 Hello and welcome to this presentation of the STM32 Public Key Accelerator, which is embedded in STM32WB microcontrollers. It covers the features used to perform asymmetric key cryptography, which is widely required for cryptographic applications. Public Key Cryptography is part of many security standards and is widely used to establish secure communication channels across unsecure open networks like the Internet or to provide authentication via electronic signatures. Software-only solutions can be too slow for real-time applications, impacting the system's overall performance. The PKA peripheral is an efficient hardware accelerator that speeds up the public key cryptography operations performed by the CPU. Performing public key cryptography requires intensive computing, which represents a huge workload when done entirely by software. The Public Key Accelerator lightens the STM32L5 CPU's workload by performing key operations in the PKA core using dedicated PKA memory. The CPU loads initial data into the PKA internal RAM, which is located at address offset 0x400. Then, in the PKA control register, the CPU specifies the operation which is to be executed and finally asserts the start bit. Once the PKA reports the end of operation, PROCENDF, the CPU reads the resulting data from the PKA RAM, then clears the PROCENDF flag. Software can abort a PKA operation at any time by clearing the EN bit in the PKA CR register. In this case, the content of the PKA memory is not guaranteed. The PKA has two error flags, the error address flag, ADDRERRF, and the RAM error flag, RAMERRF. All flags can generate an interrupt if the corresponding interrupt enable bit is set. PROCENDIE, ADDRERRIE, or RAMERRIE. When the PKA peripheral reset signal is released, the PKA RAM is cleared automatically, taking 894 clock cycles. During this time, the setting of the EN bit in PKA CR is ignored. Public key cryptography introduces a very elegant solution for the problem of exchanging messages in a confidential way over an unsecure network like the Internet. Each person exchanging messages possesses a private key used to decrypt messages sent to him or her encrypted using his or her public key. For this technology to work, a trusted central repository of the people's public key is recommended. Digital signature is a powerful technology to ensure the integrity, authentication, and non-repudiation of digital assets such as financial transaction tokens. Person A can prepare a signed message by first performing a secure hashing function on it, then encrypting the resulting digest using his private key. The resulting signature is sent alongside with the message to Person B. Person B can verify A's signed message by performing the same hashing function on it and then use the result when performing the signature verification function using A's public key. The result of the verification function will determine if the message is genuine or not. Here is a list of operations the PKA can perform. Acceleration of asymmetric cryptography, modular exponentiation, and RSA Chinese remainder theorem or CRT exponentiation, ECC scalar multiplication and point-on-curve check, and ECDSA signature generation and verification, arithmetic and modular operations, arithmetic addition, subtraction, multiplication, and comparison, modular addition, subtraction, and reduction and inversion, and Montgomery multiplication. Thanks to these operations, the PKA supports many standard public key algorithms, modular exponentiation, CRT exponentiation, RSA cryptography, elliptic curve cryptography or ECC, digital signature algorithm or DSA, and elliptic curve DSA or ECDSA. Public key accelerator or PKA is used to accelerate Rivest, Shamir and Edelman or RSA, Diffie-Hellman or DH, as well as elliptic curve cryptography or ECC over prime field operations. Supported operand sizes are up to 3,136 bits for RSA and DH, and up to 640 bits for ECC. The PKA is an arm-advanced microcontroller bus architecture or AMBA AHB slave peripheral, accessible through 32-bit word single accesses only. Otherwise, for rights an AHB bus error is generated and right accesses are ignored. Here are the modular exponentiation processing times using different exponent and operand sizes. Figures with the fast indication requires the application to perform a Montgomery parameter computation as this information is needed to run the fast operation. The Montgomery parameter can be reused for several computations in a row, making the overall operations more efficient if repeated many times. Montgomery multiplication overhead, 1024-bit plus 1 millisecond, 2048-bit plus 4 milliseconds, 3072-bit plus 10 milliseconds. Figures are computed for a PKA clock of 110 MHz. Here is a summary of the PKA events able to trigger and interrupt in the nested vectored interrupt controller. PKA computation completed. PKA RAM access error and access to unmapped address error. The direct memory access or DMA controller cannot be used with the PKA. Here is an overview of the status of the PKA peripheral in each of the low power modes. PKA operations are not possible when the device is in stop mode. This is a list of peripherals related to the PKA. Please refer to these peripheral trainings for more information if needed. If these links and the reference manual are not enough, please refer to the PKA driver in the STM32 CubemX repository described in the next slide. For more details and additional information, refer to the following useful software references.