在現今資訊的時代，網路已成為人類生活中不可或缺的一部分。人們在公開的網路上傳送與接收資料時，可能會被有心人士從中獲得個人的私密資料。為了確保資料的安全及隱密性，在資料傳送時需要進行加密的動作。此舉突顯出密碼系統的重要性。

在眾多的公開金鑰密碼系統中，RSA密碼系統是被大家廣泛使用的系統之一。RSA其原理建立於質數的數學理論，其加解密過程中需要大量的指數與模數運算。若使用軟體來實作RSA加解密會相當緩慢，難以達成網路傳輸的即時性。所以我們將RSA密碼系統以硬體的方式來設計與實現。

RSA加解密過程中主要的運算為模數乘法運算(A × B mod N)。若將其以硬體實現，通常使用蒙哥馬利模數乘法演算法來達成傳統的餘數運算。蒙哥馬利演算法是利用加法與右移的運算來獲得取餘數的運算結果，由於只需要操作加法及右移，所以可以大大地降低硬體實作的複雜度。然而為了RSA的安全性，其金鑰長度至少需要512位元以上，若是以傳統的方式來設計蒙哥馬利模數乘法器，需要相當多的執行時脈週期。

本論文所提出的高基數蒙哥馬利模數乘法器，能一次處理多位元的加法及右移，解決執行模數乘法需要花費大量時脈週期的問題。除了高基數的設計外，我們也以進位節省加法的方式來實作，以避免加法運算的進位傳遞問題。經實驗顯示我們提出的預先運算及分段處理設計，可以降低電路的延遲時間，進一步達到高效能的目標。

In this information age, the internet plays a very important role in our lives. When people send and receive data on the public network, their personal data may be stolen by the other people. In order to ensure that the data remains safe and confidential, the data have to be encrypted before transmission. Therefore, the cryptosystem is important and popular today.

RSA is the one of widely used public-key cryptosystems. Its principle was established in theory of prime numbers. The RSA operation is a modular exponentiation, which is usually achieved by repeated modular multiplications. It would be difficult to achieve real-time transmission on the internet by running software programs. Hence we will implement RSA cryptosystems with hardware architectures.

Modular multiplication (A × B mod N) is the key operation in RSA cryptosystems. A famous approach to implement the modular multiplication into hardware architectures is based on the Montgomery modular multiplication algorithm, which replaces the traditional division with a series of addition and shift operations. For security reasons, RSA operand sizes need to be 512 bits or greater. However, a large amount of clock cycles is required to complete a modular multiplication by traditional Montgomery modular multiplication algorithm.

The thesis presents an improved High-radix Montgomery modular multiplier. It computes multi-bit addition and shift operations in a clock cycle. Therefore, the drawback of great clock cycles is solved. In addition, carry save adders are used to avoid the carry propagation. Experimental results show that the proposed pre-computation and sub-processing design significantly reduce the delays of modular multiplier, leading to higher performance.

第一章 緒論 . . . . . . . . . . . . . . . . . 1
1.1 研究動機 . . . . . . . . . . . . . . . . . 1
1.2 論文大綱 . . . . . . . . . . . . . . . . . 2
第二章 研究背景 . . . . . . . . . . . . . . . . . 3
2.1 RSA密碼系統 . . . . . . . . . . . . . . . . . 3
2.2 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 5
2.3 進位節省之蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 8
2.3.1 5-to-2 CSA 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 9
2.3.2 4-to-2 CSA 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 13
2.3.3 3-to-2 CSA 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 16
第三章 高基數蒙哥馬利模數乘法器 . . . . . . . . . . . . . . . . . 20
3.1 基數4蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 20
3.1.1 基數4迴圈展開法蒙哥馬利模數乘法器 . . . . . . . . . . . . . . . . . 20
3.1.2 基數4布斯編碼法蒙哥馬利模數乘法器 . . . . . . . . . . . . . . . . . 24
3.2 高基數蒙哥馬利演算法 . . . . . . . . . . . . . . . . . 28
3.3 提出之高基數蒙哥馬利模數乘法器 . . . . . . . . . . . . . . . . . 34
3.3.1 進位節省加法架構 . . . . . . . . . . . . . . . . . 34
3.3.2 預先運算處理 . . . . . . . . . . . . . . . . . 35
3.3.3 運算元分段處理 . . . . . . . . . . . . . . . . . 37
3.4提出之高基數蒙哥馬利演算法及架構 . . . . . . . . . . . . . . . . . 41
3.4.1改良式高基數蒙哥利演算法 . . . . . . . . . . . . . . . . . 41
3.4.2改良式高基數蒙哥馬利模數乘法器架構 . . . . . . . . . . . . . . . . . 43
第四章 實驗結果 . . . . . . . . . . . . . . . . . 46
4.1 實驗步驟與方法 . . . . . . . . . . . . . . . . . 46
4.2 實驗數據比較 . . . . . . . . . . . . . . . . . 48
第五章 結論與未來展望 . . . . . . . . . . . . . . . . . 53
5.1 結論 . . . . . . . . . . . . . . . . . 53
5.2 未來展望 . . . . . . . . . . . . . . . . . 53
參考文獻 . . . . . . . . . . . . . . . . . 54

[1] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signature and public-key cryptosystems,” Communications of th ACM, vol. 20, pp. 120-126, Feb. 1978.
[2] William Stallings, “Cryptography and Network Security Principles and Practice,” Forth Edition.
[3] P. L. Montgomery, “Modular multiplication without trial division,” Mathematics Computation, vol. 44, pp. 1831-1832, Apr. 1985.
[4] C. D. Walter, “Montgomery exponentiation needs no final subtractions,” Electronics Letters, vol. 35, no. 21, pp. 1831-1832, Oct. 1999.
[5] C. McIvor, M. McLoone, and J. V. McCanny, “Modified Montgomery modular multiplication and RSA exponentiation techniques,” IEE Proc. Computers and Digital Techniques, vol. 151, no. 6, pp. 402-408, Nov. 2004.
[6] Z. Hu, R. M. Al Shboul, and V. P. Shirochin, “An efficient architecture of 1024-bits cryptoprocessor for RSA cryptosystem based on modified Montgomery’s algorithm,” in Proc. 4th IEEE Workshop on IDAACS, pp. 643-646, Sept. 2007.
[7] R.V. Kamala and M.B. Srinivas, “High-Throughput Montgomery Modular Multiplication,” IFIP International Conference on Very Large Scale Integration, 2006.
[8] P. Kornerup, “High-Radix Modular Multiplication for Cryptosystems,” Proc. IEEE Symp. Computer Arithmetic, pp. 277-283, Jun. 1993.
[9] H. Orup, “Simplifying Quotient Determination in High-Radix Modular Multiplication,” Proc. IEEE Symp. Computer Arithmetic, pp. 193-199, Jul.1995.
[10] G. Sassaw, C.J. Jimenez, and M. Valencia, “High Radix Implementation of Montgomery Multipliers with CSA,” International Conference on Microelectronics (ICM), 2010.
[11] CIC Referenced Flow for Cell-based IC Design, CHIP Implementation Center, CIC, Taiwan, Document no. CIC-DSD-RD-08-01, 2008.
[12] “TSMC 0.13μm (CL013G) Process 1.2-Volt SAGE-X^TM Standard Cell Library Databook,” Jan. 2004.
[13] J. C. Neto, A. F. Tenca, and W. V. Ruggiero, “A Parallel k-Partition Method to perform Montgomery Multiplication,” in Proc. IEEE International Conference on Application-Specific Systems, Architectures and Processors (ASAP), pp. 251-254, Sept. 2011.
[14] A. Cilardo, A. Mazzeo, L. Romano, and G. P. Saggese, “Carry-save Montgomery modular exponentiation on reconfigurable hardware,” in Proc. Des., Autom. Test Eur. Conf. Exhibition, vol. 3, pp. 206-211, Feb. 2004.
[15] T. W. Kwon, C. S. You, W. S. Heo, Y, K. Kang, and J. R. Choi, “Two implementation methods of a 1024-bit RSA cryptoprocessor based on modified Montgomery algorithm,” in Proc. IEEE Int. Symp. Circuits Syst., vol. 4, pp. 650-653, May 2001.
[16] C. C. Yang, T. S. Chang, and C. W. Jen, “A new RSA cryptosystem hardware design based on Montgomery’s algorithm,” IEEE Trans. CIrcuits Syst.II, Analog Digit. Signal Process., vol. 45, no. 7, pp. 908-913, July 1998.
[17] 許桓偉, “適用於RSA加解密系統之高效能低功率模數乘法器,” 國立中山大學, 碩士論文, 2011.
[18] 許弘譯, “適用於RSA密碼系統的高效能基數-4蒙哥馬利模數乘法器,” 國立中山大學, 碩士論文, 2011.
[19] Ping-hua Chen, and Juan Zhao, “High-speed Parallel 32×32-b Multiplier Using a Radix-16 Booth Encoder,” in Proc. IEEE International Symposium on Intelligent Information Technology Application Workshops, 2009.