Hardware Architectures of Elliptic Curve Based Cryptosystems over Binary Fields

Size: px

Start display at page:

Download "Hardware Architectures of Elliptic Curve Based Cryptosystems over Binary Fields"

Collin Sutton
5 years ago
Views:

1 Hardware Architectures of Elliptic Curve Based Cryptosystems over Binary Fields Chang Shu Doctoral Dissertation Defense Feb. 8, 007 Advisor: Dr. Kris Gaj Dept. of Electrical & Computer Engineering George Mason University 1

2 Acknowledgements Dr. Kris Gaj Dissertation Director) Dr. Soonhak Kwon Dept. of Mathematics, Sungkyunkwan University, Korea) Dr. Shih-Chun Chang Committee Member) Dr. Brian L. Mark Committee Member) Dr. Ravi Sandu Committer Member) Dr. Andre Manitius Chair of ECE) Dr. Yariv Ephraim Ph.D. Coordinator) Dr. Tarek El-Ghazawi Dept. of ECE at The George Washington University)

3 Overview Introduction Elliptic Curve Cryptography Tate Pairing Based Cryptography Architectures for Finite Field Arithmetic Polynomial basis multiplier Normal basis multiplier Composite field arithmetic Architectures for Elliptic Curve Cryptosystems Optimizations for a single FPGA device Reconfigurable computing approach Architectures for Tate Pairing Based Cryptosystems Optimizations for a single FPGA device Reconfigurable computing approach Summary 3

4 Elliptic Curve Cryptosystems Family of public key cryptosystems Invented in 1985 by Miller and Koblitz independently Used primarily for digital signatures & key exchange Included in multiple industry, government, and banking standards, such as IEEE p1363, ANSI 9.6, and FIPS 186- Part of standard security protocols, such as IPSec and SSL proposed extension) 4

5 Why Elliptic Curve Cryptography? Key size comparison: ECC vs. RSA Security Level bits) SKIPJACK Triple-DES AES AES AES ECC n RSA n Hardware implementation consideration: Less area, less memory, narrower bandwidth, and more efficient underlying arithmetic Flexibility: There exists a family of cryptosystems for ECC 5

6 Why Hardware Implementations of Cryptography SOFTWARE security of data during transmission HARDWARE speed low cost flexibility new cryptoalgorithms, protection against new attacks) random key generation access control to keys tamper resistance viruses, internal attacks) 6

7 Why Hardware Accelerators for Elliptic Curve Cryptosystems? Hardware accelerators for web servers SSL Secure Socket Layer), high speed requirements for a large number of key exchanges Hardware accelerators for Virtual Private Networks VPNs) IPSec Secure Internet Protocol), establishment of a large number of security association Hardware accelerators for wireless gateways IEEE 80.11, secure key exchange, achieving low power Secure smart cards Need to shorten latency, due to limitations, such as low power, low frequency, and low cost embedded microprocessors Selected cryptographic chip manufacturers 7

8 What is Elliptic Curve Cryptography? Elliptic Curve Cryptosytems ECC) are a class of public key cryptosystems The security of ECC is based on the hardness of the elliptic curve discrete logarithm problem ECDLP). E Let be an elliptic curve over a finite field. Let be a point in E F q, and suppose that P has a prime order n. Then the cyclic subgroup of E F generated by is. P F q < P >= P P L n 1 P P q d Private key: an integer chosen randomly from the interval 1 n 1 Public key: Q = dp Encryption: C = V U = kp M kq Decryption: M = U dv = U d kp = U kq 8

9 Elliptic Curve Arithmetic Group Law Point addition: P Q Point doubling: P = P P Scalar Multiplication: kp = P P L P k times 9

10 Pairing Based Cryptography New family of public key cryptosystems First proposed by Menezes, Okamoto, and Vanstone in 1993 for Weil decent attack against ECC Applied to identity based cryptography, key exchange, and digital signature by Boneh, Joux, Sakai, et al. Not a part of any standard yet Very limited number of software and hardware implementations Believed to be slower than elliptic curve cryptography 10

11 Mathematical Basics of Pairing Based Cryptography Pairing is a map between groups, where, and e: G 1 x G 1 G G 1 = E F q ) G = F q k The most important property of this map is bilinearity eap, bq) = ep, Q) ab a, b: integers P,Q: points on elliptic curves In practice, Tate or Weil pairing are used. 11

12 Identity-Based Encryption Trusted Authority IDBob) s: secret value P: public value H 1 P TA IDBob) S IDBob) P TA = s P public key of TA M P IDBob) r P Alice Encryption C Bob Decryption M P IDBob) = H 1 IDBob)) Bob s public key S IDBob) = s P IDBob) Bob s private key C = U, V) = rp, M H ep IDBob), P TA ) r ) r: random number M = V H es IDBob), U )) By bilinearity, es IDBob, U) = esp IDBob), rp) = ep IDBob ), sp) r = ep IDBob), P TA ) r 1

13 Major Contributions of this Thesis Finite field arithmetic A novel large extension field multiplier architecture for Tate pairing based cryptosystems A novel hybrid multiplier architecture for composite fields A new mathematical scheme for basis conversion for selected field degrees Elliptic curve cryptosystems Latency optimization scheme for a single FPGA device Analysis of several partitioning schemes for a reconfigurable computer, SRC 6 Extensive library of over 5 hardware macros for SRC 6 and SGI Altix-4700 Tate pairing based cryptosystems Comparative analysis of two novel algorithms from the point of view of hardware efficiency First published implementations via a single FPGA device Porting the IP core of pairing over 8 binary fields to SGI Altix-4700 Comparative analysis of Tate pairing based cryptosystems vs. elliptic curve cryptosystems in hardware 13

14 Architectures for Finite Field Arithmetic 14

15 Basis Choices in Finite Fields m 1 Polynomial basis: the subsequent powers 1 α α α of the root of an irreducible polynomial x. Low Hamming weight irreducible polynomial, e.g., trinomial or pentanomial Maximum Hamming weight irreducible polynomial, e.g., All-One- Polynomial m 1 Normal basis: the conjugates β β β β, where β is the root of an irreducible polynomial x. Type I or Type II optimal normal basis f m f m γ Hybrid basis for composite fields α β γ 15

16 Polynomial Basis Multiplier 1) Bit-serial multiplier is area efficient while the operational speed is sacrificed 9 f x) = x x 1 9 Linear feedback shift registers LFSRs) are adopted in both architectures. Least significant bit-serial multiplier based on right-to-left algorithm The registers of bx) can be saved in MSB-serial multiplier because only the partial products need to be updated in each clock cycle Less power is consumed in the second architecture because the value of bx) is fixed during computations. Most significant bit-serial multiplier based on left-to-right algorithm 16

17 Polynomial Basis Multiplier ) Bit-parallel multiplier can complete one multiplication in one clock cycle. It is impossible to be implemented in case of large field sizes. But it can be applied to the ground field arithmetic of the composite multiplier. 5 f5 x) = x x 1 Two steps to derive the bit-parallel multiplier: 1. Use Mastrovito s method to compute the partial product with m-1 bits. Perform the reduction exploiting the standard technique for low Hamming weight irreducible polynomials. 17

18 Polynomial Basis Multiplier 3) The digit-serial multiplier is a parallel version of the bit-serial one. Instead of computing one bit of the product, the digit-serial multiplier can compute multiple bits each clock cycle. Allows the tradeoff between area and latency. MSD serial multiplier in F 39, where the digit size D=4, f39 x) = x x 1 Two parts: 1. LFSRs,. AND-XOR arrays D 1 D i for c x) c x) x an D ix b x) mod f m x) i= 0 18

19 Normal Basis Multiplier 1) Massey-Omura s architecture for normal basis multiplier is to use the same combinational circuits together with rotate registers computing the product serially. 1 γ = θ θ is the normal basis generator of F 5 θ F 11 θ =

20 Normal Basis Multiplier ) Agnew et al. improved the original Massey-Omura s architecture by shortening the critical path Kwon et al. improved the Agnew et al s architecture by decreasing the circuit complexity 0

21 A Novel Normal Basis Hybrid Multiplier for Composite Binary Fields 1) 1. Kwon s bit-serial structure is applied to the tower field multiplication in GF 3x5 ).. Special irreducible trinomial is used to construct the ground field, so that the bit-parallel structure can be efficient. 1

22 A Novel Normal Basis Hybrid Multiplier for Composite Binary Fields ) Squarer: Inverter: d0 d01 d00 d'0 d'01 d'00 a 1 = a A = a 1 r a 1 r, r = nm n 1 1 Obviously, is an element in r n F Since r-1 can be represented as a sum of powers Computation at the top level is free and equivalent to cyclic shift. The standard technique for polynomial basis can be applied to the ground field. a r 1 r 1 = n n... m 1) n can be computed using the addition chain, the method requires log m 1) HW m 1) 1 general multiplications.

23 A Novel Normal Basis Hybrid Multiplier for Composite Binary Fields 3) To apply hybrid multipliers in cryptography properly, another issue must be taken into account. The matrix for basis conversion can be obtained within reasonable amount of time. g g t 1 1 Special irreducible trinomials of the form f x) = x x 1 or f x) = x x 1 can be used to construct the ground field so that computing such a conversion matrix is equivalent to solving a set of linear equations. Field Size n trinomials Field Size n trinomials x x1 15 x 15 x1 3 x 3 x1 31 x 31 x x 4 x1 63 x 63 x1 7 x 7 x1 17 x 17 x1 Summary: 1. Circuit complexity can be decreased considerably due to the efficient bit-serial architecture at the top level.. Compared with the straightforward method of parallelizing normal basis multiplier, this hybrid multiplier is more regular since the bit-parallel component has the same structure. Therefore it is easy for EDA tools to place and route. 3. The bit-parallel multiplier of ground field is very efficient in terms of timing and area due to the chosen trinomial. 3

24 Architectures for Elliptic Curve Cryptosystems 4

25 Lopez-Dahab Algorithm , -. /0 -, Input: An integer k 0 and a point Input: P1= X1, Z1), P= X, Z) P= P1 P, P = x, 1). Output: Q = P1 P = X3, Z3). Z3 = X1 * Z X * Z1 ) X3 = x * Z3 X1 * Z)* X * Z1 ) P = x,y) E. Output: Q = k P.. Set k k k k ) 1. If k=0 or x=0 then Q= 0,0) and stop. Set X 3. x, Z 1, X x Z b, x , 0 / : I G HF D EFG C ; <=> 4. for i from L- downto 0 do k if =1 then I N HM D EMG C AB L C K? J >?= O HF R Q P O EF C EM ).,Z ), Mdouble X,Z,X,Z Madd X S EF S R HF C HM else ).,Z ), Mdouble X,Z,X,Z Madd X ] C < T Z U[\?U U Z? = Y > X W U? U T V U A T <? )).,Z,X,Z 5. Return Q=Mxy X ` C < T Z U[\?U U Z? = Y > X _ QZU ^T> U A T <? U d <_ > f b< e W W b UT a U d\ Ud T< c ; <ab!" ó? bd \ < WU T c [ b a g b[? U= ct * " ) ' $ % & #! " 5

26 Scalar Multiplication Montgomery Ladder Concept k i =0 k i =1 P, P k i =1 k i =0 P, 3P 3P, 4P k i =1 k i =0 k i =1 4P, 5P 5P, 6P 6P, 7P 7P, 8P k i =0 k i =1 k i =0 k i =1 k i =0 k i =1 k i =0 k i =1 8P,9P 9P,10P 10P,11P 11P,1P 1P,13P 13P,14P 14P,15P 15P,16P 11=1011 6

27 Latency Optimization Scheme for ECC Processor in a Single FPGA Device Block Diagram Choices of optimal digit sizes of Multipliers for Xilinx XCV000E Digit size D mul_1 mul_ mul_3 GF 163 ) GF 33 ) GF 83 ) mul_4 mul_5 mul_6 GF 163 ) GF 33 ) GF 83 ) Features: Lopez-Dahab algorithm / parallel computation 7

28 Timing Diagram L = log k T 1 : Latency of one multiplication done by mul_1, mul_ and mul_3 T : Latency of one multiplication done by mul_4 and mul_5 8

29 Comparisons with Software and Previous Work Timing, resource utilization and performance comparison vs. software implementation based on LiDIA, run on Intel Xeon.8 GHz Hardware, Xilinx XCV6000 Software, LiDIA Clock FPGA LiDIA Speedup Fields FFs LUTs Period Latency Latency vs. ns) us) us) LiDIA GF 163 ) 10,918 6, GF 33 ) 14,15 36, GF 83 ) 4,664 35, Performance comparison vs. design by Gura et al. Target device: Xilinx XCV000E) Gura et al. Our design D=16 Our design D=3 GF 163 ) GF 33 ) GF 163 ) GF 33 ) GF 163 ) GF 33 ) FFs 6,44 NA 7,45 10,474 7,467 10,637 LUTs 19,508 NA 18,749 5,838 5,768 35,800 Frequency MHz) Latency us) Speed-up vs. Gura et al

30 Reconfigurable Computing Systems Definition: Microprocessors reconfigurable components FPGAs) Advantages: faster and more flexible than conventional computing technology Two selected systems: SRC-6 & SGI ) A B, > = W S TUV R Q P O q _ q ) A B D > ) A B E > = ; < 9: a ` _ ^ ] [ \Y X YZ r ž ` p s r ž ` p s f f e d c X ) A B F > = %$ )%* #." /!"#, ' & -.##! x i l f q r }~[ q e e p }~[ q e k [jj c Ÿ t i l x f c Ÿ t uvw x t yz { ) A B G > = Y \ o l mn ir k l q i Yj\ c p g Zh t x X g l i l f i l c µ *.# N* "!/ M $ / >K L! J I FH x uvw x ƒ t ƒ ˆ Š x uvw x ƒ t ƒ ˆ ) A B, > = w «ª ˆš i l c µ b X h ) A B D > = ; < 9: c a ` _ ^ Œ Ž ) A B E > = f s a f ` e d _ c ^ X b %$ )%* #." /!"#, ' & -.##! f f e d c X b y w { ²³ ) A B F > = uvw x t ˆš uvw x t ˆš W S TUV ) A B G > = i l f q c [\ ~ j ZœY X SRC-6 architecture SGI RASC Blade architecture SRC-6 chosen for our experiments with ECC and SGI Altix-4700 chosen for our experiments with Tate pairing 30

31 Hierarchy of Elliptic Curve Operations 31

32 SRC Program Partitioning µp system FPGA system C function for µp C function for MAP VHDL macro HLL HDL 3

33 Partitioning Schemes of ECC in SRC 6 µ P µ P 0HL1 0HL µp µp 0HM 00H 33

34 Results and Comparisons for Scalar Multiplication over GF 33 ) Results of the timing measurements for several investigated partitioning schemes and implementation approaches System level architecture End-toend time us) DMA data-in time us) FPGA computation time us) DMA data-out time us) Total overhead us) Speedup vs. software Slowdown vs. VHDL macro H00 Software) 9710 NA NA NA NA HL HL HM H VHDL) Resource utilization for several investigated partitioning schemes and implementation approaches System level architecture % of CLB slices out of 33,79) CLB slice Increase vs. pure VHDL % of LUTs out of 67,584) LUT Increase vs. pure VHDL % of FFs out of 67,584) FF count increase vs. pure VHDL 0HL HL HM H

35 Library of Hardware Macros for Reconfigurable Computers 5 hardware macros for operations in the Galois Fields, and elliptic curve cryptography Developed as a part of the DoD-sponsored project, Library Development and Experiments using Prototype Reconfigurable Parallel Computers LUCITE), in Ported to two high-performance reconfigurable computers, SRC 6 & SGI Altix 4700 Made available to other groups for research regarding reconfigurable computers and cryptography Thoroughly tested using reference software implementations based on the public-domain mathematical package, LiDIA 35

36 Macro Library for Elliptic Curve Cryptosystems Trinomial squarer NIST NB squarer Trinomial multiplier GFm_NB NIST NB multiplier Trinomial inverter NIST NB inverter Pentanomial squarer PB point adder Pentanomial multiplier PB point doubler Pentanomial inverter PB coordinater converter GFm_PB Special PB squarer Special PB multiplier Special PB inverter NIST PB squarer NIST PB multiplier NIST PB inverter ECC_GFm PB scalar multiplier NB point adder NB point doubler NB coordinater converter NB scalar multiplier Three kinds of macro library for SRC 6, totally 5 macros in VHDL, thoroughly tested 36

37 Architectures for Tate Pairing Cryptosystems 37

38 Hierarchy of Tate Pairing Operations 38

39 Analysis of Two New Algorithms Optimized by Kwon Algorithm 1: Input: P = x, y), Q = α, β ) x, y, α, β F m Output: C τ P, Q), where C 1, = C F 4m 4 4 α α, β β, v x 1, m 1 u x y b for i=0 to m-1 do A β θ u α v) s t C C C C A α α 4, 4 β β, u u v, v v 1, θ α v end for C C m 1 θ α v Accumulative multiplication Final powering Algorithm : Input: P = x, y), Q = α, β ) x, y, α, β F m Output: C τ P, Q), where = C F 4m α β β 1, C 1, α 1, u y b 1, θ α for i=0 to m-1)/ do C C, C C A if i<m-1) then 4 4 α α, β β, u u v 1, v v v 1, θ α end if end for A A α v 1) s C C A MT m C C, MT = v m 1) 1) m 1 m 1 39 ± 1)

intermediate results Main controller designed as a finite state machine

40 Top Architecture of Pairing Processor Features: Hardwired logic instead of stored-programmed machine Iterative structure Register files for intermediate results Main controller designed as a finite state machine The extension field multiplier CA and Multiplier 1 are working for both stages 40

41 Two Architectures Investigated for CA 6 multipliers: 1. lower latency. larger area 3. lower product of latency by area 3 multipliers: 1. higher latency. smaller area 3. higher product of latency by area 41

42 Timing Diagram for Algorithm 1 Initialization of MUL 1 REG C A α v θ Storing results to Registers MUL 1 REG C A MUL 1 REG m times Accumulative multiplications C A MUL 1 REG A B MUL 1 : Multiplication over F m MUL REG MUL REG MUL 1 c c 0 1 REG INV 1 c c c c Notations: T1: Latency of CA and Multiplier 1 T: Latency of Multiplier T3: Latency of Inverter MUL 1 : Multiplier 1 MUL : Multiplier C A : Special multiplier over F 4m INV : Inverter 1 c c c c MUL 1 c 0 MUL c s 1)) 1 REG C A Final exponentiation 0: start T 1 m 1) T1 ) m 1) T1 ) T m ) T1 ) T ) m 1) T ) T ) m ) T ) T T m 3) T1 ) 3T T3 8 6 done Time clock cycles) 4

43 43 θ α v T T m B A 0 c 1 c c c c c 1)) s c c c c c c 5 1 T T m 7 1 T T m 5 1 T T m T T T m T T T m 3 1 T m T T T m = T T m T ck Timing Diagram for Algorithm

44 Implementation Results for GF 39 ) 4 x 104 Target device: Xilinx XCCP100-6FF # CLB slices 3.5 Algorithm 1 D=3 Algorithm D=16 Lower product of latency by area Algorithm 1 D= Latency us) 44

45 Implementation Results for GF 83 ) 4 x 10 4 Target Device: Xilinx XCVP100-6FF # CLB slices Algorithm 1 D=3 Algorithm D=16 Lower product of latency by area.6.4. Algorithm 1 D= Latency us) 45

46 Speed-up over Software Software Platform: Intel Xeon.8 GHz; C library, LiDIA, for subfield arithmetic Hardware Platform: Xilinx XCVP100-6FF Algorithm 1, D = 3 Algorithm, D = Speed-up GF 39 ) GF 83 ) GF 39 ) GF 83 ) 46

47 Comparison with Hardware Implementation of Comparable Schemes 1) Elliptic Curve Discrete Logarithm Problem Over EGFq)) MOV Security Menezes-Okamoto-Vanstone algorithm Discrete Logarithm Problem over GFq k ) Field F q MOV Security Binary elliptic 4 m q = m k m Binary hyper- 1 m elliptic Cubic elliptic q = 3 m k log 3) m 9.5 m 47

48 Comparison with Hardware Implementation of Comparable Schemes ) 8 x 104 Our Kerin Grabher 7 Alg. 6 Kerin Curves Elliptic Elliptic Elliptic # CLB slices Our Alg. Lower product of latency by area Fields MOV Security FPGA Device GF 39 ) 956 XCVP 100 GF3 97 ) 9 XCVP 15 GF3 97 ) 9 XCVP4 FF67 1 Grabher Controller Hard wired logic Hard wired logic Micropr ocessor Latency us) 48

49 Comparison with Hardware Implementation of Comparable Schemes 3) 8 x 10 4 Alg. 1 Ronan 7 6 Curves Elliptic Hyperelliptic # CLB slices Our Alg. 1 Lower product of latency by area Ronan Fields MOV Security FPGA Device GF 83 ) 113 XCVP 100 GF 103 ) 136 XCVP 15 1 Controller Hardwired logic Hardwired logic Latency us) 49

50 Porting Tate Pairing to SGI Altix-4700 Features: 1. Serial-in-parallel-out registers. Two SRAMs for input and output 3. Computations and communications between SRAMs and FPGAs scheduled by the controller 50

51 Performance and Cost of Tate Pairing on SGI Altix 4700 Underlying fields Digit size of multiplier in CA Frequency MHz) Algorithm block resource utilization # slices / %) Total resource utilization #slices / %) Latency of software LiDIA ms) Latency of SGI Altix 4700 us) Speed-up Altix vs. Software GF 39 ) ,90 34%) 41,641 46%) GF 41 ) ,86 34%) 41,989 47%) GF 83 ) ,481 41%) 48,0 56%) GF 353 ) ,543 51%) 57,64 64%) GF 367 ) ,71 53%) 58,99 66%) GF 379 ) ,819 56%) 61,540 69%) GF 457 ) ,956 66%) 70,677 79%) GF 557 ) ,931 43%) 49,65 55%) binary fields ranging from GF 39 ) to GF 557 ) are selected for our experiments 51

52 Performance and Cost Comparisons between ECC and Tate Pairing Software performance comparisons for one operation between pairing and ECC, implemented via LiDIA and run on Intel Xeon.8 GHz Tate Pairing Field sizes Latency ms) Field sizes ECC Latency ms) Speed-up, Pairing vs. ECC Hardware performance/cost comparisons for one operation between pairing and ECC, target on SGI Altix-4700, Field sizes Digit sizes Tate Pairing f MHz CLB #slices %) Latency us) Field sizes Digit sizes f MHz ECC CLB #slices%) Latency us) Speed-up Pairing vs. ECC %) %) %) %) %) %) %) %) Note: 1. Virtex-4 LX00 FPGAs are used in Altix ,71 slices for core services, and 89,088 slices in LX00 5

53 Conclusions for Tate Pairing First published FPGA implementation of the Tate pairing schemes for binary elliptic curves Two algorithms improved, implemented and compared Algorithm is faster, but its implementation takes more area Speed-ups in the range demonstrated for Xilinx XCVP100 vs. Xeon.8 GHz Our designs outperform existing implementations of comparable schemes in terms of the execution time by a factor 10-0, and in terms of the product of latency by area by a factor The first complete investigation of pairing cryptosystems over binary elliptic curves on a reconfigurable system Tate pairing cryptosystems are comparable with ECC in terms of software/hardware performance, against the common belief that Tate pairings are slower than traditional elliptic curve cryptosystems 53

54 Summary of Contributions 54

55 Future Work Comparison of three schemes of Tate pairing by the same research group Identical assumptions Design techniques Optimization schemes Tools and coding style Development of a general processor for elliptic curve based cryptosystems, including ECC, HECC, and pairing FPGAs for underlying field arithmetic ASICs for a stored programmable machine 55

56 Publications 1. S. Bajracharya, C. Shu, K. Gaj, and T. El-Ghazawi, Implementation of Elliptic Curve Cryptosystems over GF n ) in Optimal Normal Basis on a Reconfigurable Computer, 14 International Conference on Field Programmable Logic and Applications FPL 04, Antwerp, Belgium, Aug C. Shu, K. Gaj, and T. El-Ghazawi, Low Latency Elliptic Curve Cryptography Accelerator for NIST Curves over Binary Fields, IEEE International Conference on Field Programmable Technology FPT 05, Singapore, Dec C. Shu, S. Kwon, and K. Gaj, FPGA Accelerated Tate Pairing Based Cryptosystems over Binary Fields, IEEE International Conference on Field Programmable Techonology FPT 06, Thailand, Dec C. Shu, S. Kwon, and K. Gaj, FPGA Accelerated Multipliers over Binary Composite Fields Constructed via Low Hamming Weight Irreducible Polynomials, submitted to IEE proceeding of Computer & Digital Techniques. 5. C. Shu, S. Kwon, and K. Gaj, A Hybrid Multiplier of Binary Composite Field with Efficient Basis Conversion, submitted to IEEE Transactions on Computers. 6. C. Shu, S. Kwon, and K. Gaj, Reconfigurable Computing Approach for Tate Pairing Cryptosystems over Binary Fields submitted to IEEE Transactions on Computers. 56

57 Questions? Thank you! 57

FPGA accelerated multipliers over binary composite fields constructed via low hamming weight irreducible polynomials

FPGA accelerated multipliers over binary composite fields constructed via low hamming weight irreducible polynomials C. Shu, S. Kwon and K. Gaj Abstract: The efficient design of digit-serial multipliers