A Scalable ECC Processor for High-Speed and Light-Weight Implementations with Side-Channel Countermeasures

Transcription

1 A Scalable ECC Processor for High-Speed and Light-Weight s ith Side-Channel Countermeasures Ahmad Salman, Ahmed Ferozpuri, Ekaat Homsirikamol, Panasayya Yalla, Jens-Peter Kaps, and Kris Gaj Cryptographic Engineering Research Group (CERG) Department of ECE, Volgenau School of Engineering, George Mason University, Fairfax, VA, USA Department of Integrated Science and Technology, James Madison University, Harrisonburg, VA, USA ReConFig-27 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight / 52

2 Outline Introduction Introduction ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 2 / 52

3 Introduction NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Advantages of ECC: Short key lengths, ciphertexts and signatures smaller storage Fast key generation Fast digital signatures High-Speed: lo latency and latency delay Lighteight: Moderate latency delay ith minimal resource usage (area as ell as poer). Min. of Symm. RSA ECC Strength Alg len(p) 8 2TDEA, TDEA 2, AES-28 3, AES-92 7, AES-256 5,36 52 [] NIST SP 8-57, Pt., Rev.4, Recommendation for Key Management: General, Jan 26. [2] NIST FIPS PUB 86-4, Digital Signature Standard (DSS), Jul 23. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 3 / 52

4 Elliptic Curves Introduction NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Elliptic curves built over m K = GF(2 ) Normal basis representation K = GF(p) Polynomial basis representation Elliptic Curve over GF (p) is the set of all pairs (x, y) GF (p) hich fulfill y 2 x 3 + a x + b mod p here a, b GF (p) and 4 a b 2 mod p + a special point called the point at infinity O K=GF (p): Arithmetic operations present in many libraries K=GF (2 m ): Fast in hardare Compact in hardare ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 4 / 52

5 NIST Curves Introduction NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication GF (p) denotes a prime field ith p elements here p is prime. GF (2 m ) denotes a binary field ith 2 m elements for some m (called degree of the field) Recent improvements in attacking discrete logarithms over small-characteristic fields raised security concerns about binary curves (applies only to pairings for the time being). NIST special curves are those hose coefficients and underlying field have been selected to optimize the efficiency of the elliptic curve operations. NIST special primes are of a special type (called generalized Mersenne numbers) for hich modular multiplication can be carried out more efficiently than in general. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 5 / 52

6 ECC Operations Introduction NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Cryptographic Protocols ECC Operations Scalar Multiplication Point Addition Point Doubling Affine to Projective & Projective to Affine GF Operations Inversion Division Addition Multiplication Squaring Interchangeable ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 6 / 52

7 Scalar multiplication Introduction NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Fast and efficient in calculating the scalar multiplication. Does not require a lot of memory. Subject to side-channel attacks. Simple Poer Analysis (SPA) Differential Poer Analysis (DPA) Double-and-Add k P Require: Prime p E(F q ), P = (x, y), here x, y GF (p), k Z, < k < #E, k = (k l, k l 2,..., k ) 2, and k l = Ensure: Q = (x, y ) Q = P for i = l 2 donto do Q = 2Q if k i = then Q = Q + P return Q ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 7 / 52

8 Side Channel Analysis (SCA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Plain Text Cryptographic Device Secret Key Cipher Text ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 8 / 52

9 Side Channel Analysis (SCA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication EM Radiation Side Channels Timing Poer Consumption Plain Text Cryptographic Device Secret Key Cipher Text ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 8 / 52

10 Side Channel Analysis (SCA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Danger: s are susceptible to Side Channel Analysis (SCA). Key space 256-bit, =.2 77 keys EM Radiation Side Channels Timing Poer Consumption Atoms in Universe (ikipedia) SCA allos to attack 8-bit at a time SCA complexity = 892 Plain Text Cryptographic Device Secret Key Cipher Text ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 8 / 52

11 Side Channel Analysis (SCA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Danger: s are susceptible to Side Channel Analysis (SCA). Key space 256-bit, =.2 77 keys EM Radiation Side Channels Timing Poer Consumption Atoms in Universe (ikipedia) SCA allos to attack 8-bit at a time SCA complexity = 892 Plain Text Cryptographic Device Secret Key Cipher Text Danger These are passive, non invasive attacks. They are difficult to detect. The measurement setup is not very expensive ($2 $2,). Applies to Softare as ell as Hardare implementations. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 8 / 52

12 Simple Poer Analysis (SPA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Involves direct interpretation of poer traces.(one or More Traces) Hamming eight of certain byte of the key, Number of rounds in the Algorithm(resp to Key Length) Memory accesses have higher poer consumption, repetitive patterns Cons: Attacker needs to have detailed information about the algorithm. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 9 / 52

13 Differential Poer Analysis (DPA) NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Kocher et al. proposed poer analysis attack in 999. Vcc DPA exploits the data dependency beteen poer consumption of cryptographic device and secret. Detailed knoledge about the attacked device is not required. A GND A C Load DPA in a Nutshell Choose intermediate result, should be function of data & key. 2 Measure the poer consumption. 3 Calculate the hypothetical values and build a poer model. 4 Compare hypothetical poer model ith poer consumption. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight / 52

14 Differential Poer Analysis (DPA) Kocher et al. proposed poer analysis attack in 999. DPA exploits the data dependency beteen poer consumption of cryptographic device and secret. Detailed knoledge about the attacked device is not required. DPA in a Nutshell NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication A Vcc GND A C Load Choose intermediate result, should be function of data & key. 2 Measure the poer consumption. 3 Calculate the hypothetical values and build a poer model. 4 Compare hypothetical poer model ith poer consumption. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight / 52

15 Differential Poer Analysis (DPA) Kocher et al. proposed poer analysis attack in 999. DPA exploits the data dependency beteen poer consumption of cryptographic device and secret. Detailed knoledge about the attacked device is not required. DPA in a Nutshell NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication A Vcc GND A C Load Choose intermediate result, should be function of data & key. 2 Measure the poer consumption. 3 Calculate the hypothetical values and build a poer model. 4 Compare hypothetical poer model ith poer consumption. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight / 52

16 Safe Scalar multiplication NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Montgomery Ladder protects against SPA and safe-error attacks. Requires more computations to calculate the scalar multiplication. Coron s Randomization of the Private Exponent method protects against DPA. Calculate Q = k P instead of Q = kp here k = k + d #E. Montgomery Ladder k P Require: Prime p E(F q ), P = (x, y), here x, y GF (p) k Z, < k < #E, k = (k l, k l 2,..., k ) 2, k l = Ensure: Q = (x, y ) Q = P P = 2Q for i = l 2 donto do if k i = then Q = Q + P P = 2P else P = P + Q Q = 2Q return Q ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight / 52

17 Projective coordinates NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Point Addition Point Doubling Coordinates #Muls #Adds #Invs #Muls #Adds #Invs A + A =A P + A =A 3 7 N/A P + P =P MJ+MJ =MJ A Affine; P Projective; MJ Modified Jacobian Affine: Requires time consuming inverse operation Projective: Only one inversion at the end of a full scalar multiplication Modified Jacobian: Proposed by Cohen et al. Quadruple representation of a point (X, Y, Z, az 4 ) Fast point doubling Easy conversion beteen Affine and Modified Jacobian P A = (x, y) P MJ = (x, y,, a) P MJ = (X, Y, Z, az 4 ) P A = (X /Z 2, Y /Z 3 ) ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 2 / 52

18 Co-Z Scalar multiplication NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication Point addition can be accelerated if both points P and Q share the same Z coordinate. Montgomery Ladder can be efficiently calculated using three algorithms Add ith update (ZADDU) Add ith conjugate (ZADDC) Double ith update (DBLU) Montgomery Ladder k P Require: Prime p E(F q ), P = (X, Y, Z), here X, Y, Z GF (p), k Z, < k < #E, k = (k l, k l 2,..., k ) 2, k l = Ensure: Q = (X, Y, Z) P, Q = DBLU(P) for i = l 2 donto do if k i = then Q, P = ZADDC(P, Q) P, Q = ZADDU(Q, P) else P, Q = ZADDC(Q, P) Q, P = ZADDU(P, Q) return Q Almost as fast as Double-and-ADD algorithm. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 3 / 52

19 Montgomery Multiplication NIST Curves ECC Operations Scalar Multiplication Montgomery Multiplication X, Y, M are n-bit numbers, R = 2 n, Z = X Y mod M Ordinary Montgomery domain domain X X = X R mod M Y Y = Y R mod M Z Z = X Y R mod M Z R mod M Z X Y Z = Mont(X, Y, M) = X Y R mod M = (X R) (Y R) R mod M = X Y R mod M = Z R mod M X X X = Mont(X, R 2 mod M, M) = X R 2 R mod M = X R mod M Z Z Z = Mont(Z,, M) = (Z R) R mod M = Z mod M = Z ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 4 / 52

20 Montgomery Multiplication ECC Scalar Multiplication Montgomery Multiplication Architectures Tenca and Koc introduced a ord-based algorithm for Montgomery multiplication, called Multiple-Word Radix-2 Montgomery Multiplication (MWR2MM), as ell as a scalable hardare architecture capable of performing the multiplication operation using a variable number of Processing elements (PEs). (999) The systolic high-radix design by McIvor et al. is capable of very high speed operation ith the penalty of using large area requirements for fast multiplier units. (24) Kaihara et al. proposed a concept hich enables parallel execution of the Montgomery and Interleaved multiplication. (25) Öksüzoğlu et al. reported DSP-based architecture for lo-cost devices. (28) ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 5 / 52

21 Montgomery Multiplication ECC Scalar Multiplication Montgomery Multiplication s Harris et al. implemented the MWR2MM algorithm by left shifting one of the operands (Y) and the modulus (M) instead of right shifting the intermediate result (S). Their approach led to an improvement in terms of latency and latency area by factor of to. (2) Suzuki combined MWR2MM ith the quotient pipelining technique and proposed an architecture hich can be mapped efficiently onto modern high-performance DSP-oriented FPGA structure. (27) Huang et al. proposed to architectures to optimize the original MWR2MM algorithm to process n-bit precision multiplication in approximately n clock cycles by precomputing intermediate S values. (2) ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 6 / 52

22 ECC Scalar Multiplier Architectures Montgomery Multiplication ECC Scalar Multiplication Örs et al. introduced a module-based design for ECC processors over GF (p). The architecture is suitable for any prime field and any prime. The design uses Montgomery in a systolic array architecture to perform modular multiplication. (23) Amiet et al. implemented a generalized ECC processor hich supports all five of NIST prime fields for any prime p. Their implementation uses to Montgomery multiplier units hich ork in parallel ith a Modular adder/subtractor to perform the prescheduled scalar multiplication operations. (26) MuthuKumar and Jeevananthan proposed a high-speed ECC scalar multiplier over GF (p) and GF (2 m ) for key-size of 256-bits. They use Jacobian coordinates and Montgomery multipliers built of 6 x 6 multiplication units. (2) ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 7 / 52

23 Montgomery Multiplication ECC Scalar Multiplication ECC Scalar Multiplier s Q. Xu et al. designed a lo area ECC multiplier that supports NIST p-6, p-92, and p-256 curves. They proposed a tiny hardare module targeting ASICs. The design has counter measures to side-channel attacks (SPA), hile having average performance. (28) Alrimeih et al. implemented a hardare/softare co-design for ECC processor to perform the scalar multiplication over GF (p). Supports all five prime fields recommended by NIST but also limited to and optimized for their corresponding primes. (24) Sasdrich and Güneysu implemented a hardare accelerator for ECC point multiplication. The design is limited to Curve 2559 using pseudo Mersenne primes. Their ork as expanded later to include techniques for counter measures against SPA and DPA attacks. (25) ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 8 / 52

24 Design Decisions Introduction Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Generalized for all GF (p) curves for a specified field size. External Memory usage Support for ASIC implementations, mapps to embedded memories on FPGAs. Unified high-speed and lighteight storage requirements. Support for all 5 NIST field sizes for a ide range of applications: 92, 224, 256, 384, and 52. Not limited to special primes Optimizations for special primes might be patent restricted. Generic design for FPGA and ASIC, not targeted for special FPGA features: e.g. DSP. High-speed design uses different ord sizes (6, 32, and 64) and redundant representation to achieve high throughput. Lighteight design uses a variable number of PE units (2, 4, or 8) to increase flexibility hile maintaining lo area. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 9 / 52

25 Top Level Architecture Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier FIFO interface Independent initialization of field and curve parameters. Interface ith external memory for ASIC implementations Modular Montgomery Multiplication (MMM) Modular Addition and Subtraction (MAS) clk rst di_data di_valid di_ready W Scheduler W do_data do_valid do_ready MMM MAS start init_field init_curve Mem_Ctrl ECC busy RAM RAM2 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 2 / 52

26 Scheduler Introduction Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Start Normal to Montgomery Conversion Scalar Multiplication Projective to Affine Conversion Montgomery to Normal Conversion Outputs Each state has its on controller making the design modular. start signal triggers a state to begin operation and hands control back to the scheduler by returning a done signal. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 2 / 52

27 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Scheduler: EC Point Addition (unprotected) Algorithm 3(a)[3] Control ROM: Q = P + Q Require: P = (x, y,, a), P = (xr,yr,,a), Q = (X q,y q,z q,az qˆ4) P 2 = (X 2, Y 2, Z 2, az2 4 ) Multiplier Adder Ensure: P + P 2 = P 3 = (X 3, Y 3, Z 3, az3 4 Ops ) Res OP OP2 Res OP OP2 : T Z2 2 T Z q Z q mul 2: T 2 xt T 2 xr T mul 3: T T Z 2 T 3 X 2 T 2 T T Z q T 3 X q T 2 mulsub 4: T yt T yr T mul 5: T 4 T3 2 T 5 Y 2 T T 4 T 3 T 3 T 5 Y q T mulsub 6: T 2 T 2 T 4 T 2 T 2 T 4 mul 7: T 4 T 4 T 3 T 6 2T 2 T 4 T 4 T 3 T 6 T 2 T 2 muladd 8: Z 3 Z 2 T 3 T 6 T 4 + T 6 Z q Z q T 3 T 6 T 4 T 6 muladd 9: T 3 T5 2 T 3 T 5 T 5 mul : T T T 4 X 3 T 3 T 6 T T T 4 X q T 3 T 6 mulsub : az3 4 Z 3 2 T 2 T 2 X 3 az qˆ4 Z q Z q T 2 T 2 X q mulsub 2: T 3 T 5 T 2 T3 T 5 T 2 mul 3: az3 4 (az 3 4)2 Y 3 T 3 T az qˆ4 az qˆ4 az qˆ4 Y q T 3 T mulsub 4: az3 4 a(az 3 4 ) az qˆ4 ar az qˆ4 mul [3] S.B. Örs, L. Batina, B. Preneel, and J. Vandealle, Hardare of an Elliptic Curve Processor over GF (p), in ASAP 23, IEEE, Jun 23. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 22 / 52

28 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Scheduler: EC Point Doubling (unprotected) Algorithm 3(b)[3] Control ROM: Q = 2Q Q = (X q,y q,z q,az qˆ4) Require: P = (X, Y, Z, az 4 ), Multiplier Adder Ensure: 2P = P 3 = (X 3, Y 3, Z 3, az4 4 ) Res OP OP2 Res OP OP2 Ops : T Y 2 T 2 2X T Y q Y q T 2 X q X q muladd 2: T 3 T 2 T 2 2T 2 T 3 T T T 2 T 2 T 2 muladd 3: T T 2 T T 3 2T 3 T T 2 T T 3 T 3 T 3 muladd 4: T 2 X 2 T 3 2T 3 T 2 X q X q T 3 T 3 T 3 muladd 5: T 4 Y Z T 3 2T 3 T 4 Y q Z q T 3 T 3 T 3 muladd 6: T 5 T 3 (az 4) T 6 2T 2 T 5 T 3 az qˆ4 T 6 T 2 T 2 muladd 7: T 2 T 6 + T 2 T 2 T 6 T 2 add 8: T 2 T 2 + (az 4 ) T 2 T 2 az qˆ4 add 9: T 6 T2 2 Z 3 2T 4 T 6 T 2 T 2 Z q T 4 T 4 muladd : T 4 2T T 4 T T add : X 3 T 6 T 4 X q T 6 T 4 sub 2: T T X 3 T T X q sub 3: T 2 T 2 T az3 4 2T 5 T 2 T 2 T az qˆ4 T 5 T 5 muladd 4: Y 3 T 2 T 3 Y q T 2 T 3 sub [3] S.B. Örs, L. Batina, B. Preneel, and J. Vandealle, Hardare of an Elliptic Curve Processor over GF (p), in ASAP 23, IEEE, Jun 23. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 23 / 52

29 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Scheduler: EC Point ZADDC (protected) Algorithm 3[4] Control ROM: Q, P = P + Q Require: P = (X, Y, Z), P = (X p,y p,z), Q = (X q,y q,z) P 2 = (X 2, Y 2, Z) Multiplier Adder Ensure: P + P 2 = P 3 = (X 3, Y 3, Z 3 ) P Res OP OP2 Res OP OP2 Ops : T X X 2 T X p X q sub 2 : T 2 T 2 T 3 Y Y 2 T 2 T T T 3 Y p Y q mulsub 3 : Z 3 ZT T 4 Y + Y 2 Z Z T T 4 Y p Y q muladd 4 : T X T 2 T X p T 2 mul 5 : X 2 X 2 T 2 X q X q T 2 mul 6 : Y 2 T4 2 T 5 T X 2 Y q T 4 T 4 T 5 T X q mulsub 7 : T 2 T3 2 Y 2 Y 2 T T 2 T 3 T 3 Y q Y q T mulsub 8 : T 5 Y T 5 T 2 T 2 T T 5 Y p T 5 T 2 T 2 T mulsub 9 : X 3 Y 2 X 2 X p Y q X q sub : X 2 T 2 X 2 X q T 2 X q sub : Y 2 T X 2 Y q T X q sub 2: T 2 T 3 Y 2 T T X 3 T 2 T 3 Y q T T X p mulsub 3: T 3 T 4 T Y 2 T 2 T 5 T 3 T 4 T Y q T 2 T 5 mulsub 4: Y 3 T 3 T 5 Y p T 3 T 5 sub [4] R. R. Goundar, M. Joye, and A. Miyaji, Co-z addition formula and binary ladders on elliptic curves, CHES. 2, pp ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 24 / 52

30 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Scheduler: EC Point ZADDU (protected) Algorithm 2[4] Control ROM: P, Q = Q + P Require: P = (X, Y, Z), P = (X p,y p,z), Q = (X q,y q,z) P 2 = (X 2, Y 2, Z) Multiplier Adder Ensure: P 2 + P = P 3 = (X 3, Y 3, Z 3 ) P 2 Res OP OP2 Res OP OP2 Ops : T X X 2 T X p X q sub 2 : T 2 T 2 T 3 Y Y 2 T 2 T T T 3 Y p Y q mulsub 3 : Z 3 ZT Z Z T mul 4 : T X 2 T 2 T X q T 2 mul 5 : X X 2 T 2 X p X p T 2 mul 6 : T 4 T3 2 T 5 X T T 4 T 3 T 3 T 5 X p T mulsub 7 : Y Y T 5 T 4 T 4 X Y p Y p T 5 T 4 T 4 X p mulsub 8 : X 3 T 4 T X q T 4 T sub 9 : Y 2 X X 3 Y q X p X q sub : Y 2 T 3 Y 2 Y q T 3 Y q mul : Y 3 Y 2 Y Y q Y q Y p sub [4] R. R. Goundar, M. Joye, and A. Miyaji, Co-z addition formula and binary ladders on elliptic curves, CHES. 2, pp ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 25 / 52

31 Memory Introduction Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Nr RAM idx Name Rˆ2 mod M a 2 2 x 3 3 y 4 4 R 5 5 X q 6 6 Y q 7 7 Z q 8 8 az qˆ4 9 9 T T 2 T T T T MSB52(-4) 6 M 7 M K 9 3 MSB52(6-8) We need to store 8 operands, incl. temporary values, each of maximum size 52 bits. Memory : 6 x 52 bits, Memory 2: 4 x 52 bits. 9 MSB bits of 52-bit operands are stored in MSB52 locations and packed if = 64. Example: Virtual Address X_q RAM idx MSB MSB X_q Physical Address X_q MSB Physical Address ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 26 / 52

32 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

33 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

34 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

35 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

36 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod carry ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

37 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod carry 5 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

38 Modular Adder Subtracter (MAS) Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF first B>A Subtraction mod carry 5 Positive result Done. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52 C

39 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

40 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

41 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

42 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

43 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

44 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. Addition mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

45 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. Addition mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

46 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. Addition mod ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

47 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. Addition mod carry ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

48 Modular Adder Subtracter (MAS) A sign add/subtract last B All supported field sizes except 52 are divisible by 6 and 32. Storing them in ord-size memory does not leave space for sign. FF Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier first B>A Subtraction mod carry 5 Positive result Done. C Subtraction mod carry -8 Negative result addition of modulus. Addition mod carry 6 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 27 / 52

49 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Modular Montgomery Multiplier (MMM) Optimized MWR2MM [4] : if j = then 2: q i = (x i Y () ) S () 3: C () = 4: if j < e then 5: (CO (j+), SO (j), S(j) 2... ) = (, S(j)... ) + C (j) + x i Y (j) + q i M (j) 6: (CE (j+), SE (j), S(j) 2... ) = (, S(j)... ) + C (j) + x i Y (j) + q i M (j) 7: if S (j+) = then 8: C (j+) = CO (j+) 9: S (j)... = (SO(j), S(j) 2... ) : else : C (j+) = CE (j+) 2: S (j) (j)... = (SE, S(j) 2... ) 3: else 4: (C (e), S (e ) ) = (C (e), S (e )... ) + C (e ) + x i Y (e ) + q i M (e ) Task E Task F Task D [4] M. Huang, K. Gaj, and T. El-Ghazai. Ne hardare architectures for Montgomery modular multiplication algorithm, in IEEE ToCo, 6(7), pp , Jul, 2. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 28 / 52

50 t Introduction Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier High-Speed Design (based on architecture 2 [4]) x x x 7 x 8 x 52 =64 n=52 e=9 p=9 PE# Y () S () PE# Y () S () S () S () S () S () S () S (7) S (8) S () S () S (7) S (8) S () S (7) S (8) Task D Task E Task F PE#7 Y (7) S (7) PE#8 Y (8) S (7) S (8) S (8) e clk n clk n number of ords e = number of processing elements p = e number of clock cycles T = n + (e ) Example: = 64, n = 52 e = = 9 T = 52 + (9 ) = 529 Example: = 32, n = 52 e = = 7 T = 52 + (7 ) = 537 /2 T minimal bigger 2e 2p but each PE processes bits/2 area similar ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 29 / 52

51 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier High-Speed Design: supporting different field sizes q i q i Y () Y () M () M () () (2) S S D E PE# C () PE# C (2) q i (e r 2) (e r 2) Y (e 2) M r (e ) S r E (e ) PE# C r e r 2 (e ) bit SREG q q i (e r ) (e r ) Y E/F PE# e r (e ) r M S (e ) r (e ) r C q q q i e r i (e 5 2) i (e 5 ) (e r ) (e 5 2) (e ) Y Y Y 5 (e r ) (e M 5 2) (e ) M M 5 (e +) S r (e S 5 ) E E F (e +) (e ) PE# C r PE# C 5 PE# e r e 5 2 e 5 X i S () X i S () X (e 2) S r i (e 2) r X (e ) S r E/F_sel i (e ) r (e ) bit SREG X X i (e ) r S (e r ) X (e 2) S 5 i (e 2) 5 X (e S 5 ) i (e ) 5 = 6, 32 or 64 e = 92 e = e = e = e = ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 3 / 52

52 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Lighteight Design (based on architecture [4]) Each PE can perform E, D, and F p < e e must store inbeteen values in a queue. size of queue Q = e p n T = n + (e p) + p + p Example: p = 8, = 6, n = 52 e = 33, T = 28, Q = 25 Example: p = 4, = 6, n = 52 e = 33, T = 4325, Q = 29 p/2 > 2T Q increases a bit area/2 for PE t Y () Y () Y (2) Y () Y () Y (2) Y () Y () Y (2) S () S () S (2) S () S () S (2) S () S () S (2) x S () S () S (2) x S () 2 S () S (2) x S () 4 S () S (2) x S () x 3 S () x 5 Q# S () S (2) S () S (2) Task D Task E Task F ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 3 / 52 PE# PE# =2 n=6 e=3 p=2 S () S () S (2)

53 Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier Reading and Reformatting x i en x p en x p+ X (j) x 2p x 2p+ x 2p+2 load x p x en x p+ x en en x p+2 x p+2 x 2 x i x i+ en x i+2 en x x 3p x 2p x p en x i+p sreg E A B C D 92 A= p 224 B= p 256 C= p 384 D= p 52 E= p ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 32 / 52

54 Main Computational Unit Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier M (j) Y (j) reg reg reg sreg E A B C D same as previous diagram 8 x i x i+ x i+2 x i+p F D sreg 9 reg F D sreg 8 reg F D PE# PE# PE#2 8 sreg 2 reg F D PE# p 8 sreg 2 sreg9 p S (j) 5 8 ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 33 / 52

55 Inside the PE Unit Introduction Design Decisions Scheduler Modular Adder Subtracter Modular Montgomery Multiplier X i M (j) Y (j) S (j) +2 mode F (e) C + S (j) 2 2 reg FF en S (j+) 2 S (j) + S (j) 2 S (j) q i C mode D ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 34 / 52

56 Test Setup Introduction Results Conclusions Embedded memories are used only for external RAM. All implementations are coded in VHDL and do not use any other embedded resources. Implemented using Xilinx ISE 4.7, Quartus Prime 6., and Libero SoC.7 and Optimized using ATHENa. All results are Post-Place & Route. Xilinx Altera Microsemi Family Tech Family Tech Family Tech Spartan-6 45 nm Virtex-6 4 nm Stratix IV 4 nm IGLOO2 65 nm Artix-7 28 nm Cyclone V 28 nm Virtex-7 28 nm Stratix V 28 nm Zynq-7 28 nm ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 35 / 52

57 Results Conclusions Latency & Throughput for a given field and idth for HS Latency in clock cycles TP in Op/sec Field size Size of ord (W) at f = MHz W=64 W=32 W=6 W=64 W=32 W=6 92-bit 766, ,229,7, bit,45,978,64,77,43, bit,296,79,462,77,793, bit 2,9,58 3,263,447 3,969, bit 5,398,49 6,7,54 7,255, Average 2,283,646 2,555,26 3,4, bit 824,22 939,969,7, bit,25,24,26,229,564, bit,395,369,584,853,963, bit 3,23,729 3,528,699 4,338, bit 5,79,34 6,52,5 7,925, Average 2,45,932 2,763,252 3,392, TP Throughput; Op Operations; f Frequency Unprotected Protected Average TPs are based on average latencies. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 36 / 52

58 Results Conclusions results of HS designs on Xilinx FPGAs Avg. Latency f TP TP/Area Width Slices LUTs FFs BRAMs [Clock cycles] [MHz] [ Op sec ] [ Op Slices sec ] Virtex7:xc7vx485tffg ,269 3,36 4, ,45, ,227 2,68 4, ,763, ,44 4,66 2 3,392, Virtex6:xc6vlx24tff ,36 3,4 4, ,45, , 2,886 4, ,763, ,74 2,84 4,66 2 3,392, Zynq:xc7z2clg ,35 3,72 4, ,45, ,72 2,72 4, ,763, ,224 2,765 4,66 2 3,392, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 37 / 52

59 Results Conclusions results of HS designs on Altera FPGAs Avg. Latency f TP TP/Area Width ALMs ALUTs FFs MBits [Clock cycles] [MHz] [ Op sec ] [ Op ALMs sec ] Stratix V:5SGXEA7K2F4C3 64 2,998 5,66 5,383 2,48 2,45, ,766 5,76 5,3 2,48 2,763, ,629 4,84 5,84 2,48 3,392, Stratix IV:EP4SE53H35C4 64 4,32 3,936 4,687 2,48 2,45, ,73 4,76 4,582 2,48 2,763, ,68 4,3 4,67 2,48 3,392, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 38 / 52

60 Results Conclusions results of HS designs on Microsemi FPGAs Avg. Latency f TP TP/Area Width LEs 4LUTs FFs RAM [Clock cycles] [MHz] [ Op sec ] [ Op ALMs sec ] IGLOO2:M2GLTS-FG ,846 6,737 5, ,45, ,7 6,7 4, ,763, ,839 5,927 4,926 3,392, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 39 / 52

61 Results Conclusions results of HS designs on ASICs Area Avg. Latency f TP TP/Area Width GEs [Clock cycles] [MHz] [ Op sec ] [ Op GEs sec ] 64 57,669 2,98, ,468 2,386, ,62 2,77, TP is calculated using the average latency at maximum frequency Implemented on 9nm technology Area is counted in terms of NAND2x gates Design area does not include size of memories Results are after synthesis ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 4 / 52

62 Results Conclusions Poer Estimates for HS using Xpoer and Libero Family Avail. P static [mw] P dynamic [mw] P total [mw] LUTs W=64 W=32 W=6 W=64 W=32 W=6 W=64 W=32 W=6 VX7 33, VX6 5,72 3,424 3,423 3, ,5 3,468 3,477 ZQ 53, AX7 63, SN6 9, IG2 2, FY Family; VX Virtex; SN Spartan; AX Artix; ZQ Zynq; IG IGLOO Results are generated under the folloing conditions: Clock at MHz. randomly generated values of k for each of the five fields. Size of k is equal to curve field size. Static poer of VX6 as reported by tool does not seem correct. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 4 / 52

63 Comparison of HS results Results Conclusions Curve f TP TP/Area Work Device Slices LUTs DSPs BRAMs Size Type [MHz] [ Op sec ] [ Op LUTs sec ] 92 GF (p) GF (p) TW[W=32] VX GF (p),227 2, (Protected) 384 GF (p) GF (p) GF (p) GF (p) TW[W=64] VX GF (p),269 3, (Protected) 384 GF (p) GF (p) GF (p) 3, Amiet et. al[w=32] VX GF (p),5.22 N/A 6,86 2 N/A N/A 384 GF (p) 55.8 (Unprotected) 52 GF (p) Amiet et al.[w=64] VX GF (p) N/A 8, N/A N/A (Unprotected) 52 GF (p) p-92 3, p-224 2, Alrimeih et al. VX p-256,2 32, ,5.75 (N/A) 384 p p Roy et al. VX p Baldin et al. VX-5 92 GF (p) N/A 6, N/A N/A GF (p) N/A 7,8 N/A N/A TW This Work; VX Virtex; GF (p) any prime for a given size; p-xxx NIST prime only ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 42 / 52

64 Other results Introduction Results Conclusions Curve f TP TP/Area Work Device Slices LUTs DSPs BRAMs Size Type [MHz] [ Op sec ] [ Op Slices sec ] 92 GF (p) 4, Ghosh et al. VX GF (p) 7, GF (p) 2, p p Ananyi et al. VX p-256 2, p p Güneysu et al. VX p , , , p , ,76.84 Güneysu et al. VX p-256, , McIvor et al. VX GF (p) 5, Guillermin SX-II 256 GF (p) 9, , GF (p) 6, , Schiniakis et al. SX-II 256 GF (p) 9, , GF (p) 3, GF (p) 7, VX Virtex; SX Stratix; ALMs; 2 Op [ ALMs sec ] ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 43 / 52

65 Results Conclusions Latency & Throughput for a given field and no. of PE for LW Latency in clock cycles TP in Op/sec Field size Number of PE units (#PE) at f = MHz #PE=8 #PE=4 #PE=2 #PE=8 #PE=4 #PE=2 92-bit,477,45 2,4,45 4,265, bit 2,22, 3,684,47 6,652, bit 3,73,655 5,23,35 9,58, bit 9,453,25 6,857,85 3,75, bit 22,89,39 4,8,938 79,687, Average 7,82,35 3,993,42 26,365, bit,576,957 2,557,883 4,54, bit 2,358,523 3,922,55 7,74, bit 3,279,973 5,555,83,34, bit,57,53 7,96,72 33,676, bit 24,33,723 44,374,347 84,533, Average 8,37,338 4,865,465 27,99, TP Throughput; Op Operations; f Frequency Unprotected Protected ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 44 / 52

66 Results Conclusions results of LW designs on Xilinx FPGAs Avg. Latency f TP TP/Area # of PEs Slices LUTs FFs BRAMs [Clock cycles] [MHz] [ Op sec ] [ Op Slices sec ] Zynq:xc7z2clg ,697,69 2 8,37, ,353,5 2 4,865, , ,99, Artix:xc7atcsg ,675,69 2 8,37, ,3,5 2 4,865, , ,99, Spartan6:xc7vx485tffg ,758,78 2 8,37, ,36,24 2 4,865, , ,99, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 45 / 52

67 Results Conclusions results of LW designs on Altera FPGAs Avg. Latency f TP TP/Area # of PEs ALMs ALUTs FFs MBits [Clock cycles] [MHz] [ Op sec ] [ Op ALMs sec ] Stratix V:5SGXEA7K2F4C ,5,222 2,48 8,37, , ,8 4,865, ,48 27,99, Cyclone V:5CEBA4F23C , ,786 8,37, , ,875 4,865, ,92 27,99, Stratix IV:EP4SE53H35C4 8,7, ,48 8,37, , ,48 4,865, ,48 27,99, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 46 / 52

68 Results Conclusions results of LW designs on Microsemi FPGAs Avg. Latency f TP TP/Area # of PEs LEs 4LUTs FFs RAM [Clock cycles] [MHz] [ Op sec ] [ Op ALMs sec ] IGLOO2-M2GL5S:FG ,25 2,835,49 2,45, ,753 2,385,34 2,763, ,522 2,79,269 3,392, TP is calculated using the average latency at maximum frequency ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 47 / 52

69 Results Conclusions results of LW designs on ASICs Area Avg. Latency f TP TP/Area Width GEs [Clock cycles] [MHz] [ Op sec ] [ Op GEs sec ] 8 2,696 3,273, ,42 23,832, ,42 44,998, TP is calculated using the average latency at maximum frequency Implemented on 9nm technology Area is counted in terms of NAND2x gates Design area does not include size of memories Results are after synthesis ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 48 / 52

70 Results Conclusions Poer Estimates for LW using Xpoer and Libero Family Avail. P static [mw] P dynamic [mw] P total [mw] LUTs PE=8 PE=4 PE=2 PE=8 PE=4 PE=2 PE=8 PE=4 PE=2 ZQ 53, AX7 63, SN6 9, IG2 6, FY Family; SN Spartan; AX Artix; ZQ Zynq; IG IGLOO Results are generated under the folloing conditions: Clock at MHz. randomly generated values of k for each of the five fields. Size of k is equal to curve field size. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 49 / 52

71 Comparison of LW results Results Conclusions Curve f TP TP/Area Work Device Slices LUTs DSPs BRAMs Size Type [MHz] [ Op sec ] [ Op Slices sec ] 92 GF (p) GF (p).27 TW[#PEs=8] SN GF (p) 48, GF (p) GF (p) 7.5 Driessen et al. SN p N/A N/A N/A Royet al. SN p VX p Varchola et al. VX-2 Pro 224 p N/A VX-2 Pro 256 p N/A Vliegen et al. VX-2 Pro 256 GF (p) 694 N/A TW This Work; VX Virtex; SN Spartan; Multipliers; GF (p) any prime for a given size; p-xxx NIST prime only ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 5 / 52

72 Conclusions Introduction Results Conclusions We designed to implementations of a scalable ECC processor, one for high-speed and one lighteight. Unlike many published results, our processor is not limited to NIST primes. Our TP/Area results are slightly loer than the high-speed design by Amiet, hoever, e use only one MMM, a fraction of the BRAMs, no DSP units neither contribute to TP/Area and our design is protected. In case of ligheight, our design is about 6 larger as compared to Roy s design. But e do not use any DSP units and only to BRAMs. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 5 / 52

73 Results Conclusions Thanks for your attention. ReConFig-27 A. Salman, A. Ferozpuri, P Yalla et al. Scalable ECC Processor, High-Speed Lighteight 52 / 52