Chuliang Guo,Li Zhang,Xian Zhou,Grace Li Zhang,Bing Li,Weikang Qian,Xunzhao Yin,Cheng Zhuo

DOI: https://doi.org/10.1145/3446213

IF: 2.013

2021-01-01

ACM Journal on Emerging Technologies in Computing Systems

Abstract:Multiplications have been commonly conducted in quantized CNNs, filters, and reconfigurable cores, and so on, which are widely deployed in mobile and embedded applications. Most multipliers are designed to perform multiplications with symmetric bit-widths, i.e., n - by n -bit multiplication. Such features would cause extra area overhead and performance loss when m - by n -bit multiplications ( m > n ) are deployed in the same hardware design, resulting in inefficient multiplication operations. It is highly desired and challenging to propose a reconfigurable multiplier design to accommodate operands with both symmetric and asymmetric bit-widths. In this work, we propose a reconfigurable approximate multiplier to support multiplications at various precisions, i.e., bit-widths. Unlike prior works of approximate adders assuming a uniform weight distribution with bit-wise independence, scenarios like a quantized CNN may have a centralized weight distribution and hence follow a Gaussian-like distribution with correlated adjacent bits. Thus, a new block-based approximate adder is also proposed as part of the multiplier to ensure energy-efficient operation with an awareness of the bit-wise correlation. Our experimental results show that the proposed approximate adder significantly reduces the error rate by 76% to 98% over a state-of-the-art approximate adder for Gaussian-like distribution scenarios. Evaluation results show that the proposed multiplier is 19% faster and 22% more power saving than a Xilinx multiplier IP at the same bit precision and achieves a 23.94-dB peak signal-to-noise ratio, which is comparable to the accurate one of 24.10 dB when deployed in a Gaussian filter for image processing tasks.

Lijuan Li,Shuguo Li

DOI: https://doi.org/10.1109/tcsii.2017.2785382

2018-01-01

Abstract:Point multiplication is the key operation that dominates the speed and area of each elliptic curve cryptosystem. In this brief, we propose a highly efficient architecture for point multiplication on Koblitz curves. The right-to-left point multiplication algorithm is adopted to allow parallel computation of Frobenius maps and point additions. In order to achieve short latency as well as high frequency, we explore operation rescheduling in consecutive point additions with a pipelined bitparallel finite field multiplier accumulator. Furthermore, the pipelined mixed-form double-digit scalar converter with compact recoding is employed to reduce the wait time and consumed logic resources by scalar conversion. Fast inversion based on optimal addition chains is used to further reduce the latency. Implementation results on Xilinx Virtex V show that the proposed architecture can perform a point multiplication in as few as 2.50, 4.09, 5.81, 9.50, 18.51 mu s over the five NIST Koblitz curves K-163, K-233, K-283, K-409, and K-571, respectively. To the best of our knowledge, the proposed architecture of point multiplication has the fastest speed in comparison to the reported results.

Xiangren Chen,Bohan Yang,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.46586/tches.v2022.i1.94-126

2021-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Number theoretic transform (NTT) is widely utilized to speed up polynomial multiplication, which is the critical computation bottleneck in a lot of cryptographic algorithms like lattice-based post-quantum cryptography (PQC) and homomorphic encryption (HE). One of the tendency for NTT hardware architecture is to support diverse security parameters and meet resource constraints on different computing platforms. Thus flexibility and Area-Time Product (ATP) become two crucial metrics in NTT hardware design. The flexibility of NTT in terms of different vector sizes and moduli can be obtained directly. Whereas the varying strides in memory access of in-place NTT render the design for different radix and number of parallel butterfly units a tough problem. This paper proposes an efficient conflict-free memory mapping scheme that supports the configuration for both multiple parallel butterfly units and arbitrary radix of NTT. Compared to other approaches, this scheme owns broader applicability and facilitates the parallelization of non-radix-2 NTT hardware design. Based on this scheme, we propose a scalable radix-2 and radix-4 NTT multiplication architecture by algorithm-hardware co-design. A dedicated schedule method is leveraged to reduce the number of modular additions/subtractions and modular multiplications in radix-4 butterfly unit by 20% and 33%, respectively. To avoid the bit-reversed cost and save memory footprint in arbitrary radix NTT/INTT, we put forward a general method by rearranging the loop structure and reusing the twiddle factors. The hardware-level optimization is achieved by excavating the symmetric operators in radix-4 butterfly unit, which saves almost 50% hardware resources compared to a straightforward implementation. Through experimental results and theoretical analysis, we point out that the radix-4 NTT with the same number of parallel butterfly units outperforms the radix-2 NTT in terms of area-time performance in the interleaved memory system. This advantage is enlarged when increasing the number of parallel butterfly units. For example, when processing 1024 14-bit points NTT with 8 parallel butterfly units, the ATP of LUT/FF/DSP/BRAM n radix-4 NTT core is approximately 2.2 × /1.2 × /1.1 × /1.9 × less than that of the radix-2 NTT core on a similar FPGA platform.

Jianfei Wang,Chen Yang,Yishuo Meng,Fahong Zhang,Jia Hou,Siwei Xiang,Yang Su

DOI: https://doi.org/10.1109/tcsi.2024.3483229

2024-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:Out-of-place constant-geometry (CG) NTT usually has a simple and uniform memory access pattern. However, out-of-place CG NTT always requires ping-pong memory, resulting in a memory capacity requirement of 2 $N$ . Therefore, we propose a novel radix-4 in-place CG (IPCG) NTT/INTT that reduces the capacity requirement from 2 $N$ to $N$ . An area-efficient and dynamical reconfigurable polynomial multiplier (RAEPM) based on IPCG NTT is proposed to speed up polynomial multiplication over rings. In RAEPM, a Barrett modular multiplier using area-efficient radix-4 booth multiplier is designed to reduce area. In addition, an odd-bank buffer structure is proposed to achieve conflict-free memory mapping independent of polynomial length $N$ and NTT/INTT stage. Moreover, we also proposed an efficient modular reduction for specific numbers and introduced a division equivalent method to eliminate the odd number modular reduction and odd number division in addressing. RAEPM is implemented on Xilinx VC709 FPGA and runs at 294MHz clock frequency. Compared with the prior pure NTT accelerators, under the same parameters, RAEPM achieves a decrease of 39.02% $\sim$ 57.63% in area-time complexity of equivalent LUT, and a decrease of 15.97% $\sim$ 49.24% in area-time complexity of equivalent FF. Compared with the prior NTT-based polynomial multipliers, under the same parameters, RAEPM achieves a decrease of 35.48% $\sim$ 90.81% in area-time complexity of equivalent LUT, and a decrease of 24.24% $\sim$ 88.41% in area-time complexity of equivalent FF.

Bin Li,Yunfei Yan,Yuanxin Wei,Heru Han

DOI: https://doi.org/10.1109/tvlsi.2023.3312423

2023-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:In lattice-based postquantum cryptography (PQC), polynomial multiplication is complex and time-consuming, which affects the overall computational efficiency. In addition, the parameters of different lattice-based algorithms require different number theoretic transform (NTT) structures, which limits the versatility of hardware design. To this end, this article proposes scalable and parallel optimization of the NTT based on a field-programmable gate array (FPGA). By analyzing the algorithm flow of the NTT, inverse NTT (INTT), and pointwise multiplication (PWM), an FPGA loosely coupled structure is designed, which can be used to place butterfly units of multiple pipelines in parallel and supports various modulo operations of a polynomial. In addition, to improve computing efficiency and scalability, key algorithm modules such as multipliers and modular reduction are deeply optimized. Moreover, the storage optimization of multiple RAM channels is carried out, and the alternate access control of data and the multiplexing of RAM resources reduce resource consumption and improve data access efficiency. For the SHA-3 algorithm, the scalable Keccak algorithm is implemented in a serial–parallel hybrid manner and supports multiple hash modes. Finally, taking the Dilithium algorithm as an example, through the parallelization of SHA-3 and NTT, the calculation cycle of key generation, signature, and verification is shortened. The experimental results and analysis show that the scheme in this article shortens the NTT calculation period while ensuring a high frequency, and the calculation time is significantly better than that of other schemes. Furthermore, it can support the optimized parallelization of multiple moduli and give full play to the computing advantages of an FPGA.

engineering, electrical & electronic,computer science, hardware & architecture

Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Xiang Feng,Shuguo Li

DOI: https://doi.org/10.1109/tvlsi.2017.2691727

2017-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:This brief proposes a double modulus number theoretical transform (NTT) method for million-bit integer multiplication in fully homomorphic encryption. In our method, each NTT point is processed simultaneously under two moduli, and the final result is generated through the Chinese reminder theorem. The employment of double modulus enlarges the permitted NTT sample size from 24 to 32 bits and thus improves the transform efficiency. Based on the proposed double modulus method, we accomplish a VLSI design of million-bit integer multiplier with the Schonhage-Strassen algorithm. Implementation results on Altera Stratix-V FPGA show that this brief is able to compute a product of two 1024k-bit integers every 4.9 ms at the cost of only 7.9k ALUTs and 3.6k registers, which is more area-efficient when compared with the current competitors.

Haihua Gu,Dawu Gu

DOI: https://doi.org/10.1080/01611190903185344

2009-01-01

Cryptologia

Abstract:Scalar multiplication nP is the core operation of elliptic curve public-key cryptosystems. Double bases representation of n is proposed to speed up scalar multiplication. Avanzi et al. presented a recoding algorithm for Koblitz curves which works in all cases with optimal constants [1]. However, their algorithm may be expensive to implement because it requires many divisions in []. In this paper, we show that divisions in [] can be replaced by divisions in . Our improved version of the algorithm runs in about 33% of the time of the Avanzi et al. algorithm on the Koblitz curve K-163, with larger improvements as the size of the curve increases.

Shuguo Li,Jian Zhang

DOI: https://doi.org/10.1587/elex.6.449

2009-01-01

IEICE Electronics Express

Abstract:The parallel Fermat number transform (FNT) architecture is usually implemented with the code conversion (CC) and the butterfly operation (BO) in the diminished-1 number system. However, both the CC and the BO require too much area and delay due to modulo 2n+1 carry-propagation addition. In this paper, we propose a novel parallel FNT architecture with the root of unity 2 which is mainly composed of carry-save code conversion (CSCC) and carry-save butterfly operation (CSBO).The CSCC and the CSBO remove the carry-propagation addition by exploiting the property of carry-save adders. Thus the proposed FNT architecture requires less area and delay than the previous one. Synthesis results using 0.13-µm CMOS standard cells library demonstrate the superiority of the resulting architecture against the previously reported solution.

Neng Zhang,Qiao Qin,Hang Yuan,Chenggao Zhou,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/tc.2019.2958334

IF: 3.183

2020-01-01

IEEE Transactions on Computers

Abstract:Large integer multiplication, or large degree polynomial multiplication, is the most time-consuming operation in fully homomorphic encryption (FHE). Low area and power consumption are difficult to maintain while achieving high performance for a large size multiplier. To address this issue, an area-efficient low-power architecture for multiplication, named NTTU, is proposed in this article. First, a combined number theoretic transform (NTT) method consisting of decimation-in-time (DIT) NTT for input in natural order and bit-reversed order is proposed to eliminate the steps of zero padding, scramble, and the first stage in NTT, thereby achieving a reduction of $7N/2$7N/2 clock cycles compared with the single-type NTT method. Second, the NTT-uncoupled architecture is proposed to uncouple the multiplication components, decreasing the storage space for coefficients by 1/2 compared with state-of-the-art designs. Third, a parallel computing architecture based on a crossed memory access scheme is proposed, therein reducing the corresponding execution time by one-half compared with serial execution. Synthesized using 65 nm technology, the proposed architecture can multiply two 1024k/768k integers in 1.7 ms at 500 MHz at a cost of 13.66/7.67 million gates and 726.7/550.2 mW, and a 71.17 percent/30.37 percent area time product (ATP) reduction is achieved compared with the state-of-the-art ASIC designs.

Thao Thi Phuong Vo,Quynh Thi Nhu Truong,Thuc Trong Hoang,Hung Duc Le

DOI: https://doi.org/10.32508/stdjns.v1it4.468

2017-12-31

Abstract:In this paper, a single-precision floating-point FFT twiddle factor (TF) implementation is proposed. The architecture is based on the Adaptive Angle Recoding CORDIC (AARC) algorithm. The TF design was built and verified on Altera Stratix IV FPGA chip and 65nm SOTB synthesis. The FPGA implementation had 103.9 MHz maximum frequency, throughput result of 16.966 Mega-Sample per second (MSps), and resources utilization of 7.747 ALUTs and 625 registers. On the other hand, the SOTB synthesis has 16.858 standard cells on an area of 298x291 μm2, 166 MHz maximum frequency, and the speed of 27.107 MSps. The accuracy results were 1.133E-10 Mean-Square-Error (MSE) and about 26 part-per-million (ppm) maximum error.

Weizhen Wang,Jun Han,Jielin Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2015.7516999

2015-01-01

Abstract:Finite field arithmetic is the base of cryptography algorithms like Elliptic Curves Cryptography (ECC) and RSA. In this paper, We have designed an arithmetic unit to implement the operation (A ± αB)mod N, where α is a small number compared with N. In our design, the coefficient α is smaller than 128. The basic motivation of designing this multiply-accumulate (MAC) unit is to support some high security ECC algorithms such as Optimal Ate Pairings. The well-known Optimal Ate Pairing based on Barreto-Naehrig elliptic curve is famous for it's efficient implementation. In those cryptography algorithms, the calculation of αB mod N is required, where α is a small number. It is unefficient to use modular multiplication to calculate it. This is the basic motivation of implementing the operation (A ± αB)mod N with α <;<; N. Considering that the Barreto-Naehrig elliptic curve for pairing are defined in F P12 , we implement the arithmetic unit to be a Single Instruction Multiple Data (SIMD) unit with pipelined structure. Thus, the design is suitable for arithmetic in extensions of finte fields. We have modified the Barrett reduction algorithm to make it suitable for the design. The design is synthesized with SMIC 65nm CMOS process. Compared with using modular multiplication to calculate (A ± αB)mod N, Our work shows better performance with small latency and high throughput.

Zhen Gu,Shuguo Li

DOI: https://doi.org/10.1109/tcsi.2021.3126797

2022-01-01

Abstract:In this paper, we presented a method of minimizing the number of overlapped partial products in the accumulation of four-term Karatsuba multiplication. This method reduced the summation of 13 overlapped partial products to 9 and the summation of 40 overlapped partial products to 24 in the case of four-term Karatsuba multiplication and eight-term Karatsuba multiplication, respectively. Moreover, to deal with the problem of negative multiplicands introduced by the choice in the evaluation of four-term Karatsuba multiplication, we further presented a method of converting negative multiplicands to non-negative multiplicands. In this way, our method would lead to the reduction of summation complexity and not using signed multipliers. Compared to the original Karatsuba multiplication designs, our proposed Karatsuba-like multiplication with optimal interpolation would lead to up to 7.7% reduction in ADP (area-delay-product) in ASIC implementations, and up to 20.2% reduction in ADP compared with built-in designs of Synopsys Design Compiler.

Jing Tian,Piaoyang Wang,Zhe Liu,Jun Lin,Zhongfeng Wang,Johann Großschädl,Johann Grosschadl

DOI: https://doi.org/10.1109/tc.2021.3057331

IF: 3.183

2022-03-01

IEEE Transactions on Computers

Abstract:Thanks to relatively small public and secret keys, the Supersingular Isogeny Key Encapsulation (SIKE) protocol made it into the third evaluation round of the post-quantum standardization project of the National Institute of Standards and Technology (NIST). Even though a large body of research has been devoted to the efficient implementation of SIKE, its latency is still undesirably long for many real-world applications. Most existing implementations of the SIKE protocol use the Montgomery representation for the underlying field arithmetic since the corresponding reduction algorithm is considered the fastest method for performing multiple-precision modular reduction. In this paper, we propose a new data representation for supersingular isogeny-based Elliptic-Curve Cryptography (ECC), of which SIKE is a sub-class. This new representation enables significantly faster implementations of modular reduction than the Montgomery reduction, and also other finite-field arithmetic operations used in ECC can benefit from our data representation. We implemented all arithmetic operations in C using the proposed representation such that they have constant execution time and integrated them to the latest version of the SIKE software library. Using four different parameters sets, we benchmarked our design and the optimized generic implementation on a 2.6 GHz Intel Xeon E5-2690 processor. Our results show that, for the prime of SIKEp751, the proposed reduction algorithm is approximately 2.61 times faster than the currently best implementation of Montgomery reduction, and our representation also enables significantly better timings for other finite-field operations. Due to these improvements, we were able to achieve a speed-up by a factor of about 1.65, 2.03, 1.61, and 1.48 for SIKEp751, SIKEp610, SIKEp503, and SIKEp434, respectively, compared to state-of-the-art generic implementations.

engineering, electrical & electronic,computer science, hardware & architecture

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2015.399

2015-01-01

Abstract:Lattice based cryptography is considered as an important candidate for post-quantum cryptosystems. Various lattice based cryptosystems are based on the Ring learning with errors (Ring-LWE) problem. As a basic operation of Ring-LWE problem, polynomial multiplication over rings is the most critical and computationally intensive operation of these cryptosystems. In this paper, we exploit the number theoretic transform (NTT) to build a family of scalable polynomial multiplier architectures, which provide designers with a trade-off choice of speed vs. area. Our multiplier architectures reduce the required clock cycles from 8n+1.5n lg n) to (2n+1.5n lg n)/B, where n is the dimension of the polynomials and B is number of butterfly operators. The experimental results on a Spartan-6 FPGA show that our proposed polynomial multiplier (B = 2) achieves a speedup of 2.5 times on average and consumes less slices and block RAMs when compared with the state of art of compact design. On a Stratix FPGA, our polynomial multiplier (B = 4) is able to achieve a speedup of 1.2 times on average and save around 90% Memory ALUTs, 75% block memory bits, and 63% DSPs when compared with the state of art of high speed design. On a Spartan-6 FPGA, our polynomial multiplier (B = 8) is capable to calculate the product of two polynomials of degree 256/512/1024/2048 in 2.88/5.71/11.46/24.89 µs.

Mingyu Wang,Zhaolin Li

DOI: https://doi.org/10.1016/j.micpro.2018.12.007

IF: 3.503

2018-01-01

Microprocessors and Microsystems

Abstract:Floating-point fast Fourier transform (FFT) has been widely expected in scientific computing and high-resolution imaging applications due to the wide dynamic range and high processing precision. However, it suffers high area and energy overhead problems in comparison to fixed-point implementations. To address these issues, this paper presents an area- and energy-efficient hybrid architecture for floating-point FFT computations. It minimizes the required arithmetic units and reduces the memory usage significantly by combining three different parts. The serial radix-4 butterfly (SR4BF) is used in the single-path delay commutator (SDC) part to minimize the required arithmetic units with 100% adder utilization ratio obtained. A modified single-path delay feedback (MSDF) architecture is proposed to achieve a tradeoff between arithmetic resources and memory usage by using the new half radix-4 butterfly (HR4BF) with 50% adder utilization ratio obtained. The intermediate caching buffer is modified accordingly in the MSDF part. By combining both the advantages on arithmetic units reducing and memory usage optimization in different parts, the optimized area and power are obtained without throughput loss. The logic synthesis results in a 65 nm CMOS technology show that the energy per FFT is about 331.5 nJ for 1024-point FFT computations at 400 MHz. The total hardware overhead is equivalent to 460k NAND2 gates.

Xiang Feng,Shuguo Li

DOI: https://doi.org/10.1109/tcsii.2018.2840108

2019-01-01

Abstract:This brief proposes a novel hardware structure for large integer multiplication in fully homomorphic encryption. We propose a method based on negative wrapped convolution to avoid zero padding in Strassen's algorithm, which can cut down half of the Fourier transform length. In addition, we also optimize the ping-pong fast Fourier transform algorithm by doubling the transform throughput and generating the round constant on the fly. Based on our proposed method and optimized algorithm, we design and implement a 768 k-bit integer multiplier on Altera Stratix V field-programmable gate array (FPGA). Implementation results on FPGA show that our structure outperforms the current competitors in area efficiency.

Jinnan Ding,Shuguo Li,Zhen Gu

DOI: https://doi.org/10.1109/tcsi.2018.2878598

2019-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:In this paper, a high-speed elliptic curve cryptography (ECC) processor specialized for primes recommended by the National Institute of Standards and Technology (NIST) was constructed. Toom–Cook multiplication without division was proposed to implement modular multiplication for NIST primes. Compared with a traditional algorithm, the computation complexity was reduced from 16 base multiplications to 7 in 4-way Toom–Cook multiplication. Moreover, we introduced non-least-positive (NLP) form into our design, so that the carry chain in the large array accumulation was broken down, which greatly shortened the critical path and made parallel processing possible. In order to support NLP form and lazy reduction strategy, conventional fast reduction methods for NIST primes were also modified. In addition, pipeline technique at the level of point multiplication was used, so the latency of modular inverse can be covered. Implemented on the Xilinx Virtex-6 FPGA platform, the ECC processor can perform a point multiplication every 54 $\mu s$ at the cost of 30.3k LUTs and 48 DSPs. Synthesized with 180nm CMOS technology, the speed achieves 43.7 $\mu s$ with 466k gate counts. These experimental results show a significantly better performance per area than previous works.

Zhenwei Zhao,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2014.27

2014-01-01

Abstract:In this paper, we present a high-performance elliptic curve cryptographic architecture over SCA-256 prime field by introducing a one-cycle full-precision multiplier. Based on the multiplier, we give a thorough bottom-up optimization in algorithm level. The performance of the architecture is boosted by the use of a two-stage pipeline scheme, and our pipeline utilization reaches 100%. It takes only 8 cycles to perform point doubling and 12 cycles to perform point addition. Using NAF recoding of scalar k, it takes about 3333 cycles to complete the point multiplication operation. In the hardware evaluation using a 0.13 mum CMOS standard cell library, our high-performance SM2 architecture executes one point multiplication operation in 20.36 mus, which translates into more than 49000 point multiplications per second. To the best of our knowledge, our architecture offers the highest single-core performance over prime fields reported in literature up to now.

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/iscas51556.2021.9401571

2021-01-01

Abstract:Number theoretic transform based multiplication is commonly used in Post-quantum cryptography, which is the most resource-consuming operation. In this paper, we propose an area-efficient modular reduction structure for generalized Mersenne primes with interval prediction, and a novel memory access scheme which fetches two data at the same side of a butterfly unit simultaneously. By the interval prediction structure, some adders are eliminated in a modular multiplication. When implement it in 3-stage pipeline mode and synthesize it with TSMC 90nm process, this structure achieves approximate 14.9% less area compared with other designs. The proposed memory access scheme is an in-place scheme. It is more regular than other designs and the two pieces of memory share the same address. Based on this characteristic, we construct an address generator which consumes 40% less area.