1372 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMSI: REGULAR PAPERS, VOL. 62, NO.
5, MAY 2015
A Heterogeneous Multicore Crypto-Processor With
Flexible Long-Word-Length Computation
Jun Han, Member, IEEE, Renfeng Dou, Lingyun Zeng, Shuai Wang, Zhiyi Yu, Member, IEEE, and
Xiaoyang Zeng, Member, IEEE
AbstractA domain specic multicore processor for public-key
cryptography is proposed in this paper. This processor provides
exible and efcient computation for various forms of RSA and
ECC algorithms, fullling low-latency or high-throughput require-
ments of different application scenarios. By using a heterogeneous
multicore architecture, the proposed processor enables high speed
parallel implementations of kernel arithmetics of public-key algo-
rithms. A long-word-length modular multiplication can be parti-
tioned into parallel tasks executed by the high performance mul-
tipliers distributed in multiple cores. Some dedicated communica-
tion mechanisms minimize inter-core data transferring latencies
of the processor. The proposed processor is implemented under
TSMC 65 nm LP CMOS technology. Experimental results show
that our design outperforms previous works based on varied plat-
forms in performance, for instance, it can complete a 1024-bit RSA
encryption in 0.087 ms at 960 MHz. Moreover, we also study the
area reduction techniques for proposed multicore processor from
the perspectives of algorithm, architecture, and circuit.
Index TermsCryptography, ECC, modular multiplication,
multicore, RSA.
I. INTRODUCTION
C LOUD computing as an evolutionary computing tech-
nology has become more and more popular in recent years.
While it brings economic benets, some challenges still need
to be solved. Cloud data security and privacy protection are the
most concerning obstacles impeding the wide adoption of cloud
computing [1], especially for business applications under public
clouds [2]. Several researchers have discussed the security issues
of cloud computing in detail [3], [4], and solutions proposed
in [5], [6] demonstrate that public-key cryptography can be
the infrastructure to preserve the condentiality, integrity, and
authenticity of data and communications. Since one node in a
cloud might face numerous requests of secure services, a high-
throughput scheme to process public-key ciphers is desired.
In wireless communication, public-key ciphers like RSA,
Elliptic-Curve Cryptography (ECC), also play an important
role. For example, in the emerging applications like WiMAX,
Manuscript received June 05, 2014; revised September 15, 2014; accepted
February 13, 2015. Date of publication April 06, 2015; date of current version
April 28, 2015. This work was supported by the National Natural Science Foun-
dation of China under Grant 61176023 and Grant 61234002, and in part by the
Project of State Key Laboratory of ASIC and System under Grant 11MS005.
This paper was recommended by Associate Editor V. Chandra.
The authors are with the State Key Laboratory of ASIC and Systems,
Fudan University, Shanghai 201203, China (e-mail: junhan@fudan.edu.cn;
rdou12@fudan.edu.cn; 13210720074@fudan.edu.cn; 09210720068@fudan.
edu.cn; zhiyiyu@fudan.edu.cn; xyzeng@fudan.edu.cn).
Color versions of one or more of the gures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identier 10.1109/TCSI.2015.2407431
1549-8328 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
femicell, and ubiquitous computing, the devices of access point
(AP) or small base station should provide high-security and
low-latency authentication and authorization services [7]. If
these security services cannot be low-latency, the quality of
delay-sensitive applications such as streaming audio/video and
IP telephony might be greatly affected when a user moves from
one AP to another.
For most cryptographic applications, high security strength
becomes more and more necessary, as for the improved com-
puting ability and new attack methods. This demands to use
large-size keys as well as the countermeasures against potential
threats such as power analysis attack [8]. However, the work-
loads of public-key ciphers are dramatically enlarged along with
the increment of key size. The anti-attack algorithms of [8] re-
quire extra computation overheads.
Hardware platforms are expected to be more powerful to
meet the requirements of high-throughput, low-latency, and
high-security. Moreover, security applications evolve fast and
new cryptographic protocols will require support in the future.
A platform must implement different algorithms and offer cer-
tain freedom for software development. The exibility makes
the hardware implementation problem more difcult.
A general purpose processor (GP) is the most exible platform
but fails to meet the performance requirements. This kind of plat-
form is inefcient to support the kernel arithmetics of public-key
ciphers such as long-word-length operations. Besides, the energy
efciency of GP is unacceptable in many application scenarios.
Opposite to GP, ASIC can provide highest performance and
achieve best energy efciency. However, the ASIC implemen-
tations dedicated to specic applications offer the lowest ex-
ibility. Under nanoscale technology, fabricating ASIC chip for
each application leads to extremely high cost. There are many
attempts to improve the adaptiveness of ASIC designs; for ex-
ample, several ECC processors presented in [8][11] support
both binary and prime eld with different sizes. Nevertheless,
ASIC implementations will not provide the true programma-
bility that enables efcient software development.
A graphic processing unit (GPU) possesses abundant com-
putation resources, and it can run a lot of threads in parallel to
achieve high throughput for cryptographic services. Neverthe-
less, executing multiple tasks on GPU does not shorten the latency
of a single task. For instance, an RSA-1024 exponentiation in
[12] has a latency of 6930 ms at working frequency of 1.35GHz.
Public-key calculations, such as RSA and ECC, contain thou-
sands of modular multiplications. Due to data dependencies, a
large proportion of these multiplications cannot be executed in
parallel. Therefore, a single user of RSA or ECC authentication
must wait considerable time, although the high-throughput
platform processes many users' requests concurrently.
HAN et al.: A HETEROGENEOUS MULTICORE CRYPTO-PROCESSOR WITH FLEXIBLE LONG-WORD-LENGTH COMPUTATION
To adopt multicore architecture rather than to increase the
complexity of a single core can be an effective solution to boost
the performance of a platform with better energy efciency
[13]. Multicore architecture has the inherent merits of parallel
speedup, programmability, and low power density. Several
previous works have studied how to map the public-key algo-
rithms, such as RSA, onto multicore platforms of homogeneous
architecture [14], [15]. Data-computation-dominated tasks and
control-ow-dominated tasks cannot be both well supported
by the homogeneous architecture. Heterogeneous architectures
have been widely exploited in recent years to address this
problem. For example, AMD's heterogeneous system architec-
ture (HSA) delivers improvement across power, performance,
programmability, and portability by using heterogeneous com-
puting units [16].
From cryptographic applications, the main challenge to mul-
ticore architecture is how to implement computations with long-
word-length operands as well as support exible control ow
and parallelism exploitation for algorithms. In this paper, we in-
vestigate what architecture improvements can manage this kind
of challenge and show experimental results toward public-key
ciphers. Our contributions are highlighted here:
We present a low-latency scheme for iterative long-word-
length data computations. Modular multiplication (MM),
which is the kernel of public-key algorithms, always has
long-word-length operands and causes heavy calculation
loads. Using a multicore platform, executing multiple inde-
pendent MMs in parallel is a straightforward way to offer
high throughput. However, it is difcult to accelerate a
single MM to enable real time security services. So in this
paper three approaches to reducing the latency of MM are
proposed for a multicore platform:
1) A high speed modular multiplier is developed as the
critical component of each processing element (PE),
achieving both high working frequency and less itera-
tion cycles.
2) The cooperation of multiple PEs realizes the parallel
execution of a single MM.
3) Dedicated inter-core communication mechanisms
speed up data transferring that can be a performance
bottleneck of parallel computation.
We present a heterogeneous multicore architecture for a
cryptographic processor. Domain specic multicore pro-
cessors are developed for many applications but not well
studied for cryptography. To design a real cryptographic
processor, it is important to balance the exibility and the
computation capability. We decouple the regular tasks of in-
tensive computation from the irregular tasks of high-level
control and allocate different tasks to heterogeneous cores.
This accelerates the performance of the cryptographic pro-
cessor and eases the software development.
We propose several area reduction techniques for the
multicore processor implementing public-key ciphers.
Although parallelization increases the energy efciency,
it results in the high area cost that becomes a big chal-
lenge for multicore system. Area reduction techniques
are useful to save the total fabrication cost of multicore
processors, about which four aspects are studied in this
paper, such as improving the algorithm of Montgomery
1373
modular multiplication with quotient pipelining (MMQP),
employing a folded carry save adder (CSA) in the modular
multiplier, using a shared register le to avoid operands
duplication, and simplifying the hardware complexity
of PE by reducing its capacity of program control and
memory access.
This paper is organized as follows. In Section II, an improved
MMQP algorithm is introduced, based on which hardware struc-
ture and parallel implementation can be developed. The mi-
croarchitecture and hardware design of the proposed processor
will be shown in Section III. Instruction set architecture (ISA)
and the parallelization of applications will be detailed in Sec-
tion IV. In Section V, experimental results are provided and
used to make comparison with related works. Finally, the con-
clusion is obtained in Section VI.
II. IMPROVED MONTGOMERY MODULAR MULTIPLICATION
ALGORITHM
A. Original MMQP Algorithm
Montgomery MM algorithm was proposed by Peter L. Mont-
gomery to avoid the division by modulus [17]. This algorithm
dramatically reduces the computation complexity and has be-
come the dominant method for both software [18], [19] and
hardware implementations [20], [21]. MMQP algorithm pro-
posed by Orup [22], as shown in Algorithm 1, is a variant of
original Montgomery algorithm, which simplies the quotient
determination and allows the quotient pipelining in hardware
design. The drawback of this algorithm is the bit-extension for
operands in Montgomery eld. The operands must extend their
bit-width to that increases by bits compared to ,
which is also called the eld size of normal Montgomery algo-
rithm. This extension leads to non-negligible overhead, espe-
cially in high-radix modular multipliers where the radix al-
ways has a relative large value.
Algorithm 1 Original MMQP algorithm [22]
Input:
, ,
, where , for
, , is Modulus with
. Positive integers , such that ,
i.e., , if is the bit width of .
Output:
mod ,
where , .
1: ;
2: for to
3: mod ; {quotient determination step.} and
are the th words of quotient and result, respectively.
4: div ; {reduction step.}
5: end for
6: .
1374 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMSI: REGULAR PAPERS, VOL. 62, NO. 5, MAY 2015

B. Improved MMQP Algorithm

We propose an improved MMQP algorithm, shown as Algo-
rithm 2, which has a lower upper bound of output than the orig-
inal algorithm. Thus the bit width of operands used by MMQP
can be reduced.

Algorithm 2 Proposed improved MMQP algorithm

Input:
, ,
, , where
, , ,
Fig. 1. Overall heterogeneous multicore architecture.
. Positive integers , such that
.
Then, it can be rewritten to (2) by using several premises, such
Output: as that is inferred from the line 3 of
mod , where . the algorithm, and
, which are both derived from
1:
. By iteratively using the line 4 of the al-
2: for to gorithm, from to , and considering the conditions
, , and , (2) can be transformed into
3: mod ; {quotient determination step} (3). The nal result of the algorithm, , can be computed
4: div ; {reduction step} by (4), if the line 6 of the algorithm replaces the with its
expression in (3). Notice that
5: end for
, , and . Therefore
6: . can be proved based on (4), where
.
1) Correctness: Following the procedures in [22], we prove 2) Input and Output Range: Given ,
the correctness of the proposed algorithm. According to the line we can prove that the output of the proposed algorithm is con-
4 of Algorithm 2, can be calculated through (1). strained by . Based on (4), we get
(5)
Using the preconditions of Algorithm 2, and
, is got. Applying this constraint
(1) to (5), we obtain the upper bound of such that
(6)
3) Advantages: The output of the improved algorithm has
(2) the upper bound of much lower than that is
required by the original version. This reduction shortens the bit
width of operands of MMQP by and thus leads to two
implementation advantages. First, if parameter in the orig-
inal and improved algorithm being represented by and ,
respectively, must be smaller than , given same radix .
This is because can be lower than , according to
and . So the improved algo-
rithm has less iterations and results in more efcient computa-
(3) tion than the original one, given a xed . Second, the data path
of the high-radix multiplier implementing MMQP as well as the
register les that store the operands occupy less area, since the
improved algorithm saves bits in the width of operands.

III. MICROARCHITECTURE OF PROPOSED MULTICORE

PROCESSOR

A. Overall Heterogeneous Multicore Architecture

The overall architecture of the proposed processor consists
(4) of two clock domains responsible for different functionalities.
HAN et al.: A HETEROGENEOUS MULTICORE CRYPTO-PROCESSOR WITH FLEXIBLE LONG-WORD-LENGTH COMPUTATION
Fig. 2. The architecture of 5-stage processing element.
As shown in Fig. 1, the high and low frequency domains con-
tain four PEs and a RISC core, respectively. These heteroge-
neous cores have different hardware structures in order to sup-
port various tasks. Surrounding the inter-core communication
modules, four PEs work at high frequency to perform the in-
tensive but regular computation for public-key ciphers. In con-
trast, the RISC core runs relatively slow, dealing with the ir-
regular tasks, such as high-level control ows of public-key ci-
phers, memory initialization, and IO services. These two clock
domains are connected by asynchronous FIFOs, through sev-
eral of which the RISC core sends commands, named macro
instructions, to the PEs in order to direct their computations.
On the other hand, one of these FIFOs can serve as the channel
between the data memory of RISC core and the shared regle,
which is the common storage area for the PEs.
B. Processing Element
In the multicore architecture, PE is a programmable building
block that provides high performance arithmetic calculations,
such as long-word-length modular multiplication and addition,
for public-key algorithms. It has a RISC-like 5-stage pipeline
architecture equipped with a dedicated modular multiplier.
1) Pipeline Architecture: PE can be divided into 5 pipeline
stages, such as instruction fetch , instruction decode , stages of calculation the whole results of the 292-bit addition
rst execution , second execution , and write
back , as illustrated in Fig. 2. Compared with a classical
RISC pipeline, we remove the memory stage since PE doesn't
access data memory and only manipulates operands in private
and shared regles. Moreover, PE needs to perform the long-
word-length addition of 292-bit. For decreasing the critical path
delay of adder circuits, two execution stages ( , ) are
employed.
At stage, 32-bit instructions are fetched from an instruc-
tion memory. In fact these instructions serve as the microcodes,
which can be translated from the macro instructions sent by the
RISC core managing high-level control ows. At stage, if
an instruction for PE is decoded, operands reading, operands
pre-computing, and modular multiplier conguration are per-
formed in the same cycle. A PE instruction has at most 3 source
operands that might be read from the private or shared regle.
The private regle can provide 3 operands through its 3 reading
ports, while the shared regle only provides one operand for one
PE. Arithmetics with 3 operands, such as
, are imple-
mented by PE, so at stage we also place some pre-computing
logics to merge three operands into two ones. Implemented by a
shift unit with type 1 (SU1), two shift & inversion units (SIU),
1375
Fig. 3. FCSA architecture. (a) Original CSA; (b) The data ow of FCSA at the
rst cycle; (c) The data ow of FCSA at the second cycle.
and a CSA compressor as shown in Fig. 2, these logics simplify
the calculation in subsequent stages. To dene the operands se-
lection signal and operation type for modular multiplications,
PE must set up the modular multiplication unit (MMU) con-
guration register (MMCR) at this stage. The modular multi-
plier operates with the own independent pipeline, but it receives
operands and conguration information at stage.
At and stages, the long-word-length additions
are performed. Each stage has a 146-bit adder that processes
the high or low half part of a 292-bit operand, and after two
are available at stage. The instructions like branch if equal
are execute in the stage by checking the equality
of operands. Notice that multiple PEs can cooperate to add up
long-word-length operands, thus the carries of addition must
be latched at stage and transferred among PEs. At
stage, the result will be adjusted by a shift unit with type 2 (SU2)
and then written back to the private or shared regle.
2) High Performance Montgomery Modular Multiplier: In
PE, the modular multiplier is the fundamental unit to support
high-throughput and low-latency public-key applications. It im-
plements Algorithm 2 that aims at high performance and area re-
duction. Folded CSA architecture is adopted in this multiplier,
making better trade-off between performance and area. It im-
plements Algorithm 2 and adopts a folded CSA (FCSA) archi-
tecture to make trade-off between performance and area. More-
over, the multipliers on different PEs have extension interfaces
to connect each other, whereby they can work together to com-
plete a long-word-length MM with low latency.
a) FCSA tree: Considering long-word-length operands
used in Algorithm 2, compressing partial products straight-
forwardly can result in a large CSA tree. This causes a long
critical path delay as well as a high area cost. Instead, we fold
the compressor tree of CSA as demonstrated in Fig. 3. The
1376 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMSI: REGULAR PAPERS, VOL. 62, NO. 5, MAY 2015

compression completes in two cycles, but the hardware cost,

i.e., the number of full adders (FAs), is lowered.
b) Pre-computation and partial products generation: The
number of partial products exerts a strong inuence upon the
hardware complexity of a modular multiplier. As seen in the
line 4 of Algorithm 2, partial products need to be compressed
because and are -bit numbers. However, the number
of partial products can be reduced to if using pre-computation.
The combinations of the th, , bits of and
are , which lead to combined partial products
, respectively. So in the proposed multiplier,
we reduce the partial products by 50% through pre-computing
the parameter and using the bit codes of both and
to select inputs.
c) Pipelined multiplier architecture: Fig. 4 shows the pro-
posed Montgomery modular multiplier, the main data path of
which is a pipelined compressor tree based on FCSA. The mul-
tiplier has ve inputs, , , , , and , provided Fig. 4. Proposed FCSA-based modular multiplier with extension interface.
by some special registers in the private or shared regle. ,
bits of produced by slice generator, and other four inputs
as well as parameter are used to generate 24 partial prod-
ucts. Notice that although the bit-width of is 288, the partial
products are extended to 320-bit for compression. So the FCSA
tree has a 160-bit width, one-half less than that of partial prod-
ucts. The FCSA tree is partitioned into two stages. In the rst
stage, 24 partial products are merged into 8 ones and latched
into an -bit pipeline register. Then in the second stage, Fig. 5. Switch network for broadcasting.
the 8 results of previous stage and the generated by former
Moreover, the distributed tasks need to duplicate some common
iteration are compressed into 3 results. Since the partial product
operands in the PEs they are allocated to, requiring extra
compression is handled part by part, each result register divided
storage area. Therefore we propose inter-core communication
into two components, such as and , to cap-
mechanisms including broadcast, forwarding, reducing
ture corresponding results. Given and , this
communication latency and area cost.
multiplier is an implementation of Algorithm 2, and it needs
1) Data Dependencies of Distributed MM Computation and
cycles to complete the multiplication since one it-
Real Time Data Transferring: As analyzed in [15], and
eration of the algorithm costs two cycles in average. Compared
dependencies strongly impact the latency of a long-word-length
to a non-pipelined FCSA-based compressor, the pipeline archi-
MM, which is partitioned into tasks distributed among different
tecture almost makes no change to the total cycles of the mul-
cores. To minimize the penalties due to data dependencies, we
tiplication but decreases the critical path delay of the multiplier
propose dedicated mechanisms to transfer and in real
from to , where is the latency of a full
time.
adder. Therefore the high working frequency can be achieved,
First, the extension interface in the multiplier mentioned
and the time delay for the multiplication is shortened. Basically,
above can forward the low 24 bits of immediately. The bene-
this multiplier executes the 288-bit MMQP, but multiplications
ts of this forwarding will be illustrated in Section IV. Second,
with much longer bit width are supported by the cooperation of
a switch network to broadcast is developed. Without corre-
multiple multipliers.
sponding , the block-level tasks of distributed MM cannot
d) Extension interface: The multipliers of different PEs
start. In stead of transferring sequentially through normal
can cooperate with each other, executing an MMQP with very
communication channels in multicore processors such as FIFO,
long bit-width, such as 552 and 1056. Therefore, one multiplier
broadcasting in real time can cut down the communica-
must transfer signals to the other multipliers when they are con-
tion latency and thus speedup the parallel computation. The
currently executing the tasks composing a single MMQP. Some
hardware structure of the congurable switch network for
input and output signals are employed by the multiplier to fulll
broadcasting is shown in Fig. 5. The selection bits from the
this requirement, as shown in Fig. 4. The output signals include
MMCR registers of PEs, , determine
the 24-bit and the low 24-bit of the , while the input sig-
which input is used for MM computing. For example, if
nals comprise the corresponding bits of and from the mul-
two-way MM-521 s are executed, and can
tiplier in another PE. These signals form an extension interface.
be selected to drive and , respectively. As
for MM-1024, can be selected to drive ,
C. Inter-core Communication Mechanism
, and .
To compute parallel tasks distributed among multiple PEs 2) Low Cost General Purpose Inter-core Communication
is an approach of performance acceleration. However, the and Synchronization: As shown in Fig. 6, shared regle that
inter-core communication overheads caused by data dependen- contains 16 288-bit registers is employed to avoid operands
cies can increase the total latency of a public-key algorithm. duplication as well as facilitate inter-core communication. To
HAN et al.: A HETEROGENEOUS MULTICORE CRYPTO-PROCESSOR WITH FLEXIBLE LONG-WORD-LENGTH COMPUTATION
Fig. 6. The structure and interface of shared regle.
Fig. 7. Global synchronization module and an illustration of synchronization
hit generation for PE0.
compute RSA and ECC algorithms through distributed tasks,
some parameters, such as and used in MMQP, must be
shared among these tasks. Moreover, one operand of MM, such
as in Algorithm 2, might be used by several PEs. Duplicating
these long-word-length variables in every PE requires a large
amount of storage area. To save cost, we use the shared regle
as a common data pool that provides parameters or operands
to multiple PEs. For instance, the registers to store
the operand for all PEs while they are computing a 1024-bit
MM. Fig. 6 illustrates that the shared regle is connected to 4
PEs as well as the RISC core by ve read/write ports. Registers
are placed in the front of the read ports in order to prevent
PEs from suffering a long path delay of operand fetching. This
shared regle can also be used as a general purpose channel to
exchange data between PEs. For example, PE0 writes a value
in , and then other PEs can fetch the value by accessing
the directly. This kind of channel can implement exible
communication schemes, such as unicasting, multicasting, and
broadcasting. Because the shared regle acts as both data pool
and inter-core channel, the hardware is highly reused.
Two PEs independently accessing the same register in the
shared regle might cause read-after-write (RAW) hazards.
To synchronize actions of PEs, we propose a cycle-accurate
global synchronization module (GSM). As shown in Fig. 7,
each PE is assigned a 4-bit register to latch the synchronization
bits contained in a synchronization instruction. These bits from
right to left correspond to the synchronization requests of PE0,
PE1, PE2, and PE3, respectively. Taking the synchronization
between PE0 and PE1 as example, PE1 sets the PE1.Sync.Bits
1377
TABLE I
INSTRUCTION SET ARCHITECTURE OF PE
in GSM with value 0011. The PE1 will stall its computation
until PE0 also sets the same value in PE0.Sync.Bits. As long as
two PEs specify same synchronization bits, a hit signal will be
generated by the simple circuit in GSM to inform a successful
synchronization to both PEs.
IV. INSTRUCTION SET ARCHITECTURE AND PARALLELISM
EXPLOITATION FOR APPLICATIONS
A. Instruction Set Architecture
PE has a simple but dedicated ISA as shown in Table I.
This ISA provides special arithmetic and modular multipli-
cation instructions to realize high performance cryptographic
computations. and implement operations like
, while and support opera-
tions like . Here, an instruction
with the postx can put the highest 28 bits of its result into
carry registers, which will be used by an instruction issued on
another PE. , , , and are
instructions to perform varied-word-length MMs. can
be executed on a single PE, while the others require two or
four PEs performing calculations simultaneously. In fact, the
instruction is a package including four instructions
, , , and ,
each of which represents an operation like . Notice
that the instructions for MM have the postxes to specify
quotient selection and shift-enable signals. For example, a PE
executing should get the quotient from PE0 and
receive the value of shifted by its neighbor.
, , , , and represent the
branch if equal, branch if not equal, branch if less than zero,
branch if great than or equal to zero, and jump instructions,
respectively. instruction is used to stall the pipeline of
the PE until it receives a macro instruction from the RISC core.
can also freeze the PE, waiting for the accomplish-
ment of MMU's operation. and set
ags to inform the RISC core for the status of a task allocated to
PEs. instruction is used for the synchronization among
PEs by setting the registers in GSM shown in Fig. 7. Only
simple branch and control instructions are included in the ISA,
and complex program control mechanisms, such as stack main-
tenance and interruption handling, aren't supported by PEs.
Besides, this ISA removes instructions for data memory access,
since all operations in PEs only manipulate the variables in a
private regle (PR), as shown in Fig. 8, or the shared regle
and the data exchange between the shared regle and a memory
unit is managed by the RISC core. These simplications can
indeed reduce the hardware complexity of PEs.
B. Parallel Long-Word-Length MMs
With the proposed ISA, the parallel versions of long-word-
length MMs can be implemented on four PEs. For example,
1378 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMSI: REGULAR PAPERS, VOL. 62, NO. 5, MAY 2015
Fig. 8. Private regle elements and special connections.
Fig. 9. Assemble program sample for parallel implementation of MM-1024.
Fig. 9 shows the assemble program for MM-1024 using the in-
structions dedicated to PEs. This program is developed based
on Algorithm 3 that is the parallel form of MM-1024 derived
from Algorithm 2. The kernel execution ow of this parallel
algorithm on four PEs is illustrated in Fig. 10. Using multipli-
cand-based partitioning, we divide MM-1024 into several com-
putation tasks and evenly distribute them to four cores. Thus,
PEs will compute their tasks in parallel and a high speedup ratio
for MM-1024 can be expected. It is worth to point out that the
necessary communication and cooperation among PEs are ef-
cient. Without receiving generated in PE0, all PEs cannot
continue their computations. Using the switch network shown
in Fig. 5 to broadcast immediately can minimize the time
overhead due to this data dependency. PE0, PE1, and PE2 also
require the adjacent PE at their right side to provide . The real
time forwarding through the extension interface of each PE
removes the possible stalls in PEs that are caused by transfer-
ring through slow communication channels. At the end of the
parallel algorithm (line 16 to 19), some computations must be
carried out across different PEs to obtain the nal result. This
kind of cooperative computations can be implemented by spe-
cial arithmetic and synchronization instructions. As we can see
in Fig. 9, and instructions perform additions
with carry propagation and the instructions enable four
PEs keeping the sequential execution order of these additions
required by the data dependency of the algorithm.
C. Parallel ECC
Elliptic curve scalar multiplication (ECSM) is used to per-
form a multiplication map on an elliptic curve, taking a point
to by a private key . The ECSM can be implemented
by left-to-right (LR) double-and-add (DA) binary method [8].
Several previous works have studied the parallelization of ECC
algorithm. For instance, in [23], Jyu-Yuan Lai et al. proposed
a two-phase scheduling methodology that leads to the efcient
ECC design. Like [23], we exploit the parallelism among ECC
operations (curve and eld arithmetics) through task scheduling
based on our multicore architecture. The experimental results of
the parallel implementation are demonstrated in the following
section.
V. EXPERIMENTAL RESULTS
We have realized two implementations of the multicore pro-
cessor for public-key applications: Design I, our earlier work
[24], and Design II, the improved version. Under TSMC 65 nm
LP CMOS technology, Design I has been fabricated and Design
II is implemented by using Synopsys IC Compiler. The perfor-
mance and power of Design II are obtained from post-layout
simulation and evaluation.
A. Benefits of The Improved MMQP Algorithm
Benets of the improved MMQP algorithm can be demon-
strated by comparing the implementation results of two MMUs
based on Algorithm 1 and Algorithm 2, respectively. Synthe-
sized under same constraints, the MMU with the improved al-
gorithm can obtain 10% reduction on both area and execution
cycles for MM-256, compared to the one with the original algo-
rithm, as shown in Fig. 11. With respect to area-time product, a
1.2 improvement has been achieved by the one with a reduced
bit width of data path and less iterations. Moreover, by using the
improved algorithm, the data width of regles of our processor
is decreased from 312 bits to 288 bits, which makes regles re-
duce their area by about 10%.
B. Comparison with Related Works
Experimental results demonstrate that the proposed designs
achieve the goal of providing both high-throughput and low-
latency computation for public-key algorithms.
HAN et al.: A HETEROGENEOUS MULTICORE CRYPTO-PROCESSOR WITH FLEXIBLE LONG-WORD-LENGTH COMPUTATION 1379

Fig. 10. Parallel execution of kernel iteration of MM-1024 cooperatively by four PEs.

TABLE II
PERFORMANCE COMPARISON WITH RELATED WORKS ON ECC OVER

We choose the author's result under Jacobian coordinates for a fair comparison.

of 305 ms. LR-DAA and RL-DAA ECSM algorithms are

Fig. 11. Performance improvements for MM-256 by using improved MMQP
algorithm compared with the original algorithm.
1) ECC: The comparison results for ECC algorithms are
listed in Table II. Implementing conventional LR-DA ECSM
algorithm, design I and II have higher throughput than the
software implementation on AMD Opteron 252 server CPU
working at 2.6 GHz [25]. Design I and II also outperform the
GPU based work [12] in both throughput and latency. The
GPU implementation achieves the throughput of 1429 op/s
with eld size of 224, which represents the number of ECSM
operations per second, but each operation suffers a long latency
well-known countermeasures against power analysis attacks
[8], [11]. LR-DAA ECSM can resist not only SPA attack but
also DPA attack if using a randomized base point technique.
RL-DAA ECSM is a security-enhanced algorithm to defeat
doubling attack, As illustrated by Table II, design II also
achieves much higher performance in running LR-DAA and
RL-DAA ECSM algorithms, compared to previous works.
Although the anti-attack algorithms introduce extra operations
to disable side channel leakage and require more intensive
computations, the proposed multicore processor can also speed
up them because of its parallel hardware resources.
2) RSA: The comparison results for RSA algorithms are
shown in Table III. Our designs obtain higher throughput of
the RSA exponentiation using Montgomery Ladder method
than the GPU implementation [12]. Meanwhile, Design II has
the much lower execution latency of a single exponentiation.
For example, Design II only needs 0.434 ms for a 1024-bit
exponentiation, while the GPU implementation costs 6930 ms.
Design II also outperforms two ASIC implementations [26],
[27] in the speed of executing the RSA exponentiation using
1380 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMSI: REGULAR PAPERS, VOL. 62, NO. 5, MAY 2015
TABLE III
PERFORMANCE COMPARISON WITH RELATED WORKS ON RSA
CIOS modular exponentiation.
The layout area including macro cells is represented with , and the core area of logic gates is counted by KGates. In [27] the total number of
transistors, 804 k, is presented, and we convert it to KGates by dividing with 4.
Fig. 12. Area reduction compared with our previous design I.
CRT and Montgomery Ladder method, respectively. Mont-
gomery Ladder method [28] is deemed to be a technique with
enhanced resistance to side channel attacks. Our design II can
speed up the RSA implementation using this kind of technique.
3) Design II vs. Design I: Table II and III show that design
II obtains better performance of executing ECC-256, ECC-521,
RSA-1024, and RSA-2048 than design I. Moreover, design II
saves 36% layout area with respect to the physical implementa-
tions of two designs, as shown by Fig. 12. This is attributed to
that it cuts down 10% logic gates, reduces memory blocks and
volumes (from 64 KB to 40 KB), and has a higher standard-cell
utilization in layout than design I.
VI. CONCLUSION
This paper proposes a heterogeneous multicore processor that
is devoted to computing public-key algorithms. It can fulll
varied requirements according to specic application scenarios,
providing both low-latency and high-throughput cryptographic
computation. High performance of long-word-length MMs is
achieved by using efcient modular multipliers and employing
fast inter-core communication. Moreover, algorithm, architec-
ture, and circuit approaches for area reduction are studied to
save the fabrication cost of this processor.
REFERENCES
[1] H. Takabi, J. B. Joshi, and G.-J. Ahn, Security and privacy challenges
in cloud computing environments., IEEE Security Privacy, vol. 8, no.
6, pp. 2431, 2010.
[2] P. Hofmann and D. Woods, Cloud computing: the limits of public
clouds for business applications, IEEE Internet Comput., vol. 14, no.
6, pp. 9093, 2010.
[3] L. M. Kaufman, Data security in the world of cloud computing, IEEE
Security Privacy, vol. 7, no. 4, pp. 6164, 2009.
[4] S. Ramgovind, M. M. Eloff, and E. Smith, The management of se-
curity in cloud computing, in Proc. IEEE Inf. Security South Africa
(ISSA 2010), pp. 17.
[5] C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-preserving public
auditing for data storage security in cloud computing, in Proc. IEEE
INFOCOM 2010, pp. 19.
[6] D. Zissis and D. Lekkas, Addressing cloud computing security is-
sues, Fut. Gener. Comput. Syst., vol. 28, no. 3, pp. 583592, 2012.
[7] D. He, C. Chen, S. Chan, and J. Bu, Secure and efcient handover au-
thentication based on bilinear pairing functions, IEEE Trans. Wireless
Commun., vol. 11, no. 1, pp. 4853, 2012.
[8] J.-W. Lee, S.-C. Chung, H.-C. Chang, and C.-Y. Lee, Efcient
power-analysis-resistant dual-eld elliptic curve cryptographic pro-
cessor using heterogeneous dual-processing-element architecture,
IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 22, no. 1, pp.
4961, Jan. 2014.
[9] J.-Y. Lai and C.-T. Huang, A highly efcient cipher processor for
dual-eld elliptic curve cryptography, IEEE Trans. Circuits Syst. II,
Exp. Briefs, vol. 56, no. 5, pp. 394398, 2009.
[10] J.-Y. Lai and C.-T. Huang, Energy-adaptive dual-eld processor for
high-performance elliptic curve cryptographic applications, IEEE
Trans. Very Large Scale Integr. (VLSI) Syst., vol. 19, no. 8, pp.
15121517, 2011.
[11] J.-W. Lee, Y.-L. Chen, C.-Y. Tseng, H.-C. Chang, and C.-Y. Lee, A
521-bit dual-eld elliptic curve cryptographic processor with power
analysis resistance, in Proc. ESSCIRC, Sep. 2010, pp. 206209.
[12] R. Szerwinski and T. Gneysu, Exploiting the power of GPUs for
asymmetric cryptography, in Proc. Cryptogr. Hardware Embedded
Syst. (CHES 2008), pp. 7999.
[13] D. Geer, Chip makers turn to multicore processors, Computer, vol.
38, no. 5, pp. 1113, May 2005.
[14] Z. Chen and P. Schaumont, A parallel implementation of Montgomery
multiplication on multicore systems: Algorithm, analysis, prototype,
IEEE Trans. Comput., vol. 60, no. 12, pp. 16921703, Dec 2011.
[15] J. Han, S. Wang, W. Huang, Z. Yu, and X. Zeng, Parallelization of
radix-2 Montgomery multiplication on multicore platform, IEEE
Trans. Very Large Scale Integr. (VLSI) Syst., vol. 21, no. 12, pp.
23252330, Dec. 2013.
[16] L. Su, Architecting the future through heterogeneous computing, in
IEEE Int. Solid-State Circuits Conf. Dig. Tech. Papers (ISSCC), Feb.
2013, pp. 811.
[17] P. L. Montgomery, Modular multiplication without trial division,
Math. Comput., vol. 44, no. 170, pp. 519521, 1985.
[18] . K. Ko, T. Acar, and B. S. Kaliski Jr, Analyzing and comparing
Montgomery multiplication algorithms, IEEE Micro, vol. 16, no. 3,
pp. 2633, 1996.
[19] J. Fan, K. Sakiyama, and I. Verbauwhede, Montgomery modular mul-
tiplication algorithm on multi-core systems, in Proc. IEEE Workshop
Signal Process. Syst. 2007, pp. 261266.
[20] T. Blum and C. Paar, Montgomery modular exponentiation on recon-
gurable hardware, in Proc. 14th IEEE Symp. Comput. Arith. 1999 ,
pp. 7077.
HAN et al.: A HETEROGENEOUS MULTICORE CRYPTO-PROCESSOR WITH FLEXIBLE LONG-WORD-LENGTH COMPUTATION
[21] S. E. Eldridge and C. D. Walter, Hardware implementation of Mont-
gomery's modular multiplication algorithm, IEEE Trans. Comput.,
vol. 42, no. 6, pp. 693699, 1993.
[22] H. Orup, Simplifying quotient determination in high-radix modular
multiplication, in Proc. IEEE 12th Symp. Comput. Arith. 1995, pp.
193199.
[23] J.-Y. Lai and C.-T. Huang, Elixir: High-throughput cost-effective
dual-eld processors and the design framework for elliptic curve
cryptography, IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol.
16, no. 11, pp. 15671580, Nov. 2008.
[24] S. Wang, J. Han, Y. Li, Y. Bo, and X. Zeng, A 920 Mhz quad-core
cryptography processor accelerating parallel task processing of
public-key algorithms, in Proc. IEEE Custom Integr. Circuits Conf.
(CICC), 2013, pp. 14.
[25] P. Longa and C. Gebotys, Efcient techniques for high-speed elliptic
curve cryptography, in Proc. Cryptogr. Hardware Embedded Syst.
(CHES 2010), pp. 8094.
[26] A. Miyamoto, N. Homma, T. Aoki, and A. Satoh, Systematic de-
sign of RSA processors based on high-radix Montgomery multipliers,
IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 19, no. 7, pp.
11361146, Jul. 2011.
[27] B. Devlin, M. Ikeda, H. Ueki, and K. Fukushima, Completely
self-synchronous 1024-bit RSA crypt-engine in 40 nm CMOS, in
Proc. IEEE Asian Solid-State Circuits Conf. (A-SSCC), Nov. 2013,
pp. 309312.
[28] S.-M. Y. Marc Joye, The Montgomery powering ladder, in Proc.
Cryptogr. Hardware Embedded Syst., 2003, pp. 291302.
Jun Han received the B.S. degree from Xidian
University, Shanxi, China, in 2000 and the Ph.D.
degree in microelectronics from Fudan University,
Shanghai, China, in 2006.
He joined Fudan University as an Assistant Pro-
fessor in July 2006 and is currently an Associate Pro-
fessor with the State Key Laboratory of ASIC and
Systems. He is working on a high performance do-
main specic processor especially for digital signal
processing and cryptography.
Renfeng Dou received the B.S. degree in electronic
information engineering from Wuhan University,
Hubei, China, in 2012. He is currently pursuing
the M.S. degree in microelectronics at State Key
Laboratory of ASIC and System, Fudan University,
Shanghai, China.
His current research interests include high-per-
formance and energy-efcient digital VLSI design
on parallel computing architecture and on-chip-net-
works.
1381
Lingyun Zeng received the B.S. degree in electronic
science and engineering from Southeast University,
Jiangsu, China, in 2013. He is currently pursuing
the M.S. degree in microelectronics at State Key
Laboratory of ASIC and System, Fudan University,
Shanghai, China.
His current research interests include high-perfor-
mance digital VLSI design and parallel computing on
multicore architecture.
Shuai Wang received the B.S. degree in electronic
science and engineering from Zhejiang University,
Zhejiang, China, in 2009. He received the M.S.
degree in microelectronics at State Key Laboratory
of ASIC and System, Fudan University, Shanghai,
China, in 2012.
His current research interests include high-perfor-
mance digital VLSI design and parallel computing on
multicore architecture.
Zhiyi Yu received the B.S. and M.S. degrees in elec-
trical engineering from Fudan University, Shanghai,
China, in 2000 and 2003, respectively, and the Ph.D.
degree in electrical and computer engineering from
the University of California, Davis, CA, USA, in
2007.
From 2007 to 2008, he was with IntellaSys Corpo-
ration, USA. He is currently an Associate Professor
with the State Key Laboratory of ASIC and System,
Microelectronics Department, Fudan University. He
has published 2 books (chapters) and over 60 papers.
His research interests include high-performance and energy-efcient digital
VLSI design with an emphasis on many-core processors.
Prof. Yu serves as a member of the Technical Program Committee of several
conferences such as the IEEE Asian Solid-State Circuits Conference (ASSCC)
and the IEEE International Conference on ASIC.
Xiaoyang Zeng received the B.S. degree from
Xiangtan University, Xiangtan, China, in 1992 and
the Ph.D. degree from Changchun Institute of Optics
and Fine Mechanics, Chinese Academy of Sciences,
China, in 2001.
Since 2007, he has been a Full Professor and the
Director of the State Key Laboratory of ASIC and
System, Fudan University, China, where he was a
Postdoctoral Researcher from 2001 to 2003, and
later an Associate Professor. His research interests
include information security chip, VLSI signal
processing, and communication systems design.
Prof. Zeng is the Steering Committee Member of the Asia and South Pacic
Design Automation Conference (ASP-DAC), and the TPC member of the IEEE
Asian Solid-State Circuits Conference (A-SSCC).