27. Public key accelerator (PKA)

27.1 PKA introduction

PKA (public key accelerator) is intended for the computation of cryptographic public key primitives, specifically those related to RSA, Diffie-Hellmann or ECC (elliptic curve cryptography) over \( GF(p) \) (Galois fields). To achieve high performance at a reasonable cost, these operations are executed in the Montgomery domain.

For a given operation, the accelerator performs all computations with no further hardware or software elaboration required to process the inputs or the outputs.

For manipulating secrets, the PKA incorporates a protection against side-channel attacks (SCA), including differential power analysis (DPA), required for SESIP and PSA security assurance level 3 target.

27.2 PKA main features

• • Acceleration of RSA, DH and ECC over \( GF(p) \) operations, based on the Montgomery method for fast modular multiplications. More specifically:
  • – RSA modular exponentiation, RSA chinese remainder theorem (CRT) exponentiation
  • – ECC scalar multiplication, point on curve check, complete addition, double base ladder, projective to affine
  • – ECDSA signature generation and verification
• • Capability to handle operands up to 4160 bits for RSA/DH and 640 bits for ECC
• • When manipulating secrets: protection against side-channel attacks (SCA), including differential power analysis (DPA), required for SESIP and PSA security assurance level 3 target.
  • – Applicable to modular exponentiation, ECC scalar multiplication and ECDSA signature generation
• • Arithmetic and modular operations such as addition, subtraction, multiplication, modular reduction, modular inversion, comparison, and Montgomery multiplication
• • Built-in Montgomery domain inward and outward transformations
• • AMBA AHB slave peripheral, accessible through 32-bit word single accesses only (otherwise an AHB bus error is generated, and write accesses are ignored)

27.3 PKA functional description

27.3.1 PKA block diagram

Figure 136. PKA block diagram

27.3.2 PKA internal signals

Table 207 lists the internal signals available at the PKA level, not necessarily available on product bonding pads.

Table 207. Internal input/output signals

27.3.3 PKA reset and clocks

PKA is clocked on the AHB bus clock. When the PKA peripheral reset signal is released PKA_RAM is cleared automatically, taking 667 clock cycles. During this time the setting of bit EN in PKA_CR register is ignored. Once EN bit is set, refer to Section 27.3.6 for details about PKA initialization sequence.

According to the security policy applied to the device, PKA RAM can also be reset following a tamper event. Refer to Tamper detection and response in the System security section (if applicable to this product).

27.3.4 PKA public key acceleration

Overview

Public key accelerator (PKA) is used to accelerate Rivest, Shamir and Adleman (RSA), Diffie-Hellman (DH) as well as ECC over prime field operations. Supported operand sizes is up to 4160 bits for RSA and DH, and up to 640 bits for ECC.

The PKA supports all non-singular elliptic curves defined over prime fields, that can be described with a short Weierstrass equation \( y^2 = x^3 + ax + b \pmod{p} \) . More information can be found in Section 27.5.1 .

Note: Binary curves, Edwards curves and Curve25519 are not supported by the PKA.

A memory of 5336 bytes (667 words of 64 bits) called PKA RAM is used to provide initial data to the PKA, and to hold the results after computation is completed. Access is done through the PKA AHB interface.

PKA operating modes

The list of operations the PKA can perform is detailed in Table 208 and Table 209 , respectively, for integer arithmetic functions and prime field ( \( F_p \) ) elliptic curve functions.

Table 208. PKA integer arithmetic functions list

Table 209. PKA prime field (Fp) elliptic curve functions list

Each of these operating modes has an associated code that has to be written to the MODE[5:0] bitfield in the PKA_CR register. If the application selects any value that is not documented below the write to MODE[5:0] bitfield is ignored, and an operation error (OPERRF) is triggered. When this happens, a new operation must be selected after the error is cleared.

Some operations in Table 208 and Table 209 are indicated as protected. Those operations are used when manipulating secret keys (modular exponentiation for RSA decryption, scalar multiplication and signature for ECC). Those secrets (protected against side channel attacks) and any intermediate values are automatically erased when PKA RAM is cleared at the end of the protected operations (BUSY goes low). They are also protected against side channel attacks.

Caution: For security reason it is very important to select protected modular exponentiation (MODE[5:0] = 0x3) when performing RSA decryption.

Montgomery space and fast mode operations

For efficiency reasons, the PKA internally performs modular multiply operations in the Montgomery domain, automatically performing inward and outward transformations.

As Montgomery parameter computation is time consuming, the application can decide to use a faster mode of operation during which the precomputed Montgomery parameter is supplied before starting the operation. The performance improvement is detailed in Section 27.5.2: Computation times .

The only operation using fast mode is the modular exponentiation (MODE[5:0] = 0x02).

27.3.5 Typical applications for PKA

Introduction

The PKA can be used to accelerate a number of public key cryptographic functions such as:

• • RSA encryption and decryption
• • RSA key finalization
• • CRT-RSA decryption
• • DSA and ECDSA signature generation and verification
• • DH and ECDH key agreement

The following publications specify the listed functions:

• • FIPS PUB 186-4, Digital Signature Standard (DSS), July 2013 by NIST
• • PKCS #1, RSA Cryptography Standard, v1.5, v2.1 and v2.2. by RSA Laboratories
• • IEEE1363-2000, IEEE Standard Specifications for Public-Key Cryptography, January 2000
• • ANSI X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), November 2005

Refer to these documents for full details. This document limits itself to describing principles.

RSA key pair

For the following RSA operations, a public key and a private key information are defined as follows:

• • Alice transmits her public key \( (n, e) \) to Bob. Numbers \( n \) and \( e \) are very large positive integers.
• • Alice keeps secret her private key \( d \) , also a very large positive integer. Alternatively, this private key can also be represented by a quintuple \( (p, q, dp, dq, qInv) \) .

For more information, refer to the RSA specification.

RSA encryption/decryption principle

As recommended by the PKCS#1 specification, Bob, to encrypt message \( M \) using Alice's public key \( (n, e) \) , must go through the following steps:

1. 1. Compute the encoded message \( EM = \text{ENCODE}(M) \) , where ENCODE is an encoding method.
2. 2. Turn \( EM \) into an integer \( m \) , with \( 0 \leq m < n \) and \( (m, n) \) being coprimes.
3. 3. Compute ciphertext \( c = m^e \bmod n \) .
4. 4. Convert the integer \( c \) into a string ciphertext \( C \) .

Alice, to decrypt ciphertext \( c \) using her private key \( d \) , follows the steps indicated below:

1. 1. Convert the ciphertext \( C \) to an integer ciphertext representative \( c \) .
2. 2. If necessary, retrieve the prime factors \( (p, q) \) using \( (n, e, d) \) information, then compute \( \phi = (p - 1) \times (q - 1) \) . Refer to NIST SP800-56B Appendix C for details.
3. 3. Recover plaintext \( m = c^d \bmod n = (m^e)^d \bmod n \) . If the private key is the quintuple \( (p, q, dp, dq, qInv) \) , then plaintext \( m \) is obtained by performing the operations:
   1. a) \( m_1 = c^{dp} \bmod p \)
   2. b) \( m_2 = c^{dq} \bmod q \)
   3. c) \( h = qInv (m_1 - m_2) \bmod p \)
   4. d) \( m = m_2 + h q \)
4. 4. Convert the integer message representative \( m \) to an encoded message EM.
5. 5. Recover message \( M = \text{DECODE}(\text{EM}) \) , where \( \text{DECODE} \) is a decoding method.

To accelerate these operations with the PKA, use Modular exponentiation \( A^e \bmod n \) if the private key is \( d \) , or RSA CRT exponentiation if the private key is the quintuple \( (p, q, dp, dq, qInv) \) .

Note: The decoding operation and the conversion operations between message and integers are specified in PKCS#1 standard.

For the decryption process, the protected version of modular exponentiation (MODE[5:0] = 0x3) is strongly recommended for security reason. For the encryption process, the MODE[5:0] = 0x3 setting cannot be used as it requires the knowledge of the private key.

Elliptic curve selection

For the following ECC operations, the curve parameters are defined as follows:

• • Curve corresponds to the elliptic curve field agreed among actors (Alice and Bob). Supported curves parameters are summarized in Section 27.5.1: Supported elliptic curves .
• • \( G \) is the chosen elliptic curve base point (also known as generator), with a large prime order \( n \) (that is, \( n \times G = \text{identity element } O \) ).

ECDSA message signature generation

This section describes the ECDSA (elliptic curve digital signature algorithm) signature generation function principle.

Alice, to sign a message \( m \) using her private key integer \( d_A \) , goes through the following steps:

1. 1. Calculate \( e = \text{HASH}(m) \) , where \( \text{HASH} \) is a cryptographic hash function.
2. 2. Let \( z \) be the \( L_n \) leftmost bits of \( e \) , where \( L_n \) is the bit length of the group order \( n \) .
3. 3. Select a cryptographically secure random integer \( k \) where \( 0 < k < n \) .
4. 4. Calculate the curve point \( (x_1, y_1) = k \times G \) .
5. 5. Calculate \( r = x_1 \bmod n \) . If \( r = 0 \) go back to step 3.
6. 6. Calculate \( s = k^{-1} (z + r d_A) \bmod n \) . If \( s = 0 \) go back to step 3.
7. 7. The signature is the pair \( (r, s) \) .

The PKA accelerates the steps 4. to 7. by using:

• • ECDsa sign , or
• • All of the following operations:
  • – ECC Fp scalar multiplication \( k \times P \)
  • – Modular reduction \( A \bmod n \)
  • – Modular inversion \( A^{-1} \bmod n \)
  • – Modular addition and Modular and Montgomery multiplication

ECDsa signature verification

This section describes the ECDsa (elliptic curve digital signature algorithm) signature verification function principle.

Bob, to authenticate Alice's signature, must have a copy of her public key curve point \( Q_A \) . Bob can verify that \( Q_A \) is a valid curve point by going through the following steps:

1. 1. Check that \( Q_A \) is not equal to the identity element \( O \)
2. 2. Check that \( Q_A \) is on the agreed curve
3. 3. Check that \( n \times Q_A = O \) .

Then Bob executes the following procedure:

1. 1. Verify that \( r \) and \( s \) are integer in \( [1, n-1] \)
2. 2. Calculate \( e = \text{HASH}(m) \) , where \( \text{HASH} \) is the agreed cryptographic hash function
3. 3. Let \( z \) be the \( L_n \) leftmost bits of \( e \)
4. 4. Calculate \( w = s^{-1} \bmod n \)
5. 5. Calculate \( u_1 = zw \bmod n \) and \( u_2 = rw \bmod n \)
6. 6. Calculate the curve point \( (x_1, y_1) = u_1 \times G + u_2 \times Q_A \)
7. 7. The signature is valid if \( r = x_1 \bmod n \) , it is invalid otherwise.

The PKA accelerates the steps 4. to 7. by using ECDsa verification .

27.3.6 PKA procedure to perform an operation

Enabling/disabling PKA

Setting the EN bit in the PKA_CR register enables the PKA peripheral. The PKA becomes available when the INITOK bit is set in the PKA_SR register. When EN = 0, the PKA peripheral is kept under reset, with its memory still accessible by the application through the AHB interface.

Note: When the PKA is in the process of clearing its memory, the EN bit cannot be set. When setting the EN bit in PKA_CR, make sure that the MODE[5:0] bitfield value corresponds to an authorized PKA operation (see OPERRF in Section 27.3.7).

Clearing the EN bit while a calculation is in progress aborts the operation. In this case, the content of the PKA memory is not guaranteed, with the exception of the PKA modes 0x03, 0x20 and 0x24. For these operations, the PKA memory is cleared after abort, making the memory unavailable for 667 cycles. During this clearing time only the PKA registers can be accessed, with writes to EN bits ignored.

If the INITOK bit stays at 0, make sure that the RNG peripheral is clocked and properly initialized, then try to enable the PKA again.

Data formats

The format of the input data and the results in the PKA RAM are specified, for each operation, in Section 27.4 .

Executing a PKA operation

To execute any of the supported PKA operations, proceed as follows:

1. 1. Load initial data into the PKA internal RAM, which is located at address offset 0x400.
2. 2. Write in the MODE[5:0] bitfield of PKA_CR register, specifying the operation which is to be executed and then assert the START bit, also in PKA_CR register.
3. 3. Wait until the PROCENDF bit in the PKA_SR register is set, indicating that the computation is complete.
4. 4. Read the result data from the PKA internal RAM, then clear PROCENDF bit by setting PROCENDFC bit in PKA_CLRFR.

Note: When PKA is busy (BUSY = 1), any access by the application to PKA RAM is ignored, and the RAMERRF flag is set in PKA_SR.

Selecting an illegal or unknown operation in step 2 triggers an OPERRF error and prevents the PROCENDF flag from being set and the procedure step 3 from being completed. See Section 27.3.7 for details.

Using precomputed Montgomery parameters (PKA fast mode)

As explained in Section 27.3.4 , when computing many operations with the same modulus, it can be beneficial for the application to compute the corresponding Montgomery parameter only once (see, for example, Section 27.4.5 ). This is referred to as fast mode .

To use the PKA peripheral in fast mode, follow this recommended procedure:

1. 1. Load the modulus size and value information into the PKA RAM. Refer to Section 27.5.1 for detail.
2. 2. Configure the PKA_CR register to Montgomery parameter computation mode (MODE[5:0] = 0x1), then assert the START bit.
3. 3. Wait until the PROCENDF bit in the PKA_SR register is set. Then, read the corresponding Montgomery parameter from the PKA memory and clear the PROCENDF bit by setting PROCENDFC in PKA_CLRFR.
4. 4. Continue with the required PKA operation, loading the Montgomery information R2 mod m on top of the regular input data. Relevant addresses are provided in Section 27.4 .

27.3.7 PKA error management

The following error flags in the PKA_SR register are set to indicate errors that may occur when using the PKA:

• • ADDRERRF flags that the access to PKA RAM falls outside the expected range.
• • RAMERRF flags an AHB access to the PKA RAM occurring while the PKA core uses the PKA RAM. While the flag is set, reads from the PKA RAM return 0 and writes are ignored.
• • OPERRF flags that the selected operating mode using MODE[5:0] bitfield is not listed in PKA operating modes (see the bitfield description), or PKA is running in limited mode

(see LMF bit in PKA_SR). While the flag is set, writes to the MODE[5:0] bitfield are ignored.

For each error flag, the PKA generates an interrupt if enabled with the corresponding bit in the PKA_CR register (see Section 27.7 for details).

The ADDRERRF, OPERRF, and RAMERRF error flags are cleared by setting the ADDRERRFC, OPERRFC, and RAMERRFC bit in PKA_CLRFR, respectively. The OPERRF error flag must be cleared before a new operation is initiated via the PKA_CR register.

Note: The PKA can be re-initialized at any moment by clearing the EN bit in the PKA_CR register.

27.4 PKA operating modes

27.4.1 Introduction

The operations supported by the PKA are detailed in the following subsections, which define the format of both input data and results stored in the PKA RAM.

Warning: Before starting any operation, ensure that all input parameters to the PKA are valid and consistent, as the PKA assumes their correctness. Additionally, input parameters must not exceed the operand sizes specified in the operation tables.

The following information applies to all PKA operations:

• • The PKA core processes 64-bit words in its RAM. Accordingly, in the PKA section of this document, 'word' denotes a 64-bit unit.
• • When writing an element as input in the PKA RAM, append an additional 64-bit word of zeros after the most significant word, except when the operand size is fixed at one word.
• • All RAM storage addresses refer to the least significant word of the data. To obtain the actual address, the application must add the base address of the PKA to the indicated offset.
• • Supported operand sizes are:
  • – ROS (RSA operand size) : Data size is calculated as \( (\text{rsa\_size} / 64) + 1 \) words, where rsa_size is the modulus length in bits. For example, a 1024-bit RSA operand corresponds to 17 words (1088 bits).
  • – EOS (ECC operand size) : Data size is \( (\text{ecc\_size} / 64) + 1 \) words, where ecc_size is the prime modulus length in bits. For example, a 192-bit ECC operand corresponds to four words (256 bits).

Note: Both ROS and EOS include the additional zero word.

• • Unless indicated otherwise, all operands in the tables are integers.

Note: Any fractional results in the formulas must be rounded to the nearest integer, as the PKA core processes data in 64-bit words.

Note: The maximum ROS is 66 words (4160-bit maximum exponent size), while the maximum EOS is 11 words (640-bit max operand size).

Example 1: Understanding endianness in PKA memory during ECC Fp scalar multiplication preparation

Write the x-coordinate of point P for an ECC P256 curve (EOS = 5 words) by placing the least significant bit at bit 0 of the word at address offset 0x578, and the most significant bit at bit 63 of the word at address offset 0x590. Then, write a zero word (0x0000000000000000) at address offset 0x598.

Example 2: Writing the curve coefficient 'a' for ECC Fp scalar multiplication

To write the value \( a = -3 \) for a curve with a modulus length of 224 bits (rounded up to five 64-bit words), write the PKA memory with data as in the following table:

Table 210. Example of 'a' curve coefficient for ECC Fp scalar

27.4.2 Montgomery parameter computation

This function is used to compute the Montgomery parameter ( \( R^2 \bmod n \) ) used by the PKA to convert operands into the Montgomery residue system representation. This operation can be very useful for fast mode operation because passing the Montgomery parameter as input saves the time for its computation.

Note: This operation also supports ECC curves when specifying the prime modulus length and EOS size.

The following table summarizes operation instructions for Montgomery parameter computation.

Table 211. Montgomery parameter computation

27.4.3 Modular addition

The following table summarizes operation instructions for modular addition operation that calculates \( A + B \bmod n \) .

Table 212. Modular addition

27.4.4 Modular subtraction

Modular subtraction operation calculates:

• • \( A - B \bmod n \) , when \( A \geq B \)
• • \( A + n - B \bmod n \) , when \( A < B \)

The following table summarizes the operation instructions.

Table 213. Modular subtraction

27.4.5 Modular and Montgomery multiplication

To be more efficient when performing a sequence of multiplications, the PKA accelerates a multiplication that has at least one input in the Montgomery domain. The two main uses of this operation are:

• • Map a value from natural domain to Montgomery domain and vice-versa
• • Perform a modular multiplication \( A \times B \bmod n \)

The method to perform these operations is described next. The \( x \) function is this operation, and the \( A \) , \( B \) , and \( C \) operands are in the natural domain.

1. 1. Inward or outward conversion to or from the Montgomery domain
   1. a) Assuming that \( A \) is an integer in the natural domain:
      • – Compute \( r2modn \) using Montgomery parameter computation .
      • – The result of \( AR = A \times r2modn \bmod n \) is \( A \) in the Montgomery domain.
   2. b) Assuming that \( BR \) is an integer in the Montgomery domain:
      • – The result of \( B = BR \times 1 \bmod n \) is \( B \) in the natural domain.
      • – Similarly, the \( AR \) value computed in a) can be converted into the natural domain by computing \( A = AR \times 1 \bmod n \) .
2. 2. Simple modular multiplication \( A \times B \bmod n \)
   1. a) Compute \( r2modn \) using Montgomery parameter computation .
   2. b) Compute \( AR = A \times r2modn \bmod n \) . The output is in the Montgomery domain.
   3. c) Compute \( AB = AR \times B \bmod n \) . The output is in the natural domain.
3. 3. Multiple modular multiplication \( A \times B \times C \bmod n \)
   1. a) Compute \( r2modn \) using Montgomery parameter computation .
   2. b) Compute \( AR = A \times r2modn \bmod n \) . The output is in the Montgomery domain.
   3. c) Compute \( BR = B \times r2modn \bmod n \) . The output is in the Montgomery domain.
   4. d) Compute \( ABR = AR \times BR \bmod n \) . The output is in the Montgomery domain.
   5. e) Compute \( CR = C \times r2modn \bmod n \) . The output is in the Montgomery domain.
   6. f) Compute \( ABCR = ABR \times CR \bmod n \) . The output is in the Montgomery domain.
   7. g) (optional) Repeat the two previous steps if multiplying with additional operands is required.
   8. h) Compute \( ABC = ABCR \times 1 \bmod n \) to retrieve the result in the natural domain.

The following table summarizes the operation instructions.

Table 214. Montgomery multiplication

1. 1. Result in Montgomery domain or in natural domain, depending upon the inputs nature (see examples 2 and 3).

27.4.6 Modular exponentiation

Modular exponentiation operation is commonly used to perform a single-step RSA operation. It calculates of \( A^e \bmod n \) .

RSA operation involving public information (RSA encryption) can use the normal or fast mode detailed on Table 215 and Table 216 . RSA operation involving secret information (RSA decryption) must use the protected mode detailed on Table 217 , for security reason.

Note: Once this operation is started PKA control register and PKA memory is no more available. Access is restored once BUSY bit is set to 0 by the PKA.

When this operation completes with errors due to unexpected hardware events a PKA tamper event is triggered to TAMP peripheral, and access to PKA RAM becomes blocked until erased by hardware.

Note: When \( MODE[5:0] = 0x03 \) , the error code is not affected when PKA automatically clears the PKA RAM at the end of this protected operation. When the error output equals \( 0xD60D \) , the result output is not affected either.

Operation instructions for modular exponentiation are summarized in Table 215 (normal mode), Table 216 (fast mode), and Table 217 (protected mode). Fast mode usage is explained in Section 27.3.6 .

Table 215. Modular exponentiation (normal mode)

Table 216. Modular exponentiation (fast mode)

1. 1. Euler totient function of \( n^1 \) with \( \phi = (p - 1) \times (q - 1) \) , where \( p \) and \( q \) are prime factors of modulus \( n \) (see NIST SP800-56B Appendix C or RSA encryption/decryption principle for details). As optimization it is recommended to keep \( \phi \) information as part of the key pair generation. Alternative is to store the key as \( (p, q, e, d) \) instead of \( (N, e, d, \phi) \) , in this case, to derive \( N \) and \( \phi \) using PKA arithmetic multiplier: \( N = p \times q \) , and \( \phi = (p - 1) \times (q - 1) \) .

27.4.7 Modular inversion

The modular inversion operation calculates multiplicative inverse \( A^{-1} \bmod n \) . If the modulus \( n \) is prime, for all values of \( A \) ( \( 1 \leq A < n \) ) modular inversion output is valid. If the modulus \( n \) is not prime, \( A \) has an inverse only if the greatest common divisor between \( A \) and \( n \) is 1.

If the operand \( A \) is a divisor of the modulus \( n \) the result is a multiple of a factor of \( n \) .

The following table summarizes the operation instructions.

27.4.8 Modular reduction

The modular reduction operation calculates the remainder of \( A \) divided by \( n \) .

The following table summarizes the operation instructions.

Table 219. Modular reduction

27.4.9 Arithmetic addition

The arithmetic addition operation calculates \( A + B \) .

The following table summarizes the operation instructions.

Table 220. Arithmetic addition

27.4.10 Arithmetic subtraction

The arithmetic subtraction operation calculates:

• • \( A - B \) , when \( A \geq B \)
• • \( A + 2^{\text{int}(M/32) \times 32 + 1} - B \) , when \( A < B \) and the residue of \( M/32 \) is greater than zero
• • \( A + 2^{\text{int}(M/32) \times 32} - B \) , when \( A < B \) and the residue of \( M/32 \) is zero

For the last two list items, the 32-bit word following the most significant word of the output is 0xFFFF FFFF, as the result is negative.

The following table summarizes the operation instructions.

Table 221. Arithmetic subtraction

27.4.11 Arithmetic multiplication

The arithmetic multiplication operation calculates \( A \times B \) .

The following table summarizes the operation instructions.

Table 222. Arithmetic multiplication

27.4.12 Arithmetic comparison

The arithmetic comparison operation yields the following results:

• • 0xED2C , when \( A = B \)
• • 0x7AF8 , when \( A > B \)
• • 0x916A , when \( A < B \)

The following table summarizes the operation instructions.

Table 223. Arithmetic comparison

27.4.13 RSA CRT exponentiation

For efficiency many popular crypto libraries such as OpenSSL RSA use the following optimization for decryption and signing based on the Chinese remainder theorem (CRT):

• • \( p \) and \( q \) are precomputed primes, stored as part of the private key
• • \( d_p = d \bmod (p - 1) \)
• • \( d_q = d \bmod (q - 1) \) and
• • \( q_{inv} = q^{-1} \bmod p \)

These values allow the recipient to compute the exponentiation \( m = A^d \pmod{pq} \) more efficiently as follows:

• • \( m_1 = A^{d_P} \pmod{p} \)
• • \( m_2 = A^{d_Q} \pmod{q} \)
• • \( h = q_{inv} (m_1 - m_2) \pmod{p} \) , with \( m_1 > m_2 \)
• • \( m = m_2 + hq \pmod{pq} \)

Operation instructions for computing CRT exponentiation \( A^d \pmod{pq} \) are summarized in Table 224 .

Table 224. CRT exponentiation

1. Must be different from 2.

27.4.14 Point on elliptic curve Fp check

This operation checks whether a given point \( P(x, y) \) satisfies or not the curves over prime fields equation \( y^2 = (x^3 + ax + b) \pmod{p} \) , where \( a \) and \( b \) are elements of the curve.

The following table summarizes the operation instructions.

27.4.15 ECC \( F_p \) scalar multiplication

This operation calculates \( k \times P(x_P, y_P) \) , where \( P \) is a point on a curve over prime fields and \( x \) is the elliptic curve scalar point multiplication. The result is a point that belongs to the same curve or a point at infinity.

Note: Once this operation is started PKA control register and PKA memory is no more available. Access is restored once BUSY bit is set to 0 by the PKA.

When this operation completes with errors due to unexpected hardware events, a PKA tamper event is triggered to TAMP peripheral, and access to PKA RAM becomes blocked until erased by hardware. PKA tamper is also triggered when the programmed input point is not found on the input ECC curve. PKA operation point on elliptic curve can be used to avoid this.

The following table summarizes the operation instructions.

Table 226. ECC Fp scalar multiplication (continued)

When performing this operation the following special cases must be noted:

• • For \( k = 0 \) this function returns a point at infinity \( (0, 0) \) if curve parameter \( b \) is nonzero, \( (0, 1) \) otherwise. For \( k \) different from 0 it might happen that a point at infinity is returned. When the application detects this behavior, a new computation must be carried out.
• • For \( k < 0 \) (that is, a negative scalar multiplication is required) the multiplier absolute value \( k = |k| \) must be provided to the PKA. After the computation completion, the formula \( P = (x, -y) \) can be used to compute the \( y \) coordinate of the effective final result (the \( x \) coordinate remains the same).

Note: The error code is not affected when PKA automatically clears the PKA RAM at the end of this protected operation. When the error output equals 0xD60D, the result output is not affected either.

27.4.16 ECDSA sign

Table 227 (input parameters) and Table 228 (output parameters) summarize the ECDSA signing operation.

Upon an output error different from 0xD60D, the application must generate a new \( k \) and repeat the ECDSA sign operation.

Note: As long as this operation is ongoing (BUSY = 1), the PKA control register and the PKA memory are not accessible. The access is restored when the PKA clears the BUSY bit.

The operation completion with errors due to unexpected hardware events triggers a PKA tamper event in the TAMP peripheral and blocks access to the PKA RAM until the hardware erases the event. Missing programmed input point on the input ECC curve also triggers a PKA tamper event. The use of the point on elliptic curve PKA operation prevents this.

Table 227. ECDSA sign - Inputs

1. 1. This integer is usually a cryptographically secure random number, but in some cases \( k \) can be deterministically generated.
2. 2. To match the hash parameter size to the length of the curve prime order \( n \) , pad the result with zeros or use the hash truncation.

Table 228. ECDSA sign - Outputs

Note: The error code is not affected when the PKA automatically clears the PKA RAM at the end of this protected operation. The error output 0xD60D does not affect the result output either.

Extended ECDSA support

The PKA also supports the extended ECDSA signature, which accepts the same inputs as the standard ECDSA signature (see Table 227 ) and produces similar outputs (see Table 228 ), with the addition of the point \( kG \) coordinates. The following table defines these additional outputs.

27.4.17 ECDSA verification

Table 230 (input parameters) and Table 231 (output parameters) summarize the ECDSA verification operation.

Upon an output error different from 0xD60D, the signature is not verified.

1. 1. To match the hash parameter size to the length of the curve prime order \( n \) , pad the result with zeros or use the hash truncation.

27.4.18 ECC complete addition

The ECC complete addition operation calculates the sum of two points on an elliptic curve. Operation instructions are summarized in Table 232 .

Note: The two input points and the resulting point are represented in Jacobian coordinates (X, Y, Z). To input a point in affine coordinates (x, y) conversion \( (X, Y, Z) = (x, y, 1) \) can be used. To convert resulting point to Jacobian coordinates conversion \( (x, y) = (X / Z^2, Y / Z^3) \) can be used.

27.4.19 ECC double base ladder

ECC double base ladder operation consists in the computation of \( k \times P + m \times Q \) , where \( (P, Q) \) are two points on an elliptic curve and \( (k, m) \) are two scalars. Operation instructions are summarized in Table 233 .

If the resulting point is the point at infinity (error code 0xA3B7), the resulting coordinate equals to (0, 0).

Note: The two input points are represented in Jacobian coordinates ( \( X, Y, Z \) ). To input a point in affine coordinates ( \( x, y \) ) conversion ( \( X, Y, Z \) ) = ( \( x, y, 1 \) ) can be used. The result is represented in affine coordinates ( \( x, y \) ).

This operation requires the input point Z coordinate to be equal to 1 (input point represented in affine coordinates).

Table 233. ECC double base ladder

27.4.20 ECC projective to affine

ECC projective to affine operation calculates the conversion between the representation of a point \( P \) in homogeneous projective coordinates and the representation of the point \( P \) in affine coordinates. Namely, if the point is represented by the triple ( \( X, Y, Z \) ), it calculates the affine coordinates \( (x, y) = (X/Z, Y/Z) \) .

All the operations are performed modulo the modulus \( p \) of the curve, which the point belongs to. If the resulting point is the point at infinity (error code 0xA3B7), resulting coordinate equals (0,0).

Operation instructions are summarized in Table 234 .

Table 234. ECC projective to affine

27.5 Example of configurations and processing times

27.5.1 Supported elliptic curves

The PKA supports all non-singular elliptic curves defined over prime fields. Those curves can be described with a short Weierstrass equation, \( y^2 = x^3 + ax + b \pmod{p} \) .

Note: Binary curves, Edwards curves and Curve25519 are not supported by the PKA. The maximum supported operand size for ECC operations is 640 bits.

When publishing the ECC domain parameters of those elliptic curves, standard bodies define the following parameters:

• the prime integer \( p \) , used as the modulus for all point arithmetic in the finite field \( GF(p) \)
• the (usually prime) integer \( n \) , the order of the group generated by \( G \) , defined below
• the base point of the curve \( G \) , defined by its coordinates ( \( G_x, G_y \) )
• the integers \( a \) and \( b \) , coefficients of the short Weierstrass equation.

For the last bullet, when standard bodies define \( a \) as negative, PKA supports two representations:

1. a defined as \( p-|a| \) in the finite field \( GF(p) \) , for example \( p-3 \) :
   Curve coefficient \( p = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF} \)
   Curve coefficient \( a \) sign= 0x0 (positive)
   Curve coefficient \( a = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC} \)
2. a defined as negative , for example -3 :
   Curve coefficient \( p = \text{0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF} \)
   Curve coefficient \( a \) sign= 0x1 (negative)
   Curve coefficient \( a = \text{0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003} \)

Table 235 summarizes the family of curves supported by PKA for ECC operations.

Table 235. Family of supported curves for ECC operations

27.5.2 Computation times

The following tables summarize the PKA computation times, expressed in AHB clock cycles.

Table 236. Modular exponentiation

1. CRT stands for chinese remainder theorem optimization (MODE[5:0] bitfield= 0x07).

Table 237. ECC scalar multiplication ⁽¹⁾

1. These times depend on the number of 1s included in the scalar parameter, and include the computation of Montgomery parameter R2.

1. 1. These values are average execution times of random moduli of given length, as they depend upon the length and the value of the modulus.
2. 2. The execution time for the moduli that define the finite field of NIST elliptic curves is shorter than that needed for the moduli used for Brainpool elliptic curves or for random moduli of the same size.

1. 1. The computation times depend upon the length and the value of the modulus, hence these values are average execution times of random moduli of given length.

27.6 PKA in low-power modes

27.7 PKA interrupts

There are four individual maskable interrupt sources generated by the public key accelerator, signaling the following events:

1. 1. PKA unsupported operation error (OPERRF), see Section 27.3.7
2. 2. Access to unmapped address (ADDRERRF), see Section 27.3.7
3. 3. PKA RAM access while PKA operation is in progress (RAMERRF), see Section 27.3.7
4. 4. PKA end of operation (PROCENDF)

The interrupt sources are connected to the same global interrupt request signal pka_it.

The user can enable or disable above interrupt sources individually by changing the mask bits in the PKA control register (PKA_CR) . Setting the appropriate mask bit to 1 enables the interrupt. The status of the individual interrupt events can be read from the PKA status register (PKA_SR), and it is cleared in PKA_CLRFR register.

Table 246 gives a summary of the available features.

27.8 PKA registers

27.8.1 PKA control register (PKA_CR)

Address offset: 0x00

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRIE : Operation error interrupt enable

0: No interrupt is generated when OPERRF flag is set in PKA_SR.

1: An interrupt is generated when OPERRF flag is set in PKA_SR.

Bit 20 ADDRERRIE : Address error interrupt enable

0: No interrupt is generated when ADDRERRF flag is set in PKA_SR.

1: An interrupt is generated when ADDRERRF flag is set in PKA_SR.

Bit 19 RAMERRIE : RAM error interrupt enable

0: No interrupt is generated when RAMERRF flag is set in PKA_SR.

1: An interrupt is generated when RAMERRF flag is set in PKA_SR.

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDIE : End of operation interrupt enable

0: No interrupt is generated when PROCENDF flag is set in PKA_SR.

1: An interrupt is generated when PROCENDF flag is set in PKA_SR.

Bits 16:14 Reserved, must be kept at reset value.

Bits 13:8 MODE[5:0] : PKA operation code

• 000000: Montgomery parameter computation then modular exponentiation
• 000001: Montgomery parameter computation only
• 000010: Modular exponentiation only (Montgomery parameter must be loaded first)
• 000011: Modular exponentiation (protected, used when manipulating secrets)
• 100000: Montgomery parameter computation then ECC scalar multiplication (protected)
• 100100: ECDSA sign (protected)
• 100110: ECDSA verification
• 101000: Point on elliptic curve Fp check
• 000111: RSA CRT exponentiation
• 001000: Modular inversion
• 001001: Arithmetic addition
• 001010: Arithmetic subtraction
• 001011: Arithmetic multiplication
• 001100: Arithmetic comparison
• 001101: Modular reduction
• 001110: Modular addition
• 001111: Modular subtraction
• 010000: Montgomery multiplication
• 100011: ECC complete addition
• 100111: ECC double base ladder
• 101111: ECC projective to affine

When an operation not listed here is written by the application with EN bit set, OPERRF bit is set in PKA_SR register, and the write to MODE[5:0] bitfield is ignored. When PKA is configured in limited mode (LMF = 1 in PKA_SR), writing a MODE[5:0] different from 0x26 with EN bit to 1 triggers OPERRF bit to be set and write to MODE[5:0] bit is ignored.

Bits 7:2 Reserved, must be kept at reset value.

Bit 1 START : start the operation

Set this bit to start the operation selected by the MODE[5:0] bitfield, using the operands and data already written to the PKA RAM. This bit is always read as 0.

When an illegal operation is selected while START bit is set no operation is started, and OPERRF bit is set in PKA_SR.

Note: START is ignored if PKA is busy.

Bit 0 EN : PKA enable

0: Disable PKA

1: Enable PKA; PKA becomes functional when INITOK is set by hardware in PKA_SR.

When an illegal operation is selected while EN = 1, OPERRF bit is set in PKA_SR. See PKA_CR.MODE[5:0] bitfield for details.

Note: When EN = 0, PKA RAM can still be accessed by the application.

27.8.2 PKA status register (PKA_SR)

Address offset: 0x04

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRF : Operation error flag

0: No event error

1: An illegal or unknown operation has been selected in PKA_CR register

This bit is cleared using OPERRFC bit in PKA_CLRFR.

Bit 20 ADDRERRF : Address error flag

0: No address error

1: Address access is out of range (unmapped address)

This bit is cleared using ADDRERRFC bit in PKA_CLRFR.

Bit 19 RAMERRF : PKA RAM error flag

0: No PKA RAM access error

1: An AHB access to the PKA RAM occurred while the PKA core was computing and using its internal RAM (AHB PKA_RAM access are not allowed while PKA operation is in progress).

This bit is cleared using RAMERRFC bit in PKA_CLRFR.

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDF : PKA end of operation flag

0: Operation in progress

1: PKA operation is completed. This flag is set when the BUSY bit is deasserted.

Bit 16 BUSY : Busy flag

This bit is set whenever a PKA operation is in progress (START = 1 in PKA_CR). It is automatically cleared when the computation is complete, making PKA RAM accessible again.

0: No operation is in progress (default)

1: An operation is in progress

If PKA is started with a wrong opcode, it stays busy for a couple of cycles, then it aborts automatically the operation and goes back to ready (BUSY = 0).

Bits 15:2 Reserved, must be kept at reset value.

Bit 1 LMF : Limited mode flag

This bit is updated when EN bit in PKA_CR is set

0: All values documented in MODE[5:0] bitfield can be used.

1: Only ECDSA verification (MODE[5:0] = 0x26) is supported by the PKA.

Bit 0 INITOK : PKA initialization OK

This bit is asserted when PKA initialization is complete.

0: PKA is not initialized correctly. START bit cannot be set.

1: PKA is initialized correctly and can be used normally.

When RNG is not able to output proper random numbers or when SAES is using the RNG bus, INITOK remains at 0. If it happens, make sure the RNG peripheral is properly clocked and initialized, and the SAES peripheral is clocked with BUSY bit cleared in SAES_SR to release the RNG bus, then enable PKA again.

27.8.3 PKA clear flag register (PKA_CLRFR)

Address offset: 0x08

Reset value: 0x0000 0000

Bits 31:22 Reserved, must be kept at reset value.

Bit 21 OPERRFC : Clear operation error flag

0: No action

1: Clear the OPERRF flag in PKA_SR

Bit 20 ADDRERRFC : Clear address error flag

0: No action

1: Clear the ADDRERRF flag in PKA_SR

Bit 19 RAMERRFC : Clear PKA RAM error flag

0: No action

1: Clear the RAMERRF flag in PKA_SR

Bit 18 Reserved, must be kept at reset value.

Bit 17 PROCENDFC : Clear PKA end of operation flag

0: No action

1: Clear the PROCENDF flag in PKA_SR

Bits 16:0 Reserved, must be kept at reset value.

Note: Reading PKA_CLRFR returns all 0s.

27.8.4 PKA RAM

The PKA RAM is mapped at the offset address of 0x0400 compared to the PKA base address. Only 32-bit word single accesses are supported, through PKA.AHB interface.

RAM size is 5336 bytes (max word offset: 0x14D0)

Note: PKA RAM cannot be used just after a PKA reset or a product reset, as described in Section 27.3.3: PKA reset and clocks .

27.8.5 PKA register map

Table 247. PKA register map and reset values

Refer to Section 2.3: Memory organization for the register boundary addresses.