
Efficient modular operations using the adapted modular number system

Abstract

The adapted modular number system (AMNS) is an integer number system which aims to speed up arithmetic operations modulo a prime p. Such a system is defined by a tuple \((p, n, \gamma , \rho , E)\), where p, n, \(\gamma \) and \(\rho \) are integers and \(E\in \mathbb {Z}[X]\). In El Mrabet and Gama (in: WAIFI, lecture notes in computer science, Springer, 2012) conditions required to build AMNS with \(E(X)=X^n + 1\) are provided. In this paper, we generalise their approach and provide a method to generate multiple AMNS for a given prime p with \(E(X)=X^n-\lambda \) and \(\lambda \in \mathbb {Z}{\setminus }\{0\}\). Moreover, we propose a complete set of algorithms without conditional branching to perform arithmetic and conversion operations in the AMNS, using a Montgomery-like method described in Negre and Plantard (in: Information security and privacy, 13th Australasian conference, ACISP 2008, Wollongong, Australia, 2008). We show that our implementation outperforms GNU MP and OpenSSL libraries. Finally, we highlight some properties of the AMNS which state that it could lead to a helpful countermeasure against some side-channel attacks.


References

  1. Abarzúa, R., Valencia, C., López, J.: Survey for performance and security problems of passive side-channel attacks countermeasures in ECC. Cryptology ePrint Archive, Report 2019/010 (2019)

  2. Antão, S., Bajard, J.C., Sousa, L.: RNS based elliptic curve point multiplication for massive parallel architectures. Comput. J. 55(5), 629–647 (2012)

  3. Bajard, J.C., Duquesne, S., Ercegovac, M.: Combining leak-resistant arithmetic for elliptic curves defined over \(\mathbb {F}_p\). Publications Mathématiques de Besançon. Algèbre et Théorie des Nombres, pp. 67–87 (2013). ISSN: 1958-7236

  4. Bajard, J.C., Eynard, J., Hasan, A., Zucca, V.: A full RNS variant of FV-like somewhat homomorphic encryption schemes. In: SAC 2016, Selected Areas in Cryptography. St. John’s, Newfoundland and Labrador, Canada (2016)

  5. Bajard, J.C., Imbert, L.: A full RNS implementation of RSA. IEEE Trans. Comput. 53(6), 769–774 (2004)

  6. Bajard, J.C., Imbert, L., Liardet, P.Y., Teglia, Y.: Leak resistant arithmetic. In: Workshop on Cryptographic Hardware and Embedded Systems CHES 2004. Cambridge (Boston), USA. Lecture Notes in Computer Science, pp. 62–75. Springer (2004)

  7. Bajard, J.C., Imbert, L., Plantard, T.: Modular number systems: beyond the Mersenne family. In: 11th International Workshop, Selected Areas in Cryptography, SAC 2004, Waterloo, Canada, pp. 159–169 (2004)

  8. Bajard, J.C., Imbert, L., Plantard, T.: Arithmetic operations in the polynomial modular number system. In: 17th IEEE Symposium on Computer Arithmetic (ARITH-17) 2005, Cape Cod, MA, USA, pp. 206–213 (2005). Extended (complete) version: https://hal-lirmm.ccsd.cnrs.fr/lirmm-00109201/document. Accessed 2 Jan 2020

  9. Baldi, M.: QC-LDPC Code-Based Cryptography. SpringerBriefs in Electrical and Computer Engineering. Springer, Berlin (2014)

  10. Barrett, P.: Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In: Odlyzko, A.M. (ed.) Advances in Cryptology—CRYPTO’86, pp. 311–323. Springer, Berlin (1987)

  11. Didier, L.S., Dosso, F.Y., El Mrabet, N., Marrez, J., Véron, P.: Randomization of arithmetic over polynomial modular number system. In: 26th IEEE International Symposium on Computer Arithmetic, vol. 1, pp. 199–206. Kyoto, Japan (2019). https://doi.org/10.1109/ARITH.2019.00048

  12. El Mrabet, N., Gama, N.: Efficient multiplication over extension fields. In: WAIFI. Lecture Notes in Computer Science, vol. 7369, pp. 136–151. Springer (2012)

  13. El Mrabet, N., Nègre, C.: Finite field multiplication combining AMNS and DFT approach for pairing cryptography. In: ACISP. Lecture Notes in Computer Science, vol. 5594, pp. 422–436. Springer (2009)

  14. Garner, H.L.: The residue number system. IRE Trans. Electr. Comput. EL 8(6), 140–147 (1959)

  15. Gathen, J.V.Z., Hartlieb, S.: Factoring modular polynomials. J. Symb. Comput. 26(5), 583–606 (1998)

  16. Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: International Workshop on Public Key Cryptography, pp. 199–211. Springer (2003)

  17. Granlund, T., et al.: GNU multiple precision arithmetic library 6.1.2 (2016). https://gmplib.org/. Accessed 2 Jan 2020

  18. Horner, W.G.: A new method of solving numerical equations of all orders, by continuous approximation. Philos. Trans. R. Soc. Lond. 109, 308–335 (1819)

  19. Johnston, A.M.: A generalized qth root algorithm. In: Proceedings of the Tenth Annual ACM-SIAM Symposium on Discrete Algorithms. SODA’99, Society for Industrial and Applied Mathematics, pp. 929–930 (1999)

  20. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography—an algebraic approach. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2001, pp. 377–390. Springer, Berlin (2001)

  21. Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) Advances in Cryptology—CRYPTO’96, pp. 104–113. Springer, Berlin (1996)

  22. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO. Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer (1999)

  23. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

  24. Mishra, B.: Algorithmic Algebra. Springer, Berlin (1993)

  25. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)

  26. Negre, C., Plantard, T.: Efficient modular arithmetic in adapted modular number system using Lagrange representation. In: Information Security and Privacy, 13th Australasian Conference, ACISP 2008, Wollongong, Australia, pp. 463–477 (2008)

  27. Plantard, T.: Arithmétique modulaire pour la cryptographie. Ph.D. thesis, Montpellier 2 University, France (2005)

  28. The OpenSSL Project: OpenSSL (1999). https://www.openssl.org/. Accessed 2 Jan 2020

  29. Shoup, V., et al.: NTL: a library for doing number theory (1990). https://www.shoup.net/ntl/. Accessed 2 Jan 2020

  30. Solinas, J., Fu, D.E.: Elliptic curve groups modulo a prime (ECP Groups) for IKE and IKEv2. RFC 5903 (2010). https://doi.org/10.17487/RFC5903. https://rfc-editor.org/rfc/rfc5903.txt. Accessed 2 Jan 2020

  31. Stein, W., et al.: SageMath (2005). http://www.sagemath.org/index.html. Accessed 2 Jan 2020


Acknowledgements

The authors would like to thank the referees for their constructive comments, which helped improve the quality of the paper.

Author information

Correspondence to Pascal Véron.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: List of prime numbers used for Table 3

  • \(p192 = 0xE06F20509A52674228D4F0701A08EB3B08C1714F0A93F719\)

  • \(p224 = 0xE886C555B533B33B037F4F356CB97E00B560DD1B5A9C252CCEAF301B\)

  • \(p256 = 0x8FFB5E3E4BD153C220C28FDBA587F9C23D454DBE31C17D0B44462E26684B46E5\)

  • \(p384 = 0xF3D1CD992E8EA43D29612F131C05A03215F247E92951AB3D741FEA820526FD185CDBEC7AEFC31F75BEA2D2F4F43D1547\)

  • \(p521 = 0x15683E5BD61DA4E3A10A95DE122E3B015FAC3F355F6360F33FA19D036CA02897BAF3D615ADAF6508A1E5B325B0345F39505A7B84ED01A8F913CA0D6395A9E135BE3\)

Appendix B: Examples of AMNS for different primes

In this section, we give some examples of the AMNS we used in Sect. 6.4.1 for our numerical experiments. All these AMNS have the common parameter \(\phi = 2^{64}\).

B.1 AMNS 1: 192-bit prime number

  • \(p = 0xE06F20509A52674228D4F0701A08EB3B08C1714F0A93F719\)

  • \(n = 4\)

  • \(\lambda = -1\)

  • \(\rho = 2^{51}\)

  • \(\gamma = 0x7AB09A124AA5065B2E20034E0D0FE3D0A5F2A276C33E2515\)

  • \(E(X) = X^4 + 1\)

  • \(M(X) = 0x4B3D12868945.X^3 - 0x924097D431D8.X^2 + 0x39B561D62725.X + 0xC580DC0A05E3\)

  • \(M'(Y) = 0x6E2B6D9BAF275F4F.Y^3 + 0x8F59D05762288B18.Y^2 + 0x69A1F846105E39CF.Y + 0xBEDE53CF67CF2747\)

B.2 AMNS 2: 224-bit prime number

  • \(p = 0xE886C555B533B33B037F4F356CB97E00B560DD1B5A9C252CCEAF301B\)

  • \(n = 4\)

  • \(\lambda = -2\)

  • \(\rho = 2^{60}\)

  • \(\gamma = 0x64892FE7A2B9E28E496952B025FE138C223826010F31C90E9354AFEF\)

  • \(E(X) = X^4 + 2\)

  • \(M(X) = -0x6A2300C9FAC40E.X^3 - 0xE12EC6DCB579A6.X^2 - 0x272839DE2E827E.X - 0x43419ADAFCFB61\)

  • \(M'(Y) = 0x7D4F705603D9CE42.Y^3 + 0xE0922181D0445FA6.Y^2 + 0x5A4FA29325678B32.Y + 0xDDDE890AB0458D59\)

B.3 AMNS 3: 256-bit prime number

  • \(p = 0x8FFB5E3E4BD153C220C28FDBA587F9C23D454DBE31C17D0B44462E26684B46E5\)

  • \(n = 5\)

  • \(\lambda = 2\)

  • \(\rho = 2^{55}\)

  • \(\gamma = 0x42559355ED8CAAA92688CE0A9322458EE43724D997327755F385B1901F25E507\)

  • \(E(X) = X^5 - 2\)

  • \(M(X) = -0x7F360937497B.X^4 - 0x45FB30302B149.X^3 - 0x1910C5989E6B8.X^2 - 0x28750BDCB9CA3.X + 0x3935AF11550E5\)

  • \(M'(Y) = 0x6AC1B8BE18685FC6.Y^4 + 0x1E8123E1FA66C4B2.Y^3 + 0x5C7430F9C82014D1.Y^2 + 0x33A24848D6BF6427.Y + 0xCC7C0CE54B67A803\)

B.4 AMNS 4: 384-bit prime number

  • \(p = 0xF3D1CD992E8EA43D29612F131C05A03215F247E92951AB3D741FEA820526FD185CDBEC7AEFC31F75BEA2D2F4F43D1547\)

  • \(n = 7\)

  • \(\lambda = 2\)

  • \(\rho = 2^{59}\)

  • \(\gamma = 0xA5C4FB2BBF7D447D0E58D14E3F440AD5C7A0BB773BCFA856914ED875B1A8B3DD5C6327E24B34890BDA7782DE3050EEC4\)

  • \(E(X) = X^7 - 2\)

  • \(M(X) = 0x2B70420C25B6F9.X^6 + 0x27597E8FAEFBA6.X^5 + 0x2A259AA4E719E1.X^4 + 0x12391F5D00D4A7.X^3 - 0x26AC55039EACFD.X^2 + 0x2747CE657C0F2D.X - 0x426A85C33ACE17\)

  • \(M'(Y) = 0x36E06AB70DC02E0C.Y^6 + 0x91EC3470F30AB1DD.Y^5 + 0x521BCB522168C88C.Y^4 + 0x51579EF6AC4A01C8.Y^3 + 0x7145B435BA15791A.Y^2 + 0xCCD28607261C6227.Y + 0x4E6A294F1FBE2093\)

B.5 AMNS 5: 521-bit prime number

  • \(p = 0x15683E5BD61DA4E3A10A95DE122E3B015FAC3F355F6360F33FA19D036CA02897BAF3D615ADAF6508A1E5B325B0345F39505A7B84ED01A8F913CA0D6395A9E135BE3\)

  • \(n = 10\)

  • \(\lambda = -2\)

  • \(\rho = 2^{57}\)

  • \(\gamma = 0x3BEB85F1AC84420C044C472B8845A1896C68ACD6C78773C9392B6CE871027BD5C333EF238A11733384E0A7318139218D99ADDCBB39694C1207938B6CA6789BC3B1\)

  • \(E(X) = X^{10} + 2\)

  • \(M(X) = -0x3D52F259CF52C.X^9 - 0x2F155A2F83CC6.X^8 + 0x3C5398A0AA3D2.X^7 - 0x6161944D2155C.X^6 + 0x92266960FE012.X^5 - 0x68DFAA2817992.X^4 - 0x996D8B98C7860.X^3 - 0x31E83951B9F38.X^2 + 0x3E716C4C0B2A4.X + 0x3304421CB90FD\)

  • \(M'(Y) = 0xBA9CFB5216CEA3CC.Y^9 + 0x4DD219C801C0DD06.Y^8 + 0x10DEC022F71CC8F2.Y^7 + 0x199161BB290DEE2C.Y^6 + 0x924D10687452E482.Y^5 + 0x7F6A883FEED1B396.Y^4 + 0x6923B242682C1CA0.Y^3 + 0x76FA75CEF1B36AC8.Y^2 + 0xBD1EDFD16FA95474.Y + 0xC7E79022CD8CD813\)

Appendix C: Examples of AMNS for the same prime

In Sect. 6.5.3, we said that the existence of many AMNS for a given prime could be used to randomise data. Here, we give three examples of AMNS for the prime \(p = 2^{255} + 95\). We also give representatives of three random elements of \(\mathbb {Z}/p\mathbb {Z}\) in these AMNS.

C.1 The AMNS

Common parameters:

  • \(p = 2^{255} + 95\)

  • \(\phi = 2^{64}\)

  • \(n = 5\)

C.1.1 AMNS 1

  • \(\lambda = 2\)

  • \(\rho = 2^{55}\)

  • \(\gamma = 0x4A11EC963214E75587B184AF9B09E8871D0DF5991483661DE2FF6BB1E251199C\)

  • \(E(X) = X^5 - 2\)

  • \(M(X) = 0x28AE865829ED0.X^4 + 0x3B47735E8CB55.X^3 - 0x1337D2969BC11.X^2 + 0x46647D3BC6C24.X - 0x2B2A32D7CA88B\)

  • \(M'(Y) = 0x705370302B557A79.Y^4 + 0xF4EF33F4C4A73DDD.Y^3 + 0x35A8B6E9AE5BB345.Y^2 + 0xB1EAB7F74DA8C6B4.Y + 0xF83A6F9196747A23\)

C.1.2 AMNS 2

  • \(\lambda = 4\)

  • \(\rho = 2^{56}\)

  • \(\gamma = 0x4FB25BB223F254D0EC52A2EE155F444C45582C268782AEE4D4E9FCA973434A6C\)

  • \(E(X) = X^5 - 4\)

  • \(M(X) = -0x38B51AD5722AE.X^4 + 0x53FB8DAF6F024.X^3 + 0x35A85724CB9CE.X^2 - 0x3D243A4DF4584.X - 0x117F860FE1135\)

  • \(M'(Y) = 0x403B2C2CE09E21F6.Y^4 + 0xB893AB63E6BC1344.Y^3 + 0x35C181058EB18F0E.Y^2 + 0xA4AED1FFC25D5C5C.Y + 0x6FC13791D5CE795D\)

C.1.3 AMNS 3

  • \(\lambda = -3\)

  • \(\rho = 2^{56}\)

  • \(\gamma = 0x1EBF5A56EC92F9F46C7F0870E5E3702D3E8383DEAF56E4B4C3D368BD0BF3BD40\)

  • \(E(X) = X^5 + 3\)

  • \(M(X) = -0x1C961F979254D.X^4 + 0x1D9EAFCB6057C.X^3 - 0x3CE080AECD314.X^2 - 0x539D41F2093E8.X + 0x709FEB927094\)

  • \(M'(Y) = 0x4C53B117C5A624FC.Y^4 + 0x6F5067DF289E2148.Y^3 + 0x4D82701329D99964.Y^2 + 0x1194DEB36C42D649.Y + 0x823B9BE066BDC6EC\)

C.2 The representatives

Here, we give representatives for three elements of \(\mathbb {Z}/p\mathbb {Z}\) in the preceding AMNS. Let \(w_1\), \(w_2\) and \(w_3\) be three elements of \(\mathbb {Z}/p\mathbb {Z}\), such that:

\(w_1 = 0x413F124E07F832A9615B0F4DF8839FB84654F83EFBE271109B37B5FF3C45F86B\)

\(w_2 = 0x1D52208BBA6F67BDAB73B52C108E35297D77D319A2B960774879AD379A9EFA2C\)

\(w_3 = 0x51D89683548C1AB20A5DD1B6ED40D275399CACB8099775C365EAB9E643D0188B\)

C.2.1 Representatives of \(w_1\)

Some representatives of \(w_1\) in the AMNS above are:

  • In AMNS 1: \(0x1D919BA97C9EE.X^4 + 0x8D2E4EA9D2522.X^3 + 0x387177645E956.X^2 + 0x8B7F74DE7D127.X + 0x7DDB08BBFB2D4\)

  • In AMNS 2: \(0xC2BDA39B9CAA.X^4 - 0x5C79DF0B874A7.X^3 + 0x38E436F97A141.X^2 + 0x83CD4D9F668F0.X + 0x889ED1F53B42\)

  • In AMNS 3: \(-0xE6E254EE2A56.X^4 + 0x1B69F43ED2D64.X^3 - 0x910A16595CB6C.X^2 + 0x3C2140E66E677.X + 0xDCAABE99C9D26\)

C.2.2 Representatives of \(w_2\)

Some representatives of \(w_2\) in the AMNS above are:

  • In AMNS 1: \(0x5D790C3E1A61C.X^4 + 0x70948EA695150.X^3 + 0xA169F530662D0.X^2 + 0xAF3DC447BD060.X + 0xDB6398B75B911\)

  • In AMNS 2: \(0x2C77ABDC5D961.X^4 - 0x829EAF67CA083.X^3 + 0xDFB7B8EBFB188.X^2 + 0xB64039D6B0FC.X - 0x8087A5968F930\)

  • In AMNS 3: \(-0x299A203AE211F.X^4 + 0xE944E22B7F0C.X^3 - 0x6E0B58CF0B1C4.X^2 + 0x54687E54FF785.X + 0x13E4F275D429CF\)

C.2.3 Representatives of \(w_3\)

Some representatives of \(w_3\) in the AMNS above are:

  • In AMNS 1: \(0x26CE79EBC2B79.X^4 + 0x58D977D7CBF80.X^3 + 0x8344B92319D5F.X^2 + 0x469C2152EEA87.X + 0xB6CE8E4FA85CF\)

  • In AMNS 2: \(0x37D32EF24504E.X^4 - 0x3D646DBF95505.X^3 + 0xA0F25DE041BA3.X^2 - 0x32F2DBD31EB84.X - 0xA65A7B1EB4B8A\)

  • In AMNS 3: \(-0x5E2A89914C89F.X^4 - 0x7EDD111585E3.X^3 - 0x3BAB02C97D067.X^2 - 0x20F6AFC3EC4DA.X + 0xFB824ADD2ECF8\)
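The parameter lists of Appendices B and C are only useful if one can check them. The following Python script is an added example (it is not the paper's code, nor part of the authors' implementation): it evaluates an AMNS polynomial at \(\gamma\) to recover the integer it represents, checks the relations an AMNS tuple has to satisfy (\(\gamma^n \equiv \lambda \pmod p\), \(M(\gamma) \equiv 0 \pmod p\), and the Montgomery-like convention \(M' \equiv -M^{-1} \pmod{E, \phi}\), which is assumed here), and runs the resulting coefficient reduction. The function names, the polynomial representation (lists of integers, lowest degree first) and the toy parameters at the end (p = 13, n = 2, \(\lambda = 3\), \(\phi = 256\)) are constructed for this example; the 255-bit values are AMNS 1 and the representative of \(w_1\) from Appendix C, as transcribed on this page.

```python
# Added example (not code from the paper): sanity checks for an AMNS tuple
# (p, n, lambda, gamma, E = X^n - lambda, M, M') and the Montgomery-like
# coefficient reduction the abstract refers to.  Polynomials are Python lists
# of ints, lowest degree first; Python's native big integers do all the work.
# Assumed convention (Negre-Plantard style): M' = -M^{-1} mod (E, phi).


def poly_eval(coeffs, x, p):
    """Horner evaluation of sum(coeffs[i] * x^i) modulo p: the integer an AMNS
    polynomial represents is its value at gamma."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def poly_mul_mod_e(a, b, n, lam):
    """Product in Z[X]/(X^n - lambda): a term of degree k >= n folds back onto
    degree k - n multiplied by lambda, because X^n = lambda modulo E."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] += ai * bj * lam
    return out


def check_amns(p, n, lam, gamma, m, m_prime, phi):
    """Return the three defining relations of the AMNS as booleans."""
    root_ok = pow(gamma, n, p) == lam % p             # E(gamma) = 0 mod p
    m_root_ok = poly_eval(m, gamma, p) == 0           # M(gamma) = 0 mod p
    prod = poly_mul_mod_e(m, m_prime, n, lam)         # M * M' mod (E, phi) == -1
    inv_ok = (prod[0] + 1) % phi == 0 and all(c % phi == 0 for c in prod[1:])
    return {"gamma_is_root_of_E": root_ok,
            "gamma_is_root_of_M": m_root_ok,
            "M_prime_is_minus_inverse_of_M": inv_ok}


def red_coeff(v, n, lam, m, m_prime, phi):
    """Montgomery-like coefficient reduction: returns R with
    R(gamma) = V(gamma) * phi^{-1} mod p and coefficients about phi times
    smaller than V's.  The divisibility check only guards against a wrong M'."""
    v = list(v) + [0] * (n - len(v))
    q = [c % phi for c in poly_mul_mod_e(v, m_prime, n, lam)]  # Q = V*M' mod (E, phi)
    t = poly_mul_mod_e(q, m, n, lam)                            # Q*M mod E
    r = []
    for vi, ti in zip(v, t):
        if (vi + ti) % phi:
            raise ValueError("V + Q*M not divisible by phi: M' is not -M^-1 mod (E, phi)")
        r.append((vi + ti) // phi)
    return r


# AMNS 1 and the representative of w_1 from Appendix C of the paper
# (transcribed from the page; coefficients listed here lowest degree first).
P_C = 2**255 + 95
GAMMA_C = 0x4A11EC963214E75587B184AF9B09E8871D0DF5991483661DE2FF6BB1E251199C
M_C = [-0x2B2A32D7CA88B, 0x46647D3BC6C24, -0x1337D2969BC11,
       0x3B47735E8CB55, 0x28AE865829ED0]
M_PRIME_C = [0xF83A6F9196747A23, 0xB1EAB7F74DA8C6B4, 0x35A8B6E9AE5BB345,
             0xF4EF33F4C4A73DDD, 0x705370302B557A79]
W1 = 0x413F124E07F832A9615B0F4DF8839FB84654F83EFBE271109B37B5FF3C45F86B
W1_IN_AMNS1 = [0x7DDB08BBFB2D4, 0x8B7F74DE7D127, 0x387177645E956,
               0x8D2E4EA9D2522, 0x1D919BA97C9EE]


def appendix_c_checks():
    """Run the relations on the paper's AMNS 1 (n = 5, lambda = 2, rho = 2^55,
    phi = 2^64) and confirm the listed polynomial evaluates to w_1 at gamma."""
    n, lam, rho, phi = 5, 2, 2**55, 2**64
    result = check_amns(P_C, n, lam, GAMMA_C, M_C, M_PRIME_C, phi)
    result["w1_representative_matches"] = poly_eval(W1_IN_AMNS1, GAMMA_C, P_C) == W1
    result["w1_coefficients_below_rho"] = all(abs(c) < rho for c in W1_IN_AMNS1)
    return result


if __name__ == "__main__":
    for name, ok in appendix_c_checks().items():
        print(f"{name}: {ok}")
    # Constructed toy AMNS (not from the paper): p = 13, n = 2, lambda = 3,
    # gamma = 4 (4^2 = 16 = 3 mod 13), phi = 256, M = X - 4, M' = 197X + 20.
    print(red_coeff([5, 3], 2, 3, [-4, 1], [20, 197], 256))  # [-1, 0]
```

Running the script prints one line per relation for the Appendix C parameters and then the reduced toy polynomial. In the toy case, \(V = 5 + 3X\) evaluates to 4 modulo 13 and the returned \(R = -1\) satisfies \(R(\gamma)\cdot\phi \equiv V(\gamma) \pmod{13}\), which is exactly the Montgomery invariant the reduction preserves; the same code path handles the 255-bit case because only the sizes of the integers change.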

Appendix D: Integer structures in GNU MP and OpenSSL

In this section, we give the integer structures of GNU MP and OpenSSL. These are the structures we used to compute the memory consumption figures in Table 6.

GNU MP mpz_t structure:

[Figure: C definition of the GNU MP mpz_t structure]

In the GNU MP mpz_t structure, there are 2 integers of type int and an array of type mp_limb_t. On the computer we used for our tests (see its features in Sect. 6.4), int is 32 bits wide and mp_limb_t is 64 bits wide. When computing memory consumption, we counted the 2 integers of type int as one 64-bit integer. For more details, see: https://gmplib.org/manual/Integer-Internals.html.

OpenSSL bignum_st structure:

[Figure: C definition of the OpenSSL bignum_st structure]

In the OpenSSL bignum_st structure, there are 4 integers of type int and an array of type BN_ULONG, which is 64 bits wide (on our computer). When computing memory consumption, we counted the 4 integers of type int as two 64-bit integers. For more details, see: https://linux.die.net/man/3/bn_internal.


Cite this article

Didier, L., Dosso, F. & Véron, P. Efficient modular operations using the adapted modular number system. J Cryptogr Eng (2020). https://doi.org/10.1007/s13389-019-00221-7


Keywords

  • Modular number system
  • Modular arithmetic
  • Side-channel countermeasure