

SLIDE 1

RNS Modular Multiplication through Reduced Base Extensions

Karim Bigou and Arnaud Tisserand

INRIA-IRISA-CAIRN

ASAP Conference June 18-20

Karim Bigou and Arnaud Tisserand RNS Modular Multiplication ASAP Conference June 18-20 1 / 12

slide-2
SLIDE 2

Context and Objectives

Research group main objective: design hardware cryptoprocessors for asymmetric cryptography on FPGA and ASIC with advanced arithmetic support.

Various aspects of arithmetic operators:
- efficient algorithms
- fast and protected representations of numbers
- hardware implementations

This work: faster modular multiplication for cryptographic computations in the residue number system (RNS).

SLIDE 3

Residue Number System (RNS) [5] [3]

X and Y, two large integers (from 160 to 4096 bits), are represented by:

$\vec{X} = (x_1, \ldots, x_n) = (X \bmod m_1, \ldots, X \bmod m_n)$

$\vec{Y} = (y_1, \ldots, y_n) = (Y \bmod m_1, \ldots, Y \bmod m_n)$

Modular operations over w-bit chunks, e.g. w is 16–64.

Figure: n independent channels; channel i takes the w-bit residues $x_i$ and $y_i$ and computes $+$, $-$, $\times$ (and $/$) modulo $m_i$, producing a w-bit result.

RNS base $\mathcal{B} = (m_1, \ldots, m_n)$: n pairwise co-prime integers of w bits with $n \times w \geq \log_2 P$.

SLIDE 4

RNS Properties

Pros:
- Carry-free between channels: each channel is independent
- Fast parallel $+$, $-$, $\times$ and some exact divisions: computations over all channels can be performed in parallel; a multiplication requires n elementary modular multiplications (EMM)
- Non-positional number system: randomization of computations (SCA countermeasures)

Cons:
- comparison, modular reduction (by the prime P) and division are hard

SLIDE 5

RNS Base Extension [6]

Usual technique for modular reduction: add redundancy using 2 bases.

$\mathcal{B}_a = (m_{a,1}, \ldots, m_{a,n})$ and $\mathcal{B}_b = (m_{b,1}, \ldots, m_{b,n})$ are coprime RNS bases; X is $\vec{X}_a$ in $\mathcal{B}_a$ and $\vec{X}_b$ in $\mathcal{B}_b$.

The base extension (BE, introduced in [6]) is defined by: $\vec{X}_b = \mathrm{BE}(\vec{X}_a, \mathcal{B}_a, \mathcal{B}_b)$

Some operations become possible after a base extension:
- $M_a = \prod_{i=1}^{n} m_{a,i}$ is invertible in $\mathcal{B}_b$
- exact division by $M_a$ can be done easily

State-of-the-art BE algorithms cost $n^2 + n$ w-bit EMMs.

SLIDE 6

RNS Montgomery Reduction (RNS-MR) [4, 1]

Input: $\vec{X}_a$, $\vec{X}_b$ with $X < \alpha P^2 < P M_a$ and $2P < M_b$
Output: $\vec{\omega}_{a|b}$ with $\omega \equiv X \times M_a^{-1} \bmod P$ and $0 \leq \omega < 2P$

$\vec{Q}_a \leftarrow \vec{X}_a \times \overrightarrow{(-P^{-1})}_a$ (in base $\mathcal{B}_a$)
$\vec{Q}_b \leftarrow \mathrm{BE}(\vec{Q}_a, \mathcal{B}_a, \mathcal{B}_b)$
$\vec{S}_b \leftarrow \vec{X}_b + \vec{Q}_b \times \vec{P}_b$ (in base $\mathcal{B}_b$)
$\vec{\omega}_b \leftarrow \vec{S}_b \times \overrightarrow{M_a^{-1}}_b$ (in base $\mathcal{B}_b$)
$\vec{\omega}_a \leftarrow \mathrm{BE}(\vec{\omega}_b, \mathcal{B}_b, \mathcal{B}_a)$

Figure: data flow of RNS-MR between the two bases $\mathcal{B}_a$ and $\mathcal{B}_b$: $\times$ in $\mathcal{B}_a$, BE to $\mathcal{B}_b$, $+$ and $\times$ in $\mathcal{B}_b$, $\times$ in $\mathcal{B}_b$, BE back to $\mathcal{B}_a$.

RNS-MR cost: $2n^2 + O(n)$ EMMs.

How to exploit RNS properties? Maximize the use of fully parallelizable operations, e.g. computing patterns of the form $(AB + CD) \bmod P$.

SLIDE 7

Proposed Modular Multiplication

Idea: split operands into 2 parts and introduce sub-reductions.
- Only 3n/2 moduli required vs 2n (3 bases of n/2)

Constraint: requires a hypothesis on P; not possible for RSA but possible for ECC and discrete logarithm.

Cost per operation, in EMMs:

Operation        AB mod P          A^2 mod P          Cst × A mod P
MM   [EMM]       2n^2 + 4n         2n^2 + 4n          2n^2 + 4n
SPRR [EMM]       2.5n^2 + 12.5n    1.75n^2 + 10.5n    1.75n^2 + 7n

Note: the Karatsuba-Ofman idea does not work in RNS.

SLIDE 8

Proposed Modular Multiplication Algorithm

Input: $X, Y < \alpha P$
Precomp.: $D = |M_a^{-1}|_P$
Output: $\vec{V}_{a|b|c}$ with $V \equiv |X Y M_a^{-1} M_b^{-1}|_P$ and $V < \alpha P$

begin
  $(\overrightarrow{(K_x)}_{a|b|c}, \overrightarrow{(R_x)}_{a|b|c}) \leftarrow \mathrm{Split}(\vec{X}_{a|b|c})$
  $(\overrightarrow{(K_y)}_{a|b|c}, \overrightarrow{(R_y)}_{a|b|c}) \leftarrow \mathrm{Split}(\vec{Y}_{a|b|c})$
  $\vec{U}_{a|b|c} \leftarrow \mathrm{PR}(\overrightarrow{(K_x)}_{a|b|c}, \overrightarrow{(R_x)}_{a|b|c}, \overrightarrow{(K_y)}_{a|b|c}, \overrightarrow{(R_y)}_{a|b|c}, D)$
  $\vec{V}_{a|b|c} \leftarrow \text{RNS-MR}(\vec{U}_b, \vec{U}_{a|c})$
  return $\vec{V}_{a|b|c}$
end

SLIDE 9

Figure: data flow of the proposed algorithm per base, through the SPLIT, PR and MR stages (legend: base extension (BE) vs computations in 1 base).

base Ba:  Xa, Ya  →  Kx, Ky, Ry = Ya, Rx = Xa  →  Ua  →  Qa, Sa
base Bb:  Xb, Yb  →  Rx, Kx, Ry, Ky            →  Ub  →  Qb, Sb
base Bc:  Xc, Yc  →  Rx, Kx, Ry, Ky            →  Uc  →  Qc, Sc

SLIDE 10

Theoretical Performance Comparison

Results for exponentiation for discrete logarithm (Diffie-Hellman or ElGamal protocols)

Figure: ratio Our / Ref (0.7 to 1.2) versus n (10 to 70), two panels: LSBF exponentiation (curves EMM and EMM×MEM) and Montgomery exponentiation (curves EMM and EMM×MEM).

State-of-the-art reference (Ref): [2]

SLIDE 11

Conclusion

Our proposition:
- reduces by 25 % the number of precomputations stored
- reduces the number of EMMs by up to 10 % for large cryptographic parameters
- reduces by 25 % the number of base elements required

Future works on hardware implementation:
- implementation of the new RNS modular multiplication in full cryptosystems
- time × area trade-off explorations

SLIDE 12

Thank you for your attention

This work has been supported in part by a PhD grant from DGA–INRIA and by the PAVOIS project (ANR 12 BS02 002 01).

SLIDE 13

References

[1] J.-C. Bajard, L.-S. Didier, and P. Kornerup. An RNS Montgomery modular multiplication algorithm. IEEE Transactions on Computers, 47(7):766–776, July 1998.
[2] F. Gandino, F. Lamberti, G. Paravati, J.-C. Bajard, and P. Montuschi. An algorithmic and architectural study on Montgomery exponentiation in RNS. IEEE Transactions on Computers, 61(8):1071–1083, August 2012.
[3] H. L. Garner. The residue number system. IRE Transactions on Electronic Computers, EC-8(2):140–147, June 1959.
[4] K. C. Posch and R. Posch. Modulo reduction in residue number systems. IEEE Transactions on Parallel and Distributed Systems, 6(5):449–454, May 1995.
[5] A. Svoboda and M. Valach. Operátorové obvody (Operator circuits, in Czech). Stroje na Zpracování Informací (Information Processing Machines), 3:247–296, 1955.
[6] N. S. Szabo and R. I. Tanaka. Residue Arithmetic and Its Applications to Computer Technology. McGraw-Hill, 1967.

SLIDE 14

Elliptic Curve Cryptography (ECC)

P large prime of 160–600 bits.

Elliptic curve E over $\mathbb{F}_P$: $y^2 = x^3 + a x + b$

Figure: points of the example curve $y^2 = x^3 + 4x + 20$ over $\mathbb{F}_{1009}$.

Curve level operations:
- Point addition (ADD): Q + Q'
- Point doubling (DBL): Q + Q
- Scalar multiplication: $[k]Q = \underbrace{Q + Q + \cdots + Q}_{k \text{ times}}$

Security (ECDLP): knowing Q and [k]Q, k cannot be recovered.

SLIDE 15

Scalar Multiplication Internal Operations

Figure: [k]Q → ADD, DBL → $+$, $-$, $\times$, $^{-1}$ in $\mathbb{F}_p$ → mod $m_1$ ··· mod $m_n$

One scalar multiplication requires many curve level operations, which require MANY $\mathbb{F}_p$ operations, which can be performed using the residue number system (RNS).
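The curve-level operations of slide 14 (ADD, DBL, [k]Q), carried out on the slide's toy curve $y^2 = x^3 + 4x + 20$ over $\mathbb{F}_{1009}$ in affine coordinates so that each step exposes the $\mathbb{F}_p$ $+$, $-$, $\times$ and inversion that slide 15 feeds to the RNS unit. This is an added example, not code from the slides or the authors; the base point (1, 5), the scalar values and the function names are ours, and the double-and-add loop is the textbook one, not the protected version a cryptoprocessor would use.

```python
# Added example, not code from the Bigou/Tisserand slides: ADD, DBL and [k]Q
# on the slide's curve y^2 = x^3 + 4x + 20 over F_1009 (affine coordinates).
P, A, B = 1009, 4, 20      # curve parameters taken from slide 14
INF = None                 # point at infinity (group identity)

def on_curve(Q):
    """True if Q is INF or satisfies the curve equation over F_P."""
    if Q is INF:
        return True
    x, y = Q
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ecc_dbl(Q):
    """DBL: Q + Q. Costs one F_p inversion (2y)^-1 plus a few products."""
    if Q is INF or Q[1] == 0:
        return INF
    x, y = Q
    lam = (3 * x * x + A) * pow((2 * y) % P, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)

def ecc_add(Q1, Q2):
    """ADD: Q + Q'. Costs one F_p inversion (x2 - x1)^-1 plus a few products."""
    if Q1 is INF:
        return Q2
    if Q2 is INF:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2:
        # Q' = -Q gives INF; Q' = Q falls back to doubling
        return INF if (y1 + y2) % P == 0 else ecc_dbl(Q1)
    lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, Q):
    """[k]Q by left-to-right double-and-add. The branch on each key bit is
    exactly the leakage the SCA countermeasures of slide 4 aim at; this plain
    version is for functional checking only."""
    R = INF
    for bit in bin(k)[2:]:
        R = ecc_dbl(R)
        if bit == "1":
            R = ecc_add(R, Q)
    return R

def naive_mult(k, Q):
    """[k]Q as Q + Q + ... + Q (k times), the definition given on slide 14."""
    R = INF
    for _ in range(k):
        R = ecc_add(R, Q)
    return R

if __name__ == "__main__":
    Q = (1, 5)  # constructed base point: 5^2 = 25 = 1^3 + 4*1 + 20 over F_1009
    assert on_curve(Q)
    print(ecc_dbl(Q), scalar_mult(97, Q), scalar_mult(97, Q) == naive_mult(97, Q))
```

Counting the calls shows why slide 15 ends at RNS: every DBL and ADD spends a handful of $\mathbb{F}_p$ products and one inversion, and a 160-bit scalar multiplication runs a few hundred of them, so the modular multiplication unit dominates the cost. A real implementation would use projective coordinates to trade the per-step inversion for more multiplications, which only strengthens the case for a fast $\mathbb{F}_p$ multiplier.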

SLIDE 16

Ratio SPRR/RNS-MR for ECC Operations

Figure: ratio SPRR / RNS-MM (0.8 to 1.4) versus n (5 to 40) for mADD, DBL and TPL; second panel (0.6 to 1.4): EMM and EMM×EMW counts for the patterns 2DBL+mADD and 2DBL+mADD+TPL.
