24 RSA Accelerator (RSA)

24 RSA Accelerator (RSA)

24.1Introduction

The RSA Accelerator provides hardware support for multiple precision arithmetic operations used in RSA asymmetric cipher algorithms.

Sometimes, multiple precision arithmetic is also called ”bignum arithmetic”, ”bigint arithmetic” or ”arbitrary precision arithmetic”.

24.2Features

•Support for large-number modular exponentiation

•Support for large-number modular multiplication

•Support for large-number multiplication

•Support for various lengths of operands

24.3Functional Description

24.3.1 Initialization

The RSA Accelerator is activated by enabling the corresponding peripheral clock, and by clearing the DPORT_RSA_PD bit in the DPORT_RSA_PD_CTRL_REG register. This releases the RSA Accelerator from reset.

When the RSA Accelerator is released from reset, the register RSA_CLEAN_REG reads 0 and an initialization process begins. Hardware initializes the four memory blocks by setting them to 0. After initialization is complete, RSA_CLEAN_REG reads 1. For this reason, software should query RSA_CLEAN_REG after being released from reset, and before writing to any RSA Accelerator memory blocks or registers for the first time.

24.3.2 Large Number Modular Exponentiation

Large-number modular exponentiation performs Z = XY mod M. The operation is based on Montgomery multiplication. Aside from the arguments X, Y , and M, two additional ones are needed — r and M′. These arguments are calculated in advance by software.

The RSA Accelerator supports operand lengths of N {512, 1024, 1536, 2048, 2560, 3072, 3584, 4096} bits. The bit length of arguments Z, X, Y , M, and r can be any one from the N set, but all numbers in a calculation must be of the same length. The bit length of M′ is always 32.

To represent the numbers used as operands, define a base-b positional notation, as follows:

b = 232

In this notation, each number is represented by a sequence of base-b digits, where each base-b digit is a 32bit word. Representing an N-bit number requires n base-b digits (all of the possible N lengths are multiples of

Submit Documentation Feedback

24 RSA Accelerator (RSA)

32).

n =

N

32

Z = (Zn−1Zn−2 · · · Z0)b

X = (Xn−1Xn−2 · · · X0)b

Y = (Yn−1Yn−2 · · · Y0)b

M = (Mn−1Mn−2 · · · M0)b r = (rn−1rn−2 · · · r0)b

Each of the n values in Zn−1 ~ Z0, Xn−1 ~ X0, Yn−1 ~ Y0, Mn−1 ~ M0, rn−1 ~ r0 represents one base-b digit (a 32-bit word).

Zn−1, Xn−1, Yn−1, Mn−1 and rn−1 are the most significant bits of Z, X, Y , M, while Z0, X0, Y0, M0 and r0 are the least significant bits.

If we define

(Equation 2 is written in a form suitable for calculations using the extended binary GCD algorithm.) Software can implement large-number modular exponentiations in the following order:

1.Write ( 512N − 1) to RSA_MODEXP_MODE_REG.

2.Write Xi, Yi, Mi and ri (i [0, n) ∩ N) to memory blocks RSA_X_MEM, RSA_Y_MEM, RSA_M_MEM and RSA_Z_MEM. The capacity of each memory block is 128 words. Each word of each memory block can store one base-b digit. The memory blocks use the little endian format for storage, i.e. the least significant digit of each number is in the lowest address.

Users need to write data to each memory block only according to the length of the number; data beyond this length are ignored.

3.Write M′ to RSA_M_PRIME_REG.

4.Write 1 to RSA_MODEXP_START_REG.

5.Wait for the operation to be completed. Poll RSA_INTERRUPT_REG until it reads 1, or until the RSA_INTR interrupt is generated.

6.Read the result Zi (i [0, n) ∩ N) from RSA_Z_MEM.

7.Write 1 to RSA_INTERRUPT_REG to clear the interrupt.

After the operation, the RSA_MODEXP_MODE_REG register, memory blocks RSA_Y_MEM and RSA_M_MEM, as well as the RSA_M_PRIME_REG will not have changed. However, Xi in RSA_X_MEM and ri in RSA_Z_MEM will have been overwritten. In order to perform another operation, refresh the registers and memory blocks, as required.

Submit Documentation Feedback

24 RSA Accelerator (RSA)

24.3.3 Large Number Modular Multiplication

Large-number modular multiplication performs Z = X × Y mod M. This operation is based on Montgomery multiplication. The same values r and M′ are derived by software using the formulas 1 and 2 shown above.

The RSA Accelerator supports large-number modular multiplication with eight different operand lengths, which are the same as in the large-number modular exponentiation. The operation is performed by a combination of software and hardware. The software performs two hardware operations in sequence.

The software process is as follows:

1.Write ( 512N − 1) to RSA_MULT_MODE_REG.

2.Write Xi, Mi and ri (i [0, n) ∩ N) to registers RSA_X_MEM, RSA_M_MEM and RSA_Z_MEM. Write data to each memory block only according to the length of the number. Data beyond this length are ignored.

3.Write M′ to RSA_M_PRIME_REG.

4.Write 1 to RSA_MULT_START_REG.

5.Wait for the first round of the operation to be completed. Poll RSA_INTERRUPT_REG until it reads 1, or until the RSA_INTR interrupt is generated.

6.Write 1 to RSA_INTERRUPT_REG to clear the interrupt.

7.Write Yi (i [0, n) ∩ N) to RSA_X_MEM.

Users need to write to the memory block only according to the length of the number. Data beyond this length are ignored.

8.Write 1 to RSA_MULT_START_REG.

9.Wait for the second round of the operation to be completed. Poll RSA_INTERRUPT_REG until it reads 1, or until the RSA_INTR interrupt is generated.

10.Read the result Zi (i [0, n) ∩ N) from RSA_Z_MEM.

11.Write 1 to RSA_INTERRUPT_REG to clear the interrupt.

After the operation, the RSA_MULT_MODE_REG register, and memory blocks RSA_M_MEM and RSA_M_PRIME_REG remain unchanged. Users do not need to refresh these registers or memory blocks if the values remain the same.

24.3.4 Large Number Multiplication

Large-number multiplication performs Z = X × Y . The length of Z is twice that of X and Y . Therefore, the RSA

Operands X and Y need to be extended to form arguments X and Y which have the same length (N bits) as the

Submit Documentation Feedback