New Algorithms and Architectures for Arithmetic in GF(^2m) Suitable for Elliptic Curve Cryptography

151 

Loading....

Loading....

Loading....

Loading....

Loading....

Texto completo

(1)
(2)

FranisoRodrguez-Henrquez forthe degreeof Dotor of Philosophy

inEletrial& Computer Engineering presented on June 07,2000.

Title: New Algorithmsand Arhitetures forArithmeti inGF(2 m

)

Suitable for ElliptiCurve Cryptography

Abstratapproved:

Cetin K. Ko

Duringthelastfewyearswehaveseenformidableadvanesindigitaland

mo-bileommuniationtehnologiessuhasordlessandellulartelephones,personal

ommuniation systems, Internet onnetion expansion, et. The vast majority

of digital information used in all these appliations is stored and also proessed

withinaomputersystem,andthentransferredbetweenomputersviaberopti,

satellitesystems, and/or Internet. In all these new senarios, seure information

transmission and storage has a paramount importane in the emerging

interna-tional information infrastruture, espeially, for supporting eletroni ommere

and other seurity related servies.

The tehniques for the implementation of seure information handling and

management are provided by ryptography, whih an be suintly dened as

the study of how to establish seure ommuniation in an adversarial

environ-ment. Among the most importantappliations of ryptography, we an mention

dataenryption, digital ash,digital signatures, digitalvoting,network

authenti-ation,data distribution and smart ards.

The seurity of urrently used ryptosystems is based on the omputational

omplexity of anunderlyingmathematialproblem, suh as fatoringlarge

num-bers or omputing disrete logarithms for large numbers. These problems, are

(3)

mathe-Abelian group. In partiular, the disrete logarithm problem in this group is

believed to be an extremely hard mathematial problem. High performane

im-plementations of ellipti urve ryptography depend heavily on the eÆieny in

the omputation of the nite eld arithmeti operations needed for the ellipti

urveoperations.

Themain fousof thisdissertation isthe study and analysisofeÆient

hard-ware andsoftware algorithmssuitable forthe implementationof niteeld

arith-meti. This fous is ruial for a number of seurity and eÆieny aspets of

ryptosystemsbasedonniteeldalgebra,andspeiallyrelevantforelliptiurve

ryptosystems. Partiularly,weareinterestedintheproblemofhowtoimplement

eÆiently three of the most ommon and ostly nite eld operations:

(4)

June 07, 2000

(5)

Suitable forEllipti Curve Cryptography

by

Franiso Rodrguez-Henrquez

A THESIS submitted

to

Oregon State University

inpartial fulllmentof the

requirementsfor the degreeof

Dotor of Philosophy

Completed June 07,2000

(6)

June 07,2000

APPROVED:

Major Professor, representing Eletrial &Computer Engineering

Chairof Department of Eletrial& Computer Engineering

Deanof Graduate Shool

I understand that my thesis will beome part of the permanent olletion of

Oregon State University libraries. My signature below authorizes release of my

thesis toany reader uponrequest.

(7)

I aknowledge the fellowships reeived through my aademi life from the

organizationof Amerian states (OAS), and the governments of El Salvador and

Mexio.

I thank my advisor, Cetin K. Ko for his guidane and help to obtain the

resultspresented in this dissertation.

I alsowould like to thank Juan Carlos Oa~nafor hisgentle reviewing of the

Englishstyleof this manusript.

Finally, I thank all the good friends of mine who have helped me, tolerated

me,andsupportedme, insomanyways, duringtheompliatedandlongproess

thatledmetothe ompletionof my degree. Partiularly,I would like tomention

MiguelRohaPerez andDanielOrtiz Arroyowith whomI havehad the pleasure

(8)

Page

1 INTRODUCTION 1

2 ELLIPTIC CURVECRYPTOSYSTEMS IN GF(2 m

) 7

2.1 Bakground . . . 7

2.1.1 Rings . . . 7

2.1.2 Fields . . . 8

2.1.3 FiniteFields . . . 8

2.1.4 BinaryFinite Fields . . . 9

2.1.5 BinaryFinite FieldArithmeti . . . 10

2.2 Ellipti Curves overGF(2 m ) . . . 11

2.2.1 Denition . . . 11

2.2.2 Operations. . . 11

2.2.3 OrderDenitions . . . 12

2.2.4 Representations . . . 13

2.2.5 AdditionFormulae . . . 13

2.2.6 SalarMultipliation inAÆne Coordinates . . . 14

2.2.7 AnExample . . . 15

2.3 Ellipti Curve Cryptography . . . 19

2.3.1 Disrete LogarithmProblem . . . 19

2.3.2 ElliptiCurve Disrete Logarithms . . . 20

2.3.3 ElliptiCurve Cryptosystem Parameters . . . 20

2.3.4 KeyPair Generation . . . 21

2.3.5 Signature . . . 21

2.3.6 Veriation . . . 21

3 DUAL BASIS MULTIPLIERS 23 3.1 Introdution . . . 23

3.2 PolynomialBasis and Dual Basis . . . 24

3.3 Proposed Dual Basis Multipliation . . . 27

(9)

3.4.3 Equally-Spaed Trinomialsx m

+x m=2

+1 . . . 32

3.4.4 Equally-Spaed Polynomials x kd ++x

2d +x d +1 . 33 3.5 Summary of Results and Conlusions . . . 38

4 PARALLELMULTIPLIERSBASEDONSPECIALIRREDUCIBLE PENTANOMIALS 40 4.1 Introdution . . . 40

4.2 Mastrovito Multipliersand their Analysis . . . 42

4.2.1 Type 1Pentanomials . . . 44

4.2.2 SpeialPentanomialsx m +x 3 +x 2 +x+1 . . . 48

4.3 Dual Basis Multipliation . . . 49

4.4 Analysis of DualBasis Multipliers forIrreduible Pentanomials 52 4.4.1 SpeialPentanomialsx m +x 3 +x 2 +x+1 . . . 52

4.4.2 Type 2Pentanomials . . . 55

4.5 Summary of Results and Conlusions . . . 58

5 KARATSUBA MULTIPLIERS FORGF(2 m ) 62 5.1 Introdution . . . 62

5.2 2 k n-bitKaratsuba Multipliers . . . 64

5.2.1 Complexity Analysis . . . 67

5.2.2 rn-bit KaratsubaMultipliers . . . 70

5.3 Binary Karatsuba Multipliers . . . 72

5.3.1 BinaryKaratsuba Strategy. . . 73

5.3.2 Complexity Analysis . . . 76

5.4 Binary Karatsuba MultipliersRevisited . . . 77

5.4.1 AnExample . . . 79

5.4.2 Programmability . . . 82

(10)

5.6 Conlusions and Disussion of the Results . . . 85

6 EFFICIENTSOFTWAREIMPLEMENTATIONSFORGF(2 m ) ARITHMETIC 88 6.1 Introdution . . . 88

6.2 PolynomialMultipliation and Squaring inGF(2 m ) . . . 90

6.2.1 Look-up Table Method forSquaring Operation. . . 90

6.2.2 KaratsubaMultipliers . . . 91

6.3 Standard Redution. . . 95

6.3.1 Standard Redution with Trinomialsand Pents. . . 95

6.3.2 Standard Redution with GeneralPolynomials . . . 101

6.4 Montgomery Redution . . . 107

6.4.1 Montgomery Redution with Generalpolynomials . . . 109

6.4.2 Montgomery Redution with Trinomialsand Pents. . . 114

6.5 Timings . . . 117

6.6 Conlusions . . . 118

7 CONCLUSIONS 119 BIBLIOGRAPHY 123 APPENDIX 130 Appendix A ALGORITHMS 130 A.1 Computing OptimalDual Basis . . . 130

A.2 Findingthe Trae CoeÆients of Equation (3.41) . . . 131

A.3 Obtaining the m modular Coordinates of Equation(4.3) . . . 132

(11)
(12)

Figure Page

2.1. Montgomery binary methodfor salar multipliation . . . 15

2.2. Elementsin the ellipti urve of equation (2.15) . . . 18

5.1. m =2 k n-bitKaratsuba multiplier. . . 66

5.2. Spae omplexities of hybrid Karatsuba multipliers for arbi-trary musing n =1;2;3 . . . 73

5.3. Binary Karatsuba strategy . . . 74

5.4. m-bit binary Karatsuba multiplier. . . 75

5.5. m-bit binary Karatsuba multiplierif ondition (5.19)holds. . 79

5.6. Shematidiagramofageneralizedm=193-bitbinary Karat-suba multiplier . . . 81

5.7. Programmable binary Karatsuba multiplier . . . 82

5.8. Spae omplexity of the modiedbinary Karatsuba multiplier 83 5.9. Totalareaomplexityofthemodiedbinaryandhybrid Karat-suba multipliers . . . 84

6.1. Generating a look-up table with the rst 2 n 1squares . . . 91

6.2. Generalwordpolynomialmultiplier,basedonalook-uptable tehnique . . . 93

6.3. An algorithmfor standard redution using irreduible trino-mials . . . 97

6.4. Standard redution for irreduible trinomials. . . 98

6.5. An improved version of standard redution using irreduible trinomials . . . 100

6.6. Redution of a single word. . . 101

6.7. Standard redution using irreduible pentanomials . . . 102

6.8. A methodto reduek bits atone . . . 103

(13)

6.11.Standard redution using general irreduible polynomials . . . 106

6.12.A naive algorithmto ompute the Montgomery redution . . 108

6.13.A methodto Montgomery reduek bits atone . . . 110

6.14.Finding the look-up table that ontains all the 2 k

possible

salars in equation(6.22) . . . 112

6.15.Montgomery redution using general irreduible polynomials . 113

6.16.n-bit Montgomery redution for irreduible trinomials . . . . 115

(14)

Table Page

2.1. ElementsoftheeldF =GF(2 4

),dened usingtheprimitive

trinomialof equation (2.12). . . 16

2.2. Salar multiples of the point P of equation (2.16) . . . 19

4.1. The omputation of C(x)using equation (4.4). . . 44

4.2. The oordinates inequation (4.7)lassiedby the numberof operands. . . 47

4.3. ThetraeoeÆientsinequation(4.23)lassiedbythe num-berof operands. . . 57

4.4. Summary of the omplexity results. . . 58

4.5. Type 1 irred. pentanomials x m +x n+1 +x n +x+1 enoded as m(n). . . 60

4.6. Type2irred. pentanomialsx m +x n+2 +x n+1 +x n +1enoded as m(n). . . 61

5.1. Spae and time omplexities for several m = 2 k -bit hybrid Karatsuba multipliers. . . 71

5.2. A generalizedm=193-bitbinaryKaratsuba multiplierusing the algorithmingure 5.4 . . . 80

5.3. Summary of omplexitiesfor the redution step. . . 85

6.1. Look-up table for algorithm6.2. . . 94

(15)

A mishermanos, Andres, AnaMara,LilMaray Jose;

on el mismoamor de siempre.

A mi abuelitaRosita, in memoriam.

(16)

GF(2 )

Suitable for Ellipti Curve Cryptography

Chapter 1

INTRODUCTION

"...Tambieneljugadoresprisionero

(LasenteniaesdeOmar)deotrotablero

Denegrasnohesydeblanosdas.

Diosmuevealjugador,yeste,lapieza.

>QuediosdetrasdeDioslatramaempieza

Depolvoytiempoysue~noyagonas?"

Ajedrez,JorgeLuisBorges.

Althoughhistorially the most prevalent tehnique for the exhange of

infor-mationdata has been the so-alledanalog ommuniation,during the latterpart

of the XX entury, its ounterpart, digital ommuniation, has learly beome

the predominant type used in pratial appliations. Furthermore, all urrent

preditions learly indiate that this trend will ontinue in the foreseen future.

Indeed,duringthe lastfewyears wehaveseen formidableadvanesindigitaland

mobileommuniationtehnologies, suhasordlessand ellulartelephones,

per-sonalommuniationsystems, Internetonnetion expansiontonameafew. The

vast majority of digital information used in all these appliations is stored and

alsoproessedwithin aomputersystem. Digitalinformationisthen,transferred

between omputers viaberopti, satellitesystems, and/orInternet. Inall these

new senarios, seure informationtransmission and storage has a paramount

im-portane in the emerging international information infrastruture, speially, for

supporting eletroni ommere and other seurity related servies.

The tehniques for the implementation of seure information handling and

managementareprovidedby ryptography,whihanbesuintlydenedasthe

(17)

and military ativities. However, in reent years and due to the numerous

teh-nologialimprovementsmentionedabove,researhinryptography hasaddressed

a whole new spetrum of more advaned pratial problems, ranging from the

authorization of user aess to omputer systems, to the implementation of

un-traeable eletroni ash. This evolutionin the originalpurpose of ryptography

has propelled this researh area to beome as one of the most applieddisiplines

in omputer siene. Among the most important appliations of ryptography,

we an mention data enryption, digital ash, digital signatures, digital voting,

network authentiation, data distribution and smartards.

EÆieny and serey are two natural but ontraditing goals in

ryptogra-phy. Onlyin1948themaintheoretialideasofriptographyweremathematially

formulated,thusestablishingryptographyasamodernsiene. In1948and1949,

Shannonpublishedtwopapersthatnowareonsideredtobetheoriginof

informa-tiontheory. OneofthepossibleappliationsofthistheoryenvisionedbyShannon

wasmodernryptography.

AfterShannon'swork,allryptographisystemsdesignedbyresearherswere

based on a seret key, needed to enrypt and to derypt the information. In all

these shemes, alled seret-key ryptosystems, it is assumed that the

ommuni-atingparties are the onlyones who haveaess tothe seretkey. Suh methods

implement symmetri enryption/deryption shemes, whih ontrast with the

methods used in publi-key ryptography, that were rst proposed in the work

of DiÆe and Hellman in 1976. The DiÆe-Hellman protool allows two parties

to agree on a shared, seret key, even though, they an only exhange messages

in publi. Shortly after them, Rivest, Shamir, and Adleman proposed the RSA

ryptosystem in 1978. Today, RSA is one of the most widely known publi-key

systems. In the publi-key model, eah party has a pair of keys, one seret and

one publi,and the enryption/deryptionproess is not symmetri anymore.

The seurity of urrently used ryptosystems, whether they are publi-key

(18)

underly-ingmathematialproblem,suhasfatoringlargenumbers oromputingdisrete

logarithms for large numbers. These problems, without omplete ertainty, are

believed tobe very hard tosolve. In the pratie, only a small number of

math-ematialstrutures ould sofar beapplied to build publi-key mehanisms. The

majorityofthesestruturesarebasedonnumbertheory,inpartiularonthe

mul-tipliative group of integers modulo a large number, whih quite often happens

tobea primenumber. Consequently, omputationalnumber theory traditionally

has played animportantrole in modern ryptography.

This wasthe panoramaof appliedryptography until1985,when N.Koblitz

[17℄ and V. Miller[29℄ proposed independently the use of ellipti urvesfor

ryp-tographi purposes.

Ellipti urves as algebrai/geometri entities have been studied sine the

latter part of the XIX entury. Originally, ellipti urves were investigated for

purely aestheti reasons, but after 1985, they have been utilized in devising

al-gorithms for fatoring integers, primality tests, and in publi-key ryptography.

When an elliptiurve is dened over anite eld, the points on the urve form

anAbelian group. The disretelogarithmprobleminthis group isbelieved to be

an extremely hard mathematial problem, muh harder than the analogous one

dened over nite elds of the same size.

Due to the high diÆulty to ompute the disrete logarithm problem in

el-lipti urves over nite elds, one an obtain the same seurity provided by the

other existing publi-key ryptosystems, but at the prie of muh smaller elds,

whihautomatiallyimpliesshorterkeylengths. Havingshorterkeylengthsmeans

smallerbandwidth and memoryrequirements. Theseharateristis are speially

importantinsomeappliationssuhassmartards,wherebothmemoryand

pro-essingpower are limited.

Furthermore,andindeepontrastwithmost ofthepreviouspubli-key

ryp-tosystemswhih areinspiredinthe appliationof anumber-theory problems,the

(19)

inorpo-rates and takes advantage of the onepts of the Galois eld algebra, by using

elliptiurves dened over nite elds.

Although ellipti urves an be also dened over elds of integers modulo a

large prime number, GF(p), it is usually more advantageous for hardware and

software implementationsto use nite elds of harateristi two, GF(2 m

). This

isduelargelytothearry-freebinarynatureexhibitbythistypeofelds,whihis

anespeiallyimportantharateristifor hardware systems, yielding both higher

performane and less area onsumption.

Highperformaneimplementationsofelliptiurveryptographydepend

heav-ily on the eÆieny in the omputation of the nite eld arithmeti operations

needed for the ellipti urve operations. On the other hand, the level of

seu-rity oered by protools suh as DiÆe-Hellmankey exhange algorithmrelies on

exponentiation in a large group. Typially, the implementation of this protool

requires a large number of exponentiation omputations in relatively big elds.

Therefore,hardware/software implementationsofthegroupoperationsare,forall

the pratialsizes of the group, omputationallyintensive.

Themain fousof thisdissertation isthe study and analysisofeÆient

hard-ware andsoftware algorithmssuitable forthe implementationof niteeld

arith-meti. This fous is ruial for a number of seurity and eÆieny aspets of

ryptosystemsbasedonniteeldalgebra,andspeiallyrelevantforelliptiurve

ryptosystems. Partiularly,weareinterestedintheproblemofhowtoimplement

eÆiently three of the most ommon and ostly nite eld operations:

multipli-ation,squaring, and inversion.

Inhapter2thereaderisintroduedtoelliptiurveryptosystems. The

ma-terialpresentedinthishapter,disussthemostimportantmathematialonepts

that are fundamental for understanding ellipti urve publi-key ryptosystems.

The materialpresented inthis hapter was written basedon [35℄.

In hapter 3, a new approah for dual basis multipliation is presented. In

(20)

operands are given in the polynomial basis. We then give detailed analyses of

thespae andtimeomplexitiesofthe proposed multipliationalgorithmfor

irre-duibletrinomials and equally-spaed polynomials. We show that the time

om-plexity of the proposed multiplier for an equally-spaed polynomial is less than

that of a reently reported multiplier. Furthermore, the proposed approah an

be used todesign polynomialbasis multipliersusing dual basis multipliation.

Thestate-of-the-artGalois eldGF(2 m

)multipliersoeradvantageousspae

and time omplexities when the eld is generated by some speial irreduible

polynomial. Todate, thebest omplexityresultshavebeen obtainedwhenthe

ir-reduiblepolynomialiseitheratrinomialoranequally-spaed polynomial(ESP).

Forthe ases whereneither anirreduible trinomialoranirreduible ESP exists,

theuse ofirreduible pentanomialshas been suggested. Irreduible pentanomials

are abundant, and there are several eligible andidates for a given m. In

hap-ter 4 we analyze the use of two speial types of irreduible pentanomials. We

propose new Mastrovito and dual basis multiplier arhitetures based on these

speialirreduible pentanomials,andwe giverigorousanalyses oftheir spaeand

time omplexity.

In hapter 5, we present a new approah that generalizes the lassi

Kara-tusbamultipliertehnique. In ontrast withversions of this algorithmpreviously

disussed [26, 28℄, in our approah we do not use omposite elds to perform

the groundeld arithmeti. One of the most attrative features of the algorithm

presentedinthishapter,isthearbitraryseletionofthedeningirreduible

poly-nomial'sdegree. Inaddition,theneweldmultipliershemeleadstoarhitetures

thatshowaonsiderablyimprovedgateomplexitywhenomparedtotraditional

approahes.

In hapter 6, we address the problem of how to implement eÆiently nite

eld arithmeti for software appliations. This hapter ontains our analysis of

omplexitiesas well as the timingsobtained by diret C ode implementationof

(21)

arith-meti versus Standard arithmeti for software appliations. The main new ideas

presentedinthishapterareonentratedintheredutionpart. Weanalyze

sepa-ratelytheaseoftrinomialandpentanomialirreduiblepolynomials,andthease

ofgeneral irreduiblepolynomials. Weintrodueafast way toompute standard

redutionfor irreduibletrinomialsand pentanomials. Our tehniquerequires

al-most no restritions in the size of the middle term n of the irreduible trinomial

P = x m

+x n

+1. In addition, the timing results ahieved using our tehnique

are faster than the ones published in other works. We also introdue a fast way

to ompute Montgomery redution for irreduible trinomials and pentanomials.

Themainfeatureofthis methodisthenouseofalook-up table,whihyieldsfast

timing results. To the best of our knowledge, similar redution tehniques, with

equivalentperformane harateristis,havenot beenproposedbeforeinprevious

(22)

Chapter 2

ELLIPTIC CURVE CRYPTOSYSTEMS IN GF(2

m

)

"CodingTheorist'sPledge: IswearbyGalois

thatIwill betrueto the nobletraditionsof

oding theory; that Iwill speak of it in the

seretlanguageknown onlytomyfellow

ini-tiates;andthatIwillvigilantlyguardthe

sa-redtheory fromthosewhowouldprofaneit

bypratialappliations"

J.L.Massey

In this hapter the reader is introdued to elliptiurve ryptosystems. The

material presented in this hapter, disuss some of the most important

mathe-matial onepts, fundamental for the understanding of ellipti urve publi-key

ryptosystems. For a more detailed treatment of these aspets, the reader is

referred to Number theory books like [49, 26,4, 41℄, and to ellipti Curve

math-ematial books like [28, 16, 27, 8℄. The material presented in this hapter was

writtenbased on[35℄.

2.1 Bakground

2.1.1 Rings

A ring R is a set whose objets an be added and multiplied, satisfying the

fol-lowing onditions:

Under addition,R is anadditive(Abelian)group.

Forallx;y;z 2 R we have,

x(y+z) = xy+xz;

(23)

Forallx;y2 R , wehave (xy)z = x(yz).

Thereexists anelement e2R suh that ex = xe = x for allx2R .

The integer numbers, the rational numbers, the real numbers and the omplex

numbers are allrings.

Anelement xofaring issaidtobeinvertible ifxhas amultipliativeinverse

inR , thatis,if thereisa uniqueu2R suhthat: xu = ux = 1. 1isalledthe

unit element of the ring.

2.1.2 Fields

A eld is a ring in whih the multipliation is ommutative and every element

exept 0 has a multipliative inverse. We an dene the eld F with respet to

the additionand the multipliationif:

F is aommutativegroup with respet to the addition.

F nf0g is aommutativegroup with respet tothe multipliation.

The distributivelaws mentionedfor rings hold.

2.1.3 Finite Fields

A niteeld or Galoiseld denoted by GF(q=p n

),is a eld with harateristi

p, and a number q of elements. Suh a nite eld exists for every prime p and

positive integer n, and ontains a subeld having p elements. This subeld is

alled ground eld of the original eld. For every non-zero element 2 GF(q),

theidentity q 1

= 1holds. Furthermore,anelement2GF(q m

)liesinGF(q)

itselfif and only if q

= .

For the rest of this work, we will onsider only the two most used ases in

ryptography: q = p, with p a prime and q = 2 m

. The former ase, GF(p),

is denoted as the prime eld, whereas the latter, GF(2 m

(24)

2.1.4 Binary Finite Fields

A polynomial p in GF(q) is irreduible if p is not a unit element and if p = fg

then f or g must be aunit, that is, a onstantpolynomial.

Let p(x) bean irreduible polynomialover GF(2)of degree m, and let be

a root of p(x), i.e., p( ) =0. Then, we an use p(x) toonstrut a binary nite

eld F = GF(2 m

) with exatly q =2 m

elements, where itself is one of those

elements. Furthermore, the set f1; ; 2

;:::; m 1

g forms a basis for F, and is

alled the polynomial (anonial) basis of the eld [26℄. Any arbitrary element

A2GF(2 m

) an be expressed in this basis as

A = m 1

X

i=0 a

i

i

:

NotiethatalltheelementsinF anberepresentedas(m 1)-degreepolynomials.

The order of an element 2 F is dened as the smallest positive integer k

suh that k

= 1. Any nite eld ontains always at least one element, alled

a primitive element, whih has order q 1. We say that p(x) is a primitive

polynomial if any of its roots is a primitive element in F. If p(x) is primitive,

then all the q elements of F an be expressed as the union of the zero element

and the set of the rst q 1 powers of [26, 4℄

n

0; ; 2

; 3

;:::; q 1

= 1 o

: (2.1)

Some speial lasses of irreduible polynomials are more onvenient for the

im-plementationof eÆient binary nite eld arithmeti. Some important examples

are: trinomials, pentanomials, and equally-spaed polynomials. Trinomials are

polynomialswith three non-zero oeÆientsof the form,

T(x) = x k

+x n

+1 (2.2)

Whereaspentanomialshavevenon-zero oeÆients:

P(x) = x k

+x n2

+x n1

+x n0

(25)

Finally, irreduible equally-spaed polynomials have the same spae separation

between two onseutive non-zero oeÆients. They an be dened as

p(x) =x m

+x (k 1)d

++x 2d

+x d

+1 ; (2.4)

where m = kd. The ESP speializes to the all-one-polynomials (AOPs) when

d=1,i.e., p(x)=x m

+x m 1

++x+1, and to the equally-spaed trinomials

when d = m

2

, i.e., p(x)=x m

+x m

2

+1.

2.1.5 Binary Finite Field Arithmeti

Inthis thesis we are mostly interested ina polynomial basis representation of the

elementsof the binary nite elds. We represent eah element as abinary string

(a

m 1 :::a

2 a

1 a

0

),whihisequivalentlyonsideredapolynomialofdegreelessthan

m:

a

m 1 x

m 1

+:::+a

2 x

2

+a

1 x+a

0

: (2.5)

The additionof two elementsa;b 2F is simplythe addition of two polynomials,

wheretheoeÆientsareaddedinGF(2), orequivalently,thebit-wiseXOR

oper-ationonthe vetors a and b. Multipliationis dened asthe polynomial produt

of the two operands followed by a redution modulo the generating polynomial

p(x). Finally,the inversion of anelement a2F isthe proess tond an element

a 1

2F suh that aa 1

= modp(x).

Addition is by far the less ostly eld operation. Thus, its omputational

omplexity isusually negleted (i.e., onsidered 0). Inversion,on the other hand,

is usually the most ostly eld operation. For instane, inversion based on F

er-mat's theorem requires at least 7 multipliations in F if m 128. In general,

inversion needs O(log

2

(26)

2.2 Ellipti Curves over GF(2 m

)

Thetheoryofelliptiurveshasbeenintensivelystudiedinnumbertheoryand

al-gebraigeometryfor over 150years. Initiallypursued mainlyforpurely aestheti

reasons,elliptiurveshavereentlybeenutilizedinprimalityproving,publi-key

ryptography, and also they gured prominently in the reent proof of Fermat's

last theorem. Ellipti urve ryptosystems were rst proposed in 1985

indepen-dently by N. Koblitz[17℄ and V. Miller[29℄. Sine then, anenormous amountof

literature onthis subjet has been aumulated.

Ellipti urves an be dened over real numbers, omplex numbers, and any

othereld. However, fromtheryptography pointofview, weareonlyonerned

with those over nite elds. More speially, for the rest of this work, we will

onsider only the main theoretial aspets of binary ellipti urves, i.e., ellipti

urvesover GF(2 m

).

2.2.1 Denition

Let F

q

= GF(2 m

) be a nite eld of harateristi two. A non-supersingular

elliptiurve E(F

q

) is dened tobethe set of points(x;y)2GF(2 m

)GF(2 m

)

that satisfythe equation,

y 2

+xy = x 3

+ax 2

+b; (2.6)

wherea and b2F

q

;b6=0, together with the point atinnity denoted by 0.

2.2.2 Operations

Thereexistsanadditionoperationonthepointsofanelliptiurvewhihpossesses

the ring properties disussed inthe previous setion. Letus dene the inverse of

the point P = (x;y) as P = (x;x+y). Then, the point R = P +Q is

(27)

P +0 = P ;

P +( P) = 0:

(2.7)

For the ase when P = Q, the addition operation 2P = P +P is referred as

doublingoperation.

Elliptiurvepointsan beaddedbutnot multiplied. Itis,however, possible

to perform salar multipliation, whih is another name for repeated additionof

the same point. If n is a positive integer and P a point on an ellipti urve, the

salarmultiplenP is the result of adding n 1 opies ofP to itself.

2.2.3 Order Denitions

Notie that the ellipti urve E(F

q

), namely the olletionof all the points inF

q

that satisfy the equation (2.6) an only be nitely many. Even if every possible

pair (x;y)were on the urve,there would be onlyq 2

possibilities. As amatterof

fat,the urve E(F

q

)ouldhaveatmost 2q+1pointsbeause wehaveone point

atinnityand 2q pairs (x;y)(for eahx we have two values of y).

The total number of points in the urve, inludingthe point 0, is alled the

order of the urve. The order is written #E(F

q

). A elebrated result disovered

by Hasse givesthe lower and the upperbounds for this number.

Theorem [28℄ Let #E(F

q

) bethe numberof points inE(F

q

). Then,

j#E(F

q

) (q+1)j 2 p

q (2.8)

As we did in the ase of nite elds, we an also introdue the onept of the

order of an element in ellipti urves. The order of a point P on E(F

q

) is the

smallestintegerk suhthatkP = 0. Theorder ofanypointitis alwaysdened,

and divides the order of the urve #E(F

q

). This guarantees that if r and l are

(28)

2.2.4 Representations

There exist several representations for points on ellipti urves, for purposes of

internal omputation and for external ommuniation. In aÆne-oordinate

rep-resentation, a nite point on E(F

q

) is speied by two oordinates x;y 2 F

q

satisfyingequation (2.6). By denition, the point atinnite 0has no

representa-tion inaÆne oordinates.

Wean make use of the onept of a \projetive plane" overthe eld F

q [1℄.

Inthis way, one an represent anumber usingthree rather thantwooordinates.

Then, given a point P with aÆne-oordinate representation x;y; there exists a

orrespondingprojetive-oordinaterepresentation X;Y and Z suh that,

P(x;y)P(X;Y;Z)

Theformulae foronverting fromaÆneoordinates toprojetive oordinatesand

vieversa are given as,

aÆne-to-projetive: X = x; Y = y; Z = 1

projetive-to-aÆne: x = X

Z 2

; y = Y

Z 3

(2.9)

2.2.5 Addition Formulae

Expliit rational formulae for the addition rule involve several arithmeti

oper-ations in the underlying eld: addition, squaring, multipliation and inversion

[28, 16, 27℄. The formulae for adding points in aÆne oordinates are given as

follows [28℄. Let P = (x

1 ;y

1

) and Q = (x

2 ;y

2

) be two points in E(F

q

), suh

that Q6= P. ThenP +Q = (x

3 ;y

3

)is given as,

x 3 = 8 > < > : y1+y2 x 1 +x 2 2 + y1+y2 x 1 +x 2 +x 1 +x 2 +a

; if P 6=Q ;

x 2 1 + b x 2 1

if P =Q :

(2.10) and y 3 = 8 > < > : y 1 +y 2 x 1 +x 2 (x 1 +x 3 )+x

3 +y

1

; if P 6=Q ;

x 2 1 + x 1 + y1 x1 x 3 +x 3

if P =Q :

(29)

Notie that the addition operation (P 6= Q) an be omputed with three eld

multipliations,oneeldinversion,andseveraleldadditions. Normally,however,

we do not pay attention to the number of eld additions needed, beause as

it was pointed out before, its omputational omplexity is muh less than the

orresponding ones needed for eld multipliation and eld inversion. We notie

alsothat the doubling operationan be omputed with four eld multipliations

and one eld inversion.

2.2.6 Salar Multipliation in AÆne Coordinates

The basi method for omputing the salar multipliation operation, kP, is the

addition-subtrationmethoddesribed in[13℄. This methodis animproved

ver-sion over the well known \add-and-double" or binary method. For a random

multiplierk,this algorithmperforms onaverage 8

3 log

2

k eld multipliationsand

4

3 log

2

k eld inversions inaÆne oordinates [22℄.

A dierent approah for omputing the salar multipliation was rst

intro-dued by Montgomery in [30℄. He presented an algorithm based on the binary

methodandtheobservationthatthe x-oordinateofthe sumoftwopointswhose

diereneisknown an beomputedintermsofthe x-oordinatesofthe involved

points only. The algorithmshown in 2.1 performs an additionand adoubling in

eah iteration, while maintaining the invariant relationship P

2 P

1

= P. At

the end of the exeution of the loopin lines 4-9, the salar produt Q = kP is

obtained in the variable P

1

. An improved version of the algorithm in gure 2.1

was presented in [22℄. There, it was found that the operation Q = kP an be

omputed with N +1 eld inversions, N +4 eld multipliations, 2N +6 eld

additions, and N +2 eld squarings, whereN = 2blog

2 k.

Fortheommonasewhereeldinversionisarelativelyexpensiveoperation,

itisalsopossibletoobtainaprojetiveversion ofthisalgorithm,wherethe salar

multipliation an be obtained with only one inversion. This is ahieved at the

(30)

3N +10 and 5

2

N +3,respetively. These results yield anspeedup of about 14%

when ompared to the original Montgomery algorithm for the ase of projetive

oordinates [22℄.

Input: An integer k >0 and a point P

Output: The salar produt Q = kP.

Proedure Binary Method(P;k).

0. begin

1. k = (k

n 1 :::k

1 k

0 )

2 ;

2. P

1

= P, P

2

= 2P;

4. for i fromn 2downto 0do

5. if (k

i

== 1)then

6. P

1 = P

1 +P

2 ,P

2

= 2P

2 ;

7. else

8. P

2 = P

2 +P

1 ,P

1

= 2P

1 ;

9. end

10. end

Figure 2.1. Montgomery binary method for salarmultipliation

2.2.7 An Example

Let F = GF(2 4

) be a binary nite eld with dening primitive trinomial p(x)

given as,

p(x) = x 4

+x+1: (2.12)

Then,if is a rootof p(x), wehave p( ) = 0,whih implies,

p( ) = 4

(31)

Forbinaryeldarithmeti,additionisequivalenttosubtration. Hene,theabove

equationan berewritten as

4

= +1: (2.14)

Usingequations(2.1)and (2.14),one an nowexpress eah one ofthe 15nonzero

elementsof F as is shown in Table 2.1. Notie that wean dene any one of the

q = 2 4

elements of F usingonly four oordinates.

Elementin GF(2 m

) Polynomial Coordinates

0 0 (0000)

(0010)

2

2

(0100)

3

3

(1000)

4

+1 (0011)

5

2

+ (0110)

6

3

+ 2

(1100)

7

3

++1 (1011)

8

2

+1 (0101)

9

3

+ (1010)

10

2

++1 (0111)

11

3

+ 2

+ (1110)

12

3

+ 2

++1 (1111)

13

3

+ 2

+1 (1101)

14

3

+1 (1001)

15

1 (0001)

Table 2.1. Elements of the eld F =GF(2 4

), dened using the primitive

trino-mialof equation(2.12).

Notie that allthe elements inF an bedesribed by any of the three

(32)

Let us now onsider a non-supersingular ellipti urve dened as the set of

points(x;y)2F F that satisfy

y 2

+xy = x 3 + 13 x 2 + 6 (2.15)

Notie that for the oeÆients a and b of equation (2.6), we have seleted the

values 13

and 6

,respetively. Thereexistatotal of14solutionsinsuhaurve,

inluding the point at innite 0. Using table 2.1, we an see that, for example,

the point

P = (x

p ;y p ) = ( 3 ; 2 ) (2.16)

satisesequation (2.15) overF 4

2

, sine

y 2

+xy = x

3 + 13 x 2 + 6 ( 2 ) 2 + 3 2 = ( 3 ) 3 + 13 ( 3 ) 2 + 6 4 + 5 = 9 + 19 + 6 = 9 + 4 + 6

(0011)+(0110) = (1010)+(0011)+(1100)

(0101) = (0101);

(2.17)

Where we have used the identity 15

= 1. All the thirteen nite points whih

satisfy equation(2.15) are shown in gure 2.2.

Letusnowuse equations(2.10)and(2.11)todoublethepointP = ( 3

; 2

).

Usingone again table 2.1, we obtain,

x 2p = x 2 p + b x 2 p = ( 3 ) 2 + 6 ( 3 ) 2 = 6 + 6 6 = 6

(33)

0

a

a

2

a

2

a

3

a

3

a

4

a

4

a

5

a

5

a

6

a

6

a

7

a

7

a

8

a

8

a

9

a

9

a

10

a

10

a

11

a

11

a

12

a

12

a

13

a

13

a

14

a

14

a

a

15

a

15

x

y

Figure 2.2. Elements inthe ellipti urve of equation(2.15)

It an beveried fromgure 2.2that the result obtained above isindeed a point

inthe ellipti urve of equation(2.15).

As wementioned inx2.2.3, we an keep adding P to itssalar multiples,but

eventually, after k #E(F

q

) salar multipliations, we will obtain the point at

innite0 as aresult. Reall that the integer k isalled the order of the point P.

For the ase in hand, P happens to have a prime order k = 7. Notie that as

itwas laimed inx2.2.3, the order k of P divides the order of the urve #E(F

q ).

Table 2.2listsall the six nite multiples of P.

Obviously, in a true ryptographi appliation the parameter m should be

hosenlarge enoughsothat eÆientgeneration ofsuha look-up tableapproah,

(34)

P 2P 3P 4P 5P 6P

( 3

; 2

) (

13

; 6

) ( 14

; 9

) (

14

; 4

) ( 13

; 15

) ( 3

; 6

)

Table 2.2. Salarmultiplesof the pointP of equation (2.16)

2.3 Ellipti Curve Cryptography

Webrieydisussedintheprevioussetionsthemathematialbakgroundneeded

todesribe the behavior of ellipti urves, theirurve operations and the various

methods for doing salar multipliation. Using this material we an now build a

publi-key ryptosystem based on the theory of ellipti urves. The main

appli-ations of these ryptosystems inlude establishing seret keys for further use in

symmetrial-key ryptosystems and the reation of digital signatures as well as

their digitalveriation

In essene, ellipti urve salar multipliation is the basi operation that is

used inall the elliptiryptosystem appliationsknown to date.

Inthe remainingpart ofthishapter,wewillbrieydisusssome ofthe most

relevant aspets in the onstrutionand designof ellipti urve ryptosystems.

2.3.1 Disrete Logarithm Problem

LetG be amultipliative nite yli group of order n, a primitiveelement of

Gand 2G. The disretelogarithm of tothebase ,denoted by log

,isthe

uniqueinteger ;0 n suh that =

. The disretelogarithm problem is

tond an\easy", i.e.,omputationallyfeasible methodforomputing logarithms

(35)

2.3.2 Ellipti Curve Disrete Logarithms

Suppose that the point P in E(F

q

) has prime order k, where k 2

does not divide

theorderoftheurve#E(F

q

). ThenapointQsatisesQ = lP forsomeinteger

l if and only if kP = 0. The oeÆient l is alled the ellipti urve disrete

logarithm of Q,with respet tothe base pointP. Bydenition, the elliptiurve

disretelogarithmis aninteger modulo k [13, 15,14,42℄.

There are many analogies between the disrete logarithm problem in nite

eldsGF(F

q

)and theelliptiurvedisretelogarithm. Insome sense,both

prob-lems are the same intwo dierent mathematialsettings. As a result,the

primi-tivesandshemes ofboth problemsare losely analogoustoeahother. However,

for a single large q there exist many dierent ellipti urves and many dierent

orders to hoose from. Also, the intratability of the ellipti urve disrete

loga-rithmproblemappears tobemuhharderthanthe disretelogarithmproblemin

niteelds GF(F

q ).

2.3.3 Ellipti Curve Cryptosystem Parameters

Letussupposethatanon-supersingularelliptiurveE(F

q

)asdenedinequation

(2.6)hasbeenseletedand thatitsunderlyingeldF

q

,itsoeÆientsa;b, andits

order #E(F

q

), are all given. Additionally,suppose that abase point P 2E(F

q ),

withprimeorder k, asitwasdesribed inthe preedingsubsetion, hasalsobeen

seleted. Then, aprivate/publi key pair an be dened as follows:

The private key s is aninteger modulok.

Theorrespondingpubli key W is apointonE(F

q

)dened byW := sP.

Notiethatitisneessary toomputeanelliptiurvedisretelogarithminorder

to derive a private key from its orresponding publi key. It is beause of this

reasonthatwe say thatthe seurity of thisryptosystem reliesinthe diÆultyof

(36)

2.3.4 Key Pair Generation

Toompute apubli/privatekeypair,wersthoosearandomintegerd2[1;k

1℄,whih isthe private key. After that, wegenerate the publi keyby omputing

the point

Q = (x

Q ;y

Q

)=dP (2.19)

2.3.5 Signature

The holder of a private key an uniquely digitally sign a message using the

fol-lowing proedure:

1. Aompressedversionofthe messagetosignisobtainedviaahashfuntion,

e = H(M).

2. A randominteger n 2[1;k 1℄is seleted. n is seret and isvalidonly for

that spei message.

3. Usingn, obtain the elliptiurve point,(x

1 ;y

1

) = nP.

4. Usingonlythe eld element x

1

generated inthe step before, generate

r = x

1

(mod k): (2.20)

and

s = n 1

(e+dr) (mod k): (2.21)

The signature for this message is the pair r and s. Notie that the signature

depends on both the message and the private key. This implies that no one an

substitute adierent messagefor the same signature.

2.3.6 Veriation

(37)

re-pair(r 0

;s 0

). Ifthepair (r;s)isequaltothe reeived one, wesaythat thesignature

has been veried.

1. Verify that r 0

and s 0

are between [1;k 1℄. If they are not, the signature is

rejeted.

2. Hashthe reeived messageM 0

, obtaina value e 0

= H(M 0

).

3. Compute

= (s

0

) 1

(modk)

u

1

= e 0

(modk)

u

2

= r 0

(modk)

(2.22)

4. Compute the point (x

1 ;y

1

) = u

1 P +u

2

Q. If this point is the point at

innity 0,the signature is rejeted.

5. Compute = x

1

modk.

Ifr 0

(38)

Chapter 3

DUAL BASIS MULTIPLIERS

"...Iholdwithinmyhand

Grainsofthegolden

sand-Howfew! yethowtheyreep

Throughmyngerstothedeep,

WhileIweep-whileIweep!

OGod! anInotgrasp

Themwithatighterlasp?

OGod! anInotsave

Onefromthepitilesswave?

Isallthatweseeorseem

Butadreamwithinadream?"

EdgarAllanPoe,1827

In this hapter we present a new approah for dual basis multipliation. In

ontrast tothe onventionalapproah,the proposedtehnique assumesthatboth

operands are given in the polynomial basis. We then give detailed analyses of

the spae and time omplexitiesof the proposed multipliation algorithm for

ir-reduible trinomialsand equally-spaed polynomials.

3.1 Introdution

EÆient hardware implementations of the arithmeti operations in the Galois

eld GF(2 m

) are frequently desired in oding theory, omputer algebra, and

el-lipti urve ryptosystems [26, 28℄. For these implementations, the measure of

eÆieny is the spae omplexity, i.e., the number of XOR and AND gates, and

the time omplexity, i.e., the total gate delay of the iruit.

Therepresentationof theeld elementshavearuialroleinthe eÆienyof

the arhitetures for the arithmeti operations. Several arhitetures have been

reported for multipliation in GF(2 m

). For example, eÆient bit-parallel

(39)

Anothertehnique whihwasrst suggested in[3℄isknown asthe dualbasis

multiplier [31, 5, 53, 54℄. Conventional dual basis multipliers have the property

that one of the input operands is given in the polynomial basis while the other

input is in the dual basis. The produt is then obtained in the dual basis [3℄.

In this hapter we present a new approah for dual basis multipliers. Wemodify

the onventional dual basis algorithmso that the neessity of having one of the

operandsin the dual basis an beavoided.

3.2 Polynomial Basis and Dual Basis

Aset of m elementsf

0 ; 1 ; 2 ;:::; m 1

g formsabasis for GF(2 m

)if the

i sare

linearly independent over the eld GF(2). Let p(x) be a degree-m polynomial,

irreduible over GF(2). Let also be a root of p(x), i.e., p( ) = 0. Then,

the set f1; ; 2

;:::; m 1

g is a basis for GF(2 m

), and is alled the polynomial

(anonial) basis of the eld [26℄. An element A 2 GF(2 m

) is expressed in this

basis asA= m 1 X i=0 a i i

. The traeof 2GF(2 m

) relativetothe subeldGF(2)is

dened by

Tr ()= m 1 X i=0 2 i : (3.23)

It is well-known [26℄ that the trae funtion is a linear mapping from the

-nite eld GF(2 m

) onto the nite eld GF(2). Let f

0 ; 1 ; 2 ;:::; m 1 g and f 0 ; 1 ; 2 ;:::; m 1

g be any two bases for GF(2 m

), and also let 2 GF(2 m

)

with 6=0. Then,these two bases are said to bedual with respet to if [5℄,

Tr (

i j ) = 8 > < > :

1 if i=j ;

0 if i6=j :

(3.24)

Let be a xed nonzero element of the eld GF(2 m

) and let the basis of m

elements, f 0 ; 1 ; 2 ;:::; m 1

g be a dual basis of f1; ; 2

;:::; m 1

g, the

poly-nomialbasis previously dened. Then, any element A an be expressed either in

the polynomial basis orin the dual basis as

(40)

Usingequation (3.24), we an obtain the jth oordinate of the element A in the

dual basis as

Tr ( j

A)=Tr( j m 1 X i=0 a i i )= m 1 X i=0 a i Tr( j i )=a

j

: (3.26)

Combining equations (3.24)and (3.26), we an express a j as a j

=Tr( j

A)=Tr( j m 1 X i=0 a i i )= m 1 X i=0 a i Tr( i+j

): (3.27)

Therefore, the onversion from the polynomial basis to the dual basis an be

expressed as amatrix-vetor produt

a 0 a 1 a 2 a m 1 T = G a 0 a 1 a 2 a m 1 T ; (3.28)

wherethe onversion matrix G isknown as the Gram matrix, and isdened as

G = 2 6 6 6 6 6 6 6 6 6 6 6 6 4

Tr () Tr( ) Tr ( 2

) Tr(

m 1

)

Tr ( ) Tr( 2

) Tr ( 3

) Tr(

m

)

Tr ( 2

) Tr(

3

) Tr ( 4

) Tr(

m+1 ) . . . . . . . . . . . . . . .

Tr ( m 1

) Tr( m

) Tr ( m+1

) Tr( 2m 2 ) 3 7 7 7 7 7 7 7 7 7 7 7 7 5 : (3.29)

TheGrammatrixGisafuntionoftheparameter 2 GF(2 m

)andtheirreduible

polynomialp(x) generating the eld. Sine the Gram matrix is guaranteed to be

nonsingular [26℄, we an also obtain the onversion from the dual basis to the

polynomialbasis asa matrix-vetorprodut

a 0 a 1 a 2 a m 1 T = G 1 a 0 a 1 a 2 a m 1 T : (3.30)

In some ases, the Gram matrix is justa permutation matrix, i.e., a matrix

on-taining a single one ineah row orolumn. For example, this is always the ase

when an irreduible trinomial p(x) = x m

+x n

+1 is used to onstrut the eld

GF(2 m

)[31, 5℄. By seleting 2GF(2 m

) suhthat

Tr( i )= 8 > < > :

1 fori=n 1 ;

(41)

Then,it ispossibleto obtainthe so-alledself dual basis ofthe polynomialbasis as, f 0 ; 1 ;:::; m 1

g=f n 1

; n 2

;:::;1; m 1

; m 2

;:::; n

g: (3.32)

In otherwords, wehave

j = 8 > < > :

n 1 j

for j =0;1;:::;(n 1);

m 1+n j

for j =n;n+1;:::;(m 1) :

(3.33) whih implies Tr( i i

)=Tr( i

n 1 i

)=Tr( n 1

)=1 for i=0;1;:::;(n 1);

Tr( i

i

)=Tr( i

m 1+n i

)=Tr ( m 1+n

)=1 for i=n;n+1;:::;(m 1) :

(3.34)

Thus, inthe rstn rows ofthe Grammatrixthereisaone ineveryolumnwhere

thereisthetermTr( n 1

). Intheremainingrows,thereisaoneineveryolumn

wherethere isthe term Tr( m 1+n

). The otherloationsontain onlyzeros. As

anexample, fortheirreduible trinomialx m

+x n

+1=x 7

+x 3

+1,weobtainthe

77 dimension Gram matrix as

G= 2 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4

0 0 1 0 0 0 0

0 1 0 0 0 0 0

1 0 0 0 0 0 0

0 0 0 0 0 0 1

0 0 0 0 0 1 0

0 0 0 0 1 0 0

0 0 0 1 0 0 0 3 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 5 :

Sine the Gram matrix G is a permutation matrix for the irreduible trinomial

x m

+x n

+1generatingtheeldGF(2 m

),theonversionfromthepolynomialbasis

to the dual basis and vie versa requires no gates or delays. A rewiring of the

(42)

3.3 Proposed Dual Basis Multipliation

In this setion, we give the derivation of the proposed dual basis multipliation

algorithm. The proposed algorithmwill take its input operands A and B in the

polynomial basis, and will ompute the produt C

in the dual basis. This is in

ontrast tothe standard denition of the dual basis multipliation, where one of

the input operandsneeds to be represented inthe dual basis.

Let A;B 2 GF(2 m

) be given in the polynomial basis as A = m 1 X i=0 a i i and B = m 1 X i=0 b i i

, where a

i ;b

i

2 GF(2) are their oordinates, respetively. Given a

xed element 2GF(2 m

),we are interested in omputing the produtC

inthe

dual basis with respet to given as,

C = m 1 X k=0 k k : (3.35)

Usingequation(3.26), the oeÆient

k

is given by

k

=Tr( k

C)=Tr( k

AB)

fork =0;1;:::;(m 1)as

k =Tr

0 k m 1 X i=0 a i i ! 0 m 1 X j=0 b j j 1 A 1 A = m 1 X i=0 m 1 X j=0

Tr ( i+j+k )b j a i : (3.36)

Thus, the oeÆient

k

an bewritten as

k = m 1 X i=0 t i+k a i : (3.37)

wherethe trae oeÆientst

i+k

for i;k =0;1;:::;(m 1) are dened by

t i+k = m 1 X j=0 Tr( i+j+k )b j : (3.38)

Therefore, the eld produt C

an be expressed asa matrix-vetor produt

(43)

Eah row of the multipliation matrix in equation (3.39), orresponds to a state

of the shift register in Berlekamp's bit-serial multiplier of [3℄, holding the dual

basis fator . Provided that the trae oeÆients t

k

for k = 0;1;:::;(2m 2)

areallavailable,thespae andtimeomplexitiesforomputingthe matrix-vetor

produtin equation (3.39)are obtained as

AND Gates = m 2

;

XOR Gates = m 2

m ;

TotalDelay = T

A +dlog 2 meT X : (3.40)

Ontheotherhand,fromequation(3.38)weseethatinordertoobtainall(2m 1)

traeoeÆientsrequiredinequation(3.39)weneedtoomputeatotalof(3m 2)

dierent traes. This an be aomplished by using the following transformation

matrixof dimension(2m 1)m, whihwewillallthe extended Grammatrix.

2 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4 t 0 t 1 t 2 . . . t m 1 t m t m+1 . . . t 2m 2 3 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 5 = 2 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4

Tr() Tr( ) Tr(

2

) Tr( m 1

)

Tr( ) Tr( 2

) Tr(

3

) Tr( m

)

Tr( 2

) Tr(

3

) Tr(

4

) Tr( m+1 ) . . . . . . . . . . . . . . . Tr( m 1

) Tr( m

) Tr( m+1

) Tr( 2m 2

)

Tr( m

) Tr( m+1

) Tr( m+2

) Tr( 2m 1

)

Tr( m+1

) Tr( m+2

) Tr( m+3

) Tr( 2m ) . . . . . . . . . . . . . . . Tr( 2m 2

) Tr( 2m 1

) Tr( 2m

) Tr( 3m 3 ) 3 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 5 2 6 6 6 6 6 6 6 6 6 6 6 6 4 b 0 b 1 b 2 . . . b m 1 3 7 7 7 7 7 7 7 7 7 7 7 7 5 (3.41)

The rst m rows of the extended Gram matrix are simply equal to the mm

Gram matrix. The matrix-vetor equations (3.28) and (3.41) show that the rst

m trae oeÆients are infat the oordinates of B inthe dual basis, i.e.,

t 0 t 1 t 2 t m 1 T = b 0 b 1 b 2 b m 1 T : (3.42)

(44)

the operand B in the polynomial basis. The spae omplexity for omputing

all trae oeÆients dened in equation (3.41) depends only on the number of

nonzeroentriesintheextendedGrammatrix,whihisafuntionoftheirreduible

polynomial p(x) generating the eld and the element 2 GF(2 m

). One the

parameter is xed, the elements of the extended Gram matrix are xed zero

and one values. Thus, the trae oeÆients in equation (3.41) an be omputed

using only XORgates, i.e., noAND gates are required. A goodseletion of is

ruialinorder toobtain anextended Gram matrix withas fewones as possible.

The total omplexity of the proposed multiplieronsistsof twoparts:

Thespaeomplexityforomputingall(2m 1)traeoeÆientswhihare

dened in equation (3.38) or (3.41), and used in equation (3.39). The rst

mtraeoeÆientsaresimplyequaltotheoordinatesoftheoperandB

ex-pressedinthedualbasis. Theremaining(m 1)oeÆientsare determined

usingthe extended Gram matrix given by equation (3.41).

Theomplexityof omputingthe matrix-vetor produtinequation (3.39),

whih was established in equation (3.40) assuming that the oordinates of

the operand A expressed in the polynomial basis and all (2m 1) trae

oeÆientsare given.

3.4 Complexity Analysis

In this setion, we analyze the omplexity of the proposed multipliation

algo-rithmfor severaltypesofirreduiblepolynomials. First,insubsetionsx3.4.1and

x3.4.2 we give the omplexity analysis of the proposed algorithm for irreduible

trinomials. Irreduible trinomials over GF(2)are abundant. For example, there

exist 556 m values less than 1024 suh that at least one irreduible trinomialof

degree m exists [53℄. In subsetions x3.4.3 and x3.4.4 we present the omplexity

(45)

3.4.1 General Trinomials x m

+x n

+1

Takingadvantageofthefatthat, ifp(x) = x m

+x n

+1isirreduibleoverGF(2)

thensoisx m

+x m n

+1[27℄,theomplexityanalysisforgeneraltrinomialsan be

restrited without loss of generality, to irreduible trinomialsp(x) satisfying the

onditionn j

m

2 k

. In the rest of this subsetion, this onditionwillbeassumed.

Asitwasdisussedinsetionx3.2,whenirreduibletrinomialsareusedto

on-struttheeldGF(2 m

),aselfdualbasisofthepolynomialbasisf1; ; 2

;:::; m 1

g

an be found by just permuting the polynomial basis as follows [31,5℄,

f n 1

; n 2

;:::;1; m 1

; m 2

;:::; n

g (3.43)

Hene,the traeoeÆientst

k

fork =0;1;:::;(m 1)areobtained diretlyfrom

the polynomial basis oordinates of the operand B using this permutation:

t

k =b

k =b

n 1 k

for k=0;1;:::;(n 1);

t

n+k =b

n+k =b

m 1 k

for k=0;1;:::;(m n 1) :

(3.44)

Last equation implies that the rst m trae oeÆients an be obtained using

rewiring only, and therefore, their omputation requires no gates or delays. In

orderto obtainthe remainingtrae oeÆientst

m+k

for k =0;1;:::;(m 2), we

willuse the property p( )=0, and write

m

= 1+ n

;

m+1

= +

n+1

;

.

.

.

2m 2

=

m 2

+ m+n 2

:

Due tothe linearityproperty of the trae funtion, we an write

t

m+k

= Tr( m+k

B)=Tr ( k

B)+Tr( n+k

B) for k=0;1;:::;(m 2):

(3.45)

Therefore, these remaining(m 1)trae oeÆients an bewritten as

t =t +t for k =0;1;:::;(m 2):

(46)

This last equation implies that we an ompute the trae oeÆients t

m+k =

t

k +t

n+k

for k = 0;1;:::;(m n 1) using exatly (m n) XOR gates with a

time delay of T

X .

In addition, in order to obtain the last (n 1) trae oeÆients t

m+k for

k=m n;:::;(m 2),weanmakeuseofthe(m n)traeoeÆientspreviously

omputed. Notie that the ondition n j

m

2 k

guarantees that the entire set of

(n 1)pairs(t

k +t

n+k

)isinludedinthepreviouslyomputedsetof(m n)pairs.

Therefore, this omputation requires only (n 1) XOR gates and an additional

T

X

gate delay.

In summary, m n+n 1 =(m 1) XOR gates and 2T

X

gate delays are

suÆienttoobtaintheentireset oft

k

termsfork =0;1;:::;(2m 2). This result

ombinedwithequation(3.40)givesthe omplexityof theproposedmultiplierfor

anirreduible trinomialof the form x m

+x n

+1 with 2nbm=2 as

ANDGates = m 2

;

XORGates = m 2

1;

TotalDelay = T

A

+(2+dlog

2 me)T

X :

(3.47)

3.4.2 Speial Trinomials x m

+x+1

When n =1, a smallredution in the time omplexity an be obtained. Forthis

ase, we an followthe same analysis used inthe previous subsetion. Thus, the

rst m trae oeÆients are obtained from the polynomial basis oordinates of

the operand B using the permutation of equation (3.44). This omputation is

performed using rewiring only, and requires no gates or delays. Then, we an

ompute t

m+k

for k = 0;1;:::;(m 2) using (m 1) XOR gates with a time

delay of T

X

. This result ombined with equation (3.40) gives the omplexity of

the proposed multiplierfor anirreduible trinomialof the form x m

+x+1 as

ANDGates = m 2

;

XORGates = m 2

1;

TotalDelay = T

A

+(1+dlog me)T

X :

(47)

3.4.3 Equally-Spaed Trinomials x m

+ x m=2

+1

Inthis setion, wegivethe omplexityanalysis of the proposed multiplierforthe

irreduibleequally-spaed trinomialp(x) = x m

+x m=2

+1where mis even. It is

known [13℄ that a trinomialof the form x m

+x m=2

+1is irreduible over GF(2)

ifand onlyif m isaneven number suh that m

2

isapowerof three. Forthisase,

thereexists a dual basis of the polynomial basis given as

f m=2 1

; m=2 2

;:::;1; m 1

; m 2

;:::; m=2

g : (3.49)

As before, the rst m trae oeÆients t

k

for k =0;1;:::;(m 1) are obtained

diretly from the polynomial basis oordinates of the operand B using the

per-mutationas

t

k

= b

m=2 1 k

for k =0;1;:::;(m=2 1);

t

n+k

= b

m 1 k

for k =0;1;:::;(m=2 1):

(3.50)

InordertoobtaintheremainingtraeoeÆientst

k

fork =m;m+1;:::;(2m 2),

we write

m

= 1+ m=2

;

m+1

= +

m=2+1

;

.

.

.

3m=2 1

=

m=2 1

+ m 1

;

3m=2

=

m=2

+ m

=

m=2

+1+ m=2

= 1;

3m=2+1

= ;

3m=2+2

=

2

;

.

.

.

2m 2

=

m=2 2

:

Theseidentities an besummarized asfollows:

m+k

= k

+ m=2+k

fork =0;1;:::;(m=2 1) ;

3m=2+k k

(48)

Takingadvantageofthelinearityofthetraefuntion,weanrewritetheprevious

identity as,

t

m+k

= Tr( m+k

B)=Tr( k

B)+Tr( m=2+k

B)=t

k +t

m=2+k ;

t

3m=2+k

= Tr( 3m=2+k

B)=Tr( k

B)=t

k :

We obtainthe trae oeÆientsas

t

m+k =t

k +t

m=2+k

for k =0;1;:::;(m=2 1);

t

3m=2+k =t

k

for k =0;1;:::;(m=2 2):

(3.52)

Therefore, the rst m trae oeÆients are obtained from the polynomial basis

oordinatesoftheoperandBusingthepermutationgivenbyequation(3.49). This

omputation is performed using rewiring only, and requires no gates or delays.

Using equation (3.52), we then ompute t

m+k

for k = 0;1;:::;(m=2 1) using

(m=2) XOR gates with an assoiated time delay of T

X

. The remaining terms

t

3m=2+k

for k = 0;1;:::;(m=2 2) are also omputed from the previous values

using rewiring, as given in equation (3.52). Therefore, (m=2) XOR gates with

a time delay of T

X

, are suÆient to obtain the entire set of t

k

terms for k =

0;1;:::;(2m 2). This resultombinedwithequation(3.40)givestheomplexity

oftheproposedmultiplierfortheirreduibleequally-spaedtrinomialx m

+x m=2

+1

with m even as

ANDGates = m 2

;

XORGates = m 2

m=2;

TotalDelay = T

A

+(1+dlog

2 me)T

X :

(3.53)

3.4.4 Equally-Spaed Polynomials x kd

++ x 2d

+x d

+1

Letthe eldGF(2 m

)be onstrutedusing the irreduibleequally-spaed

polyno-mial(ESP)

p(x) =x m

+x (k 1)d

++x 2d

+x d

+1 ; (3.54)

where m = kd. The ESP speializes to the all-one-polynomial (AOP) when

(49)

setionan alsobeapplied to the equally-spaed trinomialswhere d=m=2, i.e.,

p(x)=x m

+x m=2

+1.

Wewillrst show thatwean hoose a whihwillresultin aGrammatrix

with2(m d) ones. Our resultimprovesthe result obtained in[53℄, inwhihthe

Grammatrix has (2m d 1)ones. Let p( )=0. Thus, we an write

m

= 1+ d

+ 2d

+:::+ (k 1)d

;

m+1

= +

d+1

+ 2d+1

+:::+

(k 1)d+1

;

.

.

.

m+d 1

=

d 1

+ 2d 1

+ 3d 1

+:::+ kd 1

;

m+d

= 1 ;

m+d+1

= ;

.

.

.

2m 2

=

m d 2

:

Theseidentities an besummarized as

m+i

= i

+ d+i

+ 2d+i

++

(k 1)d+i

fori=0;1;:::;(d 1);

m+d+i

= i

fori=0;1;:::;(m d 2):

(3.55)

Therefore, fromthe seondequation above, wean write

Tr( m+d+i

)=Tr( i

) (3.56)

fori=0;1;:::;(m d 2). Let usselet 2GF(2 m

) suh that

Tr( i

)= 8

>

<

>

:

1 fori=d 1 ;

0 fori=0;1;:::;d 2;d;d+1;:::;(m 1) :

(3.57)

The seletion of as above is easy to aomplish [26, 31, 5℄. The oordinates

of an diretly be obtained from the d-th olumn of the inverse Gram matrix

G 1

onstruted using =1. Usingequations (3.55),(3.56), and (3.57), and the

linearity property of the trae funtion,we obtain

(50)

for i= 0;1;:::;(d 2). Furthermore, we onsider the followingtwo trae

oeÆ-ients,

Tr ( m+d 1

) = Tr( d 1

)+Tr( 2d 1

)++Tr( kd 1

)=Tr( d 1

)=1;

Tr( m+2d 1

) = Tr( d 1

)=1:

The remainder of the traes are obtained as

Tr( m+d+i

)=Tr( i

)=0 ;

fori=0;1;:::;(m 2 d) and i6=d 1. Therefore, we have exatlythree trae

oeÆients whih are nonzero:

Tr( d 1

)=Tr( m+d 1

)=Tr( m+2d 1

)=1 : (3.58)

Due to the symmetry of the Gram matrix, the term Tr( i

) appears in exatly

i+1 ells if i <m and in(2m i 1)ells if i m. Therefore, the numberof

ones inthe Gram matrix willbe

(d 1+1)+(2m (m+d 1) 1)+(2m (m+2d 1) 1) =2(m d): (3.59)

Theseletionof asinequation(3.57)yieldsaGrammatrixwheretherows from

0to(d 1)have asingle one, the rows from d to(2d 1) alsohave a singleone,

andnallytherows from2dto(m 1)havetwoones. ThisGrammatrixgivesthe

transformationfromthe polynomial basisrepresentation of the operandB tothe

dualbasis representation. From this analysis,partiularlyfromthe nonzero trae

oeÆient termsgiven by equation (3.58),we an givethe dual basis oordinates

of the operand B as

b

i =

8

>

>

>

>

>

<

>

>

>

>

>

: b

d i 1

for i=0;1;:::;(d 1) ;

b

m+d i 1

for i=d;d+1;:::;(2d 1) ;

b

m+2d i 1 +b

m+d i 1

for i=2d;2d+1;:::;(m 1):

(3.60)

Therefore,giventhe polynomialbasisoordinates b

i

,wean obtainthedualbasis

oeÆientsb

(51)

of T

X

. We also prove by equation (3.60) that the dual basis of the polynomial

basis f1; ; 2

;:::; m 1

g isgiven as

f d 1

;:::;1; kd 1 ;:::; (k 1)d ; kd 1 +

(k 1)d 1

; kd 2

+

(k 1)d 2

;; d + 2d g: (3.61)

As we have seen, the rst m trae oeÆients t

i

for i = 0;1;:::;(m 1) in

the extended Gram matrix are simply given as t

i = b

i

. In order to obtain the

remaining trae oeÆients, we will use the identities in equations (3.55) and

(3.60). Wean writefor i=0;1;:::;(d 1)as

t

m+i

=Tr( m+i

B)=Tr( i

)+Tr( d+i

)+Tr( 2d+i

)+Tr(

(k 1)d+i

) :

Similarly,we anwrite fori=0;1;:::;(m d 2)ast

m+d+i

=Tr( 2m n+i

B)=

t

i

. Thus, the trae oeÆients are obtained as

t m+i =t i +t d+i +t 2d+i

++t

(k 1)d+i

for i=0;1;:::;(d 1);

t

m+d+i =t

i

for i=0;1;:::;(m d 2) :

(3.62)

Inordertoobtainaoniseexpressionfort

m+i

fori=0;1;:::;(d 1)inequation

(3.62), we write the individual termsas

t

i

= b

d i 1 ;

t

d+i

= b

m i 1 ;

t

2d+i

= b

m i 1 +b

m i d 1 ;

t

3d+i

= b

m i d 1 +b

m i 2d 1 ; . . . t (k 2)d+i = b

4d i 1 +b

3d i 1 ;

t

(k 1)d+i

= b

3d i 1 +b

2d i 1 :

Adding these quantities, we obtain

t

m+i =b

d i 1 +b

2d i 1

: (3.63)

(52)

The rst m trae oeÆients t

i

for i =0;1;:::;(m 1) are obtained from

the polynomial basis oordinates of the operand B using (m 2d) XOR

gates witha time delay of T

X

. This is aomplishedusing equation (3.60).

In parallel, we ompute the trae oeÆients t

m+i

for i = 0;1;:::;(d 1)

usingequation (3.63), whih requires d XORgates.

Thetrae oeÆientst

m+d+i

fori=0;1;:::;(m d 2)donot requireany

gates, as seen in equation (3.62). These values are obtained from the ones

omputed earlierby rewiring.

In summary, a single T

X

gate delay and m 2d+d = (m d) XOR gates are

suÆient to obtainthe trae oeÆients t

i

for i =0;1;:::;(2m 2). This result

ombinedwithequation(3.40)givestheomplexityof theproposedmultiplierfor

anirreduible equally-spaed polynomial as

AND Gates = m 2

;

XOR Gates = m 2

m+(m d)=m 2

d ;

TotalDelay = T

A

+(1+dlog

2 me)T

X

:

(3.64)

Foranequally-spaed trinomial,we haved =m=2,and thus, the numberofXOR

gates beomesm 2

m=2 whih isthe result weobtained inx3.4.3. Furthermore,

the XOR omplexity for anAOP isfound as m 2

1 sine d=1.

The proposed tehnique produes the produt in the dual basis. However,

this result may also be diretly onverted to the polynomial basis. For the ase

of the irreduible trinomialsstudiedpreviously, the penalty for this onversion is

zero sine the Gram matrix is a permutation matrix and so is its inverse. Given

C

, wean obtain C usingrewiringonly. Therefore, the proposedmethodan be

usedfor polynomialbasis multipliation. Theresultingmultiplierhas exatlythe

same spae and time omplexity for diret polynomial basis multipliation, e.g.,

theMastrovitomultipliation[48℄,foranirreduibletrinomialgeneratingtheeld

GF(2 m

Figure

Actualización...

Referencias

Actualización...