Efficient Multiplication of Somewhat Small Integers Using Number-Theoretic Transforms

Abstract

Conventional wisdom purports that FFT-based integer multiplication methods (such as the Schönhage–Strassen algorithm) begin to compete with Karatsuba and Toom–Cook only for integers of several tens of thousands of bits. In this work, we challenge this belief, leveraging recent advances in the implementation of number-theoretic transforms (NTT) stimulated by their use in post-quantum cryptography. We report on implementations of NTT-based integer arithmetic on two Arm Cortex-M CPUs on opposite ends of the performance spectrum: Cortex-M3 and Cortex-M55. Our results indicate that NTT-based multiplication is capable of outperforming the big-number arithmetic implementations of popular embedded cryptography libraries for integers as small as 2048 bits. To provide a realistic case study, we benchmark implementations of the RSA encryption and decryption operations. Our cycle counts on Cortex-M55 are about \(10\times \) lower than on Cortex-M3.

Appendices

A Reduction Algorithms for Cortex-M3 and Cortex-M55

B On Precomputing the Montgomery Constant

Montgomery multiplication (see Sect. 2.4) requires the precomputation of \(q^{-1} \bmod {\texttt {R}}\). When implementing RSA via “large” Montgomery multiplication, rather than a FIOS approach, this means that we need to precompute \(n^{-1}\bmod {}\texttt {R}\) for encryption and \(p^{-1} \bmod {\texttt {R}}\) and \(q^{-1} \bmod {\texttt {R}}\) for decryption. For decryption this can be computed as a part of key generation and stored as a part of the secret key. For encryption, however, it needs to be computed online.

Modular inversion \(x^{-1}\bmod {2^r}\) can be performed using “Hensel lifting”: If \(xy-1= 2^ka\), so that y is an inverse to x modulo \(2^k\), then \(y^{\prime }=2y-x^2y\) satisfies \(xy^{\prime }-1 = -(xy-1)^2 = 2^{2k}a^2\), and hence \(y^{\prime }\) is an inverse of x modulo \(2^{2k}\). This yields \(x^{-1}\bmod 2^k\) after \(\mathcal {O}(\log k)\) iterations. One may observe that this is the sequence of approximate solutions to \(xy=1\) for x via the Newton–Raphson method in the 2-adic integers.

We prototyped Hensel-lifting to assess its relative cost compared to the modular exponentiation; we did not seek a fully optimized version. On the Cortex-M3 we implement both a variable-time variants using umlal for encryption and a constant-time variant using mla for key generation. For the Cortex-M55, we achieve the best performance using umaal. We list the performance in Table 4. We see that already a basic implementation has only a small performance overhead compared to an exponentiation (e.g., \(<5\%\) for RSA-4096).

Table 4. Performance of Hensel lifting; numbers for RSA-4096 in bold.

C Table Lookup

D Pipeline Efficiency of Cortex-M55 Implementation

Table 5 shows Performance Monitoring Unit (PMU) statistics for the subroutines of our Cortex-M55 modular exponentiation (\(N=4096\)). We use \(\texttt {ARM\_PMU\_CYCCNT}\), \(\texttt {ARM\_PMU\_INST\_RETIRED}\), \(\texttt {ARM\_PMU\_MVE\_INST\_RETIRED}\), and \(\texttt {ARM\_PMU\_MVE\_STALL}\) for counting cycles, retired instructions, retired MVE instructions, and MVE instructions causing a stall, respectively. We derive the rate of Instructions per Cycle (IPC), as well as \(\texttt {ARM\_PMU\_MVE\_INST\_RETIRED}/\texttt {ARM\_PMU\_MVE\_STALL}\) as a measure of the MVE overlapping efficiency. Despite most MVE instructions running for 2 cycles, instruction overlapping allows achieving an IPC \(>0.9\).

Table 5. Performance Monitoring Unit statistics for Cortex-M55 implementation.

E High-level Multiplication Structure

See Fig. 2.

Fig. 2.

High-level structure of our integer multiplication algorithm. Finely dotted arrows denote a conceptual reinterpretation with no change in representation. Dashed arrows denote a canonical choice of lift, e.g., a representative of minimal degree for polynomials or a smallest non-negative representative for integers.