37.3.5.4 Modular Exponentiation (With CRT)

Purpose

The purpose of this service is to perform the Modular Exponentiation with the Chinese Remainders Theorem (CRT). This service processes integers in GF(p) only.

The options available for this service are:

  • Fast implementation
  • Regular implementation
  • Exponent is located in Crypto RAM or not
  • Exponent window size

How to Use the Service

Description

This service processes a Modular Exponentiation with the Chinese Remainder Theorem:

R = XDmod(N) with N = P *Q

Important: For this service, be sure to follow the directives given for the RSA implementation on the chip you use.

This service requires that the modulus N is the product of two co-primes P and Q and that the decryption exponents D is co-prime with the product ((P-1)*(Q-1)).

The Input data are P, Q, EP, EQ, Rvalue, and X. P and Q are the co-primes so that N = P*Q.

X is the number to exponentiate.

EP, EQ and Rval are calculated as follows:

EP = Dmod(P – 1) EQ = Dmod(Q – 1) Rval = P–1mod(Q)

In some cases, the decryption exponent D may not be available and the encryption exponent E may be available instead. The possibilities to calculate the parameters are:

  • Calculate D from E with the formula:

    D = E–1mod((P – 1) × (Q – 1))

  • Calculate the parameters from E:

    EP = E–1mod(P – 1) EQ = E–1mod(Q – 1) Rval = P–1mod(Q)

In this computation, the following parameters need to be provided:

  • X the input number (pointed by {nu1XBase,2*u2ModLength +16})
  • P and Q the primes (pointed by {nu1ModBase,2*u2ModLength +8}).
  • EP and EQ the reduced exponents (pointed by {pfu1ExpBase,2*u2ExpLength +8})
  • Rval and Precomp (pointed by{nu1PrecompBase,RAndPrecompLen})
  • Blinding the exponent blinding value (provided inu1Blinding)

The length RAndPrecompLen depends on the lengths and options chosen; its calculus is detailed in Options below.

The service for this operation is CRT.

Note: The minimum value for u2ModLength is 12 bytes. Therefore, the significant length of P or Q must be at least three 32-bit words.

Parameters Definition

The following table shows the parameter block for the CRT service.

Many parameters have complex placement in memory; therefore, detailed figures are provided in CRT Service Placement below.

Table 37-62. CRT Service Parameters
Parameter Type Direction Location Data Length Before Executing the Service After Executing the Service
u2Options u2 I Options (see below) Options (see below)
nu1ModBase nu1 I Crypto RAM 2*u2ModLength + 8 Base of P, Q Base of P, Q untouched
u2ModLength u2 I Length of P or Q greater than or equal to 12 Length of P or Q
nu1XBase(1) nu1 I Crypto RAM 2*u2ModLength + 16 Base of X

Base of X

Filled with the result
nu1PrecompBase nu1 I Crypto RAM See Options below Base of Rvalue and Pre computations workspace Corrupted
pfu1ExpBase(2) pfu1 I Any place 2*u2ExpLength + 8 Base of EP, EQ Base of EP, EQ untouched
u2ExpLength u2 I Significant length of EP or EQ Significant length of EP or EQ
u1Blinding(3) u4 I Exponent unblinding value Exponent unblinding value
Note:
  1. This zone contains the number to be exponentiated (u2ModLength bytes) and is used during the computations as a workspace (four 32-bit words longer than the number to be exponentiated). At the end of the computation, it contains the correct result of the operation.
  2. If the PUKCL_EXPMOD_EXPINPUKCCRAM option is not set, the location of the exponent MUST NOT be placed in the Crypto RAM, even partially.
  3. It is possible to mask the exponent in memory using a 32-bit XOR mask value. Be aware that not only the exponent, but also the supplemental spill word has to be masked. If masking is not desired, the parameter must be set to 0.

Options

Most of the CRT options configure the Modular Exponentiation steps of the CRT and so are very similar to the Fast Modular Exponentiation options.

The options are set by the u2Options input parameter, which is composed of:

  • the mandatory Calculus Mode Option described in Table 37-63
  • the mandatory Window Size Option described in Table 37-64
  • the indication of the presence of the exponent in Crypto RAM
Important: Please check precisely if one part of the exponent area (containing EP and EQ) is in Crypto RAM. If this is the case, the PUKCL_EXPMOD_EXPINPUKCCRAM option must be used.

The u2Options number is calculated by an “Inclusive OR” of the options. Some Examples in C language are:

  • Operation: CRT using the Fast Modular Exponentiation with the window size equal to 1 and with no part of the Exponent area in the Crypto RAM

    PUKCL(u2Options) = PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;

  • Operation:CRT using the Regular Modular Exponentiation with the window size equal to 2 and with one part the Exponent area in the Crypto RAM

    PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2 | PUKCL_EXPMOD_EXPINPUKCCRAM;

For this service, two exclusive Calculus Modes for the Modular Exponentiation steps of the CRT are possible. The following table describes the Calculus Mode Options.

Table 37-63. CRT Service Calculus Mode Options
Option Explanation
PUKCL_EXPMOD_FASTRSA Perform a Fast computation.
PUKCL_EXPMOD_REGULARRSA Performs a Regular computation, slower than the Fast version, but using regular calculus methods.

For this service, four window sizes for the Modular Exponentiation Steps are possible. The window size in bits is those of the windowing method used for the exponent.

The choice of the window size is a balance between the size of the parameters and the computation time:

  • Increasing the window size increases the precomputation workspace.
  • Increasing the window size reduces the computation time (may not be relevant for very small exponents). The length of the Rval and Precomp area depends on the window size W and u2ModLength.

The Rval and Precomp area length is:

RandPrecompLen = 4 * (u2ModLength + 4) + max(64 , 2(W-1) * (u2ModLength + 4)) + 8

Important: Please calculate precisely the length RandPrecompLen with the formula and the max() macro, which takes the maximum of two values.

The following table shows the size of the Rval and Precomp area, depending on the chosen window size option.

Table 37-64. CRT Service Window Size Options and Rval and Precomp Area Size
Option Specified Size of the Rval and Precomp Area (bytes) Precomputation Values
PUKCL_EXPMOD_WINDOWSIZE_1 4*(u2ModLength + 4) + max(64 , (u2ModLength + 4)) + 8 x
PUKCL_EXPMOD_WINDOWSIZE_2 4*(u2ModLength + 4) + max(64 , 2*(u2ModLength + 4)) + 8 x x3
PUKCL_EXPMOD_WINDOWSIZE_3 4*(u2ModLength + 4) + max(64 , 4*(u2ModLength + 4)) + 8 x x3 x5 x7
PUKCL_EXPMOD_WINDOWSIZE_4 10*(u2ModLength + 4) + max(64 , 8*(u2ModLength + 4)) + 8 x x3 x5 x7 x9 x11 x13 x15

The exponent area can be located in RAM or in the data space. If one part of the exponent area is in Crypto RAM this must be mandatory signaled by using the PUKCL_EXPMOD_EXPINPUKCCRAM option.

The following table describes this option.

Table 37-65. CRT Service Crypto RAM Option Exponent Area
Option Purpose
PUKCL_EXPMOD_EXPINPUKCCRAM The exponent area can be read from any data space of memory, including Crypto RAM. When at least one word the exponent is in Crypto RAM, this option has to be set.

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;


PUKCL(u2Option) =...;

// Depending on the option specified, not all fields must be filled PUKCL_CRT(nu1ModBase) = <Base of the ram location of P and Q>; PUKCL_CRT(u2ModLength) = <Length of P or Q>;
PUKCL_CRT(nu1XBase) = <Base of the ram location of X>; 
PUKCL_CRT(nu1PrecompBase) = <Base of the ram location of RVal and Precomp>; 
PUKCL_CRT(pfu1ExpBase) = <Base of the ram location of EP and EQ>; 
PUKCL_CRT(u2ExpLength) = <Length of EP or EQ>;
PUKCL_CRT(u1Blinding) = <Blinding value>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(CRT, pvPUKCLParam);
if (PUKCL_Param.Status == PUKCL_OK)
            {
            // operation has been performed correctly
            ...
            }
else // Manage the error

Constraints

The following conditions must be avoided to ensure that the service works correctly:

  • nu1ModBase, nu1XBase, nu1PrecompBase, pfu1ExpBase are not aligned on 32-bit boundaries
  • {nu1XBase, 2*u2ModLength + 16}, {nu1ModBase, 2*u2ModLength + 8},{nu1PrecompBase,<PrecompLength>} are not in Crypto RAM
  • {nu1ExpBase,2*u2ExpLength + 8} is not in Crypto RAM and PUKCL_EXPMOD_EXPINPUKCCRAM is specified
  • u2ModLength or u2ExpLength are either: < 4, > 0xffc or not a 32-bit length
  • None or both PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified.
  • {nu1XBase,2*u2ModLength + 16} overlaps with either: {nu1ModBase, 2*u2ModLength +8},{nu1PrecompBase, <PrecompLength>} or {pfu1ExpBase, 2*u2ExpLength + 8}
  • {nu1ModBase,2*u2ModLength + 8} overlaps with either: {nu1PrecompBase, <PrecompLength>} or {pfu1ExpBase, 2*u2ExpLength + 8}
  • {nu1PrecompBase, <PrecompLength>} overlaps {pfu1ExpBase, 2*u2ExpLength +8}

CRT Service Parameter Placement

The parameters’ placements are described in detail in the following figures.

Figure 37-2. Modulus P and Q in {nu1ModBase, 2*u2ModLength + 8}
Figure 37-3. Value X in {nu1XBase, 2*u2ModLength + 16}
Figure 37-4. Exponents EP and EQ in {fnu1ExpBase, 2*u2ExpLength + 8}
Figure 37-5. Value Rval and Precomp in {nu1PrecompBase, RandPrecompLen}

CRT Service Modular Exponentiation Maximum Size

The following table details the maximum size in bits of P or Q, of N and of EP or EQ.

  • The maximum size in bits of P or Q equals:

    <Max Size Bits P> = <Max Size Bits Q> = 8 * <Max u2ModLength bytes>

  • The maximum size in bits of N=P*Q equals:

    <Max Size Bits N> = 2 * <Max Size Bits P>

  • The maximum size in bits of EP or EQ equals:

    <Max Size Bits EP> = <Max Size Bits EQ> = 8 * <Max u2ExpLength bytes>

  • In case of the PUKCL_EXPMOD_EXPINPUKCCRAM option is specified, for the computation of the maximum acceptable size, it is assumed the Exponent is entirely in the Crypto RAM and its length equal the Modulus one.
  • Otherwise, the Exponent is entirely out of the Crypto RAM and so the computation do not depend on its length.
Table 37-66. CRT Service Maximum Sizes
Characteristics of the Operation P or Q Max Bit Sizes N Max Bit Sizes EP or EQ Max Bit Sizes
Exponent in Crypto RAM, 1 bit window 2912 5824 2912
Exponent in Crypto RAM, 2 bits window 2688 5376 2688
Exponent in Crypto RAM, 3 bits window 2464 4928 2464
Exponent in Crypto RAM, 4 bits window 2304 4608 2304
Exponent not in Crypto RAM, 1 bit window 3584 7168 <application dependent>
Exponent not in Crypto RAM, 2 bits window 3232 6464 <application dependent>
Exponent not in Crypto RAM, 3 bits window 2912 5824 <application dependent>
Exponent not in Crypto RAM, 4 bits window 2688 5376 <application dependent>

Status Returned Values

Table 37-67. CRT Service Return Codes
Returned Status Importance Meaning
PUKCL_OK Information Service functioned correctly