
Hierarchical Approach in RNS Base Extension for Asymmetric Cryptography (PowerPoint presentation, ARITH-26, 10-12 June 2019)


  1. Hierarchical Approach in RNS Base Extension for Asymmetric Cryptography. Libey Djath (1), Karim Bigou (1), Arnaud Tisserand (2). (1) Université de Bretagne Occidentale / Lab-STICC, UMR CNRS 6285; (2) CNRS / Lab-STICC, UMR 6285. ARITH-26, 10-12 June 2019, Kyoto, Japan. Slide 1 / 21.

  2. Contents
  1 Context
  2 Hierarchical RNS Base Extension
  3 Hardware Implementation
  4 Conclusion

  3. Context
  Asymmetric cryptography serves in: digital signature, authentication, secret key exchange.
  An example of asymmetric cryptosystem: Elliptic Curve Cryptography (ECC) [Mil85, Kob87].
  For ECC, computations are performed in GF(P) with P a 200-500-bit prime.
  One ECC primitive requires thousands of additions, subtractions and multiplications modulo P.

  4. Residue Number System (RNS)
  RNS: a non-positional representation system based on the Chinese Remainder Theorem (CRT). X is represented by its residues over a base, which gives a representation with internal parallelism.
  RNS base: an RNS base $\mathcal{A}$ is a tuple $(a_1, a_2, \ldots, a_n)$ of coprime integers named moduli.
  Representing the number X: $\overrightarrow{X} = (X \bmod a_1, X \bmod a_2, \ldots, X \bmod a_n) = (x_{a_1}, x_{a_2}, \ldots, x_{a_n})$.
  Converting back to positional representation: compute the CRT over all the $x_{a_i}$ in base $\mathcal{A}$.

  5. RNS
  In hardware implementations of asymmetric cryptosystems: large integers are split into small residues (typically 16-64-bit integers), and computations on large integers are replaced by parallel computations on small residues.
  [Figure: n parallel channels. Channel i holds the w-bit residues $x_{a_i}$ and $y_{a_i}$ of $\overrightarrow{X}$ and $\overrightarrow{Y}$, computes $\pm$ or $\times$ followed by a reduction mod $a_i$, and outputs the w-bit residue $z_{a_i}$ of $\overrightarrow{Z}$. The moduli $a_i$ are pseudo-Mersenne for efficiency purposes.]

  6. RNS
  Main advantages of RNS architectures: carry-free operations among the channels; fast parallel $+$, $-$, $\times$; random order internal computations.
  Drawback: comparison, division and mod P reduction are difficult.

  7. RNS Montgomery mod P Reduction [PP95]
  Algorithm (from [PP95]): RNS Montgomery reduction modulo P.
  Input: $X_{\mathcal{A}}$, $X_{\mathcal{B}}$
  Precomp.: $|-P^{-1}|_{\mathcal{A}}$, $P_{\mathcal{B}}$, $|A^{-1}|_{\mathcal{B}}$
  Output: $S_{\mathcal{A}}$ and $S_{\mathcal{B}}$ with $S = |X A^{-1}|_P + \delta P$ and $\delta \in \{0, 1, 2\}$
  1 $Q_{\mathcal{A}} \leftarrow X_{\mathcal{A}} \times |-P^{-1}|_{\mathcal{A}}$
  2 $Q_{\mathcal{B}} \leftarrow \mathrm{BE}(Q_{\mathcal{A}}, \mathcal{A}, \mathcal{B})$
  3 $R_{\mathcal{B}} \leftarrow X_{\mathcal{B}} + Q_{\mathcal{B}} \times P_{\mathcal{B}}$
  4 $S_{\mathcal{B}} \leftarrow R_{\mathcal{B}} \times |A^{-1}|_{\mathcal{B}}$
  5 $S_{\mathcal{A}} \leftarrow \mathrm{BE}(S_{\mathcal{B}}, \mathcal{B}, \mathcal{A})$
  6 return $(S_{\mathcal{A}}, S_{\mathcal{B}})$
  BE: base extension (two per reduction, lines 2 and 5).
  Chinese Remainder Theorem (CRT) formula:
  $$X = \Big| \sum_{i=1}^{n} \Big| x_{a_i} \times \Big| \Big(\frac{A}{a_i}\Big)^{-1} \Big|_{a_i} \Big|_{a_i} \times \frac{A}{a_i} \Big|_A = \sum_{i=1}^{n} \Big| x_{a_i} \times \Big| \Big(\frac{A}{a_i}\Big)^{-1} \Big|_{a_i} \Big|_{a_i} \times \frac{A}{a_i} - hA \quad (1)$$
  with $A = a_1 \times \ldots \times a_n$, where $h$ is the integer number of multiples of $A$ to subtract (each term of the sum is below $A$, so $0 \le h < n$).
  [Plot residue spilled into this slide from a later slide of the deck: cost ratio HBE / KBE for one RNS Montgomery multiplication (MM) versus the number of moduli n (10 to 60), for CMM / CMR = 2, 3, 4; y-axis from 0.65 to 0.95.]

  8. Base Extension (BE) [KKSS00]
  [Figure: the residues $x_{a_1}, x_{a_2}, x_{a_3}, x_{a_4}, \ldots, x_{a_{n-1}}, x_{a_n}$ of base $\mathcal{A}$ are mapped to the residues $x_{b_1}, x_{b_2}, x_{b_3}, x_{b_4}, \ldots, x_{b_{n-1}}, x_{b_n}$ of base $\mathcal{B}$.]
  BE converts X in base $\mathcal{A}$ into X in base $\mathcal{B}$.

  9. Base Extension [KKSS00]
  Algorithm: Base Extension from [KKSS00] (KBE).
  Input: $X_{\mathcal{A}}$, $\sigma = 0$ or $0.5$
  Precomp.: $T_{a_i}\ \forall i \in [1, n]$ (the CRT weights $T_{a_i} = |(A/a_i)^{-1}|_{a_i}$ of formula (1))
  Output: $X_{\mathcal{B}}$
  1 for i from 1 to n parallel do
  2   $\hat{x}_{a_i} \leftarrow |x_{a_i} \times T_{a_i}|_{a_i}$
  3 for i from 1 to n do
  4   $\sigma \leftarrow \sigma + \mathrm{trunc}(\hat{x}_{a_i}) / 2^w$
  5   $h_i \leftarrow \lfloor \sigma \rfloor$
  6   $\sigma \leftarrow \sigma - h_i$
  7   for k from 1 to n parallel do
  8     $x_{b_k} \leftarrow \Big| x_{b_k} + \hat{x}_{a_i} \times \Big| \frac{A}{a_i} \Big|_{b_k} + |-h_i A|_{b_k} \Big|_{b_k}$
  [Figure: cox-rower architecture from [Gui10]: one cox unit (the $\sigma$ accumulator of lines 3-6, producing $h_i$) and n rower units (line 8, one per modulus), each rower a w-bit channel with its own memory, driven by a common CTRL.]
  State of the art solution is usually called KBE.

  10. Contents
  1 Context
  2 Hierarchical RNS Base Extension
  3 Hardware Implementation
  4 Conclusion

  11. Idea of Hierarchical Base Extension (HBE)
  Changing the notation: $\mathcal{A} = (a_1, \ldots, a_n)$ becomes
  $$\mathcal{A} = \begin{pmatrix} a_{1,1} & \cdots & a_{1,c} \\ \vdots & \ddots & \vdots \\ a_{r,1} & \cdots & a_{r,c} \end{pmatrix}$$
  with $n = r \times c$.
  Main idea: gather residues by row (c residues per row) into super-residues in base $\mathcal{A}$ by computing their partial CRTs; then compute the CRT of the super-residues of base $\mathcal{A}$ in base $\mathcal{B}$.

  12. Rewriting the KBE Algorithm
  Algorithm 1: 1D KBE (Base Extension from [KKSS00]).
  Input: $X_{\mathcal{A}}$, $\sigma = 0$ or $0.5$
  Precomp.: $T_{a_i}\ \forall i \in [1, n]$
  Output: $X_{\mathcal{B}}$
  1 for i from 1 to n parallel do
  2   $\hat{x}_{a_i} \leftarrow |x_{a_i} \times T_{a_i}|_{a_i}$
  3 for i from 1 to n do
  4   $\sigma \leftarrow \sigma + \mathrm{trunc}(\hat{x}_{a_i}) / 2^w$
  5   $h_i \leftarrow \lfloor \sigma \rfloor$
  6   $\sigma \leftarrow \sigma - h_i$
  7   for k from 1 to n parallel do
  8     $x_{b_k} \leftarrow \Big| x_{b_k} + \hat{x}_{a_i} \times \Big| \frac{A}{a_i} \Big|_{b_k} + |-h_i A|_{b_k} \Big|_{b_k}$
  Main cost: $n^2$ executions of line 8.
  Algorithm 2: 2D KBE.
  Input: $X_{\mathcal{A}}$, $\sigma = 0$ or $0.5$
  Precomp.: $T_{a_{i,j}}\ \forall i \in [1, r]$ and $\forall j \in [1, c]$
  Output: $X_{\mathcal{B}}$
  1 for i from 1 to r parallel do
  2   for j from 1 to c parallel do
  3     $\hat{x}_{a_{i,j}} \leftarrow |x_{a_{i,j}} \times T_{a_{i,j}}|_{a_{i,j}}$
  4 for i from 1 to r do
  5   for j from 1 to c do
  6     $\sigma \leftarrow \sigma + \mathrm{trunc}(\hat{x}_{a_{i,j}}) / 2^w$
  7     $h_{i,j} \leftarrow \lfloor \sigma \rfloor$
  8     $\sigma \leftarrow \sigma - h_{i,j}$
  9     for k from 1 to r parallel do
  10      for l from 1 to c parallel do
  11        $x_{b_{k,l}} \leftarrow \Big| x_{b_{k,l}} + \hat{x}_{a_{i,j}} \times \Big| \frac{A}{a_{i,j}} \Big|_{b_{k,l}} + |-h_{i,j} A|_{b_{k,l}} \Big|_{b_{k,l}}$
  With $n = r \times c$, main cost: $r^2 c^2$ executions of line 11 (the same $n^2$ operations as the 1D form, only re-indexed).

  13. HBE (c = 2)
  [Figure: the residues $x_{a_{1,1}}, x_{a_{1,2}}, x_{a_{2,1}}, x_{a_{2,2}}, \ldots, x_{a_{r,1}}, x_{a_{r,2}}$ of base $\mathcal{A}$ are gathered by row into the super-residues $X_{A_1}, X_{A_2}, \ldots, X_{A_r}$, from which the residues $x_{b_{1,1}}, x_{b_{1,2}}, x_{b_{2,1}}, x_{b_{2,2}}, \ldots, x_{b_{r,1}}, x_{b_{r,2}}$ of base $\mathcal{B}$ are computed.]

  14. Comparison between KBE and HBE
  KBE (Algorithm 2): the 2D KBE of slide 12; main cost: $r^2 c^2$ executions of its line 11.
  HBE (Algorithm 1):
  Input: $X_{\mathcal{A}}$, $\sigma = 0$ or $0.5$
  Precomp.: $T_{a_{i,j}}\ \forall i \in [1, r]$ and $\forall j \in [1, c]$
  Output: $X_{\mathcal{B}}$
  1 for i from 1 to r parallel do
  2   for j from 1 to c parallel do
  3     $\hat{x}_{a_{i,j}} \leftarrow |x_{a_{i,j}} \times T_{a_{i,j}}|_{a_{i,j}}$
  4 for i from 1 to r parallel do
  5   $X_{A_i} \leftarrow 0$
  6   for j from 1 to c do
  7     $X_{A_i} \leftarrow X_{A_i} + \hat{x}_{a_{i,j}} \times \frac{A_i}{a_{i,j}}$ (no reduction)
  8 for i from 1 to r do
  9   $\sigma \leftarrow \sigma + \mathrm{trunc}(X_{A_i}) / 2^{w \times c}$
  10  $h_i \leftarrow \lfloor \sigma \rfloor$
  11  $\sigma \leftarrow \sigma - h_i$
  12  for k from 1 to r parallel do
  13    for l from 1 to c parallel do
  14      $x_{b_{k,l},i} \leftarrow |X_{A_i}|_{b_{k,l}}$
  15      $x_{b_{k,l}} \leftarrow \Big| x_{b_{k,l}} + x_{b_{k,l},i} \times \Big| \frac{A}{A_i} \Big|_{b_{k,l}} + |-h_i A|_{b_{k,l}} \Big|_{b_{k,l}}$
  Main cost: $r^2 c$ executions of line 15.
  Here $A_i = a_{i,1} \times \ldots \times a_{i,c}$ is the product of the moduli of row i, so $A = A_1 \times \ldots \times A_r$; lines 4-7 are the partial CRT of each row (the super-residue $X_{A_i}$, below $c \times A_i$ since it is not reduced) and lines 8-15 are the CRT over the r super-residues.

  15. Theoretical Cost Comparison for c = 2
  Notation:
  - CMM(w, w) for a (w × w mod w)-bit modular multiplication
  - CMR(w′, w) for a (w′ mod w)-bit modular reduction
  KBE cost: $n^2\,\mathrm{CMM}(w, w) + n\,\mathrm{CMM}(w, w)$
  HBE cost: $\frac{n^2}{2}\,\mathrm{CMM}(w, w) + \frac{n^2}{2}\,\mathrm{CMR}(2w+1, w) + 2n\,\mathrm{CMM}(w, w)$
  [Plot: theoretical cost ratio HBE / KBE for one BE versus the number of moduli n (10 to 60), for CMM / CMR = 2, 3, 4; the ratio lies between about 0.65 and 0.90 and decreases as n and the CMM / CMR ratio grow.]
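The KBE of slide 9 (and its 2D rewriting on slide 12) and the HBE of slide 14, as a runnable integer model added here as an example; it is not code from the slides or from the authors. The toy 16-bit moduli chosen by make_bases, the Q-bit fixed-point cox accumulator (trunc keeps the top Q bits of a residue), the constructed input X and the operation counters are all assumptions of this example. It checks the properties the slides rely on: with σ = 0.5 and X < A/2 both extensions return exactly X in base B; with σ = 0 KBE returns X or X + A (the offset h may be one short, which the first BE of the Montgomery reduction on slide 7 tolerates); and the inner-loop counts are n² multiply-accumulates for KBE against n²/c multiply-accumulates plus n²/c reductions for HBE, i.e. the r²c² versus r²c of slide 14.

```python
"""KBE versus HBE base extension, modelled with exact Python integers.
Added example, not the authors' code: the moduli, the Q-bit cox accumulator
and the operation counters are assumptions made here for illustration."""
from math import gcd, prod

W = 16   # residue width w; the moduli are picked just below 2**W so that a_i ~ 2**W
Q = 8    # width of the cox accumulator: trunc() keeps the top Q bits of a residue


def make_bases(n, w=W):
    """Two pairwise-coprime bases A and B of n odd moduli each, just below 2**w
    (constructed toy bases; real designs use pseudo-Mersenne moduli)."""
    chosen, m = [], (1 << w) - 1
    while len(chosen) < 2 * n:
        if all(gcd(m, c) == 1 for c in chosen):
            chosen.append(m)
        m -= 2
    return chosen[:n], chosen[n:]


def to_rns(x, base):
    return [x % m for m in base]


def cox_step(acc, top_bits):
    """One cox step: sigma += trunc(.)/2**width; h = floor(sigma); sigma -= h.
    sigma is a Q-bit fixed-point fraction, so h is simply the carry out of the add."""
    acc += top_bits
    return acc & ((1 << Q) - 1), acc >> Q


def kbe(x_a, base_a, base_b, sigma_half=True):
    """KBE (slide 9): returns (X in base B, number of line-8 multiply-accumulates)."""
    n, A = len(base_a), prod(base_a)
    t = [pow(A // a, -1, a) for a in base_a]            # T_{a_i} = |(A/a_i)^-1|_{a_i}
    xhat = [(x * ti) % a for x, ti, a in zip(x_a, t, base_a)]
    acc = (1 << (Q - 1)) if sigma_half else 0          # sigma = 0.5 or 0
    x_b, muls = [0] * len(base_b), 0
    for i in range(n):
        acc, h = cox_step(acc, xhat[i] >> (W - Q))      # trunc(xhat_i) / 2**w
        for k, b in enumerate(base_b):                  # the n rowers, parallel in hardware
            x_b[k] = (x_b[k] + xhat[i] * ((A // base_a[i]) % b) + (-h * A) % b) % b
            muls += 1
    return x_b, muls


def hbe(x_a, base_a, base_b, c=2, sigma_half=True):
    """HBE (slide 14) with rows of c moduli: returns
    (X in base B, number of line-14 reductions, number of line-15 multiply-accumulates)."""
    n, A = len(base_a), prod(base_a)
    r = n // c
    rows = [base_a[i * c:(i + 1) * c] for i in range(r)]
    A_i = [prod(row) for row in rows]                   # A_i = product of row i
    t = [pow(A // a, -1, a) for a in base_a]            # same T_{a_{i,j}} as KBE
    xhat = [(x * ti) % a for x, ti, a in zip(x_a, t, base_a)]
    # lines 4-7: partial CRT of each row with no reduction, X_{A_i} < c * A_i
    X_rows = [sum(xhat[i * c + j] * (A_i[i] // rows[i][j]) for j in range(c))
              for i in range(r)]
    acc = (1 << (Q - 1)) if sigma_half else 0
    x_b, reds, muls = [0] * len(base_b), 0, 0
    for i in range(r):
        acc, h = cox_step(acc, X_rows[i] >> (c * W - Q))   # trunc(X_{A_i}) / 2**(w*c)
        for k, b in enumerate(base_b):
            x_bi = X_rows[i] % b                            # line 14: CMR(c*w+1, w)
            reds += 1
            x_b[k] = (x_b[k] + x_bi * ((A // A_i[i]) % b) + (-h * A) % b) % b  # line 15
            muls += 1
    return x_b, reds, muls


def check(n=8, c=2):
    """Run both extensions on one constructed X < A/2; report exactness and costs."""
    base_a, base_b = make_bases(n)
    A = prod(base_a)
    x = (0x2F3A9C1E5B7D8046A1B2C3D4E5F60718 * 0x9E3779B97F4A7C15) % (A // 2)
    x_a = to_rns(x, base_a)
    want, want_plus_A = to_rns(x, base_b), to_rns(x + A, base_b)
    k_half, k_muls = kbe(x_a, base_a, base_b, sigma_half=True)
    k_zero, _ = kbe(x_a, base_a, base_b, sigma_half=False)
    h_half, h_reds, h_muls = hbe(x_a, base_a, base_b, c, sigma_half=True)
    return {
        "kbe_exact": k_half == want,                     # sigma = 0.5, X < A/2: exact
        "kbe_sigma0_is_X_or_X_plus_A": k_zero in (want, want_plus_A),
        "hbe_exact": h_half == want,
        "kbe_muls": k_muls, "hbe_muls": h_muls, "hbe_reds": h_reds,   # n^2 vs n^2/c
    }


if __name__ == "__main__":
    for n, c in ((8, 2), (12, 3)):
        print(n, c, check(n, c))
```

The cox accumulator is deliberately narrow (Q = 8 bits): the approximation error of Kawamura's method is about n·(2^w/a_i − 1 + 2^-Q) for KBE and about r·(c·(2^cw/A_i − 1) + 2^-Q) for HBE, both far below the 0.5 slack that the σ = 0.5 offset provides as long as the moduli sit close to 2^w, which is why the slides insist on pseudo-Mersenne moduli.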

  16. Contents
  1 Context
  2 Hierarchical RNS Base Extension
  3 Hardware Implementation
  4 Conclusion
