
Efficient Modular Arithmetic: Montgomery Multipliers & Exponentiation Units

Learn about Montgomery Multipliers, Exponentiation Units, and modular arithmetic in RSA encryption. Understand how to compute exponentiation efficiently and perform modular multiplication using advanced algorithms such as the Montgomery method. Improve your understanding of secure cryptographic systems.



  1. Lecture 7 Montgomery Multipliers & Exponentiation Units

  2. Motivation: Public-key ciphers

  3. Secret-key (Symmetric) Cryptosystems [Figure: Alice and Bob communicate over a network through Encryption and Decryption blocks; both use the key of Alice and Bob, $K_{AB}$]

  4. Key Distribution Problem: $N$ users require $\frac{N \cdot (N-1)}{2}$ keys. Users: 100, keys: 5,000; users: 1000, keys: 500,000.

  5. Digital Signature Problem: Both corresponding sides have the same information and are able to generate a signature. There is a possibility of • the receiver falsifying the message • the sender denying that he/she sent the message

  6. Public Key (Asymmetric) Cryptosystems [Figure: Alice and Bob communicate over a network through Encryption and Decryption blocks; public key of Bob $K_B$, private key of Bob $k_B$]

  7. Non-repudiation [Figure: Alice sends Message and Signature to Bob. Each side applies a Hash function to the Message; a Public key cipher is used with Alice's private key and with Alice's public key; Hash value 1 and Hash value 2 are compared (yes / no)]

  8. RSA as a trap-door one-way function. PUBLIC KEY: message $M$ to ciphertext $C$, $C = f(M) = M^e \bmod N$. PRIVATE KEY: $M = f^{-1}(C) = C^d \bmod N$. $N = P \cdot Q$; $P, Q$ - large prime numbers; $e \cdot d \equiv 1 \bmod ((P-1)(Q-1))$

  9. RSA keys. PUBLIC KEY: $\{ e, N \}$. PRIVATE KEY: $\{ d, P, Q \}$. $P, Q$: large prime numbers. $N$: $N = P \cdot Q$. $e$: $\gcd(e, P-1) = 1$ and $\gcd(e, Q-1) = 1$. $d$: $e \cdot d \equiv 1 \bmod ((P-1)(Q-1))$

  10. Mini-RSA keys. PUBLIC KEY: $\{ e, N \}$. PRIVATE KEY: $\{ d, P, Q \}$. $P, Q$: $P = 5$, $Q = 11$. $N$: $N = P \cdot Q = 55$. $e$: $\gcd(e, 5-1) = 1$ and $\gcd(e, 11-1) = 1$, $e = 3$. $d$: $3 \cdot d \equiv 1 \bmod 40$, $d = 27$

  11. Mini-RSA as a trap-door one-way function. PUBLIC KEY: message $M = 2$ to ciphertext $C = 8$, $C = f(2) = 2^3 \bmod 55 = 8$. PRIVATE KEY: $M = f^{-1}(C) = 8^{27} \bmod 55 = 2$. $N = 5 \cdot 11$; 5, 11 - prime numbers; $3 \cdot 27 \equiv 1 \bmod ((5-1)(11-1))$

  12. Basic Operations of RSA. Encryption: $C = M^e \bmod N$ (ciphertext $C$, plaintext $M$ and public key modulus $N$ are $k$ bits each; the public key exponent $e$ has $L < k$ bits). Decryption: $M = C^d \bmod N$ (plaintext $M$, ciphertext $C$ and private key modulus $N$ are $k$ bits each; the private key exponent $d$ has $L = k$ bits).

  13. Modular arithmetic

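  14. Quotient and remainder. Given integers $a$ and $n$, $n>0$: $\exists!\, q, r \in \mathbb{Z}$ such that $a = q \cdot n + r$ and $0 \le r < n$. $q$ – quotient: $q = \lfloor a/n \rfloor = a \text{ div } n$. $r$ – remainder (of $a$ divided by $n$): $r = a - q \cdot n = a - \lfloor a/n \rfloor \cdot n = a \bmod n$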

  15. mod 5 = • -32 mod 5 =

  16. Integers congruent modulo n. Two integers $a$ and $b$ are congruent modulo $n$ (equivalent modulo $n$), written $a \equiv b \pmod n$, iff $a \bmod n = b \bmod n$, or $a = b + kn$, $k \in \mathbb{Z}$, or $n \mid a - b$

  17. Rules of addition, subtraction and multiplication modulo n: $a + b \bmod n = ((a \bmod n) + (b \bmod n)) \bmod n$; $a - b \bmod n = ((a \bmod n) - (b \bmod n)) \bmod n$; $a \cdot b \bmod n = ((a \bmod n) \cdot (b \bmod n)) \bmod n$

  18. 9 · 13 mod 5 = 25 · 25 mod 26 =

  19. Laws of modular arithmetic. Regular addition: $a+b = a+c$ iff $b = c$. Modular addition: $a+b \equiv a+c \pmod n$ iff $b \equiv c \pmod n$. Regular multiplication: if $a \cdot b = a \cdot c$ and $a \ne 0$ then $b = c$. Modular multiplication: if $a \cdot b \equiv a \cdot c \pmod n$ and $\gcd(a, n) = 1$ then $b \equiv c \pmod n$

  20. Modular Multiplication: Example. $18 \equiv 42 \pmod 8$; $6 \cdot 3 \equiv 6 \cdot 7 \pmod 8$; $3 \not\equiv 7 \pmod 8$

      x            0 1 2 3 4 5 6 7
      6 · x mod 8  0 6 4 2 0 6 4 2

      x            0 1 2 3 4 5 6 7
      5 · x mod 8  0 5 2 7 4 1 6 3

  21. Basic Modular Exponentiation

  22. How to perform exponentiation efficiently? $Y = X^E \bmod N = X \cdot X \cdot X \cdot X \cdot X \cdots X \cdot X \bmod N$ ($E$ times). $E$ may be in the range of $2^{1024} \approx 10^{308}$. Problems: 1. huge storage necessary to store $X^E$ before reduction; 2. amount of computations infeasible to perform. Solutions: 1. modulo reduction after each multiplication; 2. clever algorithms (200 BC, India, “Chandah-Sûtra”)

  23. Exponentiation: $Y = X^E \bmod N$, with $E = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

      Right-to-left binary exponentiation:

          Y = 1; S = X;
          for i=0 to L-1 {
              if (e_i == 1) Y = Y · S mod N;
              S = S^2 mod N;
          }

      Left-to-right binary exponentiation:

          Y = 1;
          for i=L-1 downto 0 {
              Y = Y^2 mod N;
              if (e_i == 1) Y = Y · X mod N;
          }

  24. Right-to-Left Binary Exponentiation in Hardware [Figure: block diagram with inputs X and 1, registers S and Y (with enable), exponent E, SQR and MUL units, output]

  25. Left-to-Right Binary Exponentiation in Hardware [Figure: block diagram with inputs 1 and X, register Y, Control Logic driven by exponent E, one MUL unit, output]

  26. Modular Multiplication

  27. Algorithms for Modular Multiplication. Multiplication: • Classical ($k^2$) • Karatsuba ($k^{\lg_2 3}$) • Schönhage-Strassen (FFT) ($k \cdot \ln(k)$). Multiplication combined with modular reduction: • Montgomery algorithm ($k^2$). Modular Reduction: • Classical ($k^2$) • Barrett • Selby-Mitchell: complexity same as multiplication used ($k^2$)

  28. Montgomery Multiplication

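  29. Montgomery Modular Multiplication (1). $X, Y, M$ – $(n-1)$-bit numbers; $Z = X \cdot Y \bmod M$. Integer domain to Montgomery domain: $X \rightarrow X' = X \cdot 2^n \bmod M$; $Y \rightarrow Y' = Y \cdot 2^n \bmod M$. $Z' = MP(X', Y', M) = X' \cdot Y' \cdot 2^{-n} \bmod M = (X \cdot 2^n) \cdot (Y \cdot 2^n) \cdot 2^{-n} \bmod M = X \cdot Y \cdot 2^n \bmod M$. Hence $Z = X \cdot Y \bmod M$ corresponds to $Z' = Z \cdot 2^n \bmod M$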

  30. Montgomery Modular Multiplication (2). $X \rightarrow X'$: $X' = MP(X, 2^{2n} \bmod M, M) = X \cdot 2^{2n} \cdot 2^{-n} \bmod M = X \cdot 2^n \bmod M$. $Z' \rightarrow Z$: $Z = MP(Z', 1, M) = (Z \cdot 2^n) \cdot 1 \cdot 2^{-n} \bmod M = Z \bmod M = Z$

  31. Basic version of the Radix-2 Montgomery Multiplication Algorithm

  32. Montgomery Product. $S[0] = 0$; for $i = 0$ to $n-1$: $S[i+1] = \frac{S[i] + x_i Y}{2}$ if $q_i = (S[i] + x_i Y) \bmod 2 = 0$, and $S[i+1] = \frac{S[i] + x_i Y + M}{2}$ if $q_i = (S[i] + x_i Y) \bmod 2 = 1$; $Z = S[n]$. $M$ assumed to be odd

  33. Basic version of the Radix-2 Montgomery Multiplication Algorithm
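The Montgomery product of slide 32, combined with the domain conversions of slides 29-30 and the left-to-right exponentiation of slide 23, as an added Python example that is not part of the original lecture. The function names and the final conditional subtraction (which keeps every result below M) are assumptions, not taken from the slides.

```python
# Added example (not from the lecture): radix-2 Montgomery product and
# exponentiation in the Montgomery domain. Function names are hypothetical.

def mont_product(x, y, m, n):
    """Radix-2 Montgomery product: returns x*y*2^(-n) mod m for odd m."""
    assert m % 2 == 1, "M is assumed to be odd"
    s = 0                                    # S[0] = 0
    for i in range(n):
        xi = (x >> i) & 1                    # bit x_i, least significant first
        t = s + xi * y
        q = t & 1                            # q_i = (S[i] + x_i*Y) mod 2
        s = (t + q * m) >> 1                 # adding M when q_i = 1 makes the sum even
    # Assumption: final correction step (not on the slide) so the result is < M.
    return s - m if s >= m else s

def mont_exp(x, e, m):
    """Left-to-right binary exponentiation, every product done by mont_product."""
    n = m.bit_length() + 1                   # M is an (n-1)-bit number, as on slide 29
    r2 = pow(2, 2 * n, m)                    # constant 2^(2n) mod M
    x_m = mont_product(x % m, r2, m, n)      # X' = X * 2^n mod M
    y_m = mont_product(1, r2, m, n)          # 1' = 2^n mod M
    for i in reversed(range(e.bit_length())):
        y_m = mont_product(y_m, y_m, m, n)   # Y = Y^2
        if (e >> i) & 1:
            y_m = mont_product(y_m, x_m, m, n)   # Y = Y * X
    return mont_product(y_m, 1, m, n)        # Z = MP(Z', 1, M): back to integers
```

With the Mini-RSA keys of slides 10-11, `mont_exp(2, 3, 55)` gives the ciphertext 8 and `mont_exp(8, 27, 55)` recovers the message 2.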

  34. Project 2 Rules • Groups consisting of 2 students (preferred) or a single student (if needed) • Each group works on different architectures • Each group of two works on two similar architectures. Members of the group can freely exchange VHDL code and ideas with each other. • Students working individually work on a single architecture. They must not exchange code with other students. • Members of the group of two are graded jointly, unless they agree to split no later than two weeks before the Project deadline.

  35. Investigated Montgomery Multipliers Non-Scalable Scalable G1 G2 • McIvor, et al. • based on 5-to-2 CSA • based on 4-to-2 CSA • Koc & Tenca • radix 2 • radix 4 G3 • Huang, et al. • Architecture 2 • Huang, et al. • Architecture 1 G4 G5 • Savas et al. • radix 2 • radix 4 • Harris, et al. • radix 2 • radix 4 G6 • Suzuki • Virtex 5 DSP • Stratix III DSP

  36. Investigated Montgomery Multipliers. Non-Scalable: • dedicated to one particular operand size • operand size is described by a generic, and can be changed only after reconfiguration • size of the circuit varies as a function of the operand size. Scalable: • flexible, can handle multiple operand sizes • operand size is described by a special input, and can be changed during run-time • size of the circuit is constant

  37. Assumptions (1) Operand sizes: Evaluated parameters: • Max. Clock Frequency [MHz] • Min. Latency [clock cycles] • Min. Latency [μs] • Resource Utilization (CLB slices/ALUTs, DSP Units, Block Memories) • Latency x Area [μs x CLB slices/ALUTs]

  38. Project 2 Rules • Montgomery Multiplier - required • Montgomery Exponentiation Unit – bonus • Virtex 5 and Stratix III – required • Virtex 6 and Stratix IV - bonus • 1024 and 2048 bit operand sizes required • 3072 and 4096 bit operand sizes bonus

  39. Assumptions (2) • Uniform Interface (to be provided, but may need to be tweaked depending on the architecture) • Test vectors generated using reference software implementation (may need to be extended to generate intermediate results) • Your own testbench.

  40. Montgomery Multipliers based on Carry Save Adders

  41. Carry Save Adder (CSA) [Figure: a row of full adders (FA); inputs $a_{n-1} \ldots a_0$, $b_{n-1} \ldots b_0$, $c_{n-1} \ldots c_0$; outputs $s_{n-1} \ldots s_0$ and $c_n \ldots c_1$]

  42. Operation of a Carry Save Adder (CSA). Example:

             2^4  2^3  2^2  2^1  2^0
      x       0    1    0    1    0
      y       1    1    0    1    1
      z       1    0    1    1    1
      s       0    0    1    1    0
      c   1   1    0    1    1

      x+y+z = s + c

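  43. Carry-save adder for four operands [Figure: operands $x_3 \ldots x_0$, $y_3 \ldots y_0$, $z_3 \ldots z_0$, $w_3 \ldots w_0$; first level gives $s_3 \ldots s_0$ and $c_4 \ldots c_1$; second level combines them with $w_3 \ldots w_0$ into $s'_3 \ldots s'_0$ and $c'_4 \ldots c'_1$; final sum $S_5 \ldots S_0$]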

  44. Carry-save adder for four operands [Figure: circuit with signals $s_3 \ldots s_0$, $c_4 \ldots c_1$, $s'_3 \ldots s'_0$, $c'_4 \ldots c'_1$]

  45. Carry-save adder for four operands [Figure: four 4-bit operands x, y, z, w; a CSA produces s, c; a second CSA produces s’, c’; a CPA produces S]

  46. Radix-2 Montgomery Multiplication with Carry Save Addition

  47. Carry Save Reduction 4-to-2 U+V+W+Y = S+C

  48. Radix-2 Montgomery Multiplier Based on Carry Save Reduction 4-to-2
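One way to combine the carry-save reduction of slides 41-47 with the Montgomery product of slide 32, as an added Python example rather than the architecture of any of the cited papers. Function names are hypothetical, and the final conditional subtraction is an assumption not shown on the slides.

```python
# Added example (not from the lecture): radix-2 Montgomery product with the
# running sum S kept in carry-save form. Function names are hypothetical.

def csa(x, y, z):
    """3-to-2 carry-save adder: x + y + z == s + c, no carry propagation."""
    s = x ^ y ^ z                                # per-bit full-adder sum
    c = ((x & y) | (x & z) | (y & z)) << 1       # per-bit carry, one position up
    return s, c

def csa_4to2(u, v, w, y):
    """4-to-2 reduction from two CSA levels: u + v + w + y == s + c."""
    s, c = csa(u, v, w)
    return csa(s, c, y)

def mont_product_cs(x, y, m, n):
    """x*y*2^(-n) mod m (m odd) with S held as a (sum, carry) pair."""
    ss, sc = 0, 0
    for i in range(n):
        xy = y if (x >> i) & 1 else 0            # x_i * Y
        q = (ss ^ sc ^ xy) & 1                   # q_i from the three LSBs only
        ss, sc = csa_4to2(ss, sc, xy, m if q else 0)
        ss, sc = ss >> 1, sc >> 1                # total is even, so both LSBs are 0
    z = ss + sc                                  # single carry-propagate addition (CPA)
    return z - m if z >= m else z                # assumption: final correction step
```

`csa(10, 27, 23)` reproduces the example of slide 42 (s = 00110, c = 110110); inside the loop no carry is ever propagated across the full operand width, and only the last line performs a full addition.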

  49. Montgomery Multipliers and Exponentiation Units by McIvor, et al.
