# I. INTRODUCTION mart card is a credit-card sized plastic card with an embedded computer chip. Smart cards play an increasingly important role in everyday life. We encounter them as credit cards, loyalty cards, electronic purses, health cards, and as secure tokens for authentication or digital signatures. Their small size and the compatibility of their form make them ideal carriers of personal information such as secret keys, passwords, customization profiles, and medical emergency information. Electronic Payment is one of the most widely used applications of the smart card and is the most familiar among the average user. There are several different types of smart cards in this category, all of which deal with currency or a fiscal value. Smart cards can provide multi-factor authentication by using PIN/Biometrics combination with the card. verification and validation of a user identity using multiple authentication mechanisms. It often combines two or more authentication methods-for example, a three-factor authentication is based on password (Something you know), smart card (Something you have), and fingerprints (Something you are). For example, in addition to what the user knows (such as a PIN), the card can provide authentication using the card owner's digital certificate with the card owner's public key. The digital certificate associates the card owner's identity to the person's public key. The smart card also contains the card owner's private key, which can be used for digitally signing e-mail or documents. With the support of biometric technologies, the smart card can also be used to store biometric templates of the card owner, which can be used to verify the card owner by acquiring a biometric sample (such as a fingerprint) and matching it to the reference template stored on the card or off the card using a biometric authentication server. Using biometric templates can be considered for security-sensitive applications where PINs can be stolen [1]. Unlike standard public-key methods that operate over integer fields, the elliptic curve cryptosystems operate over points on an elliptic curve. Cryptographic algorithms based on discrete logarithm problem can be efficiently implemented using elliptic curves [21]. ECC is emerging as an attractive public-key cryptosystem for smart cards because compared to traditional cryptosystems like RSA/DH, it offers equivalent security with smaller key sizes, faster computation, lower power consumption, as well as memory and bandwidth savings [2]. # II. # SMART CARD & ARCHITECTURE Smart cards come in two varieties: memory and microprocessor. Memory cards simply store data and can be viewed as a small floppy disk with optional security. A microprocessor card, on the other hand, can add, delete and manipulate information in its memory on the card. Similar to a miniature computer, a # January 2012 Multi-factor authentication approach is recommended in which security requirements are intended for highly secure installation and mandate a robust solution. Multi-factor authentication ensures microprocessor card has an input/output port operating system and hard disk with built-in security features. a) Contact Vs. Contactless Smart cards have two different types of interfaces: contact and contactless. Contact smart cards are inserted into a smart card reader, making physical contact with the reader. However, contactless smart cards have an antenna embedded inside the card that enables communication with the reader without physical contact. A combi card combines the two features with a very high level of security. # b) Basic Smart Card Chip Architecture The basic smart card architecture is shown on Figure 1. It is a complete set of a microcontroller. It is a small embedded computer with low processing power (8-bit CPU, 5 MHz clock) and small memory (4 Kb RAM, 16 Kb EEPROM, 64 Kb ROM).It is secure and inexpensive [20]. Test Logic: A verification function only used during the production process to test all internal circuits for manufacturing faults. Security Logic: A continuous function that checks environmental conditions that could jeopardise the security of the smart card. # I/O Interface: A communication function that takes care of receiving external commands and sending back responses using a serial communication protocol. # ROM: The permanent memory of the chip. It can contain parts of the operating system and self test procedures. # RAM: The CPU's scratch pad memory. This is used for storing temporary or intermediate data like session keys, internal variables and stack data. EEPROM: Non-volatile updateable memory. It is used for storing application data like keys, PINs, balances, phone numbers, Biometric template and sometimes application or even operating system code. Data Bus: The transfer channel within the chip. All information exchanged between the various functions passes through this channel. # III. # BIOMETRIC AUTHENTICATION # Biometric technique is an automated methodology for the recognition of a person based on behavioral or physiological characteristics. These characteristics include features such as hand geometry, handwriting, face, fingerprints, vein, voice, retina, and iris. Biometric technologies are now the key to an extensive array of highly secured identification and personal verification solutions. Biometric system is a pattern recognition technology that makes personal identification of an individual by determining the authenticity of a specific physiological or behavioral characteristics possessed by the user [3]. # a) Biometric Based Implementation on Smart Card The use of biometrics within the card itself will mean that biometric features (fingerprint, retina, voice etc) can reliably identify a person. The use of some of these features has already been implemented in many applications. Table 1 below gives the required bytes for various biometric types. Additional information about biometric technology and standards can be found from the following organizations: The Biometric Consortium (www.biometrics.org), International Biometric Industry Association (www.ibia.rg), or BioAPI Consortium (www.iapi com) [4]. Match-off-card: For this type of implementation, the enrolled template is initially loaded onto the smart card and then transferred from the smart card via either contact or contactless interface when requested by the external biometric system. The external equipment then compares a new live template of the biometric with the one retrieved from the smart card. This implementation clearly has some security risks associated with transmitting the enrolled template off of the smart card for every biometric comparison. Appropriate security measures should be implemented to ensure the confidentiality and integrity of the released template. Match-on-card: This implementation technique initially stores the enrolment template in the smart card's secure memory. When a biometric match is requested, the external equipment submits a new live template to the smart card. The smart card then performs the matching operation within its secure processor and securely communicates the result to the external equipment. Biometric match-on-card approach can provide more private and secure identity verification system compare to match-off-card approach [5]. V. # ELLIPTIC CURVE ARITHMETIC Elliptic curves are not like an ellipse or curve in shape. They look similar to doughnuts. Geometrically speaking they somehow resemble the shape of torus, which is the product of two circles when projected in three-dimensional coordinates. ECC makes use of elliptic curves in which the variables and coefficients are restricted to elements of a finite field. There are two families of elliptic curves defined for use in cryptography: prime curves defined over odd prime field F P and binary curves defined over Galois field GF (2 m ). a) Geometrical Definition of Point Addition and point Doubling using chord-and-tangent rule For any two points P(x 1 , y 1 ) ? Q(x 2 , y 2 ) on an elliptic curve, EC group law point addition can be defined geometrically (Figure 2) as: "If we draw a line through P and Q, this line will intersect the elliptic curve at a third point (-R). The reflection of this point about x-axis, R(x 3 , y 3 ) is the addition of P and Q". Fig. 2 : Addition: R=P+Q For P=Q, point doubling, geometrically (Figure 3) if we draw a tangent line at point P, this line intersects elliptic curve at a point (-R). Then, R is the reflection of this point about x-axis. The dominant operation in ECC cryptographic schemes is point multiplication. This is the operation January 2012 which is the key to the use of elliptic curves for asymmetric cryptography---the critical operation which is itself fairly simple, but whose inverse (the elliptic curve discrete logarithm) is very difficult. ECC arranges itself so that when you wish to performance operation the cryptosystem should make easy encrypting a message with the public key, decrypting it with the private key the operation you are performing is point multiplication. Scalar multiplication of a point P by a scalar k as being performed by repeated point addition and point doubling for example 7P=(2((2P)+P)+P. c) Elliptic Curve Over F P and F 2 m Definition of elliptic curve over F P as follows [6]. Let p be a prime in F P and a, b? F P such that 4a 3 + 27b 2 ? 0 mod p in F P , then an elliptic curve E (F P ) is defined as E (F P ):= { p( x, y) , x, y ? F P } Such that y2 = x 3 + ax + b mod p together with a point O, called the point at infinity. Below is the definition of addition of points P and Q on the elliptic curve E (F P ). Let P(x 1 , y 1 ) and Q(x 2 , y 2 ) then The point p(x, -y) is said to be the negation of p(x, y). # The elliptic curves over y 2 ? y 1 If P ? ±Q (Point Addition) x 2 ? x 1 ? = 3x 1 2 + a If P = Q (Point Doubling) 2y 1 O If x 1 = x 2 and y 2 =? y 1 R = P+Q = Q = Q+P If P = O (x 3 , y 3 ) otherwise Where ? 2 +? + x 2 +x 1 + a If P ? ±Q (Point Addition) x 3 = ? 2 + ? + a If P = Q (Point Doubling) y 3 = ? ( x 1 + x 3 )+ x 3 + y 1 and y 2 + y 1 If P ? ±Q (Point Addition) x 2 + x 1 ? = x 1 x 1 If P = Q (Point Doubling) y 1 # VI. ELLIPTIC CURVE CRYPTOGRAPHY FOR MESSAGE AUTHENTICATION The use of Elliptic Curve Cryptography was initially suggested by Neal Koblitz [7] and Victor S. Miller [8]. Elliptic curve cryptosystems over finite field have some advantages like the key size can be much smaller compared to other cryptosystems like RSA, Diffie-Hellman since only exponential-time attack is known so far if the curve is carefully chosen [7] [6] and Elliptic Curve Cryptography relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem ECDLP, which states that, "Given an elliptic curve E defined over a finite field F P , a point P?E (F P ) of order n, and a point Q?E (F P ) , find the integer k ? [0,n ?1] such that Q = k P. The integer k is called the discrete logarithm of Q to the base P, denoted k = log P Q". # a) Elliptic Curve Encryption/Decryption Consider a message 'Pm' sent from A to B. 'A' chooses a random positive integer 'k', a private key 'n A ' and generates the public key P A = n A × G and produces the cipher text 'Cm' consisting of pair of points Cm = { kG , Pm + kP B } where G is the base point selected on the Elliptic Curve, P B = n B × G is the public key of B with private key 'n B '. To decrypt the cipher text, B multiplies the 1st point in the pair by B's secret & subtracts the result from the 2nd point Pm + kP B -n B (kG) = Pm + k(n B G) -n B (kG) = Pm. # VII. VARIOUS ECC IMPLEMENTATION APPROACHES ON SMART CARD In [14] Ahmad Khaled M. AL-Kayali demonstrated the advantages and disadvantages of using Prime/binary fields to implement ECC on smart cards. Prime fields are best for software applications where as Binary fields are suitable for Hardware applications [22]. To access remote information systems Password authenticated key agreement scheme [15] is very useful in limited computation and communication resource (smart card) environments. A two-phase authentication mechanism proposed [16] by Abhilasha, Anna Squicciarini, Elisa Bertino. In that first phase consists of a two-factor biometric authentication and second phase combines several authentication factors in conjunction with biometric to provide a strong authentication. A key advantage of this approach is that any unanticipated combination of factors can be used. Disadvantage of using existing remote user authentication schemes [17] [18] is if the smart card is lost and password is revealed then any one can impersonate to sever as authorized user. To overcome this K K Goyal and M S Chahar proposed a new scheme [19] using Biometrics. 3 shows NIST guidelines on choosing computationally equivalent symmetric and public-key sizes [10]. ECC is the best suited in constrained environments. The advantages like speed and smaller keys or certificates are especially important in environments where at least one of the following resources is limited [9]: processing power, storage space, band width, or power consumption. This advantage is because its inverse operation gets harder, faster, against increasing key length than do the inverse operations in Diffie Hellman and RSA. Table 4 shows a comparison of the RSA and ECC cryptographic operations performed by an SSL server. Open SSL speed program is used to measure RSA decryption and ECDH operation for different key sizes (a minor enhancement was made for collecting RSA-1536 numbers). These micro-benchmarks highlight ECC's performance advantage over RSA for different security levels. ECC's performance advantage increases even faster than its key-size advantage as security needs increase [10]. 1![Fig.1 : Basic Smart card Chip Architecture Smart card components are: CPU (Central Processing Unit): The heart of the chip, all computational work like implementing cryptographic algorithms and data exchange goes via this function.](image-2.png "Fig. 1 :") 3![Fig.3 : Doubling: R=P+P](image-3.png "Fig. 3 :") 222![is defined as follows.Denote the (non-super singular) elliptic curve overF 2 m by E (F 2 m ). If a, b ? F 2 m such that b ? 0 then E (F 2 m ) = {p(x, y), x, y ? F 2 m }such that y 2 + xy = x 3 + ax 2 + b ? F P m together with a point O, called the point at infinity.The addition of points on E (F is given as follows: Let P(x 1 , y 1 ) and Q(x 2 , y 2 ) be points on the elliptic curve E(F 2 m ), then A Survey of Elliptic Curve Cryptography Implementation Approaches for Efficient Smart Card Processing Global Journal of Computer Science and Technology Volume XII Issue I Version I x 1 ? x 2 If P ? ±Q (Point Addition) x 3 = ? 2 ? 2x 1 If P = Q (Point Doubling) y 3 = ?(x 1 ? x 3 ) ? y 1 , and](image-4.png "F 2 m 2 m)? 2 ?") ![a) Comparing ECC with other PKC Schemes The majority of public key systems in use today use 1024-bit parameters for RSA and Diffie-Hellman. The US National Institute for Standards and Technology [NIST] has recommended that these 1024-bit systems are sufficient for use until 2010. Table](image-5.png "") 1systemsBiometric SystemNo. of Bytes RequiredFinger scan300-1200Finger geometry14Hand geometry9Iris recognition512Voice verification1500Face recognition500-1000Signature verification500-1000Retina recognition96b) Classification of Biometric ApproachesMainBiometricbasedsmartcardimplementation approaches are "match-off-card" and"match-on-card". 2January 2012 3Security(bits)RSA key Length (bits)ECC key Length (bits)DSA/DH (bits)Key Size Ratio of RSAand ECCMIPS years to attackProtection attack80 1024 160-223 1024 1:6 10 12 Until 2010112 2048 224-255 2048 1:9 10 24 Until 2030128 3072 256-383 3072 1:12 10 28Bey-192 7860 384-511 7860 1:20 10 47ond256 15360 512+15360 1:30 10 602031 January 2012© 2012 Global Journals Inc. (US) © 2012 Global Journals Inc. (US) Global Journal of Computer Science and Technology Volume XII Issue I Version I January 2012© 2012 Global Journals Inc. (US) VIII. ## CONCLUSION The smart card market has experienced a spectacular growth over the past few years. Along with their growing popularity there has been a corresponding growth of interest in their security. With respect to endto-end security no other security solutions nearly as good and affordable as smart cards exist. Elliptic curve cryptography has been emerged as a vast field of interest for application specific security requirements. The elliptic curve discrete logarithm problem makes ECC most efficient compared to earlier RSA/DSA algorithms. * Core Security Patterns: Best Practices and Strategies for J2EE?, Web Services, and Identity Management ChristopherSteel RameshNagappan RayLai * Efficient and provably-secure identity-based signatures and signcryption from bilinear maps Proc. Of ASIACRYPT'05 Of ASIACRYPT'05 2005 3778 * Biometric and Systems Security: An Overview of End-To-End Security System EmmanuelOpara MohammadRob VanceEtnyre Communications of the IIMA 6 2 2006 * Smart Card Technology: Past, Present, and Future LMohammed AbdulRahman Ramli VPrakash MohamedBDaud International Journal of The Computer, the Internet and Management 12 1 January -April, 2004 * Smart Card Alliance white paper PAC-11002 March 2011 Smart Cards and Biometrics * Guide to Elliptic Curve Cryptography DarrelHankerson AlfredMenezes ScottVanstone * EllipticCurve Cryptosystems NKoblitz Mathematics of Computation 1987 48 * Uses of Elliptic Curve in Cryptography VMiller Proceedings of Crypto'85, Lectures notes on Computer Sciences Crypto'85, Lectures notes on Computer Sciences Springer-Verlag 1986 218 Advances in Cryptography * A Survey on Elliptic Curve Cryptography for Pervasive Computing Environment VivekKatiyar KamleshDutta SyonaGupta December 2010 IJCA 11 * Speeding up Secure Web Transactions using Elliptic Curve Cryptography (ECC) VipulGupta DouglasStebila StephenFung SheuelingChang NilsGura HansEberle * AdamDWoodbury DanielVBailey ChristofPaar The Fourth Smart Card Research and Advanced Applications(CARDIS 2000) Conference September 20-22, 2000 ECC on smart cards without coprocessors * Implimentating ECC on PC and smart card IstvanZsolt Berta ZoltanAdam Mann 2002 * Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card YvonneHitchcock EdwardDawson AndrewClark PaulMontague ANZIAM J 44 2003 * Elliptic Curve Cryptography and Smart Cards AhmadKhaled MAl-Kayali SANS Instutute 2004 * A Password-Authenticated Key Agreement Scheme Based on ECC Using Smart Cards AqeelKhalique KuldipSingh SandeepSood May 2010 IJCA 2 * Privacy Preserving Multi-Factor Authentication with Biometrics AnnaAbhilasha ElisaSquicciarini Bertino DIM'06 November 3, 2006 * A Novel Remote User Authentication Scheme Using Smart Card based on ECDLP DJena SKJena DMohanty SKPanigrahy IEEE Proceeding of International Conference on Advanced Computer Control 2008 * Modified Remote User Authentication Scheme using Smart Card based on ECDLP DebasishJena SanjaySaroj Kumar Panigrahy SubhenduKumar Jena Kumar Pani 2009, 28 -31 December 2009 Sri Lanka * A Novel Remote User Authentication Scheme using Smart Card with Biometric Based on ECDLP K KGoyal M SChahar International Journal of Information Technology and Knowledge Management 4 2 July-December 2011 * A Review of Smartcard Security Issues Hoon RonnieDCaytiles Journal of Security Engineering Jun-2011 * A Workload Characterization of Elliptic Curve Cryptography Methods in Embedded Environments RBranovic EGiorgi Martinelli June-2004 ACM 32 * Elliptic Curve for Data protection AWasim Al-Hamdani Oct-2011 Information Security Curriculum conference