Implementation of ECM Using FPGA devices. ECE646 Dr. Kris Gaj Mohammed Khaleeluddin Hoang Le Ramakrishna Bachimanchi

Transcription

1 Implementation of ECM Using FPGA devices ECE646 Dr. Kris Gaj Mohammed Khaleeluddin Hoang Le Ramakrishna Bachimanchi

2 Introduction Why factor numbers? Security of RSA relies on difficulty to factor large composites n = p.q, known n, what is p and q? (in practice: n ~ 1024 bit) In cryptanalysis: "Find efficient method for factoring (large) integers." ECM Architecture Implementation 2

3 Introduction (cont.) Different algorithms for different purposes Best known method for factoring large integers: GNFS Methods suited for factoring numbers of bit, e.g., MPQS ECM (small factors) Trial division (very, very small factors) ECM Architecture Implementation 3

4 Introduction (cont.) In GNFS, smoothness test of medium size integers are required. Why ECM? Factor integers with relatively small factors (up to 200 bit) Almost ideal for hardware implementation: Allows for low I/O Requires little memory Easy to parallelize Closely related to Elliptic Curve Cryptography (ECC) ECM Architecture Implementation 4

5 Elliptic Curve An elliptic curve is a plane curve defined by an 2 3 equation of the form y = x + ax+ b a, b will determine the shape of the curve 0 is the point at infinity (is a point which when added to the real number line yields a closed curve called the real projective line) ECM Architecture Implementation 5

6 Elliptic Curve Method Algorithm proposed by [H.W. Lenstra 1985] Principle based on Pollard s (p-1)-method Step 1. Choose an integer k that is the product of primes to small powers. Step 2. Choose an integer a such that 1 < a < n. Step 3. Calculate GCD(a, n). If this is nontrivial, then we have a divisor d of n, so terminate. Step 4. Calculate d = GCD(a^k 1, n). If d = 1 then go back to Step 1 and choose a different k. If d = n then go back to Step 2 and choose a different a. Otherwise we have a divisor of n, so terminate. Advantage over Pollard s (p-1)-method: If no factor found, simply choose another curve Easy to parallelize ECM Architecture Implementation 6

7 Elliptic Curve Method (Cont.) Phase I Computer Q=k.P where Scalar Multiplication Algorithm ( k, k,..., k, k ) L 1 L P = zero (point at infinity); P = ( C, C ) for ( i = L 1 downto 0) { if ( k = 1) else i P = P + P P P = 2 P ; 2 2 = 2 P ; 1 1 P = P + P ; ; } e p k = p and e = log B p B p p 1 1 ECM Architecture Implementation 7

8 Elliptic Curve Method (Cont.) Phase II Compute p Q B p B and check if gcd( z, N) > 1 i 1 i 2 p Q Precompute a small table T of multiple k.q Represent p in the form of p = m*d + k where D k [1, ] and D B 2 2 i Fact: gcd( z, N) > 1 iff gcd( x x z, N) > 1 pq mdq kq mdq ( x z x z ) Compute mdq kq kq mdq for all primes and compute the final gcd of N ECM Architecture Implementation 8

9 Elliptic Curve Method (Cont.) Elliptic curves and point arithmetic: Use curves in Montgomery form: By z = x + Ax z + xz Point Addition: x = z [( x z )( x + z ) + ( x + z )( x z )] P+ Q P Q P P Q Q P P Q Q z = x [( x z )( x + z ) ( x + z )( x z )] P Q P Q P P Q Q P P Q Q Point Duplication: 4 x z = ( x + z ) ( x z ) 2 2 p P P P P P x = ( x + z ) ( x z ) P P P P P z x z x z x z A 2 2 P = 4 P P[( P P) + 4 P P( + 2)/4] 2 2 ECM Architecture Implementation 9

10 ECM Architecture (operation table) ADD SUB MUL-I MUL-II a 1 =x P +z P s 1 =x P z P NOP NOP a 2 =x Q +z Q s 2 =x Q z Q m 1 = (x P z P ) 2 m 2 =(x P + z P ) 2 NOP s 3 =m 2 m 1 m 3 =s 1 * a 2 m 4 = s 2 * a 1 a 3 = m 3 +m 4 s 4 =m 3 m 4 m 5 = m 1 * m 2 m 6 = s 3 * c 3 a 4 = m 1 +m 6 NOP m 7 = a 3 2 m 8 = s 3 2 NOP NOP m 9 = s 3 * a 4 m 10 = s 3 2 * c 1 ECM Architecture Implementation 10

11 ECM Architecture (Global View) One unit for 1 curve One control unit for all 20 curves A/S M1 M2 LOCAL MEM UNIT 1 CONTROL UNIT 2 multiplier, 1 adder/ subtractor, 1 local Mem per unit A/S M1 LOCAL MEM GLOBAL MEM M2 UNIT 20 ECM Architecture Implementation 11

12 Montgomery Multiplication An efficient technique for multiplying two integers modulo M. Replacing the modulus M by another divisor R for which the division step may be faster Iterative process of additions and shifts without involving any division by M (if R is a power of 2) Conversions to and from Montgomery domain are required using Montgomery Multiplication. ECM Architecture Implementation 12

13 Montgomery Multiplication (Cont.) The algorithm in radix-2 S[0] = 0; for i = 0 to n -1 do q = ( S[ i] + A * B ) mod 2; (1) i 0 i 0 Si [ + 1] = ( Si [ ] + A* B + q* M) div2; (2) end for; return S[ n]; i i ECM Architecture Implementation 13

14 Montgomery Multiplication (Const.) The critical delay of the algorithm above occurs in Si [ + 1] = ( Si [ ] + Ai* B + qi* m) div2 Reduce propagation delay CPA vs. CSA Xn-1 Yn-1 Xn-2 Yn-2 Xo Yo Cin X n-1 Yn-1 Zn-1 Xn-2 Yn-2 Zn-2 X o Yo Zo FA FA FA FA FA FA Cout Sn-1 Sn-2 So X Y Z Cn-1 Sn-1 Cn-2 Sn-2 Co So X Y Z Cout SUM SUM S C S ECM Architecture Implementation 14

15 ECM Multiplier Unit (Block Diagram) B n A_M_Choice B A_M write start S1 S1in Es S2in Es reg_rst S2 reg_rst S1out S2out zeros Bout Ai BB B Eb reset zeros qi n nout nn Eb reset clk A1 A2 B C A loada reset MULTIPLIER CSR42 A (Shift_Reg) A(0) reset C 32 read S1in S2in >>1 >>1 SUM CARRY sum carry S1out(0) S2out(0) Bout(0) Ai AND Ai qi SS1 Ess reset SS2 Ess reset S1out S2out ECM Architecture Implementation 15

16 ECM Adder/Subtractor Unit addr1 WEL addr2 A_M A_M_Choice LUT 32X32 MEM B A_M write add_sub A_M B A_M_Choice T_S clk reset ADDER/ SUBTRACTOR OP1 sum1 OP2 + sum2 sub C1 EC1 32 Cout ADDER Cin C2 EC2 C read Es rst set REG <> read sign C ECM Architecture Implementation 16

17 ECM Memories (Global, Local) Implemented using B-RAM 2 blocks for global Mem 1 block for local Mem Kout M C1 C2 C3 I2 I3 C1 C2 19 C3 I2 Data_in I nk K 10 R_K Rwrite_in Raddr Kaddr Data_out 0 GREi A_M 32 B M Ain C1 C2 C3 Aaddr I2 Aout I3 I0 WEA I1 WEB Bout Baddr C 32 Aaddr 9 WEA WEBi 20 Baddr GLOBAL MEMORY 511 LOCAL MEMORY Bin Kout 32 ECM Architecture Implementation 17

18 ECM Instruction ROM Total of 24 instructions 32-bit wide Implemented using LUT 32x32 ROM MUL2 MUL1 SUB ADD Instr Instr_addr 32 MUL2 MUL1 5 SUB 23 ADD 31 INSTRUCTION MEMORY (ROM) ECM Architecture Implementation 18

19 ECM Control Unit (Phase I) Instr Instr_addr Kout Aaddr WEA Baddr WEBi GREi CONTROL UNIT 10 Kaddr read_add_sub read_mul1 read_mul2 Rwrite_out Rstart start_mul1 start_mul2 write_add_sub A_M_Choice add_sub write_mul1 write_mul2 ECM Architecture Implementation 19

20 ECM Phase I Result Operation Our Implementation Previous work Modular Addition 0.34 µs 2.00 µs Modular Subtraction 0.34 µs 1.68 µs Modular Multiplication 2.72 µs 64.5 µs Modular Squaring 2.72 µs 64.5 µs Point Addition(Phase-I) µs 333 µs Point Doubling(Phase-I) µs 330 µs Phase-I 20 ms 912 ms ECM Architecture Implementation 20

21 ECM Phase I Result (Cont.) Our Implementation Previous work Modular Addition Modular Subtraction Modular Multiplication Modular Squaring ECM Architecture Implementation 21

22 ECM Phase I Result (Cont.) Our Implementation Previous work Point Addition(Phase-I) Point Doubling(Phase-I) ECM Architecture Implementation 22

23 ECM Phase I Result (Cont.) Our Implementation Previous work Phase-I ECM Architecture Implementation 23

24 ECM Phase I Result Analysis Architecture of our multiplier 272 clock cycles vs in their case Faster implementation in adder and subtractor unit 34 cycles vs. 50 cycles in their case Faster system clock frequency 100 MHz vs. 25 MHz Two multipliers running in parallel ECM Architecture Implementation 24

25 ECM Phase II - Proposal Initialization Pre-compute and load table of primes and k Pre-compute Compute k.q for all k Compute D.Q Compute PHASE 1 INITIALIZATION PHASE 2 PRE-COMPUTE PHASE 1 k.p & POINT ADDITION PHASE 2 INITIALIZATION MAIN CONTROL PHASE 2 COMPUTE Compute m min.d.q Compute ( xmdq zkq xkq zmdq ) for all primes and compute the final gcd with N Compute m next D.Q = m prev D.Q + D.Q k.p k.p & Point Addition ECM Architecture Implementation 25

26 Conclusion Better implementation in term of time Cost of area Scalable implementation Future work Complete Phase II Implement on ASIC and SRC-6 ECM Architecture Implementation 26

27 Questions? THANK YOU ECM Architecture Implementation 27