Electronics Guide

Fundamental Concepts

Modular arithmetic confines calculations within a finite range, with all operations performed modulo some integer n:

• Modular addition: (a + b) mod n, straightforward with possible subtraction of n if the sum exceeds the modulus
• Modular subtraction: (a - b) mod n, potentially requiring addition of n if the difference is negative
• Modular multiplication: (a * b) mod n, the core operation requiring efficient reduction techniques
• Modular reduction: Computing the remainder after division by n, critical for maintaining operand sizes

The modulus n in cryptographic applications is typically 2048 bits or larger for RSA, making naive division-based reduction impractical.

Montgomery Multiplication

Montgomery multiplication transforms modular multiplication to avoid expensive division operations:

• Montgomery domain: Values are represented as aR mod n, where R is a power of 2 larger than n
• Domain conversion: Converting to Montgomery form requires one multiplication and reduction; converting back requires another
• Montgomery product: Computing abR^(-1) mod n using only multiplication and addition with shifts
• Interleaved approach: Combining multiplication and reduction steps to avoid double-width intermediate products

The Montgomery reduction process adds a carefully chosen multiple of n to make the result divisible by R, allowing a simple right shift instead of division. For a sequence of modular multiplications, the overhead of domain conversion is amortized across many operations.

Exponentiation Algorithms

Computing a^e mod n directly by repeated multiplication would require an impractical number of operations for cryptographic exponents. Efficient algorithms reduce this to roughly log2(e) modular multiplications:

• Square-and-multiply (binary method): Processing exponent bits from most or least significant, squaring for each bit and multiplying by the base for each 1 bit
• m-ary exponentiation: Pre-computing a table of powers and processing multiple exponent bits per iteration
• Sliding window: Variable-length windows reducing the number of multiplications while limiting table size
• Fixed-window: Constant-time variant accessing all table entries regardless of exponent bits

The choice of algorithm affects both performance and security, as different algorithms exhibit different patterns of operations that may leak information about the exponent.

Chinese Remainder Theorem Optimization

For RSA private key operations where the modulus n = pq is the product of two primes, the Chinese Remainder Theorem (CRT) enables significant acceleration:

• Split computation: Computing separately modulo p and modulo q, then combining results
• Speedup factor: Approximately 4x improvement because the exponentiations use half-size operands
• Recombination: Using Garner's formula or similar to reconstruct the final result from the two partial results
• Security considerations: CRT-based implementations are particularly vulnerable to fault injection attacks

Hardware Implementation Considerations

Implementing modular exponentiation in hardware requires balancing multiple design factors:

• Operand width: Supporting 2048-bit, 3072-bit, and 4096-bit operations for current and future security requirements
• Multiplier architecture: Word-serial multipliers trade throughput for area, while parallel arrays maximize speed
• Memory requirements: Storing pre-computed powers and intermediate values
• Pipeline depth: Breaking long operations into stages for higher throughput in batch processing

Elliptic Curve Mathematics

Cryptographic elliptic curves are defined by equations over finite fields, with points on the curve forming a mathematical group:

• Weierstrass form: The general equation y^2 = x^3 + ax + b over a prime field GF(p)
• Point at infinity: The identity element for the group operation, analogous to zero in addition
• Point addition: Given two points P and Q, computing a third point R = P + Q using geometric construction
• Point doubling: Computing 2P, a special case with optimized formulas
• Point negation: For a point (x, y), the negation is (x, -y)

The security of ECC relies on the elliptic curve discrete logarithm problem: given points P and Q = kP, finding the scalar k is computationally infeasible for properly chosen curves and sufficiently large k.

Coordinate Systems

Different coordinate representations offer trade-offs between operation count and inversion requirements:

• Affine coordinates: Standard (x, y) representation requiring modular inversion for each point operation
• Projective coordinates: Representing points as (X:Y:Z) where x = X/Z and y = Y/Z, deferring inversion
• Jacobian coordinates: Using (X:Y:Z) where x = X/Z^2 and y = Y/Z^3, optimizing doubling operations
• Mixed coordinates: Combining systems to minimize total operation count

Projective coordinates are preferred for hardware implementation because modular inversion is significantly more expensive than multiplication. A single inversion at the end of scalar multiplication converts the result back to affine coordinates.

Scalar Multiplication Algorithms

Scalar multiplication computes Q = kP for a large scalar k and base point P, the fundamental operation for ECC protocols:

• Double-and-add: Analogous to square-and-multiply, processing scalar bits with doubling and conditional addition
• Montgomery ladder: A constant-time algorithm performing one addition and one doubling per bit regardless of bit value
• Window methods: Pre-computing small multiples of P to process multiple scalar bits per iteration
• NAF (Non-Adjacent Form): Representing the scalar with digits from {-1, 0, 1} to reduce the number of additions
• w-NAF: Generalized NAF with width-w digits for further optimization

The Montgomery ladder is widely used in security-focused implementations because it naturally provides constant-time execution, making it resistant to timing attacks.

Field Arithmetic for ECC

Elliptic curve operations reduce to field arithmetic in GF(p) or GF(2^m):

• Prime field operations: Modular addition, subtraction, multiplication, and inversion in GF(p)
• Special primes: NIST primes like 2^256 - 2^224 + 2^192 + 2^96 - 1 enable fast reduction
• Pseudo-Mersenne primes: Primes close to powers of 2 allowing efficient reduction through addition
• Montgomery reduction: Applicable to ECC field arithmetic as well as RSA

Modern Curve Implementations

Contemporary curve designs simplify secure implementation:

• Curve25519: Designed specifically for the Montgomery ladder with complete formulas and efficient field arithmetic
• Edwards curves: Providing unified addition formulas that eliminate exceptional cases
• Ed25519: An Edwards curve offering high performance with built-in side-channel resistance
• Curve448: A higher-security curve for applications requiring 224-bit security

Binary Extension Fields

Fields of the form GF(2^m) are particularly suited to digital hardware:

• Polynomial representation: Field elements are polynomials over GF(2) of degree less than m
• Addition: Coefficient-wise XOR, requiring no carries
• Multiplication: Polynomial multiplication followed by reduction modulo an irreducible polynomial
• Irreducible polynomials: The field-defining polynomial, analogous to a prime modulus for prime fields

The carry-free nature of addition in GF(2^m) makes these fields highly efficient for hardware implementation.

AES Field Operations

The Advanced Encryption Standard operates in GF(2^8) with the irreducible polynomial x^8 + x^4 + x^3 + x + 1:

• S-box computation: Multiplicative inverse in GF(2^8) followed by an affine transformation
• MixColumns: Matrix multiplication with coefficients in GF(2^8)
• XTime operation: Multiplication by x (0x02) with conditional reduction
• Composite field implementations: Decomposing GF(2^8) into GF((2^4)^2) or GF(((2^2)^2)^2) for smaller hardware

Composite field techniques trade gate complexity for logic depth, enabling significant area savings at the cost of increased latency.

GF(2^128) for Authentication

Galois/Counter Mode (GCM) authentication uses multiplication in GF(2^128):

• GHASH operation: Sequential multiplication and XOR accumulating the authentication tag
• Parallel implementations: Processing multiple blocks simultaneously for high throughput
• Karatsuba multiplication: Reducing the number of bit-wise multiplications at the cost of extra additions
• Lookup table approaches: Trading memory for computation in software implementations

Multiplication Algorithms

Various algorithms implement Galois field multiplication with different trade-offs:

• Shift-and-XOR: Basic bit-serial multiplication analogous to shift-and-add for integers
• Mastrovito multiplier: Parallel multiplication with built-in reduction
• Karatsuba method: Divide-and-conquer reducing multiplication complexity from O(n^2) to O(n^1.58)
• Tower field constructions: Hierarchical field decomposition enabling recursive implementation

Inversion Methods

Multiplicative inverse in Galois fields is required for several cryptographic operations:

• Extended Euclidean Algorithm: Iteratively computing the inverse using polynomial GCD
• Fermat's Little Theorem: Computing a^(-1) = a^(2^m - 2) through exponentiation
• Itoh-Tsujii algorithm: Optimized exponentiation using addition chains and Frobenius automorphism
• Lookup tables: Pre-computing all inverses for small field sizes like GF(2^8)

Primality Testing

Probabilistic primality tests determine whether a candidate is likely prime:

• Miller-Rabin test: The most widely used probabilistic test, based on modular exponentiation
• Fermat test: A simpler but less reliable test checking a^(n-1) = 1 mod n
• Lucas test: Often combined with Miller-Rabin for additional confidence
• False positive probability: With k iterations, the probability of falsely accepting a composite is at most 4^(-k)

For cryptographic applications, 40-80 Miller-Rabin iterations are typical, providing astronomically low false positive rates.

Sieving and Trial Division

Pre-filtering candidates before expensive primality testing dramatically improves efficiency:

• Trial division: Testing divisibility by small primes (typically the first few hundred or thousand)
• Sieve methods: Generating candidate sequences that avoid obvious composites
• Incremental sieving: Efficiently updating residues as candidates are tested
• Expected attempts: For an n-bit prime, approximately n/ln(2) candidates are tested on average

Special Prime Forms

Cryptographic applications often require primes with specific properties:

• Safe primes: Primes p where (p-1)/2 is also prime, used for Diffie-Hellman groups
• Strong primes: Various additional requirements for RSA resistance to specific attacks
• Primes for ECC: Field primes with efficient reduction properties
• Balanced RSA primes: Similar bit lengths for the two factors

Hardware Prime Generation

Implementing prime generation in hardware presents specific challenges:

• Modular exponentiator reuse: Using the same hardware for primality testing and other operations
• Candidate generation: Efficient random candidate selection with basic filtering
• Parallel testing: Testing multiple candidates simultaneously when hardware permits
• Timing considerations: Variable generation time may leak information about prime values

Entropy Sources

True randomness originates from physical processes with inherent unpredictability:

• Thermal noise: Johnson-Nyquist noise in resistors and transistors
• Shot noise: Statistical fluctuations in electron flow
• Ring oscillator jitter: Timing variations in free-running oscillators
• Metastability: Unpredictable resolution of flip-flops in metastable states
• Quantum effects: Inherently random processes at the quantum level

Hardware random number generators must carefully extract entropy from these sources while accounting for potential biases and environmental influences.

Conditioning and Extraction

Raw entropy sources typically exhibit biases that must be removed:

• Von Neumann extraction: Converting biased bits to unbiased by examining pairs
• Cryptographic hashing: Compressing entropy pool contents through hash functions
• Linear feedback shift registers: Whitening sequences to remove obvious patterns
• XOR combination: Combining multiple independent sources for improved quality

Deterministic Random Bit Generators

DRBGs expand true random seeds into longer sequences while maintaining cryptographic security:

• CTR_DRBG: Based on AES in counter mode, widely deployed
• Hash_DRBG: Using cryptographic hash functions for generation
• HMAC_DRBG: Based on HMAC, providing backtracking resistance
• Reseeding: Periodically incorporating fresh entropy to limit damage from state compromise

NIST SP 800-90A specifies requirements for approved deterministic random bit generators.

Health Monitoring

Hardware random number generators require continuous monitoring to detect failures:

• Startup tests: Verifying proper operation before generating output
• Continuous tests: Checking each output for obvious failures like stuck values
• Statistical tests: Monitoring entropy estimates and distribution properties
• Alarm mechanisms: Halting output and alerting when anomalies are detected

Implementation Standards

Cryptographic random number generators must meet rigorous standards:

• FIPS 140-2/140-3: Requirements for random number generators in certified modules
• AIS 31: German BSI evaluation methodology for random number generators
• SP 800-90B: NIST specification for entropy source assessment
• Common Criteria: Protection profiles addressing random generation

SHA-2 Family

SHA-256 and SHA-512 dominate current deployments, sharing a common Merkle-Damgard construction:

• Message padding: Appending a 1 bit, zeros, and the message length to achieve a block-aligned input
• Message schedule: Expanding 512-bit (SHA-256) or 1024-bit (SHA-512) blocks into 64 or 80 words
• Compression function: Iterating rounds that mix working variables with scheduled message words and constants
• Finalization: Adding the compression output to the running hash state

The primary hardware optimization challenge is breaking the adder chains in the compression function critical path.

SHA-3 and Keccak

SHA-3 uses the Keccak sponge construction with fundamentally different characteristics:

• State array: A 1600-bit state organized as a 5x5 array of 64-bit lanes
• Permutation rounds: 24 rounds of theta, rho, pi, chi, and iota operations
• Absorbing phase: XORing message blocks into the state followed by permutation
• Squeezing phase: Extracting output blocks with intervening permutations

SHA-3's highly parallel structure maps efficiently to hardware, with the 1600-bit state being the primary resource requirement.

Optimization Techniques

Hardware hash implementations employ various optimization strategies:

• Carry-save arithmetic: Maintaining sums in redundant form to reduce critical paths
• Pipelining: Breaking rounds into stages for throughput improvement
• Unrolling: Implementing multiple rounds in parallel where data dependencies permit
• Message schedule optimization: Pre-computing or pipelining the message expansion

Hash-Based Constructions

Hash functions serve as building blocks for larger cryptographic constructions:

• HMAC: Keyed hashing for message authentication using two nested hash operations
• HKDF: Key derivation extracting and expanding keying material
• Merkle trees: Hierarchical hashing for efficient verification of large data sets
• Commitment schemes: Hash-based commitments for cryptographic protocols

Timing Attack Prevention

Constant-time execution eliminates timing-based information leakage:

• Uniform control flow: Executing the same sequence of instructions regardless of secret values
• Constant-time selection: Using arithmetic rather than branches for conditional operations
• Regular algorithms: Preferring algorithms like the Montgomery ladder that naturally exhibit constant timing
• Memory access patterns: Avoiding secret-dependent array indexing that could leak through cache timing

Power Analysis Countermeasures

Masking and hiding techniques protect against power consumption analysis:

• Boolean masking: XORing sensitive values with random masks, processing masked values throughout
• Arithmetic masking: Adding random values to operands in modular arithmetic
• Mask conversion: Securely converting between Boolean and arithmetic masks
• Higher-order masking: Using multiple mask shares for stronger protection against advanced attacks

Blinding Techniques

Randomizing computations prevents correlation with known values:

• Message blinding: For RSA, computing (m * r^e)^d * r^(-1) instead of m^d directly
• Exponent blinding: Adding random multiples of the group order to exponents
• Point blinding: For ECC, randomizing the base point representation
• Projective coordinate randomization: Using random equivalent projective representations

Fault Attack Resistance

Protecting against induced computational errors:

• Computation redundancy: Performing operations twice and comparing results
• Check values: Verifying algebraic relationships that should hold for correct computation
• CRT fault detection: Checking m^e = c before returning RSA decryption results
• Point validation: Verifying ECC intermediate points lie on the curve

Implementation Patterns

Secure implementation follows established patterns:

• Algorithm selection: Choosing algorithms with inherent resistance properties
• Constant-time primitives: Building from verified constant-time basic operations
• Randomization integration: Systematically incorporating randomness throughout computation
• Defense in depth: Combining multiple countermeasures for comprehensive protection

Basic Operations

Multi-precision arithmetic builds complex operations from word-level primitives:

• Addition with carry: Propagating carries across the full operand width
• Subtraction with borrow: Managing borrow chains analogously to carries
• Word-by-word multiplication: Computing partial products and accumulating with proper alignment
• Comparison: Determining ordering through high-to-low word comparison

Multiplication Algorithms

Large operand multiplication employs algorithms with sub-quadratic complexity:

• Schoolbook multiplication: O(n^2) complexity, practical for smaller operands
• Karatsuba multiplication: Divide-and-conquer achieving O(n^1.58) complexity
• Toom-Cook: Generalized polynomial evaluation approach for further improvement
• Number Theoretic Transform: FFT-like multiplication achieving O(n log n log log n) for very large operands

Modular Reduction

Efficient reduction is critical for modular arithmetic performance:

• Barrett reduction: Pre-computing a scaled reciprocal for approximate division
• Montgomery reduction: Avoiding division through careful construction
• Special form moduli: Exploiting structure in primes like Mersenne or pseudo-Mersenne forms
• Residue number systems: Representing values by residues modulo several smaller moduli

Hardware Architecture Choices

Multi-precision arithmetic hardware spans a design spectrum:

• Word-serial: Processing one word at a time with minimal hardware, maximizing area efficiency
• Digit-serial: Intermediate parallelism with multiple-word processing
• Full parallel: Complete operand-width datapaths for maximum throughput
• Systolic arrays: Regular structures with local communication for scalable implementation

Polynomial Ring Arithmetic

Lattice-based schemes operate on polynomials in rings like Z[x]/(x^n + 1):

• Polynomial addition: Coefficient-wise addition modulo the coefficient ring
• Polynomial multiplication: Convolution followed by reduction modulo x^n + 1
• Negacyclic property: The reduction x^n = -1 enabling efficient implementation
• Coefficient operations: Modular arithmetic for each polynomial coefficient

Number Theoretic Transform

The NTT accelerates polynomial multiplication in post-quantum schemes:

• FFT analog: Transforming polynomial multiplication to point-wise multiplication in the transform domain
• Finite field roots: Using primitive roots of unity in the coefficient modulus
• Butterfly operations: The basic computational unit combining addition, subtraction, and modular multiplication
• Memory access patterns: Bit-reversal or constant-geometry arrangements

Sampling from Distributions

Lattice schemes require sampling from specific probability distributions:

• Discrete Gaussian: Bell-shaped distribution over integers, required by some schemes
• Centered binomial: Simpler distribution used by CRYSTALS-Kyber and Dilithium
• Rejection sampling: Generating candidates and rejecting those outside bounds
• Constant-time sampling: Avoiding timing variations that could leak information

Hardware Considerations

PQC hardware implementation presents new challenges:

• Large state sizes: Polynomial degrees of 256-1024 with multi-bit coefficients
• NTT units: Dedicated butterfly processors with modular arithmetic
• Memory bandwidth: Moving large polynomials efficiently between computation and storage
• Hybrid designs: Supporting both classical and post-quantum algorithms during transition