KR102126933B1 - UNIFIED ARM/NEON MODULAR MULTIPLICATION METHOD OF ARMv7-A PROCESSOR - Google Patents

Abstract

The present invention relates to a method for accelerating multiplication on a 32-bit ARMv7-A processor.
In the present invention, when performing multiplication on a 32-bit ARMv7-A processor having an ARM general operator and a NEON image operator, two multiplications between n-bit operands are converted into three multiplications of n/2-bit operands using Karatsuba multiplication. After the transformation, a multiplication acceleration method is disclosed in which two n/2 bit multiplication operations are performed in an ARM general operator and the other n/2 bit multiplication operations are performed in a NEON image operator.
When the 512-bit multiplication is compared with the conventional implementation technique on the 32-bit mobile processor (ARM Cortex-A15), the technique proposed in the present invention shows a performance improvement of about 1.26 times.

Description

How to accelerate multiplication on 32-bit ARMv7-A processors {UNIFIED ARM/NEON MODULAR MULTIPLICATION METHOD OF ARMv7-A PROCESSOR}

The present invention relates to a method for accelerating multiplication on a 32-bit ARMv7-A processor, and more particularly, to a method for accelerating multiplication using an ARM general operator and a NEON image operator on a 32-bit ARMv7-A processor.

Public key cryptography (PKC) of pre-quantum (eg RSA) or post-quantum instances (eg SIDH) is usually a performance-critical building block that requires modular multiplication. One of the most promising modular reduction techniques for PKC is Montgomery multiplication, which replaces expensive division operations in multiplication operations. Several techniques have been proposed for faster Montgomery multiplication on different CPU architectures. However, such operations are still computationally intensive in modern processors and require high-speed optimization.

The 32-bit ARM architecture (eg ARMv7-A) is widely used in mini computers and wearable devices. The advanced ARMv7-A processor supports Single Instruction Multiple Data (SIMD) instructions (eg NEON engine) to perform multimedia massive workloads. To take advantage of the parallel computing power of SIMD instructions, existing serial implementations have to be rewritten in a vectorized way. In SAC'13, Bos et al. introduced a new implementation of Montgomery multiplication in vector computation. This multiplication reversed the sign of the precomputed Montgomery constant, accumulating the results with two separate median values. However, in implementation, pipeline stall occurred due to read-after-write (RAW) dependencies in the command flow. This is because the instruction to be executed must wait until the operand of the source register can be read. In another attempt, product scanning-based Montgomery multiplication was introduced to compute a pair of 32-bit multiplications at a time. However, this column-wise multiplication still causes high RAW dependencies. To avoid RAW dependence, Seo et al. at ICISC'14 introduced a new 2-way Cascade Operand Scanning (COS) multiplication that performs partial multiplication in non-traditional order. Therefore, for modular multiplication, two COS multiplications are performed in an interleaved manner. This COS multiplication is further enhanced by using the additive Karatsuba method for long integers such as 1024-bit and 2048-bit integers, while separate Montgomery multiplication is selected. However, the prior art paid little attention to the new ARM multiply instruction set (UMAAL), which shows a better choice than the NEON instruction set (VMULL) in multi-precision multiplication.

P. Barrett. Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In Conference on the Theory and Application of Cryptographic Techniques, pages 311?323. Springer, 1986. H. Fujii and D. F. Aranha. Curve25519 for the Cortex-M4 and beyond. Progress in Cryptology-LATINCRYPT, 2017. GMP. The GNU Multiple Precision Arithmetic Library. Available for download at https://gmplib.org/, 2018 H. Seo, Z. Liu, J. Großschadl, and H. Kim. Efficient arithmetic on ARM-NEON and its application for high-speed RSA implementation. Security and Communication Networks, 9(18):5401?5411, 2016. B. Koziel, A. Jalali, R. Azarderakhsh, D. Jao, and M. Mozaffari-Kermani. NEON-SIDH: efficient implementation of supersingular isogeny Diffie-Hellman key exchange protocol on ARM. In International Conference on Cryptology and Network Security, pages 88-103. Springer, 2016.

The present invention aims to propose a method that utilizes these guidelines and provides faster modular multiplication for PKC implementation.

The main object of the present invention

1.Introducing the integrated ARM/NEON modular multiplication, and the ARM(UMAAL) and NEON(VMULL) instruction sets are precisely integrated to perform modular multiplication in parallel. This method reduces the number of pipeline stalls with manual out-of-order execution and memory access by sharing intermediate results and operands between ARM and NEON registers. Manual Out-of-Order execution optimizes automatic Out-of-Order execution by about 20% for n-word multiplication and saves 6n memory accesses.

2. A new Montgomery reduction method is introduced by combining UMAAL instructions and hybrid-scanning techniques to reduce the number of memory accesses to operands and to perform multiplication and accumulation steps. For unified ARM/NEON n-word Montgomery multiplication, the present invention saves 10n times the number of memory accesses.

3. The Montgomery multiplication operation according to the present invention reduces the complexity of the critical path for word unit multiplication from θ(2n ² + n) to θ(n ² ). 34% better than the best-known results on the ARM Cortex-A15 processor. Montgomery multiplication for the SIDH protocol is further improved based on the modular multiplication according to the present invention. The Montgomery multiplication proposed for the SIDH protocol applied directly to the latest Microsoft SIDH v3.0 library improves 11.7x performance on the ARM Cortex-A15 processor.

으로 변환한 이후에 나머지 연산 중 2개의 n/2-비트 곱셈을 일반 연산기(ARM)에서 수행하고 나머지 1개의 n/2-비트 곱셈을 이미지 연산기(NEON)에서 수행하도록 제안하였다. 모든 계산 결과값은 일반 연산기에서 합산되어 최종적인 결과값을 도출한다. 제안하는 곱셈 기법은 공개키 암호의 핵심 연산을 가속화시키는 장점을 가지고 있다.In the proposed multiplication technique, Karatsuba algorithm is first applied to n -bit multiplication to increase multiplication complexity.

After conversion to, it was proposed to perform two n/2 -bit multiplications of the remaining operations in the general operator (ARM) and the remaining one n/2 -bit multiplications in the image operator (NEON). All calculation results are summed in the general operator to derive the final result. The proposed multiplication technique has the advantage of accelerating the core operation of public key cryptography.

delete

를 연산하는 제4단계를 포함하고, 제2단계와 제3단계는 각각 ARM 일반 연산기와 NEON 이미지 연산기에서 병렬 연산으로 수행되는 것을 특징으로 하는 32-비트 ARMv7-A 프로세서상 곱셈 가속화 방법에 의하여 달성 가능하다.The object of the present invention is a 32-bit ARMv7-A processor multiplication on a 32-bit ARMv7-A processor for accelerating the multiplication of n-bit factor A and B on a 32-bit ARMv7-A processor with an AARM generic operator and a NEON image operator. Hence, n-bit factor A consists of upper n/2 bits A_H and lower n/2 bits A_L, and n-bit factor B consists of upper n/2 bits B_H and lower n/2 bits B_L, ARM The difference between absolute values in a general operator |A_H-A_L| And |B_H-B_L| The first step of calculating, and the second step of performing two multiplication operations A_L*B_L and A_H*B_H in the ARM general operator, and in the NEON image operator, the first step is multiplying the difference of absolute values |A_H- A_L| * |B_H-B_L| Step 3 and ARM In general arithmetic units, the first, second, and third stages are used by using the results.

Comprising a fourth step of computing, the second and third steps are achieved by a multi-acceleration method on a 32-bit ARMv7-A processor, characterized in that it is performed in parallel in the ARM general operator and the NEON image operator, respectively. It is possible.

Before performing the multiplication operation starting from the first step, n-bit factor A is divided into upper n/2 bits A_H and lower n/2 bits A_L and stored, and n-bit factor B is stored in upper n/2 bits B_H and lower order. By dividing and storing n/2 bits B_L, steps 1-1 to convert a multiplication between n-bit factors into a multiplication between n/2 bit factors may be further performed.

In addition, as a step performed between steps 1-1 and 3, steps 2-1 of transmitting the results of the two calculations of the first step to the NEON image calculator should be further provided.

When the 512-bit multiplication is compared with the conventional implementation technique on the 32-bit mobile processor (ARM Cortex-A15), the technique proposed in the present invention shows a performance improvement of about 1.26 times.

In the present invention, an integrated ARM/NEON design for high-speed Montgomery multiplication in an ARMv7-A processor is presented. In particular, we proposed an optimization technique to perform parallel computation for both ARM and NEON instruction sets and optimized the number of memory accesses. In addition, a new hybrid scanning method using UMAAL was proposed to reduce Montgomery. Combining these optimizations yields a very efficient Montgomery multiplication. This multiplication is 34% faster than the previous implementation of the Cortex-A15 processor.

In addition, the results of implementing the SIDH protocol very efficiently on the above platform were reported. Optimized Montgomery multiplication accelerates the latest Microsoft SIDH v3.0 library by 11.7x on ARM Cortex-A15 processors. This result sets a new speed record for SIDH implementation on ARMv7-A processors. Finally, comparing the proposed work with pre-quantum encryption (such as RSA and ECC) shows that the SIDH protocol appears to be the slowest, but fast enough to take advantage of pirate applications.

It is also worth noting that the method according to the present invention is perfectly suited for other processors that support SIMD multiplication operations, such as the INTEL-SSE or INTEL-AVX processor family. Based on these observations, the next task is to apply the proposed modular multiplication routines to the INTEL-SSE and INTEL-AVX processors. This is expected to directly contribute to widening the boundaries by replacing the traditional approach to the proposed modular multiplication.

1 is an explanatory diagram illustrating a multiplication procedure of the present invention at a word-level.

The terms used in the present invention are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this specification, the terms "include" or "have" are intended to indicate the presence of features, numbers, steps, actions, components, parts or combinations thereof described in the specification, one or more other features. It should be understood that the existence or addition possibilities of fields or numbers, steps, operations, components, parts or combinations thereof are not excluded in advance.

In addition, in the present specification, "on or above" means that it is located above or below the target part, and does not necessarily mean that it is located on the upper side based on the direction of gravity. Also, when a portion of an area, plate, or the like is said to be "on or above" another portion, this means that another portion in the middle, as well as if it is in contact or spaced "on or above" another portion. Also included.

In addition, in this specification, when one component is referred to as "connected" or "connected" with another component, the one component may be directly connected to the other component, or may be directly connected, but in particular It should be understood that, as long as there is no objection to the contrary, it may or may be connected via another component in the middle.

Further, in this specification, terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from other components.

In the present invention, the modular multiplication proposed in the ARMv7-A processor widely used in mini computers and wearable devices is implemented.

The desired architecture supports both ARM and NEON instruction sets. On the other hand, there are 16 ARM registers that are 32 bits long. Of these registers, engineers can use 32-bit 14 registers, including R0 through R12 and R14, in assembly language. ARM registers can only hold 448-bit (32 × 14) variables, and there was not enough space to hold both the intermediate result and the operand. One of the most important issues in a high-speed implementation based on this architecture is how to efficiently utilize registers and minimize memory access.

The ARM processor supports very powerful 32-bit smart operations. In particular, the ARMv7-A processor supports four unsigned integer multiply instructions, including:

MUL (Multiplication: MUL R0, R1, R2 → R0 = R1 × R2 mod 2³²),

MUL (Multiplication: MUL R0, R1, R2 → R0 = R1 × R2 mod 2 ³² ),

UMULL (Unsigned-Multiplication: UMULL R0, R1, R2, R3 → R1 || R0 = R2 × R3),

UMULL (Unsigned-Multiplication: UMULL R0, R1, R2, R3 → R1R0 = R2 × R3),

UMLAL (Unsigned-Multiplication-Accumulation: UMLAL R0, R1, R2, R3 → R1 || R0 = R1 || R0 + R2 × R3), 및

UMLAL (Unsigned-Multiplication-Accumulation: UMLAL R0, R1, R2, R3 → R1||R0 = R1||R0 + R2 × R3), and

UMAAL (Unsigned-Multiplication-Addition-Addition: UMAAL R0, R1, R2, R3 → R1 || R0 = R1 + R0 + R2 × R3).

UMAAL (Unsigned-Multiplication-Addition-Addition: UMAAL R0, R1, R2, R3 → R1R0 = R1 + R0 + R2 × R3).

In particular, the UMAAL instruction can be used to perform multiplication operations using addition operations, does not generate carry bits, and the following equation ((2 ⁿ -1) ² + 2(2 ⁿ -1) = (2 ^2n- Eliminates the need for carry handling by 1)).

The NEON engine, on the other hand, provides 64-bit double (D) words and 128-bit quad (Q) word registers. These engineers can utilize 128-bit 16 registers, including Q0 through Q15, in assembly language. The NEON register can hold 2048-bit (128x16) variables, which is enough space to hold all intermediate results and operands. In the present invention, the number of memory accesses is reduced by using this space as a temporary storage space rather than memory.

The NEON instruction is performed in a vectorized manner (ie, 8-bit, 16-bit, 32-bit and 64-bit) using data-parallelism at the instruction set level. For 32-bit unsigned multiplication, the NEON engine uses two sets of multiplication instructions, including:

VMULL.U32 (Vectorized Unsigned Multiplication: VMULL.U32 Q0, D2, D3[0] → D1 = D2[1] × D3[0], D0 = D2[0] × D3[0],

VMULL.U32 (Vectorized Unsigned Multiplication: VMULL.U32 Q0, D2, D3[0] → D1 = D2[1] × D3[0], D0 = D2[0] × D3[0],

VMLAL.U32 (Vectorized Unsigned Multiplication Accumulation: VMLAL.U32 Q0, D2, D3[0] → D1 = D1 + D2[1] × D3[0], D0 = D0 + D2[0] × D3[0].

VMLAL.U32 (Vectorized Unsigned Multiplication Accumulation: VMLAL.U32 Q0, D2, D3[0] → D1 = D1 + D2[1] × D3[0], D0 = D0 + D2[0] × D3[0].

In addition, the instruction set can issue two 32-bit unsigned multiplications and produce two 64-bit results at the same time. In this work, the ARM Cortex-A15 processor was used as the target platform. The target ARM Cortex-A15 processor operates at 2GHz and has 2GB DDR3 RAM. The processor provides a 15-step integer pipeline and a 17-25 stage floating-point pipeline, and uses an unspecified speculative issue 3-way superscalar execution pipeline.

In the conventional Montgomery multiplication, NEON instructions were mainly used for high-speed implementation. However, multiplication implementations based on the ARM instruction set are still competitive in execution timing. In SAC'13, Bos et al. evaluated the performance of Montgomery multiplication on various platforms, including INTEL-AVX processors and ARM-NEON processors.

Interestingly, some results for the ARMv7-A processor show that the ARM implementation achieved better performance than NEON.

Recent Latincrypt'17's Fujii and Aranha are newer multiplication methods than ARM Cortex-M processors using the ARMv7 processor's new multiplication instruction set (UMAAL) and continuous operand caching (COC) multiplication methods to reduce the number of memory accesses and carry operations. To suggest. Compared to the previous work, the realization of the odds is about 50% faster than the previous work.

To compare the performance of the ARM processor and the NEON engine, the benchmarks show all best practices for ARM and NEON instructions on the target ARMv7-A platform. The detailed comparison results are shown in Table 1. As expected, ARM instructions outperformed NEON instructions by 16% for A15 processors. This result shows that the SIMD instruction set (eg NEON engine) does not guarantee the best performance.

Architecture Fujii et al. (ARM) [2] S et al. (NEON) [4] Ratio(ARM/NEON) ARMv7 158 188 0.84
The numbers in square brackets of each item in row 1 in Table 1 refer to the non-patent document numbers of the prior art documents.

In the previous work, only the non-optimal ARM instruction set or the NEON instruction set was used because both instruction sets can be issued in parallel. In the following, to make the best use of the resources of ARM and NEON, the two instruction sets are well integrated and multiplied in parallel.

의 곱을 취하면, 곱셈 (P = A · B)은 부가적 Karatsuba 알고리즘을 사용하여 수학식 1에 따라 계산될 수 있다.The description of integrated ARM/NEON multiplication is given in Algorithm 1. First, the m-bit operand multiplication is divided by the m/2-bit operand multiplication. Then, one-step Karatsuba multiplication is performed on m/2-bit operand multiplication. It can be seen that Karatsuba multiplication effectively reduces the complexity of multiplication from four m/2 bit multiplications to three m/2 bit multiplications for one level. Karatsuba routines can be established with two approaches: addition and subtraction. n-word operand

Taking the product of, multiplication (P = AB) can be calculated according to Equation 1 using the additional Karatsuba algorithm.

Using the subtractive Karatsuba algorithm, it can be calculated as in Equation 2.

In particular, in the present invention, a subtractive Karatsuba method was used. The CM calculation avoids carry bits, but requires two absolute differences in CM and one conditional negation. The two absolute difference calculations are initially performed on the ARM processor, while the operands are transferred directly to the NEON register. Second, two m/2-bit multiplications are assigned to the ARM processor and one m/2-bit multiplication is assigned to the NEON engine. The two routines are performed in parallel. Here, Continuous Operand Caching (COC) method such as Fujii using UMAAL in ARM instruction set and Cascade Operand Scanning (COS) method were performed in NEON engine.

2.099)이므로 NEON 명령어당 두 개의 ARM 명령어(예: ..., ARM 명령어; ARM 명령어; NEON 명령어; ...)를 혼합했다. 병렬 세션이 끝나면 중간 결과를 누적하여 최종 결과를 생성한다.For parallel computation, both the ARM and NEON instruction sets are executed interleaved. The ARM Cortex-A15 processor supports Out-of-Order execution (OoOE). However, automatic OoOE by GCC compiler does not generate optimized OoOE1. For this reason, we manually mix the two sets of commands line by line. For example, with 512-bit multiplication, the number of lines for an ARM implementation (two 256-bit multiplications) is 296, and the number of lines for a NEON implementation (multiplying one 256-bits) is 141. Line ratio is approximately 2 (about 296/141

2.099), so we mixed two ARM instructions per NEON instruction (e.g. ..., ARM instruction; ARM instruction; NEON instruction; ...). At the end of the parallel session, intermediate results are accumulated to produce the final result.

For ease of understanding, the word-level description of FIG. 1 is provided.

이고, w는 워드 크기이다. 곱셈 결과 C = A · B는 피연산자 길이의 두 배이며 C = (C[2n-1], ..., C[2], C[1], C[0])로 표시된다. 곱셈 구조는 위에서 아래로의 부분곱의 순서를 설명하고 마름모 형태의 각 점은 부분곱을 나타낸다. 마름모의 가장 오른쪽 모서리는 가장 낮은 인덱스 (i, j = 0)를 나타내지만 가장 왼쪽은 가장 높은 인덱스 (i, j = n-1)를 나타낸다. 포인트 위의 검은색 화살표는 부분 제품의 처리를 나타낸다. 최하단은 가장 오른쪽 코너 (k = 0)부터 가장 좌측 코너 (k = 2n-1)까지의 범위를 나타내는 인덱스 C[k]를 나타낸다. ARM 명령어 세트는 SISD(Single Instruction Single Data) 아키텍처를 따르므로 하나의 부분곱이 연속적으로 수행된다. 반면에 NEON 명령어 세트는 SIMD(Single Instruction Multiple Data)를 따르고 두 개의 부분곱을 연속적으로 수행한다.Describe this method using both the multiplication structure and the rhombus format. The following notation is required here. A and B are called operands of length m bits. Each operand is written as: A = (A[n-1], ..., A[2], A[1], A[0]), B = (B[n-1],. .., B [2], B [1], B [0]), where

And w is the word size. The result of multiplication C = A · B is twice the length of the operand and is expressed as C = (C[2n-1], ..., C[2], C[1], C[0]). The multiplication structure describes the order of the sub products from top to bottom, and each dot in the rhombus form represents a sub product. The rightmost corner of the rhombus represents the lowest index (i, j = 0), but the leftmost represents the highest index (i, j = n-1). The black arrow above the point indicates the treatment of the partial product. The lowermost part represents the index C[k] indicating the range from the rightmost corner (k = 0) to the leftmost corner (k = 2n-1). Since the ARM instruction set follows the Single Instruction Single Data (SISD) architecture, one partial product is continuously executed. On the other hand, the NEON instruction set follows SIMD (Single Instruction Multiple Data) and continuously performs two subproducts.

The calculation is divided into three subsections (②③④) in order to perform multiplication ARM / NEON concurrent design. The two parts (②④) are executed in the ARM instruction using the COC method and the other part (③) is executed in the NEON instruction using the COS method. Since both the ARM processor and the NEON engine are independent units, ARM and NEON instructions are performed in parallel without interference.

-In step ①, the middle part of the operand in the ARM processor (A _M [0~3] ← |A[0~3]-A[4~7] and B _M [0~3] ← |B[0~3 ]-Operator subtraction is performed to generate operands for B [4~7]|). To optimize the number of memory accesses, the operands generated are transferred directly from the ARM register to the NEON register. This approach reduces the number of memory accesses by 2n (n storage and n loading operations) for two n/2 word operands.

-After step ①, the parallel section starts. In step ③, the middle part of Karatsuba multiplication (CM[0~7] ← AM[0~3] × BM [0~3]) is performed in NEON. In steps ② and ④, the lower and upper parts of Kartatsuba multiplication are performed.

. 이로써 n/2-워드 덧셈 및 2n 메모리 액세스(n 워드로드 및 저장 작업)가 저장된다. 둘째, ARM 프로세서의 중간 결과는 NEON 엔진의 결과와 함께 누적된다.

, 여기서,

,

,

및

이다. 중간 결과(CML)는 NEON 레지스터에서 ARM 레지스터로 직접 전송되므로 n(n/2 워드로드 및 저장 작업)별로 메모리 액세스 수가 절약된다.-Karatsuba multiplication requires 3n addition/subtraction for the middle part. Intermediate results are stored in a partially accumulated fashion. First, the upper and lower parts are accumulated and stored

. This saves n/2-word additions and 2n memory accesses (n word load and store operations). Second, the intermediate results of the ARM processor accumulate with the results of the NEON engine.

, here,

,

,

And

to be. The intermediate result (CML) is transferred directly from the NEON register to the ARM register, saving the number of memory accesses per n (n/2 word load and store operations).

. 중간 결과(CMH)는 NEON 레지스터에서 ARM 레지스터로 직접 전송되기 때문에 n(n/2 워드로드 및 저장 작업)별로 메모리 액세스 수가 절약된다. 레지스터 공유 방식을 사용하여 메모리 액세스 횟수를 6n 배 절감했다.-Finally, in step ⑤, the rest of the NEON processor (CMH ← CM div 2 ⁿ ) is accumulated.

. The intermediate result (CMH) is transferred directly from the NEON register to the ARM register, saving the number of memory accesses per n (n/2 word load and store operations). By using the register sharing method, the number of memory accesses is reduced by 6n times.

The results according to the invention are compared to the most well-known prior results in the ARM and NEON instruction sets, as shown in Table 2.

Method Instruction Timings [cc] Fujii et al. [2] ARM 596 GMP-6.1.2 [3] ARM 1,138 Seo et al. [4] NEON 632 The present invention ARM/NEON 470
In Table 2, the numbers in the square brackets on the right of each Method refer to the non-patent document numbers of the above-mentioned prior art documents.

ARM instruction-based multiplication shows better performance than NEON. Compute instruction-based multipliers on the target ARMv7-A processor. The latest multi-precision multiplication library is also evaluated. However, GMP-6.1.2 had the slowest performance. This shows that the open library has not been fully optimized yet. Of the four implementations, the method according to the invention achieved the best results. The implementation according to the present invention showed a 21.2% performance improvement over the ARM Cortex-A15 processor compared to ARM instruction-based multiplication. The proposed integration approach is general to the SISD/SIMD platform, so it can be applied to other general SISD/SIMD architectures. One of the most promising goals is an INTEL processor that integrates the INTEL instruction set and the SSE/AVX2 engine.

배를 피할 수 있다. SIDH 구현은 성능을 11% 향상시킨다.Unlike the previous work, both the ARM and NEON instruction sets were used. The 512-bit integrated ARM/NEON modular multiplication requires only 878 clock cycles. Compared to Fujii et al.'s study, implementations according to the present invention show 34% improved performance. Obviously this is mainly because the integrated ARM/NEON approach ensures parallel computation and reduces the number of memory accesses by passing intermediate results and operands between registers. For ARM's Montgomery reduction, hybrid scans are redesigned to take full advantage of the UMAAL instruction set. Regarding the special modulus of SIDH, Montgomery modular multiplication was presented. Approximation of word-wise multiplication compared to normal multiplication

You can avoid the boat. The SIDH implementation improves performance by 11%.

In order to evaluate the effect of the implementation according to the present invention, the desired Montgomery multiplication was applied to the SIDH protocol. Table 5 shows the software implementation results for the SIDHp503 protocol of the ARM Cortex-A15 processor, consistent with the post-quantum security of AES128. For comparison purposes, we adopted the same set of parameters as the previous study. At CANS'16, Koziel et al. announced the first SIDH implementation for the ARMv7-A processor. In order to achieve high performance, Montgomery Multiplication Method (COS) such as Seo was used, and when implementing the SIDH protocol, it required 302 * 106 cycles on the ARM Cortex-A15 processor. Implementing the SIDH protocol requires 197*106 cycles for the ARM Cortex-A15, which is roughly 1.5x faster than the ARM Cortex-A15. This performance gap comes from high-speed modular multiplication. This is because the proposed modular multiplication is about 1.76x faster than in the prior art. Also, the proposed implementation is about 11.7x faster than the Microsoft SIDH v3.0 library. Significant progress could be achieved from the optimization of the present invention for Montgomery multiplication because the current library does not provide highly optimized modular multiplication.

표 3에서 각 Method 우측 괄호 내 숫자는 선행기술문헌 중에서 비특허문헌 번호를 의미한다.

In Table 3, the number in the right parenthesis of each method means a non-patent document number among prior art documents.

To compare the performance of the SIDH protocol with the traditional public key, Table 6 compares the RSA and ECC implementation of the latest OpenSSL 1.1.0h library on the ARMv7-A platform with the SIDH protocol implementation according to the present invention. The 128-bit security level RSA signature generation and verification can perform 63 and 3,726 operations per second on the ARM Cortex-A15 processor, and the ECDH operation of the NIST P-256 can perform 2,849 operations per second. The SIDHp503 proposed for comparison performs 21 operations per second. ECC provides the highest performance of the three implementations, but does not provide quantum security. The SIDH protocol, on the other hand, achieved the lowest performance, but three times slower than RSA, but fast enough to use a practical application. In addition, advances in the SIDH protocol will narrow the performance gap between pre-quantum encryption and post-quantum encryption.

Although the preferred embodiment of the present invention has been described and illustrated using specific terms, such terms are only intended to clearly describe the present invention, and the embodiments and described terms of the present invention are the technical spirit and scope of the following claims. It is obvious that various changes and changes can be made without deviating from. Such modified embodiments should not be individually understood from the spirit and scope of the present invention, and should be said to be within the scope of the claims of the present invention.

Claims (4)

delete In a 32-bit ARMv7-A processor multiplication acceleration method for accelerating the multiplication of n-bit factor A and B on a 32-bit ARMv7-A processor having an ARM general operator and a NEON image operator,
The n-bit factor A consists of upper n/2 bits A_H and lower n/2 bits A_L, and the n-bit factor B consists of upper n/2 bits B_H and lower n/2 bits B_L,
ARM The difference between absolute values in a general operator |A_H-A_L| And |B_H-B_L| The first step of calculating the,
Steps 1-2 of transferring the difference values of the absolute values of the first step to a NEON image operator register;
A second step of performing two multiplication operations A_L*B_L and A_H*B_H in the ARM general operator,
In the NEON image operator, the first step is a multiplication operation on the difference of absolute values |A_H-A_L| * |B_H-B_L| The third step to perform and
ARM In general arithmetic units, the first, second, and third stages are used by using the results.

It includes a fourth step of calculating, the first and second steps are performed after the first step and before the third step, the second step and the third step is a parallel operation in the ARM general operator and NEON image operator, respectively. A method of accelerating multiplication on a 32-bit ARMv7-A processor, characterized in that it is performed.
According to claim 2, As the step performed before the first step,
The first 1 to divide and store the n-bit factor A into the upper n/2 bits A_H and the lower n/2 bits A_L, and to divide and store the n-bit factor B into the upper n/2 bits B_H and the lower n/2 bits B_L. Method for accelerating multiplication on a 32-bit ARMv7-A processor, further comprising one step.
According to claim 3,
As a step performed between the first step 1-1 and the third step,
And a 2-1 step of transmitting the result of the two calculations of the first step to the NEON image operator, a multiplication acceleration method on a 32-bit ARMv7-A processor.

Images