An embedded cryptosystem implementing symmetric cipher and public-key crypto algorithms in hardware by Hau, Yuan Wen

PART ONE
THESIS CONTENT

CHAPTER 1

INTRODUCTION


This thesis proposes the FPGA implementation of an embedded 
cryptosystem. The design applies System-on-Chip (SoC) technology to produce a 
hardware security module that performs operations such as encryption, decryption, 
and digital signature signing and verification. This chapter covers the background, 
problem statement, research objectives, scope of work, the significance and 
contribution of the research, and finally the thesis organization. 
 
 
 
 
1.1       Background 
 
 
Nowadays, it is difficult to open a newspaper, watch a television program, or 
even have a conversation without some mention of the Internet, e-commerce, WAP 
and m-commerce. The rapid progress in wireless communication systems, personal 
communication systems, and smart card technology in our society makes information 
more vulnerable to abuse. In a communication system, the content of the 
communication may be exposed to an eavesdropper, or system services can be used 
fraudulently. For these reasons, it is important to make information systems secure 
by protecting data and resources from malicious acts.  
 
 
Today, embedded systems have become increasingly popular, as advances in 
IC technology and processor architectures allow for flexible computational parts and 
high-performance modules integrated on a single carrier. An embedded system may 
be defined as a hardware system incorporating general-purpose computational units 
and several dedicated modules. Typical embedded systems include digital cameras, 
digital camcorders, VCRs, DVD players, etc. They perform a specific function carefully 
partitioned into software and hardware to strike a balance between flexibility, 
reusability, performance and cost.  
 
 
With today’s state-of-the-art technology, many embedded systems, or 
substantial parts of them, can be integrated on a single microchip. 
System-on-a-chip (SoC) technology is a programmable platform that integrates most of the 
functions of an end product into a single chip. It incorporates at least one processing 
element (e.g. microprocessor, DSP) that executes the embedded software. The 
system is completed with peripherals, random logic and interfaces to the outside 
world, and employs a bus-based architecture. Figure 1.1 shows an example of an 
SoC-based embedded system. Design reuse and intellectual property (IP) sharing for both 
hardware and software are critical for high productivity in designing an SoC. Therefore, 
SoC design requires core-based design techniques, which utilize available hardware and 
software cores and compose them by adding appropriate interfaces to generate new 
designs (Li, 1998).  
 
 
 
Figure 1.1 SoC Integration 
 
 
 
 
1.2 Problem Statement 
 
 
As mentioned in the previous section, it is important to make information 
systems secure by protecting data and resources from malicious acts or abuse. 
IT security can be provided by crypto (cryptographic) solutions. Cryptography is, in 
general, the science of concealing data. It uses mathematical algorithms and 
processes to convert intelligible plaintext into unintelligible ciphertext, and vice 
versa. A crypto solution can provide four security services, which are authentication, 
non-repudiation, data integrity and confidentiality. The first three services are 
typically provided by digital signatures, and confidentiality is typically provided by 
encryption (Certicom, 1998). 
 
 
The two main types of cryptography are symmetric key cryptography and 
asymmetric key cryptography. Symmetric key cryptography schemes require two 
parties who want to communicate in confidence to share a common, secret key. Each 
user must trust the other not to divulge the common key to a third party. These 
systems encrypt large amounts of data efficiently. However, they pose significant 
key management problems in networks with a large number of users. Public key 
cryptography schemes require each party to have a key pair: a private key, which must 
not be disclosed to another user, and a public key, which may be made available in a 
public directory. The two keys are related by a one-way function, so it is 
computationally infeasible to determine the private key from the public key. Public 
key systems solve the key management problems associated with symmetric key 
encryption. Even more importantly, public key cryptography offers the ability to 
efficiently implement digital signatures (RSA, 1999). However, it is slow at 
encrypting large amounts of data compared with symmetric key cryptography. The 
complete solution is to combine symmetric key cryptography and public 
key cryptography so that they complement each other within a well-defined framework, such as 
Public Key Infrastructure (PKI) (Sun, 2001). 
 
 
Crypto algorithms can be implemented in either hardware or software. It is 
fairly easy to implement crypto algorithms in software, but such an approach is typically 
too slow for real-time applications such as storage devices, embedded systems, etc. 
Hence, for these kinds of applications, hardware always appears to be the ultimate 
choice of implementation. As coprocessors, hardware implementations can offload time-consuming 
algorithms and reduce the computation bottleneck (Lejla et al., 2003). For any given 
operation and function, a hardware implementation will always outperform a software 
implementation in timing performance. Crypto hardware accelerators are not only 
faster in general, but also offer more intrinsic security. Unlike 
software implementations, crypto hardware is resistant to physical tampering. This is 
one of the most important features of crypto hardware. In addition, crypto 
hardware cannot easily be cloned, hacked, modified, etc. Therefore, it is suitable 
for use in many critical real-time applications. 
 
 
In hardware implementation, the FPGA (Field Programmable Gate Array) 
has become the chosen rapid prototyping platform for any proof-of-concept design, 
before the design is committed to an ASIC (Application-Specific Integrated Circuit) or 
VLSI implementation. The flexibility and reconfigurability of FPGAs make them 
a suitable platform for implementations of crypto hardware embedded systems.  
 
 
 
 
1.3 Objectives 
 
 
From the discussion above, this thesis sets out two objectives: 
 
1. To design an embedded cryptosystem that integrates several dedicated IP 
cores. The IP cores include four crypto coprocessors, which perform elliptic 
curve cryptography (ECC), SHA-1 hashing, AES encryption and the RSA 
public-key crypto algorithm. These processors are complemented with an LZSS 
(Lempel-Ziv-Storer-Szymanski) data compression core, a large-integer 
Modular Arithmetic Processor (MAP) core and a 32-bit CPU. The embedded 
system is designed using SoC technology in a single FPGA chip. 
 
2. To develop a hardware security module that incorporates the cryptosystem in 
(1) to perform the security functions of data confidentiality, data integrity, 
non-repudiation and authentication. To achieve these functions, the security 
mechanisms will include symmetric encryption, digital signature, and 
public-key cryptography. A secure e-document application is developed as a 
demonstration application prototype to validate the proposed cryptosystem in 
a real-world case. 
  
1.4 Scope of Work 
 
 
1. The embedded cryptosystem is designed in VHDL. It implements a 128-bit 
AES algorithm for message encryption, 1024-bit RSA for public-key 
encryption, and 163-bit elliptic curve (ECC) public-key cryptography for 
digital signature.  
 
2. The system provides a suitable compromise between the constraints of speed, 
space and required security level based on the specific demands of the targeted 
application. This is achieved with parameterization in the design.  
 
3. The complete prototype is to fit into an Altera Stratix EP1S40F780C5 FPGA 
chip (which contains 41250 LEs (Logic Elements) or an equivalent of 
14 x 10^6 system gates). The current cryptosystem’s running frequency is limited to 
40 MHz. Figure 1.2 shows the system architecture, comprising the host and the 
proposed embedded cryptosystem. 
 
 
 
Figure 1.2 System Architecture 
  
4. With VHDL parameterization, the RSA and ECC coprocessors can be 
reconfigured to other key sizes, based on the security level and the hardware 
resources required by the targeted application.  
 
5. The current version of the proposed cryptosystem does not include on-chip 
ECC system parameter generation or RSA key pair generation. The 
current version is able to sign / verify and encrypt / decrypt a file limited to a 
size of not more than 512 MB and 4 GB, respectively. A file larger than 
these sizes needs to be chopped into multiple smaller files. 
 
6. The cryptosystem is validated by a secure e-document application through a 
Local Area Network (LAN). 
 
 
 
 
1.5 Research Contribution and Project Delivery 
 
 
1. Advanced security processor hardware for next-generation IT security is 
proposed. It incorporates a 32-bit RISC embedded general-purpose Nios 
processor together with six IP modules: ECC, RSA, SHA, AES, 
LZSS and MAP. 
 
2. A systematic approach is introduced and established for designing an embedded 
system in an SoC environment based around the Altera NIOS™ embedded 
processor using hardware/software codesign techniques. 
 
3. An application demonstration prototype is delivered in the form of an examination 
security application, which demonstrates the transfer of a confidential 
document through an insecure electronic network. 
 
 
 
 
 
 
 
 
 
  
1.6 Thesis Organization 
 
 
The thesis is organized into eight chapters. The first chapter introduces the 
motivation, research objectives, research scope and research contribution, together 
with the thesis organization. 
 
 
Chapter 2 reviews the background of the research. Related works in 
this field are presented. A summary of the literature review is given to clarify the 
research rationale. 
 
 
Chapter 3 describes the research methodology, system design procedures and 
application tools that have been used in this research.  
 
 
Chapter 4 presents the design of a hybrid cipher cryptosystem for message 
encryption, while Chapter 5 presents the design of an ECC-based public key digital 
signature cryptosystem. These two chapters discuss the designs in terms of hardware block 
design, device driver and API development. 
 
 
Chapter 6 reports the hardware test and performance studies on the proposed 
hybrid encryption cryptosystem and public key digital signature cryptosystem and 
their related coprocessors. A comparison between the proposed embedded cryptosystem 
and previous implementations is made. 
 
 
Chapter 7 describes the software development of the application demonstration 
prototype, which is a real-time e-document transmission via an insecure channel. This 
application demonstration prototype is used to test the functionality of the embedded 
cryptosystem, as well as the embedded device drivers and APIs. 
 
 
In the final chapter, the research work is summarized and potential future 
work is outlined. 
