36. Public key accelerator (PKA)

36.1 PKA introduction

PKA (public key accelerator) is intended for the computation of cryptographic public key primitives, specifically those related to RSA, Diffie-Hellmann or ECC (elliptic curve cryptography) over \( GF(p) \) (Galois fields). To achieve high performance at a reasonable cost, these operations are executed in the Montgomery domain.

For a given operation, all needed computations are performed within the accelerator, so no further hardware/software elaboration is needed to process the inputs or the outputs.

When manipulating secrets, the PKA incorporates a protection against side-channel attacks (SCA), including differential power analysis (DPA), certified SESIP and PSA security assurance level 3.

36.2 PKA main features

• • Acceleration of RSA, DH and ECC over \( GF(p) \) operations, based on the Montgomery method for fast modular multiplications. More specifically:
  • – RSA modular exponentiation, RSA chinese remainder theorem (CRT) exponentiation
  • – ECC scalar multiplication, point on curve check, complete addition, double base ladder, projective to affine
  • – ECDSA signature generation and verification
• • Capability to handle operands up to 4160 bits for RSA/DH and 640 bits for ECC
• • When manipulating secrets: protection against side-channel attacks (SCA), including differential power analysis (DPA), certified SESIP and PSA security assurance level 3
  • – Applicable to modular exponentiation, ECC scalar multiplication and ECDSA signature generation
• • Arithmetic and modular operations such as addition, subtraction, multiplication, modular reduction, modular inversion, comparison, and Montgomery multiplication
• • Built-in Montgomery domain inward and outward transformations
• • AMBA AHB slave peripheral, accessible through 32-bit word single accesses only (otherwise an AHB bus error is generated, and write accesses are ignored)

36.3 PKA implementation

The devices have a single instance of the peripheral.

The STM32H523/562/563xx devices use the PKA in limited mode (only ECDSA signature verification is available).

36.4 PKA functional description

36.4.1 PKA block diagram

Figure 338. PKA block diagram

36.4.2 PKA internal signals

Table 350 lists the internal signals available at the PKA level, not necessarily available on product bonding pads.

Table 350. Internal input/output signals

36.4.3 PKA reset and clocks

PKA is clocked on the AHB bus clock. When the PKA peripheral reset signal is released PKA_RAM is cleared automatically, taking 667 clock cycles. During this time the setting of bit EN in PKA_CR register is ignored. Once EN bit is set, refer to Section 36.4.6 for details about PKA initialization sequence.

According to the security policy applied to the device, PKA RAM can also be reset following a tamper event. Refer to Tamper detection and response in the System security section (if applicable to this product).

36.4.4 PKA public key acceleration

Overview

Public key accelerator (PKA) is used to accelerate Rivest, Shamir and Adleman (RSA), Diffie-Hellman (DH) as well as ECC over prime field operations. Supported operand sizes is up to 4160 bits for RSA and DH, and up to 640 bits for ECC.

The PKA supports all non-singular elliptic curves defined over prime fields, that can be described with a short Weierstrass equation \( y^2 = x^3 + ax + b \pmod{p} \) . More information can be found in Section 36.6.1 .

Note: Binary curves, Edwards curves and Curve25519 are not supported by the PKA.

A memory of 5336 bytes (667 words of 64 bits) called PKA RAM is used to provide initial data to the PKA, and to hold the results after computation is completed. Access is done through the PKA AHB interface.

PKA operating modes

The list of operations the PKA can perform is detailed in Table 351 and Table 352 , respectively, for integer arithmetic functions and prime field ( \( F_p \) ) elliptic curve functions.

Table 351. PKA integer arithmetic functions list

Table 352. PKA prime field (Fp) elliptic curve functions list

Each of these operating modes has an associated code that has to be written to the MODE field in the PKA_CR register. If the application selects any value that is not documented below the write to MODE bitfield is ignored, and an operation error (OPERRF) is triggered. When this happens, a new operation must be selected after the error is cleared.

Some operations in Table 351 and Table 352 are indicated as protected. Those operations are used when manipulating secret keys (modular exponentiation for RSA decryption, scalar multiplication and signature for ECC). Those secrets (protected against side channel attacks) and any intermediate values are automatically erased when PKA RAM is cleared at the end of the protected operations (BUSY goes low). They are also protected against side channel attacks.

Caution: For security reason it is very important to select protected modular exponentiation (MODE = 0x3) when performing RSA decryption.

Montgomery space and fast mode operations

For efficiency reason the PKA internally performs modular multiply operations in the Montgomery domain, automatically performing inward and outward transformations.

As Montgomery parameter computation is time consuming the application can decide to use a faster mode of operation, during which the precomputed Montgomery parameter is supplied before starting the operation. Performance improvement is detailed in Section 36.6.2: Computation times .

The only operation using fast mode is modular exponentiation (MODE = 0x02).

36.4.5 Typical applications for PKA

Introduction

The PKA can be used to accelerate a number of public key cryptographic functions. In particular:

• • RSA encryption and decryption
• • RSA key finalization
• • CRT-RSA decryption
• • DSA and ECDSA signature generation and verification
• • DH and ECDH key agreement

Specifications of the above functions are given in following publications:

• • FIPS PUB 186-4, Digital Signature Standard (DSS), July 2013 by NIST
• • PKCS #1, RSA Cryptography Standard, v1.5, v2.1 and v2.2. by RSA Laboratories
• • IEEE1363-2000, IEEE Standard Specifications for Public-Key Cryptography, January 2000
• • ANSI X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), November 2005

The principles of the main functions are described in this section, for a more detailed description refer to the above cited documents.

RSA key pair

For the following RSA operations a public key and a private key information are defined as below:

• • Alice transmits her public key \( (n, e) \) to Bob. Numbers \( n \) and \( e \) are very large positive integers.
• • Alice keeps secret her private key \( d \) , also a very large positive integer. Alternatively this private key can also be represented by a quintuple \( (p, q, dp, dq, qInv) \) .

For more information on the above representations refer to the RSA specification.

RSA encryption/decryption principle

As recommended by the PKCS#1 specification, Bob, to encrypt message \( M \) using Alice's public key \( (n, e) \) must go through the following steps:

1. 1. Compute the encoded message \( EM = ENCODE(M) \) , where \( ENCODE \) is an encoding method.
2. 2. Turn \( EM \) into an integer \( m \) , with \( 0 \leq m < n \) and \( (m, n) \) being coprimes.
3. 3. Compute ciphertext \( c = m^e \bmod n \) .
4. 4. Convert the integer \( c \) into a string ciphertext \( C \) .

Alice, to decrypt ciphertext \( c \) using her private key \( d \) , follows the steps indicated below:

1. 1. Convert the ciphertext \( C \) to an integer ciphertext representative \( c \) .
2. 2. If necessary, retrieve the prime factors \( (p, q) \) using \( (n, e, d) \) information, then compute \( \phi = (p - 1) * (q - 1) \) . Refer to NIST SP800-56B Appendix C for details.
3. 3. Recover plaintext \( m = c^d \bmod n = (m^e)^d \bmod n \) . If the private key is the quintuple \( (p, q, dp, dq, qInv) \) , then plaintext \( m \) is obtained by performing the operations:
   1. a) \( m_1 = c^{dp} \bmod p \)
   2. b) \( m_2 = c^{dq} \bmod q \)
   3. c) \( h = qInv (m_1 - m_2) \bmod p \)
   4. d) \( m = m_2 + h q \)
4. 4. Convert the integer message representative \( m \) to an encoded message EM.
5. 5. Recover message \( M = \text{DECODE}(\text{EM}) \) , where \( \text{DECODE} \) is a decoding method.

Above operations can be accelerated by PKA using Modular exponentiation \( A^e \bmod n \) if the private key is \( d \) , or RSA CRT exponentiation if the private key is the quintuple \( (p, q, dp, dq, qInv) \) .

Note: The decoding operation and the conversion operations between message and integers are specified in PKCS#1 standard.

For the decryption process protected version of modular exponentiation (MODE = 0x3) is strongly recommended for security reason. For encryption process MODE = 0x3 cannot be used, as it requires the knowledge of the private key.

Elliptic curve selection

For following ECC operations curve parameters are defined as below:

• • Curve corresponds to the elliptic curve field agreed among actors (Alice and Bob). Supported curves parameters are summarized in Section 36.6.1: Supported elliptic curves .
• • \( G \) is the chosen elliptic curve base point (also known as generator), with a large prime order \( n \) (that is, \( n \times G = \text{identity element } O \) ).

ECDSA message signature generation

ECDSA (elliptic curve digital signature algorithm) signature generation function principle is the following: Alice, to sign a message \( m \) using her private key integer \( d_A \) , goes through the following steps.

1. 1. Calculate \( e = \text{HASH}(m) \) , where \( \text{HASH} \) is a cryptographic hash function.
2. 2. Let \( z \) be the \( L_n \) leftmost bits of \( e \) , where \( L_n \) is the bit length of the group order \( n \) .
3. 3. Select a cryptographically secure random integer \( k \) where \( 0 < k < n \) .
4. 4. Calculate the curve point \( (x_1, y_1) = k \times G \) .
5. 5. Calculate \( r = x_1 \bmod n \) . If \( r = 0 \) go back to step 3.
6. 6. Calculate \( s = k^{-1} (z + rd_A) \bmod n \) . If \( s = 0 \) go back to step 3.
7. 7. The signature is the pair \( (r, s) \) .

Steps 4 to 7 are accelerated by PKA using:

• • ECDsa sign or
• • All of the operations below:
  • – ECC Fp scalar multiplication \( k \times P \)
  • – Modular reduction \( A \bmod n \)
  • – Modular inversion \( A^{-1} \bmod n \)
  • – Modular addition and Modular and Montgomery multiplication

ECDsa signature verification

ECDsa (elliptic curve digital signature algorithm) signature verification function principle is the following: Bob, to authenticate Alice's signature, must have a copy of her public key curve point \( Q_A \) .

Bob can verify that \( Q_A \) is a valid curve point going through the following steps:

1. 1. check that \( Q_A \) is not equal to the identity element \( O \)
2. 2. check that \( Q_A \) is on the agreed curve
3. 3. check that \( n \times Q_A = O \) .

Then Bob follows the procedure detailed below:

1. 1. verify that \( r \) and \( s \) are integer in \( [1, n-1] \)
2. 2. calculate \( e = \text{HASH}(m) \) , where \( \text{HASH} \) is the agreed cryptographic hash function
3. 3. let \( z \) be the \( L_n \) leftmost bits of \( e \)
4. 4. calculate \( w = s^{-1} \bmod n \)
5. 5. calculate \( u_1 = zw \bmod n \) and \( u_2 = rw \bmod n \)
6. 6. calculate the curve point \( (x_1, y_1) = u_1 \times G + u_2 \times Q_A \)
7. 7. the signature is valid if \( r = x_1 \bmod n \) , it is invalid otherwise.

Steps 4 to 7 are accelerated by PKA using ECDsa verification .

36.4.6 PKA procedure to perform an operation

Enabling/disabling PKA

Setting the EN bit to 1 in PKA_CR register enables the PKA peripheral. The PKA becomes available when INITOK bit is set in PKA_SR. When EN = 0, the PKA peripheral is kept under reset, with PKA memory still accessible by the application through the AHB interface.

Note: When PKA is in the process of clearing its memory EN bit cannot be set.

When setting EN bit in PKA_CR make sure that the value of MODE bitfield corresponds to an authorized PKA operation (see OPERRF in Section 36.4.7).

Clearing EN bit to 0 while a calculation is in progress causes the operation to be aborted. In this case, the content of the PKA memory is not guaranteed, with the exception of the PKA modes 0x03, 0x20 and 0x24. For these operations, the PKA memory is cleared after abort, making the memory unavailable for 667 cycles. During this clearing time only PKA registers can be accessed, with writes to EN bits ignored.

If INITOK bit stays at 0, make sure that the RNG peripheral is clocked and properly initialized, then try to enable PKA again.

Data formats

The format of the input data and the results in the PKA RAM are specified, for each operation, in Section 36.5 .

Executing a PKA operation

Each of the supported PKA operation is executed using the following procedure:

1. 1. Load initial data into the PKA internal RAM, which is located at address offset 0x400.
2. 2. Write in the MODE field of PKA_CR register, specifying the operation which is to be executed and then assert the START bit, also in PKA_CR register.
3. 3. Wait until the PROCENDF bit in the PKA_SR register is set to 1, indicating that the computation is complete.
4. 4. Read the result data from the PKA internal RAM, then clear PROCENDF bit by setting PROCENDFC bit in PKA_CLRFR.

Note: When PKA is busy (BUSY = 1) any access by the application to PKA RAM is ignored, and the flag RAMERRF is set in PKA_SR.

Selecting an illegal or unknown operation in step 2 triggers an OPERRF error, and step 3 (PROCENDF = 1) never happens. See Section 36.4.7 for details.

Using precomputed Montgomery parameters (PKA Fast mode)

As explained in Section 36.4.4 , when computing many operations with the same modulus it can be beneficial for the application to compute only once the corresponding Montgomery parameter (see, for example, Section 36.5.5 ). This is known as “Fast mode”.

To manage the usage of Fast mode it is recommended to follow the procedure described below:

1. 1. Load in PKA RAM the modulus size and value information. Such information is compiled in Section 36.6.1 .
2. 2. Program in PKA_CR register the PKA in Montgomery parameter computation mode (MODE="0x1") then assert the START bit.
3. 3. Wait until the PROCENDF bit in the PKA_SR register is set to 1, then read back from PKA memory the corresponding Montgomery parameter, and then clear PROCENDF bit by setting PROCENDFC bit in PKA_CLRFR.
4. 4. Proceed with the required PKA operation, loading on top of regular input data the Montgomery information R2 mod m. All addresses are indicated in Section 36.5 .

36.4.7 PKA error management

When PKA is used some errors can occur:

• • The access to PKA RAM falls outside the expected range. In this case the address error flag (ADDRERRF) is set in the PKA_SR register.
• • An AHB access to the PKA RAM occurred while the PKA core was using it. In this case the RAM error flag (RAMERRF) is set in the PKA_SR register, reads to PKA RAM return 0, while writes are ignored.
• • The selected operating mode using MODE bitfield is not listed in PKA operating modes (see bitfield description), or PKA is running in limited mode (see LMF bit in PKA_SR). In this case the operation error flag (OPERRF) is set in the PKA_SR register, and write to MODE bitfield is ignored.

For each error flag above PKA generates an interrupt if the application sets the corresponding bit in PKA_CR register (see Section 36.7 for details).

ADDRERRF, OPERRF and RAMERRF errors are cleared by setting the corresponding bit in PKA_CLRFR.

OPERRF error must be cleared using OPERRFC bit in PKA_CLRFR before a new operation is written in PKA_CR register.

Note: The PKA can be re-initialized at any moment by resetting the EN bit in the PKA_CR register.

36.5 PKA operating modes

36.5.1 Introduction

The various operations supported by PKA are described in the following subsections, defining the format of the input data and of the results, both stored in the PKA RAM.

Warning: The validity of all input parameters to the PKA must be checked before starting any operation, as PKA assumes that all of them are valid and consistent with each other. Input parameters must not exceed the operand size specified in the operation tables.

The following information applies to all PKA operations.

• • PKA core processes 64-bit words in its RAM. Hence hereafter all word size is 64-bit
• • When an element is written as input in the PKA RAM, an additional word with all bits equal to zero has to be added after the most significant input word. This rule does not apply if the operand has a fixed size of 1.
• • All reported RAM storage addresses refer to the least significant word of the data, and to obtain the actual address to use application must add to the indicated offset the base address of the PKA.
• • Supported operand “Size” are:
  • – ROS (RSA operand size): data size is \( (\text{rsa\_size} / 64 + 1) \) words, with \( \text{rsa\_size} \) equal to the chosen modulus length in bits. For example, when computing RSA with an operand size of 1024 bits, ROS is equal to 17 words, or 1088 bits.
  • – EOS (ECC operand size): data size is \( (\text{ecc\_size} / 64 + 1) \) words, with \( \text{ecc\_size} \) equal to the chosen prime modulus length in bits. For example, when computing ECC with an operand size of 192 bits, EOS is equal to 4 words, or 256 bits.
  • – ROS and EOS values include the required additional all 0 word.
• • Unless indicated otherwise, all operands in the tables are integers.

Note: Fractional results for above formulas must be rounded up to the nearest integer since PKA core processes 64-bit words.

Note: The maximum ROS is 66 words (4160-bit max exponent size), while the maximum EOS is 11 words (640-bit max operand size).

As a first example (and to better understand the endianness in PKA memory), to prepare the operation ECC Fp scalar multiplication , when the application writes the x coordinate of point

P for an ECC P256 curve (EOS = 5 words), the least significant bit must be placed in bit 0 at address offset 0x578, and the most significant bit in bit 63 at address offset 0x590. Then, as mentioned above, the application must write the empty word 0x0000000000000000 at address offset 0x598.

As a second example, still to prepare the operation ECC Fp scalar multiplication, when the application need to write the information \( a = -3 \) , on a curve with a modulus length of 224 bits (that is, four 64-bit words, rounded up, plus one) following data must be written in PKA memory:

@RAM+410 0x0000000000000001 /* curve coefficient 'a' sign without extra word */
@RAM+418 0x0000000000000011 /* value of |a| LSB
@RAM+420 0x0000000000000000 ...
@RAM+428 0x0000000000000000 ...
@RAM+430 0x0000000000000000 value of |a| MSB */
@RAM+438 0x0000000000000000 /* additional all 0 word */

36.5.2 Montgomery parameter computation

This function is used to compute the Montgomery parameter ( \( R^2 \bmod n \) ) used by PKA to convert operands into the Montgomery residue system representation. This operation can be very useful when fast mode operation is used, because in this case the Montgomery parameter is passed as input, saving the time for its computation.

Note: This operation can also be used with ECC curves. In this case prime modulus length and EOS size must be used.

Operation instructions for Montgomery parameter computation are summarized in Table 353 .

Table 353. Montgomery parameter computation

36.5.3 Modular addition

Modular addition operation consists in the computation of \( A + B \bmod n \) . Operation instructions are summarized in Table 354 .

Table 354. Modular addition

36.5.4 Modular subtraction

Modular subtraction operation consists in the following computations:

• • If \( A \geq B \) result equals \( A - B \bmod n \)
• • If \( A < B \) result equals \( A + n - B \bmod n \)

Operation instructions are summarized in Table 355 .

Table 355. Modular subtraction

36.5.5 Modular and Montgomery multiplication

To be more efficient when performing a sequence of multiplications the PKA accelerates multiplication which has at least one input in the Montgomery domain. The two main uses of this operation are:

• • Map a value from natural domain to Montgomery domain and vice-versa
• • Perform a modular multiplication \( A \times B \bmod n \)

The method to perform above operations are described below. Note that “x” function is this operation, and A, B, C operands are in the natural domain.

1. 1. Inward (or outward) conversion into (or from) Montgomery domain
   1. a) Assuming that A is an integer in the natural domain:
      • – Compute \( r2modn \) using Montgomery parameter computation .
      • – Result \( AR = A \times r2modn \bmod n \) is A in the Montgomery domain.
   2. b) Assuming that BR is an integer in the Montgomery domain:
      • – Result \( B = BR \times 1 \bmod n \) is B in the natural domain.
      • – Similarly, above value AR computed in a) can be converted into the natural domain by computing \( A = AR \times 1 \bmod n \) .
2. 2. Simple modular multiplication \( A \times B \bmod n \)
   1. a) Compute \( r2modn \) using Montgomery parameter computation .
   2. b) Compute \( AR = A \times r2modn \bmod n \) . Output is in the Montgomery domain.
   3. c) Compute \( AB = AR \times B \bmod n \) . Output is in natural domain.
3. 3. Multiple modular multiplication \( A \times B \times C \bmod n \)
   1. a) Compute \( r2modn \) using Montgomery parameter computation .
   2. b) Compute \( AR = A \times r2modn \bmod n \) . Output is in the Montgomery domain.
   3. c) Compute \( BR = B \times r2modn \bmod n \) . Output is in the Montgomery domain.
   4. d) Compute \( ABR = AR \times BR \bmod n \) . Output is in the Montgomery domain.
   5. e) Compute \( CR = C \times r2modn \bmod n \) . Output is in the Montgomery domain.
   6. f) Compute \( ABCR = ABR \times CR \bmod n \) . Output is in the Montgomery domain.
   7. g) (optional) Repeat the two steps above if more operands need to be multiplied.
   8. h) Compute \( ABC = ABCR \times 1 \bmod n \) to retrieve the result in natural domain.

Operation instructions for Montgomery multiplication are summarized in Table 356 .

Table 356. Montgomery multiplication

1. 1. Result in Montgomery domain or in natural domain, depending upon the inputs nature (see examples 2 and 3).

36.5.6 Modular exponentiation

Modular exponentiation operation is commonly used to perform a single-step RSA operation. It consists in the computation of \( A^e \bmod n \) .

RSA operation involving public information (RSA encryption) can use the normal or fast mode detailed on Table 357 and Table 358 . RSA operation involving secret information (RSA decryption) must use the protected mode detailed on Table 359 , for security reason.

Note: Once this operation is started PKA control register and PKA memory is no more available. Access is restored once BUSY bit is set to 0 by the PKA.

When this operation completes with errors due to unexpected hardware events a PKA tamper event is triggered to TAMP peripheral, and access to PKA RAM becomes blocked until erased by hardware.

Note: When MODE = 0x03, the error code is not affected when PKA automatically clears the PKA RAM at the end of this protected operation. When the error output equals 0xD60D, the result output is not affected either.

Operation instructions for modular exponentiation are summarized in Table 357 (normal mode), Table 358 (fast mode) and in Table 359 (protected mode). Fast mode usage is explained in Section 36.4.6 .

Table 357. Modular exponentiation (normal mode)

Table 358. Modular exponentiation (fast mode)

Table 359. Modular exponentiation (protected mode)

1. 1. Euler totient function of \( n^1 \) with \( \phi = (p - 1) * (q - 1) \) , where \( p \) and \( q \) are prime factors of modulus \( n \) (see NIST SP800-56B Appendix C or RSA encryption/decryption principle for details). As optimization it is recommended to keep \( \phi \) information as part of the key pair generation. Alternative is to store the key as \( (p, q, e, d) \) instead of \( (N, e, d, \phi) \) , in this case, to derive \( N \) and \( \phi \) using PKA arithmetic multiplier: \( N = p * q \) , and \( \phi = (p - 1) * (q - 1) \) .

36.5.7 Modular inversion

Modular inversion operation consists in the computation of multiplicative inverse \( A^{-1} \bmod n \) . If the modulus \( n \) is prime, for all values of \( A \) ( \( 1 \leq A < n \) ) modular inversion output is valid. If the modulus \( n \) is not prime, \( A \) has an inverse only if the greatest common divisor between \( A \) and \( n \) is 1.

If the operand \( A \) is a divisor of the modulus \( n \) the result is a multiple of a factor of \( n \) .

Operation instructions for modular inversion are summarized in Table 360 .

Table 360. Modular inversion

36.5.8 Modular reduction

Modular reduction operation consists in the computation of the remainder of \( A \) divided by \( n \) . Operation instructions are summarized in Table 361 .

36.5.9 Arithmetic addition

Arithmetic addition operation consists in the computation of \( A + B \) . Operation instructions are summarized in Table 362 .

36.5.10 Arithmetic subtraction

Arithmetic subtraction operation consists in the following computations:

• • If \( A \geq B \) result equals \( A - B \)
• • If \( A < B \) and \( M/32 \) residue is \( > 0 \) result equals \( A + 2^{\text{int}(M/32)*32+1} - B \)
• • If \( A < B \) and \( M/32 \) residue is \( 0 \) result equals \( A + 2^{\text{int}(M/32)*32} - B \)

For the last two bullets the 32-bit word following the most significant word of the output equals 0xFFFF FFFF, as result is negative.

Operation instructions are summarized in Table 363 .

36.5.11 Arithmetic multiplication

Arithmetic multiplication operation consists in the computation of \( A \times B \) . Operation instructions are summarized in Table 364 .

Table 364. Arithmetic multiplication

36.5.12 Arithmetic comparison

Arithmetic comparison operation consists in the following computation:

• • If \( A = B \) then result = 0xED2C
• • If \( A > B \) then result = 0x7AF8
• • If \( A < B \) then result = 0x916A

Operation instructions for arithmetic comparison are summarized in Table 365 .

Table 365. Arithmetic comparison

36.5.13 RSA CRT exponentiation

For efficiency many popular crypto libraries such as OpenSSL RSA use the following optimization for decryption and signing based on the chinese remainder theorem (CRT):

• • \( p \) and \( q \) are precomputed primes, stored as part of the private key
• • \( d_P = d \bmod (p - 1) \)
• • \( d_Q = d \bmod (q - 1) \) and
• • \( q_{inv} = q^{-1} \bmod p \)

These values allow the recipient to compute the exponentiation \( m = A^d \pmod{pq} \) more efficiently as follows:

• • \( m_1 = A^{d_P} \pmod{p} \)
• • \( m_2 = A^{d_Q} \pmod{q} \)
• • \( h = q_{\text{inv}} (m_1 - m_2) \pmod{p} \) , with \( m_1 > m_2 \)
• • \( m = m_2 + hq \pmod{pq} \)

Operation instructions for computing CRT exponentiation \( A^d \pmod{pq} \) are summarized in Table 366 .

Table 366. CRT exponentiation

1. Must be different from 2.

36.5.14 Point on elliptic curve Fp check

This operation consists in checking whether a given point \( P(x, y) \) satisfies or not the curves over prime fields equation \( y^2 = (x^3 + ax + b) \pmod{p} \) , where \( a \) and \( b \) are elements of the curve.

Operation instructions for point on elliptic curve Fp check are summarized in Table 367 .

Table 367. Point on elliptic curve Fp check

36.5.15 ECC Fp scalar multiplication

This operation consists in the computation of \( k \times P (x_P, y_P) \) , where P is a point on a curve over prime fields and “ x ” is the elliptic curve scalar point multiplication. Result of the computation is a point that belongs to the same curve or a point at infinity.

Operation instructions for ECC Fp scalar multiplication are summarized in Table 368 .

Note: Once this operation is started PKA control register and PKA memory is no more available. Access is restored once BUSY bit is set to 0 by the PKA.

When this operation completes with errors due to unexpected hardware events, a PKA tamper event is triggered to TAMP peripheral, and access to PKA RAM becomes blocked until erased by hardware. PKA tamper is also triggered when the programmed input point is not found on the input ECC curve. PKA operation "Point on elliptic curve" can be used to avoid this.

Table 368. ECC Fp scalar multiplication

Table 368. ECC Fp scalar multiplication (continued)

When performing this operation the following special cases must be noted:

• • For \( k = 0 \) this function returns a point at infinity \( (0, 0) \) if curve parameter \( b \) is nonzero, \( (0, 1) \) otherwise. For \( k \) different from 0 it might happen that a point at infinity is returned. When the application detects this behavior a new computation must be carried out.
• • For \( k < 0 \) (that is, a negative scalar multiplication is required) the multiplier absolute value \( k = |k| \) must be provided to the PKA. After the computation completion, the formula \( -P = (x, -y) \) can be used to compute the y coordinate of the effective final result (the x coordinate remains the same).

Note: The error code is not affected when PKA automatically clears the PKA RAM at the end of this protected operation. When the error output equals 0xD60D, the result output is not affected either.

36.5.16 ECDSA sign

ECDSA signing operation (outlined in Section 36.4.5 ) is summarized in Table 369 (input parameters) and in Table 370 (output parameters).

The application has to check if the output error is equal to 0xD60D, if it is different a new \( k \) must be generated and the ECDSA sign operation must be repeated.

Note: Once this operation is started PKA control register and PKA memory is no more available. Access is restored once BUSY bit is set to 0 by the PKA.

When this operation completes with errors due to unexpected hardware events a PKA tamper event is triggered to TAMP peripheral, and access to PKA RAM becomes blocked until erased by hardware. PKA tamper is also triggered when the programmed input point is not found on the input ECC curve. PKA operation "Point on elliptic curve" can be used to avoid this.

Table 369. ECDSA sign - Inputs

1. 1. This integer is usually a cryptographically secure random number, but in some cases k can be deterministically generated.
2. 2. Padding with zeroes or hash truncation must be used to have the hash parameter size equal to the curve prime order n length.

Table 370. ECDSA sign - Outputs

Note: The error code is not affected when PKA automatically clears the PKA RAM at the end of this protected operation. When the error output equals 0xD60D, the result output is not affected either.

Extended ECDSA support

PKA also supports extended ECDSA signature, for which the inputs and the outputs are the same as ECDSA signature ( Table 369 and Table 370 , respectively), with the addition of the coordinates of the point kG . This extra output is defined in Table 371.

36.5.17 ECDSA verification

ECDSA verification operation (outlined in Section 36.4.5 ) is summarized in Table 372 (input parameters) and Table 373 (output parameters).

The application has to check if the output error is equal to 0xD60D, if different the signature is not verified.

1. 1. Padding with zeroes or hash truncation must be used to have the hash parameter size equal to the curve prime order n length.

Table 373. ECDSA verification - Outputs

36.5.18 ECC complete addition

ECC complete addition computes the addition of two given points on an elliptic curve.

Operation instructions are summarized in Table 374 .

Note: The two input points and the resulting point are represented in Jacobian coordinates (X,Y,Z). To input a point in affine coordinates (x,y) conversion (X,Y,Z) = (x,y,1) can be used. To convert resulting point to Jacobian coordinates conversion (x,y)= (X/Z ² , Y/Z ³ ) can be used.

Table 374. ECC complete addition

36.5.19 ECC double base ladder

ECC double base ladder operation consists in the computation of k*P+m*Q , where (P,Q) are two points on an elliptic curve and (k,m) are two scalars. Operation instructions are summarized in Table 375 .

If the resulting point is the point at infinity (error code 0xA3B7), resulting coordinate equals (0, 0).

Note: The two input points are represented in Jacobian coordinates ( \( X, Y, Z \) ). To input a point in affine coordinates \( (x, y) \) conversion \( (X, Y, Z) = (x, y, 1) \) can be used. The result is represented in affine coordinates \( (x, y) \) .

This operation requires the input point Z coordinate to be equal to 1 (input point represented in affine coordinates).

Table 375. ECC double base ladder

36.5.20 ECC projective to affine

ECC projective to affine operation computes the conversion between the representation of a point P in homogeneous projective coordinates and the representation of the point P in affine coordinates. Namely, if the point is represented by the triple \( (X, Y, Z) \) , it computes the affine coordinates \( (x, y) = (X/Z, Y/Z) \) .

All the operations are performed modulo the modulus \( p \) of the curve, which the point belongs to. If the resulting point is the point at infinity (error code 0xA3B7), resulting coordinate equals (0,0).

Operation instructions are summarized in Table 376 .

Table 376. ECC projective to affine

36.6 Example of configurations and processing times

36.6.1 Supported elliptic curves

The PKA supports all non-singular elliptic curves defined over prime fields. Those curves can be described with a short Weierstrass equation, \( y^2 = x^3 + ax + b \pmod{p} \) .

Note: Binary curves, Edwards curves and Curve25519 are not supported by the PKA. The maximum supported operand size for ECC operations is 640 bits.

When publishing the ECC domain parameters of those elliptic curves, standard bodies define the following parameters:

• the prime integer \( p \) , used as the modulus for all point arithmetic in the finite field \( GF(p) \)
• the (usually prime) integer \( n \) , the order of the group generated by \( G \) , defined below
• the base point of the curve \( G \) , defined by its coordinates \( (G_x, G_y) \)
• the integers \( a \) and \( b \) , coefficients of the short Weierstrass equation.

For the last bullet, when standard bodies define \( a \) as negative, PKA supports two representations:

1. a defined as \( p-|a| \) in the finite field \( GF(p) \) , for example p-3 :
   Curve coefficient \( p = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF} \)
   Curve coefficient \( a \) sign= 0x0 (positive)
   Curve coefficient \( a = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC} \)
2. a defined as negative , for example -3 :
   Curve coefficient \( p = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF} \)
   Curve coefficient \( a \) sign= 0x1 (negative)
   Curve coefficient \( a = \text{0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003} \)

Table 377 summarizes the family of curves supported by PKA for ECC operations.

Table 377. Family of supported curves for ECC operations

36.6.2 Computation times

The following tables summarize the PKA computation times, expressed in AHB clock cycles.

Table 378. Modular exponentiation

1. CRT stands for chinese remainder theorem optimization (MODE bitfield= 0x07).

Table 379. ECC scalar multiplication ⁽¹⁾

1. These times depend on the number of 1s included in the scalar parameter, and include the computation of Montgomery parameter R2.

1. 1. These values are average execution times of random moduli of given length, as they depend upon the length and the value of the modulus.
2. 2. The execution time for the moduli that define the finite field of NIST elliptic curves is shorter than that needed for the moduli used for Brainpool elliptic curves or for random moduli of the same size.

1. 1. The computation times depend upon the length and the value of the modulus, hence these values are average execution times of random moduli of given length.

36.7 PKA interrupts

There are four individual maskable interrupt sources generated by the public key accelerator, signaling the following events:

1. 1. PKA unsupported operation error (OPERRF), see Section 36.4.7
2. 2. Access to unmapped address (ADDRERRF), see Section 36.4.7
3. 3. PKA RAM access while PKA operation is in progress (RAMERRF), see Section 36.4.7
4. 4. PKA end of operation (PROCENDF)

The interrupt sources are connected to the same global interrupt request signal pka_it.

The user can enable or disable above interrupt sources individually by changing the mask bits in the PKA control register (PKA_CR) . Setting the appropriate mask bit to 1 enables the interrupt. The status of the individual interrupt events can be read from the PKA status register (PKA_SR), and it is cleared in PKA_CLRFR register.

Table 387 gives a summary of the available features.

36.8 PKA registers

36.8.1 PKA control register (PKA_CR)

Address offset: 0x00

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRIE : Operation error interrupt enable

0: No interrupt is generated when OPERRF flag is set in PKA_SR.

1: An interrupt is generated when OPERRF flag is set in PKA_SR.

Bit 20 ADDRERRIE : Address error interrupt enable

0: No interrupt is generated when ADDRERRF flag is set in PKA_SR.

1: An interrupt is generated when ADDRERRF flag is set in PKA_SR.

Bit 19 RAMERRIE : RAM error interrupt enable

0: No interrupt is generated when RAMERRF flag is set in PKA_SR.

1: An interrupt is generated when RAMERRF flag is set in PKA_SR.

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDIE : End of operation interrupt enable

0: No interrupt is generated when PROCENDF flag is set in PKA_SR.

1: An interrupt is generated when PROCENDF flag is set in PKA_SR.

Bits 16:14 Reserved, must be kept at reset value.

Bits 13:8 MODE[5:0] : PKA operation code

000000: Montgomery parameter computation then modular exponentiation

000001: Montgomery parameter computation only

000010: Modular exponentiation only (Montgomery parameter must be loaded first)

000011: Modular exponentiation (protected, used when manipulating secrets)

100000: Montgomery parameter computation then ECC scalar multiplication (protected)

100100: ECDSA sign (protected)

100110: ECDSA verification

101000: Point on elliptic curve Fp check

000111: RSA CRT exponentiation

001000: Modular inversion

001001: Arithmetic addition

001010: Arithmetic subtraction

001011: Arithmetic multiplication

001100: Arithmetic comparison

001101: Modular reduction

001110: Modular addition

001111: Modular subtraction

010000: Montgomery multiplication

100011: ECC complete addition

100111: ECC double base ladder

101111: ECC projective to affine

When an operation not listed here is written by the application with EN bit set, OPERRF bit is set in PKA_SR register, and the write to MODE bitfield is ignored. When PKA is configured in limited mode (LMF = 1 in PKA_SR), writing a MODE different from 0x26 with EN bit to 1 triggers OPERRF bit to be set and write to MODE bit is ignored.

Bits 7:2 Reserved, must be kept at reset value.

Bit 1 START : start the operation

Set this bit to start the operation selected by the MODE[5:0] bitfield, using the operands and data already written to the PKA RAM. This bit is always read as 0.

When an illegal operation is selected while START bit is set no operation is started, and OPERRF bit is set in PKA_SR.

Note: START is ignored if PKA is busy.

Bit 0 EN : PKA enable

0: Disable PKA

1: Enable PKA. PKA becomes functional when INITOK is set by hardware in PKA_SR.

When an illegal operation is selected while EN = 1, OPERRF bit is set in PKA_SR. See PKA_CR.MODE bitfield for details.

Note: When EN = 0, PKA RAM can still be accessed by the application.

36.8.2 PKA status register (PKA_SR)

Address offset: 0x04

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRF : Operation error flag

0: No event error

1: An illegal or unknown operation has been selected in PKA_CR register

This bit is cleared using OPERRFC bit in PKA_CLRFR.

Bit 20 ADDRERRF : Address error flag

0: No address error

1: Address access is out of range (unmapped address)

This bit is cleared using ADDRERRFC bit in PKA_CLRFR.

Bit 19 RAMERRF : PKA RAM error flag

0: No PKA RAM access error

1: An AHB access to the PKA RAM occurred while the PKA core was computing and using its internal RAM (AHB PKA_RAM access are not allowed while PKA operation is in progress).

This bit is cleared using RAMERRFC bit in PKA_CLRFR.

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDF : PKA end of operation flag

0: Operation in progress

1: PKA operation is completed. This flag is set when the BUSY bit is deasserted.

Bit 16 BUSY : Busy flag

This bit is set whenever a PKA operation is in progress (START = 1 in PKA_CR). It is automatically cleared when the computation is complete, making PKA RAM accessible again.

0: No operation is in progress (default)

1: An operation is in progress

If PKA is started with a wrong opcode, it stays busy for a couple of cycles, then it aborts automatically the operation and goes back to ready (BUSY = 0).

Bits 15:2 Reserved, must be kept at reset value.

Bit 1 LMF : Limited mode flag

This bit is updated when EN bit in PKA_CR is set

0: All values documented in MODE bitfield can be used.

1: Only ECDSA verification (MODE = 0x26) is supported by the PKA.

Bit 0 INITOK : PKA initialization OK

This bit is asserted when PKA initialization is complete.

0: PKA is not initialized correctly. START bit cannot be set.

1: PKA is initialized correctly and can be used normally.

Note: When RNG is not able to output proper random numbers or when SAES is using the RNG bus, INITOK remains at 0. If it happens, make sure the RNG peripheral is properly clocked and initialized, and the SAES peripheral is clocked with BUSY bit cleared in SAES_SR to release the RNG bus, then enable PKA again.

36.8.3 PKA clear flag register (PKA_CLRFR)

Address offset: 0x08

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRFC : Clear operation error flag

0: No action

1: Clear the OPERRF flag in PKA_SR

Bit 20 ADDRERRFC : Clear address error flag

0: No action

1: Clear the ADDRERRF flag in PKA_SR

Bit 19 RAMERRFC : Clear PKA RAM error flag

0: No action

1: Clear the RAMERRF flag in PKA_SR

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDFC : Clear PKA end of operation flag

0: No action

1: Clear the PROCENDF flag in PKA_SR

Bits 16:0 Reserved, must be kept at reset value.

Note: Reading PKA_CLRFR returns all 0s.

36.8.4 PKA RAM

The PKA RAM is mapped at the offset address of 0x0400 compared to the PKA base address. Only 32-bit word single accesses are supported, through PKA.AHB interface.

RAM size is 5336 bytes (max word offset: 0x14D0)

Note: PKA RAM cannot be used just after a PKA reset or a product reset, as described in Section 36.4.3: PKA reset and clocks .

36.8.5 PKA register map

Table 388. PKA register map and reset values

Refer to Section 2.3: Memory organization for the register boundary addresses.