SERBIAN JOURNAL OF ELECTRICAL ENGINEERING
Vol. 11, No. 1, February 2014, 121-131
UDC: 004.3'142:621.394.14
DOI: 10.2298/SJEE140114011S

Hardware Modules of the RSA Algorithm

Velibor Škobić¹, Branko Dokić¹, Željko Ivanović¹

¹ University of Banja Luka, Faculty of Electrical Engineering, Patre 5, 78 000 Banja Luka, Bosnia and Herzegovina; E-mails: velibor.skobic@etfbl.net, bdokic@etfbl.net, zeljko.ivanovic@etfbl.net

Abstract: This paper describes basic principles of data protection using the RSA algorithm, as well as algorithms for its calculation. The RSA algorithm is implemented on FPGA integrated circuit EP4CE115F29C7, family Cyclone IV, Altera. Four modules of the Montgomery algorithm are designed using VHDL. Synthesis and simulation are done using Quartus II software and ModelSim. The modules are analyzed for different key lengths (16 to 1024) in terms of the number of logic elements, the maximum frequency and speed.

Keywords: RSA algorithm, FPGA, Encryption.

1 Introduction

Protection from unauthorized access to data and information is a notable challenge within the data transmission process. Encryption provides such data protection. The transmitter encrypts data and sends it to the receiver, which reconstructs the original data using decryption. An eavesdropper may catch the data, but is not able to decrypt it without knowledge of the decryption method [1, 2].

Secure data transfer is a very important aspect of bank transactions, online shopping, telephone communication, e-mail etc. Data transfer in these applications is provided by communication networks [2]. These ways of transfer are not secure and there is a possibility of unauthorized access to the data being transferred.

There are several data encryption methods. Classical methods are based on secrecy of encryption and decryption algorithms. In modern cryptography, keys are being used for data encryption. Modern cryptography is based on the idea that encryption algorithms are public, while the keys are private. Algorithms are mostly based on mathematical problems that are difficult to compute. One of the best known public key encryption algorithms is the RSA (Rivest, Shamir, Adleman) algorithm [3], which is based on the principles of number theory. This algorithm is implemented in operating systems, secure phones, and in many protocols for secure internet communications [4-6]. In the RSA algorithm, the methods of encryption and decryption are the same, but with application of different keys. Security of these algorithms strongly depends on the key length.

The structure of this paper is as follows. In the second section the RSA algorithm is described. The third section describes computational methods. Simulation results of implemented modules are presented in the fourth section. Conclusions are given in the fifth section.

2 Basics of the RSA Algorithm

Operation of the RSA algorithm is performed in three phases [3]: key generation, encryption and decryption. The key generation is done in the following way. Two primes p and q are generated, and then number m is obtained by multiplication of the primes:

$$m = pq. \tag{1}$$

The next step is computing the Euler function φ of the number m. Since p and q are primes, the value of φ is given by the formula:

$$\varphi(m) = (p-1)(q-1). \tag{2}$$

After that, it is necessary to determine a number e having value greater than 1 and less than φ(m). Another condition is that number 1 is the greatest common divisor of numbers e and φ(m):

$$GCD(e, \varphi(m)) = 1. \tag{3}$$

Obtained numbers m and e represent a public key that is used for encryption. For decryption, besides number m, a secret key d is needed as well. The value of d is defined by the following equation:

$$d = \frac{k\varphi(m) + 1}{e}, \quad k \in N, \tag{4}$$

under the constraint:

$$(e \cdot d) \bmod \varphi(m) = 1. \tag{5}$$

Encryption/decryption is performed by exponentiation of the message by the value of the key, and the result of the exponentiation is divided modulo m. Complexity of this computation depends on the key length. Encrypted data correspond exactly to the input data if the input message P is shorter than number m. Encryption of the message P is done by the following:

$$C = P^e \bmod m, \tag{6}$$

while decryption of the message C is done by the following:

$$P = C^d \bmod m. \tag{7}$$
From the equations (6) and (7), it can be seen that encryption and decryption methods are identical. Application of a correct secret key, within the process of decryption, provides recovery of the original message P. An illustration of data encryption/decryption using the RSA algorithm is given by the following example. Let p and q be the primes with values:

$$p = 17, \quad q = 19. \tag{8}$$

Compute m and φ(m):

$$m = pq = 323, \qquad \varphi(m) = (p-1)(q-1) = 288. \tag{9}$$

The next step is determination of the number e according to the condition (3), e.g. e = 11. Then compute d according to the equation (5). Taking k = 5 in the relation (5) we get secret key d = 131. Numbers m and e make the public key, while numbers m and d represent the secret key. Let the input data be P = 15, then encrypted data is

$$C = 15^{11} \bmod 323 = 60, \tag{10}$$

while decryption yields:

$$P = 60^{131} \bmod 323 = 15, \tag{11}$$

i.e. the original data P = 15.

There are many methods to break RSA encryption. In fact, they are based on the weakness of the whole data protection process, and not on weakness of encryption itself. An efficient way to break RSA encryption has not been discovered so far. In order to break RSA encryption, it is necessary to find the factorization of number m, i.e. to determine the prime numbers p and q. Knowing p and q, it is possible to determine a secret key. Factorization of large numbers is a very complex and time consuming process. Considering large key lengths (1024 or 2048), even with application of the fastest modern computers and the best algorithms for decryption, it would take many years to finish the process of factorization. We emphasize, it is not mathematically proven that factorization of number m is needed in order to recover a message P from the message C [1].

3 Computation of the RSA Algorithm

Either software or hardware implementation of the RSA algorithm is possible. Software implementation means a program which operates on the digital processor. Data processing time depends on the frequency of the processor and the key length. Increase of the key length increases algorithm security, as well as the data processing time.
Systems that process large amounts of data require some assistance to processor operation. A remarkable solution is hardware implementation of the RSA algorithm. In that case, data processing is mostly done in parallel with processor operation, which yields shorter time for encryption/decryption. There are several papers on this topic, e.g. [7-11].

From the equations (6) and (7) it is seen that encryption is done by exponentiation of the message P by e. Decryption means exponentiation of the encrypted message C by d. Then computation modulo m needs to be done. So, the basic algorithm relies on sequential multiplication of the message P (C for decryption) e (d) times, and then application of modulo m operator:

$$C = \prod_{i=1}^{e} P_i \bmod m. \tag{12}$$

The number of bits needed to store intermediate results during message exponentiation is given by the equation:

$$Q_{bits} = \log_2\left(P^e\right) \approx 2^k \cdot k, \tag{13}$$

where k is number of bits of the key and the message. Taking k = 256, according to the relation (10), to store that data we need $C_{bits} \approx 10^{80}$ bits, which is a huge value impossible to implement. Using the following relationship:

$$(A \cdot B) \bmod m = (A \cdot (B \bmod m)) \bmod m \tag{14}$$

number of the bits to be stored can be reduced. The maximum number of bits needed to store the data according to this method is 2k, while number of iterations is e - 1. For large values of e computation time is too long.

These examples illustrate the computing complexity of encryption/decryption. These methods are appropriate neither for hardware nor software implementation, because of a great number of bits needed to store intermediate results, as well as the great number of iterations. Reduction of the number of iterations can be done by conversion of the number e to its binary form:

$$e = (e_{k-1}, \ldots, e_1, e_0) = \sum_{i=0}^{k-1} e_i 2^i, \quad e_i \in \{0, 1\}. \tag{15}$$

In this case, the computing is performed in k iterations including two ways of computing, left-to-right and right-to-left. Following pseudo-code describes both algorithms [7]:

    right-to-left
    result C = P^e mod m
    1. Y = 1, Z = P
    2. i = 0 to i = k-1
       a. if e_i = 1 then Y = Y*Z mod m
       b. Z = Z*Z mod m
    3. output C = Y
    left-to-right
    result C = P^e mod m
    1. Y = 1
    2. i = k-1 to i = 0
       a. Y = Y*Y mod m
       b. if e_i = 1 then Y = Y*P mod m
    3. output C = Y

The first algorithm has two variables Z and Y, which means one register more than for the second algorithm, which has only one variable, Y. In respect to speed, the second algorithm requires two consecutive modular multiplications within an iteration, while the first one requires just one modular multiplication per iteration. Besides these, several other encryption/decryption algorithms are developed, such as m methods, adaptive m methods, addition chains, factor method, power tree, Montgomery etc. [12]. Most of these methods use modular multiplication, so implementation of an efficient modular multiplication algorithm is of high importance.

One of the most frequently used algorithms for modular computing of $P^e$ is the Montgomery algorithm. It is very efficient and simple for hardware implementation and it is given by the following expression:

$$Monpro(A, B, m) = A \cdot B \cdot 2^{-k} \bmod m. \tag{16}$$

As seen from (16), multiplication contains number $2^{-k}$, so it is necessary to adapt the form $Y \cdot Y$ to the form $A \cdot B \cdot 2^{-k}$. To achieve this, it is necessary to perform Montgomery modular multiplication by number $2^{2k}$ on the initial values. The result should be modularly multiplied by number 1. Putting Montgomery modular multiplication in the algorithms of left-to-right and right-to-left multiplication, we get Montgomery modular computation of $P^e$. Montgomery modular multiplication algorithm is given by the following pseudo code:

    Result S = Monpro(A, B, m)
    1. S = 0
    2. i = 0 to i = k-1
       a. S = S + A*b_i           (1st adder)
       b. S = (S + S(0)*m) / 2    (2nd adder)

This code defines the algorithm with two adders (Montgomery_2a). For hardware realization of this algorithm, one shift register, a register for storing the variable S, two adders, and multiplexers for signal routing are needed. The Montgomery algorithm can be implemented with one adder. Algorithm with one adder is given by the following pseudo code (Montgomery_1a):

    Result S = Monpro(A, B, m)
    1. S = 0, Am = A + m
    2. i = 0 to i = k-1
       a. case (B(i) & A(0) & S(0))
            when (001 | 011) L = m
            when (100 | 111) L = A
            when (101 | 110) L = Am
            when others      L = 0
          S = (S + L) / 2         (adder)

For this realization, the following components are needed: one adder, one shift register, two registers for storing S and Am, and multiplexer logic for routing signal L. Both algorithms take k+1 iterations for computing. Complete Montgomery algorithm by method right-to-left and left-to-right is given by the pseudo-code:

    right-to-left
    result C = P^e mod m
    1. K = 2^(2n) mod m
    2. Z = Monpro(1, K, m)
    3. P = Monpro(P, K, m)
    4. i = 0 to i = k-1
       a. if e_i = 1 then Z = Monpro(Z, P, m)
       b. P = Monpro(P, P, m)
    5. Z = Monpro(1, Z, m)
    6. C = Z

    left-to-right
    result C = P^e mod m
    1. K = 2^(2n) mod m
    2. Z = Monpro(1, K, m)
    3. P = Monpro(P, K, m)
    4. i = k-1 to i = 0
       a. Z = Monpro(Z, Z, m)
       b. if e_i = 1 then Z = Monpro(Z, P, m)
    5. Z = Monpro(1, Z, m)
    6. C = Z
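An added software model of the Monpro pseudo-code and of the two exponentiation loops above (Python, not the authors' VHDL), checked against the paper's worked example m = 323, e = 11, d = 131. It assumes m is odd, m < 2^k, operands below m, the paper's n equal to k, and a final conditional subtraction that the pseudo-code does not show; all function names are hypothetical.

```python
# Added example (not from the paper): software model of the Monpro pseudo-code.
# Assumptions: m odd, m < 2**k, operands < m, the paper's n taken equal to k,
# and a final conditional subtraction (hypothetical helper _reduce).

def _reduce(s, m):
    return s - m if s >= m else s        # s < 2m here, one subtraction suffices

def monpro_2a(a, b, m, k):
    """Two-adder form: S = S + A*b_i, then S = (S + S(0)*m) / 2."""
    s = 0
    for i in range(k):
        s += a * ((b >> i) & 1)          # 1st adder
        s = (s + (s & 1) * m) >> 1       # 2nd adder; sum is even, so /2 is exact
    return _reduce(s, m)

def monpro_1a(a, b, m, k):
    """One-adder form: L is chosen from {0, m, A, A+m} by B(i), A(0), S(0)."""
    am = a + m                           # Am = A + m, computed once
    s = 0
    for i in range(k):
        sel = (((b >> i) & 1) << 2) | ((a & 1) << 1) | (s & 1)
        if sel in (0b001, 0b011):
            addend = m
        elif sel in (0b100, 0b111):
            addend = a
        elif sel in (0b101, 0b110):
            addend = am
        else:
            addend = 0
        s = (s + addend) >> 1            # the single adder
    return _reduce(s, m)

def modexp_rl(p, e, m, k, monpro=monpro_1a):
    """Right-to-left binary exponentiation in the Montgomery domain."""
    kk = pow(2, 2 * k, m)                # K = 2^(2k) mod m
    z = monpro(1, kk, m, k)              # 1 in Montgomery form
    p = monpro(p, kk, m, k)              # P in Montgomery form
    for i in range(k):                   # exponent bits, least significant first
        if (e >> i) & 1:
            z = monpro(z, p, m, k)
        p = monpro(p, p, m, k)
    return monpro(1, z, m, k)            # back to the ordinary representation

def modexp_lr(p, e, m, k, monpro=monpro_2a):
    """Left-to-right variant: one multiplier used twice per iteration."""
    kk = pow(2, 2 * k, m)
    z = monpro(1, kk, m, k)
    p = monpro(p, kk, m, k)
    for i in reversed(range(k)):         # exponent bits, most significant first
        z = monpro(z, z, m, k)
        if (e >> i) & 1:
            z = monpro(z, p, m, k)
    return monpro(1, z, m, k)

def worked_example():
    """Paper's example: m = 323, e = 11, d = 131, P = 15; k = 9 since 323 < 2**9."""
    c = modexp_rl(15, 11, 323, 9)
    return c, modexp_lr(c, 131, 323, 9)
```

Both loops multiply only when an exponent bit is 1, so the number of multiplications depends on the key bits; the model is for checking the arithmetic, not a constant-time design.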
It takes k + 2 iterations for computing. Each iteration includes two Montgomery modular multiplications. Algorithm right-to-left takes two Montgomery modular multipliers working in parallel, and left-to-right algorithm takes one Montgomery modular multiplier that works sequentially.

4 FPGA Implementation

In this paper, implementation of the RSA algorithm is made on FPGA integrated circuit EP4CE115F29C7, family Cyclone IV, Altera [13]. This component contains 266 embedded multipliers (18 x 18 bits), 4 PLL blocks, 3888 Kbits of embedded memory, 528 I/O pins and 114480 logic elements. Preference for FPGA circuit relies on availability, easiness of system testing, flexibility, and relatively good performance in terms of speed and power consumption.

Four modules for RSA encryption are implemented. Two of them implement the Montgomery algorithm right-to-left with one adder (Montgomery_rl_1a) and with two adders (Montgomery_rl_2a). Another two modules use the Montgomery algorithm left-to-right with one adder (Montgomery_lr_1a) and with two adders (Montgomery_lr_2a). As mentioned before, the RSA algorithm is symmetric, so the same module may be used for encryption, as well as for decryption. The modules are designed using VHDL. Synthesis and simulation were done using Quartus II software and ModelSim. The RSA algorithm implementation using Montgomery modular multiplication is quite simple and suitable for hardware implementation, hence following key lengths (k) are achieved: 16, 32, 64, 128, 256, 512 and 1024.

The analysis of implemented modules shows the number of needed resources, number of clocks for encryption, as well as maximum operating frequency of the modules. Table 1 presents results of the analysis in terms of logic resources needed for implementation of the Montgomery right-to-left algorithm.

Table 1 Number of logic elements for the Montgomery right-to-left algorithm.

| k | Montgomery_rl_1a | Montgomery_rl_2a |
|---|---|---|
| 16 | 395 | 386 |
| 32 | 746 | 822 |
| 64 | 1451 | 1575 |
| 128 | 2738 | 3117 |
| 256 | 5427 | 6189 |
| 512 | 10808 | 11602 |
| 1024 | 22776 | 24132 |
Table 2 gives results of the analysis with respect to the logic resources needed for implementation of the Montgomery left-to-right algorithm.

Table 2 Number of logic elements for the Montgomery left-to-right algorithm.

| k | Montgomery_lr_1a | Montgomery_lr_2a |
|---|---|---|
| 16 | 329 | 322 |
| 32 | 621 | 683 |
| 64 | 1195 | 1257 |
| 128 | 2231 | 2483 |
| 256 | 4408 | 4916 |
| 512 | 9356 | 10317 |
| 1024 | 18701 | 20584 |

From the results given in Table 1 and Table 2, Montgomery right-to-left implementation occupies more logic resources than left-to-right. This is due to the fact that implementation of right-to-left requires two Montgomery modular multipliers, while implementation of left-to-right requires one Montgomery modular multiplier. Implementation of Montgomery modular multiplication with one adder requires fewer resources than implementation with two adders. For addition, the arithmetic operation defined in the package ieee.numeric_std was used. With this implementation of adders, the realization takes logical elements connected in series, which work in arithmetic mode. One k-bit adder takes k logical elements. Reducing the number of k-bit adders saves resources. For key length of 1024 bits, the Montgomery_ld_1a implementation requires the least resources, with 18701 logic elements.

Maximum operating frequency analysis was performed by using TimeQuest Timing Analyzer included in the Quartus II software. The results for the Montgomery right-to-left algorithm are presented in Table 3, and for the Montgomery left-to-right algorithm in Table 4.

Table 3 Maximum operating frequency of Montgomery right-to-left implementation [μs].

| k | Montgomery_rl_1a | Montgomery_rl_2a |
|---|---|---|
| 16 | 250 | 250 |
| 32 | 121.2 | 111.73 |
| 64 | 91.74 | 83.41 |
| 128 | 64.86 | 63.29 |
| 256 | 41.09 | 37.42 |
| 512 | 24.19 | 22.82 |
| 1024 | 13.19 | 12.73 |
Table 4 Maximum operating frequency of Montgomery left-to-right implementation [μs].

| k | Montgomery_lr_1a | Montgomery_lr_2a |
|---|---|---|
| 16 | 250 | 250 |
| 32 | 115.55 | 108.23 |
| 64 | 96.32 | 88.64 |
| 128 | 64.91 | 62.45 |
| 256 | 41.44 | 41.45 |
| 512 | 24.31 | 23.68 |
| 1024 | 13.31 | 12.86 |

The Montgomery_ld_1a implementation has the greatest maximum operating frequency. This is caused by the fact that it requires fewer resources and shorter routing links, which results in shorter propagation time. Montgomery_dl_2a has the lowest maximum operating frequency. This is due to the fact that it requires the most resources and longer routing links, and thereby greater propagation time. For key length of 1024 bits, Montgomery_ld_1a implementation has the highest operating frequency, i.e. 13.31 MHz.

To encrypt one data item in Montgomery right-to-left implementation, it takes (k+3)(k+2) cycles, where each of k+3 of modular $P^e$ computation cycles requires k+2 cycles for modular multiplying. Montgomery left-to-right implementation requires 2(k+3)(k+2) cycles, where each of 2(k+3) of modular $P^e$ computation cycles requires k+2 cycles for modular multiplying. Left-to-right implementation requires twice as many cycles as right-to-left implementation. This is due to the fact that left-to-right implementation requires one Montgomery modular multiplier that works sequentially, and right-to-left implementation requires two Montgomery modular multipliers that work in parallel.

Combination of the results for maximum operating frequency (Table 3 and Table 4), number of cycles for encryption and key length yields maximum data encryption speed in bits per second, as a function of the key length (maxfreq · k / cycles). In Table 5 the results for right-to-left implementation are presented, while Table 6 gives the results for left-to-right implementation. From the analysis of the results given in Table 5 and in Table 6, it is obvious that Montgomery_dl_1a implementation has maximum speed of encryption, because in this implementation Montgomery modular multipliers work in parallel (fewer cycles for computation), and Montgomery modular multiplier uses one adder (fewer logic elements, less delay). An increase of the key length yields reduction of encryption speed. For key length of 1024 bits, maximum encryption speed is 12.81 kb/s. If implementation with fewer resources is used, maximum encryption speed is achieved by Montgomery_ld_1a implementation, with 6.46 kb/s.
Table 5 Maximum speed of encryption for Montgomery right-to-left implementation [kb/s].

| k | Montgomery_dl_1a | Montgomery_dl_2a |
|---|---|---|
| 16 | 11695.91 | 11695.91 |
| 32 | 3259.16 | 3004.5 |
| 64 | 1327.76 | 1207.2 |
| 128 | 487.49 | 475.69 |
| 256 | 157.41 | 143.35 |
| 512 | 46.78 | 44.13 |
| 1024 | 12.81 | 12.37 |

Table 6 Maximum speed of encryption for Montgomery left-to-right implementation [kb/s].

| k | Montgomery_ld_1a | Montgomery_ld_2a |
|---|---|---|
| 16 | 5847.95 | 5847.95 |
| 32 | 1553.61 | 1455.19 |
| 64 | 697.02 | 641.44 |
| 128 | 243.93 | 234.69 |
| 256 | 79.37 | 79.39 |
| 512 | 23.51 | 22.9 |
| 1024 | 6.46 | 6.24 |

5 Conclusion

Four FPGA modules, which implement the RSA encryption algorithm, are made on Altera's EP4CE115F29C7 circuit. Synthesis and simulation have been performed using Quartus II and ModelSim software. For exponentiation, the binary algorithm has been used, while for modular multiplications, the Montgomery algorithm has been used. Selected FPGA device allows key lengths of 16, 32, 64, 128, 256, 512 and 1024 bits. Number of required logic elements increases with the key length. Right-to-left implementation occupies more resources than left-to-right implementation. Also, Montgomery modular multiplication with one adder occupies fewer resources than implementation with two adders. The Montgomery_ld_1a implementation takes the least resources. For key length of 1024 bits, Montgomery_ld_1a takes 18701 logic elements. Right-to-left implementation has greater encryption speed than left-to-right implementation. Maximum encryption speed can be achieved using Montgomery_dl_1a implementation. For key length of 1024 bits, Montgomery_dl_1a has encryption speed of 12.81 kb/s.
6 References

[1] A.S. Tanenbaum: Computer Networks, Prentice Hall, Upper Saddle River, NJ, USA, 2002.
[2] B. Schneier: Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley and Sons, NY, USA, 1996.
[3] R.L. Rivest, A. Shamir, L. Adleman: A Method for Obtaining Digital Signatures and Public-key Crypto Systems, Communications of the ACM, Vol. 21, No. 2, Feb. 1978, pp. 120-126.
[4] A. Karaca, O. Cetin: A Robust Real-time Secure Communication approach Over Public Switched Telephone Network, Journal of Naval Science and Engineering, Vol. 7, No. 1, April 2011, pp. 37-47.
[5] K. Chakravarthy, M. Srinivas: Speech Encoding and Encryption in VLSI, Asia and South Pacific Design Automation Conference, Kitakyushu, Japan, 21-24 Jan. 2003, pp. 569-570.
[6] M.I. Ibrahimy, M.B.I. Reaz, K. Asaduzzaman, S. Hussain: FPGA Implementation of RSA Encryption Engine with Flexible Key Size, International Journal of Communication, Vol. 1, No. 3, 2007, pp. 107-113.
[7] C.K. Koc: High-speed RSA Implementation, RSA Laboratories, Redwood City, CA, USA, Nov. 1994.
[8] S.K. Sahu, M. Pradhan: FPGA Implementation of RSA Encryption System, International Journal of Computer Applications, Vol. 19, No. 9, Apr. 2011, pp. 10-12.
[9] R. Ghayoula, E. Hajlaoui, T. Korkobi, M. Traii, H. Trabelsi: FPGA Implementation of RSA Cryptosystem, International Journal of Social, Human Science and Engineering World Academy of Science, Engineering and Technology, Vol. 2, No. 8, 2008, pp. 848-852.
[10] J. Fry, M. Langhammer: RSA and Public Key Cryptography in FPGAs, Technical Report TR CF-032305-1.0, Altera Corporation, 2005.
[11] A. Anand, P. Praveen: Implementation of RSA Algorithm on FPGA, International Journal of Engineering Research and Technology, Vol. 1, No. 5, July 2012.
[12] P.L. Montgomery: Modular Multiplication without Trial Division, Mathematics of Computation, Vol. 44, No. 170, April 1985, pp. 519-521.
[13] Cyclone IV EP4CE115F29C7 Data Sheets. http://www.altera.com.