Design of a Modular Exponentiation Module for an RSA Cryptographic Coprocessor with Power Analysis Countermeasures

Abstract

Rivest-Shamir-Adleman (RSA) is a widely used public key cryptographic method. The main operation performed in this method, for encryption and decryption, is modular exponentiation. The way modular exponentiation is computed make the system vulnerable to sidechannel attacks. Side-channel attacks focus on the physical implementation rather than in the algorithms vulnerabilities. In particular, power analysis attacks are a type of sidechannel attack that focuses on extracting information from the power consumption trace. The main thesis goals are to design, verify and obtain the specifications of a Simple Power Analysis (SPA) resistant coprocessor. A coprocessor and the hardware design are introduced because the case of study in this thesis requires a fast implementation of the RSA method. The proposed design work with 4096-bit keys, following the recommendations of NIST Special Publication 800-57 Part 1. Thus, the design focuses on area optimization while dealing with large keys. This design is presented in an easy-going schematic form, but, the fully functional version is presented using the hardware description language VHDL. By using Cadence ® software, the design is simulated and the implemented countermeasures are verified with a 16-bit version. These proposed countermeasures seek not to increase power consumption or execution time. In order to compare against an SPA vulnerable system, this reference version is also designed and simulated. The power traces for both versions are obtained to assess the effectiveness of the applied countermeasure. In order to get realistic results, the design has been synthesized in a 1.2V standard 65 nm CMOS library. The final proposed solution manages the area problem by using only one 4098-bit adder / subtractor into a Montgomery Product (MP) sequential scheme. This adder / subtractor is a type of Parallel Prefix Adder (PPA), in order to reduce delay. In particular, Ladner-Fischer topology is used. This reduces the number of wire tracks and logic levels, which help to synthesize this kind of huge adder. The specifications obtained for the 4096-bit version allow the main system clock to run at about 100 MHz. In the SPA resistant version, this means a modular exponentiation can be computed, in average, in about 504 ms.