The $k$-th coefficient of the product $c = a \star b$ is

$$c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_k b_0 + a_{k+1} b_{N-1} + a_{k+2} b_{N-2} + \cdots + a_{N-1} b_{k+1} = \sum_{i + j \equiv k \pmod N} a_i b_j .$$

In modern terminology, $R$ is called the ring of truncated polynomials, $R = \mathbb{Z}[X]/(X^N - 1)$.
The NTRU PKCS (the public-key cryptosystem of [3] and [6]) uses the ring of truncated polynomials $R$ together with the modular arithmetic described earlier. These are combined by reducing the coefficients of a polynomial $a$ modulo an integer $q$: the expression $a$ (modulo $q$) means reduce each coefficient of $a$ modulo $q$, that is, divide each coefficient by $q$ and keep the remainder.
To make storage and computation easier, it is convenient to just list the coefficients of a polynomial without explicitly writing the powers of $X$. For example, the polynomial

$$a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + \cdots + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}$$

is conveniently written as the list of $N$ numbers $a = (a_0, a_1, a_2, \ldots, a_{N-2}, a_{N-1})$.
Note that zeros must be included in the list when some powers of $X$ are missing. For example, when $N = 7$ the polynomial $a = 3 + 2X^2 - 3X^4 + X^6$ is stored as the list $(3, 0, 2, 0, -3, 0, 1)$, but if $N = 9$ then $a$ is stored as the list $(3, 0, 2, 0, -3, 0, 1, 0, 0)$.
Inverses in Truncated Polynomial Rings
The inverse modulo $q$ of a polynomial $a$ is a polynomial $A$ with the property that

$$a \star A = 1 \pmod q .$$

Not every polynomial has an inverse modulo $q$, but it is easy to determine whether $a$ has one and to compute it when it exists: for prime $q$, $a$ is invertible exactly when $\gcd(a, X^N - 1) = 1$ in $\mathbb{Z}_q[X]$, and the extended Euclidean algorithm that computes this gcd also produces $A$.
Example: Take $N = 7$, $q = 11$, $a = 3 + 2X^2 - 3X^4 + X^6$. The inverse of $a$ modulo 11 is

$$A = -2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6,$$

since

$$(3 + 2X^2 - 3X^4 + X^6) \star (-2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6) = -10 + 22X + 22X^3 - 22X^6 = 1 \pmod{11}.$$
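As an added example (not code from the report or from NTRU), the ring arithmetic of this section in software: the cyclic convolution $\star$, reduction modulo $q$, and an inverse computed by the extended Euclidean algorithm over $\mathbb{Z}_q[X]$ modulo $X^N - 1$ for prime $q$, plus Newton (Hensel) lifting of an inverse modulo 2 to an inverse modulo $2^k$, which is how inverses modulo a power of two such as $q = 32$ are obtained. The function names are this example's own; the demo reproduces the $N = 7$, $q = 11$ example above.

```python
# Added example (not part of the report): arithmetic in the truncated
# polynomial ring R = Z[X]/(X^N - 1) and inverses modulo q.  Polynomials are
# stored as coefficient lists (a_0, ..., a_{N-1}), as the text suggests.

def star(a, b, N):
    """Cyclic convolution: c_k = sum of a_i * b_j over i + j = k (mod N)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def reduce_mod(a, q):
    """a (modulo q): reduce every coefficient into [0, q)."""
    return [x % q for x in a]

def center(a, q):
    """Lift coefficients from [0, q) into the symmetric range [-q/2, q/2)."""
    return [x - q if 2 * x >= q else x for x in reduce_mod(a, q)]

def poly_inverse_mod_prime(a, N, q):
    """Inverse of a in (Z/qZ)[X]/(X^N - 1) for prime q, or None if a is not
    invertible.  Extended Euclid on (a, X^N - 1) over GF(q); a has an inverse
    exactly when gcd(a, X^N - 1) is a non-zero constant."""
    def trim(p):
        while len(p) > 1 and p[-1] == 0:
            p.pop()
        return p

    def add(p1, p2, sign=1):
        n = max(len(p1), len(p2))
        p1, p2 = p1 + [0] * (n - len(p1)), p2 + [0] * (n - len(p2))
        return trim([(x + sign * y) % q for x, y in zip(p1, p2)])

    def mul(p1, p2):
        out = [0] * (len(p1) + len(p2) - 1)
        for i, x in enumerate(p1):
            for j, y in enumerate(p2):
                out[i + j] = (out[i + j] + x * y) % q
        return trim(out)

    def divmod_gf(num, den):
        num, den = trim(num[:]), trim(den[:])
        inv_lead = pow(den[-1], -1, q)
        quot, rem = [0] * max(1, len(num) - len(den) + 1), num[:]
        for k in range(len(num) - len(den), -1, -1):
            coef = rem[k + len(den) - 1] * inv_lead % q
            quot[k] = coef
            for t, d in enumerate(den):
                rem[k + t] = (rem[k + t] - coef * d) % q
        return trim(quot), trim(rem)

    modulus = [(-1) % q] + [0] * (N - 1) + [1]        # X^N - 1 over GF(q)
    r0, r1 = modulus, trim(reduce_mod(a, q))
    s0, s1 = [0], [1]                                # invariant: r_i = s_i * a (mod X^N - 1)
    while r1 != [0]:
        quot, rem = divmod_gf(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, add(s0, mul(quot, s1), -1)
    if len(r0) != 1:                                 # gcd has positive degree
        return None
    scale = pow(r0[0], -1, q)
    return [(x * scale) % q for x in s0 + [0] * N][:N]

def poly_inverse_mod_prime_power(a, N, p, e):
    """Inverse modulo p^e, obtained from the inverse modulo p by Newton
    (Hensel) lifting: b <- b * (2 - a*b), doubling the precision each round."""
    b = poly_inverse_mod_prime(a, N, p)
    if b is None:
        return None
    q, target = p, p ** e
    while q < target:
        q = min(q * q, target)
        correction = [(-x) % q for x in star(a, b, N)]   # -(a*b)
        correction[0] = (correction[0] + 2) % q          # 2 - a*b
        b = reduce_mod(star(b, correction, N), q)
    return b

def demo():
    """The text's example: N = 7, q = 11, a = 3 + 2X^2 - 3X^4 + X^6.
    Returns the centred inverse and the product a * A (mod 11)."""
    N, q = 7, 11
    a = [3, 0, 2, 0, -3, 0, 1]
    inv = poly_inverse_mod_prime(a, N, q)
    return center(inv, q), reduce_mod(star(a, inv, N), q)
```

A polynomial with $a(1) \equiv 0 \pmod q$ (for example $1 - X$) is divisible by $X - 1$, which also divides $X^N - 1$, so `poly_inverse_mod_prime` correctly returns `None` for it; that is the check to run on a candidate $f$ before using it as a key.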
CHAPTER 4
DESIGN OF THE NTRU PKCS
This section explains the architecture of the NTRU system built in this project (the public-key cryptosystem of [6], abbreviated NTRU PKCS below), starting from the smallest unit in the design and moving up to the bigger blocks. The NTRU system consists of three blocks: Key Creator, Encryptor and Decryptor. All three blocks use polynomial multiplication, so it is important to choose a fast multiplication algorithm that multiplies the polynomials quickly, yielding an effective design.
4.1 NTRU Multiplier Design
NTRU is based on polynomial additions and multiplications in the ring $R = \mathbb{Z}[X]/(X^N - 1)$, as explained earlier. Polynomial multiplication is the cyclic convolution of two polynomials, denoted by $\star$. The NTRU multiplier designed here has a scalable architecture; to explain it, we use the following parameter values: $p = 3$, $q = 256$, $N = 5$.
The partial product array shown below is parallel in nature. Because all polynomials in the multiplication are reduced modulo $X^N - 1$ (so $X^N = 1$ and $X^{N+t} = X^t$), every partial product term whose degree exceeds $N - 1$ is, after reduction modulo $X^N - 1$, added back into the lower portion of the partial product array. Look at the illustration below.
Since each partial product term is also reduced modulo $q$, carry propagation is confined within each column and never crosses columns, which eliminates the need to propagate a carry across columns.
Consider

$$a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + a_4 X^4 \quad (\text{each } a_i \text{ is an 8-bit coefficient, since } q = 256)$$

and

$$b = b_0 + b_1 X + b_2 X^2 + b_3 X^3 + b_4 X^4 \quad (\text{each } b_i \text{ is a 2-bit coefficient, since } p = 3).$$

Now consider the multiplication $a \star b$.
Figure 3: Polynomial Multiplication [2]
Thus the above partial product array simplifies to the array shown below:
Figure 4: Partial Product Array
For partial product column $k$, a single processing unit (PU), explained later, performs the operation

$$c[k] = c[k] + a[i] \cdot b[j] \pmod q, \qquad j = 0, 1, \ldots, N-1, \quad i = (k - j) \bmod N .$$

This PU consists of one coefficient multiplication, one coefficient addition and a reduction modulo $q$. Each of the "boxed" partial product terms needs one PU for its computation, and from the figure above we see that a given column needs 5 PUs (one per term) to compute its product coefficient.
The next section explains the design of the Processing Unit (PU).
4.2 Processing Unit
The Processing Unit (PU) is the heart of the NTRU multiplier. It performs the coefficient operation $c[k] = c[k] + a[i] \cdot b[j] \pmod q$ [2]. We know that $b[j]$, the multiplicand, is a 2-bit coefficient that can be $-1$, $0$ or $1$ (the 2-bit value 2 is handled as a special case below), and $a[i]$, the multiplier, is any 8-bit coefficient since it is reduced mod $q$ ($= 256$). $c[k]$, the product coefficient, is also 8 bits wide since it is reduced mod $q$ ($= 256$) as well.
Figure 5: Processing Unit [8]
The PU consists of a coefficient multiplier and an adder, both of which incorporate the reduction modulo $q$. The components of the processing unit are purely combinational logic and do not depend on a rising clock edge. The coefficient multiplier computes the $M = a[i] \cdot b[j] \pmod q$ portion of the operation. Its main hardware consists of eight 2-by-1-bit multipliers, each designed to behave according to the truth table shown on the next page. Note that:
$a[i]_0$ = bit 0 of the 8-bit $a[i]$ coefficient
$b[j]_0$ = bit 0 of the 2-bit $b[j]$ coefficient
$b[j]_1$ = bit 1 of the 2-bit $b[j]$ coefficient
$X_i$ = result of the multiplication of $a[i]_0$ and $b[j]$
Table 1: PU Truth Table [2]
X is the don't-care case.
In the truth table the values marked by * may seem odd; they are explained below. The design interprets the 2-bit representation of $b[j]$ differently from its plain binary value, according to the table shown below:
Table 2: PU Integer Value [2]
So for the case $b[j] = (11)_2 = -1$, $a[i]_0$ has to be converted into its 2's complement representation in order for the adder to subtract. To keep the design simple, however, the multiplier only inverts the value of $a[i]_0$; the two's complement conversion is completed by setting the carry-in of the adder to '1', which is done by the AND gate shown in figure 3. (Inverting the 8 bits and adding 1 yields $-a[i]$ only modulo $2^8$, which is exactly what is wanted here, because the carry beyond bit 7 is discarded.)
For the case $b[j] = (10)_2 = 2$, the operation is not performed by the main hardware of the multiplier, as indicated by the don't-care (X) condition in the table. Hence a multiplexer is needed to pass the left-shifted value of $a[i]$ when $b[j] = 2$; for the other 3 combinations of $b[j]$, $X$ is passed to $M$.
The reduction modulo $q$ portion of the equation is handled by ignoring any carry that exceeds the 8-bit boundary, which can only occur in the case $b[j] = 2$.
The Karnaugh map for the truth table of $X[i]$ is as follows:
Table 3: PU K-map [2]
This gives the expression for all the $X[i]$s.
As shown in figure 4 on the next page, if $b[j] = (10)_2$ the output of the AND gate is 1, which sets the selector input of the multiplexer to 1, and the value of $a[i]_{6..0}$ shifted left by one bit (i.e. $2 \cdot a[i] \bmod 256$) appears at the output of the multiplexer; otherwise the value of $X$ appears at the output of the multiplexer.
Finally, the output of the multiplexer, $M$, is passed to the 8-bit adder for accumulation, which computes $c[k] = M + c[k]$. Again, the reduction modulo $q$ is handled by ignoring any carry that exceeds the 8-bit boundary. The 8-by-8-bit adder is a full adder with the final carry-out ignored.
Figure 6: 8-bit Full Adder
Figure 7: Coefficient Multiplier
4.3 NTRU Multiplier or PM (Polynomial Multiplier)
Now that the operation of the PU has been fully understood, the next block to be studied in detail is the NTRU Multiplier (also referred to as the Polynomial Multiplier or PM).
This block consists of the COEFF, SHIFTER and COUNTER blocks.
Figure 8: NTRU Multiplier Design
4.3.1 Coefficient:
From the above figure we see that each column can be processed independently. In this case each column of partial products consists of 5 PUs, i.e. the number of PUs needed for a given column is $N$. The output of each PU is fed as the accumulator input $c[k]$ of the PU below it, and at the bottom of the chain we arrive at the coefficient of that column. Since the product is also reduced mod $q$, this coefficient $c[k]$ is 8 bits as well.
4.3.2 Shifter and counter
From the above figure we see that in each column the order in which $b_0, b_1, b_2, b_3, b_4$ are listed is the same; it is the values $a_0, a_1, a_2, a_3, a_4$ that change their sequence (look at the direction of the arrows).
This capability has been implemented using a barrel shifter, which rotates the multiplier coefficients that are input to the PM so that the partial products of the next column are computed in the correct order. The size of this shifter is $8 \times 5 = 40$ bits, i.e. $\log_2 q \times N$.
To determine how many times the shift needs to be performed, a counter has been designed. The counter increments with each shift and returns to zero when the shifting has to stop. In this case the coefficients of the multiplier have to be shifted 5 times, so the counter needs to be a 3-bit counter, i.e. a $\lceil \log_2 N \rceil$-bit counter. Since each coefficient of the multiplier is 8 bits long, each shift rotates the multiplier by 8 bits.
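As an added example (not the report's Verilog), a bit-level software model of the PU of section 4.2 and of the column-wise multiplier of section 4.3 for the parameters used above ($q = 256$, $p = 3$, $N = 5$): the eight 2-by-1-bit multipliers, the invert-plus-carry-in trick for $b[j] = -1$, the multiplexer and left shift for $b[j] = 2$, the dropped carry that implements mod 256, and the barrel-shifter rotation that feeds each column. The model is checked against a plain cyclic convolution; all names are this example's own.

```python
# Added example (not part of the report): a bit-level software model of the
# Processing Unit (PU) and of the column-wise multiplier built from it, for
# the parameters used in the text: q = 256 (8-bit coefficients of a and c),
# p = 3 (2-bit coefficients of b), N = 5.  It checks the hardware tricks
# (invert + carry-in for -1, left shift for 2, dropped carry for mod 256)
# against a plain cyclic convolution.
import random

Q_BITS = 8
MASK = (1 << Q_BITS) - 1

# Table 2 of the text: 2-bit field of b[j] -> integer value
B_VALUE = {0b00: 0, 0b01: 1, 0b10: 2, 0b11: -1}

def bit_multiplier(a_bit, b):
    """One of the eight 2-by-1-bit multipliers (Table 1).  For b = 10 the
    output is a don't-care (the multiplexer ignores it); 0 is returned."""
    if b == 0b00:
        return 0
    if b == 0b01:
        return a_bit
    if b == 0b11:
        return a_bit ^ 1            # invert: first half of the two's complement
    return 0                        # b == 0b10: don't care

def coefficient_multiplier(a, b):
    """M = a[i] * b[j] (mod q) as the PU forms it.  Returns (M, carry_in)."""
    x = 0
    for k in range(Q_BITS):
        x |= bit_multiplier((a >> k) & 1, b) << k
    if b == 0b10:                   # multiplexer selects a[i] shifted left by one
        m = (a << 1) & MASK         # bit; the bit pushed past bit 7 is dropped
    else:
        m = x
    carry_in = 1 if b == 0b11 else 0   # completes the two's complement of a[i]
    return m, carry_in

def processing_unit(c, a, b):
    """c[k] <- c[k] + a[i]*b[j] (mod q): 8-bit full adder, final carry ignored."""
    m, carry_in = coefficient_multiplier(a, b)
    return (c + m + carry_in) & MASK

def rotate_right(coeffs):
    """One step of the barrel shifter: rotate the a-coefficients by one place
    (8 bits in hardware) so the next column's partial products line up."""
    return coeffs[-1:] + coeffs[:-1]

def polynomial_multiplier(a, b, N):
    """Column-wise multiplier: N PUs per column, a counter of N shift steps."""
    assert len(a) == N and len(b) == N
    a_rot = [a[(-j) % N] for j in range(N)]   # a-order for column k = 0
    result = []
    for _column in range(N):                  # the counter runs 0 .. N-1
        c = 0
        for j in range(N):                    # N chained PUs down one column
            c = processing_unit(c, a_rot[j], b[j])
        result.append(c)
        a_rot = rotate_right(a_rot)           # barrel shifter for the next column
    return result

def reference_product(a, b, N):
    """Plain cyclic convolution modulo 256, used to check the hardware model."""
    c = [0] * N
    for i in range(N):
        for j in range(N):
            c[(i + j) % N] += a[i] * B_VALUE[b[j]]
    return [x & MASK for x in c]

def random_check(trials=500, N=5, seed=1):
    """Compare the PU-based multiplier with the reference on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(1 << Q_BITS) for _ in range(N)]
        b = [rng.choice(list(B_VALUE)) for _ in range(N)]
        if polynomial_multiplier(a, b, N) != reference_product(a, b, N):
            return False
    return True
```

`processing_unit(5, 7, 0b11)` returns 254, i.e. $5 - 7 \bmod 256$, which is where the carry-in matters: without it the PU would add $\overline{7} = 248$ and produce 253.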
4.4 Key Creator:
This block creates the public key $h$ for each NTRU user. The public key is given as

$$h = p \cdot f_q \star g \pmod q, \qquad p = 3 .$$

This computation is done with two blocks, a Constant Multiplier and a Polynomial Multiplier (PM):
Constant multiplier (CM): multiplies each coefficient of the polynomial $f_q$ by the constant $p$.
Polynomial multiplier: multiplies two polynomials as described above (the output of the CM with $g$) and reduces the output modulo $q$, generating the public key $h$.
Figure 9: Key Creator
4.5 NTRU Encryptor:
This block computes the encrypted message for secure data exchange. The encrypted message is given as

$$e = r \star h + m \pmod q,$$

where $r$ is the random polynomial selected by the sender, $h$ is the public key and $m$ is the message to be encrypted.
PM: multiplies the polynomials $r$ and $h$.
Coefficient adder: adds the output of the PM to the message $m$, generating the encrypted message $e$.
Figure 10: NTRU Encryptor
4.6 NTRU Decryptor:
This block performs the final and most important operation of the system, decrypting the received encrypted message. The process is as follows:
Step 1: $a = f \star e \pmod q$
Step 2: shift the coefficients of $a$ from $[0, q-1]$ to $(-q/2, q/2]$
Step 3: $b = a \pmod p$
Step 4: $c = f_p \star b \pmod p$
Decryption basically involves polynomial multiplication and reduction of the product mod $p$. The polynomial multiplier only performs mod $q$ on the product, hence we design another block that performs mod $p$ on the output of the PM.
Figure 11: Mult_Mod
The Mult_Mod block is the basic block of the decryption process. Steps 1-3 are performed by one Mult_Mod block, i.e. the polynomials $f$ and $e$ are multiplied and the product is reduced mod $p$.
For example, if the result of the multiplication $f \star e \bmod q$ (after the shift of step 2) is

$$a = 3 - 7X - 10X^2 - 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 - 3X^9 - 7X^{10} \pmod{256},$$

the Mult_Mod block returns

$$b = -X - X^2 + X^3 + X^4 + X^5 + X^7 - X^8 - X^{10} \pmod 3$$

[using the centred residues $\{-1, 0, 1\}$: $3 \bmod 3 = 0$, $-7 \bmod 3 = -1$, $-10 \bmod 3 = -1$, $-11 \bmod 3 = 1$, $10 \bmod 3 = 1$, $7 \bmod 3 = 1$, $6 \bmod 3 = 0$, etc.]
Next, Step 4, $c = f_p \star b \pmod p$, is performed by another Mult_Mod block. The output of the previous Mult_Mod block and $f_p$ are given as inputs to this block, which again performs a polynomial multiplication followed by mod $p$ on the product. This result is the final decrypted message, which should be equal to the message initially sent.
Figure 12: NTRU Decryptor
4.7 NTRU PKCS
A block diagram of the entire cryptosystem, with the inputs and outputs of the three main blocks discussed above, can be drawn as:
Figure 13: NTRU PKCS
Chapter 5
RSA
Security of information is a national security issue in addition to being of commercial importance. It is very important to test the security of encryption methods in use, such as the RSA encryption technique. RSA represents a class of encryption methods called public key systems, where a key, $n$, is publicly known. We have developed an original method of factoring the public key $n$ to find the prime numbers $p$ and $q$, which effectively allows us to break the encryption. We show that the method is efficient when $p$ and $q$ are close. The number of trials needed to factor the public key is quadratic in $(p - q)$ and is given by

$$r \approx \frac{(p - q)^2}{8\sqrt{n}} .$$

Since $L = \dfrac{p + q}{2}$, $j = \dfrac{p - q}{2}$ and $n = p \times q$, we have $n + j^2 = L^2$, and the number of trial values of $L$, starting from $\sqrt{n}$, is

$$r \approx L - \sqrt{n} = \frac{(\sqrt{p} - \sqrt{q})^2}{2} = \frac{(p - q)^2}{2(\sqrt{p} + \sqrt{q})^2} \approx \frac{(p - q)^2}{8\sqrt{n}} . \qquad (8)$$

For example, if $(p - q) \approx 0.001\,p$, then $r \approx 0.0000001\,p$. If $p$ is a 100-digit prime number and $(p - q)$ is a 40-digit number, then $r = 1$, which means the solution is found in one trial. In conclusion, our method is quite efficient for prime numbers $p$ and $q$ that differ by much less than 10% in value (at a 10% difference the estimate above already gives $r \approx p/800$ trials).
To see how efficient the method is, we chose the prime number $p = 99991$ and a second, variable prime number $q$. We calculated $n = p \times q$ and used $n$ to recover the original primes $p$ and $q$ with our method, noting the number of trial integers $(r)$ needed to factor $n$. A plot of the number of trials as a function of the difference $(p - q)$ is shown below. The plot shows very clearly the efficiency of the method when $(p - q)$ is relatively small, in many cases requiring a single trial number. The dependence on $(p - q)$ is essentially quadratic. We have found the same behaviour with huge integers of more than 128 digits.
Figure (1a): The dependence of the number of trials $(r)$ on the difference $(p - q)$
In figure (1b) we plot the results of running the computer program on the supercomputer: the time taken by the computer as a function of $(p - q)$. Notice that the behaviour is again quadratic near the origin and becomes linear for large $(p - q)$.
[Figure (1a) plot: Number of Trials (r) vs (p - q); x-axis (p - q) from 0 to 120000, y-axis Number of trials (r) from 0 to 45000.]
Figure (1b): Supercomputer factoring time vs $(p - q)$
9. Future Considerations
If given a chance to continue our project, several steps could be taken to further enhance our research.
1) A plausible way to speed up our factorization method would be to choose random points for $r$ and scan the area in which $j$ approaches a complete square. Choose a random value $r$ from the set $Z = \{0, 1, 2, \ldots, n\}$.
[Figure (1b) plot: time vs (p - q); x-axis (p - q) from 0 to 2.5E+30, y-axis time (seconds) from 0 to 5000.]
$$j_i = \sqrt{(m + r)^2 - n}$$

Scan the area around the points at which $j_i$ approaches an integer:

$$j = \sqrt{(m + r)^2 - n}, \qquad r \in \{\, j_i - 100,\ j_i - 99,\ \ldots,\ j_i + 99,\ j_i + 100 \,\}.$$
2) We would like to improve the method so that it works on more general cases of prime numbers $p$ and $q$. We noticed that the efficiency of the method can be understood graphically as follows:

$$n + j^2 = L^2, \qquad \text{where } L = \frac{p + q}{2} \text{ and } j = \frac{p - q}{2} .$$

Let us replace $L$ by $x$ and $j$ by $y$ and divide through by $n$; we get

$$\frac{x^2}{n} - \frac{y^2}{n} = 1 .$$

This is the equation of a hyperbola, as shown in Fig. 2. Notice that the slope of the curve represents the efficiency, which is very high near the $x$-axis, where $y$ is small. As $y$ becomes large the slope approaches unity, which means that the efficiency of the method becomes relatively small. If we could find a way to make this region of high efficiency extend over a larger region, or make its position variable, then we could slide the region of high efficiency at will. We hope to find a way to take advantage of this observation.
3) Compare our factoring method against other methods for factoring $n$, such as the $p - 1$, elliptic curve and quadratic sieve methods (not mentioned in this report, yet the quadratic sieve is currently considered the most successful algorithm).
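As an added example (not the program described in this chapter), the factoring method above written out as the difference-of-squares search it describes: start at $m = \lceil \sqrt{n} \rceil$, and on trial $r$ test whether $(m + r)^2 - n$ is a complete square $j^2$, in which case $p = m + r + j$ and $q = m + r - j$. The trial count is compared with the estimate $(p - q)^2 / (8\sqrt{n})$, and `primes_too_close` adds the check a key generator runs to defeat exactly this attack (the FIPS 186-4 bound $|p - q| > 2^{nlen/2 - 100}$), which is not part of the report. Function names are this example's own.

```python
# Added example (not part of the report): the close-prime factoring method of
# this chapter as a difference-of-squares search (Fermat's method).  With
# m = ceil(sqrt(n)), trial r tests whether j^2 = (m + r)^2 - n is a perfect
# square; if so p = (m + r) + j and q = (m + r) - j.  The FIPS 186-4 bound
# in primes_too_close is the standard key-generation check that defeats this
# attack; it is not part of the report.
from math import isqrt

def fermat_factor(n, max_trials=10**7):
    """Return (p, q, trials) with p * q == n and p >= q, or None if the
    search is abandoned after max_trials."""
    m = isqrt(n)
    if m * m < n:
        m += 1                       # m = ceil(sqrt(n))
    for r in range(max_trials):
        x = m + r
        j2 = x * x - n
        j = isqrt(j2)
        if j * j == j2:              # (m + r)^2 - n is a complete square
            return x + j, x - j, r + 1
    return None

def estimated_trials(p, q):
    """The report's estimate r ~ (p - q)^2 / (8 sqrt(n)), in integer
    arithmetic so that it also works for 1024-bit moduli."""
    return (p - q) ** 2 // (8 * isqrt(p * q))

def primes_too_close(p, q, nlen):
    """FIPS 186-4 (B.3.1) requires |p - q| > 2^(nlen/2 - 100) for an
    nlen-bit RSA modulus; True means the pair would be rejected."""
    return abs(p - q) <= 1 << (nlen // 2 - 100)

def demo():
    """Close primes factor in one trial; a wide gap costs quadratically."""
    close = fermat_factor(99991 * 99971)        # the report's p = 99991
    wide = fermat_factor(1009 * 101)            # 236 trials for a gap of 908
    return close, wide, estimated_trials(1009, 101)
```

For $n = 1009 \times 101$ the search needs 236 trials against an estimate of 323, the quadratic growth the plots above show; for a 2048-bit modulus the FIPS bound guarantees $(p - q)^2 / (8\sqrt{n})$ is astronomically large, which is why the method only threatens keys whose primes were generated too close together.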
CHAPTER 6
VALIDATION OF THE NTRU PKCS
6.1 Design Verification
The previous section showed the different steps involved in the design of the NTRU PKCS. This section shows the implementation and verification of the design with some examples. Each block of the design has been written in Verilog HDL, then compiled and simulated using Synopsys VCS. A bottom-up approach has been used: each block/module has been individually written and verified and then merged/instantiated into another block.
The NTRU PKCS takes the following inputs:
Number of coefficients $N$ (the polynomials have degree at most $N - 1$)
Small modulus, $p$
Big modulus, $q$
Polynomials $f$, $g$
Inverse of $f$ mod $p$, $f_p$
Inverse of $f$ mod $q$, $f_q$
Random polynomial $r$, chosen by the message sender
Message polynomial $m$, sent by the sender
To demonstrate the system designed, we use the inputs below.
$N = 11$, $q = 2^5 = 32$, $p = 3$.
Let $f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^{10}$ and $g = -1 + X^2 + X^3 + X^5 - X^8 - X^{10}$.
Let us represent the above polynomials as coefficient lists:
$f = \{-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1\}$
$g = \{-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1\}$
Each coefficient of a given degree has a fixed position in the array, hence if any degree is missing, the corresponding coefficient is represented by a 0. Since $N = 11$, $f$ and $g$ have 11 coefficients, each 2 bits wide; hence $f$ and $g$ are $11 \times 2 = 22$ bits wide. In the 2-bit fields listed below, the value 3 (binary 11) stands for $-1$, as in Table 2.
The inverses of these polynomials are
$f_p = \{1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0\}$
$f_q = \{5, 9, 6, 16, 4, 15, 16, 22, 20, 18, 30\}$
$f_p$ has 11 coefficients, each 2 bits long, hence $f_p$ is 22 bits; $f_q$ has 11 coefficients, each 5 bits long, hence $f_q$ is 55 bits.
Using $h = p \cdot f_q \star g \bmod q$, the public key is calculated. The key created is $h = \{8, 25, 22, 20, 12, 24, 15, 19, 12, 19, 16\}$; $h$ has 11 coefficients, each 5 bits long, hence $h$ is 55 bits.
Now that the public key is generated, we are ready to encrypt and send a message. To create this message we use an LFSR (Linear Feedback Shift Register), which generates pseudo-random numbers (an LFSR is not a cryptographic random source; it only serves here to produce test messages).
The message generated is $m = \{3, 0, 3, 1, 0, 1, 0, 0, 3, 0, 3\}$; $m$ has 11 coefficients, each 2 bits long, hence $m$ is 22 bits.
Using $e = r \star h + m \pmod q$, the encrypted message is calculated and transmitted to the receiver. The encrypted message generated is $e = \{14, 11, 25, 24, 15, 17, 30, 7, 25, 5, 17\}$; $e$ has 11 coefficients, each 5 bits long, hence $e$ is 55 bits.
Using $b = f \star e \pmod p$ (with the intermediate reduction mod $q$ and shift of section 4.6) and $c = f_p \star b \pmod p$, the received encrypted message is decrypted.
The first Mult_Mod block generates $b = \{0, 1, 3, 3, 0, 3, 0, 1, 3, 3, 1\}$; $b$ has 11 coefficients, each 2 bits long, hence $b$ is 22 bits.
The decrypted message generated by the second Mult_Mod block is $c = \{3, 0, 3, 1, 0, 1, 0, 0, 3, 0, 3\}$; $c$ has 11 coefficients, each 2 bits long, hence $c$ is 22 bits.
This decrypted message $c$ is the same as the message $m$ sent by the sender, and hence the NTRU PKCS design is verified!
This system may not function properly only in the case where all the coefficients of the message to be sent are the same. (More generally, since $f \star e = p \cdot r \star g + f \star m \pmod q$, decryption fails whenever a coefficient of $p \cdot r \star g + f \star m$ falls outside the range of step 2 of section 4.6; with $q = 32$ this depends on $r$ as well as on $m$.)
6.2 NTRU PKCS Testbench
After designing the Key Creator, Encryptor and Decryptor blocks, a unified testbench module was written which instantiates the above blocks. This way we can consider the 3 blocks as part of one system instead of providing inputs separately to each of them. The values of the input polynomials $f$, $g$, $r$ and the inverses $f_p$, $f_q$ are accepted in this block and passed on to the appropriate sub-module. The testbench also has a clock generator block that generates clock signals of a given period.
The testbench contains 3 signals that signify the completion of each stage of the cryptosystem: key_complete, encrypt_complete and decrypt_complete. These signals go high after their corresponding stage is complete. Once all 3 signals are high, the decryption process is complete. At this point a comparator block in the testbench checks the sent message against the decrypted message: if they are the same it prints a success message, otherwise a failure message.
For the $N = 7$, $q = 64$ configuration the widths are:
Encrypted message $e_i = r_i \star h + m_i \pmod{64}$: $7 \times 6 = 42$ bits
Decrypted message $c$: $7 \times 2 = 14$ bits
Once this was verified, we applied the same design to the NTRU low-security parameter set. The upper 10 bits of the message were set to zero, since the actual message to be sent is $107 \times 2 = 214$ bits wide. The message was split into smaller chunks, each of which was encrypted and decrypted individually to give the final result. The polynomials in this design are as follows:
$N = 16 \times 7 = 112$ (107 coefficients padded to 112)
$f$, $g$, $f_p$, $m$, $r$: $16 \times 7 \times 2 = 224$ bits (top 10 bits set to 0, leaving the 214 significant bits)
Key $h = p \cdot f_q \star g \pmod{64}$: $16 \times 7 \times 6 = 672$ bits
Encrypted message $e_i = r_i \star h + m_i \pmod{64}$: $16 \times 7 \times 6 = 672$ bits
Decrypted message $c$: $16 \times 7 \times 2 = 224$ bits (top 10 bits set to 0)
Hence the NTRU cryptosystem was verified for different sets of input values. The system was synthesized using the Xilinx ISE Design Suite. The Key Creator, Encryptor and Decryptor blocks were individually synthesized, and all blocks of the system were found to be synthesizable without issues.
CHAPTER 7
SYNTHESIS RESULTS AND SIMULATION RESULTS
7.1 Device utilization summary of Decryption_Bl
Release 12.2 - xst M.63c (nt64)
Copyright (c) 1995-2010 Xilinx, Inc. All rights reserved.
--> Parameter TMPDIR set to xst/projnav.tmp
Total REAL time to Xst completion: 1.00 secs
Total CPU time to Xst completion: 0.30 secs
HDL Synthesis Report
Macro Statistics
# ROMs                          : 224
 64x6-bit ROM                   : 224
# Multipliers                   : 32
 4x3-bit multiplier             : 32
# Adders/Subtractors            : 480
 42-bit adder                   : 32
 6-bit adder                    : 448
# Counters                      : 32
 4-bit up counter               : 32
# Registers                     : 64
 1-bit register                 : 32
 42-bit register                : 32
# Multiplexers                  : 32
 42-bit 16-to-1 multiplexer     : 32
# Logic shifters                : 32
 42-bit shifter logical left    : 32
Advanced HDL Synthesis
Macro Statistics
# ROMs                          : 224
 64x6-bit ROM                   : 224
# Multipliers                   : 32
 4x3-bit multiplier             : 32
# Adders/Subtractors            : 480
 42-bit adder                   : 32
 6-bit adder                    : 448
# Counters                      : 32
 4-bit up counter               : 32
# Registers                     : 1376
 Flip-Flops                     : 1376
# Multiplexers                  : 32
 42-bit 16-to-1 multiplexer     : 32
# Logic shifters                : 32
 42-bit shifter logical left    : 32
Macro Statistics
# Registers                     : 1600
 Flip-Flops                     : 1600
7.2 Device utilization summary of encryption
Logic Utilization            Used    Available   Utilization
Number of Slices             3722    960         387%
Number of Slice Flip Flops   800     1920        41%
Number of 4 input LUTs       6972    1920        363%
Number of bonded IOBs        1145    108         1060%
Number of GCLKs              17      24          70%
(Utilization above 100% means that the encryptor, as synthesized, does not fit the targeted device: synthesis completes, but the design could not be placed and routed on this part without a larger device or a narrower I/O interface.)
HDL Synthesis Report
Macro Statistics
# Multipliers                   : 16
 4x3-bit multiplier             : 16
# Adders/Subtractors            : 464
 42-bit adder                   : 16
 6-bit adder                    : 336
 6-bit subtractor               : 112
# Counters                      : 16
 4-bit up counter               : 16
# Registers                     : 720
 1-bit register                 : 704
 42-bit register                : 16
# Multiplexers                  : 16
 42-bit 16-to-1 multiplexer     : 16
# Logic shifters                : 16
 42-bit shifter logical left    : 16
Advanced HDL Synthesis Report
Macro Statistics
# Multipliers                   : 16
 4x3-bit multiplier             : 16
# Adders/Subtractors            : 464
 42-bit adder                   : 16
 6-bit adder                    : 336
 6-bit subtractor               : 112
# Counters                      : 16
 4-bit up counter               : 16
# Registers                     : 1376
 Flip-Flops                     : 1376
# Multiplexers                  : 16
 42-bit 16-to-1 multiplexer     : 16
# Logic shifters                : 16
 42-bit shifter logical left    : 16
Total memory usage is 374720 kilobytes
7.3 Device utilization summary of Key Creator_Bl
Logic Utilization            Used    Available   Utilization
Number of Slices             222     960         23%
Number of Slice Flip Flops   47      1920        2%
Number of 4 input LUTs       411     1920        21%
Number of bonded IOBs        101     108         93%
Number of GCLKs              1       24          4%
7.4 RTL Schematic and Technology Schematic of NTRU_Decryptor_Bl
Figure 14: RTL NTRU_Decryptor_Bl Top Level
Figure 15: RTL NTRU_Decryptor_Bl Logic Block
Figure 16: NTRU_Decryptor Top Level
Figure 17: NTRU_Decryptor Logic Block
7.5 RTL and Technology Schematics of NTRU_Encryptor_Bl
Figure 18: NTRU_Encryptor_Bl Top Level
Figure 19: NTRU_Encryptor_Bl Logic Block
Figure 20: NTRU_Encryptor Top Level
Figure 21: NTRU_Encryptor Logic Block
7.6 RTL and Technology Schematics of NTRU_Key
Figure 22: NTRU_Key Top Level
Figure 23: NTRU_Key Logic Block
7.7 Mult_Mod
Figure 24: Mult_Mod Logic Block
7.8 Polynomial_Mult
Figure 25: Polynomial_Mult Logic Block
7.9 Proc_Unit
Figure 26: Proc_Unit Logic Block
7.10 Simulation Results
Security level at $N = 112$, $p = 3$, $q = 64$
Message bits $m$ = 224'h8f6cd8f6cd8f1cd
Fig: Simulation waveform
Conclusions and Future Scope
Conclusion: The NTRU public-key cryptosystem was studied and a hardware implementation of this system was designed using Verilog HDL. The system has been verified for different input values: $N = 7$, $N = 11$ and $N = 107$ with $q = 32$ and $q = 64$. This is a very flexible design, since we have been able to test different values of the input polynomials with only minor changes to the design for each set of inputs. The size of the polynomials in the Processing Unit needs to be modified for different values of $q$, and the size of the barrel shifter needs to be modified for different values of $N$. Once these values are changed, the system can easily encrypt and decrypt a given message.
Future scope: The next step would be to implement this system for higher security levels, like moderate ($N = 167$) and high ($N = 503$). This can be done by starting with a smaller set of inputs and then building the bigger design by instantiating the smaller blocks in it. In order to do this we need to find the input polynomial values for the design; the company behind NTRU [7] has not made this data public for all security levels.
The testbench designed in this project is very user-friendly and can cater to any different value of input provided. The output generated by the decryptor goes to a comparator, which checks this output against the input message sent and, depending on the outcome, gives out a success or failure message. This makes sure that the process is totally automated and not prone to calculation error.
An implementation based on Montgomery multiplication [5] was also studied as part of the project research. A hardware implementation of NTRU using this multiplication algorithm could be done to increase the multiplication speed.
The field of data security is a very important field and will always continue to be one. Hence accurate and reliable encryption-decryption algorithms are essential. A hardware implementation of this algorithm enables us to implement it on FPGAs, which execute the algorithm much faster and with more reliability. Thus the NTRU public key cryptosystem designed in this project is of significant importance in the field of data security today.
BIBLIOGRAPHY
[1] William Stallings, Network Security Essentials: Applications and Standards, 2000, Prentice Hall, Inc., Upper Saddle River, New Jersey 07458.
[2] Colleen Marie O'Rourke, Worcester Polytechnic Institute, Efficient NTRU Implementations, 2002.
[3] http://www.ntru.com/cryptolab/pdf/ntrututorials.pdf
[4] Mohan Atreya, Ben Hammond, Stephen Paine, Paul Starrett, Stephen Wu, Digital Signatures, 2002, The McGraw-Hill Companies.
[5] Gunnar Gaubatz, Worcester Polytechnic Institute, Versatile Montgomery Multiplier Architectures, 2002.
[6] Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, NTRU: A Ring-based Public-Key Cryptosystem, 1998 (United States Patent 6,298,137).
[7] www.securityinnovation.com
[8] Katherine Compton, Scott Hauck, An Introduction to Reconfigurable Computing, 2000.
[9] Rodney D'Souza, The NTRU Cryptosystem: Implementation and Comparative Analysis, 2000.