An FPGA implementation of a GF(p) ALU for encryption processors
Introduction
As the popularity of mobile internet devices increases, so too does the need for secure and reliable electronic communication over insecure channels. Encryption provides the confidentiality, authentication, data integrity and non-repudiation required for electronic transactions. Bulk data is generally encrypted using private key systems, where both parties share the same common secret key. However, the establishment and exchange of these secret keys is normally achieved via public key cryptosystems. Generally, these public key systems are more computationally intensive and slower than their private key counterparts [1].
Field-Programmable Gate Arrays (FPGAs) are an ideal platform to provide hardware arithmetic acceleration for use in many cryptographic applications. Their reconfigurability means that they can be re-programmed to perform the more computationally intensive operations of a range of ciphers depending on security and application requirements.
Elliptic Curve Cryptosystems (ECC) were independently proposed in the mid-eighties by Victor Miller [2] and Neal Koblitz [3] as an alternative to existing public key systems such as RSA and DSA. ECC is quickly establishing itself due to its potential to provide security equivalent to existing public key cryptosystems at reduced key sizes. This is particularly attractive for use in constrained applications such as smart cards, mobile phones and palm-top devices, where chip area and memory storage are limited resources. The security of this scheme relies on the difficulty of the discrete logarithm problem in the group formed by the points on an elliptic curve over a finite field. Unlike the ordinary discrete logarithm problem, no sub-exponential algorithm is known to date that solves the discrete logarithm problem on a suitably chosen elliptic curve. It is estimated that a 160-bit ECC cryptosystem has security equivalent to RSA with a bit length of 1024 [4].
Two types of finite field are popular for use in elliptic curve public key cryptography: GF(p) with p a ‘large’ prime, and $GF(2^m)$ with m a positive integer. Few elliptic curve cryptosystems over GF(p) have been reported in the literature to date, due to the requirement of carry propagation in the addition operation [5], [6], [7], [8], [9], [10]. Addition in $GF(2^m)$ is performed bitwise modulo 2, and thus has a shorter critical path. However, the more complex arithmetic operations of multiplication, inversion and division over $GF(2^m)$ do not map well to the underlying FPGA structure. The resulting large combinational structures can reduce performance as significantly as the GF(p) carry-chain adder structures, which are optimised on FPGA. Many of the existing ECC implementations over $GF(2^m)$ are also constrained to fixed register sizes once the field has been selected and the target device has been configured. By contrast, a GF(p) implementation with a register size of m bits can operate with any prime p up to $2^m - 1$ without reconfiguration. A $GF(2^m)$ processor which can operate on different key sizes without reconfiguration has previously been presented in Ref. [11], but it is the belief of the authors that the more versatile GF(p) processors can be implemented as efficiently as $GF(2^m)$ processors on reconfigurable platforms.
Elliptic curve cryptography over GF(p)
An elliptic curve over the finite field GF(p) is defined as the set of points (x, y) which satisfy the elliptic curve equation, where x, y, a and b are elements of the field and $4a^3 + 27b^2 \neq 0$.
To encrypt data, it is represented as a point $P(x_P, y_P)$ on the chosen curve over the finite field. The fundamental encryption operation is point scalar multiplication, i.e. point P is added to itself k times to get point $Q(x_Q, y_Q)$. Recovery of k, through knowledge of the elliptic curve
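The scalar multiplication just described, as an added example that is not part of the paper: affine point addition, doubling and right-to-left double-and-add over GF(p). It assumes the short Weierstrass curve form y^2 = x^3 + ax + b (the form whose non-singularity condition is 4a^3 + 27b^2 ≠ 0); the modulus, curve coefficients and base point are constructed toy values, not the paper's test vectors, and modular inversion uses Python's built-in pow(x, -1, p) (Python 3.8+).

```python
# Added example, not the paper's code. Affine-coordinate elliptic curve group
# law over GF(p) for the assumed short Weierstrass form y^2 = x^3 + a*x + b.

# Constructed toy curve: p = 97, a = 2, b = 3 (4*8 + 27*9 = 275 = 81 mod 97 != 0).
P_MOD = 97
A, B = 2, 3
G = (3, 6)    # constructed base point: 3^3 + 2*3 + 3 = 36 = 6^2 (mod 97)
INF = None    # point at infinity, the group identity

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p), or is the identity."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def point_add(p1, p2):
    """Affine addition covering identity, inverse pairs and doubling.
    Each non-trivial case costs one modular inversion (pow(..., -1, p))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O
    if p1 == p2:
        # doubling: slope = (3x^2 + a) / (2y)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        # addition: slope = (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Q = k*P by right-to-left double-and-add: one doubling per bit of k
    plus one addition per set bit. k = 0 yields the identity."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def point_order(pt):
    """Smallest n > 0 with n*P = O, by repeated addition (fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = point_add(acc, pt)
        n += 1
    return n

if __name__ == "__main__":
    print("2G =", scalar_mult(2, G), "order of G =", point_order(G))
```

Every affine point addition or doubling needs one modular inversion (or division), which is why an ALU that supports only modular multiplication forces a designer into projective coordinates; the paper's ALU includes inversion/division precisely so that this affine group law can be run directly.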
Modular arithmetic functions
All arithmetic in the Galois Field GF(p) is performed modulo the field prime, p. In order to perform the point addition and doubling computations outlined in Section 2, modular addition, subtraction, multiplication and inversion/division are required. In this section the modular arithmetic functions are listed, and algorithms and architectures for each are presented. In Section 4, these architectures are combined into a single GF(p) Arithmetic Logic Unit which is capable of performing any of
The GF(p) arithmetic logic unit
The proposed GF(p) ALU illustrated in Fig. 5 combines all the functions listed in Section 3 into one architecture. Three (m+2)-bit carry-propagate adders are used, with two levels of switching to select their inputs and outputs. The switching multiplexers are controlled by the operation mode and by signals such as carry bits, parity bits, and bi, the LSB of B, generated by a shift-register for the multiplication operation. The carry-in of an adder is set to ‘1’ when a two's complement subtraction is
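Added example, not the paper's code: a Python model of the modular functions listed in Section 3, written the way the ALU of Section 4 computes them, from a single add/subtract primitive followed by a conditional correction. Multiplication consumes B one least-significant bit per iteration, as the shift register supplying bi does, and division uses the standard binary (Euclid-type) algorithm. That these are the paper's exact algorithms is an assumption; the primes, word size m and operands are constructed.

```python
# Added example, not the paper's code. Every function below is built only from
# integer add/subtract plus a compare-and-correct, the primitive a bit-serial
# GF(p) ALU has. Algorithms are standard textbook ones, assumed here.

def mod_add(a, b, p):
    """a + b mod p: one addition (m+1 bits wide), then subtract p if s >= p."""
    s = a + b
    return s - p if s >= p else s

def mod_sub(a, b, p):
    """a - b mod p: two's complement subtraction; a borrow (adder carry-out
    signal) means the result went negative, so p is added back."""
    d = a - b
    return d + p if d < 0 else d

def mod_mul(a, b, p, m):
    """LSB-first interleaved multiplication over m clock cycles:
    R += b_i * A (mod p); A = 2A (mod p); B shifted right one bit."""
    r = 0
    for _ in range(m):
        if b & 1:                  # b_i, the LSB of the B shift register
            r = mod_add(r, a, p)
        a = mod_add(a, a, p)       # doubling is an addition of A to itself
        b >>= 1
    return r

def mod_div(a, b, p):
    """a * b^-1 mod p by the binary algorithm (p odd, b != 0 mod p).
    Invariants: x1*b == u*a and x2*b == v*a (mod p); gcd(u, v) stays 1,
    so the loop ends with u == 1 or v == 1 and never with u == v."""
    if b % p == 0:
        raise ZeroDivisionError("b has no inverse mod p")
    u, v = b % p, p
    x1, x2 = a % p, 0
    while u != 1 and v != 1:
        while u % 2 == 0:          # halve u, and x1 modulo p (p odd)
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + p) // 2
        while v % 2 == 0:
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + p) // 2
        if u >= v:                 # both odd here; subtract smaller from larger
            u -= v
            x1 = mod_sub(x1, x2, p)
        else:
            v -= u
            x2 = mod_sub(x2, x1, p)
    return x1 if u == 1 else x2

def mod_inv(a, p):
    """Inversion is division with the dividend fixed to 1."""
    return mod_div(1, a, p)

def check_against_reference(p, m, a, b):
    """Cross-check every ALU-style function against Python big integers."""
    ref_inv = pow(b, -1, p)        # Python 3.8+ modular inverse as the oracle
    return (mod_add(a, b, p) == (a + b) % p and
            mod_sub(a, b, p) == (a - b) % p and
            mod_mul(a, b, p, m) == (a * b) % p and
            mod_div(a, b, p) == a * ref_inv % p and
            mod_inv(b, p) == ref_inv)

if __name__ == "__main__":
    # constructed operands: a 7-bit toy prime and the 31-bit Mersenne prime
    print(check_against_reference(97, 7, 45, 88),
          check_against_reference(2**31 - 1, 31, 123456789, 987654321))
```

The multiplier takes exactly m iterations regardless of the operand values, and the operand A never exceeds the adder width because it is reduced after each doubling, which is the property that lets a fixed (m+2)-bit datapath serve any prime p below 2^m.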
GF(p) ALU application example
As an example, the generic operation was implemented utilizing the GF(p) ALU and tested on a Celoxica RC1000 prototyping PCI card. The card includes a Xilinx Virtex2000e FPGA and 8 Mb of SRAM, and communicates with the host PC over a PCI interface.
The procedure for the operation is given in Procedure 1. All the required functions to perform the operation can be performed in the GF(p) ALU. Step 01 is performed in inversion, subtraction and addition modes as described in Section 3.8,
Results
Post-synthesis and post-place-and-route results for the GF(p) ALU are presented in Table 2. The target device for these results was the Xilinx Virtex2 xc2v2000-6 FPGA. The post-synthesis speed figures indicate the clock frequencies at which the ALU could operate as a component within another system. The post-place-and-route results were acquired from a design which included memory-interfacing shift registers to input and output data in 32-bit words, and also signal routing to and from I/O pins on
Conclusions
Very few GF(p) arithmetic processors have been reported in the literature to date. Those that have been reported use projective coordinates to perform point scalar multiplication and focus mainly on the modular multiplication operation, neglecting modular inversion and division. In projective coordinates, point addition requires approximately 16m clock cycles and point doubling requires approximately 10m clock cycles.
Here, a versatile GF(p) Arithmetic Logic Unit capable of performing all
Acknowledgements
This work is funded by a research innovation project from Enterprise Ireland.
References
[1] Applied Cryptography (1996).
[2] Use of elliptic curves in cryptography. Adv. Cryptogr. Crypto'85 (1985).
[3] Elliptic curve cryptosystems. Math. Comp. (1987).
[4] et al., Elliptic Curves in Cryptography (2000).
[5] G. Orlando, C. Paar, A scalable GF(p) elliptic curve processor architecture for programmable hardware. Cryptographic...
[6] S.B. Örs, L. Batina, B. Preneel, J. Vandewalle, Hardware implementation of elliptic curve processor over GF(p), ...
[7] et al., An energy-efficient reconfigurable public-key cryptography processor. IEEE J. Solid-State Circuits (2001).
Alan Daly received BE (Elec) degree in electrical and electronic engineering from University College Cork, Ireland in 2000. He is currently working towards his PhD degree. His primary research interests are reconfigurable logic devices and applications, cryptography, and large integer arithmetic.
William Peter Marnane received BE degree in electrical engineering from National University of Ireland, Cork in 1984 and the DPhil degree from the University of Oxford in 1989. He is a senior lecturer in the Department of Electrical and Electronic Engineering at the National University of Ireland, Cork since 1999. His research interests include digital design for DSP, coding theory and cryptography.
Tim Kerins received his BSc degree in physics from University College Cork, Ireland in 2000. He is currently working towards his PhD degree in electrical engineering at University College Cork. His primary research areas are flexible architectures for the implementation of cryptographic algorithms based over Galois fields and the efficient implementation of public key cryptography protocols based on elliptic curves.
Emanuel Mihai Popovici received Dipl. Ing. Degree in computer engineering from University Politehnica Timisoara, Romania, in 1997 and the PhD degree in microelectronic engineering from the National University of Ireland, Cork, in 2002. He has been a Lecturer in the Department of Microelectronic Engineering at the National University of Ireland, Cork since 2002. His research interests include coding theory, cryptography and their applications, design automation and test.