37.3.5.2 Modular Exponentiation (Without CRT)

Purpose

This service is used to perform the Modular Exponentiation computation. This service processes integers in GF(p) only.

The options available for this service are:

  • Fast implementation
  • Regular implementation
  • Exponent is located in Crypto RAM or not in Crypto RAM
  • Exponent window size

How to Use the Service

Description

Important: Before using these functions, ensure that the constant Cns has been calculated with the Setup of the Modular Reductions service.

This service processes the following operation:

    R = X^Exp mod N

The service name for this operation is ExpMod.

In this computation, the following parameters need to be provided:

  • X: input number (pointed by {nu1XBase, u2ModLength + 16})
  • N: modulus (pointed by {nu1ModBase, u2ModLength + 4})
  • Exp: exponent (pointed by {pfu1ExpBase, u2ExpLength + 4})
  • Cns: Fast Modular Constant (pointed by {nu1CnsBase, u2ModLength + 8})
  • Precomp: precomputation workspace (pointed by {nu1PrecompBase, PrecompLen})
  • Blinding: exponent blinding value (provided in u1Blinding)

The length PrecompLen depends on the lengths and options chosen; its computation is detailed in Options below.

Note: The minimum value for u2ModLength is 12 bytes. Therefore, the significant length of N must be at least three 32-bit words.

Parameters Definition

Table 37-50. ExpMod Service Parameters

Parameter | Type | Direction | Location | Data Length | Before Executing the Service | After Executing the Service
u2Options | u2 | I | - | - | Options (see below) | Options (see below)
nu1ModBase | nu1 | I | Crypto RAM | u2ModLength + 4 | Base of N | Base of N untouched
nu1CnsBase | nu1 | I | Crypto RAM | u2ModLength + 8 | Base of Cns | Base of Cns untouched
u2ModLength | u2 | I | - | - | Length of N | Length of N
nu1XBase(1) | nu1 | I | Crypto RAM | u2ModLength + 16 | Base of X | Base of X, filled with the result
nu1PrecompBase | nu1 | I | Crypto RAM | See below | Base of Precomp as a workspace | Base of Precomp, workspace corrupted
pfu1ExpBase(2) | pfu1 | I | Any place(3) | u2ExpLength + 4 | Base of the Exponent | Base of the Exponent untouched
u2ExpLength(4) | u2 | I | - | - | Significant length of Exponent | Significant length of Exponent
u1Blinding(5) | u1 | I | - | - | Exponent unblinding value | Exponent unblinding value untouched
Note:
  1. This zone contains the number to be exponentiated (u2ModLength bytes) and is used during the computations as a workspace (four 32-bit words longer than the number to be exponentiated). At the end of the computation, it contains the correct result of the operation.
  2. The exponent must be given with a supplemental word on the LSB side (low addresses). This word shall be set to zero.
  3. If the PUKCL_EXPMOD_EXPINPUKCCRAM option is not set, the location of the exponent MUST NOT be the Crypto RAM, even partially.
  4. The u2ExpLength parameter does not take into account the supplemental word needed on the LSB side of the exponent.
  5. It is possible to mask the exponent in memory using an 8-bit XOR mask value. Be aware that not only the exponent, but also the supplemental word has to be masked. If masking is not desired, then this parameter must be set to 0.

Options

The options are set by the u2Options input parameter, which is composed of:

  • the mandatory Calculus Mode Option described in Table 37-51
  • the mandatory Window Size Option described in Table 37-52
  • the indication of the presence of the exponent in Crypto RAM

Note: Check carefully whether any part of the exponent is in Crypto RAM. If this is the case, PUKCL_EXPMOD_EXPINPUKCCRAM must be used.

The u2Options number is calculated by an “Inclusive OR” of the options. Some examples in C language are:

  • Operation: Fast Modular Exponentiation with the window size equal to 1 and with no part of the Exponent in the Crypto RAM

    PUKCL(u2Options) = PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;

  • Operation: Regular Modular Exponentiation with the window size equal to 2 and with one part of the Exponent in the Crypto RAM

    PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2 | PUKCL_EXPMOD_EXPINPUKCCRAM;

There is no difference in the final result whichever options are used for this service. The choice has to be made according to the available resources (RAM, time) and also taking into account the expected security level.

For this service, two exclusive Calculus Modes are possible. The following table describes the Calculus Mode Options.

Table 37-51. ExpMod Service Calculus Mode Option

Option | Explanation
PUKCL_EXPMOD_FASTRSA | Performs a Fast computation
PUKCL_EXPMOD_REGULARRSA | Performs a Regular computation, slower than the Fast version, but using Regular calculus methods

For this service, four window sizes are possible. The window size, in bits, is that of the windowing method applied to the exponent.

The choice of the window size is a balance between the size of the parameters and the computation time:

  • Increasing the window size increases the precomputation workspace.
  • Increasing the window size reduces the computation time (may not be relevant for very small exponents).

The following table details the size of the precomputation workspace, depending on the chosen window size option.

Table 37-52. ExpMod Service Window Size Options and Precomputation Space Size

Option specified | Size of the PrecompBase Workspace (bytes) | Content of the Workspace
PUKCL_EXPMOD_WINDOWSIZE_1 | 3*(u2ModLength + 4) + 8 | x
PUKCL_EXPMOD_WINDOWSIZE_2 | 4*(u2ModLength + 4) + 8 | x, x^3
PUKCL_EXPMOD_WINDOWSIZE_3 | 6*(u2ModLength + 4) + 8 | x, x^3, x^5, x^7
PUKCL_EXPMOD_WINDOWSIZE_4 | 10*(u2ModLength + 4) + 8 | x, x^3, x^5, x^7, x^9, x^11, x^13, x^15

The exponent can be located in RAM or in the data space. If any part of the exponent is in Crypto RAM, this must be signaled by using the option PUKCL_EXPMOD_EXPINPUKCCRAM.

The following table describes this option.

Table 37-53. ExpMod Service Exponent in Crypto RAM Option

Option | Purpose
PUKCL_EXPMOD_EXPINPUKCCRAM | The exponent can be read from any data space of memory, including Flash, RAM or even Crypto RAM. When at least one word of the exponent is in Crypto RAM, this option has to be set.

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;

// Calculus mode, window size and exponent location, ORed together (see Options)
PUKCL(u2Options) = ...;

// Depending on the option specified, not all fields must be filled
PUKCL_ExpMod(nu1ModBase) = <Base of the ram location of N>;
PUKCL_ExpMod(u2ModLength) = <Length of N>;
PUKCL_ExpMod(nu1CnsBase) = <Base of the ram location of Cns>;
PUKCL_ExpMod(nu1XBase) = <Base of the ram location of X>;
PUKCL_ExpMod(nu1PrecompBase) = <Base of the ram location of Precomp>;
PUKCL_ExpMod(pfu1ExpBase) = <Base of the location of Exp>;
PUKCL_ExpMod(u2ExpLength) = <Length of Exp>;
PUKCL_ExpMod(u1Blinding) = <8-bit XOR mask applied to Exp and its supplemental word, or 0>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library...
vPUKCL_Process(ExpMod, pvPUKCLParam);
if (PUKCLParam.Status == PUKCL_OK)
{
    // operation has been performed correctly; X now holds R = X^Exp mod N
    ...
}
else
{
    // Manage the error
    ...
}

Constraints

The following combinations of input values must be avoided in the case of a modular reduction ‘alone’, meaning that it has not been requested as an option of any other command:

  • nu1ModBase, nu1CnsBase, nu1XBase, nu1PrecompBase, nu1ExpBase are not aligned on 32-bit boundaries
  • {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8}, {nu1XBase, u2ModLength + 16}, {nu1PrecompBase, <PrecompLength>} are not in Crypto RAM
  • {nu1ExpBase, u2ExpLength + 4} has no part in Crypto RAM and PUKCL_EXPMOD_EXPINPUKCCRAM is specified
  • u2ModLength or u2ExpLength are either: < 4, > 0xffc or not a 32-bit length
  • None or both of PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified
  • {nu1PrecompBase, <PrecompLength>} overlaps with either: {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8}, {nu1XBase, u2ModLength + 16} or {nu1ExpBase, u2ExpLength + 4}
  • {nu1XBase, u2ModLength + 16} overlaps with either: {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8} or {nu1ExpBase, u2ExpLength + 4}
  • {nu1ModBase, u2ModLength + 4} overlaps {nu1CnsBase, u2ModLength + 8}
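The following helper is an added example, not part of the PUKCL library or of this datasheet. It computes PrecompLen from Table 37-52, applies the length checks from the Constraints list and the 12-byte minimum modulus note, and builds the exponent image described in notes 2 and 5 of Table 37-50 (zero supplemental word on the LSB side, whole buffer XOR-masked with u1Blinding). The window size is passed as a plain width in bits because the numeric values of the PUKCL_EXPMOD_WINDOWSIZE_x constants are not given here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added helper, not library code. The window is given as its width in bits (1..4)
 * rather than as a PUKCL_EXPMOD_WINDOWSIZE_x constant (assumption: caller maps it). */

/* Size in bytes of the Precomp workspace, from Table 37-52. Returns 0 for an
 * unsupported window width. */
size_t expmod_precomp_len(unsigned window_bits, uint16_t u2ModLength)
{
    size_t unit = (size_t)u2ModLength + 4;
    switch (window_bits) {
    case 1:  return 3 * unit + 8;   /* workspace holds x */
    case 2:  return 4 * unit + 8;   /* x, x^3 */
    case 3:  return 6 * unit + 8;   /* x, x^3, x^5, x^7 */
    case 4:  return 10 * unit + 8;  /* x, x^3, ..., x^15 */
    default: return 0;
    }
}

/* Length constraints: both lengths must be >= 4, <= 0xffc and a whole number of
 * 32-bit words; the modulus additionally needs at least 12 bytes (three words). */
int expmod_length_ok(uint16_t u2ModLength, uint16_t u2ExpLength)
{
    if (u2ModLength < 12 || u2ModLength > 0xffc || (u2ModLength & 3u)) return 0;
    if (u2ExpLength < 4  || u2ExpLength > 0xffc || (u2ExpLength & 3u)) return 0;
    return 1;
}

/* Build the u2ExpLength + 4 byte image expected at pfu1ExpBase: a zero 32-bit word
 * at the low addresses (LSB side) followed by the exponent bytes, then the whole
 * image, supplemental word included, XORed with u1Blinding (0 means no masking).
 * Returns the number of bytes written, or 0 if dst is too small. */
size_t expmod_prepare_exponent(uint8_t *dst, size_t dst_len,
                               const uint8_t *exp, uint16_t u2ExpLength,
                               uint8_t u1Blinding)
{
    size_t total = (size_t)u2ExpLength + 4;
    if (dst_len < total) return 0;
    memset(dst, 0, 4);                 /* supplemental word, must be zero */
    memcpy(dst + 4, exp, u2ExpLength);
    for (size_t i = 0; i < total; i++) dst[i] ^= u1Blinding;
    return total;
}
```

The masked image is what the library expects in memory; unmasking is done by the service from the same u1Blinding value, so the caller must pass the identical mask in the parameter block.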

Maximum Sizes for the Modular Exponentiation

The following table provides the maximum sizes for the Modular Exponentiation, depending on the window size and the presence of the exponent in Crypto RAM.

  • The figures below are calculated supposing that u2ExpLength = u2ModLength.
  • When the PUKCL_EXPMOD_EXPINPUKCCRAM option is specified, the maximum acceptable size is computed assuming the Exponent is entirely in the Crypto RAM and its length is equal to that of the Modulus.
  • Otherwise, the Exponent is entirely out of the Crypto RAM and so the computation does not depend on its length.

Table 37-54. Maximum Exponentiation Sizes

Option Specified | Maximum Modulus Size (bytes) | Maximum Modulus Size (bits)
Exponent in Crypto RAM, 1 bit window | 576 | 4608
Exponent in Crypto RAM, 2 bits window | 504 | 4032
Exponent in Crypto RAM, 3 bits window | 400 | 3200
Exponent in Crypto RAM, 4 bits window | 284 | 2272
Exponent not in Crypto RAM, 1 bit window | 672 | 5376
Exponent not in Crypto RAM, 2 bits window | 576 | 4608
Exponent not in Crypto RAM, 3 bits window | 448 | 3584
Exponent not in Crypto RAM, 4 bits window | 308 | 2464

Status Returned Values

Table 37-55. ExpMod Service Return Codes

Returned Status | Importance | Meaning
PUKCL_OK | - | Service functioned correctly