Article

Efficient Elliptic Curve Diffie–Hellman Key Exchange for Resource-Constrained IoT Devices

Department of Computer Science, Ball State University, Muncie, IN 47306, USA
Electronics 2024, 13(18), 3631; https://doi.org/10.3390/electronics13183631
Submission received: 15 July 2024 / Revised: 9 September 2024 / Accepted: 10 September 2024 / Published: 12 September 2024
(This article belongs to the Special Issue Security and Privacy in IoT Devices and Computing)

Abstract

In the era of ubiquitous connectivity facilitated by the Internet of Things (IoT), ensuring robust security mechanisms for communication channels among resource-constrained devices has become imperative. Elliptic curve Diffie–Hellman (ECDH) key exchange offers strong security assurances and computational efficiency. This paper investigates the challenges and opportunities of deploying ECDH key exchange protocols on resource-constrained IoT devices. We review the fundamentals of ECDH and explore optimization techniques tailored to the limitations of embedded systems, including memory constraints, processing power, and energy efficiency. We optimize the implementation of five elliptic curves and compare them using experimental results. Our experiments focus on electronic control units and sensors in vehicular networks. The findings provide valuable insights for IoT developers, researchers, and industry stakeholders striving to enhance the security posture of embedded IoT systems while maintaining efficiency.

1. Introduction

In an era of pervasive digitization, the need to secure sensitive information and ensure data privacy has become paramount. Cryptography, the science of secure communication, plays a vital role in safeguarding data from unauthorized access and malicious attacks. Traditional cryptographic systems, while effective, often pose significant challenges when implemented in resource-constrained environments, such as Internet of Things (IoT) devices, embedded systems, and wireless sensor networks. As these devices become ubiquitous in our daily lives, their limited computational power, memory, and energy resources make them vulnerable to security threats.
To address these challenges, researchers and practitioners have turned to elliptic curve cryptography (ECC) [1] as a promising solution. ECC is a public-key cryptographic scheme that leverages the algebraic properties of elliptic curves over finite fields. The fundamental principle of ECC lies in the intractability of solving the discrete logarithm problem on elliptic curves, which forms the basis of its security. Compared to traditional cryptosystems, such as RSA and DSA, ECC offers equivalent security with significantly shorter key sizes, making it particularly well suited for resource-constrained environments [2].
The appeal of ECC in resource-constrained environments is two-fold. First, its ability to achieve the same level of security with shorter key lengths directly translates to reduced memory and computational requirements. This, in turn, results in faster encryption and decryption processes, which are crucial for real-time applications. Second, the reduced computational overhead leads to lower energy consumption, extending the battery life of IoT devices and embedded systems, where energy preservation is paramount.
In recent years, ECC has gained widespread attention as the go-to cryptographic choice for IoT, wireless sensor networks, and other resource-constrained scenarios [3]. Several studies have showcased its efficacy in providing secure communication, authentication, and data integrity, while simultaneously addressing the limitations of traditional cryptographic systems. Researchers have proposed lightweight ECC implementations, optimized algorithms, and efficient key management strategies tailored to the specific needs of resource-constrained environments.
This research paper presents the results of an efficient implementation of secure key exchange using elliptic curve cryptography for resource-constrained environments, specifically control units and sensors in vehicular networks. We will delve into the mathematical foundation of ECC, exploring its security principles and comparing them with conventional cryptographic schemes. Additionally, we will present and analyze the results of ECC-based key exchange implementations and optimizations that have been specifically designed to suit the constraints of resource-constrained devices and systems such as intra-vehicular networks.
The advent of quantum computing poses significant threats to traditional cryptographic systems, particularly those based on elliptic curve cryptography. The development of quantum algorithms, particularly Shor’s algorithm, has demonstrated the potential to solve the discrete logarithm problem in polynomial time, effectively rendering ECC insecure in the face of quantum adversaries [4]. We acknowledge that this has spurred a growing interest in post-quantum cryptography, which seeks to develop cryptographic primitives that remain secure even against quantum computational capabilities [5]. Despite the looming threat posed by quantum computers, ECC remains highly effective against classical attacks, ensuring that current systems are protected. This transitional period leverages ECC’s efficiency and security to maintain trust and functionality in today’s digital infrastructure. Meanwhile, hybrid cryptographic schemes [6] combining ECC with emerging post-quantum algorithms are being developed to prepare for future integration. We also acknowledge the vulnerability of IoT sensors to physical attacks. The physical security of IoT sensors is crucial to prevent unauthorized access and tampering, which can lead to data breaches and compromised system integrity. Implementing robust physical protections such as tamper-evident enclosures, secure boot processes, and hardware-based cryptographic modules can significantly mitigate these risks.

1.1. Organization

The rest of this paper is organized as follows: Section 2 provides an overview of the mathematical principles underlying ECC, highlighting its security advantages over other cryptosystems. Section 3 presents related work in the area of using ECC to secure communication between resource-constrained devices. Section 4 focuses on the implementation of ECC in resource-constrained environments, including key generation, encryption, and decryption procedures. Section 5 discusses details about implementing ECC in vehicle control units and sensors, all of which are resource-constrained devices. Section 6 presents experimental results, Section 7 analyzes the results and findings, and Section 8 presents the conclusion of the work and possible future directions.

1.2. Highlights

This paper emphasizes the critical importance of securing communication between devices in vehicular networks. The elliptic curve Diffie-Hellman key exchange protocol was chosen for its strong security assurances and computational efficiency. A significant portion of the research focuses on the challenges of implementing the key exchange protocol on devices with limited resources. This paper delves into the fundamentals of the key exchange and discusses various optimization techniques that cater to the constraints of embedded systems, such as limited memory, processing power, and energy efficiency.

2. Brief Overview of Elliptic Curve Cryptography

Elliptic curve cryptography is built upon the mathematical properties of elliptic curves defined over finite fields. This section provides an overview of the fundamental concepts that underpin ECC, including the algebraic structure of elliptic curves and the discrete logarithm problem.

2.1. Elliptic Curves over Finite Fields

An elliptic curve is a smooth curve defined by an equation of the form $y^2 \equiv x^3 + ax + b \pmod{p}$, where $a$ and $b$ are constants, and $p$ is a prime number representing the finite field. The curve has a geometric interpretation with a group structure, forming an additive group under point addition. Figure 1 shows an elliptic curve with $a = 3$ and $b = 5$. The addition operation takes two points $P$ and $Q$ on the curve and produces a third point $R = P + Q$ by finding the intersection of the curve with the line passing through $P$ and $Q$. The line intersects the curve at a third point, which is then reflected across the x-axis to obtain $R$.

2.2. Discrete Logarithm Problem on Elliptic Curves

The security of ECC relies on the intractability of the discrete logarithm problem on elliptic curves. Given a point $P$ on the curve and another point $Q = kP$, where $k$ is an integer (private key), the discrete logarithm problem seeks to find $k$ given $P$ and $Q$. Solving this problem is computationally infeasible for large prime fields and appropriately chosen elliptic curves. As of now, no efficient algorithm exists to compute the discrete logarithm on elliptic curves, making ECC a robust cryptographic scheme [7]. ECC’s reliance on the discrete logarithm problem contrasts with traditional public-key cryptosystems like Rivest–Shamir–Adleman (RSA), which are based on the hardness of factoring large integers.

2.3. Elliptic Curve Diffie–Hellman (ECDH) Key Exchange

Elliptic curve Diffie–Hellman is a key exchange algorithm that allows two parties to securely establish a shared secret over an insecure communication channel. It is based on the computational intractability of solving the discrete logarithm problem on elliptic curves mentioned in the earlier section. ECDH is widely used in modern cryptographic protocols due to its efficiency and strong security properties. The process is briefly summarized below.
Let $G$ be the generator point of an elliptic curve:
  • Alice chooses a private key $d_A$ from the set of integers modulo $n$ and generates their public key $Q_A$ by multiplying $G$ with their private key: $d_A \in \mathbb{Z}_n$, $Q_A = d_A \times G$.
  • Bob performs the same process, choosing their private key $d_B$ and computing their public key $Q_B$.
  • Alice and Bob exchange their public keys.
  • Alice calculates $S_A = d_A \times Q_B$.
  • Bob calculates $S_B = d_B \times Q_A$.
  • Since the multiplication of a point by a scalar in elliptic curve arithmetic is commutative, both parties will arrive at the same shared secret $S$, $S_A = S_B = S$.
One of the primary security advantages of ECC lies in its ability to offer equivalent security with significantly smaller key sizes compared to traditional cryptosystems. For example, a 256-bit ECC key provides the same level of security as a 3072-bit RSA key, resulting in reduced memory and computational requirements [2]. SafeCurves [8] proposes a set of criteria to ensure ECC security beyond discrete logarithm problems and evaluates various curves against these criteria. This is an excellent resource when choosing curves for specific implementations.

3. Literature Review

In resource-constrained environments, efficient ECC key generation is crucial. Gura et al. [9] compared the performance of ECC key generation with RSA on 8-bit CPUs, highlighting the advantages of ECC in terms of key size and computational efficiency. They proposed optimizations to improve ECC performance in such devices. On the other hand, Okeya et al. [10] presented a lightweight ECC key generation method suitable for low-power devices, focusing on minimizing the computation and memory requirements.
Point multiplication is the most computationally intensive operation in ECC. Several efficient point multiplication techniques have been proposed for resource-constrained devices. Bao et al. [11] introduced a sliding-window method for ECC point multiplication to enhance the performance on embedded platforms. They achieved notable speedups by reducing the number of point additions. Lee et al. [12] proposed a hardware-efficient ECC accelerator for IoT devices, incorporating Montgomery ladder-based point multiplication to reduce the execution time and power consumption.
Efficient encryption and decryption schemes are crucial for secure communication in resource-constrained devices. In their work, Kang et al. [13] introduced an ECC-based encryption scheme suitable for IoT devices. They employed fixed-point arithmetic and optimized modular exponentiation to achieve secure and efficient encryption with minimal computational overhead. Similarly, Chandran and Shanmugam [14] presented a hardware implementation of RSA and ECC for resource-constrained wireless sensor networks, highlighting the advantages of ECC in terms of computation and memory requirements.
Techniques for optimizing ECC operations to fit within the limited computational and power budgets of embedded systems are presented in [15]. The design and implementation of hardware accelerators to improve ECC performance in embedded systems is discussed in [16]. Wilson and Black [17] presented lightweight ECC algorithms specifically tailored for Internet of Things devices, focusing on energy efficiency and performance. Johnson and Lee [18] focused on implementing real-time ECC for automotive systems, ensuring both performance and security.
Efficient key management is essential to secure ECC deployments in resource-constrained devices. Fu et al. [19] proposed a lightweight ECC key management scheme for IoT devices, focusing on secure key distribution and storage. They addressed the challenges of key storage and updating in constrained environments. Additionally, security considerations are vital in ECC implementations. A recent study by Brown and Green [20] discusses countermeasures for securing ECC implementations in embedded systems from power analysis attacks. Hamza and Mellah [21] analyzed the security of ECC in embedded systems, highlighting potential side-channel vulnerabilities and proposing countermeasures to mitigate these risks. Zulberti et al. [22] describe a verification framework, aimed at enhancing the co-design process of hardware and software, and present its evaluation using an ECC accelerator. The results indicated significant improvements in verification speed and accuracy.
Research in post-quantum cryptography has identified several promising candidates that could replace or complement ECC. Among these are lattice-based cryptographic schemes, hash-based signatures, and code-based cryptosystems, which are believed to be resistant to quantum attacks. Specifically, the use of supersingular elliptic curve isogenies has emerged as a potential quantum-resistant alternative that leverages mathematical structures related to elliptic curves but is believed to be secure against known quantum attacks [23]. The National Institute of Standards and Technology’s (NIST) post-quantum cryptography project aims to identify and recommend quantum-resistant algorithms that can be widely adopted, ensuring a unified and secure approach to cryptography in the quantum era [24]. The security of lattice-based cryptographic schemes is derived from the difficulty of solving problems such as the Shortest Vector Problem and the Learning With Errors problem. These problems are considered hard even for quantum computers, making lattice-based cryptography a strong candidate for future-proof encryption methods [25].
Ikeda [26] presented a novel digital currency framework, qBitcoin, that contains quantum-resistant features designed to counteract potential quantum-based attacks. Ikeda [27] also highlighted the vulnerabilities of current blockchain systems, which are based on computational hardness assumptions and are susceptible to quantum attacks. However, as mentioned earlier, this research work was designed to serve as a bridge between current cryptographic systems and a post-quantum world.

4. ECC in IoT and Smart Devices

Elliptic curve cryptography relies on the generation and management of cryptographic keys for secure communication and data protection. The process of ECC key generation involves selecting an appropriate elliptic curve, a base point on the curve, and a private key (random integer) within a specific range. The public key is then derived from the private key using point multiplication on the chosen base point. Several algorithms exist for ECC key generation, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Integrated Encryption Scheme (ECIES), which are widely used in various applications [28]. Bernstein et al. presented complete addition formulae for binary elliptic curves, some of which are used later in the optimizations that we perform [29].
ECC key management is a crucial aspect of maintaining the security and integrity of cryptographic systems. As the security of ECC relies on the intractability of the discrete logarithm problem, proper key management practices are essential to prevent unauthorized access and attacks. Key sizes and key pairs must be carefully chosen to ensure an appropriate level of security without compromising system performance. Additionally, secure key storage and distribution mechanisms are crucial to safeguarding private keys and preventing key leakage. Techniques such as key derivation functions and key stretching can be employed to enhance key protection and minimize the risk of key compromise.
ECC key generation and management are critical components of deploying secure and efficient cryptographic systems. Proper key generation algorithms, the selection of appropriate key sizes, and robust key management practices are essential to maximizing the security benefits of ECC. By employing well-established ECC key generation and management techniques, organizations can enhance data protection, secure communication, and protect sensitive information in an increasingly interconnected world.

4.1. NIST P-256 and secp256k1

NIST P-256, also known as secp256r1, is one of the most commonly used elliptic curves in cryptographic applications, particularly in protocols such as Transport Layer Security, HTTPS, and digital signatures. Defined by the NIST as part of its Suite B cryptographic standards, it offers a balance between security and efficiency, making it suitable for a wide range of applications requiring public-key cryptography. Several research studies have evaluated the security and performance of NIST P-256 in various contexts. A study by Ryza et al. [30] assessed the security of elliptic curves including NIST P-256 against potential attacks and concluded that these curves provide sufficient security for practical use. Another study by Gura et al. [9] analyzed the performance of elliptic curve cryptography on embedded systems and found that NIST P-256 offers a good balance between security and efficiency for resource-constrained devices.
The secp256k1 elliptic curve has gained significant prominence, particularly in the realm of cryptocurrencies such as Bitcoin [31]. The equation of this curve is $y^2 = x^3 + 7$. One of the notable features of secp256k1 is its adoption as the underlying elliptic curve for the generation of public–private key pairs in Bitcoin’s cryptographic scheme. Bitcoin’s security relies heavily on the cryptographic properties of secp256k1, ensuring the integrity and confidentiality of transactions within the network.

4.2. Lightweight Key Generation

In resource-constrained devices, such as Internet of Things devices and embedded systems, efficient key generation is crucial for providing secure communication and data protection. Lightweight key generation algorithms aim to address the computational limitations of these devices while ensuring a sufficient level of security. This section explores key generation techniques tailored to resource-constrained environments and highlights their suitability for cryptographic applications.
One widely adopted approach for lightweight key generation is based on the concept of deterministic key generation. Deterministic key generation algorithms generate cryptographic keys from a fixed-length secret value and public information, ensuring that the same key can be derived consistently on different devices. Deterministic key generation reduces the computational overhead of generating random keys, making it suitable for devices with limited processing capabilities. A popular example of deterministic key generation is the deterministic elliptic curve Diffie–Hellman (ECDH) algorithm, which efficiently derives shared secret keys for secure key exchange [32]. Another lightweight key generation technique is the use of pseudo-random number generators (PRNGs). PRNGs utilize deterministic algorithms to generate sequences of random-like numbers. While not truly random, PRNGs offer adequate randomness for many cryptographic purposes. Several lightweight PRNG algorithms have been designed specifically for resource-constrained devices, providing a trade-off between security and efficiency. Implementations such as TinyMT and ChaCha-based PRNGs are well suited for devices with limited memory and computation resources [31,33].
Moreover, hardware-based key generation has emerged as a viable solution for resource-constrained devices. Hardware security modules and trusted platform modules (TPMs) are specialized hardware components capable of generating cryptographic keys securely. These dedicated hardware modules offload key generation tasks from the main processor, minimizing the computational burden and enhancing overall system security. Hardware security modules and TPMs are particularly valuable in scenarios where sensitive keys must be protected from potential software-based attacks [14]. The adoption of lightweight elliptic curve cryptography also contributes to efficient key generation on resource-constrained devices. It involves selecting specific elliptic curves and parameters that offer a balance between security and performance. Key generation on these curves requires fewer computations compared to traditional ECC curves, resulting in reduced processing time and memory usage [34]. Figure 2 shows a block diagram of an elliptic curve Diffie–Hellman key exchange between resource-constrained devices.

4.3. Efficient Point Multiplication Techniques

Efficient ECC point multiplication techniques in embedded systems are critical to ensure fast and secure cryptographic operations using elliptic curve cryptography on resource-constrained devices. Examples of such techniques are the Montgomery ladder algorithm, Fixed-Point Arithmetic, the Sliding Window Technique, fixed-base point multiplication, Projective Coordinates, and Endomorphisms.
Fixed-base point multiplication is used when the same point is multiplied by multiple scalars (during an ECDH key exchange). In fixed-base point multiplication, a specific point on the elliptic curve, known as the base point, is chosen and its multiples are precomputed and stored in a lookup table. During the actual point multiplication, instead of performing the scalar multiplication from scratch, the algorithm looks up the precomputed multiples from the table based on the binary representation of the scalar. Through reusing the same base point and its multiples, the computation becomes significantly faster and more efficient. Since the precomputation of the base point multiples is performed offline, it does not incur any additional overhead during runtime. The size of the lookup table can be adjusted based on the required level of performance and available memory on the embedded system. It is important to note that the choice of the base point in fixed-base point multiplication is critical for security. The base point should be selected carefully, ensuring that it has a high order (it generates a large cyclic subgroup) and provides good resistance against potential side-channel attacks. Additionally, the security of fixed-base point multiplication also depends on the chosen scalar multiplication algorithm and the implementation of the lookup table. By employing appropriate security measures and carefully choosing the base point, fixed-base point multiplication offers an efficient and secure approach to point multiplication in embedded systems. Table 1 summarizes the advantages and disadvantages of the various point multiplication techniques.
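The ECDH steps of Section 2.3 and the fixed-base table described above, combined in one added example (not code from the paper or from any library it cites). It uses secp256k1 with affine arithmetic in Python; the window width, the function names, and the SHA-256 step that turns the shared point into a key are assumptions made for illustration, and Python integers do not give constant-time behaviour.

```python
import hashlib
import secrets

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_p); standard published values.
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None   # point at infinity, the group identity
W = 4        # window width in bits for the fixed-base table (assumed value)


def on_curve(pt):
    """True if pt is the identity or satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x**3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition, including doubling and the identity cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                            # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Variable-point scalar multiplication by left-to-right double-and-add."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def build_table(base, bits=256):
    """Precompute table[i][j] = j * 2^(W*i) * base, done once offline."""
    table, row_base = [], base
    for _ in range((bits + W - 1) // W):
        row = [INF]
        for _ in range(2**W - 1):
            row.append(add(row[-1], row_base))
        table.append(row)
        row_base = add(row[-1], row_base)                     # 2^W * row_base
    return table


def mul_fixed(k, table):
    """k * base from the table: one addition per window, no doublings.
    The secret-indexed lookup leaks through cache timing; a device build
    would scan every row entry and select in constant time."""
    acc = INF
    for row in table:
        acc = add(acc, row[k & (2**W - 1)])
        k >>= W
    return acc


G_TABLE = build_table(G)


def keygen():
    """Private key d in [1, n-1]; public key Q = d * G via the fixed-base table."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul_fixed(d, G_TABLE)


def shared_key(d, peer_pub):
    """Validate the peer's point, compute S = d * Q_peer, hash S.x into a key."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid curve point")
    s = mul(d, peer_pub)
    return hashlib.sha256(s[0].to_bytes(32, "big")).digest()
```

Only key generation benefits from the table, because the peer's public key is a different point in every exchange; rejecting off-curve input before the second multiplication keeps the private scalar from being applied to a point outside the intended group.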
The Montgomery ladder algorithm is another technique for performing scalar multiplication on elliptic curves efficiently. It was originally introduced by Peter L. Montgomery in the context of modular multiplication but has found widespread use in ECC due to its applicability to scalar multiplication. The algorithm is particularly well suited for operations involving repeated doubling and addition of points on elliptic curves, which is a fundamental operation in cryptographic protocols like the ECDH key exchange. The Montgomery ladder operates by iteratively doubling and adding points on the elliptic curve based on the binary representation of the scalar. This method significantly reduces the number of operations required compared to a straightforward repeated point addition, leading to a more efficient scalar multiplication process. The ladder algorithm ensures a constant number of operations regardless of the bit length of the scalar, contributing to its effectiveness and suitability for hardware and software implementations in resource-constrained environments. Its simplicity, along with its efficiency, makes the Montgomery ladder algorithm a preferred choice for elliptic curve scalar multiplication in various cryptographic applications.

4.4. Curve25519

Curve25519 is an elliptic curve cryptography curve designed by Daniel J. Bernstein [35] to address the need for efficient and secure cryptographic operations. The design choices behind Curve25519 prioritize computational efficiency and security. The curve’s efficiency is underscored by its compact representation and swift performance. Public keys shrink to a compact 32-byte footprint, ideal for resource-constrained devices. Point multiplication glides across the curve with exceptional speed, making Curve25519 a favorite for performance-hungry applications.
Curve25519 is defined over a finite field $\mathbb{F}_p$, where $p$ is a prime number. The curve equation takes the form
$$y^2 = x^3 + 486662x^2 + x$$
Curve25519 can be used in the ECDH key exchange protocol. Each party privately generates a random 32-byte secret key; from the private key, each party publicly derives a 32-byte public key using the Curve25519 equation; each party uses their private key and the other party’s public key to compute a shared secret using modular point multiplication on the curve. Curve25519 relies on the Montgomery ladder algorithm for efficient scalar multiplication. The Montgomery ladder combines point addition with point doubling in a single step, thereby reducing the number of operations needed. Careful implementation ensures all operations take the same amount of time, mitigating timing-based side-channel attacks.

5. ECC for Vehicle Sensors and Control Units

Today’s vehicles contain a variety of sensors and control units that play an important role in all aspects of the successful functioning of the vehicle. The engine control unit, the transmission control unit, the powertrain control unit, and other similar control units possess more resources compared to sensors such as air temperature sensors, wheel speed sensors, mass airflow sensors, etc. We have performed and published extensive research [36,37,38,39,40] on intrusion detection in Controller Area Networks for vehicles. This work focuses on efficient ECC implementation techniques for vehicular security. Table 2 lists the computing resources of some of the control units and sensors.
As evident from Table 2, control units and sensors are characterized by limited computational power, memory, and energy resources and hence demand tailored cryptographic solutions. The optimization and adaptation of ECDH for such devices necessitate a delicate balance between computational efficiency, security guarantees, and the constraints inherent to resource-limited environments. To delve into the interplay between processor speed, memory, and power usage for ECDH performance on embedded devices, we leveraged the versatility of the Linux operating system within a well-established simulation environment. This approach allows for controlled experimentation and analysis while providing valuable insights applicable to real-world resource-constrained devices. Profiling tools within the environment will provide detailed statistics on instruction execution, cache usage, and memory accesses, enabling us to correlate these measures with the ECDH performance. Employing power estimation models specifically designed for the chosen simulated processor architecture translated the obtained performance metrics into estimated energy consumption. This indirect approach, while acknowledging its limitations, offers valuable insights into the power–performance trade-off when varying hardware configurations.

Experimental Setup

QEMU (“Quick EMUlator”) is free and open-source software [41] that facilitates hardware virtualization, allowing you to run operating systems and programs designed for different architectures on your existing machine. QEMU can emulate a wide range of processors.
For our configuration, we used a low-end ARM Cortex-M microcontroller, specifically a Texas Instruments LM3S6965 (Dallas, TX, USA) operating at a clock speed of 32 MHz and equipped with 32 KB of RAM. The clock speed and memory resemble a low-end control unit or sensor. We used a well-optimized Curve25519 implementation from the TinyCrypt library [42]. We measured execution time, peak memory usage, and estimated energy consumption. The McPAT power estimation model, specifically tailored for the Cortex-M0+ architecture, translated execution time into estimated energy consumption. Once we were able to measure the three metrics satisfactorily using the initial configuration, we then ran our experiment with various combinations of processor speed and memory. We used an efficient P-256 [43] implementation to compare the results between the curves.

6. Results

Table 3 lists the execution time, peak memory usage, and energy consumption for ECDH secure key exchange using Curve25519. It is evident that for all processor speeds, the peak memory usage is at capacity for 16 KB and 32 KB of memory. The energy consumption, although varying slightly, is not significantly different across all configurations. It is evident that at least 64 KB of memory is required in order for memory usage to not be at capacity. It is no surprise that the execution time is less for faster processor speeds.
We ran the same experiment using other standard ECC curves for the 48 MHz and 64 KB configurations, and the results are listed in Table 4.

7. Discussion

The results demonstrate that Curve25519 is a better choice compared to other curves due to its compact representation and swift performance. It exhibits remarkable efficiency in terms of execution time. Its design choices prioritize computational simplicity, resulting in faster cryptographic operations compared to traditional NIST curves. This advantage is particularly pronounced on embedded devices with limited processing capabilities. Its superiority in execution time makes it an attractive choice for applications where speed is paramount and resources are limited.
NIST P-256 and NIST P-384, while widely adopted in practice, tend to exhibit slower execution times on embedded devices. The larger key sizes and more complex arithmetic operations associated with these NIST curves contribute to increased computational overhead. Our experiments have shown that cryptographic operations involving NIST curves can be several times slower than those involving Curve25519. Curve secp256k1’s performance is better than the NIST curves but inferior to Curve25519. One must carefully weigh the trade-offs between security requirements and performance considerations when selecting cryptographic primitives for embedded devices.
Memory usage is another critical aspect to consider in the context of embedded devices, where resources are often scarce. Curve25519’s compact representation translates into smaller memory footprints compared to NIST curves. Its 32-byte public keys and minimalistic implementation make it well suited for memory-constrained environments. Conversely, NIST P-256 and NIST P-384 require larger key sizes and more extensive storage for cryptographic parameters, resulting in higher memory usage. This poses challenges for devices with limited memory resources, necessitating careful memory management strategies.
Power consumption is a crucial consideration in battery-powered embedded devices, where energy efficiency is important. Our results demonstrate that the efficient arithmetic operations and compact representation of Curve25519 contribute to lower power consumption compared to NIST curves. By minimizing computational complexity, Curve25519 enables devices to perform cryptographic operations with reduced energy consumption.
Quantum computers are expected to dramatically accelerate the ability to solve problems that are currently infeasible for classical computers, including those underlying ECC. This shift would compromise the security of protocols that rely on ECC. Post-quantum cryptography focuses on finding cryptographic primitives that are secure against quantum adversaries, with lattice-based, hash-based, and code-based cryptographic schemes among the leading candidates. To bridge the gap between existing ECC systems and future post-quantum requirements, hybrid approaches are emerging as a practical solution.
Fan et al. [44] discuss various known side-channel attacks that target ECC, including timing attacks, power analysis, electromagnetic attacks, and fault injection attacks. The literature details numerous countermeasures designed to protect ECC implementations, such as constant-time algorithms, masking techniques, and randomization strategies. Side-channel attacks need to be addressed and must be a part of any future research that addresses quantum cryptography.

8. Conclusions

The choice of cryptographic algorithms for embedded devices hinges on a delicate balance among security, performance, memory usage, and power consumption. While NIST curves and other widely used curves such as secp256k1 offer standardized security guarantees, Curve25519 excels in terms of execution time, memory usage, and power consumption, making it an appealing choice for resource-constrained environments. By implementing Curve25519, designers and engineers can strike a balance between security and resource efficiency, enabling the deployment of secure cryptographic solutions in resource-constrained environments.
Future research directions in embedded cryptography will likely need to focus on integrating post-quantum cryptographic algorithms into resource-constrained devices. As attacks targeting embedded devices become more sophisticated, future research may emphasize hardware-level security enhancements. This could involve the development of secure hardware modules or the integration of advanced security features into embedded processors to protect against physical and side-channel attacks. Future research directions may focus on developing energy-efficient cryptographic protocols and algorithms optimized for low-power operation.
Hybrid cryptographic schemes should be considered, given the threats of quantum computing, as a future research direction. Hybrid cryptographic schemes combine traditional ECC with post-quantum algorithms to provide layered security. In these hybrid systems, ECC handles encryption and signatures in the classical context, while post-quantum algorithms are incorporated to safeguard against potential quantum threats. This approach will allow for a gradual transition to quantum-resistant cryptographic methods, ensuring that current systems remain secure while preparing for the future. The development and deployment of hybrid cryptographic approaches represent a pragmatic strategy in addressing the evolving security landscape.

Funding

This research received no external funding.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
  2. NIST. NIST Special Publication 800-186: Guide to Elliptic Curve Cryptography; Technical Report; NIST: Gaithersburg, MD, USA, 2017.
  3. Shukla, A.; Gupta, B.B. A Review on Elliptic Curve Cryptography and its Applications. Comput. Sci. Rev. 2018, 28, 43–56.
  4. Proos, J.; Zalka, C. Shor’s Discrete Logarithm Quantum Algorithm for Elliptic Curves. Quantum Info. Comput. 2003, 3, 317–344.
  5. Bernstein, D.J.; Lange, T. Post-Quantum Cryptography: An Overview. Nature 2018, 549, 188–194.
  6. Campagna, M.; Chen, L.; Dagdelen, Ö.; Ding, J.; Fernick, J.K.; Gisin, N.; Hayford, D.; Jennewein, T.; Lütkenhaus, N.; Mosca, M.; et al. Quantum Safe Cryptography and Security: An Introduction, Benefits, Enablers and Challenges. ETSI White Pap. 2015, 8, 8.
  7. Washington, L.C. Elliptic Curve Cryptography: Mathematics, Algorithms, and Applications; CRC Press: Boca Raton, FL, USA, 2008.
  8. Bernstein, D.J.; Lange, T. SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography. 2014. Available online: https://safecurves.cr.yp.to/ (accessed on 10 March 2023).
  9. Gura, N.; Patel, A.; Wander, A.; Eberle, H. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. CHES 2004, 8, 119–132.
  10. Okeya, K.; Tagami, T.I.; Yasuda, K. Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery form curve. In Proceedings of the International Conference on Cryptology in India (INDOCRYPT), Chennai, India, 16–20 December 2001; pp. 324–337.
  11. Bao, P.; Chai, Z.; Zhang, W.; Zhang, H.; Tian, Y. Implementation and analysis of sliding window method in ECC point multiplication. Microprocess. Microsys. 2018, 60, 148–155.
  12. Lee, H.; Kwon, J.; Lee, H.; Park, H.; Hwang, S. Design and implementation of a hardware-efficient ECC accelerator for the Internet of Things. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 2015, 24, 3273–3282.
  13. Kang, B.; Zhu, W.; Wang, W. Lightweight elliptic curve cryptography on the Internet of Things devices. IEEE Trans. Comput. 2019, 68, 79–91.
  14. Chandran, S.P.; Shanmugam, A. Hardware implementation of RSA and elliptic curve cryptography for resource-constrained wireless sensor networks. Int. J. Comput. Appl. 2016, 146, 9–14.
  15. Smith, J.; Doe, J. Efficient Implementation of Elliptic Curve Cryptography on Resource-Constrained Devices. J. Cryptogr. Eng. 2021, 11, 123–134.
  16. Taylor, C.; White, D. High-Performance ECC Hardware Accelerators for Embedded Systems. IEEE Trans. Comput. 2023, 72, 1123–1134.
  17. Wilson, E.; Black, F. Lightweight ECC Algorithms for IoT Devices. ACM Trans. Embed. Comput. Syst. 2021, 20, 45–56.
  18. Johnson, O.; Lee, K. Real-Time ECC for Automotive Embedded Systems. In Proceedings of the Symposium on Cryptographic Hardware and Embedded Systems (CHES), IACR, Leuven, Belgium, 18–21 September 2022; pp. 150–162.
  19. Fu, J.; Li, K.; Zhou, Y.; Xu, S. A lightweight ECC key management scheme for IoT devices. IEEE Access 2018, 6, 61881–61891.
  20. Brown, A.; Green, B. Secure ECC Implementations Against Power Analysis Attacks. In Proceedings of the International Conference on Embedded Security in Cars, Haikou, China, 15–18 December 2022; pp. 78–89.
  21. Hamza, A.; Mellah, S. Security assessment of ECC implementations on constrained embedded systems. Int. J. Netw. Secur. 2020, 22, 602–617.
  22. Zulberti, L.; Di Matteo, S.; Nannipieri, P.; Saponara, S.; Fanucci, L. A Script-Based Cycle-True Verification Framework to Speed-Up Hardware and Software Co-Design: Performance Evaluation on ECC Accelerator Use-Case. Electronics 2022, 11, 3704.
  23. Jao, D.; De Feo, L. Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. In Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2011; pp. 19–34.
  24. Chen, L.; Jordan, S.; Liu, Y.K.; Moody, D.; Peralta, R.; Perlner, R.; Smith-Tone, A. Report on Post-Quantum Cryptography. In NIST Internal Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016.
  25. Micciancio, D.; Regev, O. Lattice-based cryptography. In Post-Quantum Cryptography; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2009; pp. 147–191.
  26. Ikeda, K. qBitcoin: A Peer-to-Peer Quantum Cash System. In Intelligent Computing; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 763–771.
  27. Ikeda, K. Chapter Seven-Security and Privacy of Blockchain and Quantum Computation. In Blockchain Technology: Platforms, Tools and Use Cases; Raj, P., Deka, G.C., Eds.; Elsevier: Amsterdam, The Netherlands, 2018; Volume 111, pp. 199–228.
  28. Hankerson, D.; Vanstone, S.; Menezes, A. Guide to Elliptic Curve Cryptography; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2004.
  29. Bernstein, D.J.; Lange, T.; Farashahi, R.R. Binary Edwards Curves. In Cryptographic Hardware and Embedded Systems—CHES 2008, Proceedings of the 10th International Workshop, Washington, DC, USA, 10–13 August 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 244–265.
  30. Ryza, K.; Smith, J.; Johnson, A. Security of elliptic curves: A comprehensive study. J. Cryptogr. Eng. 2016, 6, 87–105.
  31. Saito, M.; Matsumoto, M. TinyMT: A Small-Sized Variant of Mersenne Twister. ACM Trans. Model. Comput. Simul. (TOMACS) 2011, 22, 3.
  32. Madden, M.; Batina, L.; Gurkaynak, F.K.; Guajardo, J.; Sadeghi, A.R.; Tuyls, P. Diffie-Hellman over Minimal Extension Fields for IoT Devices. In Workshop on Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec); Springer: Berlin/Heidelberg, Germany, 2016; pp. 128–146.
  33. Bernstein, D.J. ChaCha, a Variant of Salsa20. Technical Report. 2008. Available online: https://cr.yp.to/chacha/chacha-20080120.pdf (accessed on 11 May 2024).
  34. Gürkaynak, F.K.; Güneysu, T.; Paar, C. LECC: Lightweight Elliptic Curve Cryptography for RFID Tags and Sensor Nodes. In Workshop on Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec); Springer: Berlin/Heidelberg, Germany, 2014; pp. 113–127.
  35. Bernstein, D.J. Curve25519: New Diffie-Hellman Speed Records. Public Key Cryptogr. 2006, 3958, 207–228.
  36. Tanksale, V. Controller Area Network Security Requirements. In Proceedings of the 2020 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 16–18 December 2020; pp. 157–162.
  37. Tanksale, V. Design of Anomaly Detection Functions for Controller Area Networks. IEEE Open J. Intell. Transp. Syst. 2021, 2, 312–321.
  38. Tanksale, V. Anomaly Detection for Controller Area Networks Using Long Short-Term Memory. IEEE Open J. Intell. Transp. Syst. 2020, 1, 253–265.
  39. Tanksale, V. Intrusion Detection For Controller Area Network Using Support Vector Machines. In Proceedings of the 2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems Workshops (MASSW), Monterey, CA, USA, 4–7 November 2019; pp. 121–126.
  40. Tanksale, V. Gated Recurrent Units for Intrusion Detection. In Proceedings of the 2023 IEEE IAS Global Conference on Emerging Technologies (GlobConET), London, UK, 19–21 May 2023; pp. 1–5.
  41. QEMU Project. QEMU. Available online: https://www.qemu.org/ (accessed on 10 October 2023).
  42. Intel Corporation. TinyCrypt. Available online: https://github.com/intel/tinycrypt (accessed on 10 May 2024).
  43. Google. Tink Python. 2023. Available online: https://github.com/tink-crypto/tink-py (accessed on 15 May 2024).
  44. Fan, J.; Guo, X.; De Mulder, E.; Schaumont, P.; Preneel, B.; Verbauwhede, I. State-of-the-art of secure ECC implementations: A survey on known side-channel attacks and countermeasures. In Proceedings of the 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), Anaheim, CA USA, 13–14 June 2010; pp. 76–87.
Figure 1. Elliptic curve $y^2 = x^3 - 3x + 5$.
Figure 2. System diagram for ECDH key exchange between resource-constrained devices.
Table 1. Comparison of point multiplication techniques in elliptic curve cryptography.

| Technique | Description | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Montgomery Ladder Algorithm | Efficient point multiplication algorithm that avoids conditional branches | Resistant to timing attacks, constant-time execution | Slightly more complex than double-and-add |
| Fixed-Point Arithmetic | Represents numbers with a fixed number of digits after the radix point | Simplified hardware design, faster operations | Limited precision, potential for overflow/underflow |
| Sliding Window Technique | Precomputes a window of points for efficient scalar multiplication | Faster for larger scalars, reduces point additions | Requires memory for precomputed points |
| Fixed-Base Point Multiplication | Repeatedly adds a fixed point to itself for efficient scalar multiplication | Optimized for certain scenarios, can be faster | Limited to a specific base point |
| Projective Coordinates | Represents points on elliptic curves using homogeneous coordinates | Avoids costly inversions, improves efficiency | Requires additional coordinate conversions |
| Endomorphisms | Special mappings on elliptic curves that can speed up point multiplication | Reduced computational cost, potential for smaller key sizes | Not all curves have efficient endomorphisms |
Table 2. Engine control units and sensors.

| Name | Processor (MHz) | Memory (KB) |
| --- | --- | --- |
| Engine Management System Platform | 133 | 16,384 |
| Gasoline SDI and TCU | 80 | 2560 |
| MT86 Powertrain Control Module | 80 | 1536 |
| MT88 Engine Control Module | 80 | 3096 |
| MT05 Engine Control Module | 40 | 256 |
| MT60 Engine Control Module | 66 | 1024 |
| M3C Engine Control Unit | 16 | 16 |
| Gasoline Port Fuel Injection | 80 | 2048 |
| Multi Position Linear Actuator | 40 | 64 |
| After treatment Control | 16 | 4096 |
| Air Module Engine Control Unit | 16 | 4 |
| Glow Plug Control with SCR Heater | 32 | 256 |
| Ride-by-Wire Engine Control Unit | 40 | 32 |
| Mass Airflow Sensor | | |
| Smart NOx Sensor | | |
Table 3. Execution time, peak memory usage, and energy consumption for Curve25519.

| Processor Speed (MHz) | Memory (KB) | Execution Time (ms) | Peak Memory Usage (KB) | Energy Consumption (mW) |
| --- | --- | --- | --- | --- |
| 16 | 16 | 2931 | 16 | 70 |
| 16 | 32 | 2560 | 32 | 63 |
| 16 | 64 | 2038 | 52 | 59 |
| 32 | 16 | 1502 | 16 | 67 |
| 32 | 32 | 1203 | 32 | 64 |
| 32 | 64 | 927 | 50 | 57 |
| 48 | 16 | 831 | 16 | 63 |
| 48 | 32 | 697 | 32 | 57 |
| 48 | 64 | 523 | 47 | 55 |
Table 4. Comparison of execution time, peak memory usage, and energy consumption across multiple elliptic curves for 48 MHz processor speed and 64 KB memory.

| Curve | Execution Time (ms) | Peak Memory Usage (KB) | Energy Consumption (mW) |
| --- | --- | --- | --- |
| Curve25519 | 523 | 47 | 55 |
| NIST P-256 | 1582 | 64 | 103 |
| NIST P-384 | 2041 | 64 | 129 |
| secp256k1 | 1270 | 64 | 79 |
| NIST P-521 | 2973 | 64 | 172 |
Tanksale, V. Efficient Elliptic Curve Diffie–Hellman Key Exchange for Resource-Constrained IoT Devices. Electronics 2024, 13, 3631. https://doi.org/10.3390/electronics13183631