ECC on Your Fingertips: A Single Instruction Approach for Lightweight ECC Design in GF(p)

Size: px

Start display at page:

Download "ECC on Your Fingertips: A Single Instruction Approach for Lightweight ECC Design in GF(p)"

Shauna Marshall
6 years ago
Views:

1 ECC on Your Fingertips: A Single Instruction Approach for Lightweight ECC Design in GF(p) Debapriya Basu Roy, Poulami Das and Debdeep Mukhopadhyay June 19, 2015 Debapriya Basu Roy ECC on Your Fingertips 1 / 18

2 Elliptic Curve Cryptography With the increase of sensitive information in the Internet, security is becoming an important aspect. Debapriya Basu Roy ECC on Your Fingertips 2 / 18

3 Elliptic Curve Cryptography With the increase of sensitive information in the Internet, security is becoming an important aspect. Cryptography provides a method for securing and authenticating the transmission of information over insecure channels. Debapriya Basu Roy ECC on Your Fingertips 2 / 18

4 Elliptic Curve Cryptography With the increase of sensitive information in the Internet, security is becoming an important aspect. Cryptography provides a method for securing and authenticating the transmission of information over insecure channels. Elliptic Curve Cryptography (ECC): Computationally intensive. Debapriya Basu Roy ECC on Your Fingertips 2 / 18

5 Elliptic Curve Cryptography With the increase of sensitive information in the Internet, security is becoming an important aspect. Cryptography provides a method for securing and authenticating the transmission of information over insecure channels. Elliptic Curve Cryptography (ECC): Computationally intensive. Can be accelerated by designing FPGA based accelerator. Debapriya Basu Roy ECC on Your Fingertips 2 / 18

6 Elliptic Curve Cryptography Elliptic Curve Cryptography Public Key Cryptography Algorithm Debapriya Basu Roy ECC on Your Fingertips 3 / 18

7 Elliptic Curve Cryptography Elliptic Curve Cryptography Public Key Cryptography Algorithm based on ECDLP Debapriya Basu Roy ECC on Your Fingertips 3 / 18

8 Elliptic Curve Cryptography Elliptic Curve Cryptography Public Key Cryptography Algorithm based on ECDLP Scalar multiplication: The most important operation of ECC Debapriya Basu Roy ECC on Your Fingertips 3 / 18

9 Elliptic Curve Cryptography Elliptic Curve Cryptography Public Key Cryptography Algorithm based on ECDLP Scalar multiplication: The most important operation of ECC Involves point doubling and point addition operations Debapriya Basu Roy ECC on Your Fingertips 3 / 18

10 Elliptic Curve Cryptography ECC Scalar Multiplication Double-and-Add Algorithm Algorithm 1: Double-and-Add Algorithm Data: Point P and scalar k = k m 1, k m 2, k m 3...k 2, k 1, k 0, where k m 1 = 1 Result: Q = kp Q = P for i = m 2 to 0 do Q = 2Q (Point Doubling) if k i =1 then Q = Q + P (Point Addition) end end Each point doubling requires 8 field multiplications Each point addition requires 11 field multiplications Debapriya Basu Roy ECC on Your Fingertips 4 / 18

11 Single Instruction Processor One Instruction Set Computing Single instruction is executed repeatedly Debapriya Basu Roy ECC on Your Fingertips 5 / 18

12 Single Instruction Processor One Instruction Set Computing Single instruction is executed repeatedly Possible to create a Turing complete machine Debapriya Basu Roy ECC on Your Fingertips 5 / 18

13 Single Instruction Processor One Instruction Set Computing Single instruction is executed repeatedly Possible to create a Turing complete machine Idea of using OISC for cryptographic applications was first proposed in CHES 2010 by David Naccache Debapriya Basu Roy ECC on Your Fingertips 5 / 18

14 Single Instruction Processor One Instruction Set Computing Single instruction is executed repeatedly Possible to create a Turing complete machine Idea of using OISC for cryptographic applications was first proposed in CHES 2010 by David Naccache OISC has been also used to support homomorphic encryption architecture Debapriya Basu Roy ECC on Your Fingertips 5 / 18

15 Single Instruction Processor Example of OISC ADDLEQ (Add the operands and branch if the answer is less than or equal to zero) Debapriya Basu Roy ECC on Your Fingertips 6 / 18

16 Single Instruction Processor Example of OISC ADDLEQ (Add the operands and branch if the answer is less than or equal to zero) SUBLEQ (Subtract the operands and branch if the answer is less than or equal to zero) Debapriya Basu Roy ECC on Your Fingertips 6 / 18

17 Single Instruction Processor Example of OISC ADDLEQ (Add the operands and branch if the answer is less than or equal to zero) SUBLEQ (Subtract the operands and branch if the answer is less than or equal to zero) SBN (Subtract the operands and branch if the answer is less than zero) Debapriya Basu Roy ECC on Your Fingertips 6 / 18

18 Single Instruction Processor Example of OISC ADDLEQ (Add the operands and branch if the answer is less than or equal to zero) SUBLEQ (Subtract the operands and branch if the answer is less than or equal to zero) SBN (Subtract the operands and branch if the answer is less than zero) RSSB (Reverse subtract and skip if borrow) Debapriya Basu Roy ECC on Your Fingertips 6 / 18

19 Single Instruction Processor Example of OISC ADDLEQ (Add the operands and branch if the answer is less than or equal to zero) SUBLEQ (Subtract the operands and branch if the answer is less than or equal to zero) SBN (Subtract the operands and branch if the answer is less than zero) RSSB (Reverse subtract and skip if borrow) SBNZ (Subtract the operands and branch if the answer is non-zero) Debapriya Basu Roy ECC on Your Fingertips 6 / 18

20 Single Instruction Processor SBN Execution Table: SBN and Addition using SBN Code 1.1 SBN: Subtract and Branch if negative SBN A,B,C D.Mem[A]=D.Mem[A]-D.Mem[B] if(d.mem[a]<0) jump to C else jump to next instruction Code 1.2 Addition using SBN ADD C,A,B 1. SBN X,X,2 2. SBN X,A,3 3. SBN X,B,4 4. SBN C,C,5 5. SBN C,X,6 Debapriya Basu Roy ECC on Your Fingertips 7 / 18

21 Single Instruction Processor 1st Operand Address 2nd Operand Address Jump Address Figure: Instruction format of OISC Debapriya Basu Roy ECC on Your Fingertips 8 / 18

22 Single Instruction Processor clk reset 260 Instruction Address en_ins Ins Memory clk reset addr. port A 21 5 we_a 5 addr. port B en_a D A T A M E M O R Y dout port A 260 dout port B en_b Sub tractor 1 +1 clk reset Program Counter clk reset Control Unit 11 we_a=write enable for port A en_a=read enable for port A en_b= read enable for port B Figure: Architecture of SBN-OISC Debapriya Basu Roy ECC on Your Fingertips 8 / 18

23 SBN-OISC and ECC Instruction Level Optimization Switching-off Memory Write-back Code 1.3 Field Addition using Traditional SBN ADD p C,A,B 1. SBN X,X,2 2. SBN X,A,3 3. SBN X,B,4 4. SBN C,C,5 5. SBN C,X,6 6. SBN R,R,7 7. SBN R,X,8 8. SBN R,P,12 9. SBN X,X, SBN X,R, SBN C,X, SBN... Code 1.4 Field Addition using our Modification ADD p C,A,B 1. SBN w X,X,2 2. SBN w X,A,3 3. SBN w X,B,4 4. SBN w C,C,5 5. SBN w C,X,6 6. SBN nw C,P,8 7. SBN w C,P,8 8. SBN... Debapriya Basu Roy ECC on Your Fingertips 9 / 18

24 SBN-OISC and ECC Instruction Level Optimization Operations Practically beyond SBN Right Shift operation Debapriya Basu Roy ECC on Your Fingertips 10 / 18

25 SBN-OISC and ECC Instruction Level Optimization Operations Practically beyond SBN Right Shift operation Shifting Key Register Debapriya Basu Roy ECC on Your Fingertips 10 / 18

26 SBN-OISC and ECC Instruction Level Optimization Operations Practically beyond SBN Right Shift operation Shifting Key Register Multiplication Debapriya Basu Roy ECC on Your Fingertips 10 / 18

27 SBN-OISC and ECC Instruction Level Optimization Different SBN Instructions Table: Different Variant of SBN Instruction Instruction Memory Multiplier Key-shift Right-shift Write-back reset SBN wmulksrs x x x SBN nwmulksrs x x x x SBN nwmulksrs x x x SBN wmulksrs x x SBN nwmulksrs x x x Debapriya Basu Roy ECC on Your Fingertips 11 / 18

28 SBN-OISC and ECC Instruction Level Optimization Different SBN Instructions Table: Different Variant of SBN Instruction Instruction Memory Multiplier Key-shift Right-shift Write-back reset SBN wmulksrs x x x SBN nwmulksrs x x x x SBN nwmulksrs x x x SBN wmulksrs x x SBN nwmulksrs x x x w/nw mul/mul ks/ks rs/rs 1st Operand Address 2nd Operand Address Jump Address Figure: Modified Instruction format of SBN-OISC Debapriya Basu Roy ECC on Your Fingertips 11 / 18

29 Multiplier Architecture Lightweight FPGA based Multiplier Modular Reduction Algorithm Algorithm 2: Fast Modular Reduction Algorithm for NIST P-256 Curve Data: 512 bit product C represented as C = C 15 C C 0, where each C i is a 32 bit integer, i {0, 15} Result: P = C mod P-256 T = (C 7 C 6 C 5 C 4 C 3 C 2 C 1 C 0 ) S 1 = (C 15 C 14 C 13 C 12 C ) S 2 = (0 C 15 C 14 C 13 C ) S 3 = (C 15 C C 10 C 9 C 8 ) S 4 = (C 8 C 13 C 15 C 14 C 13 C 11 C 10 C 9 ) D 1 = (C 10 C C 13 C 12 C 11 ) D 2 = (C 11 C C 15 C 14 C 13 C 12 ) D 3 = (C 12 0 C 10 C 9 C 8 C 15 C 14 C 13 ) D 4 = (C 13 0 C 11 C 10 C 9 0 C 15 C 14 ) P = T + 2S 1 + 2S 2 + S 3 + S 4 D 1 D 2 D 3 D 4 mod P-256 Debapriya Basu Roy ECC on Your Fingertips 12 / 18

30 Multiplier Architecture Lightweight FPGA based Multiplier Architecture of the Multiplier a[15:0] a[255:240] b[15:0] b[255:240] sel_a addr_a DSP BLOCK Acc addr_b we M E M O R Y DSP BLOCK Acc. sel_b mul_sel 48 sel_b sel_a mul_sel we add/sub mod_sel 16 bit right shift clk Multiplier Control Unit addr_a addr_b 32 bit right shift rs a mod_out right_shift_output result_memory output Figure: Architecture of Lightweight Field Multiplier Debapriya Basu Roy ECC on Your Fingertips 13 / 18

31 ECC SBN-OISC Processor Result Full Processor Architecture clk ks Instruc tion Memory reset addr_1 addr_0 instruction key register mul_add we_a=write enable for port A en_a=read enable for port A en_b= read enable for port we_b=write enable for port B Address shift by 1 addr_a ks 256 addr_b web 2 {mul,rs} dina dinb we_a 5 web en_a clk reset D A T A M E M O R Y Multiplier dout port A 260 en_b 260 dout port B 260 Sub tractor Control Unit +1 clk reset Program Counter clk reset Figure: ECC SBN-OISC Processor Architecture Debapriya Basu Roy ECC on Your Fingertips 14 / 18

32 ECC SBN-OISC Processor Result Table: Area and Timing Performance of the proposed ECC SBN-OISC processor Platform Freq. Slices LUTs Flip- DSP DSP Block- Time (MHz) Flops for ALU for Multiplier RAM (ms) Virtex Spartan Debapriya Basu Roy ECC on Your Fingertips 15 / 18

33 ECC SBN-OISC Processor Result Table: Comparison of ECC SBN-OISC Processor with Existing Designs Reference Slices MULTs BRAMs Freq Latency FPGA (MHz) (ms) Micro-ECC P bit [1] Virtex-II Pro Micro-ECC P bit [1] Virtex-II Pro [2] 16 bit any prime curve Virtex-II Pro [2] 32 bit any prime curve Virtex-II Pro [3] P (DSP) Virtex-4 [4] P Not shown Not shown Spartan-6 Present Work, P (DSP) Virtex-5 Present Work, P (DSP) Spartan-6 Debapriya Basu Roy ECC on Your Fingertips 16 / 18

34 ECC SBN-OISC Processor Result Scope of Improvement Reducing the latency of the design Debapriya Basu Roy ECC on Your Fingertips 17 / 18

35 ECC SBN-OISC Processor Result Scope of Improvement Reducing the latency of the design Reducing the block ram usage Debapriya Basu Roy ECC on Your Fingertips 17 / 18

36 Conclusion Conclusion Merged two design strategies to create an extremely light-weight ECC crypto-processor for scalar multiplication in NIST P-256 curve. Debapriya Basu Roy ECC on Your Fingertips 18 / 18

37 Conclusion Conclusion Merged two design strategies to create an extremely light-weight ECC crypto-processor for scalar multiplication in NIST P-256 curve. First strategy: using single instruction processor Debapriya Basu Roy ECC on Your Fingertips 18 / 18

38 Conclusion Conclusion Merged two design strategies to create an extremely light-weight ECC crypto-processor for scalar multiplication in NIST P-256 curve. First strategy: using single instruction processor Second strategy: optimum usage of FPGA hard-ips Debapriya Basu Roy ECC on Your Fingertips 18 / 18

39 Conclusion Conclusion Merged two design strategies to create an extremely light-weight ECC crypto-processor for scalar multiplication in NIST P-256 curve. First strategy: using single instruction processor Second strategy: optimum usage of FPGA hard-ips First implementation to reduce the slice count to less than 100. Debapriya Basu Roy ECC on Your Fingertips 18 / 18

40 Conclusion Michal Varchola, Tim Güneysu, and Oliver Mischke. MicroECC: A Lightweight Reconfigurable Elliptic Curve Crypto-processor. In 2011 International Conference on Reconfigurable Computing and FPGAs, ReConFig 2011, Cancun, Mexico, November 30 - December 2, 2011, pages , Jo Vliegen, Nele Mentens, Jan Genoe, An Braeken, Serge Kubera, Abdellah Touhafi, and Ingrid Verbauwhede. A Compact FPGA-based Architecture for Elliptic Curve Cryptography over Prime Fields, booktitle = 21st IEEE International Conference on Application-specific Systems Architectures and Processors, ASAP 2010, Rennes, France, 7-9 July 2010, pages = , year = 2010, crossref = DBLP:conf/asap/2010, url = doi = /ASAP , timestamp = Thu, 30 Sep :42: , biburl = bibsource = dblp computer science bibliography, Tim Gneysu and Christof Paar. Ultra High Performance ECC over NIST Primes on Commercial FPGAs. In In Proceedings of CHES, pages 62 78, Benedikt Driessen, Tim Güneysu, Elif Bilge Kavun, Oliver Mischke, Christof Paar, and Thomas Pöppelmann. IPSecco: A lightweight and reconfigurable IPSec core. In 2012 International Conference on Reconfigurable Computing and FPGAs, ReConFig 2012, Cancun, Mexico, December 5-7, 2012, pages 1 7, Debapriya Basu Roy ECC on Your Fingertips 18 / 18

ECC on Your Fingertips: A Single Instruction Approach for Lightweight ECC Design in GF (p)

ECC on Your Fingertips: A Single Instruction Approach for Lightweight ECC Design in GF (p) Debapriya Basu Roy, Poulami Das, and Debdeep Mukhopadhyay Secured Embedded Architecture Laboratory (SEAL) Department