
BIT-SERIAL MODULO MULTIPLIER

Indexing terms: Information theory, Signal processing, Mathematical techniques, Modular arithmetic, Data encryption

A bit-serial modular multiplier is presented which uses a table look-up method to perform modular reduction. Since the clock frequency is independent of word length, this design is most useful when dealing with large integers, as is required by many modern cryptographic systems.

Introduction: One of the most interesting developments in the field of cryptology is that of public-key encryption [1]. In this scheme the cipher has two separate keys, one for encryption and a second for decryption. The encryption key can be stored in a public directory, allowing anyone to encrypt messages, which can then only be deciphered by the intended recipient who holds the decryption key. Although several public-key algorithms have been proposed, the predominant encryption technique in this area is the RSA [2] system. This algorithm is based on the modular exponentiation of very large integers, typically 512 bits long or more. When this system is implemented on general-purpose machines, the resulting data rates are disappointing in comparison with those obtained by conventional secret-key techniques. For example, a 512-bit modular exponentiation may take up to 30 s to complete on a 68000 [3], or 2.5 s on a TMS32010 [4]. To overcome this problem dedicated hardware is needed to carry out modular arithmetic on large integers. Reviews of existing hardware [5, 6] reveal that many designs perform modular multiplication using ripple adders for both multiplication and reduction. The carry propagation time in such designs becomes a limiting factor as the word length increases. One notable exception is the bit-serial design proposed by Brickell [7] in 1982, which has been reported as performing 512-bit modular exponentiation at a rate of 25 kbit/s. The design proposed here is also bit-serial, but differs from Brickell's in the way modulo reduction is performed.
Multiplication procedure: Modulo multiplication is performed most significant bit first according to the add-shift-reduce procedure described by Blakley [8] in 1983, but with the following modifications: (1) The intermediate product is allowed to grow by two bits each cycle. (2) At the end of the cycle, these upper bits are reset to zero. (3) The residue corresponding to the two reset bits is added to the intermediate product on the next cycle. The benefit of this approach is that it eliminates the need to compare the intermediate product with the modulus in order to perform modulo reduction. The operation simply involves decoding two bits to select the appropriate residue from a look-up table. That the intermediate reduction may be incomplete, in that after resetting the upper bits the remaining number may still be greater than the modulus, is of little practical consequence. Once the multiplication has ended, reduction is completed by subtracting the modulus, but because the word length has been constrained to two bits of growth, no more than seven subtractions of the modulus will be needed to do this.
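A software model of the procedure above, added here as an illustration and not part of the original letter or its hardware: the two overflow bits are reset each cycle, their residue is re-added on the next cycle from a three-entry table, and the bound of seven final subtractions follows from the last sum being below 2^(n+2) while N is at least 2^(n-1). The table is indexed by (u · 2^(n+1)) mod N because this model takes the shift before re-adding the reset bits; the letter does not fix where the shift is taken, so that placement is an assumption.

```python
import random

def residue_table(N, n):
    # Residues re-added for the two reset bits u in {0, 1, 2, 3}. In this
    # model the reset bits sit at weight 2^n and are shifted once more before
    # being re-added on the next cycle, so the table holds (u * 2^(n+1)) mod N
    # (an assumption about where the shift is taken; u = 0 needs no register).
    return [(u << (n + 1)) % N for u in range(4)]

def bit_serial_modmul(A, B, N):
    """Return ((A*B) mod N, number of final subtractions) using the
    add-shift-reduce scheme with two bits of growth and table reduction."""
    assert 0 <= A < N and 0 <= B < N
    n = N.bit_length()                # word length of the multiplier array
    mask = (1 << n) - 1
    R = residue_table(N, n)
    P, u = 0, 0                       # n-bit intermediate product, reset bits
    for i in range(n - 1, -1, -1):    # B examined MSB first, one bit per cycle
        b = (B >> i) & 1
        S = 2 * P + (A if b else 0) + R[u]   # shift, add A (or 0), add residue
        assert S < (1 << (n + 2))            # growth is at most two bits
        u, P = S >> n, S & mask              # reset upper bits, remember them
    # The last sum is congruent to A*B and is below 2^(n+2) <= 8N, so at most
    # seven subtractions of N are needed to complete the reduction.
    subs = 0
    while S >= N:
        S -= N
        subs += 1
    return S, subs

def worst_case_subtractions(N):
    """Exhaustively measure the final-subtraction count for a small modulus."""
    return max(bit_serial_modmul(a, b, N)[1] for a in range(N) for b in range(N))

def check_random(bits, trials=20, seed=1):
    """Compare against Python's own (A*B) % N on random full-length odd moduli."""
    rng = random.Random(seed)
    for _ in range(trials):
        N = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        A, B = rng.randrange(N), rng.randrange(N)
        r, subs = bit_serial_modmul(A, B, N)
        if r != (A * B) % N or subs > 7:
            return False
    return True
```

For a 5-bit modulus such as N = 23 (the size of the cascaded array in Fig. 2), `worst_case_subtractions` confirms the seven-subtraction bound over every operand pair.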

Hardware design: The basic multiplier cell to compute A * B modulo N can be seen in Fig. 1. The multiplier B is examined most significant bit first and the first adder adds the multiplicand A to the array if the bit is set. If the bit is not set then zero is added. The second adder then adds the residue C, selected from the look-up table, and outputs the sum and carry to two latches. Fig. 2 shows how five basic cells are cascaded to form a 5-bit modular multiplier. Three registers are needed to store the residues, and an adder and accumulator to add the sums and carries at the end of the multiplication and subtract the modulus N to complete the reduction. Once the sums and carries stored in the array have been added, the next multiplication can proceed in parallel with the subtractions.

Performance estimation: Since the final subtractions can be carried out in parallel with the next multiplication, the time taken to complete an N-bit modular multiply is simply N clock cycles. The bit-serial nature of this design means that the clock frequency will be independent of the word length and limited only by the delay through a single cell. Thus the time for an N-bit exponentiation using the square and multiply algorithm [9], with concurrent squaring and multiplying, will be N² times the delay through one cell. Assuming a delay of roughly 40 ns through each cell, the time for a 512-bit exponentiation will be 10 ms and the data rate 50 kbit/s. A modular arithmetic ASIC is currently being designed using this technique, and prototypes are expected to be tested within the next few months.

Summary: An architecture for bit-serial modular multiplication has been presented which uses a look-up table to perform modulo reduction. It is estimated that this structure can achieve data rates of up to 50 kbit/s for 512-bit modular exponentiation, and a semicustom IC is currently being fabricated to test the design.
A. TOMLINSON
Department of Electrical Engineering, University of Edinburgh, King's Buildings, Edinburgh EH9 3JZ, United Kingdom. 9th October 1989

References

1 DIFFIE, W., and HELLMAN, M. E.: 'New directions in cryptography', IEEE Trans., 1976, IT-22, pp. 644-654
2 RIVEST, R. L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining digital signatures and public key cryptosystems', Commun. ACM, 1978, 21, pp. 120-126
3 RANKINE, G.: 'THOMAS-a complete single chip RSA device', in ODLYZKO, A. M. (Ed.): 'Advances in cryptology-Proc. of Crypto '86' (Lecture Notes in Comput. Science, Springer-Verlag, 1987, 263), pp. 480-487
4 BARRETT, P.: 'Implementing the Rivest, Shamir and Adleman public key encryption algorithm on a standard digital signal processor', ibid., 1987, pp. 311-323
5 RIVEST, R. L.: 'RSA chips (past/present/future)', in BETH, T., COT, N., and INGEMARSSON, I. (Eds.): 'Advances in cryptology-Proc. Eurocrypt 84' (Lecture Notes in Comput. Sci., Springer-Verlag, 1985), pp. 159-165
6 DIFFIE, W.: 'The first ten years of public-key cryptography', Proc. IEEE, 1988, 76, pp. 560-577
7 BRICKELL, E. F.: 'A fast modular multiplication algorithm with application to two key cryptography', in SHERMAN, A. T. (Ed.): 'Advances in cryptology-Proc. Crypto '82' (Plenum Press, 1983), pp. 51-60
8 BLAKLEY, G. R.: 'A computer algorithm for calculating the product AB modulo M', IEEE Trans., 1983, C-32, pp. 497-500
9 KNUTH, D. E.: 'Semi-numerical algorithms', in 'The art of computer programming, vol. 2, 2nd edn.' (Addison-Wesley, Reading, MA, 1981), pp. 441-442

1664

ELECTRONICS LETTERS 23rd November 1989 Vol. 25 No. 24
