43.3.5.4 Modular Exponentiation (With CRT)

Purpose

The purpose of this service is to perform the Modular Exponentiation with the Chinese Remainders Theorem (CRT). This service processes integers in GF(p) only.

The options available for this service are:

Fast implementation
Regular implementation
Exponent is located in Crypto RAM or not
Exponent window size

How to Use the Service

Description

This service processes a Modular Exponentiation with the Chinese Remainder Theorem:

R = X^Dmod(N) with N = P *Q

Important: For this service, be sure to follow the directives given for the RSA implementation on the chip you use.

This service requires that the modulus N is the product of two co-primes P and Q and that the decryption exponents D is co-prime with the product ((P-1)*(Q-1)).

The Input data are P, Q, EP, EQ, Rvalue, and X. P and Q are the co-primes so that N = P*Q.

X is the number to exponentiate.

EP, EQ and Rval are calculated as follows:

EP = Dmod(P – 1) EQ = Dmod(Q – 1) Rval = P^–1mod(Q)

In some cases, the decryption exponent D may not be available and the encryption exponent E may be available instead. The possibilities to calculate the parameters are:

Calculate D from E with the formula:
D = E^–1mod((P – 1) × (Q – 1))
Calculate the parameters from E:
EP = E^–1mod(P – 1) EQ = E^–1mod(Q – 1) Rval = P^–1mod(Q)

In this computation, the following parameters need to be provided:

X the input number (pointed by {nu1XBase,2*u2ModLength +16})
P and Q the primes (pointed by {nu1ModBase,2*u2ModLength +8}).
EP and EQ the reduced exponents (pointed by {pfu1ExpBase,2*u2ExpLength +8})
Rval and Precomp (pointed by{nu1PrecompBase,RAndPrecompLen})
Blinding the exponent blinding value (provided inu1Blinding)

The length RAndPrecompLen depends on the lengths and options chosen; its calculus is detailed in Options below.

The service for this operation is CRT.

Note: The minimum value for u2ModLength is 12 bytes. Therefore, the significant length of P or Q must be at least three 32-bit words.

Parameters Definition

The following table shows the parameter block for the CRT service.

Many parameters have complex placement in memory; therefore, detailed figures are provided in CRT Service Placement below.

Table 43-62. CRT Service Parameters
Parameter	Type	Direction	Location	Data Length	Before Executing the Service	After Executing the Service
u2Options	u2	I	–	–	Options (see below)	Options (see below)
nu1ModBase	nu1	I	Crypto RAM	2*u2ModLength + 8	Base of P, Q	Base of P, Q untouched
u2ModLength	u2	I	–	–	Length of P or Q greater than or equal to 12	Length of P or Q
nu1XBase (see Note 1)	nu1	I	Crypto RAM	2*u2ModLength + 16	Base of X	Base of X Filled with the result
nu1PrecompBase	nu1	I	Crypto RAM	See Options below	Base of Rvalue and Pre computations workspace	Corrupted
pfu1ExpBase (see Note 2)	pfu1	I	Any place	2*u2ExpLength + 8	Base of EP, EQ	Base of EP, EQ untouched
u2ExpLength	u2	I	–	–	Significant length of EP or EQ	Significant length of EP or EQ
u1Blinding (see Note 3)	u4	I	–	–	Exponent unblinding value	Exponent unblinding value

Note:

This zone contains the number to be exponentiated (u2ModLength bytes) and is used during the computations as a workspace (four 32-bit words longer than the number to be exponentiated). At the end of the computation, it contains the correct result of the operation.
If the PUKCL_EXPMOD_EXPINPUKCCRAM option is not set, the location of the exponent MUST NOT be placed in the Crypto RAM, even partially.
It is possible to mask the exponent in memory using a 32-bit XOR mask value. Be aware that not only the exponent, but also the supplemental spill word has to be masked. If masking is not desired, the parameter should be set to 0.

Options

Most of the CRT options configure the Modular Exponentiation steps of the CRT and so are very similar to the Fast Modular Exponentiation options.

The options are set by the u2Options input parameter, which is composed of:

the mandatory Calculus Mode Option described in Table 43-63
the mandatory Window Size Option described in Table 43-64
the indication of the presence of the exponent in Crypto RAM

Important: Please check precisely if one part of the exponent area (containing EP and EQ) is in Crypto RAM. If this is the case, the PUKCL_EXPMOD_EXPINPUKCCRAM option must be used.

The u2Options number is calculated by an “Inclusive OR” of the options. Some Examples in C language are:

Operation: CRT using the Fast Modular Exponentiation with the window size equal to 1 and with no part of the Exponent area in the Crypto RAM
PUKCL(u2Options) = PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;
Operation:CRT using the Regular Modular Exponentiation with the window size equal to 2 and with one part the Exponent area in the Crypto RAM
PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2 | PUKCL_EXPMOD_EXPINPUKCCRAM;

For this service, two exclusive Calculus Modes for the Modular Exponentiation steps of the CRT are possible. The following table describes the Calculus Mode Options.

Table 43-63. CRT Service Calculus Mode Options
Option	Explanation
PUKCL_EXPMOD_FASTRSA	Perform a Fast computation.
PUKCL_EXPMOD_REGULARRSA	Performs a Regular computation, slower than the Fast version, but using regular calculus methods.

For this service, four window sizes for the Modular Exponentiation Steps are possible. The window size in bits is those of the windowing method used for the exponent.

The choice of the window size is a balance between the size of the parameters and the computation time:

Increasing the window size increases the precomputation workspace.
Increasing the window size reduces the computation time (may not be relevant for very small exponents). The length of the Rval and Precomp area depends on the window size W and u2ModLength.

The Rval and Precomp area length is:

RandPrecompLen = 4 * (u2ModLength + 4) + max(64 , 2^(W-1) * (u2ModLength + 4)) + 8

Important: Please calculate precisely the length RandPrecompLen with the formula and the max() macro, which takes the maximum of two values.

The following table shows the size of the Rval and Precomp area, depending on the chosen window size option.

Table 43-64. CRT Service Window Size Options and Rval and Precomp Area Size
Option Specified	Size of the Rval and Precomp Area (bytes)	Precomputation Values
PUKCL_EXPMOD_WINDOWSIZE_1	4*(u2ModLength + 4) + max(64 , (u2ModLength + 4)) + 8	x
PUKCL_EXPMOD_WINDOWSIZE_2	4(u2ModLength + 4) + max(64 , 2(u2ModLength + 4)) + 8	x x³
PUKCL_EXPMOD_WINDOWSIZE_3	4(u2ModLength + 4) + max(64 , 4(u2ModLength + 4)) + 8	x x³ x⁵ x⁷
PUKCL_EXPMOD_WINDOWSIZE_4	10(u2ModLength + 4) + max(64 , 8(u2ModLength + 4)) + 8	x x³ x⁵ x⁷ x⁹ x¹¹ x¹³ x¹⁵

The exponent area can be located in RAM or in the data space. If one part of the exponent area is in Crypto RAM this must be mandatory signaled by using the PUKCL_EXPMOD_EXPINPUKCCRAM option.

The following table describes this option.

Table 43-65. CRT Service Crypto RAM Option Exponent Area
Option	Purpose
PUKCL_EXPMOD_EXPINPUKCCRAM	The exponent area can be read from any data space of memory, including Crypto RAM. When at least one word the exponent is in Crypto RAM, this option has to be set.

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;


PUKCL(u2Option) =...;

// Depending on the option specified, not all fields should be filled PUKCL_CRT(nu1ModBase) = <Base of the ram location of P and Q>; PUKCL_CRT(u2ModLength) = <Length of P or Q>;
PUKCL_CRT(nu1XBase) = <Base of the ram location of X>; 
PUKCL_CRT(nu1PrecompBase) = <Base of the ram location of RVal and Precomp>; 
PUKCL_CRT(pfu1ExpBase) = <Base of the ram location of EP and EQ>; 
PUKCL_CRT(u2ExpLength) = <Length of EP or EQ>;
PUKCL_CRT(u1Blinding) = <Blinding value>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(CRT, pvPUKCLParam);
if (PUKCL_Param.Status == PUKCL_OK)
            {
            // operation has been performed correctly
            ...
            }
else // Manage the error

Constraints

The following conditions must be avoided to ensure that the service works correctly:

nu1ModBase, nu1XBase, nu1PrecompBase, pfu1ExpBase are not aligned on 32-bit boundaries
{nu1XBase, 2*u2ModLength + 16}, {nu1ModBase, 2*u2ModLength + 8},{nu1PrecompBase,<PrecompLength>} are not in Crypto RAM
{nu1ExpBase,2*u2ExpLength + 8} is not in Crypto RAM and PUKCL_EXPMOD_EXPINPUKCCRAM is specified
u2ModLength or u2ExpLength are either: < 4, > 0xffc or not a 32-bit length
None or both PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified.
{nu1XBase,2*u2ModLength + 16} overlaps with either: {nu1ModBase, 2*u2ModLength +8},{nu1PrecompBase, <PrecompLength>} or {pfu1ExpBase, 2*u2ExpLength + 8}
{nu1ModBase,2*u2ModLength + 8} overlaps with either: {nu1PrecompBase, <PrecompLength>} or {pfu1ExpBase, 2*u2ExpLength + 8}
{nu1PrecompBase, <PrecompLength>} overlaps {pfu1ExpBase, 2*u2ExpLength +8}

CRT Service Parameter Placement

The parameters’ placements are described in detail in the following figures.

Figure 43-2. Modulus P and Q in {nu1ModBase, 2*u2ModLength + 8}

Figure 43-3. Value X in {nu1XBase, 2*u2ModLength + 16}

Figure 43-4. Exponents EP and EQ in {fnu1ExpBase, 2*u2ExpLength + 8}

Figure 43-5. Value Rval and Precomp in {nu1PrecompBase, RandPrecompLen}

CRT Service Modular Exponentiation Maximum Size

The following table details the maximum size in bits of P or Q, of N and of EP or EQ.

The maximum size in bits of P or Q equals:
<Max Size Bits P> = <Max Size Bits Q> = 8 * <Max u2ModLength bytes>
The maximum size in bits of N=P*Q equals:
<Max Size Bits N> = 2 * <Max Size Bits P>
The maximum size in bits of EP or EQ equals:
<Max Size Bits EP> = <Max Size Bits EQ> = 8 * <Max u2ExpLength bytes>
In case of the PUKCL_EXPMOD_EXPINPUKCCRAM option is specified, for the computation of the maximum acceptable size, it is assumed the Exponent is entirely in the Crypto RAM and its length equal the Modulus one.
Otherwise, the Exponent is entirely out of the Crypto RAM and so the computation do not depend on its length.

Table 43-66. CRT Service Maximum Sizes
Characteristics of the Operation	P or Q Max Bit Sizes	N Max Bit Sizes	EP or EQ Max Bit Sizes
Exponent in Crypto RAM, 1 bit window	2912	5824	2912
Exponent in Crypto RAM, 2 bits window	2688	5376	2688
Exponent in Crypto RAM, 3 bits window	2464	4928	2464
Exponent in Crypto RAM, 4 bits window	2304	4608	2304
Exponent not in Crypto RAM, 1 bit window	3584	7168	<application dependent>
Exponent not in Crypto RAM, 2 bits window	3232	6464	<application dependent>
Exponent not in Crypto RAM, 3 bits window	2912	5824	<application dependent>
Exponent not in Crypto RAM, 4 bits window	2688	5376	<application dependent>

Status Returned Values

Table 43-67. CRT Service Return Codes
Returned Status	Importance	Meaning
PUKCL_OK	Information	Service functioned correctly