Hybrid Position-Residues Number System Karim Bigou and Arnaud - PowerPoint PPT Presentation

Hybrid Position-Residues Number System Karim Bigou and Arnaud Tisserand CNRS, IRISA, INRIA Centre Rennes - Bretagne Atlantique and Univ. Rennes 1 ARITH 23, July 10 – 13 Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 1 / 25

Context Work on the design of efficient hardware implementations of asymmetric cryptosystems using advanced arithmetic techniques: RSA [RSA78] Discrete Logarithm Cryptosystems: Diffie-Hellman [DH76] (DH), ElGamal [Elg85] Elliptic Curve Cryptography (ECC) [Mil85] [Kob87] The residue number system (RNS) is a representation which enables fast computations for cryptosystems requiring large integers or F P elements through internal parallelism Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 2 / 25

Residue Number System (RNS) [SV55] [Gar59] X a large integer of ℓ bits ( ℓ > 200) is represented by: � X � = ( x 1 , . . . , x n ) = ( X mod m 1 , . . . , X mod m n ) RNS base B = ( m 1 , . . . , m n ), n pairwise co-primes of w bits, n × w � ℓ channel 1 channel 2 channel n x 1 x 2 x n X . . . y 1 y 2 y n Y . . . w w w w w w ±× ±× ±× . . . mod m 1 mod m 2 mod m n w w w z 1 z 2 z n Z . . . RNS relies on the Chinese remainder theorem (CRT) EMM = w -bit elementary modular multiplication in one channel Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 3 / 25

RNS vs Positional Number Systems + × + × + × + × + × + × + × + × Positional β 7 β 6 β 5 β 4 β 3 β 2 β 1 β 0 + × + × + × + × + × + × + × + × RNS m 7 m 6 m 5 m 4 m 3 m 2 m 1 m 0 involves data dependencies involves hard access to positional information Remark: here, one assumes a high radix positional representation of w bits Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 4 / 25

RNS vs Positional Number Systems operation/feature RNS Positional Representation multiplication easier harder modular reduction harder easier modular multiplication equivalent equivalent expansion of values harder easier comparisons harder easier parallelism easier harder flexibility easier harder internal randomization easier harder Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 5 / 25

Proposed Representation: Hybrid Position-Residues HPR Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 6 / 25

Main principle of HPR (finite field case) + × + × + × + × + × + × + × + × Positional β 7 β 6 β 5 β 4 β 3 β 2 β 1 β 0 + × + × + × + × + × + × + × + × HPR d = 4 ( m 0 m 1 ) 3 ( m 0 m 1 ) 2 ( m 0 m 1 ) 1 ( m 0 m 1 ) 0 + × + × + × + × + × + × + × + × HPR d = 2 ( m 0 m 1 m 2 m 3 ) 1 ( m 0 m 1 m 2 m 3 ) 0 RNS + × + × + × + × + × + × + × + × m 7 m 6 m 5 m 4 m 3 m 2 m 1 m 0 Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 7 / 25

Hybrid Position-Residues Representation HPR Formally: d − 1 � X i M i � � X HPR = � X d − 1 � a | b , . . . , � X 0 � a | b X = with a HPR i =0 where B a = ( m a , 0 , . . . , m a , n d − 1 ) and B b = ( m b , 0 , . . . , m b , n d − 1 ) , M a = � n d − 1 i =0 m a , i and β min M a � X i � β max M a ( β max − β min > 1) 2 RNS bases are required to contain temporary sub-products of HPR words during a full multiplication Remark 1: conversions are made using classical methods (radix conversions and RNS conversions) Remark 2: internal conversions between both RNS bases are made using state-of-the-art base extension methods ( e.g using CRT) Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 8 / 25

Example for 1 HPR-word Multiplication (1/2) Parameters: B a = (2 , 7 , 13), B b = (3 , 5 , 11), M a = 182, M b = 165 Inputs: X = 141, Y = 101 � � X HPR = � 1 , 1 , 11 , 0 , 1 , 9 � a | b � � Y HPR = � 1 , 3 , 10 , 2 , 1 , 2 � a | b X × Y = 14241 � � X HPR × Y HPR = � 1 × 1 , 1 × 3 , 11 × 10 , 0 × 2 , 1 × 1 , 9 × 2 � a | b � � = � 1 , 3 , 6 , 0 , 1 , 7 � a | b The high part of the product must be propagated : 14241 = 78 × 182 + 45 = 78 × M a + 45 Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 9 / 25

Decomposition algorithm ( Split ) Split decomposes a double word value into 2 HPR-words ( i.e radix M a ) Input : � X � a | b with X < ( β max M a ) 2 and M b > β 2 max M a Precomp. : � M − 1 a � b � � Output : � Q � a | b , � R � a | b � R � a ← � X � a (virtual operation) � R � b ← BE ( � R � a , B a , B b ) ( n / d ) × ( n / d ) EMM s � Q � b ← ( � X � b − � R � b ) × � M − 1 a � b if � Q � b = �− 1 � b then � Q � b ← � 0 � b /*using Kawamura BE [KKSS00] */ � R � b ← � R � b − � M a � b � Q � a ← BE ( � Q � b , B b , B a ) ( n / d ) × ( n / d ) EMM s return � Q � a | b , � R � a | b Split becomes faster when d increases (but it reduces the parallelism) Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 10 / 25

“High” part propagation in HPR This algorithm uses Split to propagate the high parts (”MSBs” in radix M a ) of subproducts Input : X HPR = ( � X d − 1 � , . . . , � X 0 � ) with X i < ( β max M a ) 2 Output : X HPR = ( � X d � , . . . , � X 0 � ) with X i < ( β 2 max + 1) M a � C − 1 � ← � 0 � , � X d − 1 � ← � 0 � for i from 0 to d − 1 parallel do ( � C i � , � X i � ) ← Split ( � X i � ) for i from 0 to d parallel do � X i � ← � X i � + � C i − 1 � return ( � X d � , . . . , � X 0 � ) Remark: to propagate a carry after an addition, we use a small carry propagation algorithm (details in the paper) Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 11 / 25

Example for 1 HPR-Word Multiplication (2/2) X × Y = 14241 = 78 × 182 + 45 = 78 × M a + 45 � � X HPR × Y HPR = � 1 × 1 , 1 × 3 , 11 × 10 , 0 × 2 , 1 × 1 , 9 × 2 � a | b � � = � 1,3,6,0,1,7 � a | b � � = � 0,1,0,0,3,1 � a | b , � 1,3,6,0,0,1 � a | b High part propagation Using BE, convert 45 from B a to B b : � 1,3,6 � a − → � 0,0,1 � b In B b perform the division by M a : � XY � b − �| XY | M a � b � � = � 0,1,7 � b − � 0,0,1 � b × � 2 , 3 , 2 � b � M a � b � � = � 0 , 1 , 6 � b × � 2 , 3 , 2 � b = � 0,3,1 � b Finally one performs another BE from B b to B a : � 0,3,1 � b − → � 0,1,0 � a Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 12 / 25

Application 1: A New Modular Multiplication Algorithm Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 13 / 25

Principle Proposition:well-chosen finite fields F P for fast modular multiplications example of application: finite field for ECC P prime with P = Q ( M a ) and Q ( X ) = X d − Q ′ ( X ) where Q ′ is sparse F P is a d × ( n / d ) × w = nw bits finite field M d a ≡ Q ′ ( M a ) mod P toy example 1: P 1 = (2 × 7 × 13) 2 − 5 = M 2 a − 5 = 33119 is prime toy example 2: P 2 = (3 × 5 × 11) 3 − 2 = M 3 b − 2 = 27225 is prime Main Idea: Adapt pseudo-Mersenne modular multiplication for HPR representation Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 14 / 25

HPR Modular Multiplication Positional Modular Reduction : reduction using M d a ≡ Q ′ ( M a ) mod P example: Q ′ = 2 then Z i = Z i + 2 Z i + d for i ∈ [0 , d − 1] × 2 × 2 × 2 + + + d = 3 M 5 M 4 M 3 M 2 M 1 M 0 a a a a a a Parameters : B a with P = Q ( M a ) and Q of degree d Input : X HPR , Y HPR Output : Z HPR with Z = XY mod P d 2 ( n / d ) = 2 nd EMM s Z HPR ← HPR Product ( X HPR , Y HPR ) Z HPR ← Positional Modular Reduction( Z HPR , Q ) ( n EMA s) 2 n 2 Z HPR ← HPR “High” Part Propagation ( Z HPR ) d + 2 n EMM s Z HPR ← Positional Modular Reduction( Z HPR , Q ) ( n / d EMA s) Z HPR ← HPR Small Carry Propagation ( Z HPR ) 2 n EMM s return Z HPR Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 15 / 25

Cost of modular multiplication in RNS and HPR for various fixed d Operation cost: trade-off between HPR product and HPR High part propagation 3000 Operation Cost [EMM] 2500 2000 1500 RNS 1000 HPR d=2 HPR d=3 500 HPR d=4 HPR d=8 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 number of moduli (n) Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 16 / 25

Impact of d for n and the field size fixed Using schoolbook multiplication, d = √ n is the best trade-off 2400 n=32 Operation Cost [EMM] n=24 2000 n=20 n=16 1600 n=12 n=8 1200 800 400 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 number of RNS digits (d) d 2 4 8 16 n 2 + 8 n n 2 n 2 n 2 cost ( EMM ) 2 + 12 n 4 + 20 n 8 + 36 n Karim Bigou and Arnaud Tisserand HPR Representation ARITH 23, July 10 – 13 17 / 25