High-Speed RSA Crypto-Processor with Radix-4 4 Modular Multiplication and Chinese Remainder Theorem

Size: px

Start display at page:

Download "High-Speed RSA Crypto-Processor with Radix-4 4 Modular Multiplication and Chinese Remainder Theorem"

Timothy Conley
5 years ago
Views:

1 High-Speed RSA Crypto-Processor with Radix-4 4 Modular Multiplication and Chinese Remainder Theorem Bonseok Koo 1, Dongwook Lee 1, Gwonho Ryu 1, Taejoo Chang 1 and Sangjin Lee 2 1 Nat (NSRI), Korea 2 Center for Information Security Technology (CIST) Korea University, Korea

2 Outline 1 2 Background Radix-4 Modular Multiplier 3 4 Modular Reduction RSA Crypto-processor processor 5 6 Result & Performance Conclusion 2

3 Background RSA Public Key Algorithm Key generation Choose two large primes P, Q and let N = PQ Choose a public exponent e mutually prime to ϕ(n) = (P-1)(Q-1) Calculate a private exponent d Encryption satisfying ed = 1 mod ϕ(n) Calculate the ciphertext C = M e mod N, where M < N Decryption M = C d mod N 3

4 Background Modular exponentiation uses a sequence of modular multiplications e n 1 e 2i 1 0 2n i i en 1 2e1 e n 1 = 0, where i= M = M = M M M highly depends on the implementation of modular multiplication For high-speed RSA Implementation High-radix modular multiplication CRT (Chinese Remainder Theorem) Hardware calculation of modular reduction e = 0 e i 2, e i {0,1} i 4

5 Radix-4 modular multiplier Montgomery modular multiplication Modulo 2 and division by 2 are simpler than division by N suitable for hardware implementation carry propagation from very large operand additions(step 4) makes critical path systolic-array or CSA addition used to solve this problem 5

6 Radix-4 modular multiplier Systolic array architecture Pipelining structure based on 1-bit full adders 2n clock cycles for a modular multiplication 3n clock cycles for two interleaved modular multiplications 6

7 Radix-4 modular multiplier CSA(Carry Save Addition) architecture no carry propagation requires a separate adder(w-bit) for final addition n+n/w n clock cycles for a modular multiplication fully parallel architecture, relatively easy to control 7

8 Radix-4 modular multiplier used radix-4 Montgomery modular multiplication rearranged Hong s radix-4 algorithm for CSA style implementation 8

9 Radix-4 modular multiplier Basic architecture of our radix-4 modular multiplier consists of (n+2) & (n+3) CSAs two 2-bit adders BR & RT Blocks 3 registers a w-bit adder RT(Reduction Table) generates neg N & N i critical path 4FAs+2XORs+AND # of clock cycles ( n+ 3)/2 + ( n+ 2)/ w + 1 n/2 9

10 Radix-4 modular multiplier supporting CRT Using CRT for RSA calculation used for RSA private key operation (decryption and signature) the two n/2-bit modular exponentiations (Steps 3~4) calculated in parallel, 4 times faster than the n-bit exponentiation two n/2-bit modular multipliers are required for the speed-up modify the n-bit radix-4 modular multiplier to support CRT 10

11 Radix-4 modular multiplier supporting CRT CSA has fully parallel architecture easy to modify our n-bit multiplier to two n/2-bit multipliers selectively does an n-bit modular multiplication two n/2-bit modular multiplications treats the input A(B) as an (n+2)-bit input or concatenation of two (n/2+1)-bit inputs treats the input N as concatenation of two n/2-bit moduli, P & Q # of clock cycles for two n/2-bit ( n/2+ 3)/2 + ( n/2+ 2)/ w + 1 n/4 11

12 Modular Reduction In RSA decryption with CRT C = C mod P and C = C mod Q are required P Q Montgomery mapping constant is required for Montgomery exponentiation Pre-computations are not practical (N is a public key, C P is a ciphertext!) Software implementation would degrade the performance of system implement a modular reduction logic in hardware 12

13 Modular Reduction used Koc s modular reduction algorithm uses CSA and sign estimation technique sign estimation technique estimates the sign of a number represented by CSA style ( + ) if y = i= 0 i 3 y i= 0 i i i i i n 2+ i n 2+ i i= 0 i= 0 i= 0 ES( S, C) ( ) if y = 1 and y = 0 ( ± ) if = 1, where Y = y 2 = s 2 + c 2 modified the algorithm to operate for arbitrary n-bit modulo used shift-up and down method for the fixed position of sign estimation 13

14 Modular Reduction architecture of our modular reduction logic consists of an (n+2)-bit CSA a logn bit up/down counter 2 a 4-bit adder four registers a w-bit separate adder the 4-bit adder calculates Y used for sign estimation # of clock cycles X is (n+k) bits, N is an n-bit modulo of which MSB l-bits are all 0 s 2 l + ( k + l + 1) + 2 ( n+ 2)/ w k + l 14

15 RSA crypto-processor Overall architecture of our high speed RSA crypto-processor can do modular exponentiation and modular reduction selectively 15

16 RSA crypto-processor When sel_mr is 0 executes L-R Montgomery modular exponentiation N_reg, M_reg, E_reg store the values N, M, e respectively R_reg stores the Montgomery mapping constant K at the start and the final result at the end with radix-4 modular multiplier supporting CRT executes an n-bit modular exponentiation (sel_crt = 0 ) or two n/2-bit modular exponentiations in parallel (sel_crt = 1 ) # of clock cycles of exponentiation (on average) ( n /2 + n / w) n ( n2/8 + n2/4 w) 3 n 16 2 for an n-bit exponentiation (sel_crt = 0 ) for two n/2-bit exponentiations (sel_crt = 1 ) 16

17 RSA crypto-processor When sel_mr is 1 executes modular reduction, X mod N M_reg and E_reg store X (shared for efficiency), X is 2n+2 bits # of clock cycles of modular reduction n ( n+ 3)/ w n 1.5n ( n+ 3)/ w 1.5n for calculation of K (if MSB of N = 1 ) for calculation of C P (if MSB of P = 1 ) 17

18 Result and Performance Synthesis result with ASIC library used 32-bit CLA for final addition Samsung 0.18um CMOS standard cell library & Design Compiler synthesis tool critical path delay 3 ns, 300MHz clock rate requires 0.84M clock cycles for a 1024-bit exponentiation 300MHz 0.25M cycles for two 512-bit exponentiations 300MHz 18

19 Result and Performance Performance Comparison (1024-bit designs) Kwon [13] Tech (um) 0.5 Gate count 156K Freq (MHz) 50 No. of cycles n 2 Op. time (ms) 43 Baud rate (Kbps) 45 CRT non Mod Reduc no Blum[6] FPGA - 45 n 2 / non no Cho[22] - 230K 40 n 2 / non no McIvor [23] FPGA - 97 n 2 / CRT no Ours K n 2 / ,233 both yes 19

20 Conclusion Proposed a high-speed RSA crypto-processor used Radix-4 Montgomery modular multiplication based on CSA designed the modular multiplier which supports CRT hardware implementation of modular reduction to speed up the calculation of Montgomery mapping constant, modular reduced ciphertext Throughput with 0.18um ASIC library 365Kbps for a 1024-bit modular exponentiation 1.233Mbps for two 512-bit modular exponentiations 20

21 Thank you for your attention

CARRY SAVE COMMON MULTIPLICAND MONTGOMERY FOR RSA CRYPTOSYSTEM

CARRY SAVE COMMON MULTIPLICAND MONTGOMERY FOR RSA CRYPTOSYSTEM American Journal of Applied Sciences 11 (5): 851-856, 2014 ISSN: 1546-9239 2014 Science Publication doi:10.3844/ajassp.2014.851.856 Published Online 11 (5) 2014 (http://www.thescipub.com/ajas.toc) CARRY