SWCU194 March 2023 CC1314R10, CC1354P10, CC1354R10, CC2674P10, CC2674R10
The sequencer also controls ECC operations (for a summary, see Table 13-17).
Function | Mathematical Operation | Vector A | Vector B | Vector C | Vector D |
---|---|---|---|---|---|
ECC-ADD | Point addition/doubling(1) on elliptic curve: y² = x³ + ax + b (mod p); pntA + pntC → pntD | pntA.x followed(2) by pntA.y, both B_Len long (A_Len is not used) | Curve parameter p followed(2) by a (b is not required), all B_Len long | pntC.x followed(2) by pntC.y, both B_Len long | Result (that is, pntD.x followed(2) by pntD.y and workspace) |
ECC-MUL | Point multiplication on elliptic curve: y² = x³ + ax + b (mod p); k × pntC → pntD | Scalar k, A_Len long | Curve parameter p followed(2) by a and b, all B_Len long | pntC.x followed(2) by pntC.y, both B_Len long | Result (that is, pntD.x followed(2) by pntD.y and workspace) |
For users of the PKA engine, the functions in Table 13-17 appear to be extensions of the set of PKCP functions described in Section 13.2.3 with the following exceptions:
The PKA_SHIFT register returns information on the result of the operation.
Table 13-18 lists the PKA_SHIFT result values.
Function | PKA_SHIFT Register Field Value at Conclusion |
---|---|
ECC-ADD | 0 → success; vector D holds the result point. 7 → result is point-at-infinity; vector D result point is undefined. 31 → error (p is not odd-numbered, too short, and so on); vector D result point is undefined. Other values are reserved. |
ECC-MUL |
Table 13-19 lists the operational restrictions.
Function | Requirements |
---|---|
ECC-ADD | 1 < B_Len ≤ 24 (maximum vector length is 768 bits). Modulus p must be a prime > 2⁶³. Effective modulus size (in bits) must be a multiple of 32.(1) The highest word of the modulus vector (as indicated by B_Len) may not be 0. a < p and b < p. pntA and pntC must be on the curve (this is not checked). Neither pntA nor pntC can be the point-at-infinity (although ECC-ADD can return this point as a result). |
ECC-MUL | 0 < A_Len ≤ 24 (maximum vector length is 768 bits). 1 < B_Len ≤ 24 (maximum vector length is 768 bits). Modulus p must be a prime > 2⁶³. Effective modulus size (in bits) must be a multiple of 32.(1) The highest word of the modulus vector (as indicated by B_Len) may not be 0. a < p and b < p. pntC must be on the curve (this is not checked). pntC cannot be the point-at-infinity (although ECC-MUL can return this point as a result). |
Table 13-20 and Table 13-21 list the overlap restrictions of the input vector and the memory allocation details of the scratchpad area, respectively.
Function | Result Vector | Restrictions |
---|---|---|
ECC-ADD ECC-MUL | D | Scratchpad area starting at D may not overlap with any other vectors. |
Function | Scratchpad Area Size Result Vector is 2 × (B_Len + ε (B_Len)) 32-Bit Words Long |
---|---|
ECC-ADD | 2 × L + 5 × M where: |
ECC-MUL | 18 × L + Max(8, L) where: |
During the execution of an ECC-ADD or ECC-MUL operation, the last 72 bytes of the PKA RAM are used as a general scratchpad for the program execution of the sequencer. These areas must not overlap with any of the input vectors or the D vector scratchpad area during execution.
Table 13-22 lists example PKA RAM vector allocations for ECC point multiplication operations.
The free space start address is the first free byte following the vector scratchpad (the sequencer execution scratchpad of 72 bytes must fit between this address and the end of PKA RAM); because of this, a 521-bit ECC point multiplication cannot be performed with a 2 KB PKA RAM.
Modulus Length | (Sub-)Vector | Start Address Byte Offset | Pointer Value / Note | Size (Words) | Buffer (Words) |
---|---|---|---|---|---|
192 bits (= 6 words, ALENGTH = 0x006, BLENGTH = 0x006) | Scalar k | 0x000 | (APTR = 0x000) | 6 | 0 |
192 bits | p | 0x018 | (BPTR = 0x006) | 6 | 2 |
192 bits | a | 0x038 | | 6 | 2 |
192 bits | b | 0x058 | | 6 | 2 |
192 bits | pntC.x (base) | 0x078 | (CPTR = 0x01E) | 6 | 2 |
192 bits | pntC.y (base) | 0x098 | | 6 | 2 |
192 bits | pntD.x (result) | 0x0B8 | (DPTR = 0x02E) | 6 | 2 |
192 bits | pntD.y (result) | 0x0D8 | | 6 | 0 |
192 bits | Vector scratchpad | 0x0B8 | (= pntD.x) | (18 × 8) + 8 = 152 | 0 |
192 bits | Free space | 0x318 | (792 bytes used) | – | – |
384 bits (= 12 words, ALENGTH = 0x00C, BLENGTH = 0x00C) | Scalar k | 0x000 | (APTR = 0x000) | 12 | 0 |
384 bits | p | 0x030 | (BPTR = 0x00C) | 12 | 2 |
384 bits | a | 0x068 | | 12 | 2 |
384 bits | b | 0x0A0 | | 12 | 2 |
384 bits | pntC.x (base) | 0x0D8 | (CPTR = 0x036) | 12 | 2 |
384 bits | pntC.y (base) | 0x110 | | 12 | 2 |
384 bits | pntD.x (result) | 0x148 | (DPTR = 0x052) | 12 | 2 |
384 bits | pntD.y (result) | 0x180 | | 12 | 0 |
384 bits | Vector scratchpad | 0x148 | (= pntD.x) | (18 × 14) + 14 = 266 | 0 |
384 bits | Free space | 0x570 | (1392 bytes used) | – | – |
521 bits (= 17 words, ALENGTH = 0x011, BLENGTH = 0x011) | Scalar k | 0x000 | (APTR = 0x000) | 17 | 1 (to align p) |
521 bits | p | 0x048 | (BPTR = 0x012) | 17 | 3 |
521 bits | a | 0x098 | | 17 | 3 |
521 bits | b | 0x0E8 | | 17 | 3 |
521 bits | pntC.x (base) | 0x138 | (CPTR = 0x04E) | 17 | 3 |
521 bits | pntC.y (base) | 0x188 | | 17 | 3 |
521 bits | pntD.x (result) | 0x1D8 | (DPTR = 0x076) | 17 | 3 |
521 bits | pntD.y (result) | 0x228 | | 17 | 0 |
521 bits | Vector scratchpad | 0x1D8 | (= pntD.x) | (18 × 20) + 20 = 380 | 0 |
521 bits | Free space | 0x7C8 | (1992 bytes used) | – | – |
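
As an added example (not TI's code and not part of the original manual), the C sketch below plans an ECC-MUL vector layout the way Table 13-22 does and rejects one that breaks the Table 13-19 length limits or leaves no room for the 72-byte sequencer scratchpad. The padded length L = B_Len + 2 + (B_Len mod 2) and the even-word padding of k are assumptions inferred from the worked values in Table 13-22, because the definition of L is not present on this page; the function and type names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PKA_SEQ_SCRATCH_BYTES 72u  /* last 72 bytes of PKA RAM, per the text */

typedef struct {
    uint32_t aptr, bptr, cptr, dptr;  /* 32-bit word offsets (xPTR values) */
    uint32_t scratch_words;           /* vector scratchpad starting at D   */
    uint32_t free_start;              /* byte offset after the scratchpad  */
} pka_eccmul_layout;

/* ASSUMPTION: padded sub-vector length L = B_Len + 2 + (B_Len mod 2),
 * inferred from the worked values 8, 14 and 20 in Table 13-22. */
static uint32_t pka_padded_len(uint32_t b_len) { return b_len + 2u + (b_len & 1u); }

/* Packs k, (p, a, b), pntC and pntD back to back as Table 13-22 does.
 * Returns false if the lengths break Table 13-19 or the layout leaves
 * no room for the sequencer scratchpad at the end of PKA RAM. */
bool pka_eccmul_plan(uint32_t a_len, uint32_t b_len, uint32_t ram_bytes,
                     pka_eccmul_layout *out)
{
    if (a_len == 0 || a_len > 24 || b_len < 2 || b_len > 24)
        return false;
    uint32_t l = pka_padded_len(b_len);
    out->aptr = 0;
    out->bptr = a_len + (a_len & 1u);   /* ASSUMPTION: pad k to even words */
    out->cptr = out->bptr + 3u * l;     /* p, a, b */
    out->dptr = out->cptr + 2u * l;     /* pntC.x, pntC.y */
    out->scratch_words = 18u * l + (l > 8u ? l : 8u);  /* 18 x L + Max(8, L) */
    out->free_start = 4u * (out->dptr + out->scratch_words);
    return out->free_start + PKA_SEQ_SCRATCH_BYTES <= ram_bytes;
}

int main(void)
{
    const uint32_t words[] = { 6, 12, 17 };  /* 192-, 384-, 521-bit rows */
    for (int i = 0; i < 3; i++) {
        pka_eccmul_layout m = {0};
        bool ok = pka_eccmul_plan(words[i], words[i], 2048, &m);
        printf("B_Len=%2u BPTR=0x%03X CPTR=0x%03X DPTR=0x%03X free=0x%03X %s\n",
               (unsigned)words[i], (unsigned)m.bptr, (unsigned)m.cptr,
               (unsigned)m.dptr, (unsigned)m.free_start,
               ok ? "fits 2 KB" : "does NOT fit 2 KB");
    }
    return 0;
}
```

Running the same check before loading vectors catches a layout whose D scratchpad would run into the sequencer's area, which the restrictions above prohibit.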