37.3.4.10 Square

Purpose

The purpose of this service is to compute the square of a big number and optionally accumulate/subtract from a second big number.

Please note that this service uses an optimized implementation of the squaring. It also means that when the GF(2ⁿ) flag is set, the execution time will be smaller than when not set (in that case, the squaring execution time will still be smaller than for a standard multiplication).

The available options are as follows:

Work in the GF(2ⁿ) or in the standard integer arithmetic field
Add of a supplemental CarryOperand
Overlapping of the operands is possible, taking into account some constraints
Modular Reduction of the computation result

How to Use the Service

Description

This service provides the following (if not computing a modular reduction of the result):

R = [Z] ± (X² + CarryOperand)

Or (if computing a modular reduction of the result):

R = ([Z] ± (X² + CarryOperand))mod N

The service name for this operation is Square.

In these computations, the following data has to be provided:

R the result (pointed by {nu1RBase,2 *u2Xlength})
X one input number or GF(2n) polynomial (pointed by{nu1XBase,u2XLength})
Z one optional input number or GF(2n) polynomial (pointed by {nu1ZBase,2 *u2Xlength})
CarryOperand (provided through the CarryOptions and Carry values)

Important: Even if neither accumulation nor subtraction is specified, the nu1ZBase must always be filled and point to a Crypto RAM space. It this case, nu1ZBase can point to the same space as the nu1RBase.

If using the big modular reduction option, the Multiply operation is followed by a reduction (see Modular Reduction from Related Links). In this case, the length of Cns is 64 bytes.

If using the modular reduction option the Square operation is followed by a reduction (see Modular Reduction from Related Links). In this case the following parameters must be additionally provided:

N—the modulus (pointed by {nu1ModBase,u2Modlength +4}).
Cns—the reduction constant (pointed by {nu1CnsBase,u2Modlength +8})
- In case of big reduction option, the length of Cns is 64bytes.

Note:

The result buffer R must first be padded with zero bytes until its length is sufficient to perform the reduction (2*u2ModLength + 8) to be used by the Modular Reduction service as an input parameter.

The result of the reduction is written in the area X pointed by {nu1XBase, u2ModLength + 4}.

For example, if u2ModLength, u2XLength is 0x80 bytes, the length of the R space is 2*(u2ModLength + 4) = 0x108 bytes because of the constraints of modular reduction.

In case of Fast or Normalized Reduction, the length of the result is u2ModLength + 4 so 0x84 bytes. Thus, the zoneX has a length of 0x84 bytes (at least). The square of X provides a result of length 0x100 bytes in the zone R so the 8 MSB bytes previously must be previously padded with zero bytes (in offsets 0x100 to 0x107).

Parameters Definition

Table 37-30. Square Service Parameters
Parameter	Type	Direction	Location	Data Length	Before Executing the Service	After Executing the Service
u2Options	u2	I	–	–	Options (see below)	Options (see below)
Specific/Gf2n CarryIn	Bits	I	–	–	GF(2n) Bit and Carry In	–
Specific/CarryOut Zero Violation	Bits	I	–	–	–	Carry Out, Zero Bit and Violation Bit filled according to the result
nu1ModBase	nu1	I	Crypto RAM	u2ModLength + 4	Base of N	Base of N untouched
nu1CnsBase	nu1	I	Crypto RAM	u2ModLength + 8 or 64 bytes	Base of Cns	Base of Cns untouched
u2ModLength	u2	I	–	–	Length of N	Length of N
nu1XBase	nu1	I	Crypto RAM	u2XLength or u2ModLength + 4⁽¹⁾	Base of X	Base of X⁽²⁾
u2XLength	u2	I	–	–	Length of X	Length of X
nu1ZBase	nu1	I	Crypto RAM	2 * u2XLength	Base of Z	Base of Z
nu1RBase	nu1	I	Crypto RAM	2 * u2XLength	Base of R	Base of R⁽³⁾

Note:

In case of a reduction option is specified, the area X will be, if necessary, extended to u2ModLength + 4 bytes.
If Square is without reduction, X is untouched. If Square is with reduction, X is filled with the final result.
If Square is without reduction, R is filled with the final result. If Square is with reduction, R is corrupted.

Available Options

The options are set by the u2Options input parameter, which is composed of:

the mandatory Square operation option described in Table 37-31
the mandatory CarryOperand option described in Table 37-32 and Table 37-33
the facultative Modular Reduction option (see Modular Reduction from Related Links). If the Modular Reduction is not requested, this option is absent.

The u2Options number is calculated by an Inclusive OR of the options. Some Examples in C language are:

Operation: Square only without carry and without Modular Reduction
PUKCL(u2Options) = SET_MULTIPLIEROPTION(PUKCL_SQUARE_ONLY) | SET_CARRYOPTION(CARRY_NONE);
Operation: Square with addition with Specific/CarryIn addition and with Fast Modular Reduction
PUKCL(u2Options) = SET_MULTIPLIEROPTION(PUKCL_SQUARE_ADD) | SET_CARRYOPTION(ADD_CARRY) | PUKCL_REDMOD_REDUCTION | PUKCL_REDMOD_USING_FASTRED;

The following table lists all of the necessary parameters for the Square option. When the Addition or Subtraction option is not chosen it is not necessary to fill in the nu1ZBase parameter.

Table 37-31. Square Service Options
Option	Purpose	Required Parameters
SET_MULTIPLIEROPTION(PUKCL_ SQUARE_ONLY)	Perform R = X² + CarryOperand	nu1RBase, nu1ZBase, nu1XBase, u2XLength
SET_MULTIPLIEROPTION(PUKCL_ SQUARE_ADD)	Perform R = Z + X² + CarryOperand	nu1RBase, nu1ZBase, nu1XBase, u2XLength
SET_MULTIPLIEROPTION(PUKCL_ SQUARE_SUB)	Perform R = Z - (X² + CarryOperand)	nu1RBase, nu1ZBase, nu1Xlength, u2XLength

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;


// Gf2n and CarryIn shall be beforehand filled (with zero or one) 
PUKCL(Specific).Gf2n = ...;
PUKCL(Specific).CarryIn = ...; 

PUKCL(u2Option) =...;
// Depending on the option specified, not all fields must be filled 
PUKCL_Fmult(nu1XBase) = <Base of the ram location of X>; 
PUKCL_Fmult(u2XLength) = <Length of X>;
PUKCL_Fmult(nu1ZBase) = <Base of the ram location of Z>;

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(Square,pvPUKCLParam); 
if (PUKCL(u2Status) == PUKCL_OK)
            {
            // The Squaring has been executed correctly
            ...
            }
else // Manage the error

Important Considerations for Modular Reduction of a Square Computation

Note:

Additional options are available through the use of a modular reduction to be executed at the end of this operation. Some important considerations have to be taken into account concerning the length of resulting operands to get a mathematically correct result.

The output of this operation is not obviously compatible with the modular reduction as it may be either smaller or bigger. In the case (most of the time) the result (pointed by nu1RBase) is smaller in size than “twice the modulus plus one word” by one word, a padding word must be added to zero. Otherwise, the reduced value will be taken considering the high order words (potentially uninitialized) as part of the number, thus resulting in getting a mathematically correct but unexpected result.

In the case that the result is greater than twice the modulus plus one word, the modular reduction feature has to be executed as a separate operation, using an Euclidean division.

Constraints

When the options only indicate a square, the constraints involving nu1ZBase are not checked. The following conditions must be avoided to ensure that the service works correctly:

nu1XBase, nu1RBase or nu1ZBase are not aligned on 32-bit boundaries
{nu1XBase, u2XLength}, {nu1ZBase, 2*u2XLength} or {nu1RBase, 2*u2XLength} are not in Crypto RAM
u2XLength is either: < 4, > 0xffc or not a 32-bit length
{nu1RBase, 2*u2XLength} overlaps {nu1XBase,u2XLength}
{nu1RBase, 2*u2XLength} overlaps {nu1ZBase, 2*u2XLength} and nu1RBase >nu1ZBase

If a modular reduction is specified, the relevant parameters must be defined according to the chosen reduction and follow the description in Modular Reduction (see Modular Reduction from Related Links). Additional constraints to be respected and error codes are described in this section and in Table 37-49.

Multiplication with Accumulation or Subtraction

Where the options bits specify that either an Accumulation or a subtraction must be performed, this command performs the following operation:

R = (Z ± (X² + CarryOperand))mod B^{2 ˟
XLength}

Table 37-32. Multiplication with Accumulation or Subtraction
Option AND CARRYOPTIONS	CarryOperand	Resulting Operation
SET_CARRYOPTION(ADD_CARRY)	CarryIn	R = Z ± (X² + CarryIn)
SET_CARRYOPTION(SUB_CARRY)	- CarryIn	R = Z ± (X² - CarryIn)
SET_CARRYOPTION(ADD_1_PLUS_CARRY)	1 + CarryIn	R = Z ± (X² + 1 + CarryIn)
SET_CARRYOPTION(ADD_1_MINUS_CARRY)	1 - CarryIn	R = Z ± (X² + 1 - CarryIn)
SET_CARRYOPTION(CARRY_NONE)	0	R = Z ± (X²)
SET_CARRYOPTION(ADD_1)	1	R = Z ± (X² + 1)
SET_CARRYOPTION(SUB_1)	- 1	R = Z ± (X² - 1)
SET_CARRYOPTION(ADD_2)	2	R = Z ± (X² + 2)

Multiplication without Accumulation or Subtraction

Where the options bits specify that either an accumulation or a subtraction must be performed, this command performs the following operation:

R = (X² + CarryOperand)mod B^{2 ˟
XLength}

Table 37-33. Square Service Carry Settings
Option AND CARRYOPTIONS	CarryOperand	Resulting Operation
SET_CARRYOPTION(ADD_CARRY)	CarryIn	R = X² + CarryIn
SET_CARRYOPTION(SUB_CARRY)	- CarryIn	R = X² - CarryIn
SET_CARRYOPTION(ADD_1_PLUS_CARRY)	1 + CarryIn	R = X² + 1 + CarryIn
SET_CARRYOPTION(ADD_1_MINUS_CARRY)	1 - CarryIn	R = X² + 1 - CarryIn
SET_CARRYOPTION(CARRY_NONE)	0	R = X²
SET_CARRYOPTION(ADD_1)	1	R = X² + 1
SET_CARRYOPTION(SUB_1)	- 1	R = X² - 1
SET_CARRYOPTION(ADD_2)	2	R = X² + 2

Status Returned Values

Table 37-34. Square Service Return Codes
Returned status	Importance	Meaning
PUKCL_OK	–	Service functioned correctly