DE102022201693A1 - EFFICIENT MONTGOMERY MULTIPLIER - Google Patents

Abstract

An integrated Montgomery calculation engine (IMCE) for multiplying two multiplicands by a predefined number includes a carry save adder circuit (CSA) and a control circuit. The CSA circuit has multiple inputs and outputs, including a sum output and a carry output. The control circuit is connected to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery prediction value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands operates.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. Patent Application No. 17/180,999 entitled "Fast Precomputation for Montgomery Multiplier," filed February 22, 2021, the disclosure of which is incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to Montgomery arithmetic, and more particularly to the computation of Montgomery precompute values and the implementation of Montgomery multipliers and associated circuitry.

BACKGROUND OF THE INVENTION

In cryptography, operations such as modulo multiplication and raising large integers to the power are widely used. Several methods for quickly implementing such multiplication and exponentiation have been proposed. Such a widely used method was proposed by Peter Lawrence Montgomery in 1985 and is used, for example, by Kork et al. in "Analyzing and Comparing Montgomery Multiplication Algorithms", IEEE Micro 16(3), June 1996, pages 26-33, in which the authors discuss several Montgomery multiplication algorithms and analyze in detail the space and time requirements for the described methods.

In "Modified Montgomery modular multiplication and RSA exponentiation techniques," IEE Proceedings on Computation Digital Techniques, Vol. 151, no. 6, November 2004, Mclvor et al. a modified Montgomery multiplication and associated modular Rivest-Shamir-Adleman (RSA) exponentiation algorithms and circuit architectures that use carry-save adders (CSAs) to perform large word-length additions. The presented approach is based on a reformulation of the solution for modular multiplication in the context of RSA exponentiation and presents two algorithmic variants, one based on a five-by-two CSA and the other on a four-by-two CSA plus multiplexer based.

SUMMARY OF THE INVENTION

The invention is defined by the claims. Aspects and embodiments are described herein for purposes of illustration of the invention, which may or may not fall within the scope of the claims.

An embodiment of the present invention described herein provides a Montgomery multiplier (MMA) for multiplying two multiplicands modulo a predefined number. The MMA includes a precalculation circuit and a Montgomery multiplication circuit. The precalculation circuit is configured to calculate a Montgomery precalculation value by performing a series of iterations. In a given iteration, the pre-calculation circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a previous iteration. The Montgomery multiplication circuit is configured to multiply the two multipliers modulo the predefined number by performing a plurality of Montgomery reduction operations using the Montgomery precalculation value calculated by the precalculation circuit.

In some embodiments, the Montgomery precalculation value is at least two to the power of twice the number of bits of the Montgomery multipliers.

In some embodiments, the pre-calculation circuit is configured to modify a bitwise sum and carry in the given iteration by performing bitwise sum and bitwise carry operations on (i) the bitwise sum calculated in the previous iteration, (ii) twice the bitwise carry calculated in the previous iteration and (iii) a modulo correction number. In one embodiment, the precalculation circuit is configured to calculate the Montgomery precalculation value based on the sum of the bitwise sum and the double bitwise carry after a last iteration of the series of iterations net. In another embodiment, the pre-calculation circuit is configured to calculate the modulo correction number based on the sum of the bitwise sum and the double bitwise carry calculated in a last iteration.

In another embodiment, the pre-calculation circuit is configured to calculate the modulo correction number in the given iteration based on a difference between the sum of the bitwise sum and the bitwise carry calculated in the previous iteration and the predefined number. In another embodiment, the pre-calculation circuit is configured to calculate the modulo correction number in the given iteration based on a subset of the most significant bits of the sum of the bitwise carry and the bitwise sum calculated in the previous iteration and a subset of the most significant bits of the predefined number.

In a disclosed embodiment, the pre-calculation circuit is configured to calculate the modulo correction number in the given iteration based on a subset of bits of the sum of the bitwise carry and the bitwise sum calculated in the previous iteration and on a subset of the Calculates bits of the predefined number. In one embodiment, the pre-calculation circuit is configured to set the modulo correction number to the predefined number multiplied by -1, -2 or 0. In one embodiment, the pre-calculation circuit comprises a carry save adder (CSA) configured to calculate in the given iteration a bitwise sum and a bitwise carry of (i) twice the bitwise sum calculated in the previous iteration , (ii) the double bitwise carry calculated in the previous iteration, and (iii) a modulo correction number set to the predefined number multiplied by -1, -2 or 0.

In some embodiments, the pre-calculation circuit includes a three-input carry-save adder (CSA) configured to calculate, in the given iteration, a bit-wise sum and bit-wise carry of (i) twice the bit-wise calculated in the previous iteration sum, (ii) twice the bitwise carry calculated in the previous iteration, and (iii) a modulo correction number configured to the predefined number multiplied by -1, -2 or 0. In other embodiments, the pre-calculation circuit comprises a four-input carry-save adder (CSA) configured to calculate in the given iteration a bit-wise sum and a bit-wise carry of (i) twice the bit-wise calculated in the previous iteration sum, (ii) twice the bitwise carry calculated in the previous iteration, (iii) a first modulo correction number set to the predefined number multiplied by -1 or 0, and (iv) a second modulo Correction number that is set to the predefined number multiplied by -2 or 0.

In some embodiments, the pre-calculation circuit and the Montgomery multiplication circuit are included in a network device and configured to perform a cryptographic operation of the network device.

Additionally, according to an embodiment of the present invention, a method for multiplying two multiplicands by a predefined number is provided. The method includes, using a precalculation circuit, calculating a Montgomery precalculation value by performing a series of iterations, wherein in a given iteration one or more intermediate values are modified by performing bitwise operations on the intermediate values calculated in a previous iteration. Using a Montgomery multiplication circuit, the two multiplicands are multiplied modulo the predefined number by performing a plurality of Montgomery reduction operations using the Montgomery precalculation value calculated by the precalculation circuit.

Further in accordance with an embodiment of the present invention, an integrated Montgomery calculation engine (IMCE) for multiplying two multiplicands by a predefined number is provided. The IMCE includes a carry-save adder (CSA) circuit and a control circuit. The CSA circuit has multiple inputs and outputs, including a sum output and a carry output. The control circuit is coupled to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery prediction value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands operates.

In some embodiments, the control circuit is configured to logically shift the sum output and the carry-out of the CSA circuit and to couple the shifted sum output and the shifted carry-out to the respective inputs of the CSA circuit. In one embodiment, the control circuit is configured to logically left shift the sum output and carry output of the CSA circuit in the first setting and logically right shift the sum output and carry output of the CSA circuit in the second setting.

In one embodiment, in the first setting, the control circuit is configured to set two of the inputs of the CSA circuit to a constant value that depends on the predefined number. In another embodiment, the control circuit is configured in the first setting to set an input of the CSA circuit to the predefined number or to zero, depending on the most significant bits of the sum output and the carry output of the CSA circuit and on the two multiplicands . In another embodiment, in the second setting, the control circuit is configured to set an input of the CSA circuit to zero or to one of the multiplicands depending on the other of the multiplicands. In a disclosed embodiment, the control circuit is configured to set an input of the CSA circuit to zero or to the predefined number in the second setting depending on the least significant bits of the sum output, the carry output and the two multiplicands.

In some embodiments, the control circuitry is configured to operate the CSA circuitry in a third setting that computes a predefined base raised to a power by a predefined exponent, modulo the predefined number. In one embodiment, the control circuit is configured to operate the CSA circuit in the third setting by applying the first setting and the second setting in an order defined according to the exponent.

In some embodiments, the CSA and control circuitry are included in a network device and configured to perform a cryptographic operation of the network device.

According to an embodiment of the present invention, there is also provided a method for multiplying two multiplicands modulo a predefined number. The method includes operating a multi-input carry-save adder (CSA) circuit having outputs that include a sum output and a carry output. Using a control circuit coupled to the inputs and the outputs of the CSA circuit, the CSA circuit is controlled to operate in at least (i) a first setting that calculates a Montgomery prediction value, and (ii) a second setup that computes a Montgomery multiplication of the two multiplicands.

In some embodiments, controlling the CSA circuit includes logically shifting the sum output and the carry output of the CSA circuit and coupling the shifted sum output and the shifted carry output to corresponding inputs of the CSA circuit. In one embodiment, controlling the CSA circuit includes logically left shifting the sum output and carry output of the CSA circuit in the first setting and logically right shifting the sum output and carry output of the CSA circuit in the second setting.

In one embodiment, controlling the CSA circuit in the first setting includes setting two of the inputs of the CSA circuit to a constant value that depends on the predefined number. In another embodiment, the control of the CSA circuit in the first setting comprises setting an input of the CSA circuit to the predefined number or to zero depending on the most significant bits of the sum output and the carry output of the CSA circuit and on the two multiplicands . In another embodiment, controlling the CSA circuit in the second setting includes setting an input of the CSA circuit to zero or to one of the multiplicands depending on the other multiplicand. In a disclosed embodiment controlling the CSA circuit in the second setting includes setting an input of the CSA circuit to zero or to the predefined number depending on the least significant bits of the sum output, the carry output and the two multiplicands.

In some embodiments, controlling the CSA circuitry further includes operating the CSA circuitry in a third setting that exponentiates a predefined base a predefined exponent, modulo the predefined number, is calculated. In one embodiment, operation of the CSA circuit in the third setting includes applying the first setting and the second setting in an order defined according to the exponent.

In some embodiments, operation and control of the CSA is performed in a network device to perform a cryptographic operation of the network device.

Each feature of one aspect or embodiment may be applied to other aspects or embodiments, in any suitable combination. In particular, any feature of a method aspect or embodiment may be applied to an apparatus aspect or embodiment and vice versa.

The present invention will be better understood from the following detailed description of the embodiments taken in conjunction with the figures in which it is illustrated:

character list

• 1 Fig. 12 is a block diagram schematically showing a Montgomery multiplier (MMA) according to an embodiment of the present invention;
• 2 FIG. 12 is a block diagram schematically showing a Montgomery Precomputation Circuit (MPC) in the MMA of FIG 1 according to an embodiment of the present invention;
• 3 Fig. 12 is a flow chart that schematically illustrates a method for Montgomery precomputation according to an embodiment of the present invention;
• 4 Fig. 12 is a block diagram schematically showing an MMA with a precalculation circuit integrated into the Montgomery Calculation Engine according to an embodiment of the present invention;
• 5 Fig. 12 is a block diagram schematically showing an integrated Montgomery computation engine (IMCE) according to an embodiment of the present invention;
• 6 Fig. 12 is a flow diagram that schematically illustrates a method for Montgomery 4096-bit x 4096-bit multiplication according to an embodiment of the present invention; and
• 7 FIG. 12 is a flow chart that schematically illustrates a method for modulo exponentiation according to an embodiment of the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS

OVERVIEW

Public-key cryptosystems can be used to ensure data confidentiality, author authentication, and data integrity. Some public-key cryptosystems (e.g. Rivest-Shamir-Adleman (RSA)) rely on the modular exponentiation of large numbers, which requires repeated modular multiplications. To increase security, the operands are usually well over 1000 bits long, which increases the computational load of the exponentiation operation.

A typical algorithm used to reduce the computational cost of modular multiplication is the Montgomery algorithm (described e.g. in the above-mentioned article by Kork et al.). The Montgomery multiplication algorithm replaces the trial division by the modulus through a series of additions and divisions by a power of two and is the algorithm most commonly used in RSA cryptosystems today.

The Montgomery algorithm can be implemented in hardware or software. Typically, hardware implementations are based on repetitive operations that are preceded by a pre-computation of one or more values and may be followed by a carry-propagate operation and a final modulo correction. For example, the precomputed value may be (2 ²ⁿ ) %R, where n is the number of bits of the Montgomery operand, "%" denotes a modulo operation, and R, the divisor, is a preselected number (R < 2 ⁿ ).

The embodiments of the present invention described herein provide efficient methods and apparatus for computing the Montgomery prediction values. In some disclosed embodiments, a Montgomery multiplier (MMA) is configured to modulo multiply two multiplicands by a predefined number. In some embodiments, the MMA includes a precalculation circuit and a Montgomery multiplication circuit. The precalculation circuit is configured to calculate a Montgomery precalculation value by performing a series of iterations. In a given iteration, the pre-calculation circuit modifies one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a previous iteration. In one embodiment, in a given iteration, the pre-calculation circuit modifies a bitwise sum and carry by performing bitwise sum and bitwise carry operations on (i) the bitwise sum calculated in the previous iteration, (ii) the double bitwise carry calculated in the previous iteration, and (iii) a modulo correction number. The Montgomery multiplication circuit is configured to multiply the two multiplicands modulo the divisor by performing a plurality of Montgomery reduction operations using the Montgomery precalculation value calculated by the precalculation circuit.

In some embodiments, two more bits are added to the operands of the precalculation and/or Montgomery multiplication to avoid a final modulo correction step; so for 4096-bit arithmetic, 4098-bit operands are used. The addition of two bits also prevents intermediate values from overflowing.

Other embodiments according to the present invention presented herein provide an integrated Montgomery calculation engine (IMCE) in which the pre-calculation circuit is embedded in the Montgomery multiplication circuit; in one embodiment, the same bitwise sum and bitwise transfer circuits are used in both precomputation and Montgomery multiplication.

In some embodiments, the IMCE includes a CSA and a control circuit. The control circuitry is configured to control operation of the CSA in a variety of settings; in a first setting, the control circuit controls the CSA to perform a Montgomery precalculation; in a second setting, the control circuitry controls the CSA to perform a Montgomery multiplication, and in a third setting, the control circuitry controls the CSA to calculate a modulo exponentiation using a sequence of Montgomery multiplications. In embodiments, the control circuit includes a first circuit configured to control loopback inputs of the CSA and a second circuit capable of configuring the CSA (via the first circuit) to calculate a modulo exponentiation.

In the examples described below, the number of bits of the Montgomery operator is 4098; however, the technique described is not limited to 4098 bits; in alternate embodiments, any other suitable number of bits may be used.

The disclosed MMAs and IMCEs can be embedded in a variety of host systems and used in a variety of use cases. In general, any system that uses Montgomery multiplication can benefit from the techniques described here. For example, host systems include various network devices such as network adapters (e.g. Ethernet Network Interface Controllers (NICs), Infiniband Host Channel Adapters (HCAs), Data Processing Units (DPUs) or "Smart-NICs", network-capable Graphics Processing Units (GPUs)), network -Switches and routers as well as accelerators.

In an exemplary use case, an exposed MMA and/or IMCE is embedded in a network device and used in a secure boot process of the network device, e.g. to authenticate signatures. In another use case, an exposed MMA and/or IMCE is embedded in a network adapter and used to accelerate cryptographic operations such as public key operations.

DESCRIPTION OF THE SYSTEM

1 12 is a block diagram that schematically shows a Montgomery multiplier (MMA) 100 according to an embodiment of the present invention. MMA 100 calculates the product of pairs of numbers modulo a large prime number N and includes a Montgomery Calculation Engine (MCE) 102, a Montgomery Precompute Unit (MPC) 104; and a processor 106. The MCE 102 is also referred to herein as a Montgomery multiplication circuit. Depending on the applicable host system and use case, processor 106 may consist of or be embedded in, for example, a CPU, GPU, system-on-chip (SoC), controller, digital signal processor (DSP), or other suitable type of processor.

MCE 102 is configured to receive the multiplication arguments A, B and the divisor N from the processor 106 and a precalculation value ^2R %N from the MPC 104 and to output the product (A*B)%N to the processor 106. MCE 102 may be a processor running an appropriate software program, or a hardware Montgomery multiplier (see eg "Montgomery Multiplier for Faster Cryptosystems", by Thampi and Jose, Procedia Technology 25 (2016), pages 392-398). In some embodiments, MCE 102 includes additional circuitry that computes exponents based on Montgomery multiplication (see, e.g., the Mclvor et al. article cited above).

The MPC 104 is configured to receive N and -N from the processor 106 . N and -N are typically represented in n+2 bits, where n is the number of bits used in Montgomery multiplication (-N can be represented by the two's complement representation: -N=∼N+1 (N inverse + 1)).

MPC 104 then calculates the precalculation value (2 ²ⁿ )%N and sends the result to MCE 102. In one embodiment, the MPC includes a three or four input carry-save adder (CSA) and completes the calculation in a number of cycles , which is close to n - the number of bits.

Processor 106 is configured to send operands (multiplicands) to MCE 102 and MPC 104 and to receive MCE 102 the multiplication result. In some embodiments, processor 106 may not be required, e.g., where MPC 104 includes a processor.

The configuration of the MMA 100 is an example configuration presented for conceptual clarity only. Other suitable configurations may be used in alternative embodiments of the present invention. For example, in some embodiments, a single MPC is configured to pre-compute values for a plurality of MCEs. In another example, MPC 104 is configured to compute -N by two's complement of N; therefore, processor 106 does not send -N to MPC 104.

In some embodiments, processor 106 and/or MPC 104 consists of a general purpose processor programmed with software to perform the functions described herein. The software may be downloaded to the processor in electronic form, e.g., over a network or from a host, or alternatively or additionally, may be provided and/or stored on non-portable, tangible media such as magnetic, optical, or electronic storage.

2 FIG. 12 is a block diagram that schematically shows the Montgomery Precomputation Circuit (MPC) 104 according to an embodiment of the present invention. The MPC includes a four-input carry-save adder (CSA) 200 configured to sum four inputs (designated In[0] through In[3]). The value of -N (N is the modulo divisor) is input to the MPC (eg, from processor 106, 1 ) and applied to an R_0 input of an AND gate 202 and an R_1 input of an AND gate 204. AND gates 202 and 204 are configured to transfer the -N input to inputs in[0] and in[1] of the CSA, respectively, when activated, and to transfer a value of 0 otherwise. (The enable inputs of AND gates 202 and 204 are labeled en_0 and en_1, respectively).

Note that when both en_0 and en_1 are off (e.g. at logic 0), CSA 200 gets a combined value of 0 at input in[0] and in[1]; if one of en_0, en_1 is on, CSA gets a combined value of -N, and if both en_0, en_1 are on, CSA gets a combined value of -2N.

Two registers - an R_C register 206 and an R_S register 208 - are configured to store the carry and sum output of CSA 200, respectively. The data stored in R_C 206 may be fed back to the in[3] input of CSA 200 via a shifter 210, while the data stored in R_S 208 may be fed via a shifter 212 to the in[2] input. Shifters 210 and 212 are configured to multiply by two by shifting the data left one position (the rightmost output bit is set to logic 0).

MPC 104 further includes a controller 214 configured to control inputs en_0 and en_1 of AND gates 202 and 204 . As below (referring to 3 ), only some of the most significant bits (eg, the five most significant bits) of N and R_SC are input to controller 214 in embodiments.

In one embodiment, the precalculation process performed by MPC 104 includes a carry-save phase in which CSA 200 generates a sum and carry representation of the precalculation value, and a carry-propagate phase in which the sum and carry (those stored in R_S 208 and R_C 206 respectively) are added to produce the precalculation value P = 2 ²ⁿ %N. According to the 2 In the embodiment shown, MC 104 includes a full adder 216 configured to add the values stored in R_S 208 and R_C 206 to generate the precalculation value P . In one embodiment, full adder 216 is 64 bits and can perform a 4096-bit addition in 64 cycles (as described below, two more bits may be needed in the CSA, so full adder 216 takes 65 cycles to complete the 4098 perform bit addition).

In summary, MPC 104 computes P=2 ²ⁿ %N in an iterative carry-save phase, followed by an iterative carry-propagate phase. In the carry-save phase, a 4-input CSA iteratively computes P by adding a carry-save value of 0, -N, or -2N and the left-shifted carry and save results of the previous iteration. In the carry-propagate phase, a full adder iteratively sums the carry and sum of the carry-save phase to produce P.

As can be appreciated, the configuration of the MPC 104 is an example configuration, shown for conceptual clarity only. Other suitable configurations may be used in alternative embodiments of the present invention. For example, a three-input CSA can be used instead of four, replacing the AND gates 202, 204 with a multiplexer configured to output 0, -N, or -2N to a single CSA input that replaced in[0] and in[1]. In one embodiment, sliders 210 and/or 212 may not be required; instead, R_S and R_C can be meshed with in [2] and in [3] in a shifted fashion (e.g. R-S[0] with in [2][1], R-S[1] with in[2][2], etc. ).

SAVING A LAST STAGE OF SUBTRACTION

According to the original Montgomery paper and its early implementation, a Montgomery multiplication is followed by a final step in which a modulo correction of the result C is made: $$\text{if}\left(\text{C}>\text{N}\right)\text{C}=\text{C}-\text{N}.$$

This process is relatively expensive since it requires full carry propagation. Also, a hacker trying to find the key can deduce whether modulo correction was required by externally measuring the number of Montgomery multiplication cycles, which limits the range of possible key values. However, in an article by Walter entitled "Montgomery exponentiation needs no final subtractions", Electronics Letters, 35(21), 1999, the author shows how the final modulo correction can be avoided if the number of bits in the Montgomery multiplication is increased by 2. The following table describes the differences between the original Montgomery algorithm and Walter's proposal: parameter value Broad description Montgomery Walter n 4,096 Remaining width = 4,096 A [n-1:0] B [n-1:0] N [n-1:0] rest R R = ^{2n +2} [n:0] [n+2:0] Border R' R ' = ( R ² ) mod ( N ) [n-1: 0] precalculation Ribbon n n+2

Thus, in some embodiments, MPC 104 calculates a precalculation value where the exponent is greater than 2n, eg calculates R=2 ²⁽ⁿ⁺²⁾ .

3 FIG. 3 is a flowchart 300 that schematically shows a method for Montgomery precomputation according to an embodiment of the present invention. The MPC 104 ( 1 ) executed. The flow chart begins with an Initialize Carry Save Addition step 302 in which the MPC sets initial values for parameters stored in registers including R_0, R_1, RS and R_C (all with reference to above 2 described), and a counter configured to count iterations. Step 302 includes: initializing R0 and R1 to an n+3 bit representation of -N; Initialize R_S to an n+1 bit representation of 2 ⁿ , initialize R_C to an N+1 bit representation of 0, and initialize the counter to 4096+4.

The MPC then enters a carry-save addition step 304 in which the MPC: i) sets en_0 to 1 if the number represented by the five most significant bits of S_N is greater than the number represented by the five most significant bits of N (en_0=1 outputs - N to in[0] while en 0=0 outputs 0); ii) sets en 1 to 1 if the number represented by the 6 most significant bits of S_N is greater than the number represented by the 5 most significant bits of N (en_1=1 outputs -N to in[1] while en_1=0 returns 0); iii) confirms the value of R_S in in[2] shifted left by 1; iv) confirms the value of R_C in in[3] shifted left by 1; v) sets R_S equal to the sum (without carry) of in[0], in[1], in[2] and in[3]; vi) sets R_C equal to the carry of in[0], in[1], in[2] and in[3]; and vii) decrements the counter.

$$\text{en}\_0=\left(\text{N}\left[4095:4095-3\right]<\text{ SUM}\_\text{SC}\left[5:0\right]\right);$$

$$\text{in}0=\left(\text{en}\_0\right)?-4096:0$$

$$\text{en}\_1=\left(\text{N}\left[4095:4095-3\right]<\text{ SUM}\_\text{SC}\left[5:1\right]\right);$$

$$\text{in}1=\left(\text{en}\_1\right)?-4096:0$$

$$\text{in}2=\text{ R}\_\text{S }<<1$$

$$\text{in}3=\text{ R}\_\text{C }<<1$$

$$\text{R}\_\text{C},\text{R}\_\text{S}=\text{CSA}\left(\text{in}\mathrm{0,}\text{ in}\mathrm{1,}\text{ in}\mathrm{2,}\text{ in}3\right)$$

$$\text{Z}\ddot{\text{a}}\text{hler}=\text{Z}\ddot{\text{a}}\text{hler}-1).$$

(Carry-Save Addition step 304 is defined mathematically by the following equations: $$\text{SUM}\_\text{SC}\left[5:0\right]=\text{R}\_\text{S}\left[\text{n}:\text{n}-4\right]+\text{R}\_\text{C}\left[\text{n}:\text{n}-4\right]$$

$$\text{in}\_0=\left(\text{N}\left[4095:4095-3\right]<\text{SUM}\_\text{SC}\left[5:0\right]\right);$$

$$\text{in}0=\left(\text{in}\_0\right)?-4096:0$$

$$\text{in}\_1=\left(\text{N}\left[4095:4095-3\right]<\text{SUM}\_\text{SC}\left[5:1\right]\right);$$

$$\text{in}1=\left(\text{in}\_1\right)?-4096:0$$

$$\text{in}2=\text{R}\_\text{S}<<1$$

$$\text{in}3=\text{R}\_\text{C}<<1$$

$$\text{R}\_\text{C},\text{R}\_\text{S}=\text{CSA}\left(\text{in}\mathrm{0,}\text{in}\mathrm{1,}\text{in}\mathrm{2,}\text{in}3\right)$$

$$\text{Z}\ddot{\text{a}}\text{hler}=\text{Z}\ddot{\text{a}}\text{hler}-1).$$

After step 304, the MPC goes to a check-CSA-done step 306 and checks whether the counter has reached the value zero. If so, the carry-save addition phase is complete; the sum and carry of the pre-computed value P=2 ²ⁿ %N are stored in R_S and R_C, respectively, and the MPC then proceeds to step 308 Initialize Carry-Propagate-Addition. If the carry-save addition is not performed in step 306, the MPC returns to step 304 to perform the next CSA iteration.

In step 308, the MPC initializes the counter to 65. According to the in 3 illustrated embodiment includes the full adder 216 ( 2 ) 64 bits; therefore, carry-propagate addition takes 64+1 iterations (64*64 = 4096; one extra iteration is required because n is slightly larger than 4096).

After step 308, the MPC enters a carry-propagate addition step 310 in which the output P is calculated (by adding the carry from the previous iteration, a 64-bit group of R_S and a 64-bit group of R_C ) and the counter is decremented. The selected bit groups of R_S and R_C are shifted left in successive iterations (e.g. bits 63:0 are selected in the first iteration, bits 127:64 are selected in the next iteration, etc.).

Next, the MPC goes to check-carry-propagation-addition-done (CPA-done) step 312 and checks whether the counter has reached zero. If so, the precalculation schedule is complete and the precalculation value is stored in P . If in step 312 the carry propagation addition is not complete, the MPC returns to step 310 for the next CPA iteration.

This in 3 The illustrated flowchart 300 is an example presented for conceptual clarity only. In alternate embodiments of the present invention, other suitable flowcharts may be used. For example, the counter can count up rather than down (with steps for checking completion modified accordingly). In some embodiments, the counter may be incremented (or decremented) after the "check-done" steps.

PRECALCULATION OF SMALL NUMBERS

1. a. Der Operand wird (durch den MPC, den MCE oder durch einen Prozessor) nach links verschoben, bis das MSB=1 ist;
2. b. Die Anzahl der Algorithmuszyklen wird um die Anzahl der Verschiebungen von a) verringert.

In some embodiments, the number of bits for the precompute operation may be less than the width of the MPC (e.g., N < 4096). Since the methods and circuits described above execute a next cycle depending on the high-order bits of the operand, two preliminary stages are added:

1. a. The operand is shifted left (by the MPC, the MCE, or by a processor) until the MSB=1;
2. b. The number of algorithm cycles is reduced by the number of shifts from a).

After the pre-calculation algorithm is complete, the result is right-shifted (by the MPC, the MCE, or a processor) to restore the original bit size.

INTEGRATED MONTGOMERY MULTIPLIER WITH PRE-COMPUTATION CIRCUIT

The precalculation circuit described above is similar to the Montgomery multiplication circuit. In some embodiments, the pre-calculation is integrated into the Montgomery multiplication circuit, adding a small amount of logic.

4 12 is a block diagram that schematically shows an MMA 400 with precalculation circuitry integrated into the Montgomery Calculation Engine according to an embodiment of the present invention. Like MMA 100 ( 1 ) MMA 400 computes the product of pairs of numbers modulo a large prime N, but unlike MMA 100, MMA 400 includes an Integrated Montgomery Calculation Engine (IMCE) 402 configured to take arguments A, B and the divisor N of a Processor 404 receives and outputs the product (A*B)%N to processor 404. The processor 404 is configured to send operands (multiplicands) to the IMCE 402 and receive the multiplication result from the IMCE. In some embodiments, processor 404 may not be required, such as when IMCE 402 includes a processor.

As with MMA 100, in some embodiments processor 404 and/or IMCE 402 comprise a general purpose processor programmed in software to perform the functions described herein. The software may be downloaded to the processor in electronic form, e.g., over a network or from a host, or alternatively or additionally, may be provided and/or stored on non-transferable, tangible media, e.g., magnetic, optical, or electronic storage .

5 FIG. 4 is a block diagram that schematically shows an integrated Montgomery computation engine (IMCE) 402 according to an embodiment of the present invention. In the exemplary embodiment, the multiplication is 4096 bits x 4096 bits (however, as explained in the Walter reference cited above, we use 4096+2=4098 bits to save a final modulo operation). As can be seen, ICME 402 is a superset of MPC 104 ( 2 ); some of the subunits of ICME 402 are identical to their MPC 104 counterparts (and retain the same subunit numbers; other subunits are supersets of the corresponding subunits of MPC 104. In addition, IMCE 402 includes three new subunits - a control unit 518 (which differs from the control unit 214, 2 , distinguishes) and two registers - a GPR0 register 514 and a GPR1 register 516.

4-input CSA 200 with carry save adds inputs IN[0] through IN[3]. The sum and carry outputs are connected to an R_S register 208 and an R_C register 206, respectively. Inputs IN[0] and IN[1] are connected to AND gates 202 and 204, respectively. The AND gate 202 is configured to output the value of an R_0 register 502 at IN[0] when a signal en_0 is at logic -1 and zero otherwise, while the AND gate 204 is configured so that it outputs the value of an R_1 register 504 at IN[1] when a signal en_1 is at logic-1 and at zero otherwise.

A left/right shifter 512 is configured to shift the output of R_S 208 left or right and send the shift value to IN[2] of CSA 200; similarly, a left/right shifter 510 is configured to shift the output of R_C 206 left or right and sends the shift value to CSA 200 IN[3]. As can be seen, left/right shifters 512 and 510 are a superset of shifters 212, 210 ( 2 ) configured for left shift only. In some embodiments, CPA 216 adds groups of bits (eg, 64-bit groups) from R_S 208 and R_C 206 to reduce the 4098-bit carry-sum representation to a 4098-bit binary representation; in one embodiment, GPPR0 514 and/or GPR1 516 sequentially load the output of CPA 216, eg, in groups of 64 bits.

The controller 518 is configured to control the operation of the IMCE 402 by sending a sequential pattern of control signals to the sub-units, including en_0, en_1; controlling the shifting direction of the left/right shifters 512 and 510; load control of registers R_0 502, R_1 504, GPR0 514, GPR1 516; and by initializing control of registers R_S 208, R_C 206. The controller may (eg, by processor 404, 4 ) can be configured to one of at least two settings - a first setting in which the controller controls AND gates 202, 204 and shifters 510, 512 so that the CSA calculates a Montgomery precalculation value, and a second setting in which the controller controls the AND gates and the shifters so that the CSA computes a Montgomery multiplication. In some embodiments, the controller may be configured for a third setting in which the CSA calculates an exponentiation (eg, RSA exponentiation) by cascading a Montgomery precomputation setting and multiple occurrences of Montgomery multiplication settings.

Hereinafter, the entirety of controller 518, AND gate 202, AND gate 204, shifter 510 and shifter 512 is collectively referred to as a control circuit.

According to the 5 In the embodiment illustrated and described above, IMCE 402 is configured to perform both Montgomery precomputation and Montgomery multiplication (and specifically, Montgomery precomputation followed by Montgomery multiplication).

In the 5 The IMCE 104 configuration illustrated and described herein is an example configuration presented for conceptual clarity only. Other suitable configurations may be used in alternative embodiments of the present invention. For example, in some embodiments there is no CPA, and all operations are performed in sum-and-carry notation (except for the final exponentiation result, which may be converted to binary by a CPA or, for example, by software).

6 FIG. 6 is a flowchart 600 that schematically illustrates a method for Montgomery 4096-bit X 4096-bit multiplication according to an embodiment of the present invention. in the in 6 In the exemplary embodiment shown, the two multiplicands are expanded to 4098 bits in order to save a final modulo stage (as explained above). The flow is carried out by control circuitry 518, which controls the various sub-units of IMCE 402 ( 5 ). The flow chart begins with an initialize CSA register step 602 where the control circuit loads a value of N (the modulo) into R0 502, loads a value of A (a first multiplicand) into R1 504, B (the second multiplicand ) loads into GPR1 514 and zero loads into registers R_S 208 and R_C 206. In one embodiment, the controller loads the 4098-bit values in groups of 64 bits over 65 cycles. In some embodiments, the controller receives some or all of the values from a processor (eg, processor 404, 4 ), directly or via a bus.

1. i) den Eingang en0 des UND-Gates 202 (Fig. 402) auf S[0] + C[0] * GPR1[0]*r1[0] (Bitoperationen) setzt;
2. ii) den Eingang en1 des UND-Gates 204 auf GPR1[0] setzt;
3. iii) wenn en_0 auf logisch-1 ist - R0 in das 4098-Bit in[0] kopiert; andernfalls - in[0]=0 setzt;
4. iv) wenn en_1 auf logisch-1 ist - R1 in das 4098-Bit in[1] kopiert; andernfalls - in[1]=0 setzt;
5. v) den 4098-Bit-Wert von in[2] auf eine Rechtsverschiebung um 1 von R_S setzt;
6. vi) den 4098-Bit-Wert in[3] auf eine Verschiebung von R_C nach rechts um 1 setzt;
7. vii) bitweise von in[0],in[1],in[2],in[3] (Speichern der bitweisen Summe in R_S und des bitweisen Übertrags in R_C) addiert; und,
8. viii) den Zähler dekrementiert.

Next, the control circuit enters an initialize counter step 604 and loads an internal counter (not shown) with the value 4098 - the number of Montgomery reduction iterations to be performed. The control loop then enters a Montgomery iteration step 606 in which the control loop:

1. i) sets input en0 of AND gate 202 (Fig. 402) to S[0]+C[0]*GPR1[0]*r1[0] (bit operations);
2. ii) sets the en1 input of AND gate 204 to GPR1[0];
3. iii) if en_0 is logic-1 - R0 copied to the 4098 bit in[0]; otherwise - sets in[0]=0;
4. iv) if en_1 is logic-1 - R1 copied to the 4098 bit in[1]; otherwise - sets in[1]=0;
5. v) sets the 4098-bit value of in[2] to a right shift of 1 from R_S;
6. vi) sets the 4098-bit value in[3] to a right shift of R_C by 1;
7. vii) add bitwise from in[0],in[1],in[2],in[3] (store bitwise sum in R_S and bitwise carry in R_C); and,
8. viii) decrements the counter.

The control circuit then enters a Check Counter Greater Than Zero step 608 and checks if the counter value is still greater than zero. If so, the Montgomery multiplication loop is not complete and control loops back to step 606 to perform the next Montgomery iteration. If the counter is not greater than zero in step 608, the control circuit enters an init-carry-propagate-addition step 610 in which the control circuit sets the counter to 65 and then enters a carry-propagate-addition (CPA) Step 612 occurs.

CPA step 612 (same as step 310 in 3 ) is a 64-bit addition that adds a group of 64 R_S bits to a corresponding group of 64 R_C bits and decrements the counter. In a Check CPA Done step 614, the control circuitry checks whether the counter has reached zero and returns to step 612 if the counter is still greater than zero. The control circuit loops through steps 612 and 614 65 times to accumulate all 4098 carry-save bit pairs. When the counter has reached zero in step 614, the flowchart ends.

This in 6 The flowchart 600 illustrated and described above is an example presented for conceptual clarity only. Other suitable flow charts may be used in alternative embodiments of the present invention. For example, in embodiments, the counter may be incremented and then compared to the number of iterations. In some embodiments, the counter is changed after it has been checked for completeness.

CALCULATION OF THE RSA EXPONENT

The RSA algorithm consists of modulo powers of large numbers. In the above-cited Mclvor et al. the authors describe the use of a Montgomery multiplier for exponentiation. The exponentiation is formally defined as M=C ^D MOD(n). D - the exponent, may be stored in control circuitry 518 or supplied by a processor (e.g., processor 204, 4 ) to be read.

7 FIG. 7 is a flowchart 700 that schematically shows a method for modulo exponentiation according to an embodiment of the present invention. The flow chart is generated by the control circuit 518 ( 5 ) executed. The exponentiation flowchart includes the execution of the precomputation flowchart 300 ( 3 ) and several iterations of the Montgomery multiplication flowchart 600 ( 6 ). In the following we denote the Montgomery precomputation that computes K=(2 ^2k )%n Precomputation(k,n) and a Montgomery multiplication M=(a*b)%n MONTGOMERY(a,b,n) .

Flowchart 700 begins with a precalculation step 702, in which the control circuit calculates a precalculation value K=PRECALCULATION(k,n) by executing a precalculation flow, e.g., flowchart 300 ( 3 ), calculated. Next, in a Calculate-Initial-GPRO step 704, the control circuitry executes a Montgomery multiplication flow (e.g., flow 600, 6 ) to calculate MONTGOMERY(K,C,n) and stores the result in GPR0. Then, in a Calculate Initial GPR1 step 706, the control circuit performs another Montgomery multiplication flow to calculate MONTGOMERY(K,1,n) and stores the result in GPR1. The control circuit now sets the value of the counter to 4098 in a Set-Counter-4098 - the number of iterations in the exponentiation.

After step 708, the control circuit starts the sequence of 4098 exponentiation iterations. After the ith iteration, GPR0 stores the value of C ²ⁱ , while GPR1 stores the accumulated exponentiation result for CD ^[i-1:0] . In a Calculate Next GPR0 step 710, the control circuit calculates MONTGOMERY(GPR0,GPR0,n) and squares the previous value of GPR0. Next, the control circuit checks in a Check Di step 612 whether the ith bit of d is logic-1. If so, control circuitry proceeds to an update GPR1 step 714 in which the control circuitry performs a Montgomery multiplication (eg, flowchart 600) to compute MONTGOMERY(GPR0,GPR1,n), storing the result in GPR1 and proceeds to a decrement counter step 716 (if in step 712 d[i] is not logic -1, the control circuitry bypasses step 714).

In step 716, the control circuit decrements the counter and then in a check counter 0 step 718 checks whether the counter has reached zero. If so, the exponentiation flow ends and GPR1 stores M - the exponentiation result. If the counter has not reached 0 in step 718, control loops back to step 710 for the next exponentiation iteration.

This in 7 The flowchart 700 shown and described above is an example presented for conceptual clarity only. In alternate embodiments of the present invention, other suitable flowcharts may be used. For example, to protect against security attacks where the exponentiation time is measured to estimate the number of bits of the logic 1 exponent, in some embodiments the Montgomery multiplication of step 714 is always performed and the value of bit d[i] des Exponent (which is checked in step 712) determines whether GPR1 is updated with the multiplication results. In some embodiments, the counter is cleared at step 708, incremented at step 716, and compared to 4098 at step 718. In one embodiment, the counter is incremented after being compared to the final value.

MONTGOMERY CALCULATION OF SMALL NUMBERS

In the methods and circuits of Montgomery multiplication described above, a next cycle is executed depending on the low-order bit of the operand. Therefore, the algorithm works well when the number of bits of the numbers to be multiplied is smaller than the width of the IMCE (e.g. N<4096). The operands should be loaded into the LSB parts of the registers and logical 0 bits should be loaded into the unused MS part.

The configurations of the Montgomery multiplication devices (MMA) 100 and 400, including the Montgomery pre-calculation circuit (MPC) 104 and the integrated Montgomery calculation engine (IMCE) 402, as well as the methods of the flowcharts 300, 600 and 700 described here are Example configurations and methods shown for conceptual clarity only. Any other suitable configuration and flowchart may be used in alternative embodiments. The various elements of Montgomery multiplication devices (MMA) 100 and 400, including Montgomery precalculation circuit 104 and integrated Montgomery calculation engine 402, may be implemented with appropriate hardware, such as in one or more application specific integrated circuits (ASICs) or field programmable gate Arrays (FPGAs).

Although the embodiments described herein relate primarily to Montgomery multiplication, Montgomery precomputation, and Montgomery-based exponentiation, the methods and systems described herein can also be used for other applications, such as fast division.

It is therefore understood that the embodiments described above are given as examples and that the present invention is not limited to what has been particularly shown and described herein. Rather, the scope of the present invention includes combinations and sub-combinations of the various features described herein, as well as variations and modifications thereof that would occur to those skilled in the art upon reading the foregoing description and which are not disclosed in the prior art. Documents incorporated by reference into the present patent application are to be considered an integral part of the application, except that to the extent that terms in these incorporated documents are defined in a way that is contrary to the definitions in definitions made explicit or implicit in this description, only the definitions in the present description are to be considered.

It is understood that the aspects and embodiments described above are exemplary only and that changes may be made in detail within the scope of the claims.

Each apparatus, method and feature disclosed in the description and (where appropriate) claims and drawings may be provided independently or in any suitable combination.

The reference numerals contained in the claims are for illustration only and have no limiting effect on the scope of the claims.

QUOTES INCLUDED IN DESCRIPTION

This list of documents cited by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent Literature Cited

• US 17/180999 [0001]

Claims (20)

Integrated Montgomery Calculation Engine (IMCE) for multiplying two multiplicands modulo a predefined number, where the IMCE comprises: a multi-input carry-save adder (CSA) circuit having outputs including a sum output and a carry output; and Control circuitry coupled to the inputs and the outputs of the CSA circuitry and configured to operate the CSA circuitry in at least (i) a first setting that calculates a Montgomery precalculation value and (ii) a second setting , which computes a Montgomery multiplication of the two multiplicands. The IMCE after claim 1 wherein the control circuit is configured to logically shift the sum output and the carry output of the CSA circuit and to couple the shifted sum output and the shifted carry output to respective inputs of the CSA circuit. The IMCE after claim 2 wherein the control circuit is configured to logically shift left the sum output and carry output of the CSA circuit in the first setting and logically shift the sum output and carry output of the CSA circuit right in the second setting. The IMCE of any preceding claim, wherein in the first setting the control circuit is configured to set two of the inputs of the CSA circuit to a constant value dependent on the predefined number. The IMCE of any preceding claim, wherein in the first setting the control circuit is configured to set an input of the CSA circuit to the predefined number or to zero depending on the most significant bits of the sum output and the carry output of the CSA circuit and from the two multiplicands. The IMCE of any preceding claim, wherein in the second setting the control circuit is configured to set an input of the CSA circuit to zero or to one of the multiplicands, depending on the other of the multiplicands. The IMCE of any preceding claim, wherein in the second setting the control circuit is configured to set an input of the CSA circuit to zero or to the predefined number depending on the least significant bits of the sum output, the carry output and the two multiplicands . The IMCE of any preceding claim, wherein the control circuitry is configured to operate the CSA circuitry in a third setting that calculates a power of a predefined base by a predefined exponent, modulo the predefined number. The IMCE after claim 8 , wherein the control circuit is configured to operate the CSA circuit in the third setting by applying the first setting and the second setting in an order defined according to the exponent. The IMCE of any preceding claim, wherein the CSA and the control circuitry are contained within a network device and configured to perform a cryptographic operation of the network device. A method of multiplying two multiplicands by a predefined number, the method comprising: operating a multi-input carry-save adder (CSA) circuit having outputs including a sum output and a carry output; and using a control circuit coupled to the inputs and the outputs of the CSA circuit, controlling the CSA circuit to operate in at least (i) a first setting that calculates a Montgomery precalculation value and (ii) a second setting, which calculates a Montgomery multiplication of the two multiplicands. The procedure after claim 11 wherein controlling the CSA circuit comprises logically shifting the sum output and the carry output of the CSA circuit and coupling the shifted sum output and the shifted carry output to respective inputs of the CSA circuit. The procedure after claim 12 wherein controlling the CSA circuit comprises logically left shifting the sum output and the carry output of the CSA circuit in the first setting and logically right shifting the sum output and the carry output of the CSA circuit in the second setting. The procedure according to one of the Claims 11 , 12 or 13 , wherein the control of the CSA circuit in the first setting comprises setting two of the inputs of the CSA circuit to a constant value dependent on the predefined number. The procedure according to one of the Claims 11 , 12 or 13 , wherein the control of the CSA circuit in the first setting comprises setting an input of the CSA circuit to the predefined number or to zero depending on the most significant bits of the sum output and the carry output of the CSA circuit and on the two multiplicands. The procedure according to one of the Claims 11 until 15 wherein controlling the CSA circuit in the second setting comprises setting an input of the CSA circuit to zero or one of the multiplicands depending on the other of the multiplicands. The procedure according to one of the Claims 11 until 16 wherein the control of the CSA circuit in the second setting comprises setting an input of the CSA circuit to zero or to the predefined number depending on the least significant bits of the sum output, the carry output and the two multiplicands. The procedure according to one of the Claims 11 until 17 wherein controlling the CSA circuitry further comprises operating the CSA circuitry in a third setting that computes a predefined base raised to a power by a predefined exponent, modulo the predefined number. The procedure after Claim 18 , wherein operating the CSA circuit in the third setting includes applying the first setting and the second setting in an order defined according to the exponent. The procedure according to one of the Claims 11 until 19 wherein the operation and control of the CSA is performed in a network device to perform a cryptographic operation of the network device.

Images