43.3.5.2 Modular Exponentiation (Without CRT)

Purpose

This service is used to perform the Modular Exponentiation computation. This service processes integers in GF(p) only.

The options available for this service are:

Fast implementation
Regular implementation
Exponent is located in Crypto RAM or not in Crypto RAM
Exponent window size

How to Use the Service

Description

Important: Before using these functions, ensure that the constant Cns has been calculated with the Setup of the Modular Reductions service.

This service processes the following operation:

The service name for this operation is ExpMod.

R = X^Expmod(N)

In this computation, the following parameters need to be provided:

X: input number (pointed by {nu1XBase,u2ModLength +16})
N: modulus (pointed by {nu1ModBase,u2ModLength +4}).
Exp: exponent (pointed by {pfu1ExpBase,u2ExpLength +4})
Cns: Fast Modular Constant (pointed by {nu1CnsBase,u2ModLength +8})
Precomp: precomputation workspace (pointed by{nu1PrecompBase,PrecompLen})
Blinding: exponent blinding value (provided inu1Blinding)

The length PrecompLen depends on the lengths and options chosen; its calculus is detailed in Options below.

Note: The minimum value for u2ModLength is 12 bytes. Therefore, the significant length of N must be at least three 32-bit words.

Parameters Definition

Table 43-50. ExpMod Service Parameters
Parameter	Type	Direction	Location	Data Length	Before Executing the Service	After Executing the Service
u2Options	u2	I	–	–	Options (see below)	Options (see below)
nu1ModBase	nu1	I	Crypto RAM	u2ModLength + 4	Base of N	Base of N untouched
nu1CnsBase	nu1	I	Crypto RAM	u2ModLength + 8	Base of Cns	Base of Cns untouched
u2ModLength	u2	I	–	–	Length of N	Length of N
nu1XBase (see Note 1)	nu1	I	Crypto RAM	u2ModLength + 16	Base of X	Base of X Filled with the result
nu1PrecompBase	nu1	I	Crypto RAM	See below	Base of Precomp as a workspace	Base of Precomp workspace corrupted
pfu1ExpBase (see Note 2)	pfu1	I	Any place (see Note 3)	u2ExpLength + 4	Base of the Exponent	Base of the Exponent untouched
u2ExpLength (see Note 4)	u2	I	–	–	Significant length of Exponent	Significant length of Exponent
u1Blinding (see Note 5)	u1	I	–	–	Exponent unblinding value	Exponent unblinding value untouched

Note:

This zone contains the number to be exponentiated (u2ModLength bytes) and is used during the computations as a workspace (four 32-bit words longer than the number to be exponentiated). At the end of the computation, it contains the correct result of the operation.
The exponent must be given with a supplemental word on the LSB side (low addresses). This word shall be set to zero.
If the PUKCL_EXPMOD_EXPINPUKCCRAM option is not set, the location of the exponent MUST NOT be the Crypto RAM, even partially.
The u2ExpLength parameter does not take into account the supplemental word needed on the LSB side of the exponent.
It is possible to mask the exponent in memory using an 8-bits XOR mask value. Be aware that not only the exponent, but also the supplemental word has to be masked. If masking is not desired, then this parameter should be set to 0.

Options

The options are set by the u2Options input parameter, which is composed of:

the mandatory Calculus Mode Option described in Table 43-51
the mandatory Window Size Option described in Table 43-52
the indication of the presence of the exponent in Crypto RAM

Note: Please check precisely if one part of the exponent is in Crypto RAM. If this is the case the PUKCL_EXPMOD_EXPINPUKCCRAM must be used.

The u2Options number is calculated by an “Inclusive OR” of the options. Some examples in C language are:

Operation:Fast Modular Exponentiation with the window size equal to 1 and with no part of the Exponent in the Crypto RAM
PUKCL(u2Options) = PUKCL_EXPMOD_FASTRSA | PUKCL_EXPMOD_WINDOWSIZE_1;
Operation: Regular Modular Exponentiation with the window size equal to 2 and with one part of the Exponent in the Crypto RAM
PUKCL(u2Options) = PUKCL_EXPMOD_REGULARRSA | PUKCL_EXPMOD_WINDOWSIZE_2 | PUKCL_EXPMOD_EXPINPUKCCRAM;

There is no difference on the final result when using any of the options for this service. The choice has to be made according to the available resources (RAM, Time) and also taking into account the expected security level.

For this service, two exclusive Calculus Modes are possible. The following table describes the Calculus Mode Options.

Table 43-51. ExpMod Service Calculus Mode Option
Option	Explanation
PUKCL_EXPMOD_FASTRSA	Performs a Fast computation
PUKCL_EXPMOD_REGULARRSA	Performs a Regular computation, slower than the Fast version, but using Regular calculus methods

For this service, four window sizes are possible. The window size in bits is those of the windowing method used for the exponent.

The choice of the window size is a balance between the size of the parameters and the computation time:

Increasing the window size increases the precomputation workspace.
Increasing the window size reduces the computation time (may not be relevant for very small exponents).

The following table details the size of the precomputation workspace, depending on the chosen window size option.

Table 43-52. ExpMode Service Window Size Options and Precomputation Space Size
Option specified	Size of the PrecompBase Workspace (bytes)	Content of the Workspace
PUKCL_EXPMOD_WINDOWSIZE_1	3*(u2ModLength + 4) + 8	x
PUKCL_EXPMOD_WINDOWSIZE_2	4*(u2ModLength + 4) + 8	x x³
PUKCL_EXPMOD_WINDOWSIZE_3	6*(u2ModLength + 4) + 8	x x³ x⁵ x⁷
PUKCL_EXPMOD_WINDOWSIZE_4	10*(u2ModLength + 4) + 8	x x³ x⁵ x⁷ x⁹ x¹¹ x¹³ x¹⁵

The exponent can be located in RAM or in the data space. If one part of the exponent is in Crypto RAM this must be mandatory signaled by using the option PUKCL_EXPMOD_EXPINPUKCCRAM.

The following table describes this option.

Table 43-53. ExpMod Service Exponent in Crypto RAM Option
Option	Purpose
PUKCL_EXPMOD_EXPINPUKCCRAM	The exponent can be read from any data space of memory, including Flash, RAM or even Crypto RAM. When at least one word the exponent is in Crypto RAM, this option has to be set.

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;


PUKCL(u2Option) =...;

// Depending on the option specified, not all fields should be filled 
PUKCL_ExpMod(nu1ModBase) = <Base of the ram location of N>; 
PUKCL_ExpMod(u2ModLength) = <Length of N>;
PUKCL_ExpMod(nu1CnsBase) = <Base of the ram location of Cns>; 
PUKCL_ExpMod(nu1XBase) = <Base of the ram location of X>; 
PUKCL_ExpMod(nu1PrecompBase) = <Base of the ram location of Precomp>; 
PUKCL_ExpMod(pfu1ExpBase) = <Base of the location of Exp>; 
PUKCL_ExpMod(u2ExpLength) = <Length of Exp>;
...

// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library... 
vPUKCL_Process(ExpMod, pvPUKCLParam);
if (PUKCL_Param.Status == PUKCL_OK)
            {
            // operation has been performed correctly
            ...
            }
else // Manage the error

Constraints

The following combinations of input values should be avoided in the case of a modular reduction ‘alone’, meaning that it has not been requested as an option of any other command:

nu1ModBase,nu1CnsBase, nu1XBase,nu1PrecompBase,nu1ExpBase are not aligned on 32-bit boundaries
{nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8}, {nu1XBase, u2ModLength +16},{nu1PrecompBase, <PrecompLength>} are not in Crypto RAM
{nu1ExpBase,u2ExpLength + 4} has no part in Crypto RAM and PUKCL_EXPMOD_EXPINPUKCCRAM is specified
u2ModLength or u2ExpLength are either: < 4, > 0xffc or not a 32-bit length
None or both PUKCL_EXPMOD_REGULARRSA and PUKCL_EXPMOD_FASTRSA are specified.
{nu1PrecompBase,<PrecompLength>} overlaps with either: {nu1ModBase, u2ModLength +4},{nu1CnsBase, u2ModLength + 8} {nu1XBase, u2ModLength + 16} or {nu1ExpBase, u2ExpLength + 4}
{nu1XBase,u2ModLength + 16} overlaps with either: {nu1ModBase, u2ModLength + 4},{nu1CnsBase, u2ModLength + 8} or {nu1ExpBase, u2ExpLength + 4}
{nu1ModBase, u2ModLength + 4} overlaps {nu1CnsBase, u2ModLength +8}

Maximum Sizes for the Modular Exponentiation

The following table provides the maximum sizes for the Modular Exponentiation, depending on the window size and the presence of the exponent in Crypto RAM.

The figures below are calculated supposing that u2ExpLength =u2ModLength.
In case of the PUKCL_EXPMOD_EXPINPUKCCRAM option is specified, for the computation of the maximum acceptable size, it is assumed the Exponent is entirely in the Crypto RAM and its length is equal to the Modulus one.
Otherwise, the Exponent is entirely out of the Crypto RAM and so the computation do not depend on its length.

Table 43-54. Maximum Exponentiation Sizes
Option Specified	Maximum Modulus Size (bytes)	Maximum Modulus Size (bits)
Exponent in Crypto RAM, 1 bit window	576	4608
Exponent in Crypto RAM, 2 bits window	504	4032
Exponent in Crypto RAM, 3 bits window	400	3200
Exponent in Crypto RAM, 4 bits window	284	2272
Exponent not in Crypto RAM, 1 bit window	672	5376
Exponent not in Crypto RAM, 2 bits window	576	4608
Exponent not in Crypto RAM, 3 bits window	448	3584
Exponent not in Crypto RAM, 4 bits window	308	2464

Status Returned Values

Table 43-55. ExpMod Service Return Codes
Returned Status	Importance	Meaning
PUKCL_OK	–	Service functioned correctly