VHDL for RSA Public Key System

Transcription

1 VHDL for RSA Public Key System Rui He, Jie Gu, Liang Zhang, Cheng Li Engineering and Applied Science Memorial University of Newfoundland St. John s, NL, Canada, A1B3X5 {ruihe, jiegu, lzhang, Abstract The RSA system is widely employed and achieves good performance and high security. In this paper, we use VHDL to implement a 64-bit RSA block cipher system. The whole implementation includes three parts: key generation, encryption and decryption process. The key generation stage aims to generate a pair of public key and private key, and then the private key will be distributed to receiver according to certain key distribution schemes. Data security is achieved after the 64-bit input data are block encrypted by RSA public key. The cipher text can be decrypted at receiver side by RSA secret key. In our design, we realize several good features. First, this cryptosystem system is scalable. We use generic map in VHDL which make the block size easily be extended to 128-bit or even 1024-bit. Second, we design the encryption and decryption with a constant processing time interval which can prevent the time analysis attack. 1. Introduction The first public key scheme was developed in 1977 [1] by Ron Rivest, Adi Shamir, and Len Adleman at MIT. Now Rivest-Shamir-Adleman (RSA) is the most widely accepted and implemented public key cryptosystem. The public key system is based on using different keys, one key for encryption and a different but related key for decryption. RSA algorithms are a well known NP complete problem that it is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key. The whole process involves computing the remainder after exponential and modular operation of large number. Encryption and decryption have the following form, for some plaintext block M and cipher text block C: C = M Kp mod n M = C Ks mod n Generally, it includes a third party to generate a pair of public key and to distribute keys to transmitter and receiver. Transmitter and receiver should both know the value of n. The transmitter has the knowledge of public key Kp, and only the receiver knows the private key Ks. Thus, a public key of (Kp, n) and secret key (Ks, n) generated by third party is distributed to transmitter and receiver separately. For this algorithm to be satisfactory for public-key encryption, the following requirements must be met: 1. It is possible to find values of e, d, n that M Ks*Kp mod n = M 1 for all M < n. 2. It is relatively easy to calculate M Kp mod n and C Ks for all values of M < n. 3. It is infeasible to determine Ks given Kp and n. 2 Implementation of RSA The following step is taken to implement the RSA public key scheme: 1. Choose two large prime numbers, p and q. Let n=p*q, Let Ф(n) = (p-1)*(q-1). 2. Randomly choose a value Kp (1< Kp < Ф(n)), which is relative prime to Ф(n) that gcd (Kp, Ф(n)). 3. Calculate Ks Kp -1 mod Ф(n), send public key (Kp, n) to transmitter and secret key (Ks, n) to receiver. 4. Transmitter encrypt the original message, C=M Kp mod n, then send cipher text to receiver. 5. Receiver decrypt cipher text by M=C Ks mod n and retrieve the original message. 1

2 Therefore, in the total three steps of RSA implementation, we mainly require three algorithms. 1. Miller-Robin test to find two large prime numbers. (Step1) 2. Extended Euclidean algorithm to calculate private key Ks, which is multiplicative inverse Ф(n). (Step 3) 3. Fast integer exponent (square and multiply) algorithm. (Step 5, 6), which is critical for time consideration. 2.1 Miller- Robin test Miller-Robin test is a primarily testing algorithm to determine an integer n is composite number or prime number. The probability that an odd integer value < N is a prime number is 2/lnN. The implementation algorithm is described as following: 1. Find integer k, q with k>0, q is odd so that (n-1) =2 k *q. 2. Select random integer a, 1< a < n Z a q mod n 4. If Z=1 then return (true) test A. 5. For j=1 to k do 6. If Z= (n-1) mod n then return (true) test B. 7. If testa and testb are both false, then the integer number must be composite, otherwise it may be a prime number or a composite number. If we choose the integer randomly, the probability that the integer is composite with roughly (0.25) t where t is the number of tests. Since the random number generator and Miller-Robin test may take some time in hardware implementation, in our implementation we use java to generate two large prime numbers, which are both 32 bits long. 2.2 The Euclidean algorithm and extended Euclidean algorithm Euclidean algorithm After Ф(n) have been calculated, we randomly choose a number Kp which satisfies the condition that Kp is less than Ф(n) and greater than 1, and calculate gcd (Ф(n), Kp) = 1 to make sure there exits one and only one multiplicative inverse Ks. The implementation algorithm described as following: 1. First we generate two positive integers a, b, and also have i = If a and b are both even number, then a <= a/2, b <= b/2, i <= i If a is odd number and b is even number, then b <= b/2; 4. If a and b are both odd number, then a <= b, b <= abs (a-b), and if a and b are not equal, go back to step 2, 5. Finally, if a and b are equal, then we get the gcd (a, b) = a * 2^i. (In the hardware, the divide 2 operation can be simply implemented by as shifting the number to right for 1 bit) The extended Euclidean algorithm After we get the public key Kp, we should find the multiplicative inverse Ks of Kp and Ф(n) which means Ks*Kp mod Ф(n) =1. So we use the extended Euclidean algorithm to calculate the multiplicative inverse. The implementation algorithm described as following: 1. We have two nonzero integer x and y, and let a2 = x, a1= 1, a0 = 0, b2 = y, b1 = 0, b0=1, 2. q <= x / y, r <= x mod y, 3. If r is not equal to 0, then a2 <= b2; b2 <= r; a1 <= a2; b1 <=b2; a2 <= a1 - q * a2; b2 <= t - q * b2; then back to step If r is equal to 0, then we get the formula x*b1 + y*a1 = b2. In this formula, b1 is the multiplicative inverse of y to x, and b a1 is the multiplicative inverse of x to y, b2 is the gcd of x and y. 2.3 Fast exponent algorithm In of RSA scheme: Encryption process: C=M Kp mod nstep6: Decryption process: M=C Ks mod n M stands for the plaintext, C stands for the ciphertext, K p is the public key, K s is the private key and n stands for a large composition number of two prime numbers. In order to compute the exponentiation efficiently, the exponentiation operation can be replaced by the several steps of multiple and modular operation. For example, X 23 mod n = (X 16 *X 4 *X 2 *X 1 ) mod n According to the modular arithmetic and number theory, above equation can be expressed by several rounds of multiply and modular operation. X 23 mod n = (X 16 mod n) *(X 4 mod n)*(x 2 mod n)*(x 1 mod n) mod n For example, calculate x 26 mod n. B=23=10111 (bin) round = 5 i=4, z x mod n b4=1 i=3, z z 2 mod n b3=0; i=2, z z 2 mod n b2=1; z z*x mod n 2

3 i=1, z z 2 mod n b1=1; z z*x mod n i=0, z z 2 mod n b0=1; z z*x mod n 3 VHDL implementation 3.1 Top-down design In our design, we separate the whole system into three parts according to three different algorithms. 1. Miller-Robin test, we use java to generate two large prime numbers p and q which are both 32-bit integers, generating a file called prime.txt. 2. Reading prime.txt, calculating the composite number n=p*q, ф (n) = (p-1)*(q-1), Kp and Ks, generating a file called keys.txt, where n, ф (n) is 64-bit. Kp and Ks are less than 64-bit integer but extended to 64-bit. 3. Reading keys.txt and message.txt, calculating C=M Kp mod n, generating file cipher.txt. 4. Reading cipher.txt, calculating M=C Ks mod n and generating file plain.txt, comparing the content of plain.txt and message.txt, verifying the results. 3.2 Bottom-up implementation The extended Euclidean algorithm After the two prime numbers p and q have been tested. We can begin to calculate the composite number n, the public key Kp, and the private key Ks. The implementation of the RSA datapath is showed as follows: particular, Fibonacci LFSR was implemented because it is more suitable for hardware implementation than Galios LFSR. In theory, an n-bit linear feedback shift register can generate a (2 n -1)-bit long pseudo random sequence before repeating [2]. So for simply reasons, we just use the formula x^63 + x ^17+1 to generate the random number. And when we design the following part which is the GCD part in the design, we modified the LFSR a little to ensure the first bit is always 0 and the last bit is always 1.In that case, we can make sure the random number is always odd. The purpose is to is simplify the algorithm and get the right Kp faster because Ф(n) is originally even before we apply the modified LFSR. 4. The register after LFSR is to store the random number e1; first input the Ф (n) and e1 to a 64-bit divider and output reminder is e2 in order to ensure e2 is less than Ф (n). 5. Test1 is to check whether e2 is equal to zero. If it is zero or 1, we choose Ф (n) / as the new output number e3. This is to make sure the e3 is greater than The datapath of the gcd part is shown in the Figure 2. After the change in the part2, we only deal with the situation of one even number and one odd number so that we do not need the integer any more. in this situation, we require two shift registers and the abs component to calculate the absolute value of that x y. However we can only test the number to see if the gcd is greater than 1 of these two numbers. We still have to design a component called test2 to deal with number to get the right one. The inputs of this component are e3 and Ф (n), and the output is e4. Figure 1 the datapath of the implementation 1. Generating a 64-bit composite number n by multiplying two unsigned 32-bit inputs p and q. 2. Calculating Ф(n) = (p-1) and (q -1) (? Make sure the expression is correct) by 32*32 multiplier and two substractor, where Ф(n) is always even. 3. To make the public key Kp randomly, we design a linear feedback register. Linear Feedback Shift Register (LFSR) is used to generate pseudo random numbers. In Figure 2 GCD datapath 7. The test 2 part is used to check if the number e4 is the right one. When the gcd is 1, we can set the e4 as the right output Kp. If the gcd is not 1, we just subtract the e4 by 2, as the new input of the gcd part. And one problem should be noticed, if e4 is 3, we should use add instead of subtract to prevent the e4 goes to 1. In practice this strategy works well. We have tested in common cases, and 3

4 it only needs 1 or 2 recalculate to get the right Kp. In this part, the state machine design is very important because we should consider about several different situations. We have spent lots of time to design the state diagram, and sometimes we figure out that inserting one waiting state to delay outputs is necessary for smoothing the state transactions. 8. The extended Euclidean algorithm is implemented in the EEA part. First we input the Kp and Ф(n) to the eea component. We have modified the algorithm as we have been mentioned before. Because we only need one multiplier inverse, we do not need to calculate b1, b0 except for the situation where gcd = 1. The problem we met here is the clock cycle management. The divider and the multiplier have a small clock, and the FSM should have a large clock cycle because it needs to wait for the result and then do the next operation. To solve this problem, we design the ocl components to generate different kinds of clock cycle. This strategy has other benefits in the whole implementation. We design an ocl (shown in the attach codes) components to generate different clock cycles so that the divided parts can operate under different clock cycles. And we can design it in asynchronies mode which means the output changes when the input changes. This setting is reasonable and gives us convenient to ignore the effect of the different clock cycles. derived from the two inputs multiplexer. Inside mulmod, clock cycle is set to which make the 64-bit multiplier operation finish in 128 ns and set muldone flag. Figure 4 Fast exponent algorithm datapath 2. The 128-bit product is stored in a 128-bit register. 3. The 128-bit product is input to divider-128 as dividend. The other input is 128-bit n with the highest 64 zeros. The total operation time for 128-bit divider operation is around 260 ns [3]. Thus, the total operation time for each round is around 400 ns or 800 ns which depend on the whether it executes a square operation or square and multiplies operation. Therefore, we set the large clock to 1 second which ensures the result of each round operation is correct. In addition, this setting of set a constant interval can prevent the time analysis attack. Figure 5 Mulmod component 4 conclusion Figure 3 the extended Euclidean datapath The other small thing is that in this algorithm we have the signed number, so we need to add a positive component to get the positive number by adding the result with the Ф (n) Fast exponent algorithm MULMOD component MULMOD is the critical component to perform rounds of multiply and modular operation. 1. One input to multiplier64 is remainder z and the other is either 64-bit plaintext m or remainder z which is In our VHDL implementation of RSA, we have implemented GCD algorithm in binary system simply. In the practice the strategy works well. We can gain more security than the other strategy because we use the random numbers. And our implementation can easily extend to large bits such as 256 or 1024 or even longer. Meanwhile, there are several limitations in our system. First, we use RSA to realize block cipher, the plaintext, ciphertexts and keys have length limitations. Second, since we use constant intervals in the calculation, the system will always take some time even when there is no data operation. 4

5 Bibliography: [1] William Stallings, Cryptography and Network Security Principles and Practices, 4 th.ed., Prentice Hall, Nov., [2] P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis", Proc. Advances in Cryptology (CRYPTO 99), pp , [3] T. Messerges, E. Dabbish, and R. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers, vol.51, pp , May