
IMPLEMENTATION OF MODULAR MULTIPLICATION

FOR RSA ALGORITHM


CHAPTER 1
INTRODUCTION
1.1 Overview
Today's world is growing with technology and power. The growth of the world depends on communication, which means that communication is growing exponentially. As communication grows, the need for its security grows in the same manner. In the last century, communication over the telephone was very limited; it served only short-distance communication. Today, one can handle an entire business in a different country or continent while sitting in the comfort of an office elsewhere. Here comes the role of data security. When we talk about the confidentiality of data, the best technique one can point to is cryptography.
Cryptography is the best technique to shield the integrity and confidentiality of a message stream or data transmitted over a communication channel or network. In simple words, cryptography is an algorithm that enables secure communication between the transmitter and the receiver. Cryptography consists of mathematical operations designed to guard data communication. Mainly, cryptography is based on mathematical techniques that modify the data. If the original message bits are converted into some random-looking message bits and transmitted over a communication channel, then a person who intercepts or overhears the message will not be able to figure out the exact message sent by the transmitter, because of that randomness. This randomness is obtained by applying mathematical operations such as multiplication, addition and transformation. Encryption and decryption are the backbones of the entire algorithm.


Encryption: Encryption is the process in which the message to be sent is converted into another message stream. The new message stream contains the original data bits as well as some pseudo bits that hide the original message from unwanted entities.
Decryption: Decryption is the process in which the encrypted message stream is converted back to the original message bits. The original message bits are retrieved by discarding the pseudo bits that were merged in while encrypting the original message.
A conventional cryptosystem has the following major terms:
Plaintext: The plaintext is the original message bits that are to be transferred securely between two parties.
Encryption Algorithm: The encryption algorithm executes different mathematical operations and transformations on the plaintext.
Key(s): A key is some particular critical data used by the user at the transmitter side to encrypt the data and also used by the user at the receiver side to decrypt the data.
Cipher: A cipher is an algorithm that converts the plaintext into the coded message stream by performing mathematical steps such as multiplication, addition and substitution.
Ciphertext: Ciphertext is the plaintext processed by applying the algorithm known as the cipher, using the key. In short, ciphertext is the secured message that is to be transmitted over the communication channel.
Decryption Algorithm: The decryption algorithm is the reverse algorithm that retrieves the original message bits using the ciphertext and the key.
There are two requirements for the protected use of conventional encryption:
1. Strong Encryption Algorithm
2. Security of the Key
Encryption Algorithm: We require a strong encryption algorithm, meaning an algorithm such that a person who knows the algorithm and has access to a few or more ciphertexts still cannot decipher other ciphertexts unknown to him. The strength of an encryption algorithm is defined on the basis of the level of access to the algorithm and the cipher techniques.


Security of Key: We require the very best security for the key that is being used to encrypt the data. If someone gets to know the key, can access it, and also knows the algorithm, then he can read as well as modify the whole communication. Thus, the communication is no longer private or confidential. Therefore, the users must keep the key top secret.
It is vital to keep the key secret because the confidentiality of the key matters more to private communication than the secrecy of the algorithm: if someone knows the algorithm but does not know the key, he cannot access the communication. If instead he knows the key that is being used to encrypt the message stream, then he can easily read the message, and he might also change it and send a counterfeit message to mislead the user at the other end of the communication channel. Thus, we can say that the privacy of the key is more important than the secrecy of the encryption algorithm.
Today, private key cryptosystems and public key cryptosystems are the most commonly used cryptosystems.
1.2 Private Key Cryptosystem
Figure 1: Private Key Cryptosystem (Original Data, Encryption with the Symmetric Key, Scrambled Data, Decryption with the Symmetric Key, Original Data)
Private Key: This kind of key is also known as a conventional key, single key or symmetric key. In such algorithms, symmetric ciphers are used to encrypt the message bits. The message bits are encrypted using a key, and the same key is used to decrypt the message. This means that knowledge of just one key gives both encryption and decryption. Therefore, in such a system the key must be kept secret between the end users.


Private-key encryption can provide a good level of assurance. Data encrypted using a key cannot be decrypted using another key; one needs the exact same cipher to decrypt the transferred data. Thus, if the symmetric key is kept secret between the end users, they can be sure that their communication is secured. They receive confidential and correct data as long as the communication channel works fine and the data travels unaffected.
Private-key encryption is effective only when the symmetric key is kept top secret by the end users involved in the communication. If a third person somehow identifies the key, it affects not only the confidentiality but also the data itself. A third party with knowledge of the symmetric key can not only decrypt the message, but can also send false data while mimicking one of the end users.
The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are examples of this encryption system.
1.3 RSA Public Key Cryptosystem
Figure 2: Public Key Cryptosystem (Original Data, Encryption, Scrambled Data, Decryption, Original Data)
A public-key cryptosystem is a system in which knowledge of the encryption key gives no indication of the decryption key. The public-key cryptosystem uses asymmetric ciphers. Since there are different keys to encrypt and decrypt the data, it gives more secure communication. In a public-key cryptosystem, each end user has his own private key and public key. The public key can be known by anyone. To encrypt and decrypt the message bits, both the private key and the public key are used.
The methodology depicted in the above figure lets you freely distribute a public key, and you will be able to read data encrypted using this key. To transfer data to another person, one encrypts the message stream using that person's public key, and the person receives the encrypted message. He decrypts the received message bits with the appropriate private key. This is how the whole algorithm works: data encrypted with the private key "A" can only be decrypted with the corresponding public key "B". (Private key "A" corresponds to public key "B".)
Compared with private-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data.
The CRYPTOGRAPHY METHOD, RSA and ECC are examples of this encryption system.
1.4 CRYPTOGRAPHY METHOD Public Key Cryptosystem
The public-key cryptosystem named CRYPTOGRAPHY METHOD stands for Number Theorist Research Unit. CRYPTOGRAPHY METHOD is a ring-based cryptosystem. It was set up in 1996 and turned into a fully fledged company in 2000. CRYPTOGRAPHY METHOD was recently taken over by Security Innovation, an application security company. CRYPTOGRAPHY METHOD is a comparatively new cryptographic technique that is known to be more efficient than the existing, more extensively used public-key cryptosystems like RSA. In contrast to RSA, CRYPTOGRAPHY METHOD requires approximately O(N^2) process steps and a key length of O(N), whereas RSA needs O(N^3) process steps and a key length of O(N^2). For this reason, CRYPTOGRAPHY METHOD has lower complexity and its key size scales at a slower rate. CRYPTOGRAPHY METHOD needs fewer multiplications for encryption and decryption. Hence, it can be implemented more efficiently than RSA. As a result, this cryptosystem is showing potential as a choice over the more established public-key cryptosystems.
The core of CRYPTOGRAPHY METHOD is designed over an integer ring. Key creation, encryption and decryption are the most time-consuming processes, and all of them come down to the multiplication of two polynomials defined over an integer ring (described in more detail in the following section). The time-consuming operation is the multiplication of the polynomials. If we are able to save some time on the multiplication, that is, if we speed up the multiplication process, then we obtain improved performance of the whole CRYPTOGRAPHY METHOD system. For that, it is essential to develop a software algorithm or a hardware speed-up mechanism such as pipelining. At this point, a few software and hardware implementations have been published. It is a fast-growing area in the field of communication security.
To understand the mechanism, or the process steps, of encryption and decryption in CRYPTOGRAPHY METHOD, first we need to be aware of the algorithm that controls the flow of the process and how the information gets processed in order to secure the communication between two parties. The reader should know the polynomial algebra and number theory that are used in this project to create a key, encrypt the data and decrypt the data. The polynomial concepts are described in depth in the next chapter.




CHAPTER 2
LITERATURE SURVEY
Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data.
Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data or transmit classified data to users with lower security clearances.
In 1978, Ron Rivest, Adi Shamir and Leonard Adleman introduced a cryptographic system which was essentially to replace the less secure National Bureau of Standards (NBS) algorithm. Most importantly, RSA implements a public-key cryptosystem as well as digital signatures. RSA was motivated by the published works of Diffie and Hellman from several years before, who described the idea of such an algorithm but never truly developed it.
Introduced at the time when the era of electronic email was expected to soon arise, RSA implemented two important ideas:
Public-key encryption: This idea omits the need for a "courier" to deliver keys to recipients over another secure channel before transmitting the originally intended message. In RSA, encryption keys are public, while the decryption keys are not, so only the person with the correct decryption key can decipher an encrypted message. Everyone has their own encryption and decryption keys. The keys must be made in such a way that the decryption key cannot be easily deduced from the public encryption key.
Digital signatures: The receiver may need to verify that a transmitted message actually originated from the sender (signature), and didn't just come from there (authentication). This is done using the sender's decryption key, and the signature can later be verified by anyone using the corresponding public encryption key. Signatures therefore cannot be forged. Also, no signer can later deny having signed the message.
This is not only useful for electronic mail, but for other electronic transactions and transmissions, such as fund transfers. The security of the RSA algorithm has so far been validated, since no known attempts to break it have yet been successful, mostly due to the difficulty of factoring large numbers n = pq, where p and q are large prime numbers.
Founded as NTRU Cryptosystems in 1996 by four Brown University mathematicians, NTRU is only a stone's throw from the Bay State's leader in computer security, RSA Systems. NTRU is competing with RSA, as it has the advantage of speed in the operations of key generation, encryption and decryption.
This project will further investigate the throughput performance of the RSA encryption algorithm using modular polynomial multiplication. This system was designed using Verilog.


CHAPTER 3
POLYNOMIAL ALGEBRA AND NUMBER THEORY

Modular Arithmetic
Modular arithmetic is simply division with remainder, where you keep the remainder and throw everything else away. For example,
$$a \equiv b \pmod m$$
simply means that a, when divided by m, leaves the remainder b. This is the same as saying that the difference a − b is a multiple of m. The integer m is called the modulus of the congruence.
Truncated Polynomial Rings
The principal objects used by the CRYPTOGRAPHY METHOD are polynomials of degree N − 1 having integer coefficients:
$$a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + \dots + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}.$$
The coefficients $a_0, \dots, a_{N-1}$ are integers. Some of the coefficients are allowed to be 0.
The set of all such polynomials is denoted by R.
The polynomials in R are added together in the usual way, by simply adding their coefficients:
$$a + b = (a_0 + b_0) + (a_1 + b_1) X + \dots + (a_{N-1} + b_{N-1}) X^{N-1}.$$
They are also multiplied in almost the usual manner, with one change. After doing the multiplication, the power $X^N$ should be replaced by 1, the power $X^{N+1}$ should be replaced by X, the power $X^{N+2}$ should be replaced by $X^2$, and so on [3].
Example: Suppose N = 3, and take the two polynomials $a = 2 - X + 3X^2$ and $b = 1 + 2X - X^2$. Then
$$a + b = (2 - X + 3X^2) + (1 + 2X - X^2) = 3 + X + 2X^2$$
and
$$a * b = (2 - X + 3X^2)(1 + 2X - X^2) = 2 + 3X - X^2 + 7X^3 - 3X^4 = 2 + 3X - X^2 + 7 - 3X = 9 - X^2.$$
The following is the general formula for multiplying polynomials in R:
$$a * b = c_0 + c_1 X + c_2 X^2 + c_3 X^3 + \dots + c_{N-2} X^{N-2} + c_{N-1} X^{N-1},$$
where the k-th coefficient $c_k$ is given by the formula
$$c_k = a_0 b_k + a_1 b_{k-1} + \dots + a_k b_0 + a_{k+1} b_{N-1} + a_{k+2} b_{N-2} + \dots + a_{N-1} b_{k+1}.$$
In modern terminology, R is called the ring of truncated polynomials $\mathbb{Z}[X]/(X^N - 1)$.
The CRYPTOGRAPHY METHOD PKCS uses the ring of truncated polynomials R combined with the modular arithmetic described earlier. These are combined by reducing the coefficients of a polynomial a modulo an integer q. Thus the expression a (modulo q) means to reduce the coefficients of a modulo q; that is, divide each coefficient by q and take the remainder.


To make storage and computation easier, it is convenient to just list the coefficients of a polynomial without explicitly writing the powers of X. For example, the polynomial
$$a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + \dots + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}$$
is conveniently written as the list of N numbers $a = (a_0, a_1, a_2, \dots, a_{N-2}, a_{N-1})$.
Note that zeros should be included in the list if some of the powers of X are missing. For example, when N = 7 the polynomial $a = 3 + 2X^2 - 3X^4 + X^6$ is stored as the list (3, 0, 2, 0, −3, 0, 1). But if N = 9, then a would be stored as the list (3, 0, 2, 0, −3, 0, 1, 0, 0).
Inverses in Truncated Polynomial Rings
The inverse modulo q of a polynomial a is a polynomial A with the property that
$$a * A \equiv 1 \pmod q.$$
Not every polynomial has an inverse modulo q, but it is easy to determine whether a has an inverse, and to compute the inverse if it exists.
Example: Take N = 7, q = 11, $a = 3 + 2X^2 - 3X^4 + X^6$.
The inverse of a modulo 11 is $A = -2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6$, since
$$(3 + 2X^2 - 3X^4 + X^6)(-2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6) = -10 + 22X + 22X^3 - 22X^6 \equiv 1 \pmod{11}.$$



CHAPTER 4
DESIGN OF CRYPTOGRAPHY METHOD PKCS
This section explains the architecture of the CRYPTOGRAPHY METHOD system built in this project, starting from the smallest unit in the design and moving up to the bigger blocks. The CRYPTOGRAPHY METHOD system basically consists of three blocks: Key Creator, Encryptor and Decryptor. All three blocks use polynomial multiplication, and hence it is important to choose a fast multiplication algorithm that multiplies the polynomials quickly, yielding an effective design.
4.1 CRYPTOGRAPHY METHOD Multiplier Design
CRYPTOGRAPHY METHOD is based on polynomial additions and multiplications in the ring $R = \mathbb{Z}[X]/(X^N - 1)$, as explained earlier. Polynomial multiplication is the cyclic convolution of two polynomials, denoted by '*'. The CRYPTOGRAPHY METHOD multiplier designed here has a scalable architecture; to explain this architecture, we shall consider the following parameter values: p = 3, q = 256, N = 5.
The partial product array shown below is parallel in nature: since the polynomials in the multiplication are all reduced modulo $X^N - 1$, every partial product term exceeding degree $X^{N-1}$ is, after reduction modulo $X^N - 1$, added back into the lower portion of the partial product array. Look at the illustration below.
Since each partial product term is reduced modulo q, carry propagation is confined within each column and does not cross columns. This eliminates the need to propagate a carry across columns.
Consider
$$a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + a_4 X^4 \quad (\text{each } a_i \text{ is an 8-bit coefficient, since } q = 256)$$
and
$$b = b_0 + b_1 X + b_2 X^2 + b_3 X^3 + b_4 X^4 \quad (\text{each } b_i \text{ is a 2-bit coefficient, since } p = 3).$$
Now consider the multiplication $a * b$.


Figure 3: Polynomial Multiplication [2]
Thus, the above partial product array gets simplified to the array shown below:
Figure 4: Partial Product Array
For partial product column k, a single processing unit (PU), which will be explained later, performs the following operation:
$$c[k] = c[k] + a[i] * b[j] \pmod q, \quad \text{where } j = 0, 1, \dots, N-1 \text{ and } i = (k - j) \bmod N.$$
This PU consists of one coefficient multiplication, one coefficient addition and a reduction modulo q. Each of the "boxed" partial product terms needs one PU for its computation, and from the figure above we see that for a given column we need 5 PUs to compute the product coefficient.
The next section explains the design of the Processing Unit (PU).
4.2 Processing Unit
The Processing Unit (PU) is the heart of the CRYPTOGRAPHY METHOD multiplier; it performs the coefficient operation $c[k] = c[k] + a[i] * b[j] \pmod q$ [2].
We know that b[j], the multiplicand, is a 2-bit coefficient taking one of the values {−1, 0, 1}, and that a[i], the multiplier, is any 8-bit coefficient, since it is reduced mod q (= 256). c[k], the product coefficient, is also 8 bits wide, since it is reduced mod q (= 256) as well.
Figure 5: Processing Unit [8]
The PU consists of a coefficient multiplier and an adder, both of which incorporate the reduction modulo q. The components of the processing unit consist solely of combinational logic and do not depend on a rising clock edge. The coefficient multiplier computes the $M = a[i] * b[j] \pmod q$ portion of the operation. The main hardware consists of eight 2-by-1-bit multipliers, each of which was designed to behave according to the truth table shown on the next page.
Note that:
$a[i]_0$ = bit 0 of the 8-bit a[i] coefficient
$b[j]_0$ = bit 0 of the 2-bit b[j] coefficient
$b[j]_1$ = bit 1 of the 2-bit b[j] coefficient
$X_i$ = result of the multiplication of $a[i]_0$ and b[j]
Table 1: PU Truth Table [2]
X is nothing but the don't-care case.
In the above truth table the values marked by * may seem odd; this is explained below.
This design interprets the 2-bit representation of b[j] differently from its decimal equivalent, according to the table shown below.
Table 2: PU Integer Value [2]
So for the case $b[j] = (11)_2 = -1$, it is necessary that $a[i]_0$ be converted into its 2's complement representation in order for the adder to subtract. However, to keep the design simple, the multiplier only inverts the value of $a[i]_0$. The two's complement conversion is completed by setting the carry-in of the adder to '1'. This is accomplished by the AND gate shown in Figure 3.
For the case $b[j] = (10)_2 = 2$, it should be noted that this operation is not performed by the main hardware of the multiplier, as indicated by the don't-care (X) condition in the table. Hence, a multiplexer is needed to pass the left-shifted value of $a[i]_0$ when b[j] = 2; otherwise, for the other 3 combinations of b[j], X is passed to M.
The reduction modulo q portion of the equation is handled by ignoring any carries that exceed the 8-bit boundary, which would only occur for the case b[j] = 2.
The Karnaugh map for the truth table of X[i] is as follows:
Table 3: PU K-map [2]
This gives us the expression for all the X[i]s.
As shown in Figure 4 on the next page, if $b[j] = (10)_2$, the output of the AND gate is 1, which makes the selector input of the multiplexer 1, and the left-shifted (doubled) value of $a_{6..0}[i]$ appears at the output of the multiplexer; otherwise the value of X appears at the output of the multiplexer.
Finally, the output of the multiplexer, M, is passed on to the 8-bit adder for accumulation, which is responsible for computing c[k] = M + c[k]. Again, the reduction modulo q portion of the equation is handled by ignoring any carries that exceed the 8-bit boundary.
The 8-by-8 bit adder is a full adder with the final carry-out ignored.


Figure 6: 8-bit Full Adder

Figure 7: Coefficient Multiplier

4.3 CRYPTOGRAPHY METHOD Multiplier or PM (Polynomial Multiplier)
Now that the operation of the PU has been fully understood, the next block to be studied in detail is the CRYPTOGRAPHY METHOD Multiplier (also referred to as the Polynomial Multiplier or PM).
This block consists of the COEFF, SHIFTER and COUNTER blocks.
Figure 8: CRYPTOGRAPHY METHOD Multiplier Design
4.3.1 Coefficient:
From the above figure, we see that each column can be processed independently. In this case, each column of partial products consists of 5 PUs, i.e. the number of PUs needed for a given column = N. The output of each PU is fed as the input carry to the one below it, and finally we arrive at the coefficient of that column. In this case, since the product is also reduced mod q, this coefficient c[k] is 8 bits too.
4.3.2 Shifter and counter
From the above figure, we see that in each column the order in which $b_0, b_1, b_2, b_3, b_4$ are listed is the same; it is the values $a_0, a_1, a_2, a_3, a_4$ that change their sequence (look at the direction of the arrows). This capability has been implemented using a barrel shifter, which shifts the multiplier coefficients that are input to the PM such that the partial products of the next column are computed in the correct order. The size of this shifter is 8 × 5 = 40 bits, i.e. (bits per coefficient) × N.
To determine how many times the shift needs to be performed, a counter has been designed. This counter increments with each shift and goes to zero when the shifting has to stop. In this case, we have to shift the coefficients of the multiplier 5 times, which means the counter needs to be a 3-bit counter, i.e. a $\log_2 N$-bit counter. Since each coefficient of the multiplier is 8 bits long, each shift rotates the multiplier by 8 bits.
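As an added example (not the report's Verilog), the following Python models the PU and the column-wise PM of sections 4.1 to 4.3 at the bit level for p = 3, q = 256, N = 5: the 2-bit b[j] codes of Table 2, the invert-plus-carry-in trick for b[j] = −1, the multiplexer path for b[j] = 2, the 8-bit adder that drops its final carry, and the 40-bit barrel shifter rotated by 8 bits per column. The coefficient values are constructed and the function names are mine.

```python
# Added example (not the report's Verilog): a bit-level software model of the
# report's Processing Unit (PU) and column-wise Polynomial Multiplier (PM) for
# p = 3, q = 256, N = 5.  The 2-bit codes for b[j], the invert-plus-carry-in
# trick for b[j] = -1, the multiplexer for b[j] = 2 and the 8-bit adder that
# drops its final carry follow the text; the numeric inputs are constructed.

BITS = 8                 # coefficient width: q = 256
MASK = (1 << BITS) - 1   # keeping 8 bits is the "reduction modulo q"

# Table 2: the PU reads the 2-bit pattern of b[j] as 00 -> 0, 01 -> 1, 10 -> 2, 11 -> -1
B_CODE = {0: 0b00, 1: 0b01, 2: 0b10, -1: 0b11}


def coefficient_multiplier(a_i, b_code):
    """Compute M = a[i] * b[j] (mod 256) the way the hardware does.

    Returns (M, carry_in): for b[j] = (11)_2 = -1 the multiplier only inverts
    a[i]; the adder's carry-in, set to 1 by the AND gate, completes the two's
    complement, so the adder ends up subtracting a[i]."""
    assert 0 <= a_i <= MASK, "a[i] must already be reduced mod 256"
    b1, b0 = (b_code >> 1) & 1, b_code & 1
    if b1 and b0:                       # b[j] = -1: bitwise invert, carry-in = 1
        return (~a_i) & MASK, 1
    if b1:                              # b[j] = 2: multiplexer passes a[i] << 1,
        return (a_i << 1) & MASK, 0     # the bit pushed past bit 7 is dropped
    if b0:                              # b[j] = 1: pass a[i] through
        return a_i, 0
    return 0, 0                         # b[j] = 0


def processing_unit(c_k, a_i, b_code):
    """One PU: c[k] = c[k] + a[i]*b[j] (mod q), final carry-out ignored."""
    m, carry_in = coefficient_multiplier(a_i, b_code)
    return (c_k + m + carry_in) & MASK


def pack(coeffs):
    """Lay N coefficients into one word, coefficient j at bits [8j, 8j+8)."""
    word = 0
    for j, v in enumerate(coeffs):
        word |= (v & MASK) << (BITS * j)
    return word


def rotate_left(word, width, shift):
    """Barrel shifter: rotate a `width`-bit word left by `shift` bits."""
    full = (1 << width) - 1
    return ((word << shift) | (word >> (width - shift))) & full


def polynomial_multiplier(a, b):
    """Cyclic convolution a * b mod 256, computed column by column as in
    Figure 4: b[0..N-1] stays in fixed order and the a coefficients are
    rotated by 8 bits per column, so PU j sees a[(k - j) mod N] * b[j]."""
    n = len(a)
    width = BITS * n                                   # shifter size: 8 * 5 = 40
    shifter = pack([a[(-j) % n] for j in range(n)])    # ordering for column 0
    b_codes = [B_CODE[v] for v in b]
    c = []
    for _ in range(n):                                 # counter: one shift per column
        acc = 0
        for j in range(n):                             # N PUs chained down the column
            a_i = (shifter >> (BITS * j)) & MASK
            acc = processing_unit(acc, a_i, b_codes[j])
        c.append(acc)
        shifter = rotate_left(shifter, width, BITS)
    return c


# Constructed sample: a has 8-bit coefficients, b is ternary (N = 5).
SAMPLE_A = [200, 17, 3, 255, 64]
SAMPLE_B = [1, -1, 0, 1, 0]

if __name__ == "__main__":
    print(polynomial_multiplier(SAMPLE_A, SAMPLE_B))   # [139, 72, 50, 196, 82]
```

For the sample inputs each product coefficient is $c_k = a_k - a_{k-1} + a_{k-3}$ with indices mod 5 and the result taken mod 256, which is what the chained PUs produce; the model makes the two places where the 8-bit boundary does the modular reduction explicit (the doubled value for b[j] = 2 and the adder's dropped carry-out), so a change to either can be tested against the plain ring formula of Chapter 3.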
4.4 Key Creator:
This block creates the public key 'h' for each CRYPTOGRAPHY METHOD user. The public key is given as
$$h = p \cdot f_q * g \pmod q, \quad \text{where } p = 3.$$
This computation is done with two blocks: the Constant Multiplier and the Polynomial Multiplier (PM).
Constant multiplier (CM): multiplies each coefficient of the polynomial $f_q$ by the constant p.
Polynomial multiplier: multiplies two polynomials as described above (the output of the CM with g), reduces the output modulo q and so generates the public key h.
Figure 9: Key Creator


4.5 CRYPTOGRAPHY METHOD Encryptor:
This block computes the encrypted message for secure data exchange. The encrypted message is given as
$$e = r * h + m \pmod q,$$
where r is the randomly selected polynomial, h is the public key and m is the message to be encrypted.
PM: multiplies the polynomials r and h.
Coefficient adder: adds the output of the PM to the message m, generating the encrypted message e.
Figure 10: CRYPTOGRAPHY METHOD Encryptor
4.6 CRYPTOGRAPHY METHOD Decryptor:
This block performs the final and most important operation of the system, decrypting the received encrypted message. The process is as follows:
Step 1: $a = f * e \pmod q$
Step 2: Shift the coefficients of a from $[0, q-1]$ to $[-q/2, q/2]$
Step 3: $b = a \pmod p$
Step 4: $c = f_p * b \pmod p$
Decryption basically involves polynomial multiplication and reduction of the product mod p. Polynomial multiplication only performs mod q on the product, and hence we design another block that performs mod p on the output of the PM.


Figure 11: Mult_Mod
The mult_mod block is the basic block of the decryption process.
Steps 1 to 3 are performed by one mult_mod block, i.e. the polynomials f and e are multiplied and the product is reduced mod p.
For example, if the result of the multiplication $f * e \bmod q$ is
$$a = 3 - 7X - 10X^2 - 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 - 3X^9 - 7X^{10} \pmod{256},$$
the mult_mod block returns
$$b = -X - X^2 + X^3 + X^4 + X^5 + X^7 - X^8 - X^{10} \pmod 3$$
[3 mod 3 = 0, −7 mod 3 = −1, −10 mod 3 = −1, −11 mod 3 = 1, 10 mod 3 = 1, 7 mod 3 = 1, 6 mod 3 = 0, etc.]
Next, Step 4, $c = f_p * b \pmod p$, is performed by another mult_mod block. The output of the previous mult_mod block and $f_p$ are given as inputs to this block, which again performs polynomial multiplication followed by mod p on the product. The result is the final decrypted message! This message should be equal to the message initially sent.
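The ring arithmetic of Chapter 3 and the Key Creator, Encryptor and Decryptor of sections 4.4 to 4.6 (including the mult_mod block) can be checked end to end in software. The following Python is an added example, not the report's code: polynomials are coefficient lists as in Chapter 3, the inverse is computed by solving the circulant linear system a * A = 1 modulo q (my choice of method, which handles q = 11, 3 and 256 alike), and the parameters N = 7, p = 3, q = 256 together with the ternary f, g, r and m are constructed for illustration. The constant and function names are mine.

```python
# Added example, not the report's code: arithmetic in the truncated polynomial
# ring R = Z[X]/(X^N - 1) with coefficients reduced mod an integer, and the
# Key Creator / Encryptor / Decryptor steps of Chapter 4 built from it.
# Polynomials are coefficient lists (a_0, ..., a_{N-1}) as in Chapter 3.
# The inverse routine (Gaussian elimination on the circulant system) is my
# choice, not the report's; the sample f, g, r, m below are constructed.
from math import gcd


def poly_add(a, b, q=None):
    """Coefficient-wise addition; reduce mod q when q is given."""
    c = [x + y for x, y in zip(a, b)]
    return [x % q for x in c] if q else c


def poly_mul(a, b, q=None):
    """Cyclic convolution: X^N -> 1, X^(N+1) -> X, ... (the ring's '*')."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return [x % q for x in c] if q else c


def center(a, q):
    """Shift coefficients from [0, q) into [-q/2, q/2) (Step 2 of decryption)."""
    return [((x + q // 2) % q) - q // 2 for x in a]


def poly_inverse(a, q):
    """Return A with a * A = 1 (mod q) in R, or raise if none exists.

    (a*A)_k = sum_j a[(k-j) mod N] * A[j] is a linear system with a circulant
    matrix; solve it mod q, always pivoting on an entry that is a unit mod q.
    That works for prime q (11, 3) and for q = 2^k (256) alike."""
    n = len(a)
    m = [[a[(k - j) % n] % q for j in range(n)] + [int(k == 0)] for k in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if gcd(m[r][col], q) == 1), None)
        if piv is None:
            raise ValueError("no inverse modulo %d" % q)
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [(x * inv) % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % q for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]


def mult_mod(x, y, q, p):
    """The report's mult_mod block: multiply mod q, center-lift, reduce mod p."""
    a = center(poly_mul(x, y, q), q)
    return center([v % p for v in a], p)


def key_creator(f, g, p, q):
    """h = p * f_q * g (mod q); also returns f_p for the decryptor."""
    f_p, f_q = poly_inverse(f, p), poly_inverse(f, q)
    h = poly_mul([p * v for v in f_q], g, q)      # constant multiplier, then PM
    return h, f_p


def encryptor(m, r, h, q):
    """e = r * h + m (mod q)."""
    return poly_add(poly_mul(r, h, q), m, q)


def decryptor(e, f, f_p, p, q):
    """Steps 1-3 in one mult_mod block, Step 4 in a second one."""
    b = mult_mod(f, e, q, p)
    return mult_mod(f_p, b, p, p)


# Constructed parameters: N = 7, p = 3, q = 256; f, g, r, m ternary.
N, P, Q = 7, 3, 256
F = [1, 1, 1, -1, -1, 0, 0]
G = [1, 0, -1, 0, 1, -1, 0]
R = [-1, 0, 1, 1, 0, 0, -1]
MSG = [1, -1, 0, 0, 1, 0, -1]


def round_trip(m=MSG):
    """Create keys, encrypt m, decrypt it; returns (e, recovered m)."""
    h, f_p = key_creator(F, G, P, Q)
    e = encryptor(m, R, h, Q)
    return e, decryptor(e, F, f_p, P, Q)


if __name__ == "__main__":
    print(round_trip())
```

Running it reproduces the page's small checks: a + b = 3 + X + 2X² and a * b = 9 − X² for N = 3, the inverse of 3 + 2X² − 3X⁴ + X⁶ modulo 11, and the centered reduction mod 3 of the decryptor example. The round trip recovers m because every coefficient of p·r*g + f*m stays far inside [−128, 128) for these small ternary inputs, which is exactly what Step 2's centering relies on; with larger N or non-ternary polynomials that bound has to be checked, otherwise a wrapped coefficient produces a decryption failure.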



Figure 12: CRYPTOGRAPHY METHOD Decryptor
4.7 CRYPTOGRAPHY METHOD PKCS
A block diagram of the entire cryptosystem, with the inputs and outputs of the three main blocks discussed above, can be drawn as:
Figure 13: CRYPTOGRAPHY METHOD PKCS

Chapter 5
RSA
Security of information is a national security issue in addition to being of commercial importance. It is very important to test the security of the encryption methods in use, such as the RSA encryption technique. RSA represents a class of encryption methods called public key systems, where a key, n, is publicly known. We have developed an original method of factoring the public key n to find the prime numbers p and q, which effectively allows us to break the encryption. We show that the method is efficient when p and q are close. The number of trials needed to factor the public key is quadratic and is given by
$$\frac{(p - q)^2}{8\sqrt{n}}.$$
We wrote a computer program using the C++ language. The program can handle integers of any length, which is necessary since the RSA method usually uses huge integers, larger than 100 digits.


5.1 The History of Cryptography
The use of encryption can be traced back to 2000 BC, to the Egyptians and their use of hieroglyphics. Hieroglyphics were meant to be cryptic; however, they were not intended to hide text. Rather, they were used for kings because they were thought to look more regal and prestigious. Much like the Egyptians, the Mayans also used a language system based on pictures. These early encrypted languages served as a basis of communication rather than a means of concealing information. Julius Caesar and his substitution cipher, the Caesar Cipher, is one of the earliest encryptions that had the sole purpose of concealing information, as he used it to protect private communications between Roman legions scattered over Europe, Africa and the Middle East. The Caesar Cipher, as previously stated, was a substitution or additive cipher that worked by replacing each letter of the alphabet with the third letter that came after it. Similar to Caesar's Cipher, the One Time Pad, developed by AT&T engineer Gilbert Vernam, was also an additive cipher. Developed to aid the war effort, as most advancements in cryptology were, the One Time Pad was used as a new, perfect security to replace the failed codebook system. With this system each plaintext is enciphered using an additive cipher shift, but the catch, and the element that made this system so secure, was that for every letter the shift is different, hence the name One Time.
During the nineteenth century an approach using statistics was favored. Using the average frequency of each letter of the alphabet, codebreakers were able to devise a system in which they would go through a document, count the letter frequencies and then compare them to those of the alphabet. Throughout history dozens of advancements were made. The Arabs, Greeks, English and Americans all came up with their own ciphering methods that were more or less effective.
5.2 Introduction
RSA, named after its inventors (Rivest, Shamir and Adleman), is an encryption system made public in the mid seventies. Since RSA's advent, the government and big businesses have used the system to encrypt some of their most sensitive information. Today, with so much of the world's population owning a computer and using the internet, it was only a matter of time before the internet branched out and became the world's forum for marketing. In today's society it has become second nature for people to shop over the internet. There are no limits as to what type of business one can find. One can buy a car, do one's banking, find clothing, purchase food, or find and purchase a home. The list has really become endless. However, the comfort of shopping at home does come at a price: security. Home addresses, social security numbers, telephone numbers, full names, background history as well as credit card numbers are all information that a consumer can be required to send over the internet in order to make purchases. This very personal and sensitive information, in the wrong hands, could mean a major disruption of a person's life. Lately, there have been numerous news reports of hackers breaking into the hard drives of big businesses and even the government. Security is an issue of major importance right now. With so many businesses relying on the inability to decode RSA, it is important to test the strength of this encryption program.
4. Statement of the problem
The problem we are investigating concerns finding a method to break an RSA encryption. We assume that we know the public key n for an RSA encryption and we try to find the two prime factors p and q such that n = p × q. We first describe the RSA encryption method, then we explain our method of solution.
5. The RSA public-key cryptosystem


A user (say, Alice) of the RSA public-key cryptosystem selects two large primes p and q, and computes their product n, which is known as her public modulus. She also selects an integer e > 2 such that
$$\gcd(e, (p - 1)(q - 1)) = 1 \qquad (1)$$
e is known as her encryption exponent. Alice publishes the pair (e, n) as her public keys. She then computes d, her decryption exponent, using the Euclidean algorithm, such that
$$de \equiv 1 \pmod{\phi(n)} \qquad (2)$$
where
$$\phi(n) = (p - 1)(q - 1) \qquad (3)$$
$\phi(n)$ is referred to as Euler's totient function,
$$\phi(n) = |\{a : 0 < a < n \text{ and } \gcd(a, n) = 1\}|,$$
which for n = pq is $\phi(n) = (p - 1)(q - 1)$. Actually, eq. (2) can be improved slightly to
$$de \equiv 1 \pmod{\mathrm{lcm}(p - 1, q - 1)}.$$
After solving for d, she retains the pair (d, n) as her private keys.


Another user (say, Bob) can send Alice an encrypted message M, where 0 < M < n, by sending her the ciphertext
    C = M^e (mod n)                                                  (4)
computed using Alice's public key (e, n). When Alice receives C she can decipher it using the equation
    M = C^d (mod n)                                                  (5)
computed using her private key (d, n). Since no one but Alice possesses d, no one but Alice should be able to compute M from C.
A text message would first be transformed to a number before the RSA cryptosystem could be used. For example,
(1) Suppose Alice chooses the primes p = 17 and q = 11, and the exponent e = 7. Normally, these primes would be much larger.
(2) That means n = p × q = (17)(11) = 187. She then publishes her public key (n, e), which is now n = 187 and e = 7.
(3) Bob wishes to send the letter "X" securely to Alice, which is 88 in ASCII. He looks up her public key and encrypts his message:
    C = M^e mod n = 88^7 mod 187 = 11
Thus, he sends the encrypted message C = 11 to Alice.
(4) Alice now wants to decrypt Bob's message. She first finds her decryption exponent as follows:
    d·e ≡ 1 (mod (p − 1)(q − 1))
    d × 7 ≡ 1 (mod (17 − 1)(11 − 1))
    d × 7 ≡ 1 (mod 160)
    d × 7 = 161
    d = 23
(d is found using the extended Euclidean algorithm.)
(5) Decrypting Bob's message is now simple:
    M = C^d mod n = 11^23 mod 187 = 88 = "X" in ASCII
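The key generation and message flow above, as an added worked example in Python (not code from the original report): it derives d with the extended Euclidean algorithm for both the φ(n) and λ(n) variants, rejects an e that is not coprime to (p − 1)(q − 1), and reproduces the page's numbers (p = 17, q = 11, e = 7, M = 88, C = 11, d = 23). The function names are the example's own.

```python
"""RSA key generation, encryption and decryption on the page's toy parameters.

Added example; the toy numbers (p = 17, q = 11, e = 7) are far too small for
real use and serve only to make the arithmetic checkable by hand.
"""
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Inverse of a modulo m; ValueError when gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def keygen(p, q, e, use_lambda=False):
    """Return (public, private) = ((e, n), (d, n)).

    d is the inverse of e modulo phi(n) = (p-1)(q-1), eq. (2), or modulo
    lambda(n) = lcm(p-1, q-1) when use_lambda is set (the smaller modulus the
    text mentions). Both give a working d; lambda gives the smallest one.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    order = phi // gcd(p - 1, q - 1) if use_lambda else phi
    if e <= 1 or gcd(e, order) != 1:
        raise ValueError("e must exceed 1 and be coprime to (p-1)(q-1)")
    return (e, n), (modinv(e, order), n)


def encrypt(m, public):
    """C = M^e mod n, eq. (4); M must already be an integer in (0, n)."""
    e, n = public
    if not 0 < m < n:
        raise ValueError("message must be an integer in (0, n)")
    return pow(m, e, n)


def decrypt(c, private):
    """M = C^d mod n, eq. (5)."""
    d, n = private
    return pow(c, d, n)


if __name__ == "__main__":
    public, private = keygen(17, 11, 7)
    c = encrypt(ord("X"), public)          # 88^7 mod 187 = 11
    print(public, private, c, chr(decrypt(c, private)))
```

The λ(n) variant gives the same d = 23 here because 23 is already below λ(n) = 80; for larger keys it usually yields a shorter exponent and therefore a cheaper decryption, which is why standards such as FIPS 186 define d modulo λ(n).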
6. Breaking the RSA cryptosystem
For an encrypted message to be safe, p, q, e, and even the message itself, must be large in order to protect against someone decrypting it. With sufficiently large values of p and q, factoring n with any known method is computationally infeasible. For a cryptanalyst (say, Eve) to crack an encrypted message, she must first know p or q. To do this, she must factor Alice's public modulus n, since
    n = p × q.
7. Previous attempts to factor n
There are various methods used to factor n. The obvious approach would be trial division: divide n by every odd integer up to √n until either p or q is found. This method is inadequate, due to the enormous time it would take to factor large numbers.¹ Therefore, cryptanalysts needed a faster, more efficient way to factor n. All current methods to factor n depend on a "condition" to be able to finish in a feasible amount of time. For example,
1.) Algorithms whose running time depends mainly on the size of n
2.) Algorithms whose running time depends mainly on the size of p and the size of q
3.) Algorithms whose running time depends on the size of p − 1, p − 2, or p + 1
4.) Algorithms whose running time depends on the "closeness" of p and q
As seen later, our proposed method is based on condition four.
Since the RSA system was invented, people have been trying to find efficient methods to factor n. Some of these are:
¹ At n ≈ 10^308, the combined effort of a hundred million personal computers would take more than one thousand years to crack such a cipher by trial division.
7.1 Pollard's p − 1 Method for Factoring
Pollard's p − 1 method is a technique for splitting a given composite number n that is divisible by at least two distinct primes, using any given multiple m of p − 1, for some prime factor p of n.
1. Choose an element a at random from U = {1, 2, ..., n − 1}.
2. Compute d = gcd(a, n). If d > 1, report that d is a factor of n and halt.
3. Compute x ≡ a^m (mod n).
4. Compute d = gcd(x − 1, n). If 1 < d < n, report that d is a factor of n and halt. (When x = 1 this gcd is n itself, which is no use; that case is handled by step 5.)
5. If x = 1 and m is even, set m ← m/2 and return to step 3.
6. Report failure to find a factor. Halt.
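Steps 1 to 6 above as an added Python example (not code from the report). The multiple m is taken as lcm(1, ..., B) for a smoothness bound B, so the method succeeds exactly when p − 1 (or q − 1) has no prime-power factor above B; the toy moduli and the function names are the example's own.

```python
"""Pollard's p - 1 method, following steps 1-6 of the text.

Added example. m = lcm(1, ..., B) is a multiple of p - 1 whenever every
prime-power factor of p - 1 is at most B (p - 1 is "B-powersmooth").
"""
from math import gcd
import random


def smooth_multiple(B):
    """m = lcm(1, 2, ..., B)."""
    m = 1
    for k in range(2, B + 1):
        m = m * k // gcd(m, k)
    return m


def pollard_p_minus_1(n, B, a=None, rng=random):
    """Return a nontrivial factor of n, or None when the method fails for this a and B.

    a is the random base of step 1 (pass a fixed value for reproducibility).
    Step 5's halving of m is applied whenever a^m = 1 (mod n), which would
    otherwise give the useless gcd(0, n) = n.
    """
    if n % 2 == 0:
        return 2                                # trivial; the method assumes odd n
    if a is None:
        a = rng.randrange(2, n - 1)            # step 1
    d = gcd(a, n)                               # step 2
    if d > 1:
        return d
    m = smooth_multiple(B)
    while True:
        x = pow(a, m, n)                        # step 3
        d = gcd(x - 1, n)                       # step 4
        if 1 < d < n:
            return d
        if x == 1 and m % 2 == 0:               # step 5
            m //= 2
            continue
        return None                             # step 6


if __name__ == "__main__":
    # 187 = 17 * 11: q - 1 = 10 divides lcm(1..5) = 60 but p - 1 = 16 does not,
    # so a^60 = 1 (mod 11) only and the gcd isolates 11.
    print(pollard_p_minus_1(187, B=5, a=2))     # 11
    # 1403 = 23 * 61: 60 = 61 - 1 is 5-powersmooth, 22 = 2 * 11 is not.
    print(pollard_p_minus_1(1403, B=5, a=2))    # 61
```

With B = 16, lcm(1..16) is a multiple of both 16 and 10, so x = 1 on the first pass and step 5 halves m twice before the factor 11 appears; with B = 4 neither p − 1 nor q − 1 divides m and the method reports failure. This is the "condition" of category 3 in the list above: the running time depends on the smoothness of p − 1, not on the size of n.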
7.2 The Elliptic Curve Method for Factoring
A generalization of the p − 1 method, the elliptic curve method is considered one of the most efficient methods of factoring. We will not discuss the theory of the method here, but will mention that the success of the elliptic curve method depends on the likely situation that an integer "close to" p (the order of an elliptic curve group modulo p) has only "small" prime factors.
7.3 Cycling Attacks
Not involving any factorization of n, this method takes an encrypted message C and repeatedly re-encrypts it with the public key,
    C_0 = C,   C_{k+1} = C_k^e mod n,
until the original ciphertext C reappears; the value obtained one step earlier is the plaintext M, since M^e mod n = C.
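The cycling attack as an added example (not from the report): on the toy key of section 5 (n = 187, e = 7) it recovers M = 88 from C = 11 after two re-encryptions. The step bound and the function name are the example's own.

```python
"""Cycling attack on RSA: re-encrypt the ciphertext until it recurs.

Added example. Because x -> x^e mod n is a permutation of Z_n (e is invertible
modulo lambda(n)), the sequence C, C^e, C^(e^2), ... is periodic and returns
to C; the element just before it is M, since M^e = C. The period is normally
astronomically large for sound parameters, so this is a check against toy or
badly chosen keys, not a practical attack on real ones.
"""


def cycling_attack(n, e, c, max_steps=1_000_000):
    """Return (m, steps) when the cycle closes within max_steps, else None."""
    prev, cur = c, pow(c, e, n)
    steps = 1
    while cur != c:
        if steps >= max_steps:
            return None
        prev, cur = cur, pow(cur, e, n)
        steps += 1
    return prev, steps


if __name__ == "__main__":
    print(cycling_attack(187, 7, 11))   # (88, 2): 11 -> 88 -> 11
```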
8. Our Method of Solution
Our proposed method utilizes the two defining equations
    n = p × q                                                        (1)
    φ(n) = (p − 1)(q − 1)                                            (2)
where p and q are prime numbers. The number n is the public modulus and φ(n) is Euler's totient function. Substituting q = n/p from eq. (1) into eq. (2) we have
    φ(n) = (p − 1)(n/p − 1)
    φ(n) = n − p − n/p + 1
    φ(n)·p = n·p − p² − n + p
    0 = p² − (n − φ(n) + 1)·p + n                                      (3)
Using the solution for a quadratic equation we get
    p, q = [ (n − φ(n) + 1) ± √((n − φ(n) + 1)² − 4n) ] / 2            (4)
Hence, the difference between p and q is
    |p − q| = √((n − φ(n) + 1)² − 4n)
Note that n − φ(n) + 1 = p + q. Therefore, if we set L to half of this quantity,
    L = (1/2)(n − φ(n) + 1) = (p + q)/2,
and j equal to half the difference between p and q, j = (1/2)(p − q), we get
    j² = (1/4)(n − φ(n) + 1)² − n
    j = ±√(L² − n)                                                     (5)
Thus, we need to find L such that L² − n is a perfect square. It is more convenient to write L as (m + r), where m = Int(√n). Hence, the working equation is
    j = ±√((m + r)² − n),   r ∈ {0, 1, 2, ..., √n}                     (6)
When the correct value for r is found, (L² − n) will be a perfect square. Both p and q can now be found:
    p, q = (m + r) ± √((m + r)² − n),   where m = Int(√n)               (7)
The maximum number of trials needed can be estimated in terms of p and q by rewriting eq. (6) as
    n + j² = (m + r)²
and
    r = √(n(1 + j²/n)) − m
We may assume j²/n ≪ 1, hence we can use the binomial series expansion of the square root, so that
    r ≈ (√n − Int(√n)) + j²/(2√n)
Since j = (p − q)/2 and n = p × q, and the first term is less than 1, we have
    r ≈ (p − q)²/(8√n)                                                 (8)
For example, if (p − q) ≈ 0.001 p, then r ≈ 0.0000001 p. If p is a 100-digit prime and (p − q) is a 40-digit number, then r ≈ 10^(−21), so r = 0 or 1, which means the solution is found in at most one trial. In conclusion, our method is efficient only for primes p and q that are close to each other: by eq. (8) the number of trials grows with the square of (p − q), and it stays of order 1 only while (p − q) is of the order of n^(1/4) or less.
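The search of eqs. (5) to (7), as an added Python example (not the report's program): it walks r = 0, 1, 2, ... until (m + r)² − n is a perfect square, returns p, q and the trial count r, and evaluates the estimate of eq. (8) for comparison. Editorially, this is the classical Fermat difference-of-squares factorization; the function names and the sample moduli (187 from section 5, the twin primes 99991 × 99989, and 3 × 101 as a far-apart case) are the example's own.

```python
"""The page's 'Our method of solution': search r = 0, 1, 2, ... until
(m + r)^2 - n is a perfect square, with m = Int(sqrt n), eqs. (5)-(7).

Added example. This is Fermat's difference-of-squares factorisation; the
function also returns the trial count r so it can be compared with eq. (8).
"""
from math import isqrt


def fermat_factor(n, max_trials=None):
    """Return (p, q, r) with p >= q and p*q = n, or None if max_trials is exhausted.

    n must be odd: for n = 2 * odd, L = (p + q)/2 is not an integer and the
    search never terminates, which is also why max_trials exists.
    """
    if n % 2 == 0:
        raise ValueError("n must be odd")
    m = isqrt(n)                         # Int(sqrt n)
    r = 0
    while max_trials is None or r <= max_trials:
        L = m + r                        # candidate for (p + q)/2, eq. (6)
        s = L * L - n                    # must become j^2 with j = (p - q)/2
        if s >= 0:
            j = isqrt(s)
            if j * j == s:
                return L + j, L - j, r   # eq. (7)
        r += 1
    return None


def trial_estimate(p, q):
    """Eq. (8): r ~ (p - q)^2 / (8 sqrt n) with n = p q."""
    return (p - q) ** 2 / (8 * isqrt(p * q))


if __name__ == "__main__":
    for n in (187, 99991 * 99989, 303):
        p, q, r = fermat_factor(n)
        print(f"{n} = {p} * {q}, found at r = {r}, eq. (8) estimate {trial_estimate(p, q):.3f}")
```

For 303 = 3 × 101 the search needs r = 35 while eq. (8) predicts about 71: the estimate assumes j²/n ≪ 1, which fails once the primes are far apart. The practical lesson for key generation is the converse of the page's result: RSA primes must not be close, which is why FIPS 186-4 requires |p − q| > 2^(nlen/2 − 100) for an nlen-bit modulus.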
To see how efficient the method is, we chose the prime p = 99991 and a second, variable prime q. We calculated n = p × q and used n to recover the original primes p and q using our method. The number of trial integers (r) needed to factor n was noted. A plot of the number of trials as a function of the difference (p − q) is shown below (figure 1a). The plot shows very clearly the efficiency of the method when (p − q) is relatively small, in many cases requiring a single trial. The dependence on (p − q) is essentially quadratic, as eq. (8) predicts. We have found the same behavior with huge integers of more than 128 digits.
Figure (1a): The dependence of the number of trials (r) on the difference (p − q)
In figure (1b) we plot the results of running the computer program on the supercomputer. We plot the time taken by the computer as a function of (p − q). Notice that the behavior is again quadratic near the origin and becomes linear for large (p − q).
[Figure (1a) plot: number of trials (r), 0 to 45000, versus (p − q), 0 to 120000]
Figure (1b): Supercomputer factoring time vs (p − q)
[Figure (1b) plot: time (seconds), 0 to 5000, versus (p − q), 0 to 2.5E+30]
9. Future Considerations
If given a chance to continue our project, several steps could be taken to further enhance our research.
1) A plausible way to speed up our factorization method would be to choose random points for r and scan the neighbourhood in which j approaches a perfect square. Choose a random value r_i from the set {0, 1, 2, ..., √n} and compute
    j_i = ±√((m + r_i)² − n).
At points where j_i approaches an integer, scan that area:
    j = ±√((m + r)² − n),   r ∈ {r_i − 100, r_i − 99, ..., r_i + 99, r_i + 100}.
2) We would like to improve on the method so that it will work on more general cases of primes p and q. We noticed that the efficiency of the method can be understood graphically as follows:
    n + j² = L²,   where L = (p + q)/2 and j = (p − q)/2.
Let us replace L by x and j by y and divide through by n; we get
    x²/n − y²/n = 1.
This is the equation of a hyperbola, as shown in figure 2. Notice that the slope of the curve represents the efficiency, which is very high near the x-axis when y is small. As y becomes large, the slope approaches unity, which means that the efficiency of the method becomes relatively small. If we could find a way to make this region of high efficiency extend over a larger region, or make its position variable, then we could slide the region of high efficiency at will. We hope to find a way to take advantage of this observation.
3) Compare our factoring method against other methods for factoring n such as the p − 1, elliptic curve, and quadratic sieve methods (the last not mentioned in this report, yet currently considered the most successful algorithm).



CHAPTER 7
VALIDATION OF CRYPTOGRAPHY METHOD PKCS
7.1 Design Verification
The previous section showed the different steps involved in the design of the CRYPTOGRAPHY METHOD PKCS. This section shows the implementation and verification of the design with some examples. Each block of the design has been written in Verilog HDL and compiled and simulated using Synopsys VCS. A bottom-up approach has been used in this design: each block/module has been individually written and verified and then merged/instantiated into another block.
The CRYPTOGRAPHY METHOD PKCS takes the following inputs:
Maximum degree of polynomials, N
Small modulus, p
Big modulus, q
Polynomials f, g
Inverse of f mod p, fp
Inverse of f mod q, fq
Random polynomial r, chosen by the message sender
Message polynomial m, sent by the sender
These are the key-generation, encryption and decryption inputs of the NTRU ring-based public-key cryptosystem of [6]; the example values below are those of the worked example in the NTRU tutorial [3].
To demonstrate the system designed, we use the inputs below:
    N = 11,  q = 2^5 = 32,  p = 3.
Let
    f = −1 + X + X² − X⁴ + X⁶ + X⁹ − X¹⁰
    g = −1 + X² + X³ + X⁵ − X⁸ − X¹⁰
Let us represent the above polynomials as coefficient arrays, position i holding the coefficient of X^i:
    f = [−1, 1, 1, 0, −1, 0, 1, 0, 0, 1, −1]
    g = [−1, 0, 1, 1, 0, 1, 0, 0, −1, 0, −1]
Each coefficient of a given degree has a fixed position in the array, and hence if any degree is missing, the corresponding coefficient is represented by a 0.
Since N = 11, f and g have 11 coefficients, each 2 bits wide (two's complement, so the 2-bit value 3 stands for −1). Hence, f and g are 11 × 2 = 22 bits wide.
The inverses of these polynomials are
    fp = [1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0]
    fq = [5, 9, 6, 16, 4, 15, 16, 22, 20, 18, 30]
fp has 11 coefficients, each 2 bits long; hence fp = 22 bits.
fq has 11 coefficients, each 5 bits long (q = 2^5); hence fq = 55 bits.
Using h = p·fq·g (mod q), the public key is calculated. The key created is
    h = [8, 25, 22, 20, 12, 24, 15, 19, 12, 19, 16].
h has 11 coefficients, each 5 bits long; hence h = 55 bits.
Now that the public key is generated, we are ready to encrypt and send a message. To create the random polynomial r for this message, we use an LFSR (Linear Feedback Shift Register), which generates a pseudo-random bit sequence. (An LFSR is convenient for simulation, but its output is linear and can be predicted from a short run of its bits; in a deployed encryptor r must come from a cryptographically secure random source, since an attacker who can reproduce r recovers m directly as e − r·h.)
The message generated is m = [3, 0, 3, 1, 0, 1, 0, 0, 3, 0, 3], i.e. −1 − X² + X³ + X⁵ − X⁸ − X¹⁰ in the 2-bit encoding.
m has 11 coefficients, each 2 bits long; hence m = 22 bits.
Using e = r·h + m (mod q), the encrypted message is calculated and transmitted to the receiver. (The factor p is already contained in h, so it is not applied again at this step; the e listed below is exactly r·h + m mod 32.)
The encrypted message generated is e = [14, 11, 25, 24, 15, 17, 30, 7, 25, 5, 17].
e has 11 coefficients, each 5 bits long; hence e = 55 bits.
Using b = f·e (mod q), reduced into the range (−q/2, q/2] and then taken mod p, and c = fp·b (mod p), the received encrypted message is decrypted.
The first mult_mod block generates b = [0, 1, 3, 3, 0, 3, 0, 1, 3, 3, 1].
b has 11 coefficients, each 2 bits long; hence b = 22 bits.
The decrypted message generated by the second mult_mod block is
    c = [3, 0, 3, 1, 0, 1, 0, 0, 3, 0, 3].
c has 11 coefficients, each 2 bits long; hence c = 22 bits.
This decrypted message c is the same as the message m sent by the sender, and hence the CRYPTOGRAPHY METHOD PKCS design is verified!
This system may not function properly only in the case where all the coefficients of the message to be sent are the same.
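The key generation, encryption and decryption just described, as an added Python model (not the report's Verilog): it implements the ring product in Z[X]/(X^N − 1), the mod-q and mod-p reductions with centring, and checks every number printed above: that fp and fq are inverses of f, that h = p·fq·g (mod q), that e = r·h + m (mod q), and that decryption of e returns b and c exactly as listed. The page does not print the LFSR-generated r; R_USED below is the ternary polynomial that reproduces the page's e (reconstructed, and verified in the checks). The helper names are the example's own.

```python
"""Golden model of the page's CRYPTOGRAPHY METHOD (NTRU) example: N = 11, p = 3, q = 32.

Added example. Polynomials live in Z[X]/(X^N - 1) and are stored as
coefficient lists, index i holding the coefficient of X^i, as in the page.
"""
N, P, Q = 11, 3, 32

# Values copied from the page. m and b use the page's 2-bit encoding (3 = -1).
F = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]
G = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]
FP = [1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0]
FQ = [5, 9, 6, 16, 4, 15, 16, 22, 20, 18, 30]
H_PAGE = [8, 25, 22, 20, 12, 24, 15, 19, 12, 19, 16]
M_PAGE = [3, 0, 3, 1, 0, 1, 0, 0, 3, 0, 3]
E_PAGE = [14, 11, 25, 24, 15, 17, 30, 7, 25, 5, 17]
B_PAGE = [0, 1, 3, 3, 0, 3, 0, 1, 3, 3, 1]
# Not printed on the page: the ternary r that reproduces E_PAGE (reconstructed).
R_USED = [-1, 0, 1, 1, 1, -1, 0, -1, 0, 0, 0]


def decode_2bit(coeffs):
    """Page encoding: 2-bit two's complement per coefficient (3 -> -1, 2 -> -2)."""
    return [c - 4 if c >= 2 else c for c in coeffs]


def encode_2bit(coeffs):
    return [c % 4 for c in coeffs]


def convolve(a, b):
    """Cyclic convolution: the product in Z[X]/(X^N - 1), over the integers."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % N] += ai * bj
    return out


def reduce_mod(a, mod):
    return [c % mod for c in a]


def center(a, mod):
    """Lift every coefficient into (-mod/2, mod/2]; required before the mod-p step."""
    return [c % mod - mod if c % mod > mod // 2 else c % mod for c in a]


def keygen_h(f_q, g, p=P, q=Q):
    """Public key h = p * fq * g (mod q); the factor p lives inside h."""
    return reduce_mod([p * c for c in convolve(f_q, g)], q)


def encrypt(m, r, h, q=Q):
    """e = r * h + m (mod q). No extra factor p here: it is already in h."""
    return reduce_mod([x + y for x, y in zip(convolve(r, h), m)], q)


def partial_decrypt(e, f, p=P, q=Q):
    """b = center(f * e mod q) mod p, centred; equals f * m when decryption succeeds."""
    a = center(convolve(f, e), q)
    return center(a, p)


def decrypt(e, f, f_p, p=P, q=Q):
    """c = fp * b (mod p), centred, which recovers m in {-1, 0, 1}^N."""
    b = partial_decrypt(e, f, p, q)
    return center(convolve(f_p, b), p)


def check_inverse(f, f_inv, mod):
    """True when f * f_inv = 1 in the ring modulo mod."""
    return reduce_mod(convolve(f, f_inv), mod) == [1] + [0] * (N - 1)


if __name__ == "__main__":
    m = decode_2bit(M_PAGE)
    h = keygen_h(FQ, G)
    e = encrypt(m, R_USED, h)
    print("h matches page:", h == H_PAGE)
    print("e matches page:", e == E_PAGE)
    print("b matches page:", encode_2bit(partial_decrypt(e, F)) == B_PAGE)
    print("decrypted == m:", decrypt(e, F, FP) == m)
```

The centring step is the one a hardware datapath can get wrong: the mod-32 result of f·e is simply the low 5 bits, but before the mod-3 reduction those 5 bits must be read as a signed value (top bit is the sign) or the recovered b is wrong. This model is also the kind of reference the testbench's comparator needs: it states the expected e, b and c for any f, g, r and m, independently of the Verilog.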
7.2 CRYPTOGRAPHY METHOD PKCS: Testbench
After designing the Key Creator, Encryptor and Decryptor blocks, a unified testbench module was written which instantiates the above blocks. This way, we can treat the 3 blocks as one system, instead of separately providing inputs to each of them. The values of the input polynomials f, g, r and the inverses fp, fq are accepted in this block and passed on to the appropriate sub-module. The testbench also has a clock generator block that generates clock signals of a given period.
The testbench contains 3 signals that signify the completion of each stage of the cryptosystem: key_complete, encrypt_complete, decrypt_complete. These signals go high after their corresponding stage is complete. Once all 3 signals are high, the decryption process is complete. At this point, a comparator block in the testbench checks the sent message against the decrypted message. If they are the same, it prints a success message; if they do not match, a failure message is printed.
For the N = 7, q = 64 configuration the widths are:
    Encrypted message, e_i = r_i·h + m_i (mod 64): 7 × 6 = 42 bits
    Decrypted message, c: 7 × 2 = 14 bits
Once this was verified, we applied the same design to the CRYPTOGRAPHY METHOD low-security parameter set (N = 107). The message, 107 × 2 = 214 bits wide, was padded with 10 zero bits at the top to 224 bits and split into 16 chunks of 7 coefficients, each of which was encrypted and decrypted individually to give the final result. The polynomials in this design are:
    N = 16 × 7 = 112
    f, g, fp, m, r: 16 × 7 × 2 = 224 bits (top 10 bits set to 0)
    Key, h = p·fq·g (mod 64): 16 × 7 × 6 = 672 bits
    Encrypted message, e_i = r_i·h + m_i (mod 64): 16 × 7 × 6 = 672 bits
    Decrypted message, c: 16 × 7 × 2 = 224 bits (top 10 bits set to 0)
Note that this chunked arrangement runs 16 independent N = 7 instances of the ring rather than one N = 107 instance. It exercises the datapath at the 107-coefficient message width, but each 7-coefficient chunk is a separate tiny key, so the security obtained is that of N = 7, not that of the N = 107 parameter set.
Hence, the CRYPTOGRAPHY METHOD cryptosystem was verified for different sets of input values. The system was synthesized using the Xilinx ISE Design Suite. The Key Creator, Encryptor and Decryptor blocks were individually synthesized and all blocks of the system were found to be synthesizable without any issues.

CHAPTER 8
SYNTHESIS RESULTS AND SIMULATION RESULTS
8.1 Device utilization summary of Decryption_64

Release 12.2 - xst M.63c (nt64)
Copyright (c) 1995-2010 Xilinx, Inc. All rights reserved.
--> Parameter TMPDIR set to xst/projnav.tmp
Total REAL time to Xst completion: 1.00 secs
Total CPU time to Xst completion: 0.30 secs
HDL Synthesis Report
Macro Statistics
# ROMs                             : 224
  64x6-bit ROM                     : 224
# Multipliers                      : 32
  4x3-bit multiplier               : 32
# Adders/Subtractors               : 480
  42-bit adder                     : 32
  6-bit adder                      : 448
# Counters                         : 32
  4-bit up counter                 : 32
# Registers                        : 64
  1-bit register                   : 32
  42-bit register                  : 32
# Multiplexers                     : 32
  42-bit 16-to-1 multiplexer       : 32
# Logic shifters                   : 32
  42-bit shifter logical left      : 32
Advanced HDL Synthesis Report
Macro Statistics
# ROMs                             : 224
  64x6-bit ROM                     : 224
# Multipliers                      : 32
  4x3-bit multiplier               : 32
# Adders/Subtractors               : 480
  42-bit adder                     : 32
  6-bit adder                      : 448
# Counters                         : 32
  4-bit up counter                 : 32
# Registers                        : 1376
  Flip-Flops                       : 1376
# Multiplexers                     : 32
  42-bit 16-to-1 multiplexer       : 32
# Logic shifters                   : 32
  42-bit shifter logical left      : 32
Macro Statistics
# Registers                        : 1600
  Flip-Flops                       : 1600
8.2 Device utilization summary of Encryption
Logic Utilization              Used    Available   Utilization
Number of Slices               3722    960         387%
Number of Slice Flip Flops     800     1920        41%
Number of 4 input LUTs         6972    1920        363%
Number of bonded IOBs          1145    108         1060%
Number of GCLKs                17      24          70%
Utilization above 100% means that the Encryptor, as synthesized, does not fit the selected device: it needs roughly four times the slices and ten times the I/O pins available. It is synthesizable, but it cannot be placed and routed on this part without a larger device or a narrower, serialized I/O interface.

HDL Synthesis Report
Macro Statistics
# Multipliers                      : 16
  4x3-bit multiplier               : 16
# Adders/Subtractors               : 464
  42-bit adder                     : 16
  6-bit adder                      : 336
  6-bit subtractor                 : 112
# Counters                         : 16
  4-bit up counter                 : 16
# Registers                        : 720
  1-bit register                   : 704
  42-bit register                  : 16
# Multiplexers                     : 16
  42-bit 16-to-1 multiplexer       : 16
# Logic shifters                   : 16
  42-bit shifter logical left      : 16

Advanced HDL Synthesis Report
Macro Statistics
# Multipliers                      : 16
  4x3-bit multiplier               : 16
# Adders/Subtractors               : 464
  42-bit adder                     : 16
  6-bit adder                      : 336
  6-bit subtractor                 : 112
# Counters                         : 16
  4-bit up counter                 : 16
# Registers                        : 1376
  Flip-Flops                       : 1376
# Multiplexers                     : 16
  42-bit 16-to-1 multiplexer       : 16
# Logic shifters                   : 16
  42-bit shifter logical left      : 16
Total memory usage is 374720 kilobytes
8.3 Device utilization summary of Key Creator_64

Logic Utilization              Used    Available   Utilization
Number of Slices               222     960         23%
Number of Slice Flip Flops     47      1920        2%
Number of 4 input LUTs         411     1920        21%
Number of bonded IOBs          101     108         93%
Number of GCLKs                1       24          4%

8.4 RTL Schematic and Technology Schematic of Cryptography Method_Decryptor_64

Figure 14: RTL CRYPTOGRAPHY METHOD_Decryptor_Bl Top Level
Figure 15: RTL CRYPTOGRAPHY METHOD_Decryptor_Bl Logic Block
Figure 16: CRYPTOGRAPHY METHOD_Decryptor Top Level
Figure 17: CRYPTOGRAPHY METHOD_Decryptor Logic Block
8.5 RTL and Technology Schematics of CRYPTOGRAPHY METHOD_Encryptor_64

Figure 18: CRYPTOGRAPHY METHOD_Encryptor_Bl Top Level
Figure 19: CRYPTOGRAPHY METHOD_Encryptor_Bl Logic Block
Figure 20: CRYPTOGRAPHY METHOD_Encryptor Top Level
Figure 21: CRYPTOGRAPHY METHOD_Encryptor Logic Block
8.6 RTL and Technology Schematics of CRYPTOGRAPHY METHOD_Key

Figure 22: CRYPTOGRAPHY METHOD_Key Top Level
Figure 23: CRYPTOGRAPHY METHOD_Key Logic Block
8.7 Mult_Mod
Figure 24: Mult_Mod Logic Block
8.8 Polynomial_Mult
Figure 25: Polynomial_Mult Logic Block
8.9 Proc_Unit
Figure 26: Proc_Unit Logic Block
8.10 Simulation Results
Security level at N = 112, p = 3, q = 64
Message bits m = 224: 8+6c.8+6c.8+1c.
Fig: Simulation waveform

Conclusions and Future Scope
Conclusion: The CRYPTOGRAPHY METHOD public-key cryptosystem was studied and a hardware implementation for this system was designed using Verilog HDL. This system has been verified for different input values: N = 7, N = 11, N = 107, q = 32, q = 64. This is a very flexible design, since we have been able to test out different values of input polynomials with minor changes made to the design for different sets of inputs. The size of the polynomials in the Processing Unit needs to be modified for different values of q. The size of the barrel shifter needs to be modified for different values of N. Once these values are changed, the system can encrypt and decrypt a given message.
Future scope: The next step would be to implement this system for the higher security levels, moderate (N = 167) and high (N = 503). This can be done by starting with a smaller set of inputs and then building the bigger design by instantiating the smaller blocks in it. In order to do this, we need the input polynomial values for the design at those levels. The CRYPTOGRAPHY METHOD company has not made this data public for all security levels.
The testbench designed in this project is very user-friendly and is able to accept any different set of input values. The output generated by the decryptor goes to a comparator, which checks this output against the input message sent and, depending on the outcome, gives out a success or failure message. This makes sure that the process is fully automated and is not prone to manual calculation errors.
An implementation based on Montgomery multiplication was also studied as part of the project research. A hardware implementation of CRYPTOGRAPHY METHOD using this multiplication algorithm can be done to increase the multiplication speed.
The field of data security is a very important field and will continue to be one. Hence, accurate and reliable encryption-decryption implementations are essential. A hardware implementation of this algorithm enables us to run it on FPGAs, which execute the algorithm much faster and with more reliability than software. Thus the CRYPTOGRAPHY METHOD public-key cryptosystem designed in this project is of significant importance in the field of data security today.

BIBLIOGRAPHY
[1] William Stallings, Network Security Essentials: Applications and Standards, 2000, Prentice Hall, Inc., Upper Saddle River, New Jersey 07458
[2] Colleen Marie O'Rourke, Worcester Polytechnic Institute, Efficient NTRU Implementations, 2002
[3] http://www.ntru.com/cryptolab/pdf/ntrututorials.pdf
[4] Mohan Atreya, Ben Hammond, Stephen Paine, Paul Starrett, Stephen Wu, Digital Signatures, 2002, The McGraw-Hill Companies
[5] Gunnar Gaubatz, Worcester Polytechnic Institute, Versatile Montgomery Multiplier Architectures, 2002
[6] Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, NTRU: A Ring-based Public-Key Cryptosystem, 1998 (United States Patent 6,298,137)
[7] www.securityinnovation.com
[8] Katherine Compton, Scott Hauck, An Introduction to Reconfigurable Computing, 2000
[9] Rodney D'Souza, The NTRU Cryptosystem: Implementation and Comparative Analysis, 2000
