Electronics Guide

Why Hardware Cryptography

Hardware implementations of cryptographic algorithms offer several compelling advantages over pure software approaches:

• Performance: Dedicated hardware can process cryptographic operations orders of magnitude faster than general-purpose processors, enabling real-time encryption of high-bandwidth data streams
• Power efficiency: Specialized circuits consume far less energy per operation than software running on CPUs, critical for battery-powered and energy-constrained devices
• Constant-time execution: Hardware can be designed to complete operations in fixed time regardless of input values, eliminating timing side channels that plague software implementations
• Physical isolation: Cryptographic keys and intermediate values can be confined within dedicated security boundaries, protected from observation or extraction
• Tamper resistance: Physical protection mechanisms can detect and respond to attempts to probe or modify the hardware

These advantages make hardware cryptography essential for applications requiring high security assurance, from payment terminals and identity documents to military communications and critical infrastructure control systems.

Implementation Approaches

Hardware cryptographic implementations span a spectrum from fully dedicated circuits to programmable architectures:

• Full custom ASICs: Application-specific integrated circuits optimized for specific algorithms, offering maximum performance and efficiency but limited flexibility
• Standard cell ASICs: Semi-custom designs using pre-characterized library cells, balancing optimization with design time and cost
• FPGA implementations: Field-programmable gate arrays enabling algorithm updates and customization, with moderate performance overhead
• Crypto coprocessors: Dedicated processors with instruction set extensions for cryptographic operations, combining hardware acceleration with programmability
• Hardware security modules: Complete secure subsystems integrating cryptographic engines, key storage, and physical protection

The choice of implementation approach depends on performance requirements, flexibility needs, security certification targets, and economic considerations including development cost and production volume.

Design Considerations

Effective hardware cryptographic design requires attention to several key factors:

• Algorithm selection: Choosing algorithms that are both cryptographically secure and amenable to efficient hardware implementation
• Architecture design: Selecting between iterative, pipelined, and unrolled structures based on throughput and area requirements
• Side-channel resistance: Incorporating countermeasures against power analysis, electromagnetic analysis, and timing attacks from the design's inception
• Fault attack protection: Implementing detection and response mechanisms for induced faults that could leak key material
• Key management: Designing secure storage, generation, and handling of cryptographic keys throughout their lifecycle
• Interface security: Protecting data paths between the cryptographic core and external interfaces

AES Algorithm Structure

Each AES round consists of four transformations applied to a 4x4 byte state matrix:

• SubBytes: A non-linear byte substitution using an S-box derived from the multiplicative inverse in GF(2^8) followed by an affine transformation
• ShiftRows: A cyclic shift of bytes within each row by different offsets
• MixColumns: A linear mixing operation treating each column as a polynomial and multiplying by a fixed polynomial modulo x^4+1
• AddRoundKey: XOR of the state with a round key derived from the cipher key through the key schedule

The final round omits MixColumns, and an initial AddRoundKey precedes the first full round. This structure presents multiple opportunities for hardware optimization.

S-Box Implementation Options

The SubBytes S-box is the most resource-intensive component and can be implemented in several ways:

• Lookup tables: Direct ROM or register-based tables providing byte-to-byte mapping, offering simple implementation but consuming significant area for 16 parallel S-boxes
• Composite field arithmetic: Computing the multiplicative inverse in GF(2^8) using isomorphic mapping to GF((2^4)^2), reducing gate count substantially
• Canright construction: Further optimization decomposing GF(2^4) operations into GF(2^2) computations, achieving minimal gate complexity
• Tower field approach: Hierarchical decomposition enabling additional area-performance tradeoffs

Composite field implementations typically require 3-5 times fewer gates than direct lookup tables while introducing additional logic depth that affects maximum clock frequency.

Architecture Variants

AES hardware architectures balance throughput, latency, and area across a wide design space:

• Iterative (round-based): A single round circuit reused for all rounds, minimizing area but requiring 10-14 clock cycles per block. Suitable for area-constrained designs.
• Pipelined: Separate hardware for each round with pipeline registers between stages, enabling one block output per clock cycle at the cost of increased area and latency
• Fully unrolled: All rounds implemented combinationally without registers, achieving single-cycle encryption at maximum area cost
• Hybrid approaches: Partial pipelining or multiple rounds per cycle, offering intermediate points in the design space
• Byte-serial: Processing one byte at a time to minimize area for extremely constrained applications, requiring 160+ cycles per block

High-performance implementations targeting network encryption may achieve throughputs exceeding 100 Gbps using deeply pipelined architectures, while IoT devices may use byte-serial designs consuming under 3,000 gates.

MixColumns Optimization

The MixColumns transformation multiplies each column vector by a constant matrix with elements 1, 2, and 3 in GF(2^8). Efficient implementation exploits the structure:

• XTime operation: Multiplication by 2 in GF(2^8) requires only a left shift and conditional XOR with 0x1B
• Multiplication by 3: Computed as XTime result XORed with the original value
• Matrix symmetry: The circulant matrix structure allows resource sharing across column positions

Inverse MixColumns for decryption requires multiplication by 9, 11, 13, and 14, which are more complex but can be derived from multiple XTime operations.

Key Schedule Implementation

The key schedule expands the cipher key into round keys, and its implementation affects overall performance:

• On-the-fly generation: Computing round keys as needed, saving area but adding latency to each round
• Pre-computed storage: Expanding all round keys before encryption begins, enabling immediate access but requiring key memory
• Decryption considerations: Decryption uses round keys in reverse order, potentially requiring full key storage or reverse key schedule computation

AES-GCM and Authenticated Encryption

Modern applications increasingly require authenticated encryption modes like AES-GCM that provide both confidentiality and integrity:

• GHASH computation: Galois field multiplication for authentication tag generation, parallelizable for high throughput
• Counter mode: CTR encryption enabling parallel block processing and random access
• Pipelined integration: Overlapping AES and GHASH operations for maximum throughput
• Karatsuba multiplication: Efficient 128-bit GF(2^128) multiplication for GHASH using polynomial techniques

SHA-2 Family Implementation

SHA-256 and SHA-512 dominate current applications, sharing a common Merkle-Damgard construction with different word sizes and round counts:

• Message schedule: Expanding the 512-bit (SHA-256) or 1024-bit (SHA-512) message block into 64 or 80 words through rotation and XOR operations
• Compression function: 64 or 80 rounds of operations including majority and conditional functions, modular addition, and constant addition
• Working variables: Eight 32-bit (SHA-256) or 64-bit (SHA-512) variables updated each round

The data dependencies between rounds create a critical path through the modular adders, limiting clock frequency in straightforward implementations.

SHA-256 Optimization Techniques

Several techniques accelerate SHA-256 computation:

• Carry-save arithmetic: Maintaining partial sums in redundant form to break adder chains, reducing critical path
• Speculation: Computing multiple round candidates and selecting based on earlier results
• Message schedule optimization: Pre-computing or pipelining message expansion independently of compression
• Unrolling: Implementing multiple rounds in parallel where dependencies permit

These optimizations can achieve throughputs exceeding 10 Gbps in modern process technologies.

SHA-3 and Keccak Architecture

SHA-3 uses the Keccak sponge construction with a fundamentally different architecture from SHA-2:

• State array: A 5x5 array of 64-bit lanes (1600 bits total) transformed through permutation rounds
• Permutation rounds: 24 rounds of theta, rho, pi, chi, and iota operations
• Theta: Column parity computation and XOR, enabling high parallelism
• Rho and pi: Lane rotation and transposition, implementable through wiring
• Chi: Non-linear row-wise operation requiring modest logic
• Iota: Round constant XOR into a single lane

SHA-3's regular structure and operation parallelism enable efficient hardware implementation, with the 1600-bit state being the primary area determinant.

High-Throughput Hash Engines

Applications such as cryptocurrency mining and high-speed network security demand extreme hash throughput:

• Deep pipelining: Breaking rounds into multiple pipeline stages to maximize frequency
• Parallel engines: Multiple independent hash units processing different messages
• ASIC mining: Specialized chips implementing hundreds of parallel SHA-256 engines for Bitcoin mining
• Memory-hard functions: Scrypt and Ethash implementations requiring substantial on-chip memory

HMAC Implementation

Hash-based Message Authentication Code (HMAC) constructs a keyed hash function from the underlying hash algorithm:

• Two-pass structure: Inner and outer hash computations with key-derived padding
• State caching: Pre-computing and storing intermediate hash states for the key-dependent portions
• Integrated design: Combining HMAC with the base hash accelerator for efficient operation

Mathematical Foundations

ECC security relies on the difficulty of the elliptic curve discrete logarithm problem. Operations occur on points of an elliptic curve over a finite field:

• Prime field curves: Coordinates are elements of GF(p) for a large prime p, using modular arithmetic
• Binary field curves: Coordinates are elements of GF(2^m), using polynomial arithmetic
• Point addition: Computing a third curve point from two input points
• Point doubling: Adding a point to itself, with optimized formulas
• Scalar multiplication: Computing kP for scalar k and point P, the fundamental operation for ECC protocols

Standard curves include NIST P-256, P-384, and P-521 for prime fields, and Curve25519 for high-security applications.

Modular Arithmetic Units

Prime field ECC requires efficient modular arithmetic for field elements of 256 bits or more:

• Montgomery multiplication: Converting to Montgomery domain enables multiplication without explicit division, using only shifts and additions
• Barrett reduction: Pre-computing a multiplier to approximate division for modular reduction
• Specialized reduction: Exploiting the structure of NIST primes (generalized Mersenne) for fast modular reduction
• Modular inversion: Extended Euclidean algorithm or Fermat's little theorem, both computationally expensive

The modular multiplier is typically the critical component, with design choices between parallel multipliers for speed and iterative multipliers for area efficiency.

Point Multiplication Algorithms

Efficient scalar multiplication algorithms minimize the number of point operations:

• Double-and-add: Basic algorithm processing one scalar bit per iteration, vulnerable to side-channel analysis
• Montgomery ladder: Constant-time algorithm performing one point addition and one doubling per bit regardless of bit value
• Windowed methods: Pre-computing small multiples of P to process multiple scalar bits per iteration
• NAF encoding: Non-adjacent form representation reducing the number of additions
• Projective coordinates: Avoiding modular inversion during intermediate operations by using projective or Jacobian coordinates

Security-focused implementations typically use the Montgomery ladder or similar constant-time algorithms to prevent timing and power analysis attacks.

ECDSA Hardware

The Elliptic Curve Digital Signature Algorithm (ECDSA) requires specific hardware considerations:

• Signature generation: Random nonce generation, scalar multiplication, and modular arithmetic for computing signature components
• Signature verification: Two scalar multiplications (one with the generator, one with the public key) and point addition
• Nonce protection: Secure random number generation and protection against nonce reuse attacks
• Shamir's trick: Computing aP + bQ more efficiently than separate multiplications for verification

EdDSA and Curve25519

Modern curve designs simplify secure implementation:

• Edwards curves: Unified addition formulas eliminate special cases that complicate secure implementation
• Curve25519: Designed for Montgomery ladder implementation with resistance to timing attacks
• Ed25519 signatures: Deterministic nonce generation eliminating random number generator vulnerabilities
• Fast field arithmetic: Prime 2^255-19 enables efficient reduction through simple shift and add operations

RSA Operations

RSA encryption and decryption require modular exponentiation with very large integers:

• Public key operation: Computing m^e mod n with small public exponent e (typically 65537)
• Private key operation: Computing c^d mod n with large private exponent d, the performance bottleneck
• Chinese Remainder Theorem: Splitting private key operation into two smaller exponentiations using prime factors of n
• Key sizes: 2048-bit minimum for current security, with 3072 and 4096 bits for longer-term protection

Montgomery Multiplication for RSA

Montgomery multiplication is essential for practical RSA implementation:

• Domain conversion: Converting operands to Montgomery form before a sequence of multiplications
• Interleaved multiplication-reduction: Processing multiplication and reduction together to avoid double-width intermediate products
• Radix selection: Choosing word size for the iterative multiply-accumulate operations
• Systolic arrays: Highly parallel implementations pipelining word-level operations across many processing elements

A 2048-bit Montgomery multiplication may require millions of gate operations, making implementation choices critical for performance.

Exponentiation Algorithms

Modular exponentiation algorithms trade memory for computation:

• Square-and-multiply: Basic algorithm processing one exponent bit per iteration
• m-ary method: Pre-computing powers and processing multiple exponent bits per iteration
• Sliding window: Variable-length windows reducing the number of multiplications
• Fixed-window: Constant-time variant using fixed windows with dummy operations

Private key operations must use constant-time algorithms to prevent timing attacks that could reveal exponent bits.

CRT Optimization

Chinese Remainder Theorem acceleration is standard for RSA private key operations:

• Factor-size operations: Computing exponentiations modulo p and q (half the key size) rather than n
• Speedup factor: Approximately 4x improvement from reduced operand size
• CRT recombination: Garner's algorithm or similar methods to combine results
• Fault attack sensitivity: CRT implementations are vulnerable to fault injection attacks requiring countermeasures

Multi-Precision Arithmetic

RSA hardware must handle operands far exceeding native processor widths:

• Word-serial multipliers: Processing one word at a time with accumulation
• Parallel multiplier arrays: Multiple word multiplications in parallel for throughput
• Carry propagation: Managing carries across the full operand width
• Memory interfaces: Efficiently accessing operand words from storage

Homomorphic Encryption Concepts

Homomorphic schemes allow specific operations on ciphertexts that correspond to operations on plaintexts:

• Partially homomorphic: Supporting either addition (Paillier) or multiplication (RSA, ElGamal) but not both
• Somewhat homomorphic: Supporting limited numbers of both operations before noise makes decryption impossible
• Fully homomorphic (FHE): Supporting unlimited operations through noise management techniques like bootstrapping
• Leveled FHE: Pre-determined depth of operations without bootstrapping, more practical for many applications

Lattice-Based FHE

Modern FHE schemes are primarily based on lattice problems:

• Ring-LWE: Learning With Errors over polynomial rings provides the security foundation
• Polynomial arithmetic: Operations in polynomial rings Z[x]/(x^n+1) for power-of-two n
• Noise growth: Each operation increases ciphertext noise, eventually requiring management
• Bootstrapping: Homomorphically evaluating the decryption circuit to reduce noise

FHE Hardware Acceleration

FHE's computational demands require specialized hardware:

• Number Theoretic Transform (NTT): FFT-like polynomial multiplication in finite fields, the primary computational kernel
• Large polynomial degrees: Ring dimensions of 2^14 to 2^17 with coefficients of hundreds of bits
• Modular reduction: Frequent reduction with multi-hundred-bit moduli
• Memory bandwidth: Moving large polynomials between computation and storage
• Residue Number System: Representing large integers using multiple smaller moduli for parallel processing

Research accelerators have demonstrated orders of magnitude speedup over software, bringing practical FHE closer to reality.

Emerging FHE Hardware

The field of FHE acceleration is rapidly evolving:

• Custom ASICs: Purpose-built chips optimizing NTT and modular arithmetic for FHE
• FPGA implementations: Reconfigurable platforms enabling algorithm experimentation and updates
• GPU acceleration: Leveraging massive parallelism for polynomial operations
• Hybrid architectures: Combining different accelerator types for different FHE operations

Quantum Computing Threat

Quantum computers pose specific threats to current cryptography:

• Shor's algorithm: Polynomial-time factoring and discrete logarithm computation, breaking RSA, DSA, and ECC
• Grover's algorithm: Quadratic speedup for search problems, effectively halving symmetric key security
• Harvest-now-decrypt-later: Encrypted data captured today could be decrypted once quantum computers mature
• Transition timeline: Cryptographic agility needed before quantum computers achieve sufficient capability

Lattice-Based Cryptography

Lattice problems form the basis for leading PQC candidates:

• CRYSTALS-Kyber: NIST-selected key encapsulation mechanism based on Module-LWE
• CRYSTALS-Dilithium: NIST-selected digital signature based on Module-LWE and Module-SIS
• Hardware operations: Polynomial multiplication via NTT, sampling from distributions, matrix-vector operations
• Compact implementations: Shared NTT hardware for both key exchange and signatures

Lattice schemes offer relatively small key and signature sizes with reasonable computational requirements.

Hash-Based Signatures

Hash-based signatures derive security from hash function properties:

• SPHINCS+: NIST-selected stateless signature scheme using hash trees
• XMSS and LMS: Stateful schemes with smaller signatures but state management requirements
• Hardware requirements: Efficient hash function implementation and tree traversal logic
• Trade-offs: Larger signatures but conservative security assumptions based on well-studied hash functions

Code-Based and Other Approaches

Additional PQC families offer alternative security foundations:

• Classic McEliece: Based on error-correcting codes with very large public keys but proven security
• BIKE and HQC: Alternative code-based schemes with smaller keys
• Isogeny-based: SIKE was broken, but isogeny research continues with new constructions
• Multivariate: Systems of multivariate polynomial equations, with signature schemes like Rainbow (broken) prompting new designs

PQC Hardware Considerations

Implementing PQC in hardware presents new challenges:

• Algorithm diversity: Different PQC families require very different hardware primitives
• Parameter flexibility: Security level choices affect key sizes and computational requirements
• Hybrid modes: Combining PQC with traditional algorithms during transition requires both implementations
• Side-channel resistance: New algorithms require development of new countermeasures
• Performance gap: Many PQC algorithms are slower than their classical counterparts

Constraint Categories

Lightweight cryptography targets several constraint dimensions:

• Area: Minimizing gate count and memory for small die sizes and low cost
• Power: Reducing instantaneous power consumption for limited power supply capability
• Energy: Minimizing total energy per operation for battery or energy-harvesting power sources
• Latency: Achieving acceptable encryption speed with minimal hardware
• Code size: For software implementations on microcontrollers with limited program memory

NIST Lightweight Cryptography Standard

The NIST Lightweight Cryptography competition selected Ascon as the new standard:

• Ascon: Permutation-based authenticated encryption with associated data (AEAD) and hashing
• Sponge construction: Similar to SHA-3, enabling both encryption and hashing from the same primitive
• 320-bit state: Compact state size suitable for constrained implementations
• Simple operations: Based on XOR, rotation, and AND operations for efficient hardware
• Side-channel resistance: Designed with implementation security in mind

Block Cipher Designs

Lightweight block ciphers minimize hardware complexity:

• PRESENT: 64-bit block cipher achieving under 1,600 gates with bit-permutation and 4-bit S-boxes
• GIFT: Improved efficiency over PRESENT with better cryptographic properties
• SIMON and SPECK: NSA-designed families offering area-performance trade-offs for hardware and software
• LED: AES-like structure with minimal key schedule overhead
• PRINCE: Low-latency cipher designed for single-cycle encryption

These designs achieve 1,000-3,000 gate equivalents compared to 3,000-10,000 for compact AES implementations.

Stream Cipher and MAC Designs

Lightweight stream ciphers and authentication codes complement block ciphers:

• Grain-128: Hardware-oriented stream cipher with NLFSR-based design
• Trivium: Extremely compact stream cipher using shift register structure
• PHOTON: Lightweight hash function using AES-like structure with smaller state
• SPONGENT: Permutation-based hash using PRESENT-like rounds

Implementation Techniques

Achieving minimal footprint requires specific implementation approaches:

• Serialization: Processing data bit-by-bit or nibble-by-nibble to minimize datapath width
• Resource sharing: Reusing components for encryption and decryption, or across algorithm operations
• Simple key schedules: Minimizing or eliminating key expansion logic
• Bit-permutation layers: Implementing diffusion through wiring rather than logic
• Small S-boxes: Using 4-bit rather than 8-bit S-boxes to reduce table size

Side-Channel Attack Types

Various physical phenomena can leak cryptographic secrets:

• Timing attacks: Exploiting data-dependent execution time variations
• Simple power analysis (SPA): Directly observing key-dependent patterns in power traces
• Differential power analysis (DPA): Statistical correlation between power consumption and processed data
• Electromagnetic analysis: Similar to power analysis but measuring EM emanations
• Cache attacks: Exploiting shared cache timing in multi-tenant environments

Masking

Masking splits sensitive values into random shares that are processed independently:

• Boolean masking: XORing the sensitive value with random masks
• Arithmetic masking: Adding random values modulo the group order
• Higher-order masking: Using multiple mask shares for stronger protection
• Mask refreshing: Re-randomizing shares to prevent accumulating leakage
• Masked S-boxes: Computing non-linear functions on masked values without unmasking

Masking increases area and power consumption roughly proportionally to the number of shares.

Hiding Techniques

Hiding reduces or randomizes the side-channel signal:

• Constant-time implementation: Ensuring identical execution regardless of data values
• Dual-rail logic: Complementary logic paths that always switch, equalizing power consumption
• Random delays: Inserting random timing variations to misalign measurements
• Shuffling: Randomizing the order of independent operations
• Power filtering: On-chip regulation to reduce power signature visibility

Fault Attack Protection

Fault attacks induce errors to extract key information:

• Voltage glitching: Brief power supply disturbances causing computational errors
• Clock glitching: Timing violations causing setup or hold failures
• Laser fault injection: Precisely targeted bit flips in memory or logic
• Detection countermeasures: Sensors for voltage, clock, light, and temperature anomalies
• Computation redundancy: Repeating operations and comparing results
• Error detection codes: Detecting corrupted intermediate values

HSM Architecture

HSMs combine multiple security components:

• Cryptographic accelerators: High-performance engines for symmetric and asymmetric algorithms
• Key storage: Tamper-resistant memory for master keys and operational keys
• Random number generator: Hardware entropy sources for key generation
• Secure processor: Executing cryptographic operations and enforcing policies
• Physical protection: Tamper detection, response, and evidence mechanisms

Key Management

HSMs provide comprehensive key lifecycle management:

• Key generation: Creating keys using certified random number generators within the security boundary
• Key storage: Encrypted storage with master keys that never leave the HSM
• Key backup: Secure export under key-encrypting keys for disaster recovery
• Key destruction: Verifiable erasure when keys are no longer needed
• Access control: Role-based policies governing key usage

Certification Standards

HSMs are validated against rigorous security standards:

• FIPS 140-2/140-3: US federal standard with four security levels
• Common Criteria: International standard with protection profiles for cryptographic modules
• PCI HSM: Payment card industry requirements for payment processing
• eIDAS: European standards for qualified electronic signatures

Functional Verification

Confirming that the implementation matches the algorithm specification:

• Test vectors: Standard test cases from algorithm specifications and certification bodies
• Random testing: Comparing hardware outputs against reference software for random inputs
• Formal verification: Mathematical proof of equivalence between RTL and specification
• Coverage analysis: Ensuring all code paths and corner cases are exercised

Security Verification

Validating that countermeasures are correctly implemented:

• Leakage assessment: Test Vector Leakage Assessment (TVLA) to detect information leakage
• Formal methods: Proving constant-time behavior and mask independence
• Fault injection testing: Verifying detection and response to induced faults
• Penetration testing: Attempting attacks on prototype implementations

Certification Processes

High-assurance applications require formal certification:

• Algorithm validation: CAVP testing for FIPS-approved algorithms
• Module validation: CMVP for complete cryptographic modules
• Laboratory testing: Accredited labs performing validation testing
• Documentation requirements: Security policies, design evidence, and test reports

Architectural Optimization

High-level design choices dominate performance:

• Parallelism: Multiple algorithm instances processing independent data streams
• Pipelining: Overlapping operations from different blocks in flight
• Resource allocation: Balancing multiple arithmetic units against utilization
• Memory bandwidth: Sufficient data paths to keep compute units busy

Micro-Architectural Optimization

Detailed implementation choices affect critical path and utilization:

• Adder architectures: Carry-lookahead, carry-select, and parallel prefix adders for multi-hundred-bit operations
• Multiplier structures: Booth encoding, Wallace trees, and array multipliers
• Clock domain design: Matching operating frequency to critical path limits
• Power-performance modes: Configurable performance levels for varying requirements