14. Public key accelerator (PKA)
The public key accelerator is an AHB slave block dedicated to the computation of cryptographic public key primitives related to ECC (elliptic curve cryptography) using a predefined prime modulus and a predefined curve. The PKA core is clocked by the system clock divided by two and the PKA memory is clocked by system clock.
14.1 Features
The main features of the PKA block are:
- • Elliptic curve Diffie-Hellman (ECDH) public-private key pair calculation accelerator
- • Based on the Montgomery method for fast modular multiplications
- • Built-in Montgomery domain inward and outward transformations
- • AMBA AHB lite slave interface with a reduced command set
- • Single port internal memory available for the system when the STM32WB07xC and STM32WB06xC PKA is not using it.
14.2 PKA registers
14.2.1 PKA command and status register (PKA_CSR)
Address offset: 0x00
Reset value: 0x0000 0002
| 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. |
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | SFT_RST | Res. | Res. | Res. | Res. | Res. | READY | GO |
| rw | 1 | rw |
| Bits 31:8 | Reserved, must be kept at zero |
| Bit 7 | SFT_RST : PKA software reset.
Note: When the SFT_RST is set, the access to the PKA registers is not blocked, only the core is under reset. |
| Bits 6:2 | Reserved, must be kept at zero |
| Bit 1 | READY : PKA readiness status.
Caution: If READY bit is high, the PKA cannot be accessed through the AHB interface. |
| Bit 0 | GO : PKA start processing command.
This bit must be written back to zero before the end of the calculation. |
14.2.2 PKA interrupt status register (PKA_ISR)
Address offset: 0x04
Reset value: 0x0000 0000
The PKA_ISR register gives the interrupts status of the PKA block. To clear a pending interrupt, it is necessary to chain two writings in the corresponding bit: write 1'b1 and then 1'b0.
| 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. |
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | ADD_ERR | RAM_ERR | Res. | PROC_END |
| rw | rw | rw |
| Bits 31:4 | Reserved, must be kept at reset value |
| Bit 3 | ADD_ERR: AHB Address error interrupt. When read:
When written: To clear the pending interrupt, the user must write this bit to 1 and clear it just after by writing 0. If the write 0 does not occur, the interrupt is generated on next event towards the CPU if enabled in PKA_IER but the flag is seen at 0 when the interrupt handler reads it in this register (as clear action is still active). |
| Bit 2 | RAM_ERR: RAM read / write access error interrupt. When read:
When written: To clear the pending interrupt, the user must write this bit to 1 and clear it just after by writing 0. If the write 0 does not occur, the interrupt is generated on next event towards the CPU if enabled in PKA_IER but the flag is seen at 0 when the interrupt handler reads it in this register (as clear action is still active). |
| Bit 1 | Reserved, must be kept at reset value |
| Bit 0 | PROC_END: PKA process ending interrupt. When read:
When written: To clear the pending interrupt, the user must write this bit to 1 and clear it just after by writing 0. If the write 0 does not occur, the interrupt is generated on next event towards the CPU if enabled in PKA_IER but the flag is seen at 0 when the interrupt handler reads it in this register (as clear action is still active). |
14.2.3 PKA control register (PKA_IEN)
Address offset: 0x08
Reset value: 0x0000 0000
The PKA_IEN register allows enabling of the PKA interrupts.
| 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. |
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | ADDERR_EN | RAMERR_EN | Res. | READY_EN |
| r/w | r/w | r/w |
| Bits 31:4 | Reserved, must be kept at reset value |
| Bit 3 | ADDERR_EN:
AHB Address error interrupt enable.
|
| Bit 2 | RAMERR_EN:
RAM access error interrupt enable.
|
| Bit 1 | Reserved, must be kept at reset value |
| Bit 0 | READY_EN:
READY interrupt enable.
|
14.2.4 PKA register map
The device communicates to the PKA via 32-bit-wide control registers accessible via the AMBA™ rev. 2.0 “AHB bus.
Refer to Table 3. STM32WB07xC and STM32WB06xC memory map and peripheral register boundary addresses.
Table 39. PKA register map
| Offset | Register | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x0000 | PKA_CSR | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | SFT_RST | Res. | Res. | Res. | Res. | Res. | READY | GO | |
| Reset value | 0 | 1 | 0 | |||||||||||||||||||||||||||||||
| 0x0004 | PKA_ISR | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | ADD_ERR | RAM_ERR | Res. | PROC_END |
| Reset value | 0 | 0 | 0 | |||||||||||||||||||||||||||||||
| 0x0008 | PKA_IEN | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | Res. | ADDERR_EN | RAMERR_EN | Res. | READY_EN |
| Reset value | 0 | 0 | 0 |
14.3 Programmer model
14.3.1 Basic sequence
The typical sequence to use the PKA block is the following:
- 1. Load input data into the PKA internal memory (PKA_RAM).
- 2. Assert the GO command by setting the GO bit in the PKA_CSR register.
- 3. Wait for READY bit setting (by polling READY bit in PKA_CSR register or through PROC_END interrupt).
- 4. Copy back elaboration results from PKA internal memory.
14.3.2 Data location in PKA_RAM
The input and output data have a specific location in PKA_RAM. The locations are specified in Table 40. ECC scalar multiplication data location.
Table 40. ECC scalar multiplication data location
| Parameter description | Mnemonic | Address (decimal) | Size (words) | PKA_RAM offset address |
|---|---|---|---|---|
| Input | ||||
| 'k' of kP | ecc_addr_k | 27 | EOS (1) | 0x6C |
| Initial point P, coordinates X,Y | ecc_addr_px ecc_addr_py | 36 | 2*EOS (1) | 0x90 |
| 45 | 0xB4 | |||
| Output | ||||
| Coordinates X,Y, of the results | ecc_addr_px ecc_addr_py | 36 | 2*EOS (1) | 0x90 |
| 45 | 0xB4 | |||
| Error | ecc_addr_kp_error | 0 | 1 | 0x00 |
- 1. EOS:ECC operand size.
The error field returns one if the input point is not a valid point so does not satisfy the curve equation. In this case the computation is very short. If the error field is zero at the end of the calculation, then the result should be considered as valid. The maximum length of data is calculated with the following formula:
Example 1
If ECC P256 is used, an operand needs \( (256 / 32 + 1) \) words, so 9 words are needed by the PKA core. When loading an input that is represented on 256 bits = 8 words, an additional word is requested and has to be filled with zero.