CSE 246: Computer Arithmetic Algorithms and Hardware Design Numbers: RNS, DBNS, Montgomory Prof Chung-Kuan Cheng Lecture 3

How to compare two RNS numbers We can approximate the magnitude of a RNS number by the following formula where

An Example Suppose, x = (6|3|0) RNS (7|5|3) y = (3|0|1) RNS (7|5|3) Then we have x/105 = [6(1/7) + 3(1/5) + 0(2/3)] mod 1 ≈ y/105 = [3(1/7) + 0(1/5) + 1(2/3)] mod 1 ≈ Clearly, x (48) is greater than y (10).

Double Base Number System (DBNS) DBNS is a new kind of number system, where there are two bases, p and q. Any number x is represented by the equation Also, this number system could be redundant, e.g. 54 = =

Double Base Number System (DBNS) We can represent DBNS numbers in a two-dimensional table. For example we can express 54 by this tabular representation xx 3x 9xx For each entry in the table, we multiply the corresponding row-value and column-value. Then we add up all such entries to get the value of the number represented by the table.

Double Base Number System (DBNS) DBMS can be of practical use too in some scenarios.  In binary number representation, each bit has approximately 0.5 probability of being 1.  But in DBNS, the number of bits that are logic 1 in the tabular representation could be much less.  Effectively, we can reduce the number of 0  1 and 1  0 transitions, thus saving power.

Double Base Number System (DBNS) A greedy approach to minimize the number of TRUE bits in the tabular representation of any integer : GREEDY (x) { if (x > 0) then do{ find the largest 2-integer w such that w ≤ x; write(w); x = x-w; greedy(x); }

Double Base Number System (DBNS) It can be shown that expected number of bits that are ‘turned on’ in a DBNS representation of integer is O[lg x/(lg lg x)], which is significantly lower than the corresponding number in the positional binary system, O(lg x). As an example, consider the integer In binary system, number of ‘1’s ≈ 100 In DBNS, number of ‘1’s ≈ 30 In the next few slides we shall discuss how we can implement ADDITION operation on two DBNS numbers.

DBNS Numbers: Addition Consider the integers 14 and 20. In DBNS system, 14 = [We represent this number by a green cross] 20 = [We represent this number by a red cross] The addition operation is performed by representation the numbers in tabular form, and then ‘merging’ the tables x 3x 9x

DBNS System: Addition The final merged table is : And the sum of 14 and 20 is = 34, which is indeed correct

DBNS System: Addition Few rules for ‘shifting’ values in the merged table  We can always use algebraic manipulations to minimize number of entries in a DBNS table, e.g. 2 i 3 j + 2 i 3 j+1 = 2 i+2 3 j 2 i 3 j + 2 i+1 3 j = 2 i 3 j+1 A variant of 2-integers are represented by using only single digit. They are of the form 2 s 3 t, and might be useful in logarithmic operations.

Montgomery Multiplication David Harris Harvey Mudd College Claremont, CA

Outline Cryptography Overview Finite Field Mathematics Montgomery Multiplication

Cryptography Overview Encryption has become essential  E-commerce (SSL)  Communications / network processors  Smart cards / digital cash  Military Two major classes of algorithms  Symmetric cryptosystems (e.g. DES)  Public key cryptosystems (e.g. RSA)

Cryptographic Protocols Alice and Bob would like to communicate securely. Eve wants to listen in.  Symmetric key: Alice and Bob must share a key for encryption and decryption. If Eve hears it, she can read the messages.  Public key: Alice publishes her public key to the world. Bob encrypts with Alice’s public key. Alice can decrypt only with her private key. Eve can’t decrypt with the public key.

Digital Signatures Alice wants to sign a contract in a way that only she can do.  Alice publishes her public key and keeps the private key secret.  Encrypt the document with her secret key.  Anyone can decrypt the document with her public key  But nobody can forge her signature.

Key Exchange Public key encryption is slow Use it to share a symmetric key  Use symmetric key to encrypt large blocks of data

RSA Encryption Most widely used public key system.  Good for encryption and signatures.  Invented by Rivest, Shamir, Adleman (1978) Public e and private d keys are long #s  n = bits  Satisfy x de mod M = x for all x  Finding d from e is as hard as factoring M Encryption: B = A e mod M Decryption: C = B d mod M = A ed = A

Modular Exponentiation Critical operation in RSA and for  Digital signature algorithm  Diffie-Hellman key exchange  Elliptic curve cryptosystems Done with 2n modular multiplications  Ex: A 27 = ((((((A 2 ) * A) 2 ) 2 ) * A) 2 ) * A  Division required after each multiplication to compute modulo

Finite Field Mathematics +, * modulo prime p form a finite field  p elements  Additive identity: 0  Multiplicitive identity: 1  Each nonzero number has a unique inverse x -1  Named GF(p) For Evariste Galois, a 19 th century number theorist killed in a duel at age 20

Binary Extension Fields Building blocks are polynomials in x  Operations performed modulo some irreducible polynomial f(x) of degree n  Arithmetic done modulo 2  Called GF(2 n ) Example: GF(2 3 ) Computation is the same as GF(p)  Except that no carries are propagated ElementCode x010 x+1011 x2x2 100 x x2+xx2+x110 x 2 +x+1111

Montgomery Multiplication Faster way to do modular exponentation  Operate on Montgomery residues  Division becomes a simple shift  Requires conversion to and from residues only once per exponentiation

Montgomery Residues Let the modulus M be a prime n-bit integer Define r = 2 n Define the M-residue of an integer a < M as There is a one-to-one correspondence between integers and M-residues for 0 < a < M-1

M-Residue Examples M = 11, r = 16

Montgomery Multiplicaton Define Where r -1 is the inverse of r mod M:  r -1 r = 1 (mod M) This gives the Montgomery residue of  z = xy mod M

Montgomery Multiplicaton

Mont. Multiplication Example It may not be obvious that this is easier to do than regular modular multiplication. Red(T)= Tr -1 mod M

Algorithm m= T M’ mod r (0<= m < r) t= (T+mM)/r If t>=M, return t-M else return t Red(T)= T r -1 mod M Let M’= (-M -1 ) mod r, i.e. rr -1 -M’M=1

Example Red(T)= T r -1 mod M Let M’= -M -1 mod r, i.e. rr -1 -M’M=1 r= 16 M= 11 r -1 mod M = 9 M’= -M -1 mod r = 13 rr -1 -M’M= 16x9-13x11= 1

Example Red(T)= T r -1 mod M r= 16, M= 11, r -1 = 9, M’= 13 m= (T M’ )mod r t= (T+mM)/r If t>=M, t-M else return t Red(1) m=1x13 mod 16= 13 t= (1+13x11)/16= 144/16= 9 Red(1)= 9 Red(1)= 1x9 mod 11= 9

Example Red(T)= T r -1 mod M r= 16, M= 11, r -1 = 9, M’= 13 m= T M’ mod r t= (T+mM)/r If t>=M, t-M else return t Red(2) m=2x13 mod 16= 10 t= (2+10x11)/16= 112/16= 7 Red(2)= 7 Red(2)= 2x9 mod 11= 7

Example Red(T)= T r -1 mod M r= 16, M= 11, r -1 = 9, M’= 13 m= Tmod r M’ mod r t= (T+mM)/r If t>=M, t-M else return t Red(3) m=3x13 mod 16= 7 t= (3+7x11)/16= 80/16= 5 Red(3)= 5 Red(3)= 3x9 mod 11= 5

Example Red(T)= T r -1 mod M r= 16, M= 11, r -1 = 9, M’= 13 m= Tmod r M’ mod r t= (T+mM)/r If t>=M, t-M else return t Red(103) m=103x13 mod 16= 11 t= (103+11x11)/16= 224/16= 14 t= t-M= 14-11=3 Red(103)= 3 Red(103)= 103x9 mod 11= 3

Proof: (T+mM)/r is an integer m=TM’ mod r Thus mM mod r = -T mod r Therefore T+mM mod r is 0 t modM = Tr -1 modM t= (T+mM)/r Thus tr = T+mM Consequently, tr mod M= T mod M 0<= t < 2M 0<= T+mM< rM+rM

Montgomery Multiplier MM is an easier operation that requires no hard division, just shifting In radix 2, Z = 0 for i = 0 to n-1 Z = Z + x i Y if Z is odd then Z = Z + M Z = Z/2 if Z ≥ M then Z = Z – M

Example X = 7 = 0111 Y = 5 = 0101 M = 11 = 1011 Z initially 0  Z = ( ) / 2 = 8  Z = ( ) / 2 = 12  Z = ( ) / 2 = 14  Z = (14 + 0) / 2 = 7 (final result) Z = 0 for i = 0 to n-1 Z = Z + xiY if Z is odd then Z = Z + M Z = Z/2 if Z ≥ M then Z = Z – M

Conversion Conversion of integers to/from Montgomery residues takes one MM operation (if r 2 mod M is precomputed and saved): Modular exponentiation takes two conversion steps and 2n multiplication steps.