This method is interesting for systems that can afford to use some temporary registers in order to reduce the total number of operations. In the same tone, performing the calculations as constants pre-deployment can free up processor cycles at the cost of the energy required to hold the value. Both strategies are found in contributions of novel formulae with a reduced number of field operations.

The field representation can also be exploited in order to improve the efficiency of an ECC-based realization. The Optimal Prime Fields and the pseudo-Mersenne prime fields are a couple of such cases. The influence of the prime selection varies from reducing storage space, achieving completeness in the group operations, obtaining processor-friendly field arithmetic, among others.

C. CAT3: LIGHTWEIGHT ECC REALIZATIONS
1) SOFTWARE IMPLEMENTATIONS
Table 4 shows a summary of the papers reporting algorithms for lightweight cryptography implemented in software. This table reports the cryptographic basis of the different implementations but also provides technical details about the underlying platform, the performance benchmark, and the implementation goal.

TABLE 4. Summary of the reviewed ECC implementations in software denominated lightweight.

2) HARDWARE ARCHITECTURES
All the hardware implementations surveyed propose an architectural design. Generally speaking, a hardware architecture is the realization of an algorithm using digital circuits. In this sense, a group of hardware components is interconnected in a way that through the use of control signals it is possible to perform computations over the input data and achieve a desired result. These can be classified as processors, co-processors or standalone architectures. The main difference between these approaches lies in the generality of the solution. Whilst a processor should be able to perform a wide range of related operations, compromising the generality allows for implementation optimizations to achieve more efficient solutions.

Table 5 summarizes the main characteristics and benchmark for the different FPGA implementations found in the literature denominated lightweight. In this case we consider that all the works surveyed for FPGA implementation of ECC feature the Architecture characteristic.

TABLE 5. Summary of the reviewed ECC implementations in FPGA denominated lightweight.

3) HARDWARE CIRCUITS
Once an architecture has been conceptually designed and described, there is still an implementation step required to obtain the physical realization of the system. The implementation of hardware architectures can be approached from two main technologies which currently rule the market: using an FPGA or creating an ASIC. In both cases, a formal description of the architecture is used to generate a register-transfer level (RTL) description of the circuit. This new description is then mapped to a reconfigurable array of Look-Up-Tables, Flip-Flops, and other generics in the physical FPGA board, or compiled using CMOS libraries into an array of transistors which is then manufactured into a silicon chip. The main advantage of the FPGA technology is the rapid development and implementation process which makes it captivating for prototyping and testing. In the case of ASIC the main advantage lies in the technology level optimizations (Circuit) which can be applied to the chip in order to achieve greater efficiency.

The ASIC implementations of ECC found in the literature are summarized in Table 6. In this case we consider that all the ASIC proposals surveyed perform optimizations at circuit level and hence feature the Circuit characteristic according to the abstraction levels proposed. The benchmark for ASIC implementation reports the technology used, the implementation costs in GEs, the latency of the circuit, and the power and energy estimations when available.

CAT3 STRATEGIES AND REMARKS
Software implementations are intended for providing security services. As can be noted from Table 4, only seven surveyed software implementations perform scalar multiplication routines. In most of the cases the curves used are defined, ranging from a curve-optimized solution to offering support for a family of curves. The security levels offered range from 80 to 128 bits in the majority of the cases. The preferred optimization goal identified was to improve performance, in the form of shorter runtimes.

The implementation platforms are not uniform in architectural type nor register size. Some of the surveyed papers developed software implementations for generic processors, which are usually found in environments where regular ECC can be used. Most of the implementations targeted processors available in mobile systems, like smartphones. Whereas the processing power of these chips is not a problem, they can still benefit from ECLC traits such as low energy consumption and small bandwidth requirements. Lastly, only a handful of the implementations targeted the lower end of processors which are found in WSN motes and RFID tags. In these cases both the processor time and the energy footprint of the implementation ought to be observed closely.

As for evaluation of the proposals, some of the metrics reported are the runtime, the operational frequency achievable, the latency, and the energy consumption. These are in line with software implementations.
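Two of the algorithm-level (CAT2) strategies discussed above, pseudo-Mersenne prime fields and the co-Z point addition [77], worked through in code as an added example; this is not code from the survey or from any surveyed work. The field p = 2^8 - 5 = 251, the curve y^2 = x^3 + x + 1 and the point (0, 1) are constructed toy parameters, and the shared-Z addition (ZADD) is the standard co-Z formula for Jacobian coordinates.

```python
from dataclasses import dataclass
from typing import Tuple

Point = Tuple[int, int]   # affine (x, y); the point at infinity is not handled here


@dataclass(frozen=True)
class PseudoMersenneField:
    """F_p with p = 2**k - c: only (k, c) need storing, and reduction needs no division."""
    k: int
    c: int

    @property
    def p(self) -> int:
        return (1 << self.k) - self.c

    def reduce(self, x: int) -> int:
        """Reduce 0 <= x < p**2 modulo p by folding: since 2**k ≡ c (mod p),
        x = hi*2**k + lo ≡ hi*c + lo. For small c a few folds bring x just above 2**k
        and conditional subtractions finish; this is the processor-friendly arithmetic."""
        while x >> self.k:
            x = (x >> self.k) * self.c + (x & ((1 << self.k) - 1))
        p = self.p
        while x >= p:
            x -= p
        return x

    def add(self, a: int, b: int) -> int:
        return self.reduce(a + b)

    def sub(self, a: int, b: int) -> int:
        return self.reduce(a - b + self.p)      # a - b + p lies in (0, 2p)

    def mul(self, a: int, b: int) -> int:
        return self.reduce(a * b)

    def sqr(self, a: int) -> int:
        return self.reduce(a * a)

    def inv(self, a: int) -> int:
        return pow(a, self.p - 2, self.p)       # Fermat; only for the affine check


@dataclass(frozen=True)
class ShortWeierstrass:
    """Curve y^2 = x^3 + a*x + b over a PseudoMersenneField."""
    f: PseudoMersenneField
    a: int
    b: int

    def on_curve(self, P: Point) -> bool:
        f, (x, y) = self.f, P
        rhs = f.add(f.add(f.mul(f.sqr(x), x), f.mul(self.a, x)), self.b)
        return f.sqr(y) == rhs

    def affine_add(self, P: Point, Q: Point) -> Point:
        """Textbook addition with one inversion; the reference for the co-Z result."""
        f, (x1, y1), (x2, y2) = self.f, P, Q
        if x1 == x2:
            raise ValueError("P == ±Q: needs doubling or infinity handling")
        lam = f.mul(f.sub(y2, y1), f.inv(f.sub(x2, x1)))
        x3 = f.sub(f.sub(f.sqr(lam), x1), x2)
        return x3, f.sub(f.mul(lam, f.sub(x1, x3)), y1)

    def affine_double(self, P: Point) -> Point:
        f, (x1, y1) = self.f, P
        lam = f.mul(f.add(f.mul(3, f.sqr(x1)), self.a), f.inv(f.add(y1, y1)))
        x3 = f.sub(f.sqr(lam), f.add(x1, x1))
        return x3, f.sub(f.mul(lam, f.sub(x1, x3)), y1)

    def to_affine(self, X: int, Y: int, Z: int) -> Point:
        f, zi = self.f, self.f.inv(Z)
        zi2 = f.sqr(zi)
        return f.mul(X, zi2), f.mul(Y, f.mul(zi2, zi))

    def co_z_add(self, P: Point, Q: Point, Z: int):
        """ZADD: Jacobian P=(X1,Y1,Z) and Q=(X2,Y2,Z) sharing the SAME Z.
        Returns (P+Q, P', Z3) where P' is P rewritten with Z3, so the sum and P'
        again share a Z and can feed the next addition: 5M + 2S, no inversion."""
        f, (X1, Y1), (X2, Y2) = self.f, P, Q
        A = f.sqr(f.sub(X2, X1))           # (X2 - X1)^2
        B = f.mul(X1, A)                   # X1 (X2 - X1)^2
        C = f.mul(X2, A)                   # X2 (X2 - X1)^2
        D = f.sqr(f.sub(Y2, Y1))           # (Y2 - Y1)^2
        X3 = f.sub(f.sub(D, B), C)
        Y1p = f.mul(Y1, f.sub(C, B))       # Y1 (X2 - X1)^3
        Y3 = f.sub(f.mul(f.sub(Y2, Y1), f.sub(B, X3)), Y1p)
        Z3 = f.mul(Z, f.sub(X2, X1))
        return (X3, Y3), (B, Y1p), Z3


# Constructed toy parameters (not from any surveyed work): p = 2^8 - 5 = 251 is a
# pseudo-Mersenne prime, the curve is y^2 = x^3 + x + 1 and P = (0, 1) lies on it.
TOY_FIELD = PseudoMersenneField(k=8, c=5)
TOY_CURVE = ShortWeierstrass(TOY_FIELD, a=1, b=1)
TOY_P: Point = (0, 1)


def demo() -> Tuple[Point, Point]:
    """P + 2P via co-Z and via affine addition; both agree and P' still equals P."""
    Q = TOY_CURVE.affine_double(TOY_P)
    (X3, Y3), Pp, Z3 = TOY_CURVE.co_z_add(TOY_P, Q, Z=1)   # affine inputs share Z = 1
    assert TOY_CURVE.to_affine(Pp[0], Pp[1], Z3) == TOY_P
    return TOY_CURVE.to_affine(X3, Y3, Z3), TOY_CURVE.affine_add(TOY_P, Q)
```

The same `reduce` works unchanged for a production-size prime such as 2^255 - 19; only the point at infinity and the P = ±Q cases, omitted here, would have to be added for a full scalar multiplication.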


TABLE 6. Summary of the reviewed ECC implementations in ASIC denominated lightweight.

All the architectural designs found in the literature focus on the computation of the scalar multiplication, either as a processor, a co-processor, or an independent dedicated core. These works often define the curve or family of curves which is used, with security levels ranging from 80 to 128 bits in most of the cases. The FPGAs utilized are divided between Xilinx, Altera, and MicroSemi boards.

As implementation metrics the FPGA resources are reported for almost all of the cases. The operational frequency and latency cycles are also almost always reported. Unlike software implementations, however, the main optimization goal is reducing the area or the resource usage.

Similarly as with the case of FPGA implementations, all of the ASIC related works propose designs to perform scalar multiplications. In these references, however, it is possible to note how the number of supported curves per proposal is reduced from an average of 3.7 to 1.85 curves per work. This is evidence of the main difference between FPGA and ASIC works: FPGAs allow rapid prototyping and some generality pre and post synthesis, whereas ASIC designs are more optimized to take advantage of the domain parameters selected.

The libraries used in the surveyed works range from 180 nm to 65 nm. As implementation metrics, the works report area in GE, operational frequency, latency cycles, power dissipation, and energy consumption. As in the case of FPGA implementations, ASIC oriented works seem to favor area reducing optimizations.

The use of specific instructions which help to improve the performance of the implementation is also valid for software realizations. Some libraries have been made available with highly optimized routines which improve the processor's efficiency. Some rely on exploiting the word size of the architecture in order to achieve instruction-level parallelism whereas others make use of mathematical cores available to the processor such as floating point units and DSPs.

To create lightweight architectures it is important to first analyze the algorithm and determine, considering that a hardware implementation is sought, modifications in order to simplify the design. Compared to software realizations, hardware solutions often have trouble dealing with the control structure required by the system. A simplified architecture implies a simplified controller. Complexity in the control of the circuit can generate resource overhead and increased latency.

The processing generality required in the implementation is what determines the hardware design approach. Complex algorithms which rely heavily on conditionals or that require a wide set of subroutines are easier to implement in an application specific processor. If the implementation already considers the use of a processing system, hardware acceleration can be achieved with a dedicated co-processor and mapped memory. If the algorithm is simple enough and repetitive, then a hardware architecture is the best choice. All of these approaches can be used to solve a problem; the difference will be noticeable in the design complexity and the resource consumption of the final product.

Common approaches identified from the literature in the design of lightweight architectures for ECC involve:
• Determining if a specific module is really necessary or if the operation can be performed differently (e.g. squarings, inversions).
• Adjusting the word size of field multipliers to look for the best trade-off between resources and performance.
• Adjusting the width of the datapath to reduce the resources required to process the data.
• Modifying the way in which the data is stored in the system to reduce read/write times or to simplify the control.

In regard to circuits, the implementation might be improved in order to reduce the physical size, the latency in processing, memory access times, or energy consumption. Selecting the most suitable implementation technology for the application (e.g. LUT-4 vs. LUT-6), selecting a specific type of memory (e.g. BRAM vs. distributed), preventing spurious computations, and applying clocking techniques (e.g. clock enable and multiclock domain) are all circuit specific optimizations which can be performed to almost any architectural design in order to improve the efficiency of the implementation.

V. ASSESSMENT OF THE SURVEYED WORKS
In the previous section we provided a classification based on objective data retrieved from the surveyed works. We now try to evaluate all the papers as a set, by using the characteristics described in Section III. Table 7 summarizes our observations.

This data can be used for classifying the surveyed papers using clustering techniques. Other analyses can also be drawn from this information. These are provided in the next section.

TABLE 7. Summary of the different reviewed works which have been called “lightweight” by the authors in the publication or related media (presentations). The reason for lightweightness (A), abstraction levels (B), goals (C), system (D), implementation technology (E), and security levels are all reported for each paper. The X symbol indicates that an entry complies with the characteristic in that specific column. The different design goals specified in the works are summarized in priority order with 1st being the most important.

VI. DATA ANALYSIS
The information retrieved from the surveyed papers can provide insights regarding the design of novel elliptic curve based cryptosystems that can be denominated lightweight. For this reason it is important to present a quantitative analysis of the related works in the literature. This section is dedicated to providing a modern analysis and trends of the surveyed papers.

A. STATISTICS
We now review some quantitative measurements for the different characteristics reported in Table 7.

1) LIGHTWEIGHTNESS
From each paper we tried to determine the main reason for the work to be denominated lightweight. In some of the cases the motivation was explicitly stated in the papers. In others it was implicit and a more complete analysis was required to assess this characteristic as accurately as possible. All these descriptions, as reported in Table 7, were classified in six main reasons. The frequency for each one of these main classes is illustrated in Fig. 12.

As can be noted, the most predominant reasons to define a proposal as lightweight are by designing a lightweight protocol, by optimizing a lightweight implementation, and by proposing some lightweight variant of ECC.

Lightweight protocols rely on reducing the communications and memory overheads. Reducing the operations count, the operations diversity, the transmission overhead, and the memory requirements are all factors that should be covered in their design.

A good part of the publications surveyed cover the design and implementation of a complete cryptosystem. It is thus important to keep in mind that an ECLC solution starts with the elliptic curve: selecting the field, curve, representation, and algorithms. These are then translated into architectures and circuits for implementation. Each one of these steps must be aware of the application constraints.

Other reasons to define a paper as lightweight include the use of ECC over other PKC instances, the modification of a previously existing solution, and comparisons with the state of the art. These works showcase that the term “lightweight” is often used without the adequate substance to back the definition. Whereas it is not harmful to use the concept subjectively, it has the negative effect of misleading the researchers who might be interested in this field of study.

2) ABSTRACTION GOALS
We have also analyzed to what extent the five abstraction levels for ECLC are observed. The results are presented in Fig. 13. As can be noted, the quantity of papers which possess each characteristic has an inverse relation with the degree of specificity (from design to implementation). It is reasonable to expect that full systems which require longer development times (processors, co-processors, standalone cores) would be scarcer than protocols.

What we found surprising is that only 60% of the surveyed papers make use of the underlying system characteristics to create ECLC solutions. A possible explanation is that works without a clear problem to solve (technological challenge) seek to maintain generality and provide functionality for multiple systems. This contradicts the expectation that an ECC solution called “lightweight” is optimized for a specific technology. Even if the implementation scope is not clear, it would be convenient to at least observe the standards that govern the technology and derive optimizations from them.

3) DESIGN GOALS
The study of the design goals identified from the papers can provide insights into the differences between ECLC and other classes of lightweight cryptography. Fig. 14 shows how the design goals are represented in the surveyed papers. It can be noted that a primordial factor for ECLC systems is to achieve good performance, then security, and third to reduce the resource requirements of the system (hardware, bandwidth, energy). ECC is generally used because of improved security, thus it is not surprising that security is a top goal in the surveyed papers. But it is also true that ECC systems suffer from lengthy latencies. Consequently, unlike other types of lightweight cryptography, ECLC will try first to address the performance constraints of the system and then observe the resource requirements of the application.

4) TARGET SYSTEM
Another aspect that is important to remark from the surveyed papers is the application scope for which they were designed. Lightweightness certainly is tied to the technology, identified in this work as the first abstraction level. Lightweight cryptography is the cryptography that has been tailored for constrained systems. These systems, as shown in Fig. 15, evolve.

From our study, the IoT domain occupies the first place of ECLC application scope from the surveyed works.


FIGURE 12. Distribution of the main reasons to use the adjective lightweight in the surveyed papers.

FIGURE 13. Distribution of the surveyed works for the different abstraction levels. Note that the total does not equal 100% since some works appear in multiple categories.

FIGURE 14. Percentage of publications associated with the different design goals presented in the survey. Note that the total does not equal 100% since some works appear in multiple categories.

This novel technology promises to bring changes to the very structure of society, hence its relevance. In second and third spots we can find RFID and WSN, which are often defined as the basis of IoT. Overall, these three applications cover ∼70% of the surveyed works. Notable mentions can be made for e-Health and Smart Grids, which are emerging technologies.

FIGURE 15. Distribution of the application scope reported for the different surveyed works.

FIGURE 16. Implementation technology for the different proposals surveyed. Note that the total does not equal 100% since some works appear in multiple categories.

5) IMPLEMENTATION TECHNOLOGY
This review revealed that only 50% of the surveyed papers were implemented. Dividing the implementation technologies between software and hardware, they come even with about 30% of the instances each. Specifically in hardware, 13% of the works were implemented in FPGA and 20% were implemented in ASIC. These statistics are presented in Fig. 16.

6) SECURITY
Fig. 17 illustrates the quantity of works which propose to use the different security levels. As can be noted, more than half of the works surveyed propose to use security levels which are no longer recommended by NIST, and a third of them do not propose anything concrete.

B. QUALITATIVE ANALYSIS
An analysis which relies on the characteristics of the surveyed works is provided in the following.


FIGURE 17. Security level recommended by the different proposals surveyed. Note that the total does not equal 100% since some works appear in multiple categories.

1) CLUSTERING
Using the data collected in Table 7 it is possible to classify the surveyed papers into different groups. To do this we created an undirected graph where a matching characteristic between two papers is expressed as an edge. The created graph contains 60 nodes and 3921 edges⁴ and is presented in Fig. 18.
In that illustration each node represents a paper and each edge represents a matching characteristic. The size of the nodes is determined by their centrality and the weight of the edges is given by the sum of all the edges between two nodes. The different colors represent different communities. Edges with weight lower than 3 have been removed for visualization; the topology is a Circular Layout and the image was created using Gephi.⁵
In the graph it is possible to appreciate the connectivity between the clusters by the coloring of the edges. Uniform colors indicate intra-cluster links, mixed-color edges represent links between clusters. By using the Modularity analysis of Gephi it was possible to divide the papers into four groups as detailed in Table 8. A resolution of 0.81 with randomization and weights was used for this analysis.
The first group, Cluster 0, is dominated by works which are said to be lightweight by proposing an Optimized implementation (A2). The most predominant abstraction levels in this class are the architecture (B4) and the circuit (B5). The predominant optimization goals involve hardware resources (C2) in all the cases. In this cluster we can find almost all the FPGA and ASIC implementations.
The second set, Cluster 1, includes several works which propose a Modification to ECC (A3). The predominant abstraction levels are system (B1) and algorithm (B3). The main goal for all but one instance is to improve performance, and almost all the implementations included target processors.
In the third group, Cluster 3, we can note that the main reason for calling the works lightweight is the design of a New protocol (A1). Almost all the instances observe the system (B1) and the protocol (B2) abstraction levels. In these instances the optimization goal is performance (C1) or security (C2).
This method proved effective for dividing the papers into possible sets of interest. However, when the number of surveyed papers is extensive, it becomes difficult to collect the data needed for the classification. This is especially relevant when the aim is to pre-filter papers that might be related to the topic of interest and thus be attractive to the community. Modern data mining algorithms allow extracting metadata from text sources. These data can then be used to classify a wide set of papers.

2) EXTENDED CLUSTERING
Communities are groups which can be found in sets of items which share a certain relationship. For this work these items are publications. The set of documents surveyed, their references, and their citations can be represented as a graph. Classification algorithms can then be applied over these graphs to detect communities based on the graph's topology.
Starting from all the documents surveyed we extracted all of their references and linked them. In this way, multiple documents in the initial set can make reference to the same publication and become connected. Next, using Google Scholar⁶ we retrieved all the publications which reference the original set of documents and linked them as well. In this second step a new type of connection appeared in the original set. Some works became related through the papers that cite multiple elements of the original set. The resulting graph contained 1640 nodes and 2160 edges.⁷ The weight of the edges between documents in the original set was increased by 2 and the weight of the citations was increased by 1. The resulting graph is shown in Fig. 19 with a representation obtained using the Circle Pack Layout in the Gephi⁸ tool.
For the Modularity analysis we used a Resolution of 1.0 and allowed Randomization and Weight usage. With this analysis 19 clusters were identified. Details regarding the top six communities are presented in Table 9. Although the table only includes papers from the original set, the cardinality of each group is bigger.
The first group (Cluster 1) contains 211 elements (12.87%). Each one of the main papers included is said to be lightweight by proposing a Modification to ECC (A3), almost all have the system (B1) and algorithm (B3) abstraction levels assigned, and all seek to improve performance as their main goal. The set with Cluster 2 contains papers on ASIC implementations for the most part, whereas in the set with Cluster 3 are FPGA design proposals. Groups with Cluster 4, 14, 16 include a mix of protocols and software implementations with varying differences between them. For example, in Cluster 4 we can note a predilection for performance as design goal and lower security specifications.

⁴ The graph data is available at https://www.tamps.cinvestav.mx/~datasets/
⁵ https://gephi.org/
⁶ https://scholar.google.com
⁷ The graph data is available at https://www.tamps.cinvestav.mx/~datasets/
⁸ https://gephi.org/
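The graph construction of the clustering step, and the eigenvector-centrality ranking of the next subsection, can be reproduced in miniature. The Python below is an added example, not code or data from the survey: it tags a handful of constructed papers with the survey's own A/B/C category codes, draws one edge per shared characteristic, sums parallel edges into a weight (with the weight-3 visualization filter), and scores nodes by eigenvector centrality on the 0-to-1 scale on which the 0.3 threshold of Table 10 is read. Gephi's modularity clustering itself is not reimplemented.

```python
"""Added example (not from the survey or its dataset): the matching-characteristic
graph of the clustering step and the eigenvector centrality of the next subsection.

Codes follow the survey: A1-A3 reason for "lightweight", B1-B5 abstraction level,
C1-C2 design goal. The six papers are constructed samples, not Table 7 entries.
"""
from itertools import combinations
from math import sqrt

PAPERS = {
    "P1": {"A2", "B4", "B5", "C2"},   # optimized hardware implementation
    "P2": {"A2", "B5", "C2"},         # ASIC core, resource oriented
    "P3": {"A3", "B1", "B3", "C1"},   # modified ECC, performance on a processor
    "P4": {"A3", "B1", "B3", "C1"},   # same profile as P3
    "P5": {"A1", "B1", "B2", "C1"},   # new protocol, performance goal
    "P6": {"A1", "B2", "C2"},         # new protocol, security goal
}


def build_graph(papers, min_weight=1):
    """Return {(u, v): weight} with u < v, keeping edges of weight >= min_weight.

    One edge is drawn per matching characteristic, and parallel edges are summed
    into a single weight, as in the survey's Fig. 18 construction.
    """
    graph = {}
    for u, v in combinations(sorted(papers), 2):
        w = len(papers[u] & papers[v])
        if w >= min_weight:
            graph[(u, v)] = w
    return graph


def eigenvector_centrality(nodes, graph, iterations=200):
    """Power iteration on the weighted adjacency; scores scaled so the top is 1.0."""
    nodes = sorted(nodes)
    adj = {n: {} for n in nodes}
    for (u, v), w in graph.items():
        adj[u][v] = w
        adj[v][u] = w
    score = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        new = {n: sum(w * score[m] for m, w in adj[n].items()) for n in nodes}
        norm = sqrt(sum(s * s for s in new.values())) or 1.0
        score = {n: s / norm for n, s in new.items()}
    top = max(score.values()) or 1.0
    return {n: s / top for n, s in score.items()}


def central_papers(papers, threshold=0.3):
    """Papers whose centrality exceeds the threshold, as Table 10 lists them."""
    cent = eigenvector_centrality(papers, build_graph(papers))
    return sorted(n for n, s in cent.items() if s > threshold)


if __name__ == "__main__":
    for edge, w in sorted(build_graph(PAPERS, min_weight=3).items()):
        print("visible edge", edge, "weight", w)
    print("central papers:", central_papers(PAPERS))
```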


FIGURE 18. Analysis of the surveyed papers, as presented in Table 7, as a graph. The different colors represent different communities.

3) CENTRALITY
In the previous analysis we focused on the degree and quality of the connections of a node. However, in graphs there are other metrics which can provide useful information, such as the eigenvector centrality. An analysis based on this metric can provide a different set of relevant papers for a researcher interested in the topic. In Fig. 20 we illustrate the reference tree derived from an analysis that emphasizes the centrality of certain nodes. The Fruchterman-Reingold layout is used in this case.
Table 10 provides the list of the publications with centrality scores higher than 0.3 in the provided graph.
It is true that these analyses are not flawless; however, they provide insights regarding references that might be worth reading and related papers. Moreover, they represent a viable option when the number of papers is big.

4) KEYWORDS DETECTION
An easy way to review a wide set of documents is to perform keyword or topic extraction. These techniques use text from the papers, such as the titles, the abstracts, or the whole document, to extract words which are relevant to the document. These data can then be used to classify the documents. The main challenge is the processing power required for big sets of text.
A popular modern representation of the keywords of a set of texts is the word cloud. These diagrams, as the ones presented in Fig. 1 and Fig. 21, allow a visual representation of the most relevant words using the font size as differentiator. For the word cloud illustrated we extracted the titles of the surveyed papers, their references, and the papers that cite them, and used the tool WordCloud.⁹

TABLE 8. Top three communities identified in the set of documents surveyed, classified using the data in Table 7. These three communities include ∼92% of the surveyed papers.

FIGURE 19. Analysis of the surveyed papers, their references, and citations as a graph. The varying colors represent different communities.

TABLE 9. Top six clusters identified in the set of documents surveyed.

C. TRENDS
By incorporating the publication and citation dates of the surveyed works into the reference analysis it is possible to observe trends in the number of documents published and the number of citations.
Considering the set of documents surveyed, their references, and their citations, Fig. 22 illustrates the number of papers per year of publication. A simple analysis of the data shows that the tendency is exponential, as given by

$$f(t) = 1.83 \times 10^{-110}\, e^{0.1278\,t}. \quad (33)$$

If we focus on the surveyed papers only we can identify a similar behavior, as illustrated in Fig. 23. With limited data it is difficult to determine whether the growth tendency can be kept or if the number of related publications will become stagnant over time. For now it appears that there is a growing interest surrounding ECLC and related fields. This is expected to go hand in hand with the development of IoT and its evolving security requirements. This behavior follows the distribution

$$f(t) = 4.471 \times 10^{-248}\, e^{0.2837\,t}. \quad (34)$$

A similar behavior is observed in the distribution of the citations to the surveyed papers per year. This is illustrated in Fig. 24. This plot reveals that the interest in ECLC has sparked in the last five years. The rapid growth can be associated with the consolidation of IoT and related technologies. The projection shown in Fig. 24 is represented by the model

$$f(t) = e^{0.6474\,t - 1301}. \quad (35)$$

⁹ https://pypi.python.org/pypi/wordcloud


FIGURE 20. Analysis of the surveyed papers, their references, and citations as a graph. The size and color of the nodes are determined by their centrality.

If we study the citations to the surveyed papers on a case by case basis, it is possible to notice that there is no apparent relation between the number of citations and the year of publication. This analysis is presented in Fig. 25. A color code was included in the plot to showcase the number of references made by a paper. As can be noted, there seems to be a relation between the number of references a publication makes and the number of citations it receives.

VII. ECLC TAXONOMY AND APPLICATIONS
The advantages of ECLC over traditional asymmetric cryptography alternatives are clear: smaller key sizes, improved security, and flexibility, all inherited from ECC. When these are coupled with resource awareness and implementation efficiency, attractive solutions can be obtained. Being able to provide critical security services in constrained networked environments, without the drawbacks of conventional symmetric solutions, is the most important feature of ECLC.
The limitations stem from the novelty of the area. The main problems are the complexity in the design of ECLC solutions, the lack of interoperability, and the possibility of new vulnerabilities being discovered. All these can be addressed as long as there is a community interested in researching the field and new elliptic curves are proposed.
Fig. 26 illustrates ECLC as a function of the different characteristics retrieved from the papers. In this diagram we have included the three main reasons for defining a proposal as lightweight, the five abstraction levels, and the most important design goal for each work. In total 57% of the surveyed works are included in this representation.

TABLE 10. Documents with the highest Eigenvector Centrality (> 0.3) in the dataset of surveyed documents, their references, and the papers that cite them.

FIGURE 21. Word cloud generated with the abstracts of the surveyed papers. The size of each word is determined by its frequency in the source text.

From the surveyed data it can be appreciated that ECLC solutions usually first try to meet the performance and security requirements of the application. Reducing resource and bandwidth usage is often a secondary goal. From our experience, achieving high performance and security is critical for any security system. However, reducing resource usage (which impacts production costs) and energy consumption (which impacts device lifetime) are key factors in fomenting the adoption of emerging technologies. Carefully constructed trade-offs between performance, security, hardware resources, and energy are undoubtedly important. In the next section we provide strategies for creating ECLC systems.
From Tables 2 through 6 we can identify some state of the art uses of ECLC. Providing confidentiality, integrity, authentication, and key establishment, by means of encryption, signatures, key agreement, and authentication protocols, are common use cases. The technologies where these are found include:
• IoT [43], [46], [48]–[50], [52], [55], [58]
• WSN [38], [48], [59]
• RFID [36], [37], [40], [42], [47], [61]
• e-Health [57], [60], [63], [66], [67]
• Smart Grid [45], [51], [54], [65]
These instances exemplify the potential of ECLC for several technologies which are perceived to become dominant in the near future [106]. Ensuring that our information is safe under these constrained applications is the purpose of ECLC.

FIGURE 22. Publications per year in the last 20 years. Includes the papers surveyed, their references, and their citations.

VIII. STRATEGIES TO CONSTRUCT ECLC-BASED SOLUTIONS
We propose that the steps to follow for constructing an ECLC design and implementation process should match the abstraction levels presented in this survey. For the System level we have defined steps VIII-A to VIII-C. The Protocol level is reflected in step VIII-D. The steps VIII-E through VIII-G are associated with the Algorithm abstraction level. Finally, the levels Architecture and Circuit are grouped in step VIII-H.

FIGURE 23. Publications per year of the surveyed papers.

FIGURE 24. Citations per year to the surveyed papers.

FIGURE 25. Citations to each surveyed paper. The color code indicates the number of references made by the paper.

A. IDENTIFY THE PROBLEM
The first step requires clearly defining the problem and the security requirements. Based on this definition a set of security services can be proposed to provide protection for the system. Some of the most popular services from asymmetric cryptography are authentication, key establishment, and signatures.
Some works which clearly define the problem are those that specifically target RFID [42], WSN [38], or healthcare [57], among others. By knowing the problem, the required security services are defined.

B. DETERMINE THE IMPLEMENTATION PLATFORM
It is also important to identify the target implementation platform (the device) and the application constraints. It should first be defined whether the implementation will be in hardware or in software. For the former, select the implementation technology (FPGA, ASIC, or a different system) and study the hardware resources available in each case. For the latter, select a processor and study its architecture, its register width, the operations supported, and the memory availability.
From the literature review, some works that target WSN motes are [50] and [71]. These proposals have identified their implementation platform and designed their solution in such a way that it was useful for that platform. In the case of hardware, works like [88] and [89] have designed their solutions according to the features of the selected platform.

FIGURE 26. Taxonomy of ECLC. Only the most representative characteristics are included for visualization purposes.

C. IDENTIFY THE SYSTEM CONSTRAINTS
Depending on the specifications and features of the devices some operational constraints can be drawn. Others come from standards and norms if the system is to be compliant with regulations such as IEEE 802, ISO/IEC 14443, FIPS PUB 200, ISO/IEC 29182, among others. In general terms all limited devices share similar constraints, but the application may determine that some are more critical than others.
Take as example the proposals in Trujillo-Olaya et al. [4], Sojka-Piotrowska and Langendoerfer [59], and Sojka et al. [68], [78], which take into account the application scope in order to define the security features of the solution. This idea should not be limited to the security aspects of the proposal, however, but extended to the technical requirements of the system as in [40] and [50].

D. SELECT A PROTOCOL TO SOLVE THE PROBLEM
For most of the problems pertinent to networked environments general solutions are available in the literature. It is recommended, however, to construct an ad hoc protocol for the application scope. In this step the goal is to choose the protocol algorithm in general terms. This selection should account for the security services to be provided, which stem from the problem to be solved. Some of the most popular protocols include variants of ECDH, ECDSA, EC-ElGamal, ECIES, CoAP, and IKE.

E. SELECT THE DOMAIN PARAMETERS OF THE ELLIPTIC CURVE
Determine the ECC to be used with the protocol specified to provide security services for the system. Select the tuple of domain parameters $D = \{F_q, E, P, n\}$ as specified in Section II-D.
The most common fields $F_q$ to be utilized are the prime field and the binary field, the former being more efficient in software whereas the latter is preferred in hardware implementations. Current standards (NIST, IEEE, SEC, ...) recommend specific fields for security reasons. In the case of the prime field, it is defined by a prime p. In the case of the binary field, an irreducible polynomial F(x) defines it. The length in bits of p or the degree of F(x) must be compliant with the standards to meet a specific security level.
In the prime fields there are different elliptic curve families: random, Koblitz, Montgomery, Edwards, Twisted-Edwards, and most recently MoTE. For binary fields there are some other families: binary random, binary Koblitz, binary Edwards, and Hessian. Each one of these is a set of constructions called a family, which contains curves for fields of different length. These were discussed in more detail in Section II-B.
The coefficients for each curve model are also defined for each instance. The generator or base point for an elliptic curve is provided with the specification, and some have multiple generators. These values should be selected in a way that allows achieving advantages in the implementation of the cryptosystem for the target platform.
The contribution in [71] provides a good example of a clear description of domain parameters, designed for constrained environments, which are said to come from a "family of lightweight elliptic curves" (the MoTE curves). We shall use the MoTE curve P159 as case study:
• Field. The selected field is the prime field $F_p$ where
$$p = 2^{159} - 91. \quad (36)$$
The length of p is 159 bits, therefore the expected security of this curve is 80-bit.
• Curve. The curve is defined through the Montgomery model
$$E_M : B y^2 = x^3 + A x^2 + x \quad (37)$$
where
$$A = 3191566 \quad \text{and} \quad B = -3191568. \quad (38)$$
Since this is a MoTE curve, it is birationally equivalent to the Edwards curve given by
$$E_T : -x^2 + y^2 = 1 + d x^2 y^2 \quad (39)$$
where
$$d = 83722591639347487045608834894170521976562663492. \quad (40)$$
• Generator. Since the elliptic curve group is cyclic, any point on the curve can be a generator of the curve.
• Order. The order reported for the curve is $4l < p$ where l is a prime smaller than $2^{157}$.
• Co-factor. The curve has a co-factor of 4.
The first two parameters enumerated are mandatory in order to establish a system which is based on the curve specified. The generator is required in order to establish security protocols with additional parties; the difference with the first two parameters is that the generator can vary across instances of the security system. The last two parameters are related to the security of the system; these are not required for the system to work, however it is important to report them for security auditing.
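As an added worked example (not code from the survey or from [71]), the MoTE P159 parameters above can be checked and exercised in plain Python: the twisted Edwards coefficients of eqs. (39) and (40) are recomputed from A and B, and an x-only Montgomery ladder, the constant-time scalar multiplication discussed under step G, is run on the curve and cross-checked against the affine doubling formula. The base x-coordinate 9 is a constructed test input, not a generator from the specification.

```python
"""Added example, not code from the survey or from [71]: the MoTE P159 domain
parameters of step E (p = 2^159 - 91, Montgomery model B*y^2 = x^3 + A*x^2 + x)
checked and exercised with plain big-integer arithmetic."""

P159 = 2**159 - 91                     # eq. (36)
A_M = 3191566                          # eq. (38)
B_M = -3191568 % P159                  # eq. (38), reduced into F_p
D_REPORTED = 83722591639347487045608834894170521976562663492  # eq. (40)
# (A + 2)/4 is an exact small integer for this curve: the ladder constant.
A24 = (A_M + 2) // 4


def inv(x):
    """Modular inverse in F_p by Fermat; adequate for a demonstration."""
    return pow(x % P159, P159 - 2, P159)


def edwards_coefficients():
    """(a, d) of the twisted Edwards model a*x^2 + y^2 = 1 + d*x^2*y^2 that is
    birationally equivalent to E_M: a = (A + 2)/B and d = (A - 2)/B in F_p.
    For a MoTE curve a = -1, which is the shape of eq. (39)."""
    inv_b = inv(B_M)
    return (A_M + 2) * inv_b % P159, (A_M - 2) * inv_b % P159


def cswap(swap, x, y):
    """Branch-free conditional swap: identical operations whether swap is 0 or 1."""
    mask = -swap                       # 0 or all ones
    t = mask & (x ^ y)
    return x ^ t, y ^ t


def ladder(k, x):
    """x-coordinate of [k]P for a point P with x-coordinate x (k >= 1).

    Montgomery ladder in (X : Z) coordinates: every scalar bit performs one
    differential addition and one doubling, and the bit only selects which
    accumulator receives which result through cswap. This is the regularity
    the survey contrasts with branchy double-and-add (Python integers are not
    themselves constant time; the structure is the point). The formulas hold
    whether x lies on E_M or on its quadratic twist.
    """
    x %= P159
    x2, z2, x3, z3 = 1, 0, x, 1        # R0 = infinity, R1 = P, R1 - R0 = P
    swap = 0
    for t in reversed(range(k.bit_length())):
        bit = (k >> t) & 1
        swap ^= bit
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = bit
        ta, tb = (x2 + z2) % P159, (x2 - z2) % P159
        tc, td = (x3 + z3) % P159, (x3 - z3) % P159
        aa, bb = ta * ta % P159, tb * tb % P159
        e = (aa - bb) % P159           # 4*X2*Z2
        da, cb = td * ta % P159, tc * tb % P159
        x3 = (da + cb) ** 2 % P159     # R0 + R1; the difference is P, affine x
        z3 = x * (da - cb) ** 2 % P159
        x2 = aa * bb % P159            # 2*R0
        z2 = e * (bb + A24 * e) % P159
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * inv(z2) % P159


def affine_double_x(x):
    """Affine x-only doubling on E_M, x([2]P) = (x^2-1)^2 / (4x(x^2+Ax+1)),
    used as an independent cross-check of the ladder."""
    x %= P159
    num = (x * x - 1) ** 2 % P159
    den = 4 * x * (x * x + A_M * x + 1) % P159
    return num * inv(den) % P159


if __name__ == "__main__":
    a, d = edwards_coefficients()
    print("a == -1:", a == P159 - 1, "  d matches eq. (40):", d == D_REPORTED)
    base = 9                           # constructed test input
    print("ladder(2) == affine doubling:", ladder(2, base) == affine_double_x(base))
    print("[6]P == [2]([3]P):", ladder(6, base) == ladder(2, ladder(3, base)))
```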


F. DEFINE THE POINT REPRESENTATION
As presented in Section II-B, points on an elliptic curve group $E(F_q)$ can have multiple representations with different characteristics. Derivations from the affine representation such as the projective coordinates, the w coordinates, the λ coordinates, and combinations of these can represent interesting alternatives for an elliptic curve system. For ECLC systems the mixed coordinate systems offer attractive advantages in reducing some of the operations required, such as inversions, and if paired with strategies like Co-Z, it is possible to reduce the storage requirements. Selecting different coordinate representations usually implies modifications to the group operations and a direct impact on the number and type of $F_q$ operations.
The work in [73] proposes to use w coordinates to represent the elliptic curve points. In that work, w coordinates are first used to reduce the number of field operations required in the group operations. A mixed system with w and projective-w was implemented in order to reduce the number of field inversions required. The Co-Z strategy is also exploited in order to further reduce the operation count and the storage requirements of their solution.

G. CHOOSE THE ARITHMETIC
Once the elliptic curve to be used has been defined and the implementation technology is known, it is necessary to do the actual data processing. ECC relies on the group and field operations described in Section II-B. It is important to determine the most suitable alternatives to perform the group and field operations. This suitability is determined by the elliptic curve, the point representation, and the finite field selected.
As mentioned, at group level the most important operation is the scalar multiplication. Some of the most popular alternatives to perform this calculation include the Double and Add method, Comb methods, the NAF method, and the Montgomery Powering Ladder [12]. Whereas some of these focus on efficiency by performing the minimal number of operations required, others such as the Montgomery Ladder seek regularity in the processing of the data to prevent information leakage.
The scalar multiplication relies on point addition and point doubling. Through adequate selection of the point representation and for specific fields and curves, these operations can be optimized. Reducing the number of field operations, discarding complex field operations from the processing, reducing the diversity of field operations required, and mitigating duplicated calculations are all possible goals for these optimizations.
The field algorithms required by the group operations should be determined by the implementation system and the field selection. If the application constraints demand it, then performance should be prioritized in the field realizations used. For software systems, the availability depends on the instructions supported by the processor. In the case of hardware the limitations are physical since the resources tend to be restricted.
In some works like [86], the scalar multiplication is performed using naïve approaches such as the Double and Add method. This procedure, however, has the disadvantage that it takes decisional branches which depend on the data utilized. This information leakage can be used to retrieve the secret key and compromise the system. More recent proposals, like [15], rely on the Montgomery ladder since it performs in constant time and mitigates the information leakage. This scalar multiplication method has also been used to construct more efficient group operations like the differential addition and doubling proposed in [73].

H. DEFINE THE IMPLEMENTATION STRATEGIES
By implementation we refer to taking the algorithmic description of the solution and mapping it to a physical realization. This can be achieved through the use of a processor, a reconfigurable device, or an integrated circuit. For each of these options the implementation strategies are different. Hence it is important to identify the underlying implementation technology.
According to the target platform each algorithm can be implemented in multiple ways. For constrained environments, though, it is mandatory to address the restrictions of the system. Power availability, clocking frequency, maximum delay, and memory are generic constraints that can be observed for any technology. Specifically in processors, the stack size, the operations supported, the register width, and the RAM are related constraints. For hardware, physical size and generics availability are important factors. The software or hardware specification of the solution ought to be designed respecting these physical constraints.
Furthermore, the design goals can also influence the implementation. Once the ECLC design is suitable for the target platform, additional considerations can be taken into account in order to align the design with specific goals. A performance oriented implementation will be substantially different from an area optimized core, even if both perform the same task. The implementation strategies are determined first by the constraints of the system, and then by the design goals.
Papers like [15], [88], and [89] provide detailed explanations of their implementation strategies which may help the reader to further understand the design principles in ECLC.

I. SECTION REMARKS
The application of this procedure can ease the need to research the different steps that must be taken in the design of an ECLC solution. By using this method, a researcher would instead focus on a specific set of steps in order to achieve an ad hoc solution. Having broad knowledge of the problem, the target technology, and the system constraints can be considered background data that should be specified when a project is started. Addressing the protocol, domain parameters, representation, and arithmetic can be considered sufficient to obtain a complete specification of the solution, in a theoretical sense. The implementation strategies are what shall consolidate the idea.

IX. OPEN PROBLEMS AND FUTURE TRENDS
There are multiple challenges that must be overcome in order to make use of ECLC in constrained devices. First and foremost, even though the performance and implementation sizes of ECLC systems outperform other asymmetric techniques, they still fall behind symmetric solutions. Lightweight symmetric ciphers and hash functions can achieve implementation sizes and latencies at least one order of magnitude smaller than those of ECLC. This restrains ECLC systems from providing security services such as bulk encryption and authentication. Instead, ECLC solutions are pivotal in key establishment and the use of digital signatures. But these applications must observe the lengthy latencies and the hardware/processing overhead. In order to improve the quality of the services provided by ECLC, further research must be conducted to reduce the latency and implementation size of these solutions.
Another important challenge is associated with information security. As the development of new elliptic curves and processing techniques progresses, the attack models are also improved. Mathematical, cybernetic, and physical attacks are a threat to any security system. However, the challenge is greater if we consider the application scope of ECLC. Providing additional security measures generally represents significant overheads. It is often the case that constrained environments cannot afford additional security protections. From the mathematical point of view, new algorithms can reduce the complexity of certain instances of ECDLP [107]. This leads to requiring increased key sizes or different families of curves. In that case the efficiency of the solution can be reduced. Cybernetic attacks are those that reach their targets over the internet. These protections are easier to account for, as usually network-wide protections are put in place by a gateway. Finally, attacks which have direct access to the network are the most challenging to deal with. Constrained systems are often deployed in unsupervised environments and in high density. Multiple attacks can be performed with different goals and it is practically impossible to provide protections for every possible scenario. ECLC implementations must then consider that a device can be captured, so they should not rely on nonvolatile information.
Standardization also hurts ECLC. Current standards are outdated in regards to the application scope. When the original suites were proposed, lightweight cryptography was not yet consolidated. Thus NIST and SEC standards only include general application curves. Novel efficient elliptic curves have been proposed but there is no suite which includes them. This lack of standardization limits their usage. If multiple systems do not support these new curves, interoperability problems might arise. This problem also brings security risks. Since there is no suite using modern elliptic curves, these will not get exposed to enough public scrutiny. More involvement of the community could help identify risks and optimization opportunities.
In recent years, the idea that quantum computers will be a reality in the next decades has gained support. As NIST points out, many scientists now believe that the creation of practical quantum computers is merely a significant engineering challenge [108]. Some authors go as far as to state that within the next 20 years or so quantum computers, sufficiently large to present a threat to modern cryptography, will be built [109]. In 1994 Peter Shor discovered an algorithm capable of factoring numbers in polynomial time on a quantum computer, along with another to compute discrete logarithms. In practical terms, this implies that traditional cryptographic primitives that rely on such problems can be broken by a quantum computer which is large enough. The creation of such a quantum computer capable of running Shor's algorithm would represent the demise of any PKC system which relies on IF, DLP, and ECDLP as we know it.
In a Post-Quantum setting, Elliptic Curve based cryptography would be unable to rely on the hardness of ECDLP. However, the isogenies in super-singular curves [110] have been proposed as a different NP-hard problem which enables cryptographic constructions based on elliptic curves. The isogenies problem on super-singular curves has no known quantum attack, but there has not been enough analysis of its security [108]. This new variant of ECC would need to be adapted for constrained environments, thus preserving the essence of ECLC.

X. CONCLUSIONS AND FINAL REMARKS
In this survey we have determined the criteria that make an ECC-based solution lightweight and viable for use in practical constrained applications. Representative works were systematically revised to determine the key aspects in an ECC design that lead to lightweight realizations. As a result, this paper provided for the first time the concept and requirements for Elliptic Curve Lightweight Cryptography (ECLC). We designed and described a methodology to create ECLC systems. We also discussed the open challenges that must be addressed by these systems. From the surveyed data we can answer the questions raised in the problem statement.
If there are proposals of elliptic curves designed to fit the needs of constrained devices, is it possible to call such curves lightweight? Or is this adjective more associated with implementations of these systems?
In our study we found out that 48% of the surveyed papers were not implemented. This implies that it is possible to denominate a proposal as "lightweight" even when there is no implementation data to back this statement. Nonetheless, from our proposed methodology, we suggest that such works must observe the higher abstraction levels of System, Protocol, or Algorithm, in order to create a solution which can be useful for constrained environments.
If the elliptic curves are not standardized, will there be any traction on implementing them?

72546 VOLUME 6, 2018


C. A. Lara-Nino et al.: ECLC: Survey

Multiple surveyed works were developed for nonstandardized elliptic curves. This leads us to believe that there is a certain interest in the use of constructions which prove to be advantageous for the application. However, if modern, efficient curves were included in a standard for lightweight cryptography, it would definitely help improve the auditing and optimization process for these systems. This would also contribute to spreading their use.

What are the guidelines to determine if an ECC-based design or solution is lightweight?

The abstraction levels outlined in this survey can serve as a guideline for this purpose. This method relies on identifying whether the solution was designed with modifications with regard to the implementation system, at the level of protocols, algorithms, architectures, or circuits, with the aim of tailoring it for constrained environments. It is desirable that these decisions can be backed up with implementation data but, as mentioned before, it is not a requirement. We found a recurring mistake in the identification of why each one of the surveyed works is denominated lightweight. This was the misconception that replacing traditional PKC (RSA) with generic ECC can lead to lightweight implementations. It is indeed true that such works might be more suitable for constrained environments than the state of the art in PKC. However, true ECLC solutions are those that satisfy the definition provided in this work: first to select ECC, and then to consider several aspects for its efficient implementation in constrained devices.

What can be denominated ECLC? Is this concept utilized in the literature? Or is the word "lightweight" ever associated with ECC proposals/implementations?

We came to define ECLC as the set of elliptic curve protocols, domain parameters, algorithms, and implementation techniques designed to provide security in constrained environments. All the surveyed works were denominated "lightweight" in the paper or related media. However, none of them analyzes or supports the use of that adjective. We identified that the main difference with traditional lightweight cryptography is that ECLC first tries to address the performance constraints of the system and then pursues other objectives.

There are multiple threats that can compromise the security of ECLC systems. However, this technology offers great opportunities for the development of new systems such as the IoT. The development of new networked environments will require strong security primitives which are efficient and represent small overheads for the device. This is a role that ECLC, with any of its different variants, can fulfill.

A. FUTURE WORK

Some directions that we would like to explore in the near future include: studying the implications of quantum attacks on the security of constrained devices; exploring the state of the art for other PKC solutions in the context of lightweight cryptography; and constructing benchmarks using commercial devices in order to compare the multiple solutions available under fair conditions.
CARLOS ANDRES LARA-NINO received the master's degree in computer science from CINVESTAV Tamaulipas, Mexico, in 2016, where he is currently pursuing the Ph.D. degree. His academic interests include digital systems, robotics, FPGAs, and security. His current research focuses on the implementation of cryptographic algorithms optimized for constrained environments.

ARTURO DIAZ-PEREZ received the Ph.D. degree in electrical engineering from CINVESTAV, Mexico, in 1998. He is currently a full-time Professor with CINVESTAV Guadalajara. He has co-authored the book Cryptographic Algorithms on Reconfigurable Hardware. His research interests include information security and algorithms for high-performance computing, hardware security in constrained devices, and security schemes for big-data storage and processing.

MIGUEL MORALES-SANDOVAL received the Ph.D. degree from the National Institute for Astrophysics, Optics, and Electronics, Mexico, in 2008. He is currently a researcher in computer science with special interests in data security, cryptography, and embedded systems. He is currently focused on the development of hardware/software security schemes for networked embedded systems and for the cloud.