Montgomery Algorithm for Modular Multiplication with Systolic Architecture

Size: px

Start display at page:

Download "Montgomery Algorithm for Modular Multiplication with Systolic Architecture"

Amy Bradford
5 years ago
Views:

1 Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1

2 Plan 1 Introduction for pairing Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives

3 Plan 1 Introduction for pairing Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives

4 General ontext This work is part of the hardware implementation of asymmetric cryptography primitives, such as Optimal-Ate pairing based on elliptic curves, the cryptographic systems based on elliptic curves and RA, 3

5 General ontext This work is part of the hardware implementation of asymmetric cryptography primitives, such as Optimal-Ate pairing based on elliptic curves, the cryptographic systems based on elliptic curves and RA, Which are the best known methods in asymmetric encryption 3

6 Definition Let G1 and G be two additive groups and let G3 be a multiplicative group Pairing is an application e : G1 G G3 with the following properties: 4

7 Definition Let G1 and G be two additive groups and let G3 be a multiplicative group Pairing is an application e : G1 G G3 with the following properties: e is non degenerate : if P G 1, P 0 it exists Q G such as e(p, Q) 1 and if Q G, Q 0 it exists P G 1 such as e(p, Q) 1 4

8 Definition Let G1 and G be two additive groups and let G3 be a multiplicative group Pairing is an application e : G1 G G3 with the following properties: e is non degenerate : if P G 1, P 0 it exists Q G such as e(p, Q) 1 and if Q G, Q 0 it exists P G 1 such as e(p, Q) 1 Bilinearity: e(xp, yq) = e(p,q) xy, e(xp, yq) z = e(yp, zq) x = e(zp, xq) y = e(p,q) xyz 4

9 Pairing protocols The bilinearity of the pairings allowed the construction of protocols 5

10 Pairing protocols The bilinearity of the pairings allowed the construction of protocols Diffie Hellman key exchange ( Joux 001) Identity-Based ryptography(boneh and Franklin) hort signature schemes (Boneh, Lynn, hacham) 5

11 Pairing protocols Example of ryptography Based on Identity : The secret of the trusted authority The Public keys are the identities of people Trusted authority Bob I B Alice I A 6

12 Pairing protocols Example of ryptography Based on Identity : The secret of the trusted authority The Public keys are the identities of people The private keys are onstructed by the trusted authority and Transmitted to users Trusted authority P B =*I B P A =*I A Bob I B Alice I A e (PB, IA) = e (IA, IB) s e (PA, IB) = e (IA, IB) s 6

13 Pairing protocols Example of ryptography Based on Identity Encryption step of the clear message M Alice wants to send a message to Bob: he chooses an integer a randomly, he retrieves Bob's public key : I B, he calculates the pairing e(i B ;Q 0 ) a, he sends to Bob : [ ap, M H (e(i B ;Q 0 ) a ) ]=[U,V] 7

14 Pairing protocols Example of ryptography Based on Identity Decryption step of the encrypted message Bob follows the following steps: He contacts the trusted authority to retrieve his private key P B = si B, He finds the message by calculating V H (e(p B,U)) The message : M The bilinearity of pairings : e(p B,U) = e(si B,aP) = e(i B,P) as = e(i B,sP) a 8

15 Different pairings Weil pairing e W : E (Fp)[r ] E(Fp k )/re (Fp k ) F * p k (P,Q) (-1) r f r, p (Q) / f r,q (P) Miller Lite f r, p (Q) Miller Full f r,q (P) Inversion Multiplication 9

16 Different pairings Weil pairing e W : E (Fp)[r ] E(Fp k )/re (Fp k ) F * p k (P,Q) (-1) r f r, p (Q) / f r,q (P) Tate pairing e T : E (Fp)[r ] E(Fp k )/re (Fp k ) F * p k (P,Q) [ f r, p (Q) ] (p^k- 1)/r Tate pairing is defined with the same parameters E, Fp, r, k than Weil pairing For the calculation of Tate pairing we make log(r) iterations during the Miller algorithm, where r is the order of the subgroups used 9

17 Different pairings Ate paring G1 = E[r] Ker(p-[1]) = E(Fp)[r], G = E[r] Ker(p-[p]) e A : G 1 G F * p k ; (P,Q) [ f T, Q (P) ] (p^k- 1)/r The main advantage compared to Tate pairing is the reduction of the number of iterations made during the Miller algorithm log(t) where T = t 1, and t is the Frobenius trace on E(Fp) The disadvantage of Ate pairing is that it corresponds to a Miller Full application 10

18 Different pairings Twisted Ate pairing G1 = E[r] Ker(p-[1]) = E(Fp)[r], G = E[r] Ker(p-[p]) e TA : G 1 G F * p k ; (P,Q) [ f T, p (Q) ] (p^k- 1)/r The calculation is made by an execution of Miller Lite, which would alleviate the complexity of the calculations 11

19 Different pairings Twisted Ate pairing G1 = E[r] Ker(p-[1]) = E(Fp)[r], G = E[r] Ker(p-[p]) e TA : G 1 G F * p k ; (P,Q) [ f T, p (Q) ] (p^k- 1)/r The calculation is made by an execution of Miller Lite, which would alleviate the complexity of the calculations Ate-Optimal (OATE) pairing Ate-Optimal pairing improves Ate pairing by reducing the number of iterations in the Miller algorithm used to calculate f,q(p) In the case of BN curves, OATE pairing is defined by: where = 6t+ (t the parameter of BN curves) 11

20 Basic operations The basic operations in the Finite field : Addition ubtraction Multiplication inversion 1

21 Basic operations The basic operations in the Finite field : Addition ubtraction Multiplication inversion onstitute the essential of calculation time of pairing That s why the optimization of these operation is the most important 1

22 Plan 1 Introduction for pairing Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives 13

23 Reminder: Montgomery algorithm 14

24 Reminder: Montgomery algorithm onversion between Ordinary Field and Montgomery Ordinary domain Montgomery domain a M(a)=aR mod p b M(b)=bR mod p ab M(ab)=abR mod p 14

25 The oarsely Integrated Operand canning method [1]? The IO method improves the Montgomery algorithm by integrating multiplication and reduction How? [1] Analyzing and omparing Montgomery Multiplication Algorithms, IEEE Micro, juin1996 etin Kaya Koç, Tolga Acar and Burton Kaliski Jr 15

26 The oarsely Integrated Operand canning method [1]? The IO method improves the Montgomery algorithm by integrating multiplication and reduction How? Instead of multiplying axb then performe to reduction, it allows to alternate between the iterations of multiplication and reduction [1] Analyzing and omparing Montgomery Multiplication Algorithms, IEEE Micro, juin1996 etin Kaya Koç, Tolga Acar and Burton Kaliski Jr 15

27 What is a systolic architecture? It s a network composed of a large number of cells, Each cell receives data from the neighboring cells, performs a simple calculation, and then transmits the results, always to neighboring cells 16

28 What is a systolic architecture? It s a network composed of a large number of cells, Each cell receives data from the neighboring cells, performs a simple calculation, and then transmits the results, always to neighboring cells 16

29 What is a systolic architecture? It s a network composed of a large number of cells, Each cell receives data from the neighboring cells, performs a simple calculation, and then transmits the results, always to neighboring cells A systolic architecture provides very simplified elementary cells Therefore, this architecture reduces resource requirements in hardware implementations 16

30 What is a systolic architecture? It s a network composed of a large number of cells, Each cell receives data from the neighboring cells, performs a simple calculation, and then transmits the results, always to neighboring cells A systolic architecture provides very simplified elementary cells Therefore, this architecture reduces resource requirements in hardware implementations Our contribution in this work is to combine a systolic architecture, which is supposed to be the best solution for FPGA implementations, with the IO method of the Montgomery modular multiplication 16

31 oarsely Integrated Operand canning oarsely Integrated Operand canning 17

32 oarsely Integrated Operand canning 17

33 utting the algorithm IO alpha : the lines 5 and 6 17

34 utting the algorithm IO alpha : the lines 5 and 6 _ alpha : the lines 7,8 and 9 17

35 utting the algorithm IO alpha : the lines 5 and 6 _ alpha : the lines 7,8 and 9 beta: the lines11 and 1 17

36 utting the algorithm IO alpha : the lines 5 and 6 _ alpha : the lines 7,8 and 9 beta: the lines11 and 1 gamma: the lines14 and 15 17

37 utting the algorithm IO alpha : the lines 5 and 6 _ alpha : the lines 7,8 and 9 beta: the lines11 and 1 gamma: the lines14 and 15 _ gamma: the lines16,17 and 18 17

38 Plan 1 Introduction Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives 18

39 IO in ystolic for s=8 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b6 a0 b7 i=0 j=0 j=1 j= j=3 j=4 j=5 j=7 j= _ 3 Multiplication tep _ Reduction tep 19

40 IO in ystolic for s=8 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b6 a0 b7 i=0 j=0 j=1 j= j=3 j=4 j=5 j=7 j= _ 3 Multiplication tep _ Reduction tep i= _ _ 19

41 IO in ystolic for s=8 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b6 a0 b7 i=0 j=0 j=1 j= j=3 j=4 j=5 j=7 j= _ 3 Multiplication tep _ Reduction tep i= _ _ In this architecture we also have an integration between the different iterations that loop on i In our case we have 3 iterations of i which can be executed at the same time 19

42 IO in ystolic for s=8 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b6 a0 b7 i=0 j=0 j=1 j= j=3 j=4 j=5 j=7 j= _ 3 Multiplication tep _ Reduction tep i= _ _ i= i=3 i=4 i=5 i=6 i= _ _ 19

43 IO in ystolic for s=8 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b6 a0 b7 i=0 j=0 j=1 j= j=3 j=4 j=5 j=7 j= _ 3 Multiplication tep _ Reduction tep i= _ _ i= i=3 i=4 i=5 i=6 i= _ _ a x b x R -1 mod p 19

44 IO in ystolic for s=8 =0 Multiplication tep Reduction tep i=1 i= i=3 i=4 i=5 i=6 i=7 a x b x R -1 mod p 0

45 IO in ystolic for s=8 =0 Multiplication tep Reduction tep i=1 i= ai bj i=3 i=4 i=5 i=6 i=7 a x b x R -1 mod p 0

46 IO in ystolic for s=8 =0 Multiplication tep Reduction tep i=1 i= m pj i=3 ai bj i=4 i=5 i=6 i=7 a x b x R -1 mod p 0

47 Data Flow B b0 b1 b b3 b4 b5 b6 b7 A a _ i=0 a _ 3 3 _ i=1 a _ i= P p0 p1 p p3 p4 p5 p6 p7 1

48 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b0 b1 b b3 b4 b5 b6 b7 A a _ i= _ a _ i= _ a i= P p0 p1 p p3 p4 p5 p6 p7 1

49 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b0 b1 b b3 b4 b5 b6 b7 A a _ i= _ a _ i= _ a7 p0 p1 p p3 p4 p5 p6 p i= P P3 P p0 p1 p p3 p4 p5 p6 p7 1

50 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b0 b1 b b3 b4 b5 b6 b7 A a _f i= _f a _f i= _f a7 P p0 p1 p p3 p4 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

51 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b1 b b0 b3 b4 b5 b6 b7 A a _f 3 _f i=0 a _f i= _f a7 P p0 p1 p p3 p4 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

52 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b b0 b1 b3 b4 b5 b6 b7 A a0 a _f _f i=0 3 3 _f i= _f a7 P p0 p1 p p3 p4 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

53 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b0 b1 b b3 b4 b5 b6 b7 A a0 a _f _f i=0 3 3 _f i= _f a7 P p0 p1 p p3 p4 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

54 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b1 b b0 b4 b5 b3 b6 b7 A a0 a _f _f i=0 3 3 _f i= _f a7 P p0 p1 p3 p4 p p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

55 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b b0 b1 b5 b3 b4 b6 b7 A a0 a _f _f i=0 3 3 _f i= _f a7 P p0 p1 p4 p p3 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

56 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b0 b1 b b3 b4 b5 b6 b7 A a0 a _f 3 _f i=0 3 3 _f i= _f a a7 P p0 p1 p p3 p4 p5 p6 p7 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

57 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b1 b b0 b4 b5 b3 b7 b6 A a0 a _f 3 _f i=0 3 3 _f i= _f a a7 P p0 p1 p3 p4 p p6 p7 p5 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

58 Data Flow B b0 b1 b b3 b4 b5 b6 b7 B1 B B3 b b0 b1 b5 b3 b4 b7 b6 A a0 a _f 3, _f i=0 3 3 _f i= _f a a7 P p0 p1 p4 p p3 p7 p5 p6 P P3 p0 p1 p p3 p4 p5 p6 p i= 1

59 IO in ystolic for s=8 =0 i=1 i= i=3 i=4 Multiplication tep Reduction tep i=5 During execution of this algorithm there are always three iterations of the loop 'i' which are executed at the same time, which gives a maximum of three alphas and three gammas which are executed in parallel i=6 i=7 a x b x R -1 mod p

60 IO in ystolic for s=8 =0 0 1 i=1 0 1 i= According to the blocks that are repeated, we modeled our FM with 3 states, which allows us to perform all the multiplication in just 33 cycles (8+3)*3= i=3 0 1 i=4 Multiplication tep Reduction tep 0 1 i=5 0 1 i=6 0 1 i= a x b x R -1 mod p

61 IO in ystolic for s=16 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b14 a0 b15 j=0 j=1 j= j=3 j=4 j=5 j=14 j=15 i= _ _ 3

62 IO in ystolic for s=16 a0 b0 a0 b1 a0 b a0 b3 a0 b4 a0 b5 a0 b14 a0 b15 j=0 j=1 j= j=3 j=4 j=5 j=14 j=15 i= _ _ i= i=3 i= _ _ a x b x R -1 mod p 3

63 IO in ystolic for s=16 B b0 b1 b b3 b4 b5 b6 b7 b8 b9 b10 b11 b1 b13 b14 b15 B1 B3 B5 1 B b0 b1 b b3 b4 b5 3 4 B4 b6 b7 b8 b9 b10 b B6 b1 b13 b14 b15 4

64 IO in ystolic for s=16 B b0 b1 b b3 b4 b5 b6 b7 b8 b9 b10 b11 b1 b13 b14 b15 B1 B3 B5 1 B b0 b1 b b3 b4 b5 3 4 B4 b6 b7 b8 b9 b10 b B6 b1 b13 b14 b15 P p0 p1 p p3 p4 p5 p6 p7 p8 p9 p10 p11 p1 p13 p14 p15 p0 p p3 p4 4 p8 p9 p10 6 p14 p15 P P4 P6 1 p1 3 p5 p6 p7 5 p11 p1 p13 P1 P3 P5 4

65 IO in ystolic for s=8 alpha (1) alpha () alpha (3) alpha_ K=56, w=3, s=8 K=51, w=64, s=8 33 clock cycles beta gamma (1) gamma () gamma (3) gamma_ i++ 5

66 IO in ystolic for s=8 alpha (1) alpha () alpha (3) Alpha_f K=56, w=3, s=8 K=51, w=64, s=8 33 clock cycles beta gamma (1) gamma () gamma (3) gamma_ f i++ K=56, w=16, s=16 K=51, w=3, s=16 66 clock cycles alpha (1) alpha () alpha (3) alpha (4) alpha (5) alpha (6) alpha_f beta gamma (1) gamma () gamma (3) gamma (4) gamma (5) gamma (6) gamma_f i++ 5

67 omparison = cells 33 clock cycles = cells 66 clock cycles = cells 13 clock cycles = cells 64 clock cycles 6

68 The interest of each architecture =8 =16 =3 K= K= K= Number of cycles The interest of each architecture depends on our needs ecurity level Resources peed The method used 7

69 Architectures Digital signal processing (DP) Modern FPGAs are equipped with hardware extensions for arithmetic calculation 8

70 Architectures Digital signal processing (DP) Modern FPGAs are equipped with hardware extensions for arithmetic calculation Perform basic arithmetic calculations: multiplication, addition and subtraction of unsigned integers 8

71 Internal architectures - cells a[i] b[j] x + MB w bits REG LB w bits REG Out Out In In + alpha The arithmetic operations of each cell are designed to use the maximum of the DPs 9

72 Internal architectures - cells a[i] b[j] x + MB w bits REG LB w bits REG Out Out In In + alpha REG m p In P[0] x In x + REG Out beta 9

73 Internal architectures - cells m] p[j] x + MB w bits REG LB w bits REG Out Out In In + gamma 30

74 Internal architectures - cells m] p[j] x + MB w bits REG LB w bits REG Out Out In In + gamma 1 In + MB w bits REG LB w bits + w bits REG Out 1 Out In gamma_ 30

75 Internal architectures - cells m] p[j] x + MB w bits REG LB w bits REG Out Out In In + gamma 1 In + MB w bits REG LB w bits + w bits REG Out 1 Out In gamma In + MB w bits REG LB w bits REG Out 1 Out alpha_ 30

76 Internal architectures - Rotation X A (K bits) Mux ROTATION 31

77 Internal architectures - Rotation X A (K bits) Mux X B (3 w bits) Mux ROTATION ROTATION X B (3 w bits) Mux ROTATION X B ( w bits) Mux ROTATION 31

78 Internal architectures - Rotation X A (K bits) Mux X B (3 w bits) Mux X P (3 w bits) Mux ROTATION ROTATION ROTATION X B (3 w bits) Mux X P (3 w bits) Mux ROTATION ROTATION X B ( w bits) Mux ROTATION 31

79 Architectures Out _1_Out zero MUX _1_In sig_state _1_In MUX PE alpha (1) _1_Out A- alpha1 _1_Out 3

80 Architectures _3_Out Out _1_Out Out _1_Out zero MUX In sig_state PE alpha () MUX Out In MUX _1_In sig_state PE alpha (1) _1_In MUX _1_Out B- alpha Out A- alpha1 _1_Out 3

81 Architectures _3_Out Out _1_Out Out _1_Out zero MUX In sig_state PE alpha () MUX Out In MUX _1_In sig_state PE alpha (1) _1_In MUX _1_Out B- alpha Out A- alpha1 _1_Out 1 Out _3_Out Out MUX _3_In sig_state _3_In MUX PE alpha (3) _3_Out - alpha3 _3_Out 3

82 Architectures _ 1_In _ 1_In m p[0] PE gamma (1) _ 1_Out _ 1_Out D- gamma1 33

83 Architectures _ 1_In _ 1_In m p[0] PE gamma (1) _ 1_Out _ 1_Out D- gamma1 _ 1_Out MUX Out In sig_state In _ 1_Out MUX p[j] E- gamma m Out PE gamma () Out 33

84 Architectures _ 1_In _ 1_In m p[0] PE gamma (1) _ 1_Out _ 1_Out D- gamma1 Out _ 3_Out Out _ 1_Out Out _ 1_Out MUX _ 3_In sig_state _ 3_In MUX MUX In sig_state In MUX m p[j] PE gamma (3) _ 3_Out p[j] m PE gamma () Out F- gamma3 _ 3_Out E- gamma Out 33

85 Architectures 1 In In In PE gamma_ PE alpha_ H- gamma_ G- alpha_ 1 Out Out 1 Out Out In p P[0] PE beta I- beta m Out 34

86 Plan 1 Introduction Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives 35

87 Results Nexys 4 DP Frequency (MHz) ycles MMM(s=8/K=56) Alpha Gamma Beta Alpha_ Gamma_

88 Results Nexys 4 DP LUTs Reg Occupied slice MMM =8/k=56 MMM =16/k=56 MMM =8/k=51 MMM =16/k=51 Frequency ycles 37

89 Plan 1 Introduction Montgomery Multiplication (IO) 3 Architecture 4 Results 5 onclusion and Perspectives 38

90 conclusion and perspectives onclusion We have implemented the Montgomery multiplication with a systolic architecture in a number of fixed clock cycles We made our design in order to use the maximum of the DPs on FPGA card We implemented two architectures(s=8 and s=16) We used this two design to implement the scalar multiplication for the security level of 18-bits 39

91 Perspective Finalize the hardware implementation of the designs s= 3 s= 64 Perform a Mixed Implementation oft / hard (co-design) for the Optimal-Ate pairing on the BN curves in Jacobian coordinates using this multiplication algorithm 40

A Dierential Power Analysis attack against the Miller's Algorithm

A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,