
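Graduate student: 王振興 (Wang, Chen-Hsing)
Thesis title: Design of a Scalable Cryptographic Processor and Supporting Platforms (可調式密碼處理器設計與支援平台)
Advisor: 吳誠文 (Wu, Cheng-Wen)
Oral defense committee:
Degree: Doctor
Department: College of Electrical Engineering and Computer Science, Department of Electrical Engineering
Year of publication: 2009
Academic year of graduation: 97
Language: English
Number of pages: 101
Keywords (translated from Chinese): crypto-processor, scalar multiplication, polynomial multiplication, matrix-vector multiplication, platform-based design, system-on-chip
Keywords (English): crypto-processor, normal integer multiplication, polynomial multiplication, matrix-vector multiplication, platform-based design, SOC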
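  • With the rapid development of wired and wireless communication applications, information security has become increasingly important, because these applications often bring fatal threats. To effectively protect confidential data circulating on public networks, cryptography is currently the safest and also the most reliable method. However, implementing these reliable cryptographic algorithms usually incurs very high hardware or software complexity, so a good hardware or software design methodology is very important.

    In this thesis, based on an asymmetric word-based Montgomery multiplication algorithm, we propose a high-performance multi-mode multiplier that supports ordinary integer multiplication, polynomial multiplication, and matrix-vector multiplication. Most asymmetric cryptographic algorithms are composed of modular exponentiation, modular inversion, and modular multiplication, and the Montgomery algorithm can effectively accelerate these modular operations, so the proposed multi-mode multiplier can accelerate most asymmetric cryptographic algorithms. In addition, this word-based multiplier supports variable-length keys, and in circuit implementation the architecture offers a highly flexible choice between performance and hardware cost. We further extend the multi-mode multiplier to support the complete AES algorithm. We use composite field arithmetic to simplify the most complex operation in the AES algorithm, then rearrange the order of the simplified AES operations, and finally merge the matrix-vector multiplications that can be simplified. After simplification, the AES algorithm can be decomposed into matrix-vector multiplications and non-matrix-vector multiplications, where the non-matrix-vector multiplications account for about 11% of the total AES area, and the matrix-vector multiplication part together with the input and output buffers accounts for about 87% of the total area. We choose a size of 128 x 32 bits to implement the multi-mode multiplier circuit, because this multiplier size yields the greatest benefit for both AES and asymmetric cryptographic algorithms. The proposed 128 x 32 bits multi-mode multiplier provides a throughput of 441Mbps for 256-bit ordinary multiplication and 511Mbps for 256-bit polynomial multiplication. With an additional 21.93K equivalent logic gates (implementing the non-matrix-vector multiplication part), for the AES algorithm this multi-mode multiplier provides 1.28Gbps, 1.06Gbps, and 0.91Gbps for 128-bit, 192-bit, and 256-bit keys, respectively.

    Following the platform-based design methodology, we also propose a general-purpose single-chip cryptographic system that can meet the cryptographic processing performance required by existing wired and wireless communication applications. For this single-chip cryptographic system, we developed four supporting design platforms: an architecture platform, a design automation software platform, a design-for-test platform, and a prototyping platform. The architecture platform uses the AMBA bus system to integrate a cryptographic processor developed in our laboratory with a commercial general-purpose processor. This cryptographic processor provides four classes of cryptographic functions: AES, RSA, HMAC-SHA1/HMAC-MD5, and a random number generator. The design automation software platform provides a complete software environment that integrates the software used in chip design, including software developed by the Department of Electrical Engineering and the Department of Computer Science at National Tsing Hua University as well as commercial software. The design-for-test platform uses two software tools developed in our laboratory (STEAC, BRAINS) to provide a complete test architecture for this single-chip cryptographic system. The prototyping platform shortens the development and verification time of this single-chip system. Using the four platforms, we have designed and fabricated several chips, which demonstrates the practicality of the platforms we developed.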


    With the dramatic growth of wired and wireless communication applications, information security becomes more and more important as these applications usually bring more security threats. To secure personal/private information on the public and unprotected network, cryptography is one of the safest and most reliable methods, based on its robust mathematical foundation. However, the robust mathematical computation usually results in high hardware or time complexity when the cryptographic algorithms are implemented by hard-wired logic or software programs, respectively. A good methodology for hardware or software implementation is thus highly desirable.

    In this thesis, we propose a highly efficient multi-mode multiplier supporting prime field, polynomial field, and matrix-vector multiplications based on an asymmetric word-based Montgomery multiplication algorithm. Since many asymmetric-key cryptographic algorithms are composed of modular exponentiation, modular inversion, or modular multiplication, they can be well addressed by the proposed multi-mode multiplier. In addition, as the design of the multi-mode multiplier is based on a word-based architecture, it supports a scalable key if the data storage size is large enough, and it provides a flexible trade-off between performance and area cost in multiplier circuit design. We further extend the multi-mode multiplier to deal with the major operation of AES (Advanced Encryption Standard), i.e., matrix-vector multiplication. We apply composite field arithmetic to the AES round function to reduce its most area-consuming step, i.e., SubBytes. With composite field arithmetic, the SubBytes step is partitioned into multiplicative inversion over GF((2^4)^2) and some matrix-vector multiplications. The order of the four AES steps is rearranged such that the matrices for different steps can be merged into a single matrix. Finally, the AES round is unrolled and recombined, so that more matrices can be merged. After the decomposition and regrouping, the original AES round is clearly divided into two parts: matrix-vector multiplications and non-matrix-vector multiplications, where the non-matrix-vector multiplication part accounts for only 11% of the total gates in the preliminary analysis. We choose the size 128 x 32 bits to implement the multi-mode multiplier circuit, as it gives the maximum benefit for both AES and asymmetric-key cryptographic algorithms. The proposed multi-mode 128 x 32 bits multiplier provides a throughput of 441Mbps and 511Mbps for 256-bit operands over GF(p) and GF(2^n), respectively, at a clock rate of 100MHz. With 21.93K additional gates for AES (to implement the non-matrix-vector multiplication part), it can provide 1.28Gbps, 1.06Gbps, and 0.91Gbps throughput for 128-, 192-, and 256-bit keys, respectively.

    Following the platform-based design methodology, we also propose a generic crypto-SOC and four supporting platforms, where the crypto-SOC is suitable for a wide range of security-related protocols in wired and wireless network applications. The four specific platforms, i.e., architecture platform, EDA platform, DFT platform, and prototyping platform, can assist users in developing SOC products more systematically and efficiently. The architecture platform integrates a general-purpose processor and an in-house crypto-processor by a commercial bus system, i.e., AMBA (Advanced Micro-controller Bus Architecture). The in-house crypto-processor integrates four crypto-engines (AES, RSA, HMAC-MD5/SHA-1, and Random Number Generator (RNG)) and an intelligent crypto-DMA controller by an AHB (Advanced High-performance Bus). Here, the AES, HMAC-MD5/SHA-1, and RNG are contributed by our group members. The crypto-DMA not only manages the bulk data movement between internal crypto-engines and external RAMs, but also handles sophisticated flow control of the crypto-engines. The EDA platform provides a complete CAD tool environment which integrates in-house tools and commercial EDA tools into a core-based design flow. The DFT platform provides an SOC test integration methodology, mainly based on two of our in-house tools: STEAC (SOC TEst Aid Console) and BRAINS (BIST for RAM in Seconds). The prototyping platform accelerates function verification of the proposed crypto-SOC when new crypto-engines or components are integrated. Based on the proposed crypto-SOC and four assisting platforms, several prototype chips, for different applications, have been designed and fabricated in different CMOS processes, demonstrating the feasibility and effectiveness of the proposed platforms.

    1 Introduction
      1.1 Motivation
      1.2 Thesis Organization
    2 Overview of Cryptographic System
      2.1 Security Goals
      2.2 Cryptographic Primitives
        2.2.1 Symmetric-Key Cryptographic Algorithm
        2.2.2 Asymmetric-Key Cryptographic Algorithm
        2.2.3 Cryptographic Hash Function
      2.3 Secure Socket Layer (SSL) Protocol
    3 Introduction to Crypto-Engines
      3.1 AES Engine
        3.1.1 AES Algorithm
        3.1.2 A High Throughput Low Cost AES Cipher
      3.2 RSA Engine
        3.2.1 RSA Algorithm
        3.2.2 Montgomery Multiplication Algorithm & H Algorithm
        3.2.3 An RSA Cipher with Enhanced Pipeline Performance
      3.3 HMAC Engine
        3.3.1 MD5 & SHA-1 Cryptographic Hash Functions
        3.3.2 An Integrated HMAC-SHA-1/HMAC-MD5 Cipher
    4 An Efficient Multi-Mode Multiplier Supporting AES and Montgomery Multiplication Algorithms
      4.1 Survey of Related Work
      4.2 Review of Word-Based Montgomery Multiplication (MM) Algorithm & Composite Field Arithmetic
        4.2.1 Asymmetric Word-Based MM Algorithm
        4.2.2 Composite Field Arithmetic
      4.3 Decomposition of AES Round Function
      4.4 Proposed Multi-Mode Multiplier
        4.4.1 Reformulation of MV Multiplication
        4.4.2 Proposed Multi-Mode 8x8 Bits Multiplier
        4.4.3 Width Selection of Multi-Mode Multiplier
      4.5 Proposed Cipher Core Architecture
        4.5.1 An Enhanced Multi-Mode 128x32 Bits Multiplier
        4.5.2 Dedicated Module for AES
      4.6 Implementation Results & Comparisons
        4.6.1 Implementation & Area Statistics & Power Profile
        4.6.2 Result Comparison & Discussion for AES Algorithm
        4.6.3 Result Comparison & Discussion for MM Algorithm
    5 A Scalable Security Processor Design Based on an Integrated SOC Design and Test Platform
      5.1 Target Applications
      5.2 Architecture Platform
        5.2.1 System Overview from Descriptor-Based Perspective
        5.2.2 Descriptor-Based Instruction Set Architecture
        5.2.3 Scalable CP Architecture
        5.2.4 System Address Map
      5.3 EDA Platform
        5.3.1 Architecture Evaluation
        5.3.2 Software Partition
        5.3.3 Hardware Partition
        5.3.4 Logic Synthesis Flow & Backend Flow
      5.4 DFT Platform
      5.5 Prototyping Platform
      5.6 Experimental Results
        5.6.1 Measurement of Control Overhead Reduction
        5.6.2 Demonstration of a Network Application
        5.6.3 Silicon Results
        5.6.4 Comparisons
    6 Conclusions and Future Work


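    Full-text release date: full text not authorized for public release (on-campus network)
    Full-text release date: full text not authorized for public release (off-campus network)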
