Hardware Implementation of Elliptic Curve Processor over GF(p)
International Journal of Embedded Systems, 2003
Cited by 28 (6 self)
This paper describes a hardware implementation of an arithmetic processor which is efficient for bit-lengths suitable for both commonly used types of Public Key Cryptography (PKC), i.e., Elliptic Curve (EC) and RSA Cryptosystems. The processor consists of special operational blocks for Montgomery Modular Multiplication, modular addition/subtraction, EC Point doubling/addition, modular multiplicative inversion, EC point multiplier, projective to affine coordinates conversion and Montgomery to normal representation conversion.
Checking before Output May Not Be Enough against Fault-Based Cryptanalysis
2000
Cited by 25 (2 self)
In order to avoid fault-based attacks on cryptographic security modules (e.g., smart-cards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential fault-based attack where key bits leak only through the information whether the device produces after a temporary fault a correct answer or not. This information is available to the adversary even if a check is performed before output.
System Design Methodologies for a Wireless Security Processing Platform
2002
Cited by 22 (8 self)
Security protocols are critical to enabling the growth of a wide range of wireless data services and applications. However, they impose a high computational burden that is mismatched with the modest processing capabilities and battery resources available on wireless clients. Bridging the security processing gap, while retaining sufficient programmability in order to support a wide range of current and future security protocol standards, requires the use of novel system architectures and design methodologies.
A Complexity-Effective Version of Montgomery’s Algorithm
in Workshop on Complexity Effective Designs, ISCA’02, May 2002, http://www.ee.rochester.edu:8080/~albonesi/wced02, 2002
Cited by 5 (0 self)
A new version of Montgomery’s algorithm for modular multiplication of large integers and its implementation in hardware is presented. It has been designed to meet the predominant requirements of most modern devices: small chip area and low power consumption. The algorithm is superior to the original method by a factor of 2, with respect to both area and latency. The new method has a simple structure. It requires a small amount of precomputation and storage in order to reduce the number of necessary additions by a factor of 2. Index terms: modulo multiplication, carry save addition, Montgomery algorithm.
Observability Analysis - Detecting When Improved Cryptosystems Fail
2002
Cited by 5 (0 self)
In this paper we show that, paradoxically, what seems like a "universal improvement" or a "straight-forward improvement" which enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous "improvements". This implies that careful considerations should be given to the fact that an implemented cryptosystem exists within certain operational environments (which may enable certain types of tampering and other observed information channels via faults, side-channel attacks or behavior of system operators).
Dynamic Intellectual Property Protection for Reconfigurable Devices
Cited by 5 (3 self)
The distinct advantage of SRAM-based Field Programmable Gate Arrays (FPGA) is their flexibility for configuration changes. However, this opens up the threat of theft of Intellectual Property (IP) since the system configuration is stored in easy-to-access Flash memory. To prevent this, high-end FPGAs have already been extended with symmetric-key decryption engines used to load an encrypted version of the configuration that cannot simply be copied and used without knowledge of the secret key. However, such protection systems based on straightforward use of symmetric cryptography are not well-suited with respect to business and licensing processes, since they are lacking a convenient scheme for key transport and installation. We propose a new protection scheme for the IP of circuits in configuration bit files that provides a significant improvement to the current unsatisfying situation. It uses both public-key and symmetric cryptography, but does not burden FPGAs with the usual overhead of public-key cryptography: While it needs hard-wired symmetric cryptography, the public-key functionality is moved into a temporary configuration bit stream for a one-time setup procedure. This approach requires only very few modifications to current FPGA technology. Using five basic stages, the new protection scheme allows new accounting models for volume licensing of IP, with automated key installation on FPGAs taking place at the customer’s site. Keywords: IP protection, secure configuration, FPGA, embedded security
Divide and Concatenate: A Scalable Hardware Architecture for Universal MAC
in 12th ACM International Symp. on Field-Programmable Gate Arrays (FPGA2004), 2003
Cited by 1 (0 self)
We present a cryptographic architecture optimization technique called divide-and-concatenate based on two observations: (i) the area of a multiplier and associated data path decreases exponentially and their speeds increase linearly as their operand size is reduced. (ii) in hash functions, message authentication codes and related cryptographic algorithms, two functions are equivalent if they have the same collision probability property. In the proposed approach we divide a 2w-bit data path (with collision probability 2 ) into two w-bit data paths (each with collision probability 2 ) and concatenate their results to construct an equivalent 2w-bit data path (with a collision probability 2 ). We applied this technique on NH hash, a universal hash function that uses multiplications and additions. When compared to the 100% overhead associated with duplicating a straightforward 32-bit pipelined NH hash data path, the divide-and-concatenate approach yields a 94% increase in throughput with only 40% hardware overhead. The NH hash associated message authentication code UMAC architecture with collision probability 2 that uses four equivalent 8-bit divide-and-concatenate NH hash data paths yields a throughput of 79.2 Gbps with only 3840 FPGA slices when implemented on a Xilinx XC2VP7-7 Field Programmable Gate Array (FPGA).
1. Motivation
In the past, most cryptographic algorithms have been developed to run fast on general-purpose processors. More recently, dedicated cryptographic hardware is being developed and deployed to match the >10 Gbps wire speed requirements. In this paper we will investigate scalable hardware architectures for cryptographic algorithms.
Hardware-Software Codesign in Embedded Asymmetric Cryptography Application — A Case Study
Proc. Field-Programmable Logic and Applications, 2003
Cited by 1 (0 self)
This paper presents a case study of a hardware-software codesign of the RSA cipher embedded in reconfigurable hardware. The soft cores of Altera’s Nios RISC processor are used as the basic building block of the proposed complete embedded solutions. The effect of moving computationally intensive parts of RSA into an optimized parameterized scalable Montgomery coprocessor(s) is analyzed and compared with a pure software solution. The impact of the tasks distribution between the hardware and the software on the occupation of logic resources as well as the speed of the algorithm is demonstrated and generalized.
Comparison of Two Implementations of Scalable Montgomery Coprocessor Embedded in Reconfigurable Hardware
This paper presents a comparison of two possible approaches for the efficient implementation of a scalable Montgomery Modular Multiplication (MM) coprocessor on modern Field Programmable Logic Devices (FPLDs). The first implementation uses data path based on traditionally used redundant carry-save adders, the second one exploits standard carry-propagate adder with fast carry chain logic not yet used in fully scalable designs. Both implementations use large embedded memory blocks available in recent FPLDs. Speed and logic requirements comparisons are performed on the optimized designs. The issues of targeting a design specifically for a FPLD are considered taking into account the underlying architecture imposed by the target FPLD technology. It is shown that carry-save adder is not an optimal building block for constrained scalable MM coprocessor in modern FPLDs.
Scalable Montgomery Multiplication Algorithm
2002
Security in today’s networked world is a rising concern. All private information passed through a network or simply transmitted from a source to a destination, must be encrypted to ensure proper security. This is especially important since there are predictions which indicate that the number of wireless network users will surpass the number of wired network users by the year 2004. There are many algorithms that do this, of which most use modular multiplication as a basic building block, but we need to concentrate on hardware that will support them. Montgomery’s algorithm is used to perform fast modular multiplication with minimal complexity. Due to the various sizes of operands and the modulus used in Montgomery’s multiplication and its applications, we are interested in an architecture that implements the algorithm in a flexible manner that can adapt to the required precision. In order to be worthwhile, we must balance execution time, physical area and cost of production.

