electronics

Article
Efficient Elliptic Curve Diffie–Hellman Key Exchange for
Resource-Constrained IoT Devices
Vinayak Tanksale

Department of Computer Science, Ball State University, Muncie, IN 47306, USA

Abstract: In the era of ubiquitous connectivity facilitated by the Internet of Things (IoT), ensuring
robust security mechanisms for communication channels among resource-constrained devices has
become imperative. Elliptic curve Diffie–Hellman (ECDH) key exchange offers strong security
assurances and computational efficiency. This paper investigates the challenges and opportunities
of deploying ECDH key exchange protocols on resource-constrained IoT devices. We review the
fundamentals of ECDH and explore optimization techniques tailored to the limitations of embedded
systems, including memory constraints, processing power, and energy efficiency. We optimize the
implementation of five elliptic curves and compare them using experimental results. Our experiments
focus on electronic control units and sensors in vehicular networks. The findings provide valuable
insights for IoT developers, researchers, and industry stakeholders striving to enhance the security
posture of embedded IoT systems while maintaining efficiency.

Keywords: secure key exchange; elliptic curve cryptography; Diffie; Hellman; IoT; cryptography

Citation: Tanksale, V. Efficient Elliptic Curve Diffie–Hellman Key Exchange for Resource-Constrained IoT Devices. Electronics 2024, 13, 3631. https://doi.org/10.3390/electronics13183631

Academic Editor: Zbigniew Kotulski

Received: 15 July 2024
Revised: 9 September 2024
Accepted: 10 September 2024
Published: 12 September 2024

Copyright: © 2024 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Electronics 2024, 13, 3631. https://doi.org/10.3390/electronics13183631 https://www.mdpi.com/journal/electronics

1. Introduction
In an era of pervasive digitization, the need to secure sensitive information and ensure data privacy has become paramount. Cryptography, the science of secure communication, plays a vital role in safeguarding data from unauthorized access and malicious attacks. Traditional cryptographic systems, while effective, often pose significant challenges when implemented in resource-constrained environments, such as Internet of Things (IoT) devices, embedded systems, and wireless sensor networks. As these devices become ubiquitous in our daily lives, their limited computational power, memory, and energy resources make them vulnerable to security threats.
To address these challenges, researchers and practitioners have turned to elliptic curve cryptography (ECC) [1] as a promising solution. ECC is a public-key cryptographic scheme that leverages the algebraic properties of elliptic curves over finite fields. The fundamental principle of ECC lies in the intractability of solving the discrete logarithm problem on elliptic curves, which forms the basis of its security. Compared to traditional cryptosystems, such as RSA and DSA, ECC offers equivalent security with significantly shorter key sizes, making it particularly well suited for resource-constrained environments [2].
The appeal of ECC in resource-constrained environments is two-fold. First, its ability to achieve the same level of security with shorter key lengths directly translates to reduced memory and computational requirements. This, in turn, results in faster encryption and decryption processes, which are crucial for real-time applications. Second, the reduced computational overhead leads to lower energy consumption, extending the battery life of IoT devices and embedded systems, where energy preservation is paramount.
In recent years, ECC has gained widespread attention as the go-to cryptographic choice for IoT, wireless sensor networks, and other resource-constrained scenarios [3]. Several studies have showcased its efficacy in providing secure communication, authentication, and data integrity, while simultaneously addressing the limitations of traditional cryptographic systems. Researchers have proposed lightweight ECC implementations, optimized algorithms, and efficient key management strategies tailored to the specific needs of resource-constrained environments.
This research paper presents the results of an efficient implementation of secure key
exchange using elliptic curve cryptography for resource-constrained environments, specifically
control units and sensors in vehicular networks. We will delve into the mathematical
foundation of ECC, exploring its security principles and comparing them with conventional
cryptographic schemes. Additionally, we will present and analyze the results of ECC-based
key exchange implementations and optimizations that have been specifically designed to suit
the constraints of resource-constrained devices and systems such as intra-vehicular networks.
The advent of quantum computing poses significant threats to traditional cryptographic
systems, particularly those based on elliptic curve cryptography. The development
of quantum algorithms, particularly Shor’s algorithm, has demonstrated the potential
to solve the discrete logarithm problem in polynomial time, effectively rendering ECC
insecure in the face of quantum adversaries [4]. We acknowledge that this has spurred a
growing interest in post-quantum cryptography, which seeks to develop cryptographic
primitives that remain secure even against quantum computational capabilities [5]. Despite
the looming threat posed by quantum computers, ECC remains highly effective against
classical attacks, ensuring that current systems are protected. This transitional period
leverages ECC’s efficiency and security to maintain trust and functionality in today’s digital
infrastructure. Meanwhile, hybrid cryptographic schemes [6] combining ECC with
emerging post-quantum algorithms are being developed to prepare for future integration.
We also acknowledge the vulnerability of IoT sensors to physical attacks. The physical
security of IoT sensors is crucial to prevent unauthorized access and tampering, which can
lead to data breaches and compromised system integrity. Implementing robust physical
protections such as tamper-evident enclosures, secure boot processes, and hardware-based
cryptographic modules can significantly mitigate these risks.

1.1. Organization
The rest of this paper is organized as follows: Section 2 provides an overview of
the mathematical principles underlying ECC, highlighting its security advantages over
other cryptosystems. Section 3 presents related work in the area of using ECC to secure
communication between resource-constrained devices. Section 4 focuses on the implementation
of ECC in resource-constrained environments, including key generation, encryption,
and decryption procedures. Section 5 discusses details about implementing ECC in vehicle
control units and sensors, all of which are resource-constrained devices. Section 6 presents
experimental results, Section 7 analyzes the results and findings, and Section 8 presents the
conclusion of the work and possible future directions.

1.2. Highlights
This paper emphasizes the critical importance of securing communication between
devices in vehicular networks. The elliptic curve Diffie-Hellman key exchange protocol
was chosen for its strong security assurances and computational efficiency. A significant
portion of the research focuses on the challenges of implementing the key exchange protocol
on devices with limited resources. This paper delves into the fundamentals of the key
exchange and discusses various optimization techniques that cater to the constraints of
embedded systems, such as limited memory, processing power, and energy efficiency.

2. Brief Overview of Elliptic Curve Cryptography


Elliptic curve cryptography is built upon the mathematical properties of elliptic curves
defined over finite fields. This section provides an overview of the fundamental concepts
that underpin ECC, including the algebraic structure of elliptic curves and the discrete
logarithm problem.

2.1. Elliptic Curves over Finite Fields


An elliptic curve is a smooth curve defined by an equation of the form $y^2 \equiv x^3 + ax + b \pmod{p}$,
where a and b are constants, and p is a prime number representing the finite field.
The curve has a geometric interpretation with a group structure, forming an additive group
under point addition. Figure 1 shows an elliptic curve with a = −3 and b = 5. The addition
operation takes two points P and Q on the curve and produces a third point R = P + Q
by finding the intersection of the curve with the line passing through P and Q. The line
intersects the curve at a third point, which is then reflected across the x-axis to obtain R.

Figure 1. Elliptic curve $y^2 = x^3 - 3x + 5$.

2.2. Discrete Logarithm Problem on Elliptic Curves


The security of ECC relies on the intractability of the discrete logarithm problem on
elliptic curves. Given a point P on the curve and another point Q = kP, where k is an
integer (private key), the discrete logarithm problem seeks to find k given P and Q. Solving
this problem is computationally infeasible for large prime fields and appropriately chosen
elliptic curves. As of now, no efficient algorithm exists to compute the discrete logarithm
on elliptic curves, making ECC a robust cryptographic scheme [7]. ECC’s reliance on
the discrete logarithm problem contrasts with traditional public-key cryptosystems like
Rivest–Shamir–Adleman (RSA), which are based on the hardness of factoring large integers.

2.3. Elliptic Curve Diffie–Hellman (ECDH) Key Exchange


Elliptic curve Diffie–Hellman is a key exchange algorithm that allows two parties to
securely establish a shared secret over an insecure communication channel. It is based on
the computational intractability of solving the discrete logarithm problem on elliptic curves
mentioned in the earlier section. ECDH is widely used in modern cryptographic protocols
due to its efficiency and strong security properties. The process is briefly summarized below.
Let $G$ be the generator point of an elliptic curve:
1. Alice chooses a private key $d_A$ from the set of integers modulo $n$ and generates their
public key $Q_A$ by multiplying $G$ with their private key: $d_A \in \mathbb{Z}_n$, $Q_A = d_A \times G$.
2. Bob performs the same process, choosing their private key $d_B$ and computing their
public key $Q_B$.
3. Alice and Bob exchange their public keys.
4. Alice calculates $S_A = d_A \times Q_B$.
5. Bob calculates $S_B = d_B \times Q_A$.
6. Since the multiplication of a point by a scalar in elliptic curve arithmetic is commutative,
both parties will arrive at the same shared secret $S$, $S_A = S_B = S$.
One of the primary security advantages of ECC lies in its ability to offer equivalent
security with significantly smaller key sizes compared to traditional cryptosystems.
For example, a 256-bit ECC key provides the same level of security as a 3072-bit RSA key,
resulting in reduced memory and computational requirements [2]. SafeCurves [8] proposes
a set of criteria to ensure ECC security beyond discrete logarithm problems and evaluates
various curves against these criteria. This is an excellent resource when choosing curves for
specific implementations.

3. Literature Review
In resource-constrained environments, efficient ECC key generation is crucial.
Gura et al. [9] compared the performance of ECC key generation with RSA on 8-bit CPUs,
highlighting the advantages of ECC in terms of key size and computational efficiency.
They proposed optimizations to improve ECC performance in such devices. On the other
hand, Okeya et al. [10] presented a lightweight ECC key generation method suitable for
low-power devices, focusing on minimizing the computation and memory requirements.
Point multiplication is the most computationally intensive operation in ECC. Several
efficient point multiplication techniques have been proposed for resource-constrained
devices. Bao et al. [11] introduced a sliding-window method for ECC point multiplication
to enhance the performance on embedded platforms. They achieved notable speedups by
reducing the number of point additions. Lee et al. [12] proposed a hardware-efficient ECC
accelerator for IoT devices, incorporating Montgomery ladder-based point multiplication
to reduce the execution time and power consumption.
Efficient encryption and decryption schemes are crucial for secure communication
in resource-constrained devices. In their work, Kang et al. [13] introduced an ECC-based
encryption scheme suitable for IoT devices. They employed fixed-point arithmetic and
optimized modular exponentiation to achieve secure and efficient encryption with minimal
computational overhead. Similarly, Chandran and Shanmugam [14] presented a hardware
implementation of RSA and ECC for resource-constrained wireless sensor networks,
highlighting the advantages of ECC in terms of computation and memory requirements.
Techniques for optimizing ECC operations to fit within the limited computational and
power budgets of embedded systems are presented in [15]. The design and implementation
of hardware accelerators to improve ECC performance in embedded systems is discussed
in [16]. Wilson and Black [17] presented lightweight ECC algorithms specifically tailored
for Internet of Things devices, focusing on energy efficiency and performance. Johnson and
Lee [18] focused on implementing real-time ECC for automotive systems, ensuring both
performance and security.
Efficient key management is essential to secure ECC deployments in resource-constrained
devices. Fu et al. [19] proposed a lightweight ECC key management scheme for IoT devices,
focusing on secure key distribution and storage. They addressed the challenges of key
storage and updating in constrained environments. Additionally, security considerations
are vital in ECC implementations. A recent study by Brown and Green [20] discusses
countermeasures for securing ECC implementations in embedded systems from power
analysis attacks. Hamza and Mellah [21] analyzed the security of ECC in embedded systems,
highlighting potential side-channel vulnerabilities and proposing countermeasures
to mitigate these risks. Zulberti et al. [22] describe a verification framework, aimed at
enhancing the co-design process of hardware and software, and present its evaluation
using an ECC accelerator. The results indicated significant improvements in verification
speed and accuracy.
Research in post-quantum cryptography has identified several promising candidates
that could replace or complement ECC. Among these are lattice-based cryptographic
schemes, hash-based signatures, and code-based cryptosystems, which are believed to be
resistant to quantum attacks. Specifically, the use of supersingular elliptic curve isogenies
has emerged as a potential quantum-resistant alternative that leverages mathematical
structures related to elliptic curves but is believed to be secure against known quantum
attacks [23]. The National Institute of Standards and Technology’s (NIST) post-quantum
cryptography project aims to identify and recommend quantum-resistant algorithms that
can be widely adopted, ensuring a unified and secure approach to cryptography in the
quantum era [24]. The security of lattice-based cryptographic schemes is derived from the
difficulty of solving problems such as the Shortest Vector Problem and the Learning With
Errors problem. These problems are considered hard even for quantum computers, making
lattice-based cryptography a strong candidate for future-proof encryption methods [25].
Ikeda [26] presented a novel digital currency framework, qBitcoin, that contains
quantum-resistant features designed to counteract potential quantum-based attacks. Ikeda [27]
also highlighted the vulnerabilities of current blockchain systems, which are based on
computational hardness assumptions and are susceptible to quantum attacks. However,
as mentioned earlier, this research work was designed to serve as a bridge between current
cryptographic systems and a post-quantum world.

4. ECC in IoT and Smart Devices


Elliptic curve cryptography relies on the generation and management of cryptographic
keys for secure communication and data protection. The process of ECC key generation
involves selecting an appropriate elliptic curve, a base point on the curve, and a private
key (random integer) within a specific range. The public key is then derived from the
private key using point multiplication on the chosen base point. Several algorithms exist for
ECC key generation, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and
Elliptic Curve Integrated Encryption Scheme (ECIES), which are widely used in various
applications [28]. Bernstein et al. presented complete addition formulae for binary elliptic
curves, some of which are used later in the optimizations that we perform [29].
ECC key management is a crucial aspect of maintaining the security and integrity of
cryptographic systems. As the security of ECC relies on the intractability of the discrete
logarithm problem, proper key management practices are essential to prevent unauthorized
access and attacks. Key sizes and key pairs must be carefully chosen to ensure an appropriate
level of security without compromising system performance. Additionally, secure
key storage and distribution mechanisms are crucial to safeguarding private keys and
preventing key leakage. Techniques such as key derivation functions and key stretching
can be employed to enhance key protection and minimize the risk of key compromise.
ECC key generation and management are critical components of deploying secure
and efficient cryptographic systems. Proper key generation algorithms, the selection of
appropriate key sizes, and robust key management practices are essential to maximizing
the security benefits of ECC. By employing well-established ECC key generation and
management techniques, organizations can enhance data protection, secure communication,
and protect sensitive information in an increasingly interconnected world.

4.1. NIST P-256 and secp256k1


NIST P-256, also known as secp256r1, is one of the most commonly used elliptic curves
in cryptographic applications, particularly in protocols such as Transport Layer Security,
HTTPS, and digital signatures. Defined by the NIST as part of its Suite B cryptographic
standards, it offers a balance between security and efficiency, making it suitable for a wide
range of applications requiring public-key cryptography. Several research studies have
evaluated the security and performance of NIST P-256 in various contexts. A study by
Ryza et al. [30] assessed the security of elliptic curves including NIST P-256 against potential
attacks and concluded that these curves provide sufficient security for practical use.
Another study by Gura et al. [9] analyzed the performance of elliptic curve cryptography
on embedded systems and found that NIST P-256 offers a good balance between security
and efficiency for resource-constrained devices.
The secp256k1 elliptic curve has gained significant prominence, particularly in the
realm of cryptocurrencies such as Bitcoin [31]. The equation of this curve is $y^2 = x^3 + 7$.
One of the notable features of secp256k1 is its adoption as the underlying elliptic curve
for the generation of public–private key pairs in Bitcoin’s cryptographic scheme. Bitcoin’s
security relies heavily on the cryptographic properties of secp256k1, ensuring the integrity
and confidentiality of transactions within the network.

4.2. Lightweight Key Generation


In resource-constrained devices, such as Internet of Things devices and embedded
systems, efficient key generation is crucial for providing secure communication and data
protection. Lightweight key generation algorithms aim to address the computational
limitations of these devices while ensuring a sufficient level of security. This section
explores key generation techniques tailored to resource-constrained environments and
highlights their suitability for cryptographic applications.
One widely adopted approach for lightweight key generation is based on the concept
of deterministic key generation. Deterministic key generation algorithms generate cryptographic
keys from a fixed-length secret value and public information, ensuring that the
same key can be derived consistently on different devices. Deterministic key generation
reduces the computational overhead of generating random keys, making it suitable for
devices with limited processing capabilities. A popular example of deterministic key generation
is the deterministic elliptic curve Diffie–Hellman (ECDH) algorithm, which efficiently
derives shared secret keys for secure key exchange [32]. Another lightweight key generation
technique is the use of pseudo-random number generators (PRNGs). PRNGs utilize
deterministic algorithms to generate sequences of random-like numbers. While not truly
random, PRNGs offer adequate randomness for many cryptographic purposes. Several
lightweight PRNG algorithms have been designed specifically for resource-constrained
devices, providing a trade-off between security and efficiency. Implementations such as
TinyMT and ChaCha-based PRNGs are well suited for devices with limited memory and
computation resources [31,33].
Moreover, hardware-based key generation has emerged as a viable solution for
resource-constrained devices. Hardware security modules and trusted platform modules
(TPMs) are specialized hardware components capable of generating cryptographic
keys securely. These dedicated hardware modules offload key generation tasks from the
main processor, minimizing the computational burden and enhancing overall system security.
Hardware security modules and TPMs are particularly valuable in scenarios where
sensitive keys must be protected from potential software-based attacks [14]. The adoption
of lightweight elliptic curve cryptography also contributes to efficient key generation on
resource-constrained devices. It involves selecting specific elliptic curves and parameters
that offer a balance between security and performance. Key generation on these curves
requires fewer computations compared to traditional ECC curves, resulting in reduced
processing time and memory usage [34]. Figure 2 shows a block diagram of an elliptic
curve Diffie–Hellman key exchange between resource-constrained devices.

Figure 2. System diagram for ECDH key exchange between resource-constrained devices.

4.3. Efficient Point Multiplication Techniques


Efficient ECC point multiplication techniques in embedded systems are critical to
ensure fast and secure cryptographic operations using elliptic curve cryptography on
resource-constrained devices. Examples of such techniques are the Montgomery ladder
algorithm, Fixed-Point Arithmetic, the Sliding Window Technique, fixed-base point
multiplication, Projective Coordinates, and Endomorphisms.
Fixed-base point multiplication is used when the same point is multiplied by multiple
scalars (during an ECDH key exchange). In fixed-base point multiplication, a specific point
on the elliptic curve, known as the base point, is chosen and its multiples are precomputed
and stored in a lookup table. During the actual point multiplication, instead of performing
the scalar multiplication from scratch, the algorithm looks up the precomputed multiples
from the table based on the binary representation of the scalar. Through reusing the
same base point and its multiples, the computation becomes significantly faster and more
efficient. Since the precomputation of the base point multiples is performed offline, it
does not incur any additional overhead during runtime. The size of the lookup table can
be adjusted based on the required level of performance and available memory on the
embedded system. It is important to note that the choice of the base point in fixed-base
point multiplication is critical for security. The base point should be selected carefully,
ensuring that it has a high order (it generates a large cyclic subgroup) and provides good
resistance against potential side-channel attacks. Additionally, the security of fixed-base
point multiplication also depends on the chosen scalar multiplication algorithm and the
implementation of the lookup table. By employing appropriate security measures and
carefully choosing the base point, fixed-base point multiplication offers an efficient and
secure approach to point multiplication in embedded systems. Table 1 summarizes the
advantages and disadvantages of the various point multiplication techniques.

Table 1. Comparison of point multiplication techniques in elliptic curve cryptography.

| Technique | Description | Advantages | Disadvantages |
|---|---|---|---|
| Montgomery Ladder Algorithm | Efficient point multiplication algorithm that avoids conditional branches | Resistant to timing attacks, constant-time execution | Slightly more complex than double-and-add |
| Fixed-Point Arithmetic | Represents numbers with a fixed number of digits after the radix point | Simplified hardware design, faster operations | Limited precision, potential for overflow/underflow |
| Sliding Window Technique | Precomputes a window of points for efficient scalar multiplication | Faster for larger scalars, reduces point additions | Requires memory for precomputed points |
| Fixed-Base Point Multiplication | Repeatedly adds a fixed point to itself for efficient scalar multiplication | Optimized for certain scenarios, can be faster | Limited to a specific base point |
| Projective Coordinates | Represents points on elliptic curves using homogeneous coordinates | Avoids costly inversions, improves efficiency | Requires additional coordinate conversions |
| Endomorphisms | Special mappings on elliptic curves that can speed up point multiplication | Reduced computational cost, potential for smaller key sizes | Not all curves have efficient endomorphisms |
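
The six ECDH steps of Section 2.3 and the fixed-base technique described above, combined in one added example that is not code from the paper: Python over secp256k1, whose equation Section 4.1 gives, using the standard SEC 2 domain parameters. The function names, the window width `w` and the 64-bytes-per-point table sizing are assumptions made for this example.

```python
# Added example: ECDH on secp256k1 with a fixed-base table for key generation.
import secrets

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_p), as published in SEC 2.
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True only for a finite point with reduced coordinates on the curve."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0


def add(p1, p2):
    """Affine point addition (chord), doubling (tangent) and identity cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul_variable(k, pt):
    """Left-to-right double-and-add for an arbitrary point (used for d * Q_peer)."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def build_table(w=4):
    """Offline step: table[j][d - 1] = d * 2^(w*j) * G for d = 1 .. 2^w - 1."""
    table, base = [], G
    for _ in range(-(-N.bit_length() // w)):
        row, acc = [], INF
        for _ in range(2**w - 1):
            acc = add(acc, base)
            row.append(acc)
        table.append(row)
        base = add(acc, base)  # 2^w * base starts the next window
    return table


def table_bytes(w):
    """Table size with uncompressed affine points (2 x 32 bytes per entry)."""
    return -(-N.bit_length() // w) * (2**w - 1) * 64


def mul_fixed(k, table, w=4):
    """k * G from table lookups and additions only; no doublings at run time.
    Reference code: it branches on secret digits, which an embedded
    implementation must replace with a constant-time table scan."""
    acc, mask = INF, 2**w - 1
    for row in table:
        digit = k & mask
        if digit:
            acc = add(acc, row[digit - 1])
        k >>= w
    return acc


def keypair(table, w=4):
    """Steps 1-2: private d in [1, n-1], public Q = d * G via the fixed-base table."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul_fixed(d, table, w)


def shared_secret(d, peer_q):
    """Steps 4-5: S = d * Q_peer. The peer's point changes every exchange, so the
    precomputed table for G does not help here."""
    if not on_curve(peer_q):
        raise ValueError("peer public key is not a point on the curve")
    return mul_variable(d, peer_q)[0].to_bytes(32, "big")


if __name__ == "__main__":
    tbl = build_table(4)
    d_a, q_a = keypair(tbl)
    d_b, q_b = keypair(tbl)
    print("secrets match:", shared_secret(d_a, q_b) == shared_secret(d_b, q_a))
    for w in (1, 2, 4, 8):
        print(f"w={w}: {table_bytes(w)} bytes, at most {-(-256 // w)} additions")
```

`table_bytes` shows the memory side of the trade-off for this curve: 16,384 bytes at `w = 1` and 61,440 bytes at `w = 4`.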

The Montgomery ladder algorithm is another technique for performing scalar multiplication
on elliptic curves efficiently. It was originally introduced by Peter L. Montgomery
in the context of modular multiplication but has found widespread use in ECC due to its
applicability to scalar multiplication. The algorithm is particularly well suited for operations
involving repeated doubling and addition of points on elliptic curves, which is a fundamental
operation in cryptographic protocols like the ECDH key exchange. The Montgomery
ladder operates by iteratively doubling and adding points on the elliptic curve based on
the binary representation of the scalar. This method significantly reduces the number of
operations required compared to a straightforward repeated point addition, leading to a more
efficient scalar multiplication process. The ladder algorithm ensures a constant number of
operations regardless of the bit length of the scalar, contributing to its effectiveness and
suitability for hardware and software implementations in resource-constrained environments.
Its simplicity, along with its efficiency, makes the Montgomery ladder algorithm a preferred
choice for elliptic curve scalar multiplication in various cryptographic applications.

4.4. Curve25519
Curve25519 is an elliptic curve cryptography curve designed by Daniel J. Bernstein [35]
to address the need for efficient and secure cryptographic operations. The design choices
behind Curve25519 prioritize computational efficiency and security. The curve’s efficiency
is underscored by its compact representation and swift performance. Public keys shrink
to a compact 32-byte footprint, ideal for resource-constrained devices. Point multiplication
glides across the curve with exceptional speed, making Curve25519 a favorite for
performance-hungry applications.
Curve25519 is defined over a finite field $\mathbb{F}_p$, where $p$ is a prime number. The curve
equation takes the form
$$y^2 = x^3 + 486662x^2 + x \qquad (1)$$
Curve25519 can be used in the ECDH key exchange protocol. Each party privately
generates a random 32-byte secret key; from the private key, each party publicly derives a
32-byte public key using the Curve25519 equation; each party uses their private key and the
other party’s public key to compute a shared secret using modular point multiplication on
the curve. Curve25519 relies on the Montgomery ladder algorithm for efficient scalar
multiplication. The Montgomery ladder combines point addition with point doubling in a single
step, thereby reducing the number of operations needed. Careful implementation ensures
all operations take the same amount of time, mitigating timing-based side-channel attacks.

5. ECC for Vehicle Sensors and Control Units


Today’s vehicles contain a variety of sensors and control units that play an important
role in all aspects of the successful functioning of the vehicle. The engine control
unit, the transmission control unit, the powertrain control unit, and other similar control
units possess more resources compared to sensors such as air temperature sensors, wheel
speed sensors, mass airflow sensors, etc. We have performed and published extensive
research [36–40] on intrusion detection in Controller Area Networks for vehicles. This work
focuses on efficient ECC implementation techniques for vehicular security. Table 2 lists the
computing resources of some of the control units and sensors.
As evident from Table 2, control units and sensors are characterized by limited computational
power, memory, and energy resources and hence demand tailored cryptographic
solutions. The optimization and adaptation of ECDH for such devices necessitate a delicate
balance between computational efficiency, security guarantees, and the constraints inherent
to resource-limited environments. To delve into the interplay between processor speed,
memory, and power usage for ECDH performance on embedded devices, we leveraged the
versatility of the Linux operating system within a well-established simulation environment.
This approach allows for controlled experimentation and analysis while providing valuable
insights applicable to real-world resource-constrained devices. Profiling tools within
the environment will provide detailed statistics on instruction execution, cache usage,
and memory accesses, enabling us to correlate these measures with the ECDH performance.
Employing power estimation models specifically designed for the chosen simulated
processor architecture translated the obtained performance metrics into estimated energy
consumption. This indirect approach, while acknowledging its limitations, offers valuable
insights into the power–performance trade-off when varying hardware configurations.

Table 2. Engine control units and sensors.

| Name | Processor (MHz) | Memory (KB) |
|---|---|---|
| Engine Management System Platform | 133 | 16,384 |
| Gasoline SDI and TCU | 80 | 2560 |
| MT86 Powertrain Control Module | 80 | 1536 |
| MT88 Engine Control Module | 80 | 3096 |
| MT05 Engine Control Module | 40 | 256 |
| MT60 Engine Control Module | 66 | 1024 |
| M3C Engine Control Unit | 16 | 16 |
| Gasoline Port Fuel Injection | 80 | 2048 |
| Multi Position Linear Actuator | 40 | 64 |
| After treatment Control | 16 | 4096 |
| Air Module Engine Control Unit | 16 | 4 |
| Glow Plug Control with SCR Heater | 32 | 256 |
| Ride-by-Wire Engine Control Unit | 40 | 32 |
| Mass Airflow Sensor | | |
| Smart NOX Sensor | | |

Experimental Setup
QEMU (“Quick EMUlator”) is free and open-source software [41] that facilitates
hardware virtualization, allowing operating systems and programs designed
for different architectures to run on an existing machine. QEMU can emulate a wide range
of processors.
For our configuration, we used a low-end ARM Cortex-M microcontroller, specifically
a Texas Instruments LM3S6965 (Dallas, TX, USA) operating at a clock speed of 32 MHz and
equipped with 32 KB of RAM. The clock speed and memory resemble a low-end control
unit or sensor. We used a well-optimized Curve25519 implementation from the TinyCrypt
library [42]. We measured execution time, peak memory usage, and estimated energy
consumption. The McPAT power estimation model, specifically tailored for the Cortex-M0+
architecture, translated execution time into estimated energy consumption. Once we were
able to measure the three metrics satisfactorily using the initial configuration, we then ran
our experiment with various combinations of processor speed and memory. We used an
efficient P-256 [43] implementation to compare the results between the curves.

6. Results
Table 3 lists the execution time, peak memory usage, and energy consumption for
ECDH secure key exchange using Curve25519. At every processor speed, peak memory
usage is at capacity with 16 KB and 32 KB of memory; at least 64 KB of memory is
required for memory usage to stay below capacity. The energy consumption, although
varying slightly, is not significantly different across configurations. As expected,
execution time decreases as processor speed increases.
Table 3. Execution time, peak memory usage, and energy consumption for Curve25519.

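| Processor Speed (MHz) | Memory (KB) | Execution Time (ms) | Peak Memory Usage (KB) | Energy Consumption (mW) |
|---|---|---|---|---|
| 16 | 16 | 2931 | 16 | 70 |
| 16 | 32 | 2560 | 32 | 63 |
| 16 | 64 | 2038 | 52 | 59 |
| 32 | 16 | 1502 | 16 | 67 |
| 32 | 32 | 1203 | 32 | 64 |
| 32 | 64 | 927 | 50 | 57 |
| 48 | 16 | 831 | 16 | 63 |
| 48 | 32 | 697 | 32 | 57 |
| 48 | 64 | 523 | 47 | 55 |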

We ran the same experiment using other standard ECC curves for the 48 MHz, 64 KB
configuration; the results are listed in Table 4.

Table 4. Comparison of execution time, peak memory usage, and energy consumption across multiple
elliptic curves for 48 MHz processor speed and 64 KB memory.

| Curve | Execution Time (ms) | Peak Memory Usage (KB) | Energy Consumption (mW) |
|---|---|---|---|
| Curve25519 | 523 | 47 | 55 |
| NIST P-256 | 1582 | 64 | 103 |
| NIST P-384 | 2041 | 64 | 129 |
| secp256k1 | 1270 | 64 | 79 |
| NIST P-521 | 2973 | 64 | 172 |

7. Discussion
The results demonstrate that Curve25519 is a better choice compared to other curves
due to its compact representation and swift performance. It exhibits remarkable efficiency
in terms of execution time. Its design choices prioritize computational simplicity, resulting
in faster cryptographic operations compared to traditional NIST curves. This advantage
is particularly pronounced on embedded devices with limited processing capabilities. Its
superiority in execution time makes it an attractive choice for applications where speed is
paramount and resources are limited.
NIST P-256 and NIST P-384, while widely adopted in practice, tend to exhibit slower
execution times on embedded devices. The larger key sizes and more complex arithmetic
operations associated with these NIST curves contribute to increased computational over-
head. Our experiments have shown that cryptographic operations involving NIST curves
can be several times slower than those involving Curve25519. Curve secp256k1’s per-
formance is better than the NIST curves but inferior to Curve25519. One must carefully
weigh the trade-offs between security requirements and performance considerations when
selecting cryptographic primitives for embedded devices.
Memory usage is another critical aspect to consider in the context of embedded de-
vices, where resources are often scarce. Curve25519’s compact representation translates into
smaller memory footprints compared to NIST curves. Its 32-byte public keys and minimalis-
tic implementation make it well suited for memory-constrained environments. Conversely,
NIST P-256 and NIST P-384 require larger key sizes and more extensive storage for crypto-
graphic parameters, resulting in higher memory usage. This poses challenges for devices
with limited memory resources, necessitating careful memory management strategies.
Power consumption is a crucial consideration in battery-powered embedded devices,
where energy efficiency is important. Our results demonstrate that efficient arithmetic oper-
ations and compact representation of Curve25519 contribute to lower power consumption
compared to NIST curves. By minimizing computational complexity, Curve25519 enables
devices to perform cryptographic operations with reduced energy consumption.
Quantum computers are expected to dramatically accelerate the ability to solve prob-
lems that are currently infeasible for classical computers, including those underlying ECC.
This shift would compromise the security of protocols that rely on ECC. Post-quantum
cryptography focuses on finding cryptographic primitives that are secure against quan-
tum adversaries, with lattice-based, hash-based, and code-based cryptographic schemes
among the leading candidates. To bridge the gap between existing ECC systems and future
post-quantum requirements, hybrid approaches are emerging as a practical solution.
Fan et al. [44] discuss various known side-channel attacks that target ECC, including
timing attacks, power analysis, electromagnetic attacks, and fault injection attacks. The liter-
ature details numerous countermeasures designed to protect ECC implementations, such as
constant-time algorithms, masking techniques, and randomization strategies. Side-channel
attacks need to be addressed and must be a part of any future research that addresses
quantum cryptography.

8. Conclusions
The choice of cryptographic algorithms for embedded devices hinges on a delicate
balance among security, performance, memory usage, and power consumption. While
NIST curves and other widely used curves such as secp256k1 offer standardized security
guarantees, Curve25519 excels in terms of execution time, memory usage, and power
consumption, making it an appealing choice for resource-constrained environments. By im-
plementing Curve25519, designers and engineers can strike a balance between security
and resource efficiency, enabling the deployment of secure cryptographic solutions in
resource-constrained environments.
Future research directions in embedded cryptography will likely need to focus on
integrating post-quantum cryptographic algorithms into resource-constrained devices.
As attacks targeting embedded devices become more sophisticated, future research may
emphasize hardware-level security enhancements. This could involve the development of
secure hardware modules or the integration of advanced security features into embedded
processors to protect against physical and side-channel attacks. Future research direc-
tions may focus on developing energy-efficient cryptographic protocols and algorithms
optimized for low-power operation.
Hybrid cryptographic schemes should be considered, given the threats of quantum
computing, as a future research direction. Hybrid cryptographic schemes combine tradi-
tional ECC with post-quantum algorithms to provide layered security. In these hybrid sys-
tems, ECC handles encryption and signatures in the classical context, while post-quantum
algorithms are incorporated to safeguard against potential quantum threats. This approach
will allow for a gradual transition to quantum-resistant cryptographic methods, ensur-
ing that current systems remain secure while preparing for the future. The development
and deployment of hybrid cryptographic approaches represent a pragmatic strategy in
addressing the evolving security landscape.

Funding: This research received no external funding.


Data Availability Statement: Data are contained within the article.
Conflicts of Interest: The author declares no conflict of interest.

References
1. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209. [CrossRef]
2. NIST. NIST Special Publication 800-186: Guide to Elliptic Curve Cryptography; Technical Report; NIST: Gaithersburg, MD, USA, 2017.
3. Shukla, A.; Gupta, B.B. A Review on Elliptic Curve Cryptography and its Applications. Comput. Sci. Rev. 2018, 28, 43–56.
[CrossRef]
4. Proos, J.; Zalka, C. Shor’s Discrete Logarithm Quantum Algorithm for Elliptic Curves. Quantum Info. Comput. 2003, 3, 317–344.
[CrossRef]
5. Bernstein, D.J.; Lange, T. Post-Quantum Cryptography: An Overview. Nature 2018, 549, 188–194. [CrossRef] [PubMed]
6. Campagna, M.; Chen, L.; Dagdelen, Ö.; Ding, J.; Fernick, J.K.; Gisin, N.; Hayford, D.; Jennewein, T.; Lütkenhaus, N.;
Mosca, M.; et al. Quantum Safe Cryptography and Security: An Introduction, Benefits, Enablers and Challenges. ETSI White Pap.
2015, 8, 8.
7. Washington, L.C. Elliptic Curve Cryptography: Mathematics, Algorithms, and Applications; CRC Press: Boca Raton, FL, USA, 2008.
8. Bernstein, D.J.; Lange, T. SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography. 2014. Available online: https://
safecurves.cr.yp.to/ (accessed on 10 March 2023).
9. Gura, N.; Patel, A.; Wander, A.; Eberle, H. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. CHES 2004, 8, 119–132.
10. Okeya, K.; Tagami, T.I.; Yasuda, K. Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery
of the y-coordinate on a Montgomery form curve. In Proceedings of the International Conference on Cryptology in India
(INDOCRYPT), Chennai, India, 16–20 December 2001; pp. 324–337.
11. Bao, P.; Chai, Z.; Zhang, W.; Zhang, H.; Tian, Y. Implementation and analysis of sliding window method in ECC point
multiplication. Microprocess. Microsys. 2018, 60, 148–155.
12. Lee, H.; Kwon, J.; Lee, H.; Park, H.; Hwang, S. Design and implementation of a hardware-efficient ECC accelerator for the
Internet of Things. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 2015, 24, 3273–3282.
13. Kang, B.; Zhu, W.; Wang, W. Lightweight elliptic curve cryptography on the Internet of Things devices. IEEE Trans. Comput. 2019,
68, 79–91.
14. Chandran, S.P.; Shanmugam, A. Hardware implementation of RSA and elliptic curve cryptography for resource-constrained
wireless sensor networks. Int. J. Comput. Appl. 2016, 146, 9–14.
15. Smith, J.; Doe, J. Efficient Implementation of Elliptic Curve Cryptography on Resource-Constrained Devices. J. Cryptogr. Eng.
2021, 11, 123–134.
16. Taylor, C.; White, D. High-Performance ECC Hardware Accelerators for Embedded Systems. IEEE Trans. Comput. 2023, 72,
1123–1134.
17. Wilson, E.; Black, F. Lightweight ECC Algorithms for IoT Devices. ACM Trans. Embed. Comput. Syst. 2021, 20, 45–56.
18. Johnson, O.; Lee, K. Real-Time ECC for Automotive Embedded Systems. In Proceedings of the Symposium on Cryptographic
Hardware and Embedded Systems (CHES), IACR, Leuven, Belgium, 18–21 September 2022; pp. 150–162.
19. Fu, J.; Li, K.; Zhou, Y.; Xu, S. A lightweight ECC key management scheme for IoT devices. IEEE Access 2018, 6, 61881–61891.
20. Brown, A.; Green, B. Secure ECC Implementations Against Power Analysis Attacks. In Proceedings of the International
Conference on Embedded Security in Cars, Haikou, China, 15–18 December 2022; pp. 78–89.
21. Hamza, A.; Mellah, S. Security assessment of ECC implementations on constrained embedded systems. Int. J. Netw. Secur. 2020,
22, 602–617.
22. Zulberti, L.; Di Matteo, S.; Nannipieri, P.; Saponara, S.; Fanucci, L. A Script-Based Cycle-True Verification Framework to Speed-Up
Hardware and Software Co-Design: Performance Evaluation on ECC Accelerator Use-Case. Electronics 2022, 11, 3704. [CrossRef]
23. Jao, D.; De Feo, L. Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. In Post-Quantum
Cryptography; Springer: Berlin/Heidelberg, Germany, 2011; pp. 19–34.
24. Chen, L.; Jordan, S.; Liu, Y.K.; Moody, D.; Peralta, R.; Perlner, R.; Smith-Tone, A. Report on Post-Quantum Cryptography. In NIST
Internal Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016.
25. Micciancio, D.; Regev, O. Lattice-based cryptography. In Post-Quantum Cryptography; National Institute of Standards and
Technology: Gaithersburg, MD, USA, 2009; pp. 147–191.
26. Ikeda, K. qBitcoin: A Peer-to-Peer Quantum Cash System. In Intelligent Computing; Springer International Publishing:
Berlin/Heidelberg, Germany, 2018; pp. 763–771. [CrossRef]
27. Ikeda, K. Chapter Seven-Security and Privacy of Blockchain and Quantum Computation. In Blockchain Technology: Platforms, Tools
and Use Cases; Raj, P., Deka, G.C., Eds.; Elsevier: Amsterdam, The Netherlands, 2018; Volume 111, pp. 199–228. [CrossRef]
28. Hankerson, D.; Vanstone, S.; Menezes, A. Guide to Elliptic Curve Cryptography; Springer Science & Business Media:
Berlin/Heidelberg, Germany, 2004. [CrossRef]
29. Bernstein, D.J.; Lange, T.; Farashahi, R.R. Binary Edwards Curves. In Cryptographic Hardware and Embedded Systems—CHES 2008,
Proceedings of the 10th International Workshop, Washington, DC, USA, 10–13 August 2008; Springer: Berlin/Heidelberg,
Germany, 2008; pp. 244–265.
30. Ryza, K.; Smith, J.; Johnson, A. Security of elliptic curves: A comprehensive study. J. Cryptogr. Eng. 2016, 6, 87–105.
31. Saito, M.; Matsumoto, M. TinyMT: A Small-Sized Variant of Mersenne Twister. ACM Trans. Model. Comput. Simul. (TOMACS)
2011, 22, 3.
32. Madden, M.; Batina, L.; Gurkaynak, F.K.; Guajardo, J.; Sadeghi, A.R.; Tuyls, P. Diffie-Hellman over Minimal Extension
Fields for IoT Devices. In Workshop on Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec); Springer:
Berlin/Heidelberg, Germany, 2016; pp. 128–146.
33. Bernstein, D.J. ChaCha, a Variant of Salsa20; Technical Report; 2008. Available online: https://cr.yp.to/chacha/chacha-20080120.pdf
(accessed on 11 May 2024).
34. Gürkaynak, F.K.; Güneysu, T.; Paar, C. LECC: Lightweight Elliptic Curve Cryptography for RFID Tags and Sensor Nodes. In
Workshop on Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec); Springer: Berlin/Heidelberg, Germany,
2014; pp. 113–127.
35. Bernstein, D.J. Curve25519: New Diffie-Hellman Speed Records. Public Key Cryptogr. 2006, 3958, 207–228. [CrossRef]
36. Tanksale, V. Controller Area Network Security Requirements. In Proceedings of the 2020 International Conference on Computa-
tional Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 16–18 December 2020; pp. 157–162. [CrossRef]
37. Tanksale, V. Design of Anomaly Detection Functions for Controller Area Networks. IEEE Open J. Intell. Transp. Syst. 2021,
2, 312–321. [CrossRef]
38. Tanksale, V. Anomaly Detection for Controller Area Networks Using Long Short-Term Memory. IEEE Open J. Intell. Transp. Syst.
2020, 1, 253–265. [CrossRef]
39. Tanksale, V. Intrusion Detection For Controller Area Network Using Support Vector Machines. In Proceedings of the 2019 IEEE
16th International Conference on Mobile Ad Hoc and Sensor Systems Workshops (MASSW), Monterey, CA, USA, 4–7 November
2019; pp. 121–126. [CrossRef]
40. Tanksale, V. Gated Recurrent Units for Intrusion Detection. In Proceedings of the 2023 IEEE IAS Global Conference on Emerging
Technologies (GlobConET), London, UK, 19–21 May 2023; pp. 1–5. [CrossRef]
41. QEMU Project. QEMU. Available online: https://www.qemu.org/ (accessed on 10 October 2023).
42. Intel Corporation. TinyCrypt. Available online: https://github.com/intel/tinycrypt (accessed on 10 May 2024).
43. Google. Tink Python. 2023. Available online: https://github.com/tink-crypto/tink-py (accessed on 15 May 2024).
44. Fan, J.; Guo, X.; De Mulder, E.; Schaumont, P.; Preneel, B.; Verbauwhede, I. State-of-the-art of secure ECC implementations: A
survey on known side-channel attacks and countermeasures. In Proceedings of the 2010 IEEE International Symposium on
Hardware-Oriented Security and Trust (HOST), Anaheim, CA, USA, 13–14 June 2010; pp. 76–87. [CrossRef]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.
