1 Contents. Version of EnSilica Ltd, All Rights Reserved

Transcription

1

2 1 Contents 1 Contents 2 2 Overview 3 3 Hardware Interface Resource requirements 4 4 Software Interface Register Map Interrupts 7 5 RSA Operation Introduction Cycle counts References 9 6 Revision History 10 Version of EnSilica Ltd, All Rights Reserved

3 2 Overview The core is an easy to use RSA accelerator peripheral for a 32-bit APB bus. ASIC or FPGA target Key sizes parameterable up to 4096 Performs all code necessary for modular exponentiation Supports short public keys Fully synchronous design APB configuration Verilog 2001 APB Clock APB Slave IRQ APB Registers RSA Engine Figure 1: Version of EnSilica Ltd, All Rights Reserved

4 3 Hardware Interface Module Name esi_rsa_apb HDL Verilog 2001 Technology Generic Source Files esi_rsa_apb.v, esi_rsa_apb_if.v, esi_rsa.v, esi_rsa_ram_sp.v, esi_rsa_ram_pdp.v, esi_pulse_scdc.v Parameter Range Default Description apb_address_width APB address bus width for key sizes apb_data_width APB data bus width key_size_max Maximum supported key size Table 1: Parameters APB Port Direction Width Description pclk Input 1 Clock presetn Input 1 Reset, active-low paddr Input 8 Address psel Input 1 Slave select penable Input 1 Enable pwrite Input 1 Write pwdata Input 32 Write data pclk_cactive Output 1 Clock active pready Output 1 Ready prdata Output 32 Read data pslverr Output 1 Slave error interrupt_n Output 1 Interrupt request, active-low Table 2: APB I/O Ports RSA Port Direction Width Description clk Input 1 RSA clock that can be externally gated reset_n Input 1 Reset, active-low clk_cactive Output 1 RSA clock active Table 3: RSA I/O Ports For complete details of the APB signals, please refer to the AMBA Protocol specifications available at Resource requirements The deliverable contains a RTL compiler script to synthesise the top level with ARM artisan memories. The following table gives some typical results for 200 MHz operation in TSMC90LP. key_size_max Logic area Memory area Total area Equivalent gates ,500 44,200 94,700 33, ,500 61, ,600 39, ,500 88, ,000 49,250 Variants using only single port register files or just registers are also supported. Version of EnSilica Ltd, All Rights Reserved

5 4 Software Interface 4.1 Register Map The software register map for the 1024 bit configuration is given below. For other configurations the address offset scales accordingly Register Address offset Access Description a_memory 0x000 R/W Residue memory b_memory 0x080 R/W Message memory d_memory 0x100 R/W Private key memory n_memory 0x180 R/W Modulus memory control 0x200 R/W Control register status 0x204 R/W Status register instruction 0x208 R/W Instruction register n0prime 0x20C R/W n0' register length 0x210 R/W Length register e 0x214 R/W Public key register Table 4: Register Map Control Register The control register contains the module and interrupt enable bits. The interrupt enable bit only affects the generation of the hardware interrupt, it does not affect the software interrupt status bit in the status register. Figure 2: Format of the control register 1 0 IE E Register Values Description E 0 - Disable Enable for RSA module. 1 - Enable IE 0 - Disable Interrupt 1 - Enable Interrupt Interrupt enable. Table 5: Fields of the control register Status Register The status register contains the interrupt status bit. To clear a bit in the status register, write a 1 to it. Writing a 0 will leave it unchanged. Figure 3: Format of the status register 0 IS Register Values Description IS 0 - Interrupt not set 1 - Interrupt set Interrupt status. This bit is set to 1 once all the micro-instructions in the control register have finished. It is set independent of the IE field to allow software polling instead of hardware interrupt generation. Write 1 to clear. Table 6: Fields of the status register Version of EnSilica Ltd, All Rights Reserved

6 4.1.3 Instruction Register The instruction register contains a selection of flags that control the operation of the module. A sequence of instructions can be performed by setting more than one flag in this register, and they will be executed strictly in the order from LSB to MSB. The register is autocleared when all instructions are complete OP12 OP11 OP10 OP9 RES OP7 OP6 OP5 OP4 OP3 OP2 OP1 OP0 Figure 4: Format of the instruction register Register Syntax Values Description OP0 MON B,A,B 0 - Disabled OP1 RED B,B,R 0 - Disabled OP2 RED A,1,R 0 - Disabled OP3 RED A,A,R 0 - Disabled OP4 MON A,A,B 0 - Disabled OP5 MON B,B,B 0 - Disabled OP6 EXP_PRI 0 - Disabled for to if then OP7 EXP_PUB 0 - Disabled for to if then RES Reserved Write as 0 OP9 MON B,1,A 0 - Disabled OP10 MON B,1,B 0 - Disabled OP11 MON A,1,A 0 - Disabled OP12 Reserved Write as 0 Table 7: Fields of the instruction register N0prime Register The n0prime register holds a constant required for Montgomery reduction 31 0 N0PRIME Figure 5: Format of the n0prime register The Montgomery multiplier requires an additional quantity,. This is the negative inverse of the least significant digit of n_memory modulo, i.e.. This is easily calculated in software Length Register The length register holds the array digit and bit sizes PRI_KEY_BITS PUB_KEY_BITS SIZE Figure 6: Format of the length register Version of EnSilica Ltd, All Rights Reserved

7 Register Values Description SIZE 0-32 The number of digits in the modulus n_memory. PUB_KEY_BITS 1-31 The number of bits in the public key register e. PRI_KEY_BITS 1-key_size_max The number of bits in the private key memory d_memory. Table 8: Fields of the length register Public Key Register The e register holds the public key E Figure 7: Format of the length register The public key is usually chosen to be very simple, for example is a common choice. In this IP the public key cannot be more than 32 bits long. 4.2 Interrupts The interrupt status bit IS is set when all instructions in the control field have executed to completion. The interrupt_n signal will be raised when the IS bit is set and the IE flag in the control register is set to 1. The IS bit is set independent of the IE flag setting. The IS bit and interrupt_n signal are both cleared by writing a 1 to the status register. Version of EnSilica Ltd, All Rights Reserved

8 5 RSA Operation 5.1 Introduction The RSA algorithm finds application in public key cryptography. This core accelerates one of the core functions required, that of modular exponentiation. The following equation is used to produce the ciphertext from a message using a public key and modulus The inverse operation recovers the message from the ciphertext using the private key. The modular exponentiation is broken down inside the hardware to a series of modular multiplications and these in-turn are performed by an efficient digit based algorithm called Montgomery multiplication. The modular exponentiation LSB method is defined as follows function ModExp(,, ) Input: -bit modulus in n_memory message in b_memory exponent with bits in d_memory or e Output: in b_memory Step 1. Step 2. Step 3. for to if then end if Step 4. end for return Where is defined as and, with digits of size,, and must be odd. The IP core is capable of carrying out a number of micro-instructions to perform the complete algorithm, and these are available individually so intermediate results can be stored, or they can be chained together to complete the calculation without intervention. For example the algorithm above can be completed in one step using the sequence of microinstructions intable 9; write 0x246 for private key or 0x286 for public key exponentiation to the instruction register. The cycle count is given for an 1024-bit RSA and public key Version of EnSilica Ltd, All Rights Reserved

9 Step Instruction OP Operation Cycles Initial Load message into 1 RED B,B,R OP RED A,1,R OP EXP_PRI OP6 for to or or if then EXP_PUB OP7 4 MON B,1,A OP Total Table 9: Performing a one-off modular exponentiation If the same modulus is to be reused for multiple messages the n-reduction in Step 1 is best performed in a different manner. This involves using the hardware instructions to pre-calculate and store, which can be re-used multiple times to quickly get the message n-residue with one iteration of MonPro. The precalculation can be performed by writing 0xC to the instruction register. You then read back the result from a_memory and store it in the processor memory. When you come to perform the modular exponentiation you now write back to a_memory in addition to writing the message into b_memory, and the new instruction to execute is now either 0x245 or 0x285 for private and public key respectively. Note that the a_memory is overwritten each time so will need to be re-loaded, hence the requirement for the processor to store it away. The cycle count is given for an 1024-bit RSA and public key The new sequence is given in Table 10. Step Instruction OP Operation Cycles Pre 1 RED A,1,R OP Pre 2 RED A,A,R OP Initial Load message into b_memory Load into a_memory 1 MON B,A,B OP RED A,1,R OP EXP_PRI OP6 for to or or if then EXP_PUB OP7 4 MON B,1,A OP Total Table 10: Performing multiple modular exponentiation with the same modulus 5.2 Cycle counts The cycle counts using the method described in Table 10 are given in Table 11. The public key is in these examples, and the private exponent has an equal number of 1's and 0's. RSA 1024 Public key RSA 1024 Private key 50,973 3,648,272 Table 11: Cycle count 5.3 References 1 PKCS#1 v2.1: RSA Cryptography Standard. RSA Laboratories. June 14, 2002 Table 12: References Version of EnSilica Ltd, All Rights Reserved

10 6 Revision History Revision Date Description /03/2012 Initial Release /01/2013 Corrected register map offsets for byte address Renamed from esi_apb_rsa to esi_rsa_apb Table 13: Revision History Version of EnSilica Ltd, All Rights Reserved