Haibin Shen,Yier Jin,Rongquan You

DOI: https://doi.org/10.1109/ICICIC.2006.180

2006-01-01

Abstract:Modular reduction is the basic operation of cryptographic systems. The Barrett's algorithm and Montgomery's algorithm are widely used nowadays and they are both based on pre-computation. In the field of elliptic curve cryptosystem (ECC) over GF(2m), the reduction polynomials recommended by SEC have few items and the degree of second item is much less than that of the first one. Making use of this characteristic, the paper presents a new method to accelerate modular reduction without pre-computation which speeds up modular reduction by 10-30 times over GF(2m) and speeds up ECC point multiplication by 40%-50%. This algorithm has been implemented in a high-speed public-key cipher accelerator

Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Yi’er Jin,Haibin Shen,Huafeng Chen,Xiaolang Yan

DOI: https://doi.org/10.1007/s11767-006-0257-4

2008-01-01

Abstract:A new structure of bit-parallel Polynomial Basis (PB) multiplier is proposed, which is based on a fast modular reduction method. The method was recommended by the National Institute of Standards and Technology (NIST). It takes advantage of the characteristics of irreducible polynomial, i.e., the degree of the second item of irreducible polynomial is far less than the degree of the polynomial in the finite fields GF(2 m ). Deductions are made for a class of finite field in which trinomials are chosen as irreducible polynomials. Let the trinomial be x m + x h +1, where 1 ≤ k ≤ [m/1]. The proposed structure has shorter critical path than the best known one up to date, while the space requirement keeps the same. The structure is practical, especially in real time cryptographic applications.

Chuliang Guo,Li Zhang,Xian Zhou,Grace Li Zhang,Bing Li,Weikang Qian,Xunzhao Yin,Cheng Zhuo

DOI: https://doi.org/10.1145/3446213

IF: 2.013

2021-01-01

ACM Journal on Emerging Technologies in Computing Systems

Abstract:Multiplications have been commonly conducted in quantized CNNs, filters, and reconfigurable cores, and so on, which are widely deployed in mobile and embedded applications. Most multipliers are designed to perform multiplications with symmetric bit-widths, i.e., n - by n -bit multiplication. Such features would cause extra area overhead and performance loss when m - by n -bit multiplications ( m > n ) are deployed in the same hardware design, resulting in inefficient multiplication operations. It is highly desired and challenging to propose a reconfigurable multiplier design to accommodate operands with both symmetric and asymmetric bit-widths. In this work, we propose a reconfigurable approximate multiplier to support multiplications at various precisions, i.e., bit-widths. Unlike prior works of approximate adders assuming a uniform weight distribution with bit-wise independence, scenarios like a quantized CNN may have a centralized weight distribution and hence follow a Gaussian-like distribution with correlated adjacent bits. Thus, a new block-based approximate adder is also proposed as part of the multiplier to ensure energy-efficient operation with an awareness of the bit-wise correlation. Our experimental results show that the proposed approximate adder significantly reduces the error rate by 76% to 98% over a state-of-the-art approximate adder for Gaussian-like distribution scenarios. Evaluation results show that the proposed multiplier is 19% faster and 22% more power saving than a Xilinx multiplier IP at the same bit precision and achieves a 23.94-dB peak signal-to-noise ratio, which is comparable to the accurate one of 24.10 dB when deployed in a Gaussian filter for image processing tasks.

Jiang Jiuxing,Zhao Yuying,Huang Hai,Xie Guanghui,Hou Jiao,Feng Xinxin

DOI: https://doi.org/10.11999/jeit190257

2020-01-01

Abstract:Based on the in-depth research on the S-box constitution arithmetic of composite, an area optimized generic low-entropy higher-order masking scheme is proposed in this paper. The low entropy masking method is introduced on GF(2(4)), and the partial module reusing design is adopted, which reduces effectively the number of multiplications based on the S-box inversion operation of the composite. The algorithm can be applied to any order masking scheme of arbitrary S-box composed of inversion operation. This scheme is applied to AES, gives detailed simulation results and optimizes the layout area, compared with the traditional masking scheme, reduces effectively the use of logical resources. In addition, the security is theoretically proved.

Bohan Wang,Qian Sui,Fanjie Ji,Chun Guo,Weijia Wang

DOI: https://doi.org/10.1049/2024/5544999

2024-01-18

IET Information Security

Abstract:At Eurocrypt 2020, Coron et al. proposed a masking technique allowing the use of random numbers from pseudo-random generators (PRGs) to largely reduce the use of expansive true-random generators (TRNGs). For security against d probes, they describe a construction using 2 d PRGs, each of which is fed with at most 2 d random variables in a finite field, resulting in a randomness requirement of O ∼ d 2 . In this paper, we improve the technique on multiple frontiers. On the theoretical level, we push the limits of the randomness requirement by providing an improved masking multiplication using only d PRGs, each of which is fed with d random variables, saving more than half random bits. On the practical level, considering that the masking of arithmetic addition usually requires more randomness (than multiplication), we apply the technique to the algorithm proposed at FSE 2015 that is a very efficient scheme performing arithmetic addition modulo 2 w . It significantly reduces the randomness cost of masked arithmetic addition, and further advocates the advantage of masking with PRGs. Furthermore, we apply our masking scheme to the Speck, XTEA, and Sparkle, and provide the first (to the best of our knowledge) higher order masked implementations for the ciphers using ARX structure.

computer science, information systems, theory & methods

Zhantao Zhang,Weijiang Wang,Jingqi Zhang,Xiang He,Mingzhi Ma,Shiwei Ren,Hua Dang

DOI: https://doi.org/10.3390/mi15101238

IF: 3.4

2024-10-08

Micromachines

Abstract:With the development of mobile communication, digital signatures with low latency, low area, and high security are in increasing demand. Elliptic curve cryptography (ECC) is widely used because of its security and lightweight. Elliptic curve scalar multiplication (ECSM) is the basic arithmetic in ECC. Based on this background information, we propose our own research objectives. In this paper, a low-latency and low-area ECSM architecture based on the comb algorithm is proposed. The detailed methodology is as follows. The recoding-k algorithm and randomization-Z algorithm are used to improve security, which can resist sample power analysis (SPA) and differential power analysis (DPA). A low-area multi-functional architecture for comb is proposed, which takes into account different stages of the comb algorithm. Based on this, the data dependency is considered and the comb architecture is optimized to achieve a uniform and efficient execution pattern. The interleaved modular multiplication algorithm and modified binary inverse algorithm are used to achieve short clock cycle delay and high frequency while taking into account the need for a low area. The proposed architecture has been implemented on Xilinx Virtex-7 series FPGA to perform ECSM on 256-bits prime field GF(p). In the hardware architecture with only 7351 slices of resource usage, a single ECSM only takes 0.74 ms, resulting in an area-time product (ATP) of 5.41. The implementation results show that our design can compete with the existing state-of-the-art engineering in terms of performance and has higher security. Our design is suitable for computing scenarios where security and computing speed are required. The implementation of the overall architecture is of great significance and inspiration to the research community.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Qianmei Wu,Wei Cheng,Sylvain Guilley,Fan Zhang,Wei Fu

DOI: https://doi.org/10.46586/tches.v2022.i3.192-222

2022-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Code-based masking is a highly generalized type of masking schemes, which can be instantiated into specific cases by assigning different encoders. It captivates by its side-channel resistance against higher-order attacks and the potential to withstand fault injection attacks. However, similar to other algebraically-involved masking schemes, code-based masking is also burdened with expensive computational overhead. To mitigate such cost and make it efficient, we contribute to several improvements to the original scheme proposed by Wang et al. in TCHES 2020. Specifically, we devise a computationally friendly encoder and accordingly accelerate masked gadgets to leverage efficient implementations. In addition, we highlight that the amortization technique introduced by Wang et al. does not always lead to efficient implementations as expected, but actually decreases the efficiency in some cases. From the perspective of practical security, we carry out an extensive evaluation of the concrete security of code-based masking in the real world. On one hand, we select three representative variations of code-based masking as targets for an extensive evaluation. On the other hand, we aim at security assessment of both encoding and computations to investigate whether the state-of-the-art computational framework for code-based masking reaches the security of the corresponding encoding. By leveraging both leakage assessment tool and side-channel attacks, we verify the existence of “security order amplification” in practice and validate the reliability of the leakage quantification method proposed by Cheng et al. in TCHES 2021. In addition, we also study the security decrease caused by the “cost amortization” technique and redundancy of code-based masking. We identify a security bottleneck in the gadgets computations which limits the whole masked implementation. To the best of our knowledge, this is the first time that allows us to narrow down the gap between the theoretical security order under the probing model (sometimes with simulation experiments) and the concrete side-channel security level of protected implementations by code-based masking in practice.

Wei Wei,Cui Xiaoxin,Wu Di,Li Rui,Ma Kaisheng,Yu Dunshan,Cui Xiaole

DOI: https://doi.org/10.1109/icsict.2012.6466685

2012-01-01

Abstract:A masking scheme of AES algorithm is analyzed, and the optimal masked S-box is implemented in this paper. By using the "tower field" representation, all nonlinear process of unmasked S-box is mapped to multiplication in GF(2), which is a single AND gate in circuits, and power consumption is hidden by using additive masked. In order to further reduce the hardware cost, a simplified masked AND gate is adopted and masks are reused safely. Both gate-level simulation and FPGA testing result have proved that our implementation provides good resistance against DPA attack.

Tao Wu,Shuguo Li,Litian Liu

DOI: https://doi.org/10.1109/iccsnt.2012.6525895

2012-01-01

Abstract:Due to complex hardware architecture and heavy computation, it is difficult to perform modular multiplications over large integers. In this paper, we propose a low-latency scalable modular multiplier for multi-precision modular multiplications. Unlike popular scalable architectures by Montgomery algorithm, the classic modular multiplication A · B mod M is directly implemented here. Low latency can be obtained by deferring the uses of most significant bits during the interleaving modular multiplications. Also, the critical path of processing elements is greatly reduced by carry-save additions. While the scalable modular multiplier obtains comparable performance with optimal scalable Montgomery modular multiplier, its area overhead increases since more registers and selection logics are employed. The proposed modular multiplier is convenient for variant operands and nonsuccessive modular multiplications, where it is more energy-efficient than popular scalable Montgomery modular multipliers.

Weizhen Wang,Jun Han,Jielin Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2015.7516999

2015-01-01

Abstract:Finite field arithmetic is the base of cryptography algorithms like Elliptic Curves Cryptography (ECC) and RSA. In this paper, We have designed an arithmetic unit to implement the operation (A ± αB)mod N, where α is a small number compared with N. In our design, the coefficient α is smaller than 128. The basic motivation of designing this multiply-accumulate (MAC) unit is to support some high security ECC algorithms such as Optimal Ate Pairings. The well-known Optimal Ate Pairing based on Barreto-Naehrig elliptic curve is famous for it's efficient implementation. In those cryptography algorithms, the calculation of αB mod N is required, where α is a small number. It is unefficient to use modular multiplication to calculate it. This is the basic motivation of implementing the operation (A ± αB)mod N with α <;<; N. Considering that the Barreto-Naehrig elliptic curve for pairing are defined in F P12 , we implement the arithmetic unit to be a Single Instruction Multiple Data (SIMD) unit with pipelined structure. Thus, the design is suitable for arithmetic in extensions of finte fields. We have modified the Barrett reduction algorithm to make it suitable for the design. The design is synthesized with SMIC 65nm CMOS process. Compared with using modular multiplication to calculate (A ± αB)mod N, Our work shows better performance with small latency and high throughput.

Xingjun Wu,Hongyi Chen,Yihe Sun,Weixin Gai

DOI: https://doi.org/10.1023/a:1021110405895

2003-01-01

Abstract:In this paper, a fully-pipeline linear systolic array based on adjusted Montgomery's algorithm is presented to perform modular multiplication at extremely high speed. The processing element ( PE) consists of only 4 full-adders and 14 flip-flops. Three-stage internal pipelined PE results in a very short critical path with only a one-bit full-adder delay. Thus, it can run at a very high cycle rate. The total execution time for an n-bit modular multiplication is 2n + 11 cycles with only (n/2+ 2) PEs. A modular exponentiation based on it takes (3n + 16.5)n cycles in average. Compared with most published VLSI modular multipliers, the hardware complexity is greatly reduced while keeping very high throughput. Therefore it is a good candidate of the arithmetic units used in the many public-key crypto-systems, e.g. RSA, Elliptic Curve and so on, especially for the embedded applications concerning information security.

YL Sun,XJ Wu

DOI: https://doi.org/10.1109/icasic.2003.1277448

2003-01-01

Abstract:RSA public-key cryptography and some other algorithms require various modular arithmetic operations. This paper presents an area efficient modular arithmetic processor. The operands can vary in size from 256 to 2048 bits. Optimized CIOS algorithm is introduced to speed up modular multiplication. At a maximum clock rate of 60 MHz, it takes 57 ms to complete a 1024-bit modular exponentiation. The core circuit without RAM contains 16000 gates and the whole area measures only 3.31 mm2 in a 0.35 μm CMOS technology. As a coprocessor, it is suitable for embedded systems, especially in area-constrained environments such as smart cards.

CHEN Hongyi,GAI Weixin

DOI: https://doi.org/10.3321/j.issn:1000-0054.1998.03.003

1998-01-01

Abstract:A novel systolic linear array modular multiplier is presented which ideally performs the parallel modular multiplication based on the algorithm of Montgomery. The total execution time for an n bit modular multiplication is 2n+11 clock cycles. To further increase the throughput the three stage pipeline architecture is adopted inside the processing element, so that every one bit result outputs at one clock cycle when the pipeline is filled. Each pipeline stage only contains the operation of an one bit full adder. Moreover, with the purely nearest neighbor communication, the interconnect delay is also very short. Therefore it can work at a high clock frequency. On the other hand, every processing element is simple, mainly consisting of four full adders and fourteen flip flops. For n bit modular multiplication, the cost of the hardware is 46 n +184 gates. So this novel linear systolic array for modular multiplication is a speed and area optimized system, suitable for the VLSI implementation. It can be used for modular exponentiation which is a kernel operation in many public key cryptosystems such as RSA. With clock frequency of 200MHz by using 0.8μm CMOS technology, the throughput can reach 129kb/s with a single modular multiplier chip.

Jianping Quan,Guoqiang Bai

DOI: https://doi.org/10.1109/ITNG.2009.184

2009-01-01

Abstract:Researches on DPA-resistant ECC implementation are concentrated in algorithm level. All these countermeasures need a big random number and extra memory overhead which are rare resources in hardware. On the other hand, universal countermeasures in logic level have a big area overhead and face many popular DPA attacks. To avoid these disadvantages, we attempt to solve it in architecture level. This paper presents a DPA-resistant digit-Parallel modular multiplier over GF (2m) which can be used to conceive a secure ECC implementation. It uses 1-bit random number and brings about 20% overhead in speed, 50% overhead in area and 75% overhead in power. Simulations based on back-annotated netlists show that our method can prevent popular DPA attacks successfully.

Hai Huang,Leibo Liu,Min Zhu,Shouyi Yin,Shaojun Wei

DOI: https://doi.org/10.1007/s11432-020-3089-9

2021-01-01

Science China Information Sciences

Abstract:Conclusion The computing-complexity (in terms of XOR, non-linear multiplication over GF(2 n ), and LUT access) is reduced by approximately 62.5% compared with the existing schemes. Therefore, the proposed scheme has the lowest complexity compared to existing higher-order masking schemes. Furthermore, the proposed algorithm is a general method to evaluate the inverse over GF(2 n ), and thus it is suitable for every block cipher constructed with inverse functions and affine transformations, e.g., SM4 and Camellia.

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/iscas51556.2021.9401571

2021-01-01

Abstract:Number theoretic transform based multiplication is commonly used in Post-quantum cryptography, which is the most resource-consuming operation. In this paper, we propose an area-efficient modular reduction structure for generalized Mersenne primes with interval prediction, and a novel memory access scheme which fetches two data at the same side of a butterfly unit simultaneously. By the interval prediction structure, some adders are eliminated in a modular multiplication. When implement it in 3-stage pipeline mode and synthesize it with TSMC 90nm process, this structure achieves approximate 14.9% less area compared with other designs. The proposed memory access scheme is an in-place scheme. It is more regular than other designs and the two pieces of memory share the same address. Based on this characteristic, we construct an address generator which consumes 40% less area.

CHEN Jun,WANG Jing,ZENG Xiaoyang,HAN Jun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.04.049

2007-01-01

Abstract:This paper proposes a compact and low cost architecture for AES encrypt and decrypt.As the mathematical manipulation lies on finite filed computation,the orders of the round operation are modified so that the design can reuse some modules to save the area.Meanwhile the element inversion in the SubByte module is performed by composite field technique and the area and power consumption is reduced significantly.Based on the HHNEC 0.25μm CMOS technology,area of the design is about 30k equivalent gates and its system frequency will be up to 100MHz.The operation speed of the 128bits data encryption and decryption is as high as 800Mbps.

Qingfu Cao,Shuguo Li

DOI: https://doi.org/10.1109/ASICON.2009.5351572

2009-01-01

Abstract:This paper proposes a high-throughput cost-effective implementation of AES supporting encryption and decryption with 128-, 192-, and 256-bit cipher key. Optimum irreducible polynomial coefficients are selected to construct the composite field GF(((2(2))(2))(2)) on standard and normal base in order to minimize the gate count in SubBytes/InvSubBytes transformation. In addition, MixCoulmn/InvMixColumn transformations are optimized and the gate count is the least as we know. And then, a novel on-the-fly key expansion structure is applied to improve the throughput. The performance is evaluated on SMIC 0.18 mu m CMOS technology and the design has been verified on FPGA. The throughput can achieve at 1.16Gbps with the cost of only 19476 equivalent NAND2 gates, which outperforms prior works with respect to the parameter throughput per kilo gates with the same process(1).

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/trustcom.2015.399

2015-01-01

Abstract:Lattice based cryptography is considered as an important candidate for post-quantum cryptosystems. Various lattice based cryptosystems are based on the Ring learning with errors (Ring-LWE) problem. As a basic operation of Ring-LWE problem, polynomial multiplication over rings is the most critical and computationally intensive operation of these cryptosystems. In this paper, we exploit the number theoretic transform (NTT) to build a family of scalable polynomial multiplier architectures, which provide designers with a trade-off choice of speed vs. area. Our multiplier architectures reduce the required clock cycles from 8n+1.5n lg n) to (2n+1.5n lg n)/B, where n is the dimension of the polynomials and B is number of butterfly operators. The experimental results on a Spartan-6 FPGA show that our proposed polynomial multiplier (B = 2) achieves a speedup of 2.5 times on average and consumes less slices and block RAMs when compared with the state of art of compact design. On a Stratix FPGA, our polynomial multiplier (B = 4) is able to achieve a speedup of 1.2 times on average and save around 90% Memory ALUTs, 75% block memory bits, and 63% DSPs when compared with the state of art of high speed design. On a Spartan-6 FPGA, our polynomial multiplier (B = 8) is capable to calculate the product of two polynomials of degree 256/512/1024/2048 in 2.88/5.71/11.46/24.89 µs.