1 Introduction

It is well known that cryptographic algorithms like Elliptic Curve Cryptography (ECC), and ElGamal use modular multiplication; especially the modular exponentiation uses modular multiplication. For instance, among other algorithms, RSA is the most used, since proposed by Rivest, Shamir, and Adleman in the year 1977 at the MIT [¹⁶].

RSA is based on the modular exponentiation to encrypt and decrypt critical data. Regarding this mentioned algorithm, it can be said that the main operation used is modular multiplication.

Even so, some difficulties are dealing with division and modular reduction. However, proposals like those made by Brickell [³], Barret [¹], and Montgomery [¹¹] help to solve somehow these problems and they are widely cited by many authors in the literature.

After this, it can be said that the Montgomery modular multiplication is the most efficient algorithm for modular multiplication, so the proposal made in this paper will deal with it.

The regular procedure used in this algorithm begins with a translation of the conventional representation of positive integers and brings back this translation to its original conventional integer representation at the end of the multiplication procedure.

Besides, Montgomery modular multiplication replaces the trial division with a series of additions and divisions by a power of 2, this makes it suitable to be implemented in programmable devices, like Field Programmable Gate Array (FPGA) [²⁰, ², ⁹, ¹⁹, ¹⁴]. Divisions by the power of two can be made by making only shifts to the right.

This considerably reduces the consumption of resources on the programmable device. In the search for solving issues like those mentioned above, many authors have proposed some architectures, for example, Karatsuba based Montgomery modular multiplication [⁴, ⁷], Carry Save Adders (CSA) [⁸, ¹⁸, ⁶], Compact Signed Digits (SD) [¹⁵], and Systolic Architectures [², ⁹, ¹⁹, ¹⁴, ¹⁷, ²¹, ⁵], to speed up the modular multiplication.

Specifically, the proposal Karatsuba based Montgomery modular multiplication is a high speed modular multiplication, it requires a few clock cycles compared with other proposals. However, it requires a large consumption of dedicated multipliers and resources. CSA is an interesting proposal since it uses only digital logic and no dedicated multipliers.

However, it requires a large consumption of resources and clock cycles to do the modular multiplication. Among these proposals, the Systolic Architecture is particularly interesting because it has a balance between the two earlier proposals. It reduces the resources compared with CSA and reduces the dedicated multipliers compared with Karatsuba-based Montgomery modular multiplication. To do the mentioned before, Systolic Architecture uses regular blocks called Processing Elements (PEs).

For example, authors like Guilherme Perin et al. [¹⁴] , compared a high radix systolic architecture with a high radix multiplexed multiplication in an FPGA. Amine Mrabet et al. [¹²] proposed the implementation of the Coarsely Integrated Operand Scanning (CIOS) method of Montgomery modular multiplication using a two-dimensional array of PEs. Hence, an improvement of PEs is presented in this work, from which the associated process can be speeded up and the resources used in the FPGA are reduced as well. For this, a Montgomery modular multiplication is implemented that can deal with long integers within the finite field GF(p), where p is a prime number digitally expressed between 512 and 2048 bits.

This will be explained in the next section. The rest of the paper is organized as follows: Section 2 reviews the Montgomery modular multiplication algorithm and shows the improvements made. Section 3 shows the architecture proposed for implementation in an FPGA. In section 4, it is implemented the proposed architecture in modular exponentiation for use in the RSA algorithm. In section 5, it is presented the results obtained of the implementation and it is presented a comparison with other works reported. Finally, in section 6, we make the conclusions of this work.

2 Montgomery Multiplication

To perform a modular multiplication, it must have a residue of a division of the multiplication of the two positive integers. However, the arithmetic division is an operation that consumes high resources and time in hardware and software implementation, to avoid this there is a proposal called Montgomery modular multiplication algorithm [¹¹].

The Montgomery modular multiplication is an algorithm that can be used to perform the modular multiplication x⋅y mod⁡ m without the need to divide by the modulus m. In the next subsections, we will explain the Montgomery modular multiplication from the software and hardware point of view.

2.1 Software-base Montgomery Multiplication

First, from the software point of view, Montgomery modular multiplication implementations use Algorithm 1, shown next, which is the original algorithm [¹⁰]. This algorithm is the basis of many RSA software and hardware implementation systems.

Algorithm 1 Montgomery multiplication 

In Algorithm 1, the operands x and y are positive integers with a radix b. The result is placed on A and after n iterations, it is equal to xyR−1 mod⁡ m, which must retrieve the result xy mod⁡ m.

Initially, it is required that x and y must be in the Montgomery domain, this is done applying the same Algorithm 1, with x˜ and R2 as operands for x value and y˜ and R2 as operands for y value, where x˜ and y˜ are the original operands for the modular multiplication. Next, to get the correct result A˜, it is needed to apply an additional Montgomery Multiplication with A and 1 as operands.

In modular exponentiation these added operations are inexpensive since they are done one time after the whole exponentiation. Since the mathematician Peter L. Montgomery published his algorithm in 1985, a lot of improvements were proposed by much research. The next section explains one of these approaches for hardware implementation.

2.2 Hardware-based Montgomery Modular Multiplication

On the other side, from the hardware point of view, FPGAs have been widely used to perform readily modular multiplications. It can be found proposals using several techniques that can improve Montgomery Multiplication implemented in FPGA [¹¹, ²⁰, ¹³]. One of these proposals is particularly interesting because it avoids the final subtraction used in the original algorithm [²⁰]. To achieve this, x and y are set to be less than 2m, and 2m must be less than bn. This proposal is shown in Algorithm 2.

Algorithm 2 Montgomery multiplication with no final subtraction 

As was mentioned earlier, there is a technique that was proposed for the implementation that performs the Montgomery modular multiplication. This technique, called Systolic Architecture, uses a regular array based on a basic elemental PE. Therefore, an advantage is taken from the fact that operands are represented in a radix b of power of 2, this is b=2k, where k is the number of bits. This simplifies the operations in the digital implementation into the FPGA.

Each PE internally contains multipliers and adders, which manage large operands in a multi-precisión context, based on Algorithm 2. Specifically, PEs are settled in a one dimensional array, all being identical, this was first proposed by Tenca et al. [¹⁷].

Their Montgomery multiplier has a scalable architecture, and it is based on the Multiple Word Radix-2 Multiplication Algorithm (MWR2MM). As was mentioned before, a Systolic Architecture can reduce the resources needed for the hardware implementation. Besides, it is possible to increase the number of bits of the operands adding only the required PEs for the specific dimension.

3 Systolic Architecture Proposed

Talking about the structure of the implemented system, a systolic architecture consists on a one-dimensional array of PEs [⁹, ²⁰, ¹³], most of them are identical, the only different PEs are the first one and the last one, this will be explained Ylater.

The proposed architecture is based on Algorithm 2, where the operands are divided into n words having a length of k-bits. This is shown in Algorithm 3. Based on what was mentioned above, this shows that the total number of PEs in the systolic architecture has the same number as the total of words considered, this is, there will be n PEs.

Algorithm 3 Montgomery multiplication for FPGA 

The array of PEs performs step 4 outlined in Algorithm 2, this is, A←(A+xiy+uim)/b, where A has been represented with the same radix as the rest of the operands. This step is performed by steps 4 and 5 in Algorithm 3.

Since the systolic architecture works in a multi-precisión context, each PE is responsible to perform the arithmetic operations of each word involved in the equation, step 5 in Algorithm 3.

The value cj in step 3 stands for the carry obtained during the operation of each PE. As it was already said, the operands are represented in a radix b, this is, the numerical basis is the power of 2. So, the division by b of step 4 of Algorithm 2 is performed by a right shift operation of one word of k bits in step 5 of Algorithm 3.

The operation of step 3, this is, ui←(a0+xiy0)m′, in Algorithm 3, is performed in a separated block, called CU. To perform the inner loop of the Algorithm 3, a Finite State Machine (FSM) was implemented, called Montgomery Multiplier Controller (MMC).

The MMC block is designed to supply the corresponding words to the one-dimensional array of PEs and the block CU. The logic implementation of the MMC is shown in Algorithm 4 4. The MMC implemented works as follows:

Algorithm 4 Montgomery multiplier controller 

While states are performing within the MMC, Block CU is calculating at the same time the value of ui. Fig 1 shows the block diagram of systolic architecture as was implemented in an FPGA.

Fig. 1 Block diagram of systolic architecture 

In Fig 1., the value j shows the corresponding PE. In this work, it has been proposed three different types of PEs, which are based on step 5 of Algorithm 3. These PEs are Initial Processing Element (IPE), General Processing Element (GPE), and Final Processing Element (FPE). These PEs have been settled in a one-dimensional array as originally proposed.

To reduce resources, and area, and speed up the implementation of the PEs, it has been used Digital Signal Processing slices (DSP) integrated into the FPGA. For our implementation in the family Artix 7 of Xilinx, it is used DPS48E1. The main features of these DSPs are that they have internally a 25 × 18 two-complement multiplier and a 48-bit accumulator.

This DSP indicates that the maximum radix that can be implemented is with 18 bits, however, in this work 16 bits were used. Description of the elements in Fig. 1 is as follows: PE(0) is an IPE, PE(n−1) is equivalent to an FPE and finally, the rest of PEs correspond to the type of GPE; then, there will be n−2 GPEs. Now, each type of PEs is explained in the next subsections:

3.1 Initial Processing Element

This first type of PE is called Initial Processing Element (IPE) and has direct communication with the MMC block. It receives an enabling signal, together with the value of xi and ui. The values xi and ui are saved in a register. Fig. 2 shows the block diagram implemented.

Fig. 2 Block diagram of initial processing element (IPE) 

The performance of the IPE block is controlled by an FSM, which consists of three states. The performance is explained as follows: During the first state, xi and ui are saved in registers, and at the same time they are sent to the first GPE. Upon the reception of the enabling signal, the fist GPE is enabled and proceeds to the next state.

While yet in this first state, values of m0 and ui are sent to the multiplier across the multiplexers 1 and 2 respectively, also a value of 0 is sent to the pre-adder integrated into the DSP across the multiplexer 3 and then the result is saved in a register into a block called Accumulator of the DSP.

Next, during the second state the multiplication of xi and y0 is performed and it is added the value a0 and the result is added to the earlier value of state 1 using the Accumulator of the DSP. Finally, when the third sate is reached, the results of the multiplications with the adders are stored into the block Memory. The result of this addition has a length of 2k+2 bits.

However, the first k bits are discarded, this means the division by b in A←(A+xiy+uim)/b, and the rest of the bits are saved in a register and sent to the next PE as a carry. After this it is reset the accumulator of the DSP. Since operation time is important from the performance point of view, it should be mentioned that passing through each one of the states takes one clock cycle.

To save resources and speed up the operations, a DSP has been used as a 16×16 bits multiplier, pre-adder, and an accumulator.

3.2 General Processing Element

The second type of PE is called General Processing Element (GPE). The GPE unlike the IPE receives as input a carry and gives the output aj−1. Fig. 3 shows the block diagram of a GPE implemented into the FPGA. The GPE is replicated n−2 times, the first GPE receives the input carry from the IPE, and this first GPE sends its carry to the second GPE, this is made until the last GPE is reached and is then when the respective carry is sent to the last type of PE. The performance of this GPE is like the IPE, which is controlled by an FSM with three states. However, in the first state it is performed an addition of the carry input value.

Fig. 3 Block diagram of general processing element (GPE) 

The result, the same as in an IPE, has a length of 2k+2 bits. The first k bits are equivalent to aj−1 and the rest of the bits are the output carry. The output aj−1 of each GPE is left-shifted to complement the operation of the division by b, as was mentioned in the description of the IPE.

3.3 Final Processing Element

The third and last type of PE is the Final Processing Element (FPE). The performance of this type of element is like GPE, however, the output carry of this PE is avoided. The block diagram of this PE is shown in Fig. 4. As we mentioned before, the output carry is avoided, and the output of this FPE has a length of 2k bits. The first k bits of the output are called aj−2 and the last k bits are called aj−1 which is equivalent to the value an−1. As the IPE and GPE, this kind of PE is controlled by an FSM with three states.

Fig. 4 Block diagram of final processing element (FPE) 

3.4 Block CU

Finally, the block named CU calculates the value ui of step 3 as pointed out in Algorithm 2. As specified previously, the numerical basis is the power of 2, so for this block, the mod⁡ b operation needs only the LSB of k in the result. Fig. 5 shows the block diagram implemented for Block CU, where two DSPs were used to perform the multiplications.

Fig. 5 Block diagram of calculus of ui (CU) 

4 Modular Exponentiation

In this section, modular exponentiation, which uses the modular multiplier proposed, is implemented into an FPGA. The modular exponentiation implemented is the Square and Multiply Always, Left to Right (SMAL2R). Algorithm 5 shows the regular modular exponentiation Square and Multiply Always algorithm and it is in a left-to-right form. This form begins the exponentiation with the most significant bit (MSB) of the exponent e and ends with the least significant bit (LSB).

Algorithm 5 Square and multiply always, left to right 

From Algorithm 5, it is required that gcd(m,R)=1. The values of R mod⁡ m and R2 mod⁡ m may be provided as inputs. As was mentioned at the beginning, the operands for the Montgomery modular multiplication were settled into the Montgomery domain, this is done in step 1 and at the end the result was retrieved in step 9 of the Algorithm 5. The function called MontMult(​) in Algorithm 5 performs the Montgomery modular multiplication. In this function, the first and the second parameter are the operands and finally the third parameter is the modulus.

An FSM was implemented to control the Montgomery modular exponentiation. In Fig. 6, it is shown the general block diagram which shows the implementation in FPGA. In Fig. 6 the block labeled as Control is the FSM which controls the whole modular exponentiation according to the exponent e. The blocks labeled as S[0], S[1] and x˜ are registers working as memories, and they are set and reset according to the block labeled as Control.

Fig. 6 Block diagram of the SaMAL2R exponentiation using montgomery multiplication 

The block labeled as MontMult in Fig. 6 holds the modular multiplication proposed. The operands for this block are set by the block Control. RSA algorithm was chosen to provide both the public key and the private key. From the RSA algorithm, the value e, also known as public-key in Montgomery modular exponentiation, is used to encrypt, and x is the data to be encrypted, also known as plain text. This is shown in 1:

To decrypt the data encrypted, the same modular exponentiation is used, however, the exponent is now d, also known as private-key, in this case, the value x is known cipher-text. This is shown in 2:

Since e or d are represented as a binary with t+1 bits, there will be t+1 cycles as it was mentioned before. Now, considering that Square-and-multiply Always, Left to Right Algorithm is regular, no matter if the corresponding bit of the exponent during the cycle is one or zero, the two multiplications will be performed in the loop as well. Thus, the total number of multiplications during the complete process of the exponentiation is:

The two extras multiplications in 3 are due to steps 3 and 9 in Algorithm 5. Once the blocks were defined and the function of each one was explained, implementation on a FPGA was made and results are presented in the following section.

5 Results

The proposed design was implemented into an FPGA Artix-7 XC7A100T-CSG324 working at 100 MHz; no area or speed optimization was set for the synthesis. The synthesis into the FPGA for the proposed design was settled to a module m of 512, 1024, and 2048 bits of length, and the radix b of 16 bits and performance of the multiplications were evaluated. Besides, the final subtraction was avoided settling the conditions x<2m and y<2m.

First, Table 1 shows the resources used for the proposed implementation of a module of 512 bits. In this case, the implementation used 1 IPE, 1 FPE, and 30 GPE’s. Table 2 shows the resources used for the proposed implementation using a module of 1024 bits. The implementation used 1 IPE, 1 FPE, and 62 GPEs. Finally, Table 3 shows the resources used for the proposed implementation using a module of 2048 bits. The implementation used 1 PE, 1 FPE, and 126 GPEs.

Additionally, the implementation takes 98 clock cycles to perform the Montgomery modular multiplication for a module of 512 bits, 194 clock cycles for a module of 1024 bits, and 386 clock cycles for a module of 2048 bits. Table 4 shows a comparison of this work with other implementations using 1024 bits modular multiplication, and a radix of sixteen bits.

From the above, it can be seen that the proposal allows a reduction of resources consumption within the programmable device, compared with other developments. On the other side, the implementation of the Montgomery modular exponentiation uses a module m of a length of 1024 bits.

The resources used by the implementation into the FPGA for the modular exponentiation are shown in Table 5. As it was already said, in this proposal, the implementation of the Montgomery modular exponentiation was used to encrypt and to decrypt data.

The public-key and the private-key were generated with the RSA algorithm. According to Table 4, the proposed architecture reduces 5 clock cycles compared with the performance reported in[⁹] and [²¹]. With these 5 clocks cycles, the time consumption in the Modular Exponentiation of Algorithm 5 is reduced.

For example, with t=1023 bits and using 3, there will be a total of 2,050 multiplications. So, this means that for the works [⁹] and [²¹] this process takes a total of 407,950 clock cycles while the proposed architecture here reported takes a total of 397,700 clock cycles, having considerable differences of 10,250 clock cycles. Therefore, time reduction with this algorithm is evident. Therefore, time reduction with this algorithm is clear. This proposal compared to that Mrabet [¹²] reduces the number of DSPs used, hower, it requires a greater number of clock cycles.

6 Conclusions

As can be seen in the tables reported, the most resources in the modular exponentiation are due to the modular multiplication, so it is important to reduce them. As we can see from the results of this work, the proposed architecture, compared with the other works that use a high-radix modular multiplication reduces the time consumption and the resources used for the FPGA, as well.

Due to this low use of resources into the FPGA, the implementation of the Modular Exponentiation and Multiplication using the proposed Algorithm can allow its use in programmable devices that have limited available resources. Therefore, the programmable device to be used will be cheaper than a high-end programmable device.

This work implements modular exponentiation for RSA cryptographic algorithms; however, it is possible to use in other cryptographic algorithms like ECC, ElGamal, DH. Even more it is possible to implement this proposal to different modular exponentiation algorithms. Besides, it is important to say also that the proposed architecture is scalable to another module. For example, making, this same procedure with a device that has more DSPs, it will be possible to increase the module to a value up-to 4,096 bits with the use of 258 DSPs.