[PPT] - Summary Introduction Exotic Number Systems Basic number systems PowerPoint Presentation

SLIDE 1

Exotic Number Systems for Hardware Arithmetic Operators

Arnaud Tisserand

CNRS, IRISA laboratory, CAIRN research team

DIT Seminar, ENS Cachan – antenne de Bretagne March 9th, 2010

Summary

Introduction
Basic number systems

◮ integer and fixed point ◮ floating point

Exotic number systems

◮ logarithmic number system (LNS) ◮ redundant number systems ◮ double base number system (DBNS) ◮ residue number system (RNS)

References
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

2/69

Babylonian Arithmetic

Use of a positional number system with:

primary radix 60
auxiliary radix 10
digits in the set:

1 2 3 4 5 6 7 8 9 10

Example: = 33×60+30 = 2010

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

3/69

Almost New Type of Look-Up Tables

Illustration of a:

multiplication by 25 table
discovered in Susa
dated to approx. -2000
preserved in Louvre museum

Remark: only the products by (1), 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 30, 40, 50 are required (not all the 59 products)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

4/69

SLIDE 2

Egyptian Multiplication

M(n, m, p) = n × m + p Rewriting rules: M(0, m, p) = ⇒ p M(2n, m, p) = ⇒ M(n, 2m, p) M(2n + 1, m, p) = ⇒ M(n, 2m, p + m) Example: 12 × 12 = M(12, 12, 0) = M(6, 24, 0) = M(3, 48, 0) = M(1, 96, 48) = M(0, 192, 144) = 144

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

5/69

First Computer with a Floating-Point Unit

Z3 designed by Konrad Zuse (1910–1995) in 1941, Berlin picture of the version rebuilt in 1961 Source: http://www.epemag.com/zuse/

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

6/69

Z3: Architecture and Characteristics

Unit Control Memory Unit Floating−point Clock generator Reader Tape Punched Output Input reg 2 reg 1 22 22 22 8

5.33 Hertz (lamps) (keyboard) address data data instr.

size 5 m × 2 m × 0.8 m weight ≈ 1000 kg frequency 5.33 Hz technology

elect. relays (num.: 600, mem.: 1400)

power consumption ≈ 4000 W

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

7/69

Z3 : Data Format and Floating-Point Unit

Floating-point representation:

1-bit sign
7-bit exponent represented using 2’s complement

◮ exponent = −64 −

→ 0

◮ exponent = 63 −

→ ∞

14-bit mantissa + 1 implicit bit

Floating-point unit:

addition/subtraction 3 cycles (0.6 s/op.)
multiplication 16 cycles (3.0 s/op.)
division 18 cycles (3.4 s/op.)
square root (variable latency)

Other instructions: read keyboard, display, load, store...

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

8/69

SLIDE 3

Intel 486 Processor

32-bit processor
embedded arithmetic co-processor
first commercialization in 1989
frequencies: 50, 33 and 25,MHz
transistors number: 1.2 × 106
technology: CMOS 0.8 or 1.0 µm
silicon area: 81 mm2
power supply: 5 V
package: 168 PGA
pipeline: 5 stages
L1 cache: 8 KB (4w SA, WT)
1 ALU
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

9/69

Intel Xeon Core i7 (code name: Bloomfield)

64-bit processor
quad core with 2 threads
hyper-threading comm. 6.4 GT/s
3 DDR3-1066 links → 25.6 GB/s
first commercialization in Q4.2008
frequencies: 2.66 to 3.33 GHz
transistors number: 731 × 106
technology: CMOS 45 nm
silicon area: 263 mm2
power supply: 130 W under 1.375 V
socket/package: 1366 LGA
caches: 32 kB I + 32 kB D L1,

4 × 256 kB L2, 8 MB L3

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

10/69

Research in Computer Arithmetic

arithmetic target

validation test accuracy computer arithmetic number systems algorithms implement. application cost speed area memory energy

good adequacy

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

11/69

Design of Computer Arithmetic Operators

perator

x f (x)

perations

±, ×, ÷, √ . . .

p. mod, filters,

sin, cos, exp, log. . . DCT, FFT, crypto.. . . combinations

number systems

integer, redundant, fixed/floating-point, multiple precision, RNS, LNS, DBNS. . . Fp, F2m, F3m

algorithms

polynomial approx., function iterations, tables and operations digit recurrence. . .

implementations t

software: func., lib(m) hardware: FPGA, ASIC area, delay energy

constraints

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

12/69

SLIDE 4

Some Problems in Computer Arithmetic

better arithmetic primitives:

◮ speed (throughput, latency) ◮ silicon area, program size, memory, # intermediate registers ◮ power consumption, energy per operation

limited support in design tools

software: integer, floating-point, libraries for many types hardware: integer, fixed-point, a few IP blocs

validation

accuracy: error bounds, minimal precision, formal proof behavior: overflows, Not a Number design: (formal) verification of the correctness of a program (function, library, hardware bloc, circuit) run time: verification of the correctness of an implementation = functional test

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

13/69

Number Systems

set of represented numbers

◮ integers: N, Z ◮ rationals: Q ◮ real approximations: subset of R ◮ complex approximations: subset of C ◮ finite fields: Fp, F2m, F3m ◮ . . .

system properties

◮ positional or non positional ◮ redundant or non redundant ◮ fixed precision or arbitrary precision (multiple precision) ◮ completeness (in a finite set) ◮ . . .

Number system =

1. data format and encoding
2. a set of interpretation rules for the encoding
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

14/69

Positional Number System(s)

X =

n−1

i=−m

xi βi = (xn−1xn−2 · · · x1x0 . x−1x−2 · · · x−m)

radix β (usually a power of 2)
digits xi (∈ N) in the digit set D
rank or position i, weight βi
n integer digits, m fractional digits

Examples:

β = 10, D = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
β = 2, D = {0, 1}
carry save: β = 2, Dcs = {0, 1, 2}
borrow save: β = 2, Dbs = {−1, 0, 1}
signed digits: β > 2, Dsd,α,β = {−α, . . . , α} with 2α + 1 ≥ β
theoretical systems: β = 1+

√ 5 2

, β = 1 + i. . .

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

15/69

Radix-2 Signed Integers

sign and magnitude (absolute value)

A = (saan−2 . . . a1a0) = (−1)sa ×

n−2

i=0

ai2i

2’s complement

A = (an−1an−2 . . . a1a0) = −an−12n−1 +

n−2

i=0

ai2i

biased (usually B = 2n−1 − 1)

A = Amath + B

. . .
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

16/69

SLIDE 5

Signed Integers

−8 −7 −6 −5 −4 −3 −2 −1 1 2 3 4 5 6 7 8 0111 0110 0101 0100 0011 0010 0001 0000 1001 1010 1011 1100 1101 1110 1111 1000 1001 1010 1011 1100 1101 1110 1111 0000 0001 0010 0011 0100 0101 0110 0111 1111 1110 1101 1100 1011 1010 1001 1000 0111 0110 0101 0100 0011 0010 0001 0000 biased (B=7) 2’s complement integer representations sign/magnitude

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

17/69

Power Consumption in Digital Integrated Circuits

Power sources:

dynamic power:

◮ useful activity due to state modifications ◮ parasitic activity due to circuit defaults

static power: leakage

Example of useful activity (number of transitions):

cycle value 2’s complement t2c sign/magnitude tsm 0000000000000000 0000000000000000 1 1 0000000000000001 1 0000000000000001 1 2

1

1111111111111111 15 1000000000000001 1 3 8 0000000000001000 15 0000000000001000 3 4

27

1111111111100101 15 1000000000011011 4 5 27 0000000000011011 15 0000000000011011 1 total 61 10

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

18/69

Examples of Parasitic Activity

Solution 1 Solution 2

1

s1 i

2

s2 s2 s1 i 2 i 1 i c b a t b c b a a c

stable activity FA FA FA FA FA FA V V H t t cycle i cycle i+1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 H cycle i cycle i+1

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

19/69

Fixed-Point Representations

Widely used in DSPs and digital integrated circuits for higher speed, lower silicon area and power consumption compared to floating point

8 16 23 ranks MSB LSB

2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

−2 −5 −1 −3 −4 −6 −7 −8 −9 −10 −11 −12 −13 −14 −15

2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

−2 −5 −1 −3 −4 −6 −7 −8 −9 −10 −11 −12 −13 −14 −15 −16 8 9 10 11 12 13 14 15

20 2 2 2 2 2 2 2 2

1 2 3 4 5 6 7

2 2 2 2 2 2 2 2

1 2 3 4 5 6 7

2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

−2 −5 −1 −3 −4 −6 −7 −8 −9 −10 −11 −12 −13 −14 −152 −16

1Q15 Q16 N16 or Z16 8Q16

s s s s

Typical fixed-point formats: 16, 24, 32 and 48 bits

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

20/69

SLIDE 6

Floating-Point Representation(s)

Radix-β floating-point representation of x:

sign sx, 1-bit encoding: 0 ⇒ x > 0 and 1 ⇒ x < 0
exponent ex ∈ N on k digits and emin ≤ ex ≤ emax
mantissa mx on n + 1 digits
encoding:

x = (−1)sx × mx × βex mx = x0 . x1 x2 x3 · · · xn xi ∈ {0, 1, . . . , β − 1} For accuracy purpose, the mantissa must be normalized (x0 = 0) Then mx ∈ [1, β[ and a specific encoding is required for the number 0

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

21/69

IEEE-754: basic formats

Radix β = 2, the first bit of the normalized mantissa is always a “1” (non-stored implicit bit) number of bits format total sign exponent mantissa double precision 64 1 11 52 + 1 simple precision 32 1 8 23 + 1

LSB MSB ranks

double precision simple precision

8 16 24 32 40 48 56 63

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

22/69

IEEE-754: Exponent and Special Values

size bias unbiased biased format k b emin emax emin emax SP 8 127 (= 28−1 − 1) −126 127 1 254 DP 11 1023 (= 211−1 − 1) −1022 1023 1 2046 −0 1 00000000 00000000000000000000000 +0 0 00000000 00000000000000000000000 −∞ 1 11111111 00000000000000000000000 +∞ 0 11111111 00000000000000000000000 NaN 0 11111111 00000000000000000000001 (for instance) Not a Number (NaN) is the result of invalid operations such as 0/0, √−1

r 0 × ∞
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

23/69

Logarithmic Number System (LNS)

Representation of x: (sign of x, fixed-point approximation of log2 x) LNS operations: log2(a × b) = log2 a + log2 b log2(a ÷ b) = log2 a − log2 b log2(a ± b) = log2 a + log2(1 ± 2log2 b−log2 a) log2(aq) = q × log2 a where the functions log2(1 + 2x) and log2(1 − 2x) are approximated (tables or polynomials) Applications in digital signal processing and digital control

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

24/69

SLIDE 7

Carry Ripple Adder (CRA)

Very simple architecture: n FA cells connected in series

s s s s s s r r r r r r

5 5 4 4 3 3 2 2 1 1 5 4 3 2 1 1 2 3 4 5

s6 b a FA b a FA b a FA b a FA b a FA b a FA

complexity delay O(n) area O(n) Warning: Sometimes a CRA is also called Carry Propagate Adder (CPA), but CPA also means a non-redundant adder (that propagates)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

25/69

Carry Propagation and Generation

a b c s function d generate 1 d d propagate 1 d d propagate 1 1 1 d generate a, b c s function a = b a d generate a = b d d propagate Sometimes kill is used for generating 0 for the output carry (a = b = 0) p = a ⊕ b g = ab k = ab = a + b

g p k a b

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

26/69

Carry-Select Adder

Idea: computation of the higher half part for the 2 possible input carries (0 and 1) and selection when the output carry from lower half part is known

sn

1

sH aL bL bH aH sL

1 1

lower part higher part

Recursive version − → O(log n) delay

but. . .
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

27/69

Carry-Select Adder: Fanout Problem

1 1 1

a b 1 a b 1 a b 1 a b

3 3 2 2 1 1

1 1 1 1 1 1

s s s s s

1 2 4 3 FA FA FA FA FA FA FA

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

28/69

SLIDE 8

Carry Skip Adder

Idea: split in blocks, fast detection of the block propagation in each block (all ranks of the block propagate the block input carry)

P P P ai:j bi:j si:j ci cj+1

1 1 1

Delay:

uniform block size =

⇒ O(√n)

non-uniform block size?
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

29/69

Carry Lookahead Adder

Idea: compute all carries as fast as possible (instead of propagating them) At rank i, the input carry ci is 1 in the following cases:

rank i − 1 generates a carry

֒ → gi−1 = 1

rank i − 1 propagates a carry generated at rank i − 2

֒ → pi−1 = gi−2 = 1

ranks i − 1 and i − 2 propagate a carry generated at rank i − 3

֒ → pi−1 = pi−2 = gi−3 = 1 . . .

ranks i − 1 to 0 propagate the adder input carry c0 (set to 1)

֒ → pi−1 = pi−2 = . . . = p1 = p0 = c0 = 1

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

30/69

All carries can be computed using the relation (ci = gi−1 + ci−1pi−1): ci = gi−1 + pi−1gi−2 + pi−1pi−2gi−3 + . . . + pi−1 · · · p1g0 + pi−1 · · · p0c0 CLA architecture: parallel evaluation of

(gi, pi) for all i
carries ci for all i using the above equation
sums using si = ai ⊕ bi ⊕ ci = pi ⊕ ci

1 1

s s s s s

n−1 n−1 n−2 n−2 1 1 1 n−1 n−1 n−1 n−1 n−2 n−2 n−2 n−2 1 n n

a b a b a b a b PG PG PG PG p p p p c c c g g g g c c

i

computation of the c ’s

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

31/69

Carry Lookahead Adder: 4-Bit Example

c1 = g0 + p0c0 c2 = g1 + p1g0 + p1p0c0 c3 = g2 + p2g1 + p2p1g0 + p2p1p0c0 c4 = g3 + p3g2 + p3p2g1 + p3p2p1g0 + p3p2p1p0c0

1 1 2 2 3 3 2 4 3 1

g p g p g p g p c c c c c

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

32/69

SLIDE 9

Parallel-Prefix Addition: Standard Architectures

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

carry ripple

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 4 3 2 1

Sklansky

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 4 3 2 1 5 6

Brent−Kung

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 4 2 1 3

Kogge−Stone

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 2 1 3

Han−Carlson

4 5 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

33/69

Redundant or Constant Time Adders

To speed-up the addition, one solution consists in “saving” the carries and using them (this makes sense only in case of multiple additions) In 1961, Avizienis suggested to represent numbers in radix β with digits in {−α, −α + 1, . . . , 0, . . . , α − 1, α} instead of {0, 1, 2, . . . , β − 1} with α ≤ β − 1 Using this representation, if 2α + 1 > β some numbers have several possible representation at the bit level. For instance, the value 2345 (in the standard representation) can be represented in radix 10 with digits in {−5, −4, −3, −2, −1, 0, 1, 2, 3, 4, 5} by the values 2345, 235(-5) or 24(-5)(-5) Such a representation is said redundant In a redundant number system there is constant-time addition algorithm (without carry propagation) where all computations are done in parallel

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

34/69

Carry-Save Adder

In carry-save, the number A is represented in radix 2 using digits ai ∈ {0, 1, 2} coded by 2 bits such that ai = ai,c + ai,s where ai,c ∈ {0, 1} and ai,s ∈ {0, 1} A =

n−1

i=0

ai2i =

n−1

i=0

(ai,c + ai,s)2i

b2 b0 a0 b1 a1 a2 b3 a3 s4 s3 s2 s1 s0 FA FA FA FA FA FA FA FA

1 1 2 2 3 3 4 3 3 3 2 2 2 1 1 1 1 1 2 2 3 3 4

Carry-save addition: delay of 2 FA cells (T = 0(1))

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

35/69

Carry-Save Trees

Example with 3 inputs: A, B and C

c a b c a b c a b c a b c a b a b c

1 1 1 2 2 3 3 3 4 4 4 5 5 5 2

s5 s4 s3 s2 s1 s0 s6 FA FA FA FA FA FA

1 1 2 2 3 3 4 5 6 5 4

Carry-save reduction tree: n(h) non-redundant inputs can be reduced by a h-level carry-save tree where n(h) = ⌊3n(h − 1)/2⌋ and n(0) = 2 h 1 2 3 4 5 6 7 8 9 10 11 n(h) 3 4 6 9 13 19 28 42 63 94 141

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

36/69

SLIDE 10

Borrow-Save Addition

In borrow-save, the number A is represented in radix 2 using digits ai ∈ {−1, 0, 1} coded by 2 bits such that ai = a+

i − a− i

where a+

i ∈ {0, 1} and a− i ∈ {0, 1}

A =

n−1

i=0

ai2i =

n−1

i=0

(a+

i − a− i )2i

a3 b3 a2 b2 a1 b1 a0 b0 a b b b b a a a

3 3 2 2 1 1

s4 s3 s2 s1 s0 s s s s s

4 3 2 1 PPM PPM PPM PPM PPM PPM PPM PPM + + − − − − − − − − + + + + + + + + + + + − − − − − 4 3 3 2 2 1 1 3 3 3 2 2 2 1 1 1 1 1 2 2 3 3 4

Borrow-save addition: delay of 2 PPM cells (T = 0(1))

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

37/69

PPM Cell

a+ b+ d− c+ s− 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Arithmetic equation: 2c+−s− = a++b+−d− Logic equation: s = a+ ⊕ b+ ⊕ d− c = a+b+ + a+d− + b+d−

1

s a b

PPM

1

b a

− +

s −

+ +

FA

d c d c

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

38/69

Side Channel Analysis/Attacks (SCA)

A B E D M k Ek(M) k Dk(Ek(M)) = M E measure k, M??? attack General principle: measure external parameter(s) on running device in

rder to deduce internal informations
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

39/69

What Should be Measured?

Answer: everything that can “enter” and/or “get out” in/from the device

power consumption
electromagnetic radiation
temperature
sound
computation time
number of cache misses
number and type of error messages
...

The measured parameters may provide informations on:

global behavior (temperature, power, sound...)
local behavior (EMR, # cache misses...)
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

40/69

SLIDE 11

Power Consumption Analysis

General principle: measure the current I in the circuit circuit VDD GND I traces Notations: VDD power supply (5, 3, 2.5, 1.2 V), GND ground

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

41/69

“Read” the Traces

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

algorithm =

⇒ decomposition into steps

detect loops

◮ constant time for the loop iterations ◮ non-constant time for the loop iterations

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

42/69

Differences & External Signature

An algorithm has a current signature and a time signature: r = c0 for i from 1 to n do i f ai = 0 then r = r + c1 else r = r × c2 I+ I× t I i ai

1 2 1 3 1 4 5 1 6 7 8 1

T+T× t T

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

43/69

Simple Power Analysis (SPA)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

44/69

SLIDE 12

Limits of the SPA

Example of behavior difference: (activity into a register) t t + 1 0000000000000000 0000000000000000 1111111111111111 0000000000000001 Important: a small difference may be evaluated has a noise during the measurement = ⇒ traces cannot be distinguished Question: what can be done when differences are too small? Answer: use statistics over several traces

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

45/69

Differential Power Analysis (DPA): Example

average correct incorrect incorrect

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

46/69

Electromagnetic Radiation Analysis (1/2)

General principle: use a probe to measure the EMR circuit VDD GND EMR measurement:

global EMR with a large probe
local EMR with a microprobe
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

47/69

Electromagnetic Radiation Analysis (2/2)

EMR analysis methods:

simple electromagnetic analysis: SEMA
differential electromagnetic analysis: DEMA

Local EMR analysis may be used to determine internal architecture details, and then select weak parts

f the circuit for the attack

= ⇒ X-Y table

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

48/69

SLIDE 13

Fault Injection Attacks (1/2)

General principle: try to produce variations for some circuit parameters (w.r.t. their nominal values) in order to generate an internal fault which be “detected” Examples:

modify the power supply
modify the temperature
modify the clock signal
violation of setup/hold times
apply EMR on the circuit
use a laser or strong light
...
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

49/69

Fault Injection Attacks (2/2)

Types of faults:

stuck at faults (1 or 0)
bit flip
prevent some transitions (e.g.: 0 → 1 OK but not 1 → 0)
prevent a jump in a branch
modify the decoding of instructions
...

Faults are used to generate a behavior difference which should be detected by the attacker

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

50/69

Fault Attack Example: Bit Flip on RSA Decryption

A B E D k′ k M C = Ek(M) flip(di) Dk(C) = M

choose a plaintext message M
encrypt M into C = Ek(M)
inject a fault by fliping di for a random i (d is the secret key)
compute M

M = c2i di c2i di

test:

◮

M M = 1 c2i mod N =

⇒ di = 1

◮

M M = c2i mod N =

⇒ di = 0

retry for several i (=

⇒ get small parts of d, then mathematical attacks)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

51/69

Countermeasures

Prevent attacks by using:

additional protection blocks
a modification of the original circuit (i.e. secured version)

Examples:

electrical shielding
use uniform computation durations
use uniform power consumption
use detection/correction codes
add noise (e.g. useless instructions/computations)
circuit reconfiguration

◮ modify the representation of values ◮ modify the algorithms

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

52/69

SLIDE 14

Modular Exponentiation

Algorithm: square and multiply Inputs : x , d = (dm−1 . . . d1d0)2 Output : y = xd

1

R ← − 1

2

i ← − m − 1

3

while (i ≥ 0) do

4

R ← − R2 square

5

i f (di = 1) then

6

R ← − R × x multiply

7

endif

8

i ← − i − 1

9

endwhile

10

return R Main operation for RSA

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

53/69

Square and multiply is Weak!

Attack: SPA Difference at each loop iteration:

di = 1 =

⇒ square and multiply

di = 0 =

⇒ square only Trace example:

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

54/69

SPA Countermeasure: Square and multiply always

Inputs : x , d = (dm−1 . . . d1d0)2 Output : y = xd

1

R ← − 1

2

i ← − m − 1

3

while (i ≥ 0) do

4

R1 ← − R2 square

5

R2 ← − R1 × x multiply

6

i f (di = 1) then

7

R ← − R2

8

else

9

R ← − R1

10

endif

11

i ← − i − 1

12

endwhile

13

return R

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

55/69

ECC: Scalar Multiplication

This is the main operation for ECC Inputs: P a point of the curve E, a large integer k = n−1

i=0 ki2i

Output: the point Q = [k]P = P + P + P + . . . + P

k times

Basic algorithm: double-and-add 1: Q ← − P 2: for i from n-2 to 0 do 3: Q ← − 2P 4: if ki = 1 then Q ← − Q + P Problem: weak for SPA!

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

56/69

SLIDE 15

Countermeasure: Key Recoding

Recoding: w-NAF (non-adjacent form) With k =

n−1

i=0

ki2i, ki ∈ {0, 1} use k with digits in “windows” of w bits |ki| < 2w−1 Example: k = 267 = ( 1 1 1 1 )2 ( 1 1 1 1 )2−NAF ( 1 1 3 )3−NAF ( 1 1 ¯ 5 )4−NAF ( 1 11 )5−NAF Cost: n − 1 DBL and

n w+1 ADD

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

57/69

Double-Base Number Systems (DBNS) (1/3)

Source: L. Imbert Redundant representation based the sum of powers of 2 AND 3: x =

n

i=1

xi2ai3bi, with xi ∈ {−1, 1}, ai, bi ≥ 0 Example: 127 = 108 + 16 + 3 = 72 + 54 + 1 = . . . 1 2 4 8 16 1 1 3 1 9 27 1 1 2 4 8 1 1 3 9 1 27 1

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

58/69

Double-Base Number Systems (DBNS) (2/3)

Smallest x > 0 with n DBNS terms in its decomposition: n unsigned signed 2 5 5 3 23 105 4 431 (4985) 5 18,431 ? 6 3,448,733 7 1,441,896,119 8 ? DBNS is a very sparse and redundant representation Example: 127 has 783 DBNS representations among which 6 are canonic: 127 = (108 + 18 + 1) = (108 + 16 + 3) = (96 + 27 + 4) = (72 + 54 + 1) = (64 + 54 + 9) = (64 + 36 + 27)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

59/69

Double-Base Number Systems (DBNS) (3/3)

Application: ECC scalar multiplication 314159 = 2439 + 2831 − 1 [314159]P = [2439]P + [2831]P − P cost: 12 DBL + 10 TPL + 2 ADD 314159 = 2439 − 2036 − 33 − 32 − 3 − 1 [314159]P = 3(3(3(33([2433]P − P) − P) − P) − P cost: 4 DBL + 9 TPL + 5 ADD

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

60/69

SLIDE 16

Residue Number System (RNS)

Base B = (m1, m2, . . . , mk) of k relatively prime moduli
Size of the base: k

A = {a1, a2, . . . , ak}, ∀i ai = A mod mi Operations: A ± B = (|a1 ± b1|m1, . . . , |ak ± bk|mk) A × B = (|a1 × b1|m1, . . . , |ak × bk|mk)

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

61/69

Residue Number System: Example (1/2)

Base: B = (8, 7, 5, 3) Dynamic range: M = 8 × 7 × 5 × 3 = 840, i.e., 0 ≤ A < M Astd ARNS [0, 0, 0, 0] 1 [1, 1, 1, 1] 2 [2, 2, 2, 2] 3 [3, 3, 3, 0] 4 [4, 4, 4, 1] 5 [5, 5, 0, 2] 6 [6, 6, 1, 0] 7 [7, 0, 2, 1] 8 [0, 1, 3, 2] Astd ARNS 9 [1, 2, 4, 0] 10 [2, 3, 0, 1] 11 [3, 4, 1, 2] 12 [4, 5, 2, 0] 13 [5, 6, 3, 1] 14 [6, 0, 4, 2] 15 [7, 1, 0, 0] 16 [0, 2, 1, 1] 17 [1, 3, 2, 2] Astd ARNS 18 [2, 4, 3, 0] 19 [3, 5, 4, 1] 20 [4, 6, 0, 2] 21 [5, 0, 1, 0] 22 [6, 1, 2, 1] 23 [7, 2, 3, 2] 24 [0, 3, 4, 0] 25 [1, 4, 0, 1] 26 [2, 5, 1, 2]

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

62/69

Residue Number System: Example (2/2)

Operands: A = 6 = [6, 6, 1, 0] and B = 16 = [0, 2, 1, 1] Addition:

(6 + 0) mod 8 = 6
(6 + 2) mod 7 = 1
(1 + 1) mod 5 = 2
(0 + 1) mod 3 = 1

Verification: 22 = [6, 1, 2, 1] Multiplication:

(6 × 0) mod 8 = 0
(6 × 2) mod 7 = 5
(1 × 1) mod 5 = 1
(0 × 1) mod 3 = 0

Verification: 96 = [0, 5, 1, 0]

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

63/69

Residue Number System: Conversions

From standard to RNS: ∀i ai = A mod mi From RNS to standard: Using a constructing proof of the Chinese Remainder Theorem (CRT) A =

k

i=1

aiMi|M−1

i

|mi mod M where

M = k

i=1 mi, A < M

Mi = M/mi
|M−1

i

|mi is the inverse of Mi modulo mi

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

64/69

SLIDE 17

Residue Number System: Summary

Advantages:

fast addition/subtraction and multiplication (parallel)
no carry propagation (on the whole format)
natural way to split large numbers (simple scheduling)
no order in the elements

Disadvantages:

difficult comparison (< and >)
difficult division
difficult sign test
difficult magnitude computation
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

65/69

Circuit-Level Representations of Digits

Standard representation of a bit b:

VDD =

⇒ b = 1, GND = ⇒ b = 0 b Dual-rail representation of a bit b:

r1 = VDD r0 = GND =

⇒ b = 1

r1 = GND r0 = VDD =

⇒ b = 0 r0 r1 Benefit: same number of transitions for 0 → 1 and 1 → 0 Cost: larger area and memory High-radix coding: radix 4 with digits in {−2, −1, 0, 1, 2} ± 20 21 ± 1 2 −2 −1 1 2

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

66/69

Good Books

Digital Arithmetic Milos Ercegovac and Tomas Lang

2003. Morgan Kaufmann

ISBN: 1–55860–798–6 Guide to Elliptic Curve Cryptography

D. Hankerson, A. Menezes and S. Vanstone
2004. Springer

ISBN: 0–387–95273–X

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

67/69

Good Books

CMOS VLSI Design (3rd edition)

N. Weste and D. Harris
2004. Addison Wesley

ISBN: 0–321–14901–7

A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

68/69

SLIDE 18

The end, some questions ?

Contact:

mailto:arnaud.tisserand@irisa.fr
http://www.irisa.fr/prive/Arnaud.Tisserand/
CAIRN Group

http://www.irisa.fr/cairn/

IRISA Laboratory, CNRS–INRIA–Univ. Rennes 1

6 rue K´ erampont, BP 80518, F-22305 Lannion cedex, France Thank you

ECOFAC 2010 http://ecofac2010.irisa.fr

´

Ecole th´ ematique CNRS: conception faible consommation pour les syst` emes embarqu´ es temps r´ eel

29 mars – 2 avril 2010, Plestin les Gr`

eves, Cˆ

tes-d’Armor, Bretagne
A. Tisserand, CNRS–IRISA–CAIRN. Exotic Number Systems for Hardware Arithmetic Operators

69/69