Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols . ........ 19 2.5.1 Symmetric-KeyCryptography . .. 20 2.5.2 Public-KeyCryptography . 21 2.5.3 The Integer Factorisation Problem (IFP) . ....... 22 2.5.4 TheDiscreteLogarithmproblem(DLP) . .... 23 I 2.5.5 The Elliptic Curve Discrete Logarithm problem (ECDLP) ........ 23 2.5.6 DigitalSignatures .......... ........... ........ 24 2.5.7 CryptographicKeySizes . 25 2.6 HardwareOverview................................ 27 2.6.1 XilinxFPGA ................................ 28 2.6.2 MemoryandDSPBlocks ...... ........... ........ 29 2.6.3 FPGADesign................................ 30 2.7 Microblaze ..................................... 31 2.7.1 Microblaze Architecture & Implementation . ....... 31 2.7.2 FSLBus .................................. 33 2.8 HardwareArchitecture . ... 33 2.8.1 AdditionalHardware . 34 2.9 HardwareConstraints. ... 35 2.9.1 SideChannelAttacks. 36 2.9.2 Area,Speed,PowerandEnergy . 36 2.10 PerformanceMetrics . ... 38 2.11Conclusions.................................... 39 3 Elliptic Curve Cryptography 40 3.1 Introduction.................................... 40 3.2 DedicatedDoublingandAddition . ..... 43 3.2.1 AffineCoordinateSystem . 44 3.2.2 ProjectiveCoordinateSystem . ... 44 3.2.3 JacobianCoordinateSystem . .. 46 3.2.4 TwistedEdwardsCurves . 48 3.2.5 ExtendedTwistedEdwards. 50 3.2.6 DedicatedAlgorithmOverview . .. 51 3.3 EllipticCurveCryptographicProcessor . ......... 52 II 3.3.1 Control ................................... 52 3.3.2 ModularArithmetic ............................ 53 3.3.3 ModularMultiplication. .. 54 3.3.4 ModularInversion ............................. 56 3.3.5 SchedulingandEfficiency . 57 3.3.6 AlgorithmicCostofFieldOperations . ..... 61 3.3.7 AreaResults forDedicated Doublingand Addition . ........ 63 3.4 MeasuringthePowerDissipation. ...... 64 3.4.1 DedicatedDoublingandAdditionPower Results . ....... 67 3.4.2 Area-TimeandAreaEnergyProduct. ... 69 3.5 PowerAnalysisAttacks. ... 72 3.6 DummyArithmeticInstructions . ..... 73 3.7 UnifiedDoublingandAddition. .... 74 3.8 RegularScalarMultiplication. ....... 76 3.8.1 Co-ZArithmetic .............................. 78 3.8.2 CombinedDouble-AddOperation . .. 79 3.8.3 (X,Y)-onlyoperations . 79 3.9 AlgorithmicCostofSPASecureAlgorithms . ........ 82 3.10 Area and Power Results for SPA Secure Algorithms . .......... 83 3.10.1 Comparing Dedicated Addition & SPA Secure Algorithms........ 88 3.11 LargerKeyandFieldSizes . .... 89 3.12Conclusions.................................... 90 4 Hash Functions 92 4.1 Introduction.................................... 92 4.2 BackgroundtotheSHA-3HashFunctions . ...... 95 4.3 ImplementatingSHA-3HashFunctions . ...... 96 4.3.1 CubeHash.................................. 98 III 4.3.2 Shabal.................................... 100 4.4 SHA-3RoundTwoImplementations . .... 102 4.4.1 BLAKE................................... 102 4.4.2 Grøstl.................................... 103 4.4.3 JH...................................... 104 4.4.4 Keccak ................................... 106 4.4.5 Skein .................................... 107 4.5 HashInterface................................... 108 4.5.1 CommunicationsProtocol . 111 4.5.2 PaddingProtocol .............................. 112 4.6 RoundTwoResults ................................. 114 4.7 RoundThreeAnalysis .............................. 118 4.7.1 RoundThreeChanges ........ ........... ........ 118 4.7.2 ComparingDifferentRoundResults . .... 119 4.7.3 SHA-3PowerandEnergy . 120 4.8 ComparisonwithOtherWork. ... 123 4.8.1 ComparisonofRoundThreeResults. ... 126 4.9 Conclusions..................................... 130 5 Cryptographic Processor 132 5.1 Introduction.................................... 132 5.2 BackgroundtoSignatureAlgorithms. ....... 135 5.2.1 TheEllipticCurve DigitalSignatureAlgorithm . ......... 136 5.2.2 ECDSADomainParameters . 137 5.3 ImplementingECDSA ............................... 138 5.3.1 KeyPairGeneration ............................ 138 5.3.2 SignatureGeneration. 139 5.3.3 SignatureVerification. 139 IV 5.3.4 ECDSAImplementationOptions . 140 5.4 RandomKeyGeneration ........... ........... ....... 141 5.4.1 Entropy................................... 142 5.4.2 Fortuna ................................... 143 5.4.3 RandomNumberGeneratorBlock . 144 5.5 CryptoProcessorUsingMicroblaze . ...... 147 5.5.1 HashBlock................................. 147 5.5.2 EllipticCurveProcessorBlock. .... 150 5.5.3 CoordinateConversion . 150 5.6 ImplementingECCinSoftwareandCo-Design . ....... 153 5.6.1 DedicatedSoftwareResults . 154 5.6.2 InstructionSetExtensions . ... 155 5.7 ECDSADesign................................... 158 5.7.1 ECDSAResults............................... 160 5.8 ECDSAComparison ................................ 161 5.9 Conclusions..................................... 163 6 Conclusions 164 6.1 ContributionsofthisThesis. ...... 164 6.2 FutureResearchDirections . ..... 167 A Appendix - Elliptic Curve Cryptography 170 A.1 Double-and-AddAlgorithms . .... 170 A.2 EdwardsCurves................................... 173 A.3 Co-ZAlgorithms .................................. 175 A.4 Point Doubling Formulæ with Update in Homogeneous Coordinates.. 178 A.5 FullCoordinateRecovery. .... 180 A.6 PointDoublingandTriplingwithCo-ZUpdate . ........ 181 V A.7 FullPower,EnergyandTimingResults . ...... 182 B Appendix - Hash Functions 185 B.1 RoundTwoHashFunctionImplementationResults . ......... 185 B.2 RoundTwoHashFunctionResults . .... 187 B.3 RoundThreeFPGAPowerandTimingResults . ..... 193 VI List of Figures 1.1 Cost-Performance-Security Tradeoff . ......... 2 1.2 Hierarchical Model for Elliptic Curve Based Cryptography............ 4 2.1 PointOperationsonanEllipticCurve . ....... 18 2.2 MicroblazeProcessor. ... 32 2.3 SaseboGII ..................................... 34 2.4 MicroblazeDesignonXUPV5 . .. 35 2.5 SPAanalysisusingFPGA. .. 37 3.1 EllipticCurveProcessor . .... 53 3.2 ModularAdder-Subtracter . .... 54 3.3 ModularMultiplier ............................... .. 56 3.4 ClockCountforDedicatedDoublingandAddition . ......... 63 3.5 PowerWrapper ................................... 66 3.6 AveragePowerDissipation . .... 68 3.7 Area-TimeProduct ................................ 70 3.8 Area-EnergyProduct .. ........... ........... ...... .. 71 3.9 EstimatedDynamicVersusMeasuredResults . ........ 72 3.10 ClockCountforSPA Secure DoublingandAddition . ......... 84 3.11 AverageDynamicPower . .. 86 3.12 SPAResistantArea-TimeProduct . ...... 87 3.13 SPAResistantArea-EnergyProduct . ....... 87 VII 3.14 SPA Reistant Estimated Versus Measured Results . ........... 88 3.15 Area-Time Product: 192, 256 & 521 ........................ 90 4.1 GenericHashFunctionInternals . ...... 93 4.2 CubehashCompressionFunction. ..... 99 4.3 Shabal........................................ 100 4.4 BlakeArchitecture ............................... 103 4.5 GrøstlP/QPermutation . ... 104 4.6 JHArchitecture .................................. 105 4.7 Keccak f(1600) Architecture ............................ 107 4.8 SkeinArchitecture ............................... 108 4.9 HashWrapper.................................... 109 4.10PaddingBlock................................... 114 4.11 256-bitWrapperThroughput-Area . ....... 118 4.12 AveragePowerDissipationat25MHz . ...... 122 4.13 Area-EnergyProduct . ... 123 5.1 SecurityintheTCP/IPstack . .... 133 5.2 DigitalSignatureProcess . ..... 136 5.3 EllipticCurveDigitalSignatureAlgorithm. ........... 137 5.4 FortunaGenerator................................ 143 5.5 FortunaFlowDiagram . ........... ........... ....... 145 5.6 CryptographicProcessorusingMicroblaze . .......... 148 5.7 TimingDiagramforMicroblazeI/O . ..... 149 5.8 MicroblazewithHardwareMultiplier . ....... 156 5.9 MicroblazeSignaturePlatform . ...... 159 B.1 256-bitLong32-bitBusPaddingHardware . ....... 187 B.2 256-bitShort32-bitBusPaddingHardware . ........ 187 VIII B.3 512-bitLong32-bitBusPaddingHardware . ....... 188 B.4 512-bitShort32-bitBusPaddingHardware . ........ 188 B.5 256-bitLong32-bitBusPaddingSoftware