在資訊爆炸的時代裡，網路在生活中扮演著相當重要的角色，人們在公開網路上傳送、接收資料，有可能被未經授權人士擷取並從中獲得個人的重要資料。為了避免在傳送重要資料時被竊取，我們必須在資料傳送前進行加密動作，以確保資料在傳送過程中的安全及隱密性。

RSA是最為廣泛使用的公開金鑰密碼系統之一，其加密、解密過程需要大量的指數運算及模數運算，為了增加安全性，其運算位元數通常大於512位元，若使用一般處理器上的軟體來執行，恐怕很難達到網路的即時性要求，因此將RSA加解密做成硬體，來提升運行速度有其必要性。

指數模數運算是RSA加解密系統中唯一的運算，而透過重覆的乘法模數運算，就可以達到指數模數運算的結果。而蒙哥馬利乘法模數演算法(Montgomery's Algorithm)是目前公認最適合應用在RSA加解密中的乘法模數演算法，為了改善RSA加解密系統的執行速度，有很多論文都提出方法來改善蒙哥馬利演算法及其架構，本論文也針對蒙哥馬利模數乘法器之效能及功率消耗進行改善。

本論文提出改良的蒙哥馬利模數乘法器及RSA加解密系統之架構，此架構只須使用一層進位節省加法器(Carry Save Adder)，大量降低傳統乘法器的延遲時間及面積，再加上本論文提出的低功率位移暫存器，將可有效地降低蒙哥馬利模數乘法器的功率消耗。實驗結果顯示我們提出的RSA加解密系統具有高效能及低功率的特性，未來應用在可攜式電子產品上將有更大的競爭力。

The explosive growth in the data communications industry has positioned the internet to hold very important roles in our lives. Sending or receiving data on an open network is an invitation for unauthorized users to obtain your personal information. In order to avoid compromising sensitive information while transferring data, the data needs to be encrypted before transmission to ensure that the information remains safe and confidential.

RSA is the most widely used public-key cryptosystem. An RSA operation is a modular exponentiation, which is usually achieved by repeated modular multiplications. For security reasons, RSA operand sizes need to be 512 bits or greater. It would be difficult to achieve real time transmission on the internet by running software programs on typical processors. For this reason, we believe it is necessary to implement RSA by hardware circuit in order to speed up RSA operations.

Modular exponentiation is the only operation in RSA cryptosystem and it can be done through repeated modular multiplications. The Montgomery multiplication algorithm is widely recognized as the most efficient modular multiplication algorithm. In order to improve the speed of RSA operation, many papers have proposed ways to refine the Montgomery Algorithm and its architecture. In this thesis, we focus on further improving the performance and power consumption of RSA cryptosystems.

This research presents an improved Montgomery multiplier and RSA cryptosystem architecture using only one carry saver adder to significantly reduce the delays of conventional multipliers. We also proposed a low power shift register to reduce power consumption of shift register in Montgomery multiplier. Experimental results show that the proposed RSA cryptosystem not only runs with higher performance but also consumes less power, leading to this system more competitive and suitable for implementations in portable electronic products.

1 緒論 1
1.1 研究動機 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 論文大綱 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 研究背景 3
2.1 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 進位節省之蒙哥馬利演算法 . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1 5-to-2 CSA 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . . . 5
2.2.2 4-to-2 CSA 蒙哥馬利演算法 . . . . . . . . . . . . . . . . . . . 5
2.3 管線化蒙哥馬利乘法模數演算法及架構 . . . . . . . . . . . . . . . . . 10
2.3.1 管線化蒙哥馬利演算法 . . . . . . . . . . . . . . . . . . . . . 10
2.3.2 管線化模數乘法器架構 . . . . . . . . . . . . . . . . . . . . . 11
2.4 指數模數演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4.1 L 演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4.2 H 演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 3-to-2 CSA 蒙哥馬利演算法及架構 17
3.1 傳統 3-to-2 CSA 蒙哥馬利乘法模數演算法及架構 . . . . . . . . . . . 17
3.2 改良式 3-to-2 CSA 蒙哥馬利乘法模數演算法 . . . . . . . . . . . . . 19
3.3 改良式指數模數演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.4 改良式乘法模數硬體架構 . . . . . . . . . . . . . . . . . . . . . . . . 21
3.5 改良式指數模數硬體架構 . . . . . . . . . . . . . . . . . . . . . . . . 22
3.6 低功率設計 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.6.1 閘控時脈電路 . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.6.2 低功率移位暫存器 . . . . . . . . . . . . . . . . . . . . . . . . 28
4 提出的 3-to-2 CSA 蒙哥馬利演算法及架構 33
4.1 商數前看 (Quotient Lookahead) . . . . . . . . . . . . . . . . . . . . . 33
4.2 省略多餘運算 (Superfluous Operation Elimination) . . . . . . . . . . 34
4.3 有號數乘法 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.4 提出的乘法模數演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.5 提出的指數模數演算法 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.6 提出的乘法模數硬體架構 . . . . . . . . . . . . . . . . . . . . . . . . 41
4.7 提出的指數模數硬體架構 . . . . . . . . . . . . . . . . . . . . . . . . 41
5 實驗數據 44
5.1 實驗步驟 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2 實驗結果 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2.1 蒙哥馬利乘法器 . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.2.2 指數模數運算器 . . . . . . . . . . . . . . . . . . . . . . . . . 46
6 結論與未來展望 51
6.1 結論 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.2 未來展望 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
參考文獻52

R. L. Rivest, A. Shamir, and L. Adleman, ``A method for obtaining digital signature and public-key cryptosystems,' Communications of th ACM, vol. 21, pp. 120-126, Feb. 1978.

P. L. Montgomery, ``Modular multiplication without trial division,' Mathmatics Computation, vol. 44, pp.519-521, Apr. 1985.

C. D. Walter, ``Montgomery exponentiation needs no final subtractions,' Elextron. Lett., vol. 32, no.21, pp. 1831-1832, Oct. 1999.

T. W. Kwon, C. S. You, W. S. Heo, Y. K. Kang, and J. R. Choi, ``Two implementation methods of a 1024-bit RSA cryptoprocessor based on modified montgomery algorithm,' in Proc. IEEE Int. Symp. Circuits Syst., May 2001, vol. 4, pp. 650-653.

A. Cilardo, A. Mazzeo, L. Romano, and G. P. Saggese, ``Carry-save Montgomery modular exponentiation on reconfigurable hardware,' in Proc. Des., Autom. Test Eur. Conf. Exhibition, Feb. 2004, vol. 3, pp.206-211.

C. McIvor, M. McLoone, and J. V. McCanny, ``Modified Montgomery modular multiplication and RSA exponentiation techniques,' IEE Proc. Computers and Digital Techniques, Dec. 2004, pp.144-147.

D. E. Knuth, The Art of Computer Programming: Seminumeral Algorithms. New York: Addison-Wesley, 1981, vol. 2.

Z. Hu,R. M. Al Shboul, V. P. Shirochin, ``An efficient architecture of 1024-bits cryptoprocessor for RSA cryptosystem based on modified Montgomery's algorithm,' in Proc. 4th IEEE Workshop on IDAACS, Sept. 2007, pp.643-646.

K. Manochehri, and S. Pourmozafari, ``Modified radix-2 Montgomery modular multiplication to make it faster and simpler,' in Proc. IEEE int. Cont. on Information Technology, Apr. 2005, vol. 1, pp. 598-602.

M. D. Shieh, J. H. Chen, W. C. Lin, and H. H. Wu, ``A new algorithm for high-speed modular multiplication design,' IEEE Trans. Circuits and Systems I, vol. 56, no. 9, pp. 2009-2019, Sept. 2009.

C. C. Yang, T. S. Chang, and C. W. Jen, `` A new RSA cryptosystem hardware design based on Montgomery's algorithm,' IEEE Trans. CIrcuits Syst. II, Analog Digit. Signal Process., vol. 45, no. 7, pp. 908-913, July 1998.

CIC Referenced Flow for Cell-based IC Design, CHIP Implementation Center, CIC, Taiwan, Document no. CIC-DSD-RD-08-01, 2008.

張凱程,``適用於RSA加解密系統之高效能低功率可調式模數乘法器,'國立中山大學,碩士論文,2010.

B. Parhami, Computer Arithmetic Algorithms and Hardware Designs, Oxford University Press, 2000.