Efficient RNS bases for Cryptography

Transcription

1 1 Efficient RNS bases for Cryptography Jean-Claue Bajar, Nicolas Meloni an Thomas Plantar LIRMM UMR 5506, University of Montpellier, France, Abstract Resiue Number Systems (RNS) are useful for istributing large ynamic range computations over small moular rings, which allows the spee up of computations. This feature is well known, an alreay use in both DSP an cryptography. In this paper we eal with implementation for huge numbers like those use for ciphering as with RSA or ECC on prime finite fiels. Moular multiplication is the main operation of these protocols. We fin very interesting moular multiplication algorithms in RNS where the conversion from an RNS basis to another represents the main part of the complexity. Hence, we propose in this paper an analysis of the criteria for selecting some bases giving efficient conversions. We conclue by giving methos for constructing an efficient basis in function of the size of ifferent parameters like the basic operators, the key of the cryptosystem, etc. Resiue Number Systems (RNS) are useful for istributing large ynamic range computations over small moular rings, which allows the spee up of computations. This feature is well known, an alreay use in both DSP an cryptography. In this paper we eal with implementation for huge numbers like those use for ciphering as with RSA or ECC on prime finite fiels. Moular multiplication is the main operation of these protocols. We fin very interesting moular multiplication algorithms in RNS where the conversion from an RNS basis to another represents the main part of the complexity. Hence, we propose in this paper an analysis of the criteria for selecting some bases giving efficient conversions. We conclue by giving methos for constructing an efficient basis in function of the size of ifferent parameters like the basic operators, the key of the cryptosystem, etc. - Inex Terms RNS, MRS, moular reuction, ivision by a constant, bases conversion.rns, MRS, moular reuction, ivision by a constant, bases conversion.- I. INTRODUCTION The Resiue Number Systems (RNS) are base on the very ol Chinese Remainer Theorem (CRT) [Knu81] [Gar59]. This theorem can be written as following: Theorem 1 (Chinese Remainer Theorem): We consier a set of coprime numbers (m 1, m,..., m n ). We note M = n i=1, If we consier (x 1, x,..., x n ) of integer such that x i <. Then there exits an unique X which verifies: 0 X < M an x i = X mo = X mi for 1 i n. (1) The set (m 1, m,..., m n ) of coprimes is generally calle RNS basis. An obvious remark is that the main interest of the Resiue Number Systems is to istribute integer operations on the resiues values. Thus an operation with large integers is mae on the resiues which are small numbers an where computations can be execute inepenently for each moulo allowing a complete parallelization of the calculus. One omain where those systems are helpful, is cryptography [PP95] [BDK98]. The numbers use are huge, 160 bits for Elliptic Curves Cryptography (ECC) an 104 bits for RSA. These systems offer a goo alternative to implemente parallel computing. Aition an multiplication are easily parallelizable with RNS. But some operations, like ivision [Gam89] or moular multiplication[pp95], [BDK01], [BI04], nee conversions from RNS to an other RNS basis. Those operations have been stuie in [BP04] where some criteria for RNS basis was given. We propose to take into account in this approach, the basic moulo algorithms use on a RNS operator on one moulo. The organization of the paper is the following. We first present conversion algorithms from RNS to RNS, analyzing them through the point of view of the RNS bases. Then, we give algorithms for aition an multiplication implemente in the basic moulo operators. We show that the conition for efficient basic operators are compliant to the criteria useful for the bases conversion in RNS. II. CONVERSION FROM RNS TO RNS There are two main methos for conversion: one irectly base on the CRT, an one which uses an auxiliary representation name Mixe Raix Representation (MRS). We note B = (m 1, m,..., m n ) an B = ( m 1, m,..., m n ) two RNS bases. A. With the Chinese Remainer Theorem In the proof of the Chinese Remainer Theorem we show, that the system given by (1) has a solution X such

2 that: n X = x 1 M i 1 mi M i () M i=1 Where, M i = M for 1 i n an M i 1 m represents i the inverse of M i moulo. The conversion from B to B, is obtaine from the equation () which becomes for j {1,..., n}: n X = x 1 M i 1 mi M i fmj α M fmj fmj fmj i=1 where α is such that: X + αm = (3) n x 1 M i 1 mi M i i=1 The main rawbacks of this approach are ue to two elements: first the ifficulty to evaluate α [SK89] [HP94], [PP95], then the ranom aspect of the constant factors M i 1 an M i fmj in (3). B. Using a mixe raix system Like for RNS, we efine as a MRS basis a set of integers (m 1, m,..., m n ) an an integer X, inferior to M, is represente by (x 1,..., x n), with x i < for i {1,..., n}, such that: X = x 1 +x m 1 +x 3m 1 m +...+x nm 1...m n 1 (4) A naive approach [ST67] consists in applying to the RNS representation of X, the extraction of a resiue an the ivision by the raix (which is ifferent at each step). We note m 1 i,j the inverse of moulo m j such that:.m 1 i,j 1 (mo m j ). Thus the conversion can be escribe by the following equations: x 1 = x 1 mo m 1 x = (x x 1)m 1 1, mo m x 3 = ((x 3 x 1)m 1 1,3 x )m 1,3 mo m 3. x n = (.(x n x 1)m 1 1,n x n 1)m 1 n 1,n mo m n (5) There is another approach [Knu81] where we factorize all the inverses in (5). But in this case we loose all the possibilities to parallelize. When the MRS representation is known we apply the expression (4) to each moulo: x j = X mo m j x j = x 1 + m 1 (x + m (x m n 1 x n)...) m j (6) We will see that, with the conversion using MRS, it is possible to use some properties of the elements of the two bases to reuce the cost of this operation. III. ALGORITHMS FOR BASIC MODULO OPERATORS All the RNS complexities are given in number of basic moulo operations on small mouli (or m j ). It is clear that costs of RNS algorithms epens also of the efficiency of such operators. We present in this section the aition an the multiplication moulo (or m j ). We will see in the next section that another operator; a multiplier by an inverse, coul be useful for the conversions. In this section we consier that the mouli of the RNS bases use are represente with the same number k of igits. We note, for i = 1...n, = k c i (resp. = k c i ). For the moment c i is just a number lower than k, we will show that for certain values the operators coul be very efficient. A. The aition We consier two integers a an b such that 0 a, b < an their sum s that we want to reuce moulo. We have the following ientities: a + b = s = s 1 k + s 0 = s 1 + c i s 1 + s 0 So consiering the reuction moulo we obtain a+b c i s 1 +s 0 (mo ). Furthermore, as 0 a, b <, we know that a + b < 1, in other wors a+b < k +( k c i 1). We can obviously euce that s 1 1. It means that only one reuction by coul be neee. We note that we have two possible results a + b if this sus lower than, or else a + b + c k. We remark that this secon possibility implies that a + b + c is greater than k. Thus we only have to test the overflow bit to know which is the right solution. The aition moulo is given by the following algorithm Algorithm 1: moa(a, b, ) Data: 0 a, b < Result: s = a + b mo p 0 a + b; c i ; if 1 k then s 1 mo k ; else s 0 ; en To resume algorithm 1, the mouli aition is equivalent to two aitions, the comparison 1 > k correspons to the overflow which is use for selecting the result.

3 3 B. The multiplication As for the aition, the operans are a an b such that 0 a, b <. We note p = a b the prouct of those two values, an we will reuce p moulo. For this, we ecompose p such that: p = p 1 k + p 0 = p 1 + c i p 1 + p 0. Thus, a b c i p 1 + p 0 (mo ). We note p = c i p 1 + p 0 The conition 0 a, b <, gives that p < m 1 1 < k an p 1 < k. Now, if we suppose that c i < t, then we obtain with this first reuction p = c i p 1 + p 0 < k ( t 1) + k = k+t. A secon reuction is neee. We ecompose p such that p = p 1 k + p 0. Like previously, we obtain a b c i p 1 + p 0 (mo ). We note p = c i p 1 + p 0 an we remark immeiately that, as p < k+t, p 1 < t. Now if we consier that t < k 1 then we assume that p < k + t <. Thus we just nee to reuce p like in the aition algorithm to fin the final result. For 1 < t < (k 1)/ we have the following algorithm for the mouli multiplication operator. Algorithm : mopro(a, b, ) Data: 0 a, b < with = k c i an c i < t an 1 < t < (k 1)/ Result: r = a b mo p p a b; p 1 p k ; p 0 p mo k ; p c i p 1 + p 0 ; p 1 p k ; p 0 p mo k ; p c i p 1 + p 0; ρ p + c i ; if ρ k then r ρ mo k ; else r p ; en This algorithm gives the moular prouct with one multiplication of two k-bits integers, one multiplication of a k-bits number by a t-bits constant, one multiplication of a t-bits number by a t-bits constant, an three aitions of k-bits numbers. The operations k an mo k are pure register hanling. If, we consier that a multiplier of a k-bits number by a t-bits constant is equivalent to the half of a multiplier of two k-bits integers, an a multiplier of a t-bits number by a t-bits constant is equivalent to the quarter of a multiplier of two k-bits integers, (we note that here we i not take into account the constant operans which coul have some properties useful for improving the complexity) then, the multiplication moulo (or m j ) is one with a complexity equivalent to one plus three quarters of a k-bits multiplier. If we note M(k) the complexity of a k-bits multiplier, the obtaine complexity for the moulo operator is 7 4 M(k). The conclusion of this section is that with = k c i such that c i < t an 1 < t < (k 1)/, we assume that aition an multiplication moulo are efficient. IV. A NEW USEFUL ALGORITHM FOR THE BASIC MODULAR OPERATORS Most of the stuies on RNS propose to use a basis like { k 1, k, k + 1}. This kin of basis is very useful in igital signal processing where the values are boune an not too huge. The algorithms propose in the literature [Pie94], [CN99] use generally the CRT approach. But it is not clear that it is the best choice. Conversion using Mixe Raix System (MRS) are often a goo approach even for a three elements basis { k 1, k, k + 1}. If we observe the equation (5) we can consier m 1 = k + 1, m = k 1, an m 3 = k, then, since m 1 mo m =, m 1 mo m 3 = 1 an m mo m 3 = 1, we euce that m 1 1, = n 1, m 1 1,3 = 1 an m 1,3 = 1. Thus the conversion from binary to MRS can be reuce to one shift an four aitions, then conversion to binary nees at most two shifts an four aitions. Now if we consier huge numbers like those use in cryptography, then we show in this section, that the use of MSR can be efficient for some RNS bases. Like in the previous section we consier that for i = 1...n, = k c i (resp. = k c i ) with 0 c i < t (resp. 0 c i < t ) an 1 < t < (k 1)/. The conversion via MRS use the equations (5) an (6).We fin in them two operations: moular multiplication by the moular inverse of a small number for (5) an moular multiplication by a small number for (6). A. Moular multiplication by a moular inverse of a small number In fact, in the equations (5), we have to multiply by m j 1 for 1 j < i n. Consiering that, = k c i we have m j 1 = c i c j 1. We know that t < c i c j < t. Thus, as 1 < t < (k 1)/, we can consier c i c j like a small value represente on t bits. The sign is not a real problem but to simplify the stuy we assume that the elements of the basis are ecreasing orere, m j > for 1 j < i n. To resume, the main operations in (5) are of the form y = x 1 m mo m where x an m are two k-bits integers an a small value (ie t bits number).

4 4 P. Montgomery [Mon85] has propose a reuction where an inverse factor appears in the result. We propose to use it to compute y = x 1 m mo m. Thus, we will construct a multiple of the value by aing to x a multiple of m, this multiple of is equivalent to x moulo m. Then we ivie it by, which is an exact operation, an we obtain y a reuce value lower than m, which is equivalent to x 1 m moulo m. In other wors, we must construct µ such that: µ < an x + µs a multiple of, then, as the ivision of x + µm by is exact, we obtain the expecte value y. This evaluation is one with the algorithm 3 where sciv(x, ) returns (r x, q x ) which are the remainer an the quotient of the eucliian ivision by (such that: x = r x + q x with 0 r x < ). The proceure sciv(x, ) is escribe in the algorithm??. Algorithm 3: : moiv(x,,m) Data: two given integers, m with 0 < < m an gc(m, ) = 1 an an integer x, 0 x < m Precompute: r m, q m an I m such that: m = r m + q m with r m < an I m = ( m) 1 mo Result: an integer y with y = x 1 m mo m (r x, q x ) sciv(x, ); (µ,.) bariv(r x I m, ); ν (r x + µ r m ) ; (0, ρ) bariv(ν, ) ; y ρ + q x + µ q m ; Now, we analyze the complexity of this algorithm step by step, we note δ 1 < δ t : 1) r x an q x are the remainer an the quotient of the eucliian ivision of a k-bits integer x by a small given integer (δ-bits number). For this operation we call a specific proceure sciv(x, ) which will be escribe below. ) r x an I m are smaller than, so µ is obtaine with a classical Barret moular reuction [Bar86] on a δ-bits number, applie to the prouct r x I m. This supposes also that we will store for each possible value of. µ is the remainer obtaine with bariv(r x I m, ) 3) ν is evaluate with one prouct of a δ-bits by a (k δ)-bits numbers an one aition of a k-bits number with a δ-bits one. 4) ρ is obtaine with bariv which evaluates the quotient of the eucliian ivision of ν a δ-bits integer by a given δ-bits integer. 5) y is the result of one prouct of a δ-bits by a δ an (k δ)-bits numbers, one aition of two δ-bits integers an one aition. We can easily verify that: y y = x + µ m = rx+µrm = x+µ m + q x + µq m < m since x < m an µ < Hence, as the ivision is exact, x + µ s a multiple of, we get y = x 1 m mo m. We note that, for this algorithm 3, some values are pre-compute, an nee to be store. For each value of, we will have to store r m, q m an I m, an this for each element of the basis. Thus taking into account that < t an the equation (5), the size of the tables neee is equal to n n (k + t) bits 1. 1) the proceure sciv of ivision by a small constant : The proceure sciv evaluates the remainer r x an the quotient q x of the eucliian ivision of an integer x by a small given integer. As is known, we are in a context close to the one of Barrett s algorithm [Bar86]. We propose to aapt this algorithm to our purpose. The main iea of the Barrett algoriths base on fining the quotient q of the ivision by for x < δ using the following equation: ( δ x ) q = δ 1 + ɛ, with, ɛ = 0, 1, δ+1 δ is a pre-compute value, thus we just have one mutiplication of two (δ + 1)-bits numbers, other operations are truncations, fining ɛ can nee one or two substraction. The j algorithm bariv(x, ) returns (q, r) such that k δ x q = δ 1 an r = x q, for x < δ+l δ+1 an δ 1 < δ. 1 It is possible to reuce those tables to n n (k + t) if we consier that k bits are enough to store r m an q m

5 5 Algorithm 4: : bariv(x, ) Data: x < δ an δ 1 < δ Precompute: δ Result: ( (r, q) such that r = x q < 3 q δ x ) 1 ; δ 1 q q ; δ+1 3 r x q ( r < 3); 4 while r > o r r ; q q + 1 ; en The complexity analysis gives: 1) one prouct of two (δ + 1)-bits numbers, ) one shift, 3) one prouct of (δ + 1)-bits numbers, an one subtraction of (δ + )-bits numbers. 4) at most two subtractions of (δ)-bits numbers, Now in algorithm 3 we nee to ivie x a k-bits integer by a δ-bits number. So, bariv cannot be use irectly. We propose the algorithm 5 which consier the values written in raix δ an uses bariv to fin the igits of the remainer an the quotient. Algorithm 5: : Division by a small constant sciv(x, ) Data: two integers x < k an δ 1 < δ Result: two integers R, Q with R + Q = x an 0 R < R x; Q 0; for i k δ to 0 o R R ( δ ) i ; R R mo ( δ ) i ; (R, Q ) bariv(r, ); R R ( δ ) i + R; Q Q ( δ ) i + Q; en Analysis of the complexity of algorithm 5: 1) we just consier that R is split into two parts, the δ upper bits an the lδ lower bits. ) we call bariv to make a reuction of R (a δ-bits number) by (a δ-bits constant), an to recover Q which is the quotient of this reuction. 3) we rebuil R with the reuce upper part R. Since R is on δ-bits, we just shift R. 4) we buil Q with the quotient of the reuction of R. We have to notice that Q coul be on δ + 1-bits. In orer to avoi making an aition on each loop, we can consier that Q = ( k δ ) i=0 Q i (δ ) i, where Q i is the value of the variable Q at the i th step of algorithm 5. Then we notice that computing L = ( k δ ) i=0 (Q i mo δ )( δ ) i an U = ( k δ ) i=0 (Q i δ )( δ ) i can be one without any aitions ( but only with shifts ) because (Q i mo δ ) an (Q i δ ) are δ-bits integers. As Q i = (Q i mo δ ) + (Q i δ )( δ ), we have Q = L + U( δ ). So Q can be compute with only one aition. Finally the cost of sciv is k δ 1 call to bariv an one k-bits aition. Now we can evaluate the complexity of a call to moiv. We begin by a call to sciv with two integers, one of k-bits an one of δ-bits. We also call bariv twice to reuce a δ-bits number by a δ-bits number. Moreover, we have to compute two multiplication of δ-bits number an one multiplication of a number of δ-bits by a number of k δ + 1-bits. At last, we compute one aition of δ-bits, one of δ + 1-bits an two of k-bits. If we set l = k δ, we can evaluate the complexity of moiv to (l + 1) multiplications an (4l + 1) aitions of δ-bits number. We also call bariv (l + 1) times, but if we consier that the cost of bariv can be evaluate to two δ-bits multiplications an four δ-bits aitions, we have a final complexity of (3l + 3) multiplications an (8l + 5) aitions. So our approach to make a multiplcation by the inverse of a small number is about (3l + 3) δ-bits multiplications. Yet, the classical way to compute a multiplcation by an inverse is to precompute the inverse an to make a moular multiplication. If we use Barrett s algorithm to make the moular multiplication, we obtain a l + 4l δ-bits multiplications complexity. B. Analysis of this conversion from RNS to RNS via MRS To make the whole conversion we have in fact two conversions to o. First we have a RNS to MRS conversion, mae of n(n 1) steps. Each step being compose of one call to a k-bits moa an one multiplication of a k-bits numbers by a inverse of a δ-bits number using moiv. Seconly we have a MRS to RNS conversion, mae of n(n 1) steps. Each steps being compose of a moular multiplication of a t-bits number by a k-bits number an a call to a k-bits moa. If we look at the progress of the algorithm of the moular multiplication we have one multiplication of a k-bits number by a t-bits number, one multiplication of a t-bits number by a t-bits number an two k-bits aitions. We can simplify the complexity of the RNS to RNS conversion to n(n 1) (5l + 5) t-bits multiplications an

6 6 n(n 1) (0l+5) t-bits aitions. In table I we recapitulate the ifferent compexities of our algorithms ( we just give the number of t-bits multiplications ). We compare our metho to the general case where the s are choosen without any special properties. Operation Our metho Classic way mopro l + l + 1 l + 4l moiv 3l + 3 l + 4l 3 RNS-MRS n(n 1)(l + 1) n(n 1)(l + l) MRS-RNS n(n 1)(l + 1) n(n 1)(l + 4l) 5 RNS-RNS n(n 1)(l + 1) 3n(n 1)(l + l) TABLE I COMPARAISON OF OUR METHOD AND THE CLASSIC WAY FOR THE COST OF THE DIFFERENT RNS OPERATIONS V. CONSTRUCTION OF EFFICIENT RNS BASES Now the probles to fin RNS bases such that those ifferences are minimal. To simplify this stuy we can consier that the two bases are orere such that: m 1 > m >... > m n > m 1 > m >... > m n. Thus we set δ max the maximum number of bits to represent the max of m 1 m n an m 1 m n. So, the question is: What is the minimal interval of k-bits integers, which contains n coprime numbers? Or, how many coprimes can we get in an interval of size δ max? In the table II, we give the δ max one have to use on 16, 3 or 64-bits systems, in orer to obtain RNS basis for classic cryptographic lengths. Cryptographic length k TABLE II DIFFERENT δ max NEEDED TO USE DIFFERENT SYSTEMS AND CRYPTOGRAPHIC LENGTHS Example 1: If we compute on a 3-bits system an if we want to execute an ECC on 160 bits, we can use the two bases buil with = 3 c i where c i is in [3, 5, 9, 15, 17] an = 3 c i where c i is in [19, 1, 3, 7, 9]. So we have δ max = 4 an the cost of a multipliciation by an inverse is about 7 4-bits multiplications. Example : If we compute on a 3-bits system an if we want to execute an RSA on 104 bits, we can use the two bases buil with = 3 c i where c i is in [3, 5, 17, 3, 7, 9, 39, 47, 57, 65, 71, 75, 77, 83, 93, 99, 105, 107, 113, 117, 19, 135, 143, 149, 153, 159, 167, 168, 173, 185, 189, 195] an = 3 c i where c i is in [85, 97, 99, 303, 309, 315, 33, 37, 39, 339, 353, 359, 363, 365, 369, 383, 387, 395, 413, 419, 49, 437, 453, 465, 467, 479, 483, 485, 489, 497, 507, 509]. So we have δ max = 8 an the cost of a multiplication by an inverse is about 15 8-bits multiplications. VI. CONCLUSION We have seen in this paper that choosing successive coprime numbers can allow to construct efficient RNS implementations. As all the values of an RNS bases are close, we can choose one reference element an efine the others by their ifferences to it, thus we just use small values. With this choice of mouli, the storage is reuce to nlog (t) + k bits for the.we also have propose some specific algorithms, wich take into account our choice of mouli, in orer to obtain efficient RNS to RNS base conversions. Moreover, one shoul notice that it is easy to fin such bases for cryptographic applications, as shown in table II. At last, we o not have taken into account the possibility of selecting ranomize bases [BILT04] which is interesting in cryptography. It is a new very interesting use of RNS, which nees to be stuie in future works. REFERENCES [Bar86] P. Barrett. Implementing the rivest, shamir an aleman public key encryption algorithm on a stanar igital processor. In A. M. Olyzko, eitor, Avances in Cryptology, Proceeings of Crypto 86, pages , [BDK98] J.-C. Bajar, L.-S. Diier, an P. Kornerup. An RNS montgomery moular multiplication algorithm. IEEE Transactions on Computers, 47(7): , [BDK01] J.-C. Bajar, L.-S. Diier, an P. Kornerup. Moular multiplication an base extension in resiue number systems. In L. Ciminiera N. Burgess, eitor, 15th IEEE Symposium on Computer Arithmetic, pages 59 65, Vail Colorao, USA, 001. IEEE Computer Society Press. [BI04] J.-C. Bajar an L. Imbert. A full rns implementation of rsa. IEEE Transactions on Computers, 53(6): , 004. [BILT04] J.-C. Bajar, L. Imbert, P.LY. Liaret, an Y. Teglia. Leak resistant arithmetic. In L. Ciminiera N. Burgess, eitor, CHES 004, pages 59 65, Boston MA, USA, 004. LNCS Kluwer. [BP04] J.C. Bajar an T. Plantar. Rns bases an conversions. In SPIE Annual Meeting 004, Avence Signal Processing Algorithms, Architectures, an Implementation XIV, pages 60 69, -6 August 004 Denver, Colorao, USA, 004. [CN99] Richar Conway an John Nelson. Fast converter for 3 mouli rns using new property of crt. IEEE Transactions on Computers, 48(8):85 860, [Gam89] D. Gamberger. Incompletely specifie numbers in the resiue number system - efinition an applications. In M. D. Ercegovac an E. Swartzlaner, eitors, 9th IEEE Symposium on Computer Arithmetic, pages 10 15, Santa Monica, U.S.A, IEEE Computer Society Press.

7 7 [Gar59] H. L. Garner. The resiue number system. IRE Transactions on Electronic Computers, EL-8(6): , June [HP94] C. Y. Hung an B. Parhami. An approximate sign etection metho for resiue numbers an its application to RNS ivision. Computers an Mathematics with Applications, 7(4):3 35, Feb [Knu81] Donal Knuth. Seminumerical Algorithms, volume of The Art of Computer Programming. Aison-Wesley, eition, [Mon85] Peter Montgomery. Moular multiplication without trial ivision. Mathematic of Computation, 44(170):519 51, April [Pie94] Stanislaw J. Piestrak. Design of high-spee resiue-tobinary number system converter base on chinese remainer theorem. In ICCD 1994, pages , [PP95] K. C. Posch an R. Posch. Moulo reuction in resiue number systems. IEEE Transaction on Parallel an Distribute Systems, 6(5): , [SK89] A. P. Shenoy an R. Kumaresan. Fast base extension using a reunant moulus in RNS. IEEE Transactions on Computer, 38():9 96, [ST67] N. S. Szabo an R. I. Tanaka. Resiue Arithmetic an its Applications to Computer Technology. McGraw-Hill, 1967.