Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lab Session 2 Design of Elliptic Curve Cryptosystem

Published byAnis Winifred Booth Modified over 9 years ago

Similar presentations

Presentation on theme: "Lab Session 2 Design of Elliptic Curve Cryptosystem"— Presentation transcript:

1 Lab Session 2 Design of Elliptic Curve Cryptosystem
© Dept. of Computer Sc. and Engg, IIT Kharagpur Lab Session 2 Design of Elliptic Curve Cryptosystem Debdeep Mukhopadhyay Chester Rebeiro Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA 23-27 May 2011, Anurag Labs, DRDO

2 The Processor Overview
Register Bank: regbank.v (stores temporary data) ROM: stores the curve constant ‘b’ and the base points. Arithmetic Unit: ec_alu.v (performs the underlying field computations) Control Unit: smul.v (sequences the field computations for performing the point operations)

3 Register Bank Heart of the register file is 8 registers of size 233 bits. Organized as 3 banks:RA, RB, RC Dual port Distributed RAMs of the Xilinx FPGAs Asynchronous Read Synchronous Write we: write enable signal Inputs: C0, C1, Qout Outputs: A0, A1, A2, A3 and Qin

4 Module regbank.v assign qin = (cwh[21] == 1'b1) ? a1 : a2;
assign rb1_addr1 = {3'b0, cwh[0]}; assign rb1_addr2 = {3'b0, cwh[1]}; assign rb2_addr1 = {2'b0, cwh[4:3]}; assign rb2_addr2 = {2'b0, cwh[6:5]}; assign rb3_addr1 = {3'b0, cwh[8]}; assign rb3_addr2 = {3'b0, cwh[9]}; /* a0 to a3 are fed to the ALU */ assign a0 = (cwh[11] == 1'b0) ? rb1_dout1 : rb2_dout2; assign a2 = (cwh[12] == 1'b0) ? rb2_dout1 : rb1_dout2; assign a1 = (cwh[13] == 1'b0) ? rb3_dout1 : rb2_dout2; assign a3 = rb3_dout2; /* Select what get written into RAM */ assign rb1_we = cwh[2]; assign rb1_din = (cwh[22] == 1'b1) ? c0: ((cwh[14] == 1'b0) ? c0 : c1); assign rb2_we = cwh[7]; assign rb2_din = (cwh[22] == 1'b1) ? c1: ((cwh[15] == 1'b0) ? c0 : c1); assign rb3_we = cwh[10]; assign rb3_din = (cwh[22] == 1'b1) ? 233'h1 : (cwh[20] == 1'b1) ? qout: c0; endmodule module regbank(clk, cwh, c0, c1, a0, a1, a2, a3); input wire clk; input wire [22:0] cwh; /* control word */ input wire [232:0] c0, c1; /* Inputs to regbank from ALU */ output wire [232:0] a0, a1, a2, a3; /* Output from regbank to ALU */ wire rb1_we; wire [3:0] rb1_addr1, rb2_addr1, rb3_addr1; wire [3:0] rb1_addr2, rb2_addr2, rb3_addr2; wire [232:0] rb1_din, rb2_din, rb3_din; wire [232:0] rb1_dout1, rb2_dout1, rb3_dout1; wire [232:0] rb1_dout2, rb2_dout2, rb3_dout2; wire [232:0] qin, qout; /* Instances of distributed memory */ XC3S_RAM16X233 regbank1(rb1_din, rb1_addr1, rb1_addr2, rb1_we, clk, rb1_dout1, rb1_dout2); XC3S_RAM16X233_regbank2(rb2_din, rb2_addr1, rb2_addr2, rb2_we, clk, rb2_dout1, rb2_dout2); XC3S_RAM16X233_D regbank3(rb3_din, rb3_addr1, rb3_addr2, rb3_we, clk, rb3_dout1, rb3_dout2); /* Quadblock instance */ bquadblk bqb(cwh[20], qin, cwh[19:16], qout);

5 The ALU for the ECC Processor
The computation of the AU has 2 phases: Point addition and doubling Inversion The AU consists of: Hybrid Karatsuba Multiplier (used at all time steps) Quad block (used in phase 2 for the final invesion) The Quadblock has 14 cascade steps (as described before) and computes the quading operation repeatedly (as per the value of c[29…26] The AU performs: point operations (doubling and addition) in Lopez Dahab Projective co-ordinates efficiently. Inversion (from projective co-ordinates) to affine co-ordinates. The AU has 5 inputs (the outputs of the regbank) and 3 outputs (the inputs of the regbank).

6 The verilog code for ALU
module ec_alu(cw, a0, a1, a2, a3, c0, c1); input wire [232:0] a0, a1, a2, a3; /* the inputs to the alu */ input wire [9:0] cw; /* the control word */ output wire [232:0] c0, c1; /* the alu outputs */ /* Temporary results */ wire [232:0] a0sq, a0qu; wire [232:0] a1sq, a1qu; wire [232:0] a2sq, a2qu; wire [232:0] sa2, sa4, sa5, sa7, sa8, sa8_1; wire [232:0] sc1; wire [232:0] sd2, sd2_1; /* Multiplier inputs and output */ wire [232:0] minA, minB, mout; multiplier mul(minA, minB, mout); squarer sq1_p0(a0, a0sq); squarer sq_p1(a1, a1sq); squarer sq_p2(a2, a2sq); squarer sq2_p2(a2sq, a2qu); squarer sq2_p1(a1sq, a1qu); squarer sq2_p3(a0sq, a0qu); /* Choose the inputs to the Multiplier */ mux muxA(a0, a0sq, a2, sa7, sd2, a1, a1qu, 233'd0, cw[2:0], minA); mux muxB(a1, a1sq, sa4, sa8, sd2_1, a3, a2qu,a1qu, cw[5:3], minB); /* Choose the outputs of the ALU */ mux muxC(mout, sa2, a1sq, sc1, cw[7:6], c0); mux muxD(sa8_1, sa5, a1qu, sd2, cw[9:8], c1); assign sa2 = mout ^ a2; assign sa4 = a1sq ^ a2; assign sa5 = mout ^ a2sq ^ a0; assign sa7 = a0 ^ a2; assign sa8 = a1 ^ a3; assign sa8_1 = mout ^ a0; assign sc1 = mout ^ a3; assign sd2 = a0qu ^ a1; assign sd2_1 = a2sq ^ a3 ^ a1; endmodule

7 Control Unit The CU is hardwired.
It generates 33 control signals, which determine the flow of data. c[0…9]: controls the input to the multiplier and the output C0 and C1 of the AU c[26…29]: select line of the multiplexers inside the quad block Remaining control lines are for read and write of the registers in the register file

8 Projective Point Arithmetic
Point Doubling: Input : (X1,Y1,Z1), Output: (X4, Y4, Z4) Constraint: One multiplier Can perform one multiplication per clock cycle Hence needs four time steps

9 Projective Point Doubling Sequencing

10 Projective Point Addition
Input : P=(X1,Y1,Z1), Q=(x2,y2) Output: (X3, Y3, Z3) Constraint: One multiplier Can perform one multiplication per clock cycle Hence needs eight time steps

11 Projective Point Addition Sequencing

12 The State Machine for the CU

13 Design of the CU

14 The verilog code for the CU
/* Output Logic */ begin case(state) 6'd0: begin cwl <= 10'h000; /* Init L2R Step 1 */ cwh <= 23'h4x8484; end 6'd1: begin cwl <= 10'h000; cwh <= 23'h4x808D; /* Init L2R Step 2 */ 6'd2: begin cwl <= 10'hx; /* Init L2R Step 3 */ cwh <= 23'h4xx098; /* The Doubling*/ 6'd3: begin /* Double Step 1 */ cwl <= 10'h209; cwh <= 23'h0x8490; 6'd4: begin /* Double Step 1a */ cwl <= 10'h002; cwh <= 23'h0x20F0; 6'd5: begin /* Double Step 2 */ cwl <= 10'h324; cwh <= 23'h0x6544; 6'd6: begin /* Double Step 3 */ cwl <= 10'hxC0; cwh <= 23'h0x0ac0; /* The Addition States */ 6'd7: begin /* Addition Step 1 */ cwl <= 10'h048; cwh <= 23'h0x08a0; end 6'd8: begin /* Addition Step 2 */ cwl <= 10'h002; cwh <= 23'h0x5006; 6'd9: begin /* Addition Step 3 */ cwl <= 10'h028; cwh <= 23'h0x0090; 6'd10: begin /* Addition Step 4 */ cwl <= 10'h011; cwh <= 23'h0x0214; 6'd11: begin /* Addition Step 5 */ cwl <= 10'h102; cwh <= 23'h0x6544; 6'd12: begin /* Addition Step 6 */ cwl <= 10'h08A; cwh <= 23'h0xB4D2; 6'd13: begin /* Addition Step 7 */ cwl <= 10'h00B; cwh <= 23'h0x18A2; 6'd14: begin /* Addition Step 8 */ cwl <= 10'h058; cwh <= 23'h0x0ac0;

15 The final Inversion Step

16 The verilog snippet /* The final Inverse : Starting the Itoh Tsujii here*/ 6'd15: begin /* Inv 1 */ cwl <= 10'hx0D; cwh <= 23'h0x04x0; /* The first a=a^3 */ end 6'd16: begin /* Inv 2 */ cwl <= 10'hx06; cwh <= 23'h0x0090; 6'd17: begin /* Inv 3 */ cwl <= 10'hx35; 6'd18: begin /* Inv 4-1 */ cwl <= 10'hx; cwh <= 23'h130510; 6'd19: begin /* Inv 4-2 */ cwl <= 10'hx02; cwh <= 23'h0x0190; 6'd20: begin /* Inv 5 */ 6'd21: begin /* Inv 6-1 */ cwl <= 10'hx; cwh <= 23'h170510; end 6'd22: begin /* Inv 6-2 */ cwl <= 10'hx02; cwh <= 23'h0x0190; 6'd23: begin /* Inv 7-1 */ cwh <= 23'h1E0510; 6'd24: begin /* Inv 7-2 */ 6'd25: begin /* Inv 8 */ cwl <= 10'hx35; cwh <= 23'h0x0090; 6'd26: begin /* Inv 9-1 */ 6'd27: begin /* Inv 9-2 */ cwh <= 23'h3E0500; 6'd28: begin cwl <= 10'hx3A; /* Inv 9-3 */ endmodule

17 The scalar multiplier

18 The verilog snippet /* the next state logic */ begin case(state) /* Init states */ 6'd0: nextstate <= 6'd1; 6'd1: nextstate <= 6'd2; 6'd2: nextstate <= 6'd3; /* Double States */ 6'd3: nextstate <= 6'd4; 6'd4: nextstate <= 6'd5; 6'd5: nextstate <= 6'd6; 6'd6: begin if(k[`KEYMSB] == 1'b1) nextstate <= 6'd7; /* Do Addition and doubling if K0 is 1 */ else if (ef == 1'b0) nextstate <= 6'd15; /* k[0]=0 and we are in the last iteration, goto end */ else nextstate <= 6'd3; /* Skip addition and do next doubling */ end /* Addition States */ 6'd7: nextstate <= 6'd8; 6'd8: nextstate <= 6'd9; 6'd9: nextstate <= 6'd10; 6'd10: nextstate <= 6'd11; 6'd11: nextstate <= 6'd12; 6'd12: nextstate <= 6'd13; 6'd13: nextstate <= 6'd14; 6'd14: begin if(ef == 1'b1) nextstate <= 6'd3; else nextstate <= 6'd15; end /* The Itoh Tsujii States */ 6'd15: nextstate <= 6'd16; 6'd16: nextstate <= 6'd17; 6'd17: nextstate <= 6'd18; 6'd18: nextstate <= 6'd19; 6'd19: nextstate <= 6'd20; 6'd20: nextstate <= 6'd21; 6'd21: nextstate <= 6'd22; 6'd22: nextstate <= 6'd23; 6'd23: nextstate <= 6'd24; 6'd24: nextstate <= 6'd25; 6'd25: nextstate <= 6'd26; 6'd26: nextstate <= 6'd27; 6'd27: nextstate <= 6'd28; 6'd28: nextstate <= 6'd29; 6'd29: nextstate <= 6'd30; 6'd30: nextstate <= 6'd31; 6'd31: nextstate <= 6'd32; 6'd32: nextstate <= 6'd33; 6'd33: nextstate <= 6'd34; 6'd34: nextstate <= 6'd35; 6'd35: nextstate <= 6'd36; 6'd36: nextstate <= 6'd37; 6'd37: nextstate <= 6'd38; 6'd38: nextstate <= 6'd38; default: nextstate <= 6'bx; endcase

19 IO Interface of the scalar multiplier
/* The input to regbank is either constants or the results from ALU */ assign c0r = (cwh[22] == 1'b0) ? c0a : `BASEPOINT_X; assign c1r = (cwh[22] == 1'b0) ? c1a : yconstants; assign yconstants = (state != 6'd2) ? `BASEPOINT_Y : `CURVECONSTANT_B;

20 Output /* Store the results after converting back into affine coordinates */ assign sx = (key != 233'b1) ? a0 : `BASEPOINT_X; assign sy = (key != 233'b1) ? a2 : `BASEPOINT_Y; assign done = (state == 6'd38) ? 1 : 0; /* Set done to 1 if multiplication is complete */

21 The Module counter `define KEYSIZE 32 `define KEYMSB 31 module counter (clk, nrst, e); input wire clk; /* clock used for the counter */ input wire nrst; /* active low reset */ output wire e; /* set to 0 if count = 0 */ reg [7:0] count; /* ...and the register which actually decrements */ /* activate e when count reaches 0 */ assign e = |count; clk or negedge nrst) begin if(nrst == 1'b0) count <= 8'd`KEYMSB; else count <= count - 1'b1; end endmodule This module computes the number of key bits which are processed. Before the leading 1 is detected, it just shifts the key (at a fast clock) After, the leading 1 is detected, it updates at the start of doubling.

22 The clocks in the design
clk) begin if (nrst == 1'b0) start <= key[`KEYMSB]; else start <= tstart | k[(`KEYMSB - 1)]; end /* Generate clock signal for counter */ if (nrst == 1'b0) begin cck <= 1'b0; else begin case(state) 6'd3: cck <= ~cck; 6'd4: cck <= ~cck; default: cck <= cck; endcase /* Shift register for the key. The current bit is always the MSB */ clk) begin if (nrst == 1'b0) k <= key; else if (start == 1'b0) /* if start=0, shift every clock cycle */ k[`KEYMSB:0] <= {k[(`KEYMSB-1):0], 1'b0}; else if (state == 6'd4) /* if start=1, shift once very iteration of multiplier */ else /* else, don't shift */ k[`KEYMSB:0] <= k[`KEYMSB:0]; end /* Detect the first 1 */ assign tstart = start; /* The counter clock is either a fast clock (clk) used during * leading 1 detection, or a slow clock used during multiplication */ assign mainclk = (start == 1'b0) ? clk : cck;

23 Testing of the design Top level Interface of the design: Test-bench:
module ecsmul(clk, nrst, key, sx, sy, done); Test-bench: module tb(); reg clk; reg nrst; wire done; reg [31:0] kmem [7:0]; reg [255:0] k; wire [232:0] sx, sy; reg [232:0] res[1:0]; integer i;

24 A testbench initial begin $dumpfile ("dump.vcd"); $dumpvars; $dumpon;
# $dumpoff; end ecsmul ec_mul(clk, nrst, k[`KEYMSB:0], sx, sy, done); always begin #100 clk =~clk; endmodule initial begin $readmemh("../../scratch/tv.txt", kmem); #50 for(i=0; i<8; i = i+1) begin $display("%d %h\n", i, kmem[i]); end k = {kmem[0], kmem[1], kmem[2], kmem[3], kmem[4], kmem[5], kmem[6], kmem[7]}; // k = `KEYSIZE'hC7; $display("%h\n", k[`KEYSIZE - 1:0]); clk = 1'b0; nrst = 1'b1; #10 nrst = 1'b0; #110 nrst = 1'b1; #100000 $display("%h\n%h", sx, sy); res[0] = sx; res[1] = sy; #1 $writememh("../../scratch/res_verilog.txt", res); $finish;

25 Verification of Correctness
We use the elliptic curve code by M. Rosing in the book Implementation of Elliptic Curve Cryptography Go to directory ld_rosing/polymath/basics/ In file elliptic_poly.c Lines 1232 to 1239 contain the scalar t1.e[0] is most significant word and t1.e[7] is the least significant Word. Save file and exit On a linux machine run ‘make’ to create the executable Execute ‘elliptic_poly’

Download ppt "Lab Session 2 Design of Elliptic Curve Cryptosystem"

Similar presentations

Verilog Overview. University of Jordan Computer Engineering Department CPE 439: Computer Design Lab.

Verilog Overview. University of Jordan Computer Engineering Department CPE 439: Computer Design Lab.
Verilog Modules for Common Digital Functions

Verilog Modules for Common Digital Functions
Table 7.1 Verilog Operators.

Table 7.1 Verilog Operators.
Verilog. 2 Behavioral Description initial:  is executed once at the beginning. always:  is repeated until the end of simulation.

Verilog. 2 Behavioral Description initial:  is executed once at the beginning. always:  is repeated until the end of simulation.
//HDL Example 6-1 //--------------------- //Behavioral description of //Universal shift register // Fig. 6-7 and Table 6-3 module shftreg.

//HDL Example 6-1 // //Behavioral description of //Universal shift register // Fig. 6-7 and Table 6-3 module shftreg.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
FSM examples.

FSM examples.
Spring 20067W. Rhett Davis with minor modifications by Dean Brock ECE 406 at UNASlide 1 ECE 406 Design of Complex Digital Systems Lecture 10: 9: State.

Spring 20067W. Rhett Davis with minor modifications by Dean Brock ECE 406 at UNASlide 1 ECE 406 Design of Complex Digital Systems Lecture 10: 9: State.
Mini-MIPS From Weste/Harris CMOS VLSI Design. CS/EE 3710 Based on MIPS  In fact, it’s based on the multi-cycle MIPS from Patterson and Hennessy Your.

Mini-MIPS From Weste/Harris CMOS VLSI Design. CS/EE 3710 Based on MIPS  In fact, it’s based on the multi-cycle MIPS from Patterson and Hennessy Your.
OUTLINE Introduction Basics of the Verilog Language Gate-level modeling Data-flow modeling Behavioral modeling Task and function.

OUTLINE Introduction Basics of the Verilog Language Gate-level modeling Data-flow modeling Behavioral modeling Task and function.
Verilog Sequential Circuits Ibrahim Korpeoglu. Verilog can be used to describe storage elements and sequential circuits as well. So far continuous assignment.

Verilog Sequential Circuits Ibrahim Korpeoglu. Verilog can be used to describe storage elements and sequential circuits as well. So far continuous assignment.
ENEE 408C Lab Capstone Project: Digital System Design Fall 2005 Sequential Circuit Design.

ENEE 408C Lab Capstone Project: Digital System Design Fall 2005 Sequential Circuit Design.
ELEN 468 Advanced Logic Design

ELEN 468 Advanced Logic Design
University of Jordan Computer Engineering Department CPE 439: Computer Design Lab.

University of Jordan Computer Engineering Department CPE 439: Computer Design Lab.
1 COMP541 State Machines – 2 Registers and Counters Montek Singh Feb 8, 2007.

1 COMP541 State Machines – 2 Registers and Counters Montek Singh Feb 8, 2007.
Verilog Descriptions of Digital Systems. Electronic Lock // // Electronic combinational lock // module lock(seg7,key, valid_key, col, row, mclk, resetL)

Verilog Descriptions of Digital Systems. Electronic Lock // // Electronic combinational lock // module lock(seg7,key, valid_key, col, row, mclk, resetL)
Overview Logistics Last lecture Today HW5 due today

Overview Logistics Last lecture Today HW5 due today
Sequential Logic in Verilog

Sequential Logic in Verilog
Verilog Digital System Design Z. Navabi, 2006

Verilog Digital System Design Z. Navabi, 2006
1 Verilog Digital System Design Z. Navabi, 2006 Digital Design Flow  Digital Design Flow begins with specification of the design at various levels of.

1 Verilog Digital System Design Z. Navabi, 2006 Digital Design Flow  Digital Design Flow begins with specification of the design at various levels of.

Similar presentations

Ads by Google