
RNS Modular Computations for Cryptographic Applications Karim Bigou - PowerPoint PPT Presentation



  1. RNS Modular Computations for Cryptographic Applications
  Karim Bigou, CNRS – IRISA – CAIRN
  RAIM 2015: April 7 – 9
  Karim Bigou, RNS for Asymmetric Cryptography, RAIM 2015: April 7 – 9, 1 / 23

  2. Context
  One objective of our research group: design efficient implementations of asymmetric cryptography using fast arithmetic techniques.
  Examples of targeted cryptosystems:
  - RSA [RSA78]
  - Discrete logarithm cryptosystems: Diffie-Hellman [DH76] (DH), ElGamal [Elg85]
  - Elliptic curve cryptography (ECC) [Mil85] [Kob87]
  The residue number system (RNS) is a representation which enables fast computations for cryptosystems requiring large integers (or $\mathbb{F}_P$ elements).
  Objective of my PhD: exploit RNS properties to speed up cryptographic computations.

  3. Residue Number System (RNS) [SV55] [Gar59]
  X, a large integer of ℓ bits (ℓ ≈ 160–4096), is represented by:
    $\vec{X} = (x_1, \ldots, x_n) = (X \bmod m_1, \ldots, X \bmod m_n)$
  [Figure: n parallel channels; channel i receives the w-bit residues $x_i$ of X and $y_i$ of Y, computes $x_i \pm y_i$ or $x_i \times y_i$, reduces the result mod $m_i$ and outputs the w-bit residue $z_i$ of Z.]
  RNS base $\mathcal{B} = (m_1, \ldots, m_n)$: n pairwise co-prime moduli of w bits, with $n \times w \geq \ell$.
  The Chinese remainder theorem (CRT) is the basis of RNS.
  Note: an EMM is a w-bit elementary modular multiplication (one channel).

  4. RNS Properties
  Pros:
  - Carry free between channels: each channel is independent.
  - Fast parallel +, −, × and some exact divisions: computations over all channels can be performed in parallel; an RNS multiplication requires n EMMs.
  - Non-positional number system: randomization of internal computations (SCA countermeasures).
  - Flexibility for hardware implementations: the number of hardware channels and the number of theoretical channels can be different, giving various area/time trade-offs and multi-size support.
  Cons:
  - Comparison, modular reduction and division are much harder.

  5. RNS Uses in Cryptography
  In cryptography, RNS has been used for implementations of:
  - RSA and discrete logarithm (DL, Diffie-Hellman and ElGamal), e.g. [NMSK01, Gui11, BEG13, PITM13, SS14]
  - Elliptic curve cryptography (ECC), e.g. [SG08, Gui10, ESJ+13, BM14]
  - Pairings in large characteristic, e.g. [CDF+11, YFCV12]
  - Lattice-based cryptography, e.g. [BEMP14]
  Over various platforms, such as:
  - FPGA circuits (Xilinx and Altera), e.g. [Gui10, CDF+11, ESJ+13, BM14]
  - ASIC circuits, e.g. [GLP+12, BEG13]
  - GPU, e.g. [SG08, ABS12]
  - CPU, e.g. [LP07, LPL09]

  6. RNS Montgomery Reduction (MR) [PP95]
  Input: $\vec{X}$, $\vec{X}'$ (X in bases $\mathcal{B}$ and $\mathcal{B}'$) with $X < \alpha P^2 < PM$ and $3P < M'$
  Output: $(\vec{\omega}, \vec{\omega}')$ with $\omega \equiv X \times M^{-1} \bmod P$ and $0 \leq \omega < 3P$
    $\vec{Q} \leftarrow \vec{X} \times \overrightarrow{(-P^{-1})}$ (in base $\mathcal{B}$)
    $\vec{Q}' \leftarrow \mathrm{BE}(\vec{Q}, \mathcal{B}, \mathcal{B}')$
    $\vec{S}' \leftarrow \vec{X}' + \vec{Q}' \times \vec{P}'$ (in base $\mathcal{B}'$)
    $\vec{\omega}' \leftarrow \vec{S}' \times \overrightarrow{M^{-1}}$ (in base $\mathcal{B}'$)
    $\vec{\omega} \leftarrow \mathrm{BE}(\vec{\omega}', \mathcal{B}', \mathcal{B})$
  $\alpha$ is a parameter chosen to speed up some computations, $M = \prod_{i=1}^{n} m_i$.
  MR cost: $2n^2 + O(n)$ EMMs.
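The RNS representation of slide 3 and the Montgomery reduction above, as an added example (this is not code from the slides or from the author's implementation). It builds two five-channel bases of 32-bit moduli, takes the Mersenne prime $2^{127} - 1$ as the assumed field modulus P, and runs MR step by step. The base extension is the exact CRT conversion, not Kawamura's approximate BE, which is why the output here satisfies ω < 2P rather than only the 3P the slide guarantees. All names, parameter choices and the helper `pick_base` are assumptions of this example.

```python
"""RNS representation, channel-wise arithmetic, base extension and the RNS
Montgomery reduction of slide 6.  Added example, not code from the slides.
The base extension used here is the exact CRT conversion, not Kawamura's
approximate BE, so the 3P output bound holds with margin (omega < 2P)."""
from math import gcd, prod

W = 32                    # channel width w (assumed)
N = 5                     # channels per base; n*w = 160 bits, so 9P < M for P below
P = (1 << 127) - 1        # assumed field modulus: the Mersenne prime 2^127 - 1


def pick_base(count, start, avoid=()):
    """Return `count` pairwise-coprime moduli scanning down from `start`,
    each also coprime to every modulus in `avoid` (makes B' coprime to B)."""
    base, m = [], start
    while len(base) < count:
        if all(gcd(m, o) == 1 for o in base + list(avoid)):
            base.append(m)
        m -= 1
    return base


B = pick_base(N, (1 << W) - 1)          # base B  = (m_1, ..., m_n)
Bp = pick_base(N, (1 << W) - 1, B)      # base B' = (m'_1, ..., m'_n)
M, Mp = prod(B), prod(Bp)               # M = prod m_i,  M' = prod m'_i


def preconditions_hold(alpha=9):
    """Slide 6 requires alpha*P^2 < P*M (i.e. alpha*P < M) and 3P < M'.
    alpha = 9 covers products of two MR outputs, each below 3P."""
    return alpha * P < M and 3 * P < Mp


def to_rns(x, base):
    """Residues (X mod m_1, ..., X mod m_n)."""
    return [x % m for m in base]


def from_rns(xs, base):
    """CRT reconstruction: the unique X in [0, prod(base)) with X = x_i mod m_i."""
    total = prod(base)
    return sum(r * (total // m) * pow(total // m, -1, m)
               for r, m in zip(xs, base)) % total


def rns_mul(xs, ys, base):
    """Channel-wise product: n independent EMMs, no carry between channels."""
    return [(x * y) % m for x, y, m in zip(xs, ys, base)]


def rns_add(xs, ys, base):
    return [(x + y) % m for x, y, m in zip(xs, ys, base)]


def be(xs, src, dst):
    """Base extension BE(x, src, dst): residues of the same integer in dst."""
    return to_rns(from_rns(xs, src), dst)


# Precomputed vectors used by MR: (-P^-1) in B, P in B', M^-1 in B'.
NEG_P_INV_B = [(-pow(P, -1, m)) % m for m in B]
P_BP = to_rns(P, Bp)
M_INV_BP = [pow(M, -1, m) for m in Bp]


def mr(x_b, x_bp):
    """RNS Montgomery reduction [PP95], step by step as on slide 6.
    Input: X in B and B' with X < 9P^2.  Output: (w_B, w_B') with
    w = X * M^-1 mod P and 0 <= w < 3P."""
    q_b = rns_mul(x_b, NEG_P_INV_B, B)                 # Q  <- X * (-P^-1)  in B
    q_bp = be(q_b, B, Bp)                              # Q' <- BE(Q, B, B')
    s_bp = rns_add(x_bp, rns_mul(q_bp, P_BP, Bp), Bp)  # S' <- X' + Q' * P' in B'
    w_bp = rns_mul(s_bp, M_INV_BP, Bp)                 # w' <- S' * M^-1    in B'
    w_b = be(w_bp, Bp, B)                              # w  <- BE(w', B', B)
    return w_b, w_bp


def mont_mul_mod_p(a, b):
    """A*B mod P with one RNS multiplication (n EMMs) plus one MR.
    Inputs are Montgomery-scaled by M so the M^-1 of MR cancels:
    MR((aM)(bM)) = abM mod P; the unscaling is done once, outside RNS."""
    am, bm = (a * M) % P, (b * M) % P
    x_b = rns_mul(to_rns(am, B), to_rns(bm, B), B)
    x_bp = rns_mul(to_rns(am, Bp), to_rns(bm, Bp), Bp)
    w_b, _ = mr(x_b, x_bp)
    w = from_rns(w_b, B)                 # abM + kP with 0 <= k < 3
    return (w * pow(M, -1, P)) % P


if __name__ == "__main__":
    a, b = (1 << 100) + 7, (1 << 120) + 11
    print(mont_mul_mod_p(a, b) == (a * b) % P)
```

`mont_mul_mod_p` unscales after a single multiplication only for the sake of checking the result; an exponentiation would keep operands in the Montgomery domain and unscale once at the end, so that each modular multiplication costs exactly one RNS multiplication plus one MR. The exact `from_rns` used inside `be` is a big-integer CRT and exists only to make the example checkable offline; the hardware BE of Kawamura et al. works channel by channel at about $n^2$ EMMs per extension, which is where the $2n^2$ term of the slide's cost comes from.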

  7. Typical RNS Computation Flow
  [Figure: timeline of an RNS computation, with time running left to right and one row per channel (1 to n). Legend: ±× over one channel; ±× over one RNS vector; base extension; modulo P in RNS (i.e. over n channels).]

  8. Selection of State-of-the-art Cryptography with RNS
  (implem. column, as on slide 5: A = ASIC, F = FPGA, G = GPU, P = CPU)
  ref.        conf./journ.    yy  usage      implem.  platform
  [BDK98]     IEEE TC         98  RSA        N
  [KKSS00]    EuroCrypt       00  RSA        N
  [NMSK01]    CHES            01  RSA        A        250 nm
  [CNPQ03]    MWSCAS          03  RSA        F        Virtex 2
  [BI04]      IEEE TC         04  RSA        N
  [MPS07]     IMA CC          07  RSA        G        7800GTX
  [LP07]      ASSC            07  RSA        P        Xtensa
  [SG08]      CHES            08  RSA, ECC   G        8800GTS
  [SFM+09]    IEEE TCAS I     09  ECC        F        Virtex E
  [LPL09]     TENCON          09  ECC        P        Xtensa
  [Gui10]     CHES            10  ECC        F        Stratix I & II
  [CDF+11]    CHES            11  Pair.      F        Virtex 6, Stratix 3, Cyclone 2
  [GLP+12]    IEEE TC         12  RSA        A        45 nm
  [ABS12]     Comp. J.        12  ECC        G        285GTX
  [BEG13]     ARITH           13  RSA        A        250 nm
  [PITM13]    DSD             13  RSA        F        Spartan 3
  [ESJ+13]    IEEE TVLSI      13  ECC        F        Virtex E, Virtex 2 Pro, Stratix II
  [SS14]      IEEE TCAS I     14  RSA        F        Virtex 6, Virtex 2
  [BM14]      CARDIS          14  ECC        F        Kintex 7
  [SGXYC14]   ISIC            14  RSA        F        Virtex 5

  9. Cox-Rower RNS Architecture [KKSS00, Gui10]
  [Figure: an n × w-bit input is distributed over channels 1 to n; a CTRL block drives one cox unit and n rowers (rower 1 … rower n), each rower handling one w-bit channel; the w-bit results of the rowers form the output.]

  10. How to Speed Up RNS Computations for Cryptography?
  Two main ideas to reduce the impact of modular reductions:
  Reduce the cost of modular reduction in specific contexts, for instance:
  - rearranging computations in an ECC context [Gui10]
  - rearranging computations in an RSA exponentiation context [GLP+12]
  - using optimizations for several usual computation patterns [BT14]
  Reduce the number of modular reductions, for instance:
  - computing patterns of the form $AB + CD \bmod P$ in ECC formulas [BDE13]
  - computing the modular inversion with our PM-MI algorithm in an ECC context [BT13]

  11. Fast Patterns for RNS Computations

  12. Improving Modular Computations
  RNS modular multiplication (MM) is the most costly operation in RNS cryptographic applications (ECC, RSA, DL).
  Two different multiplications:
  - simple RNS multiplication: n EMMs
  - MM = simple RNS multiplication + MR: $2n^2 + O(n)$ EMMs
  Goal: accelerate some specific but usual computation patterns that use RNS modular multiplications.
  Examples:
  - modular squares
  - modular multiplications by constants
  - more complex patterns with operand reuse
  In the state of the art, RNS does not support accelerations for these patterns (except accelerations inside channels).

  13. Proposed Modular Multiplication
  A first approach has been proposed in our work [BT14] with a new modular multiplication algorithm.
  Idea: split operands into 2 parts and introduce partial reductions.
  - Only $\frac{3}{2}n$ moduli required vs $2n$ (3 half-bases $\mathcal{B}_a$, $\mathcal{B}_b$, $\mathcal{B}_c$ of $n/2$ moduli each)
  - The Split of X can be performed once for all reuses of X
  Constraint: it requires a hypothesis on P, which is not possible for RSA but possible for ECC and discrete logarithm.
  - The constraint is $\mu P + 1 = M_a \times D$ with $\mu$ small
  - $\mu P - 1 = M_a \times D$ is also possible (for discrete logarithm)

  14. Decomposition with Split Algorithm
  Input: $\vec{X}_{a|b|c}$
  Precomp.: $\overrightarrow{(M_a^{-1})}_{b|c}$
  Output: $\overrightarrow{(K_x)}_{a|b|c}$, $\overrightarrow{(R_x)}_{a|b|c}$ with $\vec{X}_{a|b|c} = \overrightarrow{(K_x)}_{a|b|c} \times \overrightarrow{(M_a)}_{a|b|c} + \overrightarrow{(R_x)}_{a|b|c}$
    $\overrightarrow{(R_x)}_{b|c} \leftarrow \mathrm{BE}(\overrightarrow{(R_x)}_a, \mathcal{B}_a, \mathcal{B}_{b|c})$   (with $\overrightarrow{(R_x)}_a = \vec{X}_a$, since $M_a \equiv 0$ in base $\mathcal{B}_a$)
    $\overrightarrow{(K_x)}_{b|c} \leftarrow (\vec{X}_{b|c} - \overrightarrow{(R_x)}_{b|c}) \times \overrightarrow{(M_a^{-1})}_{b|c}$
    if $\overrightarrow{(K_x)}_{b|c} = \overrightarrow{-1}$ then   /* Kawamura BE correction */
      $\overrightarrow{(K_x)}_{b|c} \leftarrow \vec{0}$
      $\overrightarrow{(R_x)}_{b|c} \leftarrow \overrightarrow{(R_x)}_{b|c} - \overrightarrow{(M_a)}_{b|c}$
    $\overrightarrow{(K_x)}_a \leftarrow \mathrm{BE}(\overrightarrow{(K_x)}_b, \mathcal{B}_b, \mathcal{B}_a)$
    return $\overrightarrow{(K_x)}_{a|b|c}$, $\overrightarrow{(R_x)}_{a|b|c}$
  Note: the cost of Split is dominated by the 2 BEs (the first one is larger than the second one).
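The Split of slide 14 over the three half-bases of slide 13, as an added example (not code from the slides or from [BT14]). It follows the algorithm line by line with exact CRT base extensions. An exact BE never overshoots, so the Kawamura correction branch would never run; the optional `overshoot` flag injects the $+M_a$ offset that branch is written for, a constructed fault used only to exercise it, not a model of Kawamura's BE. The Split itself never touches P; the hypothesis $\mu P + 1 = M_a \times D$ belongs to the multiplication of slide 13 that consumes $K_x$ and $R_x$, which these slides do not detail. Bases, widths and function names are this example's choices.

```python
"""Split decomposition X = K_x * M_a + R_x over three half-bases (slide 14).
Added example, not from the slides.  Base extensions are exact CRT
conversions; the optional `overshoot` flag injects the +M_a error that the
slide's "Kawamura BE correction" guards against (a constructed fault)."""
from math import gcd, prod

W, HALF = 32, 3                 # w-bit channels; n/2 = 3 moduli per half-base (assumed)


def pick_base(count, start, avoid=()):
    """Pairwise-coprime moduli scanning down from `start`, also coprime to `avoid`."""
    base, m = [], start
    while len(base) < count:
        if all(gcd(m, o) == 1 for o in base + list(avoid)):
            base.append(m)
        m -= 1
    return base


Ba = pick_base(HALF, (1 << W) - 1)
Bb = pick_base(HALF, (1 << W) - 1, Ba)
Bc = pick_base(HALF, (1 << W) - 1, Ba + Bb)
Ma, Mb, Mc = prod(Ba), prod(Bb), prod(Bc)
Bbc = Bb + Bc                   # the slide's B_{b|c}; residues of B_b come first


def to_rns(x, base):
    return [x % m for m in base]


def crt(xs, base):
    """CRT: the X in [0, prod(base)) with X = x_i mod m_i for every channel."""
    t = prod(base)
    return sum(r * (t // m) * pow(t // m, -1, m) for r, m in zip(xs, base)) % t


def be(xs, src, dst, overshoot=False):
    """BE(x, src, dst).  With overshoot=True it returns x + prod(src) instead,
    mimicking a BE output that is one source-product too large."""
    x = crt(xs, src) + (prod(src) if overshoot else 0)
    return to_rns(x, dst)


MA_INV_BC = [pow(Ma, -1, m) for m in Bbc]   # precomputed (M_a^-1)_{b|c}
MA_BC = to_rns(Ma, Bbc)                     # (M_a)_{b|c}
MINUS_ONE_BC = [m - 1 for m in Bbc]         # the RNS vector of -1 in B_{b|c}


def split(x_a, x_bc, overshoot=False):
    """Returns ((K_x)_{a|b|c}, (R_x)_{a|b|c}) with X = K_x*M_a + R_x.
    Assumes X < M_a*M_b so that K_x < M_b fits in B_b for the last BE."""
    r_a = x_a                                   # R_x = X mod M_a, hence (R_x)_a = X_a
    r_bc = be(r_a, Ba, Bbc, overshoot)          # (R_x)_{b|c} <- BE((R_x)_a, B_a, B_{b|c})
    k_bc = [((x - r) * mi) % m                  # (K_x)_{b|c} <- (X - R_x) * M_a^-1
            for x, r, mi, m in zip(x_bc, r_bc, MA_INV_BC, Bbc)]
    if k_bc == MINUS_ONE_BC:                    # Kawamura BE correction
        k_bc = [0] * len(Bbc)
        r_bc = [(r - ma) % m for r, ma, m in zip(r_bc, MA_BC, Bbc)]
    k_a = be(k_bc[:HALF], Bb, Ba)               # (K_x)_a <- BE((K_x)_b, B_b, B_a)
    return k_a + k_bc, r_a + r_bc


def check_split(x, overshoot=False):
    """Runs split on X and reconstructs K_x, R_x over the full base a|b|c.
    Returns (identity holds, R_x < M_a, K_x, R_x)."""
    k, r = split(to_rns(x, Ba), to_rns(x, Bbc), overshoot)
    full = Ba + Bbc
    kx, rx = crt(k, full), crt(r, full)
    return kx * Ma + rx == x, rx < Ma, kx, rx


if __name__ == "__main__":
    print(check_split((1 << 150) + 12345)[:2])            # (True, True)
    print(check_split(987654321, overshoot=True)[:2])     # (True, True): K_x = 0 case corrected
    print(check_split((1 << 150) + 12345, overshoot=True)[:2])  # (True, False)
```

The last call shows what the correction does and does not do: when the first BE returns $R_x + M_a$ and $K_x \geq 1$, the algorithm outputs $K_x - 1$ and $R_x + M_a$, which still satisfies $X = K_x M_a + R_x$ and is harmless for the consumer; only the $K_x = 0$ case would yield a negative quotient, and that is exactly the $-1$ the branch tests for. Detecting $-1$ is unambiguous in RNS because $K_x$ is far smaller than $M_{b|c}$, so a vector of all $m_i - 1$ cannot be a legitimate quotient.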
