Small RSA/ECC Public Key Accelerators

Overview

Key Features

• Up to 4160-bit modulus size for RSA & 768-bit modulus for prime field ECC operations
• Public key signature generation, verification and key negotiation with little involvement of host
• NIST CAVP compliant for FIPS 140-3

Benefits

• The PKA-IP-28 accelerates the following basic operations in hardware:
  • Large vector addition, subtraction and combined addition/subtraction
  • Large vector bit shift right or left
  • Large vector multiplication, modulo and division (the 
latter generates both remainder and quotient)
  • Large vector compare and copy
• The PKA-IP-28 also accelerates the following complex operations, under control of an embedded sequencer microcontroller, using locally stored firmware:
  • Large vector unsigned value modular exponentiation
  • Large vector unsigned value modular exponentiation using the ‘Chinese Remainders Theorem’ (‘CRT’) method with pre-calculated Q inverse vector
  • Modular inversion: given A and M, calculate B such that ((AB) MOD M) = 1
  • Prime field ECC point addition/doubling on elliptic curve y2=x3+ax+b (mod p) with ‘p’ a prime number and ‘a’ and ‘b’ input values to the operation, adding identical points automatically performs point doubling – operation can be performed with affine and projective points
  • Prime field ECC point multiplication on elliptic curve y2=x3+ax+b (mod p) with ‘p’ a prime number and ‘a’ and ‘b’ input values to the operation – a version of the ‘Montgomery ladder’ algorithm, point randomization and point-on-curve checking are used to provide side channel attack protection 
The Sequencer firmware hides the fact that the modular exponentiations and ECC point multiplication are done using numbers in the Montgomery domain.
For improved performance of modular exponentiation operations, the Public Key Accelerator employs exponent recoding techniques that use a table with pre-calculated odd powers (filling this table is performed by the sequencer firmware). The smallest configurations can optionally use the ‘Montgomery Ladder’ algorithm for modular exponentiation (lower performance but fixed timing).

Block Diagram

Applications

• IoT, mobile, or other small gate count applications for secure boot, software public key signature checking and ‘occasional’ public key operations as used for IPsec and MACsec channel setup and firmware download signatures
• Secure router boxes, secure network interfaces and SSL servers, where the PKA-IP-28 is used in medium to high performance (Elliptic Curve) Diffie-Hellman key negotiation engines
• Hardware security modules, used in medium to high performance secure public key signature generator/checker engines

Deliverables

• Documentation
  • Hardware Reference and Programmer Manual
  • Integration Manual
  • Verification Specification
• Synthesizable Verilog RTL source code
• Self-checking RTL test bench, including test vectors and expected result vectors
• Simulation scripts
• Synthesis scripts
• Many different configurations available:
  • RAM or ROM option
  • Protection of side-channel attacks
  • Gate counts range from : 16-515k gates, depending on the number of Large Number Multipliers and Exponentiators
• Performance when running at 400 MHz (using the highest performing configuration for each operation and doing modular inversions with exponentiations):
  • DH 180/1K-bit exp/mod negotiate: 10,500 ops/s
  • RSA 1K-bit sign (no CRT): 2,000 ops/s; sign (with CRT): 3,500 ops/s; verify (17 bits exp): 70,000 ops/s
  • DSA 160/512-bit exp/mod sign: 16,000 ops/s; verify: 8,900 ops/s
  • ECDSA 192-bit sign: 2,950 ops/s; verify: 1,650 ops/s
  • ECDSA 384-bit sign: 900 ops/s; verify: 490 ops/s
  • SM2DSA 256-bit sign: 1,280 ops/s; verify: 890 ops/s
• For more information about this product or the all the different configurations, please contact Rambus: https://www.rambus.com/contact

Technical Specifications