Hello and welcome to this presentation of the STM32 Public Key Accelerator, which is embedded in STM32WB microcontrollers. It covers the features used to perform asymmetric key cryptography, which is widely required for cryptographic applications.

Public key cryptography is part of many security standards and is widely used to establish secure communication channels across unsecure open networks like the Internet or to provide authentication via electronic signatures. Software-only solutions can be too slow for real-time applications, impacting the system's overall performance. The PKA peripheral is an efficient hardware accelerator that speeds up the public key cryptography operations performed by the CPU.

Performing public key cryptography requires intensive computing, which represents a huge workload when done entirely by software. The public key accelerator lightens the STM32WB CPU's workload by performing key operations in the PKA core using dedicated PKA memory. The CPU loads initial data into the PKA internal RAM, which is located at address offset 0x400. Then, in the PKA control register (PKA_CR), the CPU specifies the operation to be executed, and finally asserts the START bit. Once the PKA reports the end of operation through the PROCENDF flag, the CPU reads the resulting data from the PKA RAM, then clears the PROCENDF flag.

Software can abort a PKA operation at any time by clearing the EN bit in the PKA_CR register. In this case, the content of the PKA memory is not guaranteed. The PKA has two error flags, the address error flag, or ADDRERRF, and the RAM error flag, or RAMERRF. All flags can generate an interrupt if the corresponding interrupt enable bit is set: PROCENDIE, ADDRERRIE, or RAMERRIE.

Public key cryptography introduces a very elegant solution to the problem of exchanging messages in a confidential way over an unsecure network like the Internet.
Each person exchanging messages possesses a private key used to decrypt messages sent to him or her encrypted using his or her public key. For this technology to work, a trusted central repository of people's public keys is recommended.

A digital signature is a powerful technology to ensure the integrity, authentication, and non-repudiation of digital assets such as financial transaction tokens. Person A can prepare a signed message by first performing a secure hashing function on it, then encrypting the resulting digest using his private key. The resulting signature is sent along with the message to Person B. Person B can verify A's signed message by performing the same hashing function on it and then using the result when performing the signature verification function with A's public key. The result of the verification function determines whether the message is genuine or not.

Here is a list of operations the PKA can perform. Acceleration of asymmetric cryptography: modular exponentiation and RSA Chinese remainder theorem (CRT) exponentiation, ECC scalar multiplication and point-on-curve check, and ECDSA signature generation and verification. Arithmetic and modular operations: arithmetic addition, subtraction, multiplication, and comparison; modular addition, subtraction, reduction, and inversion; and Montgomery multiplication.

Thanks to these operations, the PKA supports many standard public key algorithms: modular exponentiation, CRT exponentiation, RSA cryptography, elliptic curve cryptography or ECC, digital signature algorithm or DSA, and elliptic curve DSA or ECDSA. The public key accelerator or PKA is used to accelerate Rivest, Shamir, and Adleman or RSA, Diffie-Hellman or DH, as well as elliptic curve cryptography or ECC over prime field operations. Supported operand sizes are up to 3,136 bits for RSA and DH, and up to 640 bits for ECC.
The PKA is an Arm Advanced Microcontroller Bus Architecture or AMBA AHB slave peripheral, accessible through 32-bit word single accesses only. Otherwise, an AHB bus error is generated and write accesses are ignored.

Here are the modular exponentiation processing times using different exponent and operand sizes. Figures with the "fast" indication require the application to perform a Montgomery parameter computation, as this information is needed to run the fast operation. The Montgomery parameter can be reused for several computations in a row, making the overall operations more efficient if repeated many times. Montgomery multiplication overhead: 1024 bits, plus 0 milliseconds; 2048 bits, plus 3 milliseconds; 3072 bits, plus 8 milliseconds.

Here is a summary of the PKA events able to trigger an interrupt in the nested vectored interrupt controller: PKA computation completed, PKA RAM access error, and access to unmapped address error. The direct memory access or DMA controller cannot be used with the PKA.

Here is an overview of the status of the PKA peripheral in each of the low power modes. PKA operations are not possible when the device is in stop mode.

This is a list of peripherals related to the PKA. Please refer to these peripheral trainings for more information if needed. If these links and the reference manual are not enough, please refer to the PKA driver in the STM32CubeMX repository described in the next slide. For more details and additional information, refer to the following useful software references.
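
The Montgomery parameter reuse described above for the "fast" modular exponentiation figures, as an added example that is not ST's driver code and not part of the presentation. It is a small C software model with R = 2^64 and a constructed modulus below 2^63 (far smaller than real PKA operands); `mont_ctx`, `mont_init`, `mont_mul`, `mod_exp_fast` and `mod_exp` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
typedef unsigned __int128 u128;   /* GCC/Clang extension */
/* Model: R = 2^64, modulus n odd and below 2^63 (constructed, not PKA sizes). */
typedef struct { uint64_t n, n_neg_inv, r2; } mont_ctx;
/* Paid once per modulus: -n^-1 mod R and the Montgomery parameter R^2 mod n. */
int mont_init(mont_ctx *c, uint64_t n) {
    if ((n & 1) == 0 || n < 3 || (n >> 63)) return -1;  /* reduction needs odd n */
    uint64_t inv = n;                   /* n*n == 1 mod 8, so 3 bits are correct */
    for (int i = 0; i < 5; i++) inv *= 2 - n * inv;     /* Newton step doubles them */
    uint64_t r2 = 1;
    for (int i = 0; i < 128; i++) { r2 <<= 1; if (r2 >= n) r2 -= n; }  /* 2^128 mod n */
    c->n = n; c->n_neg_inv = 0 - inv; c->r2 = r2;
    return 0;
}
/* Montgomery product a*b*R^-1 mod n for a, b < n. */
uint64_t mont_mul(const mont_ctx *c, uint64_t a, uint64_t b) {
    u128 t = (u128)a * b;
    uint64_t m = (uint64_t)t * c->n_neg_inv;            /* makes t + m*n divisible by R */
    uint64_t u = (uint64_t)((t + (u128)m * c->n) >> 64);  /* u < 2n, sum fits 128 bits */
    return u >= c->n ? u - c->n : u;
}

/* "Fast" path: reuses c->r2. Every iteration squares and multiplies, then keeps
   the product through a mask, so exponent bits do not select which operations run. */
uint64_t mod_exp_fast(const mont_ctx *c, uint64_t base, uint64_t exp) {
    uint64_t x = mont_mul(c, base % c->n, c->r2);       /* base in Montgomery form */
    uint64_t acc = mont_mul(c, 1, c->r2);               /* 1 in Montgomery form */
    for (int i = 63; i >= 0; i--) {
        acc = mont_mul(c, acc, acc);
        uint64_t prod = mont_mul(c, acc, x);
        uint64_t mask = 0 - ((exp >> i) & 1);
        acc = (prod & mask) | (acc & ~mask);
    }
    return mont_mul(c, acc, 1);                         /* leave Montgomery form */
}

/* Normal path: parameter computation and exponentiation together; 0 on bad n. */
uint64_t mod_exp(uint64_t n, uint64_t base, uint64_t exp) {
    mont_ctx c;
    return mont_init(&c, n) ? 0 : mod_exp_fast(&c, base, exp);
}

int main(void) {
    mont_ctx c;
    if (mont_init(&c, 1000000007ULL)) return 1;         /* parameter computed once */
    for (uint64_t b = 2; b < 5; b++)                    /* then reused per operation */
        printf("%llu^65537 mod n = %llu\n", (unsigned long long)b,
               (unsigned long long)mod_exp_fast(&c, b, 65537));
    return 0;
}
```
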