On Concurrent Detection of Errors in Polynomial Basis Multiplication

Transcription

1 1 On Concurrent Detection of Errors in Polynoial Basis Multiplication Siavash Bayat-Saradi and M. Anwar Hasan Abstract The detection of errors in arithetic operations is an iportant issue. This paper discusses the detection of ultiple-bit errors due to faults in bit-serial and bit-parallel polynoial basis (PB) ultipliers over binary extension fields. Our approach is based on ultiple parity bits. Experiental results presented here show that due to an increase in the nuber of parity bits, the area overhead tends to increase linearly, but the probability of error detection approaches unity fairly quickly, e.g., for 8 parity bits. In bit-serial ipleentation of a GF(2 163 ) PB ultiplier using 8 parity bits, the area overhead and the probability of error detection are 10.29% and 0.996, respectively. This is achieved without any increase in the coputation tie of the GF(2 163 ) PB ultiplier. Index Ters Polynoial basis ultiplication, concurrent error detection, finite fields. 1. INTRODUCTION Digital systes that require large nuber of circuits for their ipleentation can be ore prone to produce erroneous results siply because of the increase in the probability that one of the circuits ay becoe faulty while in use. As a result, for sensitive or critical applications large digital systes are generally designed with soe kind of echanis to provide correct functionality or to detect errors. In soe hardware based cryptosystes or their arithetic accelerators, a finite field ultiplier can be the ost silicon area occupying coponent [1], [2] and hence can be subject to hardware Siavash Bayat-Saradi and M. Anwar Hasan are with the Departent of Electrical and Coputer Engineering, and with the Center for Applied Cryptographic Research at University of Waterloo, Ontario, Canada

2 2 faults. Depending on the cryptosystes, errors due to such faults in the ultiplier can be detected at an upper level operation, e.g., in elliptic curve cryptography (ECC), if a point leaves the curve it can be easily detected by point verification [3], [4]. This is, however, not always possible. In the case of ECC, a fault ay ove a point to another point without leaving the curve and this has been exploited in the so-called sign change fault attack [5]. As a result, soe kind of echaniss for error detection in the finite field ultiplier can be quite iportant in cryptography as well as other critical applications where finite field ultipliers of various sizes are used, for exaple, in deep space channel coding [6] and VLSI testing [7]. One technique to detect errors in hardware ipleentation is on-line testing or concurrent error detection (CED). CED is used to concurrently test a syste while the syste is operating norally [8]. CED can test the circuit at full operating speed without stopping the syste or switching it to test ode. Accordingly, CED can detect transient faults, which ay not be detected in off-line testing, since they ay not occur in test ode (see [9], [10], [11], [12], [13], [14], [15], [16], [17] as CED exaples). This paper focuses on the detection of errors in extension field ultipliers. The coplexity of ultiplication is uch higher than the field s two basic operations naely addition and subtraction. Other coplex finite field arithetic operations such as inversion and exponentiation over binary extension fields can be prefored by repeated ultiplications [18], [19]. In [11], Fenn et al. presented a concurrent error detection schee for finite field ultipliers over binary extension fields. They used a parity bit for detecting errors in bit-serial ultipliers, using a nuber of bases for representation of fields, defined by an irreducible all-one polynoial. Thus, the schee is not generic in the sense that it cannot be used for other field defining polynoials. In [10], Chiou presented a concurrent error detection for two bit-parallel systolic ultipliers for extension fields which the field defining polynoials are irreducible all-one polynoials or irreducible equally spaced ones. In [14], [16], Reyhani-Masoleh and Hasan developed a generic parity based error detection schee for both bit-serial and bit-parallel polynoial basis ultipliers. The schee can detect any odd nuber of erroneous bits. In this schee, input parity is developed through the ultiplier, and predicted output parity is copared to actual output parity. In case of inequality of the parities, an error signal is given. This paper extends the work of [14], [16] by applying ultiple parity bits. The concept of ultiple parity is already known and used in soe other applications [20], [21], but this is the

3 3 first tie it is being used for the finite field ultiplication. Like [16], our work can be applied to any finite field GF(2 ). However, unlike [16], our work can detect all odd parity errors as well as ost of the even parity errors. Additionally, our work can detect at least ultiple-bit errors in the ultiplier. The ain contributions of this paper are suarized as follows: A ultiple parity schee that can detect ultiple-bit errors in both bit-serial and bit-parallel polynoial basis ultipliers over binary extension fields are presented. The error detection capability of the schee in the presence of ultiple-bit rando errors is also investigated. With our proposed frequency of check points, a axiu of one ultiple-bit error in each round of the bit-serial operation (or each row of the bit-parallel operation) can be detected. This iplies that in a GF(2 ) polynoial basis ultiplier, at least ultiple-bit errors can be detected. A nuber of experiental analyses are presented, including the siulation-based faultinjection evaluation of the schee and the analyses of the area and tie overheads. Our experiental results show that the area overhead tends to increase linearly as the nuber of parity bits increases but the probability of undetected errors decreases quite quickly. Furtherore, the area overhead for the bit-serial ipleentation is quite low, e.g., for 8 parity bits the area overhead is 10.29% and the error detection probability is The area overhead for a bit-parallel ipleentation of the ultiplier is greater than the corresponding bit-serial one, but it is still lower than the conventional dual odular redundant systes. The average tie overhead due to the use of the schee in bit-parallel ipleentations is 25%. For bit-serial ipleentations, tie overheads have been observed to be sall to negligible. The organization of the reainder of this paper is as follows. In Section 2, soe preliinaries about polynoial basis ultiplication are discussed. A concurrent error detection strategy is presented in Section 3. In Section 4, the error detection capability of the schee is investigated. Our experiental results for this schee are reported in Section 5. Finally, Section 6 gives a few concluding rearks.

4 4 2. PRELIMINARIES In this section, first polynoial basis ultiplication is briefly explained. Then three ain coponents for the construction of bit-serial and bit-parallel ultipliers are introduced. Let F(x) = f ix i be an irreducible polynoial over GF(2) of degree. Let α GF(2 ) be a root of F(x), i.e., F(α) = 0. Polynoial (or canonical) basis is defined as the following set: { 1,α,α 2,,α 1} Each eleent A of GF(2 ) can be represented using the polynoial basis (PB) as A = 1 a iα i = (a 0 a 1 a 1 ) where a i GF(2). The ultiplication of α and an arbitrary eleent A of GF(2 ) can be represented with respect to PB as: 1 αa = α a i α i od F(α) = a 1 f i=1 (a 1 f i + a i 1 )α i. Hereafter, the odule that receives A GF(2 ) as input and coputes αa is called α-mul odule. Let C be the product of two eleents A and B of GF(2 ). Then PB representation of C is as follows: 1 C = AB od F(α) = A b i α i od F(α) = 1 b i.a (i) = (b 1.A ( 1) + b 2.A ( 2) + (1) + b 1.A (1) + b 0.A (0) ). where A (0) = A and A (i) = αa (i 1). In (1),. is a scalar ultiplication, since b i GF(2) and A (i) GF(2 ), and + is a vector addition, since its two operands are the eleents of GF(2 ). Modules that perfor scalar ultiplication and vector addition are hereafter referred to as SM odule and VA odule, respectively. These two odules and the α-mul odule discussed earlier are the ain coponents of a PB ultiplier. In accordance with (1) and using

5 5 these three ain coponents, bit-serial and bit-parallel PB ultipliers can be constructed as shown in Fig. 1 (see [22] for a siilar ultiplier architecture). A b 0 SM D α-mul α-mul SM b 1 VA α-mul b 2 b i SM SM VA α-mul VA C α-mul SM b 1 VA C (a) Bit-serial (b) Bit-parallel Fig. 1. Polynoial-basis ultiplication 3. CONCURRENT ERROR DETECTION STRATEGY In this section, an error detection schee for PB ultipliers is presented. Errors ay be caused by different types of faults such as open faults, short (bridging) faults, and/or stuck-at faults. Furtherore, the faults can be transient or peranent. The goal of this schee is to detect as any rando errors as possible including single and ultiple errors. Towards this goal, we use a parity based ethod. One-bit parity is able to detect the presence of any odd nuber of erroneous bits [23]. Here, we use additional parity bits in order to increase error detection capability. In particular, an -bit input is divided into k parts and for each part one parity bit is used. Thus, the -bit PB representation of A GF(2 ) is divided as follows: A = (A 0,A 1,A 2,,A k 1 ). The length of A j, 0 j k 1, is + 1 if j < od k; k l j = otherwise. k

6 6 For the sake of siplicity, we assue that k and the length of each part is l =, i.e., k A j = α jk a jk+i α i = (a jk,a jk+1,a jk+2,,a jk+l 1 ). Parity of A j is denoted as P(A j ). Using parity bits of A j s, a k-bit parity of A is fored as follows: P(A) = (P(A 0 ),P(A 1 ),P(A 2 ),,P(A k 1 )). Then using the parity P(A), we construct encoded A as follows: E(A) = (A 0,A 1,A 2,,A k 1,P(A)). Unlike A which is represented with bits, the field defining irreducible polynoial F(x) requires + 1 bits. In order to have the sae length for partitioning, we exclude the leading coefficient of F(x) and divide F(x) x into k parts as follows: F(x) x = (F 0,F 1,,F k 1 ). The parity bit of F j, 0 j k 1, is denoted as P(F j ). One of the iportant issues in detecting errors in the output of a finite field ultiplier (or an arbitrary circuit, in general) is parity prediction. The latter refers to the task of deterining the parity of the expected outputs by using the corresponding inputs as well as the functionality of the circuit. As entioned in Section 2, a polynoial basis ultiplier consists of three odules: 1) α-mul odule 2) SM odule, and 3) VA odule. In the following, the parity prediction ethod for each of these odules will be discussed. A. Multiple Parity Prediction in α-mul Module In the following, the output parity of an α-mul odule is predicted. Let A = αa, i.e.,

7 7 A = a i α i+1 + α l a l+i α i α (k 1)l a (k 1)l+i α i+1 ( ) ) = 0 + a i 1 α i + α (a l l 1 + a l+i 1 α i + i=1 ) + α (a (k 1)l (k 1)l 1 + a (k 1)l+i 1 α i + a kl 1 α kl. A ust be reduced by F(α) = α + k 1 j=0 F j(α) as follows: i=1 i=1 A od F(α) = ( ) ) 0 + a i 1 α i + α (a l l 1 + a l+i 1 α i i=1 i=1 ) + + α (a (k 1)l (k 1)l 1 + a (k 1)l+i 1 α i ( k 1 ) + a 1 F j (α). j=0 Now, we group the expression and obtain A od F(α) = ( ) 0 + a i 1 α i + a 1 f i α i i=1 i=1 ) + α (a l l 1 + a l+i 1 α i + a 1 f l+i α i i=1 + + α (a (k 1)l (k 1)l 1 + a (k 1)l+i 1 α i +a 1 l 1 ) f (k 1)l+i α i. Thus, the j th part of A for 0 j k 1 can be derived as: ) A j = α (a jl jl 1 + a jl+i 1 α i + a 1 f jl+i α i i=1 i=1 (2)

8 8 where a 1 = 0. Fig. 2 shows a circuit diagra ipleenting A j. In practice, any coefficients of F(x) are zero and hence the corresponding XOR gates in Fig. 2 are not needed. By cascading k copies of the circuit shown in Fig. 2, an α-mul odule can be constructed as illustrated in Fig. 3. a jl 1 a jl a jl f jl a jl+1 a jl+i 1 f jl+1 a jl+i a (j+1)l 2 f jl+i a (j+1)l 1 a (j+1)l 1 f (j+1)l 1 a 1 Fig. 2. The j th part of the α-mul odule Let ω be the Haing weight of F(x). The total nuber of two-input XOR gates required in an α-mul odule is ω 2, since no XOR gate is needed for the first and the last coefficients of F(x). For parity prediction of the j th part of the α-mul odule, we have the following lea where A = αa and P Fj = l 1 f jl+i. Lea 1: Let P(A j ) and P(A j) be the parities of the input and the expected output of the j th part of the α-mul odule, respectively. Then, P(A j) = a jl 1 + P(A j ) + a (j+1)l 1 + a 1 P Fj. Proof: Using (2) the proof is iediate. Fig. 4 shows the parity prediction circuit of the j th part of the α-mul odule, where P(x) is predicted parity of x. The parity of the j th part of F(x) is P Fj and is assued to be known, since it can be pre-coputed. Thus, the corresponding AND gate is not really required. On the

9 9 0 a 0 a 0 Part 0 a l 1 a l 1 a l a l Part 1 a 2l 1 a 2l 1 a (k 1)l a (k 1)l Part k 1 a 1 a 1 a 1 Fig. 3. α-mul odule other hand, F(x) can be a trinoial or a pentanoial and usually it can be chosen so that the parities of all parts becoe zero, i.e., P Fj = 0 for 0 j k 1. In this case, the value of a k 1,l 1 is not iportant and one XOR gate is reoved. In the worst case the circuit of Fig. 4 can be ipleented with 3 two-input XOR gates. The total nuber of two-input XOR gates for the whole parity prediction circuit is 3k. a jl 1 a (j+1)l 1 P(A j ) P(A j ) a 1 P Fj Fig. 4. Parity prediction circuit of the j th part of the α-mul odule Hereafter, an α-mul odule together with its parity prediction circuit (PPC) is referred to as α-mul-p odule. It should be entioned that different partitioning of A and F can change the parity prediction circuit of the α-mul odule. Appendix I presents a partitioning of A and

10 10 F that reduces the nuber of XOR gates of each parity prediction circuit by two, i.e., parity prediction circuit can be constructed by only one XOR gate. B. Parity Prediction in Scalar Multiplication and Vector Addition Modules In this work, scalar ultiplication refers to ultiplication of an eleent of GF(2) by an eleent of GF(2 ) and vector addition refers to addition of two eleents of GF(2 ). For b i GF(2) and A GF(2 ) = (a 0,a 1,,a 1 ), scalar ultiplication of b i and A is b i.a = (b i a 0,b i a 1,,b i a 1 ). Thus, P(b i.a) = b i a 0 + b i a b i a 1 = b i (a 0 + a a 1 ) = b i P(A). (3) For A,B GF(2 ), vector addition of A and B is: Thus, A + B = 1 a i α i P(A + B) = (a i + b i ) = = P(A) + P(B). 1 b i α i = (a i + b i )α i. The circuit of the parity prediction, as defined in (3) and (4), are shown in Fig. 5 where they need k two-input AND gates and k two-input XOR gates, respectively. These circuits for parity bits are now included with the SM and the VA odules appropriately and the resulting new odules are hereafter referred to as SM-P and VA-P. 1 a i + 1 b i (4) C. Parity Checking Circuit In order to detect errors in the ultiple parity schee, the predicted parity bits should be copared with the corresponding actual parity bits. Actual parity bits are generated by parity generating circuit. Fig. 6 shows the parity generator and the parity checker. In Fig. 6, Z and Z can be considered as the expected and the actual outputs of one of the three odules discussed earlier. P(Z) and P( Z) are k-bit parities of Z and Z, respectively. The result of bit by bit coparison of P(Z) and P( Z) are ORed to signal any difference which indicates an error. The parity generator is constructed by XOR trees which contain l 1 two-input

11 11 P(A 0) 0 k P(A 1) 1 k P(A) P(b i.a) P(A k 1) b i k 1 P(A) P(B) k k k P(A + B) (a) (b) Fig. 5. PPC for a) SM odule and b) VA odule P(Z) k 1 l error Z l k P( Z) 1 1 Parity Coparator l Parity Generator Fig. 6. Multiple-bit parity checker XOR gates. Furtherore, k two-input XOR gates are required for coparison. Total nubers of two-input XOR and OR gates required for a parity checker are (= k(l 1) + k) and k 1, respectively. D. Polynoial Basis Multiplier with CED To construct a bit-serial and a bit-parallel ultiplier with concurrent error detection capability, we will use PPC ebedded odules α-mul-p, SM-P, and VA-P. Fig. 7 shows a bit-serial ultiplier with PPC. A and B are the inputs of the ultiplier. Register D is initialized with A and its k-bit parity P(A). A parity checker can be at each of the three locations: L1, L2 and L3. In the next section, the frequency of check points will be discussed.

12 12 + k D α-mul-p L1 + k b i SM P L2 + k + k L3 VA P C + k Fig. 7. Bit-serial polynoial basis ultipliers with parity prediction circuit Fig. 8 shows a bit-parallel ultiplier with PPC. In the bit-parallel ultiplier a parity checker can be placed after each odules. Thus, there can be as any as 3 2 error checkers for a bit-parallel ultiplier. 4. ERROR DETECTION CAPABILITY In this section, first the error odel is explained. Then the probability of error detection at the output of the circuit using the ultiple parity ethod is deterined. Finally, the frequency of the check points is discussed. A. Error Modelling The effect of a fault, such as a transient fault, in one location of the ultiplier circuit is odelled by XORing an error vector with the expected correct value of that location. The i th bit of the error vector of a location being one iplies that the i th bit of the value of the location has changed fro 0 to 1 or vice versa due to a fault. If the location is one of the ain coponents (α-mul-p, SM-P or VA-P), without loss of generality we can assue that the error vector should be XORed with the output of the coponent. It is worth entioning that the parity prediction circuits, parity generators and parity checkers should be fault free or at least self-checking [8]. Since in practice the nuber of parity bits, k, is uch less than the size of the

13 13 A, P(A) b 0 + k SM P + k row 1 α-mul-p + k SM P b 1 + k VA P row i α-mul-p b 2 + k SM P + k VA P row ( 1) α-mul-p + k SM P b 1 + k VA P + k C Fig. 8. Bit-parallel polynoial basis ultipliers with parity prediction circuit input operands of the ultiplier,, the self-checking technique is feasible. In this work, these circuits are assued to be fault free or self-checking. It will be shown in Section 5 that with a oderate nuber of parity bits the probability of error detection becoes quite close to unity. As an exaple, for = 163, with 8 parity bits, the error detection probability is approxiately Let e = (e 0,e 1,,e +k 1 ) be the representation of an error of a location in the ultiplier. The first bits of e correspond to errors in an eleent, say A GF(2 ) that is part of the value of that location. The reaining k bits of e correspond to errors in the k-bit parity vector P(A). Note that although we assue the parity prediction and the parity checking circuits to be fault free or self-checking, an error ay occur in the parity bits any where in the reainder of the ultiplier circuit such as the registers in the bit-serial ipleentation of the ultiplier or the wires through which the parity signals propagate. If one assues otherwise, i.e., the parity bits/signals are error free, then all registers and wires through which these signals travel have to be fault free, even though soe of these registers and wires are not part of the parity prediction and checking circuits. Since e is an ( + k)-tuple vector and the all-zero e = (0, 0,, 0) corresponds to no error, the nuber of possible errors is 2 +k 1. We logically divide e into k parts each of length

14 14 l + 1 = + 1 bits where the k jth part is (e jl,e jl+1,,e jl+l 1,e +j ). In the following, we investigate which kind of errors cannot be detected by the k-bit parity schee. B. Probability of Error Detection Let e O be an odd parity error, i.e., the nuber of 1 s in e O is odd. Then the parity of at least one of the k partitions is odd. Therefore, e O can be detected by the proposed CED ethod and the probability of undetected error is Pr U (e O ) = 0. Let e E be a nonzero even parity error. Since k <, there is at least one error, e E, such that all of its partitions have even parity. Then the error cannot be detected. Accordingly, Pr U (e E ) 0. Theore 1: Let k be the nuber of parity bits of the schee. Suppose p is the probability that e i = 1 for 0 i + k 1. The probability of error detection is given as follows: [ ((1 ) 2p) k +1 k ] + 1 Pr D (e) = 1 (1 p) +k. (5) 2 Proof: Pr D = 1 Pr U where Pr U is the probability of undetected errors. As it is entioned, all nonzero errors with even parity in their partitions are undetectable. Thus, considering error vectors are ( + k)-bit long and each of the has k partitions, first we need to copute the probability of an ( + 1)-bit nuber with even parity. k Let E i and O i be the probabilities that an i-bit nuber has even parity and odd parity, respectively. Thus, E i = 1 O i. Moreover, let q be the probability that a bit of the error vector is zero, i.e., q = 1 p. We proceed in a recursive anner. E i+1 = qe i + po i = (1 p)e i + p(1 E i ) = (1 2p)E i + p.

15 15 Let 1 2p = A and p = B. We deterine E i for soe i to find a closed forula: E 0 = 1 E 1 = q E 2 = Aq + B E 3 = A 2 q + AB + B E 4 = A 3 q + A 2 B + AB + B. E i = A i 1 q + A i 2 B + + AB + B ( ) A = A i 1 i 1 1 q + B. A 1 Now, we write the expression only in ters of p: E i = (1 2p) i 1 (1 p) + p ( ) (1 2p) i 1 1 (1 2p) 1 = (1 2p) i 1 (1 p) (1 2p)i = (1 2p) i 1 (1 p 1/2) + 1/2 = (1 2p)i The probability that an ( k + 1) -bit partition of the error vector has even parity is E i= k +1. Moreover, the partitions are independent. Thus, the probability of having a vector with even parity in each of its partitions is ( E i= k +1 ) k or ( ) (1 2p) k +1 k However, the zero vector should be excluded and hence, ( ) (1 2p) k +1 k + 1 Pr U = (1 p) +k. 2 As a result, [ ((1 ) 2p) k +1 k ] + 1 Pr D = 1 (1 p) +k. 2

16 16 As entioned, p is the probability of an error vector bit being one. A reduction of p increases the probability of having an all-zero error vector. This reduction eans a reduction in the probability of (nonzero) errors, which in turn eans a reduction in the probability of undetectable errors. Thus, with a reduction in p, the probability of error detection increases. As it can be deterined fro Equation (5), as the nuber of parity bits increases, the probability of error detection quickly approaches unity so that it reaches for 8 parity bits. C. Frequency of the Check Points Suppose that there are several ultiple-bit errors in a location of the circuit of a PB ultiplier. For having an error detection capability Pr D as given in Theore 1, each of the above entioned locations in Section 3-D should have a parity checker. This causes a very high area overhead especially for bit-parallel ultipliers. The following lea helps us reduce the nuber of checkers considerably. Lea 2: Suppose only a axiu of one ultiple-bit error occurs per round of a bit-serial ultiplier or per row of a bit-parallel ultiplier (see Fig. 7 and Fig. 8). Then any such error can be detected with the probability Pr D, given in Section 4-B, using a parity checker at L3 of the bit-serial ultiplier or a parity checker before the vertical input of every VA-P and one parity checker after the final VA-P in the bit-parallel ultiplier. Proof: It should be verified if a detectable error vector can be changed to an undetectable one after passing through a ain coponent and before reaching one of the check points. If a detectable error vector passes through an α-mul-p odule, it can be changed to an undetectable one. However, the check points are located so that any error vector can reach one of the check points without passing through any α-mul-p odule. Therefore, one of the following cases should be considered: 1) a detectable error vector passes through an SM-P odule or 2) a detectable error vector passes through a VA-P odule or 3) both. In the first case, if b i = 0 then regardless of the other input value, the value of the output vector and parity are zero. This is a correct result and there is no error anyore. If b i = 1 then the input and the output of the SM-P odule are equal. Hence, the error vector passes SM-P without any change.

17 17 In the second case, if only one of the two inputs of VA-P odule has erroneous bits, the error vector can pass the VA-P odule without any change. Since a axiu of one ultiple-bit error is allowed in a round of a bit-serial ultiplier or in a row of a bit-parallel ultiplier, only one of the inputs of VA-P can be erroneous. In the third case, the error ust occur before an SM-P odule but after the α-mul-p odule (in the corresponding row of a bit-parallel ultiplier). Therefore, according to case 1 and case 2, it passes SM-P and VA-P odules and reaches the parity checker. 5. RESULTS Iportant perforance easures for an error detection schee include error detection capability, area and tie overheads. In this section the results of our studies on these easures are presented. The results can guide the choice of a proper nuber of parity bits for design requireents. A. Siulation-Based Fault Injection We have injected stuck-at faults to a GF(2 163 ) PB ultiplier with k = 8 to evaluate the error detection capability of the proposed schee. The fault injection was perfored in a C odel of the ultiplier. Furtherore, the fault injection was at the gate-level, i.e., stuck-at faults (both stuck-at 1 and stuck-at 0) were injected at the input and output pins of the gates of the ultiplier. In the proposed schee, a checker is placed at the end of a round of a bit-serial ultiplier (or at the end of the row of a bit-parallel one). Moreover, the schee can detect an error if the error can be detected in one round of a bit-serial ultiplier (or a row of a bit-parallel one). Fault injection in a coplete ultiplier of GF(2 163 ) is extreely tie consuing. In order to reduce the tie for copleting experients, faults were injected in only one round of a bit-serial ultiplier (and a row of a bit-parallel one). In the following, two phases of our fault injections are presented. 1) Single-Bit Stuck-at Faults: In this experient, single-bit stuck-at faults were injected at the input or output pins of gates. As shown in Figure 9, to inject a fault at a point, a ultiplexer is placed at that point, where the control signal of the ultiplexer selects between the original value of that point and the fault. Also the fault can be chosen to be stuck-at 1 or stuck-at 0.

18 18 original pin value stuck-at 1/0 fault faulty/not faulty pin value fault injection select Fig. 9. Fault injection at a gate pin In a GF(2 ) PB ultiplier, there are ω 2 two-input XOR gates, two-input AND gates, and two-input XOR gates in the α-mul, SM and VA odules, respectively, where ω is the Haing weight of the field defining polynoial. Single-bit stuck-at faults are injected at all input and output pins except the output pins of AND gates of SM odule because they are direct inputs of the VA odule s XOR gates. Therefore, the nuber of locations for single-bit stuck-at fault injections at a round of a bit-serial (or a row of a bit-parallel) ultiplier is 3(ω 2) + 5. Additionally, for each input or output gate pin, two single-bit faults can be injected. Hence, the nuber of single-bit stuck-at faults that should be injected at a round of a bit-serial (or a row of a bit-parallel) ultiplier is 6(ω 2) In this experient, we siulated the ultiplier for one illion rando inputs and for every input, all the above entioned single-bit stuck-at faults were injected. As shown in Table I all faults were detected. Type of stuck-at faults No. of stuck-at faults 1 No. of rando inputs Error detection capability Single-bit % Multiple-bit % 1 in one round of a bit-serial (or one row of a bit-parallel) ultiplier TABLE I ERROR DETECTION CAPABILITY OF THE SCHEME FOR A GF(2 163 ) PB MULTIPLIER AGAINST STUCK-AT FAULTS 2) Multiple-Bit Stuck-at Faults: For ultiple-bit stuck-at fault injection, the location of the above entioned single-bit faults were randoly selected and a stuck-at 0 or stuck-at 1 was

19 19 randoly injected there. Furtherore, siulations were perfored for one illion rando inputs and for every input, 500 rando ultiple-bit stuck-at faults were injected. It is worth entioning that for a GF(2 163 ) ultiplier experient, there are 824 single-bit stuck-at fault locations. Therefore, the nuber of accesses to those locations, whether or not any fault is injected, is ( =) 412 billions, iplying that the experient is very tie consuing. As shown in Table I, the error detection capability of the schee for ultiple-bit stuck-at fault injections is 99.61%. B. Tie and Area Overheads We have described the ultiple-bit parity schee by VHDL to obtain a realistic approxiation of area and tie overheads. In order to reduce the nuber of XOR gates in the ultiplier, field defining polynoial F(x) can be chosen to be a trinoial or a pentanoial such that the parity of F(x) in each partition is zero, i.e., P Fj = 0. In Section I-B, the coplexity of the parity prediction circuit for NIST recoended irreducible polynoials for ECDSA is discussed. We used Modelsi (TM) to siulate the design for checking its correct functionality. We ipleented the ultiple parity schee on a Xilinx Spartan 3 (XC3S5000) FPGA using Xilinx ISE 7.1i. 1) Bit-Serial PB Multiplication: The circuit of a coplete bit-serial ultiplier with CED is shown in Fig. 10. The circuit consists of two ajor blocks: 1) PB ultiplier with PPC and 2) checker. The parity generator of the checker is used at the initialization phase to generate the parity of input A. Note that no extra clock cycle is needed for the circuit shown in Fig. 10 when copared to a bit-serial PB ultiplier without CED. Fro the first experient, we obtained the area overhead percentage of the schee for ultipliers of different field sizes. The nuber of parity bits for this experient was chosen to be 8 bits since the probability of error detection was within acceptable range for our experient ( 0.996). Furtherore, the defining polynoial of the fields used in the experient included the NIST recoended irreducible polynoials for ECDSA. Fig. 11 shows the result of the experient. As shown in the figure, the area overhead for a fixed nuber of parity bits tends to decrease as the size of the field increases. The area overhead does not decrease in a strictly onotonic way because the FPGA copiler used in the experient optiizes the ultiplier for different

20 20 A + k k 1 0 select + k D α-mul-p + k b i SM P select + k + k VA P + k + k 1 0 parity k generator k k-bit coparator error C PB ul with CED Checker Fig. 10. A coplete bit-serial ultiplier with CED field sizes differently. The worst area overhead percentage aong the fields ipleented is for GF(2 201 ) and is still reasonably low, i.e., < 12%. In the second experient, we ipleented the schee for = 163 and = 283 using the NIST recoended field defining polynoials for ECDSA F(x) = x x 7 + x 6 + x and F(x) = x x 12 + x 7 + x 5 + 1, respectively. Both of these polynoials are quite suitable for ipleentation because the parity prediction circuits of the schee would be in the siplest for since, in a k-bit parity schee, we have: {P(F i ) = 0 0 i k 1 and 2 k 20}. As shown in Fig. 12, area overhead cost increases as the nuber of parity bits increases. For all points in each graph depicted in the figure, a line is fitted as follows: for GF(2 163 ) : overhead (%) = 0.50 (# of parity bits) , for GF(2 283 ) : overhead (%) = 0.30 (# of parity bits) (6) As expected according to the first experient, the slope of the fitted line for GF(2 163 ) is ore than that for GF(2 283 ), i.e., the area overhead increase rate vs. parity-bit nubers in GF(2 283 )

21 Area Overhead (%) Field Size Fig. 11. Area (i.e., slice) overhead for bit-serial PB ultipliers for different size of fields is lower. Furtherore, based on the experiental results, area overhead tends to increase linearly except for very sall nubers of parity bits. Note that Equation (6) iplies that even if one parity is used for each inforation bit, circuit overhead is not expected to be ore than 100%, which is the overhead for the conventional dual odular redundant (DMR) schee. In the second experient, we also investigated the tie overhead of the GF(2 163 ) and GF(2 283 ) PB ultipliers for different nubers of parity bits. Since there is no extra clock cycle, the tie overhead is equal to the clock period overhead. We obtain the clock periods fro the post place and route static tiing report of Xilinx ISE. Except for four cases, there was no clock period overhead and in turn no tie overhead for the bit-serial ipleentation of the ultipliers. These four cases belong to the GF(2 163 ) PB ultiplier shown in Table II. According to the table, the tie overheads even for these cases are sall. 2) Bit-Parallel PB Multiplication: A circuit diagra of a coplete bit-parallel polynoial basis ultiplier with CED is depicted in Fig. 13. The parity checker is very siilar to that presented in Fig. 10. As shown in Fig. 13, once the inputs A and B are updated, the results of the ultiplication and error detection are ready after certain aount of delay due to the propagation of various signals through the circuit where no clocking is used.

22 Area Overhead (%) Slice Overhead Linear Fit of Slice Overhead Area Overhead (%) 5 0 Slice Overhead Linear Fit of Slice Overhead Nuber of Parity Bits Nuber of Parity Bits (a) GF(2 163 ) (b) GF(2 283 ) Fig. 12. Area overhead vs. parity-bit nuber No. of parity bits Tie overhead (%) TABLE II NON ZERO TIME OVERHEADS FOR BIT-SERIAL IMPLEMENTATION WHICH BELONG TO THE GF(2 163 ) PB MULTIPLIER For bit-parallel ultiplier, the first experient was to easure the area overhead percentage of the eight parity-bit schee for ultipliers of different field sizes. The results show that the area overhead decreases as the field size increases (Fig. 14). There is a ajor difference between the structure of bit-serial and bit-parallel PB ultipliers and this affects the area overhead considerably. A bit-serial PB ultiplier contains siple and shift registers, but a bit-parallel ultiplier does not. Basically, registers are relatively area consuing coponents in FPGAs. Therefore, assuing that one wants to ipleent a PB ultiplier for a field of size, the area (in ters of slices) needed for a bit-parallel PB ultiplier without CED is significantly saller than ties the area needed for a bit-serial ultiplier. Accordingly, CED overhead on a bit-parallel PB ultiplier is uch higher than that on a bit-serial one. This fact can be observed easily in the experients reported in this section.

23 23 A parity generator k P(A) b 0 + k α-mul-p + k SM P SM P b 1 + k + k VA P parity checker 1 α-mul-p b 2 parity checker 1 + k SM P + k VA P 1 error α-mul-p parity checker α-mul-p b k SM P + k VA P parity checker PB ul with CED C Checker Fig. 13. A coplete bit-parallel ultiplier with CED The second experient was to investigate the area and tie overheads increase rates vs. the nuber of parity bits for the field GF(2 163 ) (see Fig. 15). The field defining polynoial is F(x) = x 163 +x 7 +x 6 +x According to Table III, the bit-parallel ipleentation is very area consuing; therefore, siilar experients for the field GF(2 283 ) are extreely tie consuing and clearly that design does not fit into our current FPGA. However, the area overhead results for higher values of are expected to be better than the result of this experient as one can infer fro Fig. 14, where the nuber of parity bits is fixed to eight. Fig. 15 illustrates that as the nuber of parity bits increases, the area overhead for a bitparallel ipleentation increases at a greater rate copared to the bit-serial ipleentation. However, the area overhead ay be still acceptable for soe applications. This is because for obtaining a sufficiently high probability of error detection (say 0.996), one needs only about 8 parity bits in the proposed schee and it results in about 50% area overhead, which is better than 100% overhead of the DMR schee. In the bit-parallel ipleentation, the tie overhead is the delay of the critical path, i.e., the

24 Area Overhead (%) Field Size Fig. 14. Area (i.e., slice) overhead for bit-parallel PB ultipliers for different size of fields No. of parity bits Without CED Nuber of required Slices FPGA area consuption (%) The total nuber of slices in a Xilinx Spartan 3 (XC3S5000) FPGA is TABLE III FPGA AREA CONSUMPTION FOR A BIT-PARALLEL GF(2 163 ) PB MULTIPLIER axiu propagation delay fro one of the input pins to one of the output pins. We obtain the delay of all input pins to output pins fro the post place and route static tiing report of Xilinx ISE. The tie overhead for the bit-parallel ipleentation of a GF(2 163 ) PB ultiplier vs. nuber of parity bits is given in Fig 16, which shows that the tie overhead is generally less than 25% when ore than a couple of parity bits are used. 6. CONCLUSIONS In this paper, a ultiple parity error detection schee is presented for concurrent detection of errors in polynoial basis ultipliers. In this schee, the probability of error detection for

25 25 overhead = 2.87 x (# of parity bits) Area Overhead (%) Slice Overhead Linear Fit of Slice Overhead Nuber of Parity Bits Fig. 15. Area overhead vs. parity-bit nuber for the field GF(2 163 ) rando errors is ore than 75% and it quickly approaches unity for approxiately 8 parity bits. The overhead of our ipleentation tends to increase linearly as the nuber of parity bits increases. Results show that the area overhead cost of the bit-serial ipleentation is lower than that for the bit-parallel one. Both ipleentations have lower area overheads than the traditional dual odular redundant schee for a sufficient nuber of parity bits. Additionally, the average tie overhead due to the use of the schee in bit-parallel ipleentations is around 25%, while for bit-serial ipleentations tie overheads have been observed to be sall to negligible. It is hoped that using the results presented in this paper, one will be able to choose an appropriate nuber of parity bits for specific applications. APPENDIX I ALTERNATIVE PARTITIONING In this section another partitioning of A and F is presented. The new partitioning reduces the overhead of the parity prediction circuit of the α-mul odule. As entioned A = 1 a iα i is partitioned into k parts. As before, we assue that is

26 Tie Overhead (%) Nuber of Parity Bits Fig. 16. Tie overhead vs. parity-bit nuber for the field GF(2 163 ) divisible by k and l = /k. The alternative (vertical) partitioning is illustrated below: a 0, a 1, a 2,, a k 1, a k, a k+1, a k+2,, a 2k 1,.,,...,,., a (l 1)k, a (l 1)k+1, a (l 1)k+2,, a lk 1 }{{} }{{} }{{} }{{} A 0 A 1 A 2 A k 1 For 0 j k 1, the j th partition is: A j = a ik+j α ik+j = (a j,a k+j,a 2k+j,,a (l 1)k+j ).

27 27 A. Structure of α-mul Module where a 1 = 0. A =αa od F(α) k 1 = a ik+j α ik+j+1 od F(α) = j=0 k a ik+j 1 α ik+j od F(α) j=1 k 1 l 2 = a ik+j 1 α ik+j + a k(i+1) 1 α k(i+1) j=1 + (a 1 α od F(α)) j=1 k 1 1 = a ik+j 1 α ik+j + a ki 1 α ki + a 1 f i α i i=1 k 1 = (a ik+j 1 + a 1 f ik+j )α ik+j j=1 + (a ki 1 + a 1 f ki )α ki k 1 = (a ik+j 1 + a 1 f ik+j )α ik+j j=0 Fig. 17 shows the j th part of the α-mul odule. The coplete α-mul odule is shown in Fig. 18. The nuber of gates is exactly the sae as for the previous α-mul odule entioned in Section 3-A, as only the position of the coordinates is changed. The following lea discusses parity prediction in the j th part of the α-mul odule. Lea 3: Let P(A j ) and P(A j) be the input and the expected output parities of the j th part of the α-mul odule, respectively and P Fj = l 1 f ik+j. Then, P(A P(A j 1 ) + a 1 P Fj if 1 j k 1, j) = P(A k 1 ) + a 1 (P F0 + 1) if j = 0. Proof: According to (7), we have: A j = (a ik+j 1 + a 1 f ik+j ) α ik+j. (7)

28 28 a j 1 a j f j a k+j 1 a k+j f k+j a ik+j 1 a ik+j f ik+j a (l 1)k+j 1 a (l 1)k+j f (l 1)k+j a 1 Fig. 17. The j th part of the α-mul odule Therefore, for 1 j k 1, we have: P(A j) = P + P For j = 0, we have: ( l 1 ( l 1 ) a ik+j 1 α ik+j ) a 1 f ik+j α ik+j = P(A j 1 ) + a 1 P Fj. P(A 0) = P ( l 1 ) a ik 1 α ik + P ( l 1 = (P(A k 1 ) + a 1 ) + a 1 P F0 = P(A k 1 ) + a 1 (P F0 + 1). ) a 1 f ik α ik P Fj s can be pre-coputed. Therefore, the axiu nuber of gates required for the parity prediction circuit of each part of the α-mul odule is one XOR gate. No XOR gate is needed for the parity prediction circuit of a part of the α-mul odule when P F0 = 1 or P Fj = 0 for 0 < j < k. Furtherore, the probability of error detection can be coputed by Theore 1, since the conditions are the sae.

29 29 0 a 0 Part 0 a 0 a 1 a k 1 a k Part 1 a (l 1)k 1 a (l 1)k a (l 1)k a (l 1)k+1 a 2 Part k 1 a 1 a 1 Fig. 18. α-mul odule Irreducible polynoials No. of nonzero-parity partitions No. of 2-input XOR gates for PPC of α-mul-p Horizontal partitioning Vertical partitioning Horizontal partitioning Vertical partitioning F(x) = x x 7 + x 6 + x F(x) = x x F(x) = x x 12 + x 7 + x F(x) = x x F(x) = x x 10 + x 5 + x TABLE IV XOR COUNTS FOR PPC OF AN α-mul MODULE FOR NIST RECOMMENDED IRREDUCIBLE POLYNOMIALS FOR ECDSA APPLICATION B. Coparison of α-mul-p Modules According to Section 5-A, the schee with eight partitions results in a fairly high probability of error detection for values of that are of interest for elliptic curve cryptosystes. Therefore, we have divided each of corresponding NIST recoended irreducible polynoials into eight partitions using our horizontal and vertical partitioning ethods. Table IV gives the nuber of partitions with nonzero parity and the nuber of required two-input XOR gates for PPC of the

30 30 α-mul odule along with the NIST recoended irreducible polynoials. As it can be seen in Table IV, the α-mul-p odule is relatively area efficient in the vertical paritioning than the horizontal partitioning. However, the α-mul-p odule is uch less resource consuing than any of the SM-P and VA-P odules. Therefore, the overheads resulting fro the vertical partitioning are expected to be very siilar to those presented in Section 5 for horizontal partitioning. ACKNOWLEDGMENTS A preliinary version of this paper was presented at the 20th IEEE International Syposiu on Defect and fault Tolerance in VLSI Systes [24]. The work was supported in part by an NSERC Strategic Project-grant awarded to Dr. Hasan. The authors also would like to thank Dr. Miguel F. Anjos for letting us run part of our siulations on his coputer. REFERENCES [1] D. A. McGrew and J. Viega, The Galois/Counter ode of operation (GCM). NIST Modes of Operation for Syetric Key Block Ciphers, 2005, [2] T. Elgaal, A public key cryptosyste and a signature schee based on discrete logariths, IEEE Transactions on Inforation Theory, vol. 31, no. 4, pp , July [3] I. Biehl, B. Meyer, and V. Muller, Differential fault attacks on elliptic curve cryptosystes, in Proceedings of the 20th Annual International Cryptology Conference (CRYPTO). Springer-Verlag, 2000, pp [4] M. Ciet and M. Joye, Elliptic curve cryptosystes in the presence of peranent and transient faults. Designs, Codes and Cryptography, vol. 36, no. 1, pp , July [5] J. Bloer, M. Otto, and J.-P. Seifert, Sign change fault attacks on elliptic curve cryptosystes. Cryptology eprint archive, Report 2004/227, 2004, [6] S. B. Wicker and V. K. Bhargava, Eds., Reed-Soloon Codes and Their Applications. New York, NY, USA: John Wiley & Sons, Inc., [7] D. Pradhan and M. Chatterjee, Glfsr-a new test pattern generator for built-in-self-test, in Proceedings of the International Test Conference, 1994, pp [8] T. Rao and E. Fujiwara, Error-Control Coding for Coputer Systes., E. J. McCluske, Ed. Prentice Hall, Inc., [9] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, and V. Piuri, Error analysis and detection procedures for a hardware ipleentation of the advanced encryption standard. IEEE Transactions on Coputers, vol. 52, no. 4, pp. 1 14, April [10] C. W. Chiou, Concurrent error detection in array ultipliers for GF(2 ) fields. Electronics Letters, vol. 38, no. 14, pp , July [11] S. Fenn, M. Gossel, M. Benaissa, and D. Taylor, Online error detection for bit-serial ultipliers in GF(2 ). Journal of Electronics Testing: Theory and Applications, vol. 13, pp , 1998.

31 31 [12] N. Joshi, K. Wu, and R. Karri, Concurrent error detection for involutional functions with applications in fault-tolerant cryptographic hardware design. IEEE Transactions on Coputer-Aided Design of Integrated Circuits and Systes, vol. 25, no. 6, pp , June [13] R. Karri, K. Wu, P. Mishra, and Y. Ki, Concurrent error detection schees for fault-based side-channel cryptanalysis of syetric block ciphers. IEEE Transactions on Coputer-Aided Design of Integrated Circuits and Systes, vol. 21, no. 12, pp , Deceber [14] A. Reyhani-Masoleh and M. A. Hasan, Error detection in polynoial basis ultipliers over binary extension fields. in Proceedings of the 4th International Workshop on Cryptographic Hardware and Ebedded Systes (CHES). Springer- Verlag, 2002, pp [15], Towards fault-tolerant cryptographic coputations over finite fields. ACM Transactions on Ebedded Coputing Systes, vol. 3, no. 3, pp , August [16], Fault detection architectures for field ultiplication using polynoial bases. IEEE Transactions on Coputers- Special Issue on Fault Diagnosis and Tolerance in Cryptography, vol. 55, no. 9, pp , Septeber [17] K. Wu, R. Karri, G. Kuznetsov, and M. Goessel, Parity based concurrent error detection for the advanced encryption standard. in Proceedings of the IEEE International Test Conference (ITC), October [18] G. B. Agnew, T. Beth, R. Mullin, and S. Vanstone, Arithetic operations in GF(2 ). Journal of Cryptography, vol. 6, no. 1, pp. 3 13, [19] H. Wu and M. Hasan, Efficient exponentiation of a priitive root in GF(2 ). IEEE Transactions on Coputers, vol. 46, no. 2, pp , February [20] E. Fujiwara, N. Mutoh, and K. Matsuoka, A self-testing group-parity prediction checker and its use for built-in testing. IEEE Transactions on Coputers, vol. C-33, no. 6, pp , June [21] E. S. Sogoonian, Design of built-in self-checking onitoring circuits for cobinational devices. Autoation and Reote Control, vol. 35, no. 2, pp , July [22] L. Song and K. Parhi, Low energy digit-serial/parallel finite field ultipliers. Journal of VLSI Signal Processing, vol. 19, no. 2, pp , [23] S. Lin and D. J. Costello, Jr., Error Control Coding: Fundaentals and Applications., F. F. Kuo, Ed. Prentice Hall, Inc., [24] S. Bayat-Saradi and M. A. Hasan, Concurrent error detection of polynoial basis ultiplication over extension fields using a ultiple-bit parity schee, in Proceedings of the 20th IEEE International Syposiu on Defect and fault Tolerance in VLSI Systes (DFT), Monterey, CA, 2005, pp