A Survey of Hardware Implementations of RSA

Abstract

Today, a dozen years after the discovery of the RSA encryption algorithm [12], there are many chips available for performing RSA encryption [l] [3] [4] [S] [S] [9] [13] [15]. The purpose of this paper is to briefly describe some of the different computational algorithms that have been used in the chip designs and to provide a list of all of the currently available chips. In this abstract, we will simply mention some of these computational algorithms and give references. The full paper will contain more details of these algorithms and will appear in a book on survey articles in Cryptology which is being edited by Gus Simmons and will be published by IEEE in 1990. Recall that the RSA encryption function consists of computing me mod N, where N = pq for primes p and q. All of the chips perform the exponentiation as a series of modular multiplications. The modular multiplications are computed either as a standard multiplication followed by a modular reduction, or, more commonly, the computation of the multiplication and the modular reduction is combined. Finally, the multiplications are implemented as a series of additions. For each of these arithmetic functions, we will mention some choices in how they can be implemented on a chip. By using redundant number systems to avoid carries the addition can be speeded up at a cost of more storage. Multiplication can be speeded up by the techniques of multiple bit scanning. See for instance [S]. There are several techniques that have been developed for implementing modular reduction. The quotient digits can be approximated using only the high order bits of the divisor and the current remainder[3]. D ivision can be avoided all together by several different methods. The reciprocal of the modulus can be stored, thus replacing division by multiplication. For well chosen values of i, the reduced values of 2' mod N can be stored, so that modular reduction can be achieved through multiplication by these values. Peter Montgomery (101 h as a method for modular reduction without division which uses a nonstandard technique of identifying the residue classes. There are also techniques available to save on the number of multiplications needed to perform an exponentiation.