Design Synopsys_Elliptic Curve Group
Chapter
DESIGN AND IMPLEMENTATION
DESIGN OBJECTIVE: To design a modular adder, a modular subtractor, a modular multiplier, a Montgomery
multiplier, and the arithmetic operations on elliptic curve groups.
1. ADDITION
Given two natural numbers x and y in the interval 0 ≤ x, y < m, compute
z = (x + y) mod m. Taking into account that
0 ≤ x + y < 2m,
z must be equal to either x + y or x + y − m. The corresponding algorithm is the following.
Algorithm: Modulo m Addition
z1 := x + y; z2 := z1 − m;
if z2 >= 0 then z := z2; else z := z1; end if;
Assume now that B^(n−1) < m ≤ B^n and that x and y are n-digit base-B numbers.
Consider three cases:
if x + y < m then x + y < B^n, (x + y) + (B^n − m) < B^n, and z = x + y;
So Algorithm Modulo m Addition can be replaced by the following one, in which all operands
have n digits.
Fig: Modulo m adder
2. SUBTRACTION
Fig: Modulo m subtractor
3. Modular Multiplication
Introduction to Modular Multiplication
Modular Multiplication Logic
It expects to receive a multiplicand on the MPAND bus, a multiplier on the MPLIER bus,
and a modulus on the MODULUS bus.
The multiplier and the multiplicand must both be less than the modulus.
A shift-and-add algorithm is used in this module.
For each bit of the multiplier, the multiplicand value is shifted.
For each '1' bit of the multiplier, the shifted multiplicand value is added to the product.
To ensure that the product is always expressed as a remainder, two subtractions are
performed on the product: P2 = P1 − modulus and P3 = P1 − (2·modulus).
The high-order bits of these results determine whether P is copied
from P1, P2, or P3.
The operation ends when all '1' bits in the multiplier have been used.
Modular multiplication using shift and add logic
Fig: Shift and add basic cell
Fig: Shift and add modular multiplier
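An added software model of the multiplier described above (written for this page, not the module's RTL): it scans the multiplier from its most significant bit and shifts the running product rather than the multiplicand, so each step's candidate P1 stays below 3·modulus and the same P1/P2/P3 selection by sign applies; the bus names are reused as parameter names, everything else is mine.

```python
# Added model of the shift-and-add modular multiplier (not the module's RTL).
def select_remainder(p1, modulus):
    """The three-way choice of the basic cell: P2 = P1 - modulus, P3 = P1 - 2*modulus;
    the sign (high-order bit) of each candidate decides whether P1, P2 or P3 is kept."""
    p2 = p1 - modulus
    p3 = p1 - 2 * modulus
    if p3 >= 0:          # P1 >= 2*modulus: subtracting twice leaves a value below modulus
        return p3
    if p2 >= 0:          # modulus <= P1 < 2*modulus
        return p2
    return p1            # already a remainder

def shift_add_modmul(mpand, mplier, modulus, width):
    """mpand * mplier mod modulus, one multiplier bit per iteration, MSB first.
    Preconditions from the page: both operands below the modulus; modulus fits in `width` bits."""
    assert 0 <= mpand < modulus and 0 <= mplier < modulus and modulus < (1 << width)
    p = 0
    for i in range(width - 1, -1, -1):
        bit = (mplier >> i) & 1
        # shift the partial product, then add the multiplicand for a '1' bit: p1 < 3*modulus
        p1 = (p << 1) + (mpand if bit else 0)
        p = select_remainder(p1, modulus)   # keep the product expressed as a remainder
    return p
```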
4. Montgomery Multiplication
Example
Objective: To compute x * y (mod p)
1. Let x = 43, y = 56, p = 97, R = 100.
2. Convert x and y to the Montgomery domain.
3. For x, compute x' = x * R (mod p) = 43 * 100 (mod 97) = 32.
4. For y, compute y' = y * R (mod p) = 56 * 100 (mod 97) = 71.
5. Compute a := x' * y' = 32 * 71 = 2272.
6. In order to zero the first digit, compute a := a + 4p = 2272 + 388 = 2660.
7. In order to zero the second digit, compute a := a + 20p = 2660 + 1940 = 4600.
8. Compute a := a / R = 4600 / 100 = 46.
9. We have that 46 is the Montgomery representation of x * y (mod p), that is, x * y * R (mod p).
10. In order to convert it back, compute a * (1 / R) (mod p) = 46 * 65 (mod 97) = 80.
Montgomery Multiplication
In some cases the use of the Montgomery product concept allows one to reduce the computation
complexity. Only the binary case (B = 2) will be studied. The corresponding algorithm is based on
the fact that, given three n-bit natural numbers x, y, and m such that m is odd, x < m, and y < m, it
is relatively easy to find a natural number z < m such that
(z · 2^n) mod m = (x · y) mod m.
As m is an odd number, the greatest common divisor of 2^n and m is 1, so there exists a
natural number, denoted 2^(−n), such that 2^(−n) · 2^n = 1 mod m, and the preceding relation can be
written in the form
z = x · y · 2^(−n) mod m.
The above relation defines the Montgomery product of x by y. The following algorithm computes z.
Algorithm 8.10 Montgomery Product
r(0) := 0;
for i in 1..n loop
  a := r(i-1) + x(i-1)*y;
  r(i) := (a + a(0)*m)/2;
end loop;
if r(n) < m then z := r(n); else z := r(n) - m; end if;
Modular Product Based on the Montgomery Product
Montgomery_product(x, y, m, z1);
Montgomery_product(z1, exp_2n, m, z);
Example: n = 8, m = 239, x = 217, y = 189; in base 2, x = 11011001; exp_2n = 2^16 mod 239 =
50.
First compute the Montgomery product of x and y:
r(0) = 0,
a = r(0) + x(0).y = 189; r(1) = (189 + 239)/2 = 214;
a = r(1) + x(1).y = 214; r(2) = 214/2 = 107;
a = r(2) + x(2).y = 107; r(3) = (107 + 239)/2 = 173;
a = r(3) + x(3).y = 173 + 189 = 362; r(4) = 362/2 = 181;
a = r(4) + x(4).y = 181 + 189 = 370; r(5) = 370/2 = 185;
a = r(5) + x(5).y = 185; r(6) = (185 + 239)/2 = 212;
a = r(6) + x(6).y = 212 + 189 = 401; r(7) = (401 + 239)/2 = 320;
a = r(7) + x(7).y = 320 + 189 = 509; r(8) = (509 + 239)/2 = 374;
z1= 374 - 239 = 135; in base 2 z1 = 10000111;
then compute the Montgomery product of z1 and exp_2n:
r(0) = 0,
a = r(0) + x(0).y = 50; r(1) = 50/2 = 25;
a = r(1) + x(1).y = 25 + 50 = 75; r(2) = (75 + 239)/2 = 157;
a = r(2) + x(2).y = 157 + 50 = 207; r(3) = (207 + 239)/2 = 223;
a = r(3) + x(3).y = 223; r(4) = (223 + 239)/2 = 231;
a = r(4) + x(4).y = 231; r(5) = (231 + 239)/2 = 235;
a = r(5) + x(5).y = 235; r(6) = (235 + 239)/2 = 237;
a = r(6) + x(6).y = 237; r(7) = (237 + 239)/2 = 238;
a = r(7) + x(7).y = 238 + 50 = 288; r(8) = 288/2 = 144;
z = 144;
conclusion: 217 · 189 mod 239 = 144.
Montgomery Multiplier implementation
Fig: Montgomery Multiplier
Datapath Exponentiation:
This module computes y^x modulo m, where x and y are two n-bit numbers.
Fig: Datapath of the exponentiation circuit
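The Montgomery walk-throughs and the exponentiation datapath above, coded as an added example (Python written for this page, not the design's own code): montgomery_steps reproduces the r(i) sequence of Algorithm 8.10, modular_product chains two Montgomery products exactly as the 217 · 189 mod 239 example does, montgomery_reduce_radix is the digit-at-a-time reduction behind the base-10 example (R = 100, p = 97), and modexp builds y^x mod m from Montgomery products. The name exp_2n is the page's; all other names and the Montgomery-domain structure of modexp are my choices.

```python
# Added example (not the design's own code): Algorithm 8.10, the two-step modular product,
# the digit-serial reduction behind the base-10 walk-through, and exponentiation built on them.
def montgomery_steps(x, y, m, n):
    """Return [r(0), ..., r(n)] of Algorithm 8.10: m odd, x < m, y < m, all n-bit numbers."""
    assert m % 2 == 1 and 0 <= x < m and 0 <= y < m and m < (1 << n)
    r, steps = 0, [0]
    for i in range(n):
        a = r + ((x >> i) & 1) * y        # a := r(i-1) + x(i-1)*y
        r = (a + (a & 1) * m) >> 1        # r(i) := (a + a(0)*m)/2, exact since a + a(0)*m is even
        steps.append(r)
    return steps

def montgomery_product(x, y, m, n):
    """z = x*y*2^(-n) mod m; r(n) < 2m, so one conditional subtraction finishes the reduction."""
    r = montgomery_steps(x, y, m, n)[-1]
    return r - m if r >= m else r

def modular_product(x, y, m, n):
    """x*y mod m: a second Montgomery product by exp_2n = 2^(2n) mod m cancels the 2^(-n) factor."""
    exp_2n = pow(2, 2 * n, m)
    return montgomery_product(montgomery_product(x, y, m, n), exp_2n, m, n)

def montgomery_reduce_radix(a, m, radix, digits):
    """a * R^(-1) mod m with R = radix^digits, zeroing one low digit per step by adding a
    multiple of m (the base-10 example: radix 10, 2 digits). Needs gcd(m, radix) = 1, a < m*R."""
    neg_m_inv = pow(-m, -1, radix)        # q = a * (-m^-1) mod radix makes a + q*m end in a 0 digit
    for _ in range(digits):
        q = (a * neg_m_inv) % radix
        a = (a + q * m) // radix
    return a - m if a >= m else a

def modexp(y, x, m, n):
    """y^x mod m by square-and-multiply with every step a Montgomery product: operands are
    kept in the domain (v*2^n mod m) and the factor 2^(-n) is removed once at the end."""
    exp_2n = pow(2, 2 * n, m)
    acc = montgomery_product(1, exp_2n, m, n)    # 1 in the Montgomery domain: 2^n mod m
    base = montgomery_product(y, exp_2n, m, n)   # y in the Montgomery domain: y*2^n mod m
    while x:
        if x & 1: acc = montgomery_product(acc, base, m, n)
        base = montgomery_product(base, base, m, n)
        x >>= 1
    return montgomery_product(acc, 1, m, n)      # leave the domain: acc * 2^(-n) mod m
```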
5. Arithmetic on Elliptic Curve Groups:
The code performs point scalar multiplication on the elliptic curve y^2 = x^3 − x + 1 over the Galois
field GF(3^m) whose irreducible polynomial is x^97 + x^12 + 2.
P3 = c.P1(x1, y1) // point scalar multiplication
P3(X3, Y3) = P1 + P2, for any points P1(X1, Y1) and P2(X2, Y2)
Bilinear Pairing:
F3_add: C == A + B (mod 3)
F3_sub: C == A − B (mod 3)
F3_mult: C == A * B (mod 3)
F3_add1: C == A + 1 (mod 3)
F3_sub1: C == A − 1 (mod 3)
INTRODUCTION
The Elliptic Curve Group computes the addition of two elements of the elliptic curve
group, and the addition of identical elements of the elliptic curve group.
The elliptic curve is the supersingular curve E: y^2 = x^3 − x + 1 in affine coordinates, defined over the Galois field
GF(3^m) whose irreducible polynomial is x^97 + x^12 + 2.
The elliptic curve group is the set of solutions (x, y) over GF(3^m) to the equation of E, together
with an additional point at infinity, denoted O. An element of the elliptic curve group is also called
"a point". The elliptic curve group is abelian. The group law is as follows.
Suppose P1 = (x1, y1), P2 = (x2, y2), P3 = P1 + P2 = (x3, y3).
Then −O = O;
−P1 = (x1, −y1);
P1 + O = O + P1 = P1;
if P1 = −P2, then P3 = O;
if P1 = P2, then λ = 1/y1 and P3 = (x1 + λ^2, −(y1 + λ^3));
if P1 ≠ ±P2, then λ = (y1 − y2)/(x1 − x2) and P3 = (λ^2 − x1 − x2, y1 + y2 − λ^3).
In the following, P1 + P2 will also be called the addition of (elliptic curve group elements) P1 and
P2. Given a positive integer c, let c.P1 represent the sum of c copies of the (elliptic curve group
element) P1, i.e. c.P1 = P1 + P1 + P1 + ... + P1 (c times). Computation of c.P1 proceeds as
follows.
A ← O, B ← P1
while c > 0 do {
  if c is odd then A ← A + B
  B ← B + B
  c ← floor(c/2)
}
return A
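An added executable model of the group law and the double-and-add loop above (Python written for this page, not the point_add or point_scalar_mult RTL): field elements are coefficient lists over GF(3) reduced modulo an irreducible polynomial f, with the page's x^97 + x^12 + 2 supplied as F97, O is represented by None, and the rule P1 = −P2 ⇒ P3 = O also covers a point with y1 = 0 (impossible over GF(3^97), but present in the small field used for checking). All function names and the coefficient-list representation are mine.

```python
# Added example: elements of GF(3^m) are lists of m coefficients in {0, 1, 2}, index = power of x.
F97 = [2] + [0] * 11 + [1] + [0] * 84 + [1]      # x^97 + x^12 + 2, the page's irreducible polynomial
def gf_add(a, b): return [(u + v) % 3 for u, v in zip(a, b)]
def gf_sub(a, b): return [(u - v) % 3 for u, v in zip(a, b)]
def gf_neg(a): return [(-u) % 3 for u in a]

def gf_mul(a, b, f):                     # schoolbook product, then reduce modulo the monic f
    m = len(f) - 1
    p = [0] * (2 * m - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            p[i + j] = (p[i + j] + u * v) % 3
    for k in range(2 * m - 2, m - 1, -1):  # eliminate x^k, highest degree first
        c = p[k]
        for t in range(m + 1):             # subtract c * x^(k-m) * f
            p[k - m + t] = (p[k - m + t] - c * f[t]) % 3
    return p[:m]

def gf_inv(a, f):                        # Fermat: a^(3^m - 2) by square-and-multiply
    r, e = [1] + [0] * (len(f) - 2), 3 ** (len(f) - 1) - 2
    while e:
        if e & 1: r = gf_mul(r, a, f)
        a, e = gf_mul(a, a, f), e >> 1
    return r

def point_add(P1, P2, f):                # the page's group law on y^2 = x^3 - x + 1; O is None
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if y1 != y2 or not any(y1): return None   # P1 = -P2 (a point with y1 = 0 is its own negative)
        lam = gf_inv(y1, f)                       # doubling: lambda = 1/y1 in characteristic 3
        lam2 = gf_mul(lam, lam, f); lam3 = gf_mul(lam2, lam, f)
        return (gf_add(x1, lam2), gf_neg(gf_add(y1, lam3)))
    lam = gf_mul(gf_sub(y1, y2), gf_inv(gf_sub(x1, x2), f), f)
    lam2 = gf_mul(lam, lam, f); lam3 = gf_mul(lam2, lam, f)
    return (gf_sub(gf_sub(lam2, x1), x2), gf_sub(gf_add(y1, y2), lam3))

def scalar_mult(c, P, f):                # c.P by the page's double-and-add loop
    A, B = None, P
    while c > 0:
        if c & 1: A = point_add(A, B, f)
        B = point_add(B, B, f)
        c >>= 1
    return A

def on_curve(P, f):                      # y^2 == x^3 - x + 1 (O counts as on the curve)
    if P is None: return True
    x, y = P; one = [1] + [0] * (len(f) - 2)
    return gf_mul(y, y, f) == gf_add(gf_sub(gf_mul(gf_mul(x, x, f), x, f), x), one)
```

The small field GF(27) = GF(3)[x]/(x^3 − x + 1) is convenient for checking because the curve then has points with coordinates in GF(3) as well as a point (x, 0) of order 2.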
Architectural description
The Elliptic Curve Group core consists of two modules, one computing the addition of two
elliptic curve group elements (P1 + P2) and the other computing the addition of many identical
elliptic curve group elements (c.P1). The first module is called point_add. The second module
is called point_scalar_mult. The second module is built around the first.
Inputs and output interface signals:
The Elliptic Curve Group core implements the signals shown in the tables below. Two modules
are separately listed. Input signals are synchronous and sampled at the rising edge of the clock.
Output signals are driven by flip-flops, and not directly connected to input signals by
combinational logic. For signals wider than 1 bit, the range is most significant bit down to least
significant bit.
Table 1: Interface signals of point_add

| Signal Name | Width | Input/Output | Description |
|-------------|-------|--------------|-------------|
| Clk | 1 | Input | Clock |
| Reset | 1 | Input | Active high synchronous reset |
| X1 | 194 | Input | Input data |
| Y1 | 194 | Input | Input data |
| Zero1 | 1 | Input | Asserted if (x1, y1) is the point at infinity |
| X2 | 194 | Input | Input data |
| Y2 | 194 | Input | Input data |
| Zero2 | 1 | Input | Asserted if (x2, y2) is the point at infinity |
| Done | 1 | Output | Termination signal. Low after the reset signal is asserted; driven high only when the computation is done, at which point (x3, y3) = (x1, y1) + (x2, y2). |
| X3 | 194 | Output | Output data. Valid when Done is asserted. |
| Y3 | 194 | Output | Output data. Valid when Done is asserted. |
| Zero3 | 1 | Output | Output data. Active high only if (x3, y3) is the point at infinity. |
Table 2: Interface signals of point_scalar_mult

| Signal Name | Width | Input/Output | Description |
|-------------|-------|--------------|-------------|
| Clk | 1 | Input | Clock |
| Reset | 1 | Input | Active high synchronous reset |
| X1 | 194 | Input | Input data |
| Y1 | 194 | Input | Input data |
| Zero1 | 1 | Input | Asserted if (x1, y1) is the point at infinity |
| c | 151 | Input | Input data (the scalar) |
| Done | 1 | Output | Termination signal. Low after the reset signal is asserted; driven high only when the computation is done, at which point (x3, y3) = c.(x1, y1). |
| X3 | 194 | Output | Output data. Valid when Done is asserted. |
| Y3 | 194 | Output | Output data. Valid when Done is asserted. |
| Zero3 | 1 | Output | Output data. Active high only if (x3, y3) is the point at infinity. |