43.3.5.1 Modular Reduction

Purpose

This service is used to perform the various steps necessary to perform a modular reduction and accepts as input numbers in GF(p) or polynomials in GF(2n) .

The available options for this service are:

  • Work in the GF(2n) or in the standard integer arithmetic field GF(p)
  • Operation is the generation of the reduction constant.
  • Operation is a Modular Reduction.
  • Operation is a Normalization.

How to Use the Service

Description

This service performs one of the following operations:

  • Setup of the Fast or Normalize functions: generation of the reduction constant
  • Fast Modular Reduction
  • Big Modular Reduction (using Euclide’s division)
  • Normalization

The service name for this operation is RedMod.

Modular Reduction Setup

This service calculates the constant Cns, computed from the modulus and used to speed up the modular reduction:

Cns = SetupConstant(N)

This service must be processed before the use of the Fast or Normalize functions. In the Setup computations, the following data must be provided:

  • N the modulus (pointed by {nu1ModBase,u2ModLength +4}).
  • Cns the Setup Constant Result (pointed by {nu1CnsBase,u2ModLength +12}).
  • X used as a workspace (pointed by {nu1XBase,2 * u2ModLength + 8}) (include the supplementary bytes; see Note 2 in Table 43-44
  • R used as a workspace (pointed by {nu1RBase,64 or 68bytes}).
  • u2ModLength is the Aligned Significant Length of the modulus and is not the byte Significant Length (see Aligned Significant Length).

Fast Reductions and Normalization

These commands calculate an approximated or exact Modular Reduction, that is, the result may be greater than the modulus, but is always congruent to the true result.

Important: Before using these functions, ensure that the constant Cns has been calculated with the setup for the Modular Reduction service.

Input and Result significant values verify:

  • For the Fast Modular Reduction:
0X<N2×232
R=Xmod(N)+k×Nwith0k4
  • For the Normalize:
XLength<(NLength+4)bytesR
=Xmod(N)

In these Fast Modular Reduction and Normalize computations, the following data have to be provided:

  • X (pointed by {nu1XBase,2 * u2ModLength +8})
    • The Normalize computation accept as entry a value whose length is lower or equal to u2ModLength + 4 (that is, for example, a value yet reduced but not normalized.). The u2ModLength + 4 MSB bytes are cleared at the beginning of the computation.
    • in case of Fast RedMod computations, the value X mayverify: X < (N2) *(232).
    • include the supplementary bytes; see Note 3 in Table 43-45)
  • R (pointed by {nu1RBase,u2Modlength +4})
  • N (pointed by {nu1ModBase,u2ModLength +4})
  • Cns (pointed by {nu1CnsBase,u2ModLength +12})
  • u2ModLength is the Aligned Significant Length of the modulus and is not the byte Significant Length (see Aligned Significant Length).

The Fast Modular Reduction is able to reduce inputs up to <2*u2ModLength + 4> bytes. The input can come from a multiplication of 2 <u2ModLength + 4> bytes numbers. The input X is considered as a <2*u2ModLength + 8> bytes number.

Important: Additionally the Fast Reduction and Normalize functions need supplemental bytes located on the MSB side of the number to be reduced but these bytes are restored at the end of the operation and are therefore unchanged. However, these bytes are to be taken into account when the mapping is created, and could lead to unexpected results if overlapping with other area used by the function.

The Fast Modular Reduction returns a <u2ModLength + 4> bytes number, but this number is in fact a <u2ModLength + 2> significant bytes number. When using the Fast Modular Reduction, the two MSB bytes of the <u2ModLength + 2> can have a maximum of two lsb bits set (depending on the reduced number and the modulo).

The Normalize computation accepts as entry a resulting value of Fast Modular Reduction and computes an exact result. It can not be applied to the result of the product of two numbers of size NLength: a Fast Modular Reduction must be applied before.

For the Normalize computation, the X value is limited by the preceding formula but the area in memory is bigger as described in Table 43-45.

As input, the Normalize sub-service only accept values, which length is lower or equal to u2ModLength + 4. The Most Significant u2ModLength + 4 bytes are firstly cleared by this service.

Big Modular Reduction Using Euclide's Division

This command calculates:

XLength<(2×NLength+4)bytesR
=Xmod(N)

In this Big Modular Reduction computations, the following data must be provided:

  • X (pointed by {nu1XBase,2 * u2ModLength + 8}) (include the supplementary bytes; see Note 1 in Table 43-46)
  • R (pointed by {nu1RBase,u2Modlength +4})
  • N (pointed by {nu1ModBase,u2ModLength +4})
  • u2ModLength is the Aligned Significant Length of the modulus and is not the byte Significant Length (see Aligned Significant Length)
  • Workspace (pointed by {nu1CnsBase,64 or 68}).

Modular Reductions Service Parameters Definition

Table 43-44. RedMod Service Parameters
ParameterTypeDirectionLocationData LengthBefore Executing the ServiceAfter Executing the Service
u2Optionsu2IOptions (see below)Options (see below)
Specific/CarryInBitsIMust be set to zero.
Specific/Gf2nBitIGF(2n) Bit
Specific/CarryOut Zero ViolationBitsICarry Out, Zero Bit and Violation Bit filled according to the result
nu1ModBase ( see Note 1)nu1ICrypto RAMu2ModLength + 4Base of NBase of N untouched
nu1CnsBasenu1ICrypto RAMu2ModLength + 12Base of CnsBase of Cns filled with the Setup Constant
u2ModLengthu2ILength of NLength of N
nu1RBasenu1ICrypto RAM

GF(p): 64 bytes

GF(2n): 68 bytes

Base of R

as a workspace

Base of R workspace corrupted
nu1XBase (see Note 2)nu1ICrypto RAM2*u2ModLength + 8

Base of X as a workspace

Base of X workspace corrupted
Note:
  1. The Modulus is to be given as a u2ModLength Aligned Significant Length Bytes however, it has to be provided as a u2ModLength + 4 bytes long number, having the four high-order bytes set to zero.
  2. Before the X (pointed by {nu1XBase,2 * u2ModLength + 8}) LSB bytes, four supplementary bytes will be saved/restored. Other four supplementary bytes will also be saved/restored after the X MSB bytes. All these supplementary bytes may be entirely in the Crypto RAM (therefore, do not place the X area too near the end of the Crypto RAM) and shall not overlap with other area used by the service.

Fast Modular Reductions Service Parameters Definition

Table 43-45. Fast RedMode and Normalize Service Parameters
ParameterTypeDirectionLocationData LengthBefore Executing the ServiceAfter Executing the Service
u2Optionsu2IOptions (see below)Options (see below)
Specific/CarryInBitsIMust be set to zero.
Specific/Gf2nBitIGF(2n) Bit
Specific/CarryOut Zero ViolationBitsICarry Out, Zero Bit and Violation Bit filled according to the result
nu1ModBase (see Note 1)nu1ICrypto RAMu2ModLength + 4Base of NBase of N untouched
nu1CnsBasenu1ICrypto RAMu2ModLength + 12Base of CnsBase of Cns untouched
u2ModLengthu2ILength of NLength of N
nu1RBase (see Note 2)nu1ICrypto RAMu2ModLength + 4Base of RBase of R filled with the result
nu1XBase (see Note 3)nu1ICrypto RAM2*u2ModLength + 8Base of X the number to reduceBase of X corrupted
Note:
  1. The Modulus is to be given as a u2ModLength Aligned Significant Length Bytes however, it has to be provided as a u2ModLength + 4 bytes long number, having the four high-order bytes set to zero.
  2. To make profitable the space memory, it is possible to set nu1RBase exactly equal to nu1XBase.
  3. After the X (pointed by {nu1XBase,2 * u2ModLength + 8}) MSB bytes, supplementary bytes will be saved/restored (8 bytes in case of Fast RedMod, otherwise; 12 bytes). These supplementary bytes may be entirely in the Crypto RAM (therefore, do not place the X area too near the end of the Crypto RAM) and shall not overlap with other area used by the service.

Big Modular Reduction Parameters Definition

Table 43-46. Big RedMod Service Parameters
ParameterTypeDirectionLocationData LengthBefore Executing the ServiceAfter Executing the Service
u2Optionsu2IOptions (see below)Options (see below)
Specific/CarryInBitsIMust be set to zero
Specific/Gf2nBitIGF(2n) Bit
Specific/CarryOut Zero ViolationBitsICarry Out, Zero Bit and Violation Bit filled according to the result
nu1ModBasenu1ICrypto RAMu2ModLength + 4Base of NBase of N untouched
nu1CnsBasenu1ICrypto RAM

GF(p): 64 bytes

GF(2n): 68 bytes

Base of Cns as a workspaceBase of Cns corrupted
u2ModLengthu2ILength of NLength of N
nu1RBasenu1ICrypto RAMu2ModLength + 4Base of RBase of R filled with the result
nu1XBase (see Note 1)nu1

I

Crypto RAM2*u2ModLength + 8Base of X the number to reduceBase of X filled with the result
Note:
  1. Before the X (pointed by {nu1XBase,2 * u2ModLength + 8}) LSB bytes, four supplementary bytes will be saved/restored. Other four supplementary bytes will also be saved/restored after the X MSB bytes. All of these supplementary bytes may be entirely in the Crypto RAM (therefore, do not place the X area too near the end of the Crypto RAM) and shall not overlap with other area used by the service.

Options

The options are set by the u2Options input parameter, which is composed of:

  • the mandatory Operation Option described in Table 43-47
  • if the Operation Option is PUKCL_REDMOD_REDUCTION, the Modular Reduction Sub-Option described in Table 43-48

The u2Options number is calculated by an Inclusive OR of the options. Some Examples in C language are:

  • Operation: Setup for the ModularReductions.

    PUKCL(u2Options) = PUKCL_ REDMOD_SETUP;

  • Operation: Fast ModularReduction.

    PUKCL(u2Options) = PUKCL_REDMOD_REDUCTION | PUKCL_REDMOD_USING_FASTRED;

For this command three exclusive options can be specified. The following table lists the operations that can be performed.

Table 43-47. RedMod Service Options
OptionPurposeRequired Parameters
PUKCL_REDMOD_SETUPPerform the Cns value computationnu1ModBase, u2ModLength, nu1CnsBase, nu1XBase
PUKCL_REDMOD_REDUCTIONPerform R ≡ X Mod N, see sub-option for detailsnu1ModBase, u2ModLength, nu1CndBase, nu1XBase, nu1RBase
PUKCL_REDMOD_NORMALIZEPerform R = X Mod Nnu1ModBase, u2ModLength, nu1CndBase, nu1XBase, nu1RBase

When selecting the PUKCL_REDMOD_REDUCTION option, one of the two sub-options listed in the following table must be selected.

Table 43-48. RedMode Service Options with PUKCL_RED_MOD_REDUCTION
OptionPurposeRequired Parameters
PUKCL_REDMOD _USING_DIVISION

Perform R = X Mod N

nu1ModBase, u2ModLength, nu1CndBase, nu1XBase
PUKCL_REDMOD _USING_FASTRED

Perform R ≡ X Mod N

The entropy is minimized (~2 bits)

nu1ModBase, u2ModLength, nu1CndBase, nu1XBase, nu1RBase

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;

PUKCL(Specific).CarryIn = 0; 
PUKCL(Specific).GF2n = ...;

PUKCL(u2Option) =...;

// Depending on the option specified, not all fields should be filled 
PUKCL_RedMod(nu1ModBase) = <Base of the ram location of N>; 
PUKCL_RedMod(u2ModLength) = <Length of N>;
PUKCL_RedMod(nu1CnsBase) = <Base of the ram location of Cns>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(RedMod,pvPUKCLParam); 
if (PUKCL_Param.Status == PUKCL_OK)
            {
            // operation has correctly been performed
            ...
            }
else // Manage the error

Constraints

Depending on the options chosen the lengths of the R area and Cns area differ:

  • For the Setup:
    • RLength = 64bytes
    • CnsLength = u2ModLength +12
  • For the Fast Reduction and Normalize:
    • RLength = u2ModLength +4
    • CnsLength = u2ModLength +8
  • For the BigRedMod:
    • RLength = u2ModLength +4
    • CnsLength =64

The following combinations of input values should be avoided in the case of a modular reduction ‘alone’, meaning that it has not been requested as an option of any other command:

  • nu1ModBase, nu1CnsBase, nu1RBase, nu1XBase are not aligned on 32-bit boundaries
  • {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2CnsLength}, {nu1XBase, 2*u2XLength + 8 + s} or {nu1RBase, u2RLength} are not in Crypto RAM
  • u2ModLength is either: < 4, > 0xffc or not a 32-bit length
  • Overlaps exist between two or more of the areas: {nu1ModBase, u2ModLength + 4},{nu1CnsBase, u2CnsLength}, {nu1XBase, 2*u2XLength + 8 + s} or {nu1RBase, u2RLength}
Note: Overlaps between {nu1RBase, RLength} and {nu1XBase, 2*u2XLength + 8} are forbidden; but if the operation is the Fast, Normalized or Big Modular Reduction, the equality between nu1RBase and nu1XBase is authorized.

Status Returned Values

Table 43-49. RedMod Service Return Codes
Returned StatusImportanceMeaning
PUKCL_OKService functioned correctly
PUKCL_DIVISION_BY_ZEROSevereWhen computing an Euclidean division, the Modulus was found to be zero. This occurs ONLY when either reducing using an Euclidean division or computing the reduction constant usable for a Fast or Normalize Reduction.
PUKCL_UNEXPLOITABLE_OPTIONSSevereA bad combination of options has been detected.
PUKCL_MALFORMED_MODULUSSevereThe Msw of the modulus is not zero.