Hardware Implementations of RSA Using Fast Montgomery Multiplications. ECE 645 Prof. Gaj Mike Koontz and Ryon Sumner

Transcription

1 Hardware Implementations of RSA Using Fast Montgomery Multiplications ECE 645 Prof. Gaj Mike Koontz and Ryon Sumner

2 Overview Introduction Functional Specifications Implemented Design and Optimizations Tools Testing Results Conclusions

3 Introduction RSA Encryption / Decryption Worldwide use in securing data transmission Public / private key based Large (512-bit +) keys required for protection of data Large keys = Slower decryption times Alice M Bob M Public Key X Private Key M Hacker RSA Encryption CypherData CypherData RSA Decryption

4 Introduction Picture taken from Lecture 11 Exponentiation, Multi-Precision Arithmetic in Software. George Mason University. Prof Gaj. pp 2.

5 Functional Specification RSA Encryption / Decryption Algorithm To calculate Y = X E mod N: S = X Y = 1 for (i = 0 to k-1) k { } if (E i = 1) Y = Y * S mod N S = S * S mod N

6 Functional Specification Picture taken from Lecture 11 Exponentiation, Multi-Precision Arithmetic in Software. George Mason University. Prof Gaj. pp 21.

7 Functional Specification Picture taken from Lecture 11 Exponentiation, Multi-Precision Arithmetic in Software. George Mason University. Prof Gaj. pp 22.

8 Functional Specification Montgomery Multiplication MP (A, B, N) Algorithm: S[0] = 0; for i in 0 to k-1 k 1 loop q i = (S[i] 0 + A i * B 0 ) mod 2; S[i + 1] = (S[i] + A i * B + q i * N) / 2; end loop; return S[k];

9 Functional Specification 5-22 Montgomery Multiplication MP52 (A1, A2, B1, B2, N) Algorithm: S1[0] = 0; S2[0] = 0; for i in 0 to k-1 k 1 loop q i = (S1[i] 0 + S2[i] 0 ) + (A i * ( B1 0 + B2 0 ) ) mod 2; S1[i+1],S2[i+1] = CSR(S1[i] + S2[i] + A i * (B1 + B2) + q i * N) / 2; end loop; return S1[k], S2[k];

10 Functional Specification RSA Encryption / Decryption with MP RSA (C, d, N) K = 2 2k mod N; P1, P2 = 5to2_MontMult( K, 0, C, 0, N ); R1, R2 = 5to2_MontMult( K, 0, 1, 0, N ); for i in 0 to d k loop if d[i] = 1 R1, R2 = 5to2_MontMult( R1, R2, P1, P2, N ); P1, P2 = 5to2_MontMult( P1, P2, P1, P2, N ); end loop; M1, M2 = 5to2_MontMult( 1, 0, R1, R2, N ); return M1 + M2;

11 Functional Specification Addition Chains Sequence of additions to produce a large number Each sequence step is the sum of two numbers previously in the chain e.g. 27 = 1, 2, 3, 6, 12, 24, 27 Expanded to sequence of multiplications X 27 = X 1, X 2, X 3, X 6, X 12, X 24, X 27

12 Functional Specification Addition Chains Use memory (registers) to store intermediate results Use memory to store and serve addition chain commands to multiplier circuit Command structure: 2 Log 2 R C Destination Log 2 R Operand2 Log 2 R Operand1

13 Functional Specification RSA Shell Unit: clock reset data_avail data_in key_in start full RSA with Montgomery Multiplication data_read write data_out

14 Functional Specification RSA Chain Shell Unit: clock reset command_avail command_in data_avail data_in start full Addition Chain RSA with Montgomery Multiplication command_read data_read ready write data_out

15 Implemented Design Criteria: Maximize Throughput Minimize Clock Period Minimize Area (on selected chips) RSA considerations: Encryption is trivial Decryption is bottleneck for RSA process High throughput allows for more decryptions in shorter amount of time

16 Implemented Design Design architectures: Sequential multipliers Small area, incremental results, small latency / round Tree and Array multipliers Large area, one result / clock cycle, pipeline-ready Choice: : Sequential Montgomery Multiplier Best fit to algorithm, small footprint, high clock rates Algorithm difficult to pipeline

17 Implemented Design RSA Diagrams

18 Optimizations 5-22 Montgomery Multiplier Ss [i] Sc [i] Ai * Bs CSA Ai * Bc CSA q * N CSA Ss [i+1] Sc [i+1]

19 Optimizations 4-22 Montgomery Multiplier Calculate D before running multiplier Xi q Q1 Q Bs Bc 1 0 N 0 Ss [i] Sc [i] CSA Q1 Q2 1 1 D1 D2 CSA D1, D2 = CSA( Bs, Bc, N ) Ss [i+1] Sc [i+1]

20 Optimizations 2x Montgomery Multiplier Ss [i] Sc [i] A0*Bs A0*Bc q0*n C Shift x2 Register S0 C0 S1 C1 MP cin FA cout FA cout A1*Bs A1*Bc q1*n MP Ss [i+1] Sc [i+1] A0 A1 Ss [i+2] Sc [i+2]

21 Tools FPGA: ActiveHDL 7.1 Build 1583 Expert Addition Xilinix ISE 7.1i Synplicity Synthesis Pro 8.0 ASIC: Synopsys Design Analyzer (version X ) X Above tools used in ECE 203 lab, remotely on CPE02 and on personal laptops

22 Testing Test Vector Generation Official vectors from RSA Security Personally developed vectors Software RSA Implementation Limited program for performing RSA encryption/decryption Regular exponentiation Montgomery Modular exponentiation

23 Testing Addition Chains Attempted personal addition chain generation tool Few available sources for generating chains, especially for bit lengths > 12-bits (4096) Only able to perform tests with simple exponentiation and non-optimal optimal chains

24 Results Target FPGA Xilinx Virtex 4VLX160FF1513 Speed Grade 12 Device is oversized for all designs Chosen to eliminate area from consideration Main optimization being speed and throughput Target ASIC 90nm TCBN90G TSMC Library

25 Results Architecture Area (CLB Slices) FPGA K = 128-bits Area (Gate Count) Clock Period (ns) Clock Frequency (MHz) MP ,790 33, MP ,102 40, x MP ,950 45, Addition Chain 4, , Architecture ASIC K = 128-bits Area Clock Period (ns) Clock Frequency (MHz) MP MP x MP Addition Chain 222,

26 Results Architecture Area (CLB Slices) FPGA K = 256-bits Area (Gate Count) Clock Period (ns) Clock Frequency (MHz) MP ,341 63, MP ,863 77, x MP ,153 82, Addition Chain 4, , Architecture Area Clock Period (ns) Clock Frequency (MHz) MP MP x MP Addition Chain ASIC K = 256-bits NA NA NA

27 Results Architecture Area (CLB Slices) FPGA K = 512-bits Area (Gate Count) Clock Period (ns) Clock Frequency (MHz) MP , , MP , , x MP , , Addition Chain 7, ,

28 Results Architecture Area (CLB Slices) FPGA K = 1024-bits Area (Gate Count) Clock Period (ns) Clock Frequency (MHz) MP , , MP , , x MP , , Addition Chain 16, ,

29 Results RSA with MP waveforms: 2x MP5-2 MP4-2 MP5-2

30 Results RSA with Addition Chains waveform:

31 Results Circuit MP5-2 Bit Length Latency (ns) Throughput (kb / s) MP x MP Addition Chains

32 Conclusions Recommendations MP design 18% Area increase, 11% Speed increase 2x MP design 60% Area increase, 30% Speed increase Addition Chains design Only benefit when chain performs fewer multiplies than both square and addition portion of Montgomery Multiplication

33 Conclusions Considerations Algorithmic improvements when performing 2x MP? 4x MP vs. 2x MP performance? Difficulties RSA test vector generation Addition chain command and vector generation System resources on CPE01 and CPE02 for FPGA and ASIC synthesis

34 Questions