RNS Modular Multiplication through Reduced Base Extensions
Karim Bigou and Arnaud Tisserand
INRIA-IRISA-CAIRN
ASAP Conference, June 18-20
Context and Objectives

Research group main objective: design hardware cryptoprocessors for asymmetric cryptography on FPGA and ASIC with advanced arithmetic support.

Various aspects of arithmetic operators:
- efficient algorithms
- fast and protected representations of numbers
- hardware implementations

This work: faster modular multiplication for cryptographic computations in the residue number system (RNS).
Residue Number System (RNS) [5] [3]

$X$ and $Y$, two large integers (from 160 to 4096 bits), are represented by:
$\vec{X} = (x_1, \ldots, x_n) = (X \bmod m_1, \ldots, X \bmod m_n)$
$\vec{Y} = (y_1, \ldots, y_n) = (Y \bmod m_1, \ldots, Y \bmod m_n)$

Modular operations over $w$-bit chunks, e.g. $w$ is 16–64.

[Figure: $n$ independent channels; channel $i$ takes the $w$-bit residues $x_i$, $y_i$ and computes $+$, $-$, $\times$ (and $/$) modulo $m_i$, producing a $w$-bit result.]

RNS base $\mathcal{B} = (m_1, \ldots, m_n)$: $n$ pairwise co-prime integers of $w$ bits with $n \times w > \log_2 P$.
RNS Properties

Pros:
- Carry-free between channels: each channel is independent
- Fast parallel $+$, $-$, $\times$ and some exact divisions: computations over all channels can be performed in parallel; a multiplication requires $n$ elementary modular multiplications (EMM)
- Non-positional number system: randomization of computations (SCA countermeasures)

Cons:
- comparison, modular reduction (by $P$ prime) and division are hard
RNS Base Extension [6]

Usual technique for modular reduction: add redundancy using 2 bases.
$\mathcal{B}_a = (m_{a,1}, \ldots, m_{a,n})$ and $\mathcal{B}_b = (m_{b,1}, \ldots, m_{b,n})$ are coprime RNS bases.
$X$ is $\vec{X}_a$ in $\mathcal{B}_a$ and $\vec{X}_b$ in $\mathcal{B}_b$.

The base extension (BE, introduced in [6]) is defined by:
$\vec{X}_b = \mathrm{BE}(\vec{X}_a, \mathcal{B}_a, \mathcal{B}_b)$

Some operations become possible after a base extension:
- $M_a = \prod_{i=1}^{n} m_{a,i}$ is invertible in $\mathcal{B}_b$
- exact division by $M_a$ can be done easily

State-of-the-art BE algorithms cost $n^2 + n$ $w$-bit EMMs.
RNS Montgomery Reduction (RNS-MR) [4, 1]

Input: $\vec{X}_a$, $\vec{X}_b$ with $X < \alpha P^2 < PM$ and $2P < M'$ (here $M = M_a$ and $M' = M_b$, the products of the moduli of $\mathcal{B}_a$ and $\mathcal{B}_b$)
Output: $\vec{\omega}_{a|b}$ with $\omega \equiv X \times M^{-1} \bmod P$ and $0 \leq \omega < 2P$

1. $\vec{Q}_a \leftarrow \vec{X}_a \times \overrightarrow{(-P^{-1})}_a$ (in base $\mathcal{B}_a$)
2. $\vec{Q}_b \leftarrow \mathrm{BE}(\vec{Q}_a, \mathcal{B}_a, \mathcal{B}_b)$
3. $\vec{S}_b \leftarrow \vec{X}_b + \vec{Q}_b \times \vec{P}_b$ (in base $\mathcal{B}_b$)
4. $\vec{\omega}_b \leftarrow \vec{S}_b \times \overrightarrow{M^{-1}}_b$ (in base $\mathcal{B}_b$)
5. $\vec{\omega}_a \leftarrow \mathrm{BE}(\vec{\omega}_b, \mathcal{B}_b, \mathcal{B}_a)$

RNS-MR cost: $2n^2 + O(n)$ EMMs.

How to exploit RNS properties? Maximize the use of fully parallelizable operations, e.g. computing patterns of the form $(AB + CD) \bmod P$.
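The three previous slides (RNS representation, base extension, RNS-MR) carried through in working code, as an added example that is not code from the slides or from the authors. It assumes two toy 3-channel bases of 8-bit moduli and a 20-bit prime P chosen here so the intermediate values stay readable; the base extension computes the CRT overflow count k exactly with rational arithmetic where hardware would use a fixed-point approximation, and from_rns exists only to check the RNS result against ordinary integer arithmetic.

```python
"""RNS arithmetic, base extension (BE) and RNS Montgomery reduction (RNS-MR).

Editor's worked example, not code from the slides or the authors.
Toy parameters: two coprime bases of n = 3 eight-bit channels and a 20-bit P;
a real design uses w = 16..64-bit channels and a 160..4096-bit P.
"""
from fractions import Fraction
from math import gcd, prod

B_A = (251, 253, 255)   # 251 prime, 11*23, 3*5*17      (chosen for this example)
B_B = (247, 241, 256)   # 13*19, 241 prime, 2^8         (coprime with B_A)
P = 1_000_003           # prime; 2P < M_b and 4P^2 < P*M_a hold for inputs < 2P
M_A = prod(B_A)
M_B = prod(B_B)


def to_rns(x, base):
    """Residues of x on every channel of the base."""
    return [x % m for m in base]


def from_rns(xs, base):
    """CRT reconstruction to an ordinary integer (checking only, not an RNS op)."""
    M = prod(base)
    return sum(x * (M // m) * pow(M // m, -1, m) for x, m in zip(xs, base)) % M


def rns_add(xs, ys, base):
    return [(x + y) % m for x, y, m in zip(xs, ys, base)]


def rns_mul(xs, ys, base):
    """n elementary modular multiplications (EMM), one per channel, no carries."""
    return [(x * y) % m for x, y, m in zip(xs, ys, base)]


def base_extend(xs, src, dst):
    """CRT-based BE: residues of X in base dst from its residues in base src.

    X = sum_i xi_i * M_i - k * M, with xi_i = |x_i * M_i^{-1}|_{m_i} and
    k = floor(sum_i xi_i / m_i).  k is exact here (Fraction); hardware
    approximates the sum in fixed point.  Cost: n EMM for the xi_i plus
    n^2 EMM for the products xi_i * |M_i|_{m_d} over the dst channels.
    """
    M = prod(src)
    xi = [(x * pow(M // m, -1, m)) % m for x, m in zip(xs, src)]
    k = int(sum(Fraction(v, m) for v, m in zip(xi, src)))
    return [(sum(v * ((M // m) % md) for v, m in zip(xi, src)) - k * (M % md)) % md
            for md in dst]


def rns_montgomery_reduce(x_a, x_b, Ba, Bb, p):
    """RNS-MR: w in both bases with w = X * M_a^{-1} mod p and 0 <= w < 2p.

    Requires X < p*M_a and 2p < M_b (the slide's X < alpha*P^2 < P*M, 2P < M').
    """
    Ma = prod(Ba)
    neg_pinv_a = [(-pow(p, -1, m)) % m for m in Ba]      # precomputed (-P^-1)_a
    p_b = to_rns(p, Bb)                                   # precomputed P_b
    ma_inv_b = [pow(Ma, -1, m) for m in Bb]               # precomputed (M_a^-1)_b
    q_a = rns_mul(x_a, neg_pinv_a, Ba)                    # Q = -X P^-1 mod M_a
    q_b = base_extend(q_a, Ba, Bb)                        # BE #1
    s_b = rns_add(x_b, rns_mul(q_b, p_b, Bb), Bb)         # S = X + QP, S = 0 mod M_a
    w_b = rns_mul(s_b, ma_inv_b, Bb)                      # exact division by M_a
    w_a = base_extend(w_b, Bb, Ba)                        # BE #2
    return w_a, w_b


def montgomery_mul_mod(x, y, Ba=B_A, Bb=B_B, p=P):
    """x*y*M_a^{-1} mod p computed entirely in RNS; reconstructed for checking."""
    assert gcd(prod(Ba), prod(Bb)) == 1 and 0 <= x < 2 * p and 0 <= y < 2 * p
    xy_a = rns_mul(to_rns(x, Ba), to_rns(y, Ba), Ba)      # n EMM
    xy_b = rns_mul(to_rns(x, Bb), to_rns(y, Bb), Bb)      # n EMM
    w_a, w_b = rns_montgomery_reduce(xy_a, xy_b, Ba, Bb, p)
    w = from_rns(w_b, Bb)
    assert to_rns(w, Ba) == w_a                           # both bases agree on w
    return w


if __name__ == "__main__":
    x, y = 123456, 654321                                 # constructed inputs
    w = montgomery_mul_mod(x, y)
    print(w, w < 2 * P, w % P == (x * y * pow(M_A, -1, P)) % P)
```

The two base extensions dominate: each costs n^2 + n EMM, against n EMM for every channel-parallel step, which is the 2n^2 + O(n) total of the slide and the reason the proposed method attacks the size of the bases rather than the per-channel work.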
Proposed Modular Multiplication

Idea: split operands into 2 parts and introduce sub-reductions.
- only $\frac{3}{2} n$ moduli required vs $2n$ (3 bases of $n/2$)

Constraint: requires a hypothesis on $P$: not possible for RSA but possible for ECC and discrete logarithm.

Operations   | AB mod P         | A^2 mod P         | Cst x A mod P
MM   [EMM]   | 2n^2 + 4n        | 2n^2 + 4n         | 2n^2 + 4n
SPRR [EMM]   | 2.5n^2 + 12.5n   | 1.75n^2 + 10.5n   | 1.75n^2 + 7n

Note: the Karatsuba-Ofman idea does not work in RNS.
Proposed Modular Multiplication Algorithm

Input: $X, Y < \alpha P$
Precomp.: $D = |M_a^{-1}|_P$
Output: $\vec{V}_{a|b|c}$ with $V \equiv |X Y M_a^{-1} M_b^{-1}|_P$ and $V < \alpha P$

begin
  $(\overrightarrow{(K_x)}_{a|b|c}, \overrightarrow{(R_x)}_{a|b|c}) \leftarrow \mathrm{Split}(\vec{X}_{a,b,c})$
  $(\overrightarrow{(K_y)}_{a|b|c}, \overrightarrow{(R_y)}_{a|b|c}) \leftarrow \mathrm{Split}(\vec{Y}_{a,b,c})$
  $\vec{U}_{a|b|c} \leftarrow \mathrm{PR}(\overrightarrow{(K_x)}_{a|b|c}, \overrightarrow{(R_x)}_{a|b|c}, \overrightarrow{(K_y)}_{a|b|c}, \overrightarrow{(R_y)}_{a|b|c}, D)$
  $\vec{V}_{a|b|c} \leftarrow \text{RNS-MR}(\vec{U}_b, \vec{U}_{a|c})$
  return $\vec{V}_{a|b|c}$
end
[Figure: data flow of the proposed algorithm (SPLIT, PR, MR) over the three bases $\mathcal{B}_a$, $\mathcal{B}_b$, $\mathcal{B}_c$. Split produces $K_x, R_x$ from $X$ and $K_y, R_y$ from $Y$ in each base, with $R_x = X_a$ and $R_y = Y_a$ in base $\mathcal{B}_a$; PR produces $U$; MR computes $Q$ and $S$ in one base, and base extensions (BE) move values between bases.]
Theoretical Performance Comparison

Results for exponentiation for discrete logarithm (Diffie-Hellman or ElGamal protocols).

[Figure: ratio Our / Ref (0.7 to 1.2) against $n$ (10 to 70), for two exponentiation algorithms, Montgomery exponentiation (Expo. Montg.) and LSB-first (Expo. LSBF), each plotted for the EMM count and for the EMM*MEM product.]

State-of-the-art reference (Ref): [2]
Conclusion

Our proposition:
- reduces by 25 % the number of precomputations stored
- reduces the number of EMMs by up to 10 % for large cryptographic parameters
- reduces by 25 % the number of base elements required

Future works on hardware implementation:
- implementation of the new RNS modular multiplication in full cryptosystems
- time × area trade-off explorations
Thank you for your attention

This work has been supported in part by a PhD grant from DGA–INRIA and by the PAVOIS project (ANR 12 BS02 002 01).
References

[1] J.-C. Bajard, L.-S. Didier, and P. Kornerup. An RNS Montgomery modular multiplication algorithm. IEEE Transactions on Computers, 47(7):766–776, July 1998.
[2] F. Gandino, F. Lamberti, G. Paravati, J.-C. Bajard, and P. Montuschi. An algorithmic and architectural study on Montgomery exponentiation in RNS. IEEE Transactions on Computers, 61(8):1071–1083, August 2012.
[3] H. L. Garner. The residue number system. IRE Transactions on Electronic Computers, EC-8(2):140–147, June 1959.
[4] K. C. Posch and R. Posch. Modulo reduction in residue number systems. IEEE Transactions on Parallel and Distributed Systems, 6(5):449–454, May 1995.
[5] A. Svoboda and M. Valach. Operátorové obvody (Operator circuits, in Czech). Stroje na Zpracování Informací (Information Processing Machines), 3:247–296, 1955.
[6] N. S. Szabo and R. I. Tanaka. Residue Arithmetic and its Applications to Computer Technology. McGraw-Hill, 1967.
Elliptic Curve Cryptography (ECC)

$P$ large prime of 160–600 bits.
Elliptic curve $E$ over $\mathbb{F}_P$: $y^2 = x^3 + ax + b$

Curve level operations:
- Point addition (ADD): $Q + Q'$
- Point doubling (DBL): $Q + Q$
- Scalar multiplication: $[k]Q = \underbrace{Q + Q + \ldots + Q}_{k \text{ times}}$

Security (ECDLP): knowing $Q$ and $[k]Q$, $k$ cannot be recovered.

[Figure: points of $y^2 = x^3 + 4x + 20$ over $\mathbb{F}_{1009}$.]
Scalar Multiplication Internal Operations

One scalar multiplication $[k]Q$ requires...
  many curve level operations (ADD, DBL), which require...
  MANY $\mathbb{F}_p$ operations ($+$, $-$, $\times$, $^{-1}$ in $\mathbb{F}_p$), which can be performed using...
  the residue number system (RNS): channels $\bmod m_1$, ..., $\bmod m_n$.
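The curve level operations of the two ECC slides (ADD, DBL, and $[k]Q$ built from them over $\mathbb{F}_p$), as an added example that is not code from the slides or from the authors. It uses the curve $y^2 = x^3 + 4x + 20$ over $\mathbb{F}_{1009}$ drawn on the ECC slide; the base point is found by search (it is not a standardised generator), and the plain double-and-add loop is the reference form, not the protected one a hardware design would ship.

```python
"""Affine ECC arithmetic over F_p: ADD, DBL and scalar multiplication [k]Q.

Editor's worked example, not code from the slides or the authors.
Curve y^2 = x^3 + 4x + 20 over F_1009 is the one shown on the ECC slide;
the base point is found by search here (an assumption, not a standard point).
"""
P = 1009
A, B = 4, 20
INF = None          # point at infinity, the identity of the group law


def on_curve(Q):
    if Q is INF:
        return True
    x, y = Q
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def dbl(Q):
    """DBL: Q + Q from the tangent slope (3x^2 + a) / 2y; one F_p inversion."""
    if Q is INF:
        return INF
    x, y = Q
    if y == 0:                      # vertical tangent: 2Q is the identity
        return INF
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)


def add(Q1, Q2):
    """ADD: Q1 + Q2 from the chord slope, with the identity and Q1 = -Q2 cases."""
    if Q1 is INF:
        return Q2
    if Q2 is INF:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # Q2 = -Q1
            return INF
        return dbl(Q1)              # Q1 = Q2: chord degenerates to tangent
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, Q):
    """[k]Q by left-to-right double-and-add: one DBL per bit, one ADD per set bit.

    The data-dependent branch on each key bit is the leakage the SCA
    countermeasures mentioned on the RNS slide (randomised representations,
    regular ladders) are meant to remove; it is kept here for readability.
    """
    R = INF
    for bit in bin(k)[2:]:
        R = dbl(R)
        if bit == "1":
            R = add(R, Q)
    return R


def point_order(Q):
    """Smallest k > 0 with [k]Q = INF, by repeated addition (p is tiny here)."""
    R, k = Q, 1
    while R is not INF:
        R = add(R, Q)
        k += 1
    return k


def find_point():
    """First affine point with smallest x: Euler criterion, then a root search."""
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        if rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1:
            for y in range(P):
                if y * y % P == rhs:
                    return (x, y)
    raise ValueError("no affine point found")


if __name__ == "__main__":
    Q = find_point()
    print(Q, on_curve(Q), point_order(Q), scalar_mul(12, Q))
```

Every ADD and DBL costs a handful of $\mathbb{F}_p$ multiplications plus one inversion, so for a 160 to 600-bit $P$ the $\mathbb{F}_p$ multiplication (and its modular reduction) is the operation the RNS work above is optimising; projective coordinates trade the per-step inversion for more multiplications, which only strengthens that point.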
Ratio SPRR/RNS-MR for ECC Operations

[Figure: ratio SPRR / RNS-MM (0.6 to 1.4) against $n$ (5 to 40). Top panel: the sequences 2DBL+mADD and 2DBL+mADD+TPL, each for the EMM count and for EMM*EMW. Bottom panel: the single operations mADD, DBL and TPL.]