An Algorithm for Inversion in GF(2 m ) Suitable for Implementation Using a Polynomial Multiply Instruction on GF(2)

Size: px

Start display at page:

Download "An Algorithm for Inversion in GF(2 m ) Suitable for Implementation Using a Polynomial Multiply Instruction on GF(2)"

Clara Webster
6 years ago
Views:

1 An Algorithm for Inversion in GF2 m Suitable for Implementation Using a Polynomial Multiply Instruction on GF2 Katsuki Kobayashi, Naofumi Takagi, and Kazuyoshi Takagi Department of Information Engineering, Graduate School of Information Science, Nagoya University, Furo-cho, Chikusa-ku, Nagoya, Japan. {katsu,ntakagi,ktakagi}@takagi.i.is.nagoya-u.ac.jp Abstract An algorithm for inversion in GF2 m suitable for implementation using a polynomial multiply instruction on GF2 is proposed. It is based on the etended Euclid s algorithm. In the algorithm, operations corresponding to several contiguous iterations of the VLSI algorithm proposed by Brunner et al. is represented as a matri. They are calculated at once through the matri efficiently by means of a polynomial multiply instruction on GF2. For eample, in the case where the word size of a processor and m are 32 and 571, respectively, the algorithm calculates inversion with about the half number of instructions of the conventional algorithm on the average. 1 Introduction Galois field GF2 m, i.e. etension field of GF2, plays important roles in many applications, such as errorcorrecting codes and cryptography. In widely used elliptic curve cryptography ECC, the value of m is large, i.e. 163 or more [1, 2]. Among basic arithmetic operations in GF2 m, multiplicative inversion is the most timeconsuming. Therefore, there is a demand for a fast algorithm for inversion in GF2 m. In recent years, several instruction set etensions for cryptosystem have been proposed [3 6]. These instruction set etensions can increase performance of a processor with small cost. They include a polynomial multiply instruction on GF2. In this paper, we propose a new algorithm for inversion in GF2 m which is suitable for implementation using a polynomial multiply instruction on GF2. The algorithm to be proposed is based on the etended Euclid s algorithm. In the algorithm, operations corresponding to several contiguous iterations of the conventional algorithm for VLSI implementation [7] are represented as a matri which is obtained only with single-word operations. Then, they are calculated at once through the matri efficiently by means of a polynomial multiply instruction on GF2. For eample, in the case where the word size of a processor and m are 32 and 571, respectively, the algorithm calculates inversion with about the half number of polynomial multiply instructions on GF2 and XOR instructions for the conventional algorithm evaluated in [8] on the average. This paper is organized as follows. In the net section, we show conventional algorithms for inversion in GF2 m based on the etended Euclid s algorithm and a polynomial multiply instruction on GF2. In Sect. 3, we proposea fast algorithm for inversion in GF2 m using polynomial multiply instruction on GF2, which is based on the etended Euclid s algorithm. In Sect. 4, we evaluate the algorithm. In Sect. 5, we make several discussions. 2 Preliminaries 2.1 Multiplicative Inverse in GF2 m Let G = m + g m 1 m g 1 +1 be an irreducible polynomial on GF2. Then, we can represent an element in GF2 m defined by G as A =a m 1 m a 1 + a 0, where a i GF2 [9]. Addition and subtraction of two elements in GF2 m are defined as polynomial addition and subtraction on GF2, respectively. Thus, both addition and subtraction are eecuted by eclusive-or operation for every coefficient. Multiplication in GF2 m is defined as a polynomial multiplication modulo G. The multiplicative inverse A 1 of A in GF2 m is defined as the element that satisfies A A 1 =1, where denotes multiplication in GF2 m.

2 j R j U j W j Q j Figure 1. An eample of inversion by Algorithm 1 m =7, G = and A = Algorithm for Inversion in GF2 m based on Etended Euclid s Algorithm Euclid s algorithm for polynomial calculates the greatest common divisor GCD polynomial of two polynomials. The algorithm can be etended for calculating the two polynomials [9], U and W, that satisfy GCDA,B = U A+W B. The etended Euclid s algorithm is as follows, where denotes the operation that calculates a quotient polynomial. [Algorithm 1] Etended Euclid s Algorithm R 1 :=B; U 1 :=0; W 1 :=1; R 0 :=A; U 0 :=1; W 0 :=0; j := 0; repeat j := j +1; Q j :=R j 2 R j 1 ; R j :=R j 2 Q j R j 1 ; U j :=U j 2 Q j U j 1 ; W j :=W j 2 Q j W j 1 ; until R j =0; output R j 1, U j 1 and W j 1 as the results. Rj 1 =GCDA,B = U j 1 A+W j 1 B Let G be the irreducible polynomial with degree m that defines the field, and A be the polynomial representation of an element in the field. Since the greatest common divisor polynomial of A and G is 1, we can obtain the multiplicative inverse A 1 of A as U j 1 modg by replacing B with G in Algorithm 1. This is eplained as follows. GCDA,G = U j 1 A+W j 1 G 1 U j 1 A mod G A 1 U j 1 mod G Figure 1 shows an eample of inversion by Algorithm 1, where m = 7, G = and A = In this eample, the inverse A 1 is U 3. It is reported by Hankerson et al. that an algorithm based on the etended Euclid s algorithm is faster than the other algorithms [8]. The algorithm evaluated in [8] is as follows, where deg is the function to calculate the degree of a polynomial. [Algorithm 2] Algorithm for Inversion in GF2 m Based on Etended Euclid s Algorithm [8] S :=G; V :=0; R :=A; U :=1; while degr 0do δ := degs degr; if δ<0 then temp := S; S := R; R := temp; temp := V ; V :=U; U :=temp; δ := δ; S :=S δ R; V :=V δ U; end while output U as the result. U =A 1 Note that, in Algorithm 1, since calculation of U j is independent of calculation of W j, inversion can be calculated without calculation of W j. Note also that, R j and U j can be calculated by the two most recent polynomials of the series R j and U j, respectively. Therefore, Algorithm 2 keeps only four polynomi-

3 R S U V δ Figure 2. An eample of inversion by Algorithm 2 m =7, G = and A = als, R, S, U,andV, that correspond to R j, R j 1, U j,andu j 1, respectively. Figure 2 shows an eample of inversion by Algorithm 2, where m = 7, G = and A = Net, we eplain the algorithm for inversion in GF2 m based on the etended Euclid s algorithm proposed by Brunner et al. [7]. Although the algorithm is developed for VLSI implementation, we can use it to develop an algorithm suitable for implementation using the polynomial multiply instruction on GF2 as we will describe in the net section. For VLSI implementation, the algorithm tests only the m-th coefficients of two polynomials in the calculation of GCD, thus the polynomials are multiplied by some power of relative to proper ones. The algorithm is as follows, where {O1,O2} means that two operations, O1 and O2, are performed in parallel. r m and s m denote the m- th coefficients of R and S, respectively. δ holds the difference of deg R and deg S, wheredeg denotes the upper bound of the degree of the proper one. [Algorithm 3] VLSI Algorithm for Inversion in GF2 m [7] S :=G; V :=0; R :=A; U :=1; δ := 0; for i =1 to 2m do if r m =0then R := R; U := U; δ = δ +1; if s m =1then S :=S R; V :=V U; S := S; if δ =0then {R :=S,S :=R}; {U := V,V :=U}; δ := 1; U :=U/; δ := δ 1; end for output U as the result. U =A 1 Although the VLSI algorithm proposed in [7] calculates U and V with modulo G arithmetics, we do not need modulo reductions by using m +1-bit registers to hold U and V. Figure 3 shows an eample of inversion by Algorithm 3, where m =7, G = ,andA = Whenitisimplemented in software directly, the algorithm needs multiword shifts in each iteration because shift amount in each iteration is always 1-bit. 2.3 Polynomial Multiply Instruction on GF2 In this paper, we consider the typical multiply instruction on GF2 that was proposed in [3 6]. We call it MULGF2 instruction as in [3]. MULGF2 instruction calculates the 2- word product from two 1-word operands, rs and rt, and writes the product to two special registers, HI and LO as shown in Fig.4. A polynomial multiplier on GF2 can be very simply realized as an AND-array followed by an XOR-tree, i.e. carry-free version of an integer multiplier. Since there are no carry propagation, the multiplier is fast and small. In addition, we can combine this multiplier with an integer HI rs rt LO Figure 4. MULGF2 instruction.

4 i R S U V δ Figure 3. An eample of inversion by Algorithm 3 m =7, G = and A = multiplier with little cost as described in [, 11]. 3 An Algorithm for Inversion in GF2 m Suitable for Implementation Using a Polynomial Multiply Instruction on GF2 In this section, we propose an algorithm for inversion in GF2 m suitable for implementation using a polynomial multiply instruction on GF2. The algorithm is based on Algorithm 3, and processes multiple bits in each iteration for fast calculation. First, we replace the operation U :=U/; with the operation V := V ; in Algorithm 3. By this modification, the final result will become U = m A 1, instead of the desired value A 1 [12]. Net, we describe a matri which represents operations corresponding to several contiguous iterations of Algorithm 3. In Algorithm 3, R,S,U, andv are calculated according to the values of the m-th coefficients of R and S. In the same way, we can decide the operations for updating R, S, U, andv in several contiguous iterations of Algorithm 3 according to the values of several coefficients of R and S. Therefore, we represent the operations to update R, S, U, and V in several contiguous iterations in a matri, as proposed in [13] for Montgomery modular inversion case. The operations in k times iteration of Algorithm 3 can be calculated as follows, where H is the 2 2 matri which is obtained by coefficients from degree m k + 1 to m of R and S, and the elements in H are polynomials on GF2 with degree k or less. R R := H ; 1 S S U U := H ; 2 V V We eplain how to obtain the matri H by using an eample, where m =7, G = , A = 6 + 4,andk =3. In this case, the initial values of variables are R = 6 + 4, S = , U =,andv =0. In the first iteration of Algorithm 3, the following operations are eecuted: R := R; U := U; These operations can be represented in matrices as follows: R R S 0 1 S U U V 0 1 V By the above operations, we get R = 7 + 5, S = , U = 2,andV =0.Inthe same way, in the net iteration of Algorithm 3, the following operations are eecuted: S := S+R; V := U+V;

5 R M 1 R M 2 R 2 R 2 R 1 h R 1 R 0 h h R 0 h R M 3 h R M 2 h R M 1 h Figure 5. multi-word single-word-multiplication. These operations can be represented in matrices as follows: R R S S U U V V By the above operations, we get R = 7 + 5, S = , U =,andv = 2. Then, in the net iteration of Algorithm 3, the following operations are eecuted: {R := S+R, S :=R}; {U := V +U, V :=U}; These operations can be represented in matrices as follows: R R S S U U V V The operations in the above three iterations of Algorithm 3 can be calculated at once by using the following matri H. H = = 0 1 For the word-level description of the algorithm, we partition a polynomial representation on GF2 m into polynomials with degree w 1. Since the degree of a polynomial representation is up to m, we can represent an element in GF2 m by polynomials with degree w 1 as follows: R =R M 1 M 1w + + R 1 w + R 0 R i =r iw+w 1 w r iw+1 + r iw, where M = m +1/w and r j =0for j>m.thematri H, whose elements are polynomials on GF2 with the degree less than w, can be calculated from R M 1 and S M 1 by only single-word operations, where w is the word size of a processor. Equations 1 and 2 include multi-word singleword-multiplication. The multiplication is calculated as follows. R h =R M 1 M 1w +...+R 1 w +R 0 h = R M 1 h M 1w +R M 2 h M 2w +...+R 1 h w +R 0 h Using MULGF2 instruction this calculation is calculated by M MULGF2 and M 1 word XOR instructions as shown in Fig. 5. Therefore, we can calculate them efficiently by using MULGF2 instruction. An algorithm for inversion in GF2 m suitable for implementation using a polynomial multiply instruction on GF2 is as follows. In the algorithm, we assume that the degrees of the initial values of R and S are Mw 1 instead of m. This assumption does not affect the result. [Algorithm 4] The Proposed Algorithm S :=G; V :=0; R :=A; U :=; M := m +1/w ; deg r := Mw 1; deg s := Mw 1; while deg r > 0 do C :=R M 1 ; D :=S M 1 ; if C =0then R := w R; U := w U; deg r := deg r w; H := ; 0 1 j := 1;

6 while j<wand deg r > 0 do j := j +1; if c w 1 =0then C := C; H := H; 0 1 deg r := deg r 1; if deg r = deg s then deg r := deg r 1; if d w 1 =1then temp := C; C := C D ; D :=temp; H := temp := C; C := D; D :=temp; H := 0 deg s := deg s 1; if d w 1 =1then H; H; D := C D ; H := H; D := D; H := H; 0 end while R R := H ; S S U U := H ; V V end while { U/ Mw if deg r =0 output V / Mw otherwise as the result. Note that, we initialize U to instead of 1. Hereby, since a result becomes A 1 Mw we can avoid a multiword shift at the end of the algorithm. Although it would seem that U and V need 2M-word, since U and V are just multiplied by some power of, U and V are M +1-word or less. Figure 6 shows an eample of inversion by Algorithm 4, where m =7, w =4, G = ,andA = Evaluation We have evaluated the proposed algorithm by comparing the number of MULGF2 and XOR instructions of it with that of Algorithm 2. We assume that MULGF2 instruction has a single-cycle latency. We count the number of MULGF2 and XOR instructions in the following operations in Algorithm 2, since they need multi-word single-word-multiplication. R :=R j S; U :=U j V ; In the same way, we count the number of MULGF2 and XOR instructions in the equations 1 and 2, in Algorithm 4. In addition, we also count the number of MULGF2 and XOR instructions in operations for calculating H which is in the form h00 h H := H;. h h 11 Table 1 shows the number of MULGF2 and XOR instructions of the above operations. These figures are the average of inversion of 00 random elements, and we used NIST-recommended irreducible polynomials [2]. In the case where w =32and w =16, Algorithm 4 can calculate inversion faster than Algorithm 2 in almost all m on the average. Especially, in the case where m and w are 571 and 32, respectively, the algorithm calculates inversion with about the half number of instructions of Algorithm 2 on the average. Table 1 also shows no advantage when either the number of words or the word size is small. In these cases, it seems that the cost of the calculation for the matri H is bigger than the benefit from the calculation at once through the matri. 5 Discussion In the proposed algorithm, from the most significant words of R and S, we can obtain the matri H whose elements are polynomials on GF2 with degree w or less. Therefore, modifying a polynomial multiply instruction to calculate w w+1-bit multiplication, the proposed algorithm will become faster. We can reduce the calculation time for the matri H by using a look-up table. In this case, the table has w 2 2w 1 entries, and each entry is 4w log 2 w -bit. For large w, we can obtain the matri H by calculating it from a smaller table instead of direct table look-up. For

7 R S U V C D deg rdegs H ` ` ` ` ` ` ` ` / 8 = Figure 6. An eample of inversion by Algorithm 4 m =7, w =4, G = ,and A = Table 1. Comparison of Algorithm 2 and Algorithm 4 by Using MULGF2 instruction. Algorithm 2 Algorithm 4 Algorithm 4 m w M #MULGF2 #XOR Total #MULGF2 #XOR Total Algorithm 2 [%]

8 eample, in the case where m =7, w =8, G = ,andA = First, according to coefficients from degree 4 to 7 of C and D, we can obtain the matri H 1 = from the smaller table. Then, we can update C, D using H 1, and obtain the matri H 2 = Finally, we can calculate H by H 1 and H 2 as follows: H =H 2 H 1 = Concluding Remarks We have proposed an algorithm for inversion in GF2 m suitable for implementation using a polynomial multiply instruction on GF2. In the algorithm, operations corresponding to several contiguous iterations of the VLSI algorithm proposed by Brunner et al. is represented as a matri. They are calculated at once through the matri. In the case where the word size of a processor and m are 32 and 571, respectively, the algorithm calculates inversion with about the half number of polynomial multiply instructions on GF2 and XOR instructions for the conventional algorithm for software implementation on the average. We can accelerate the proposed algorithm by using look-up table. References [1] IEEE P1363 Working Group, IEEE P1363/D13 Draft Version 13:Standard Specifications for Public Key Cryptography, Nov [Online]. Available: [2] National Institute of Standards and Technology, FIPS PUB 186-2: Digital Signature Standard DSS. pub-nist, Jan [Online]. Available: [3] J. Großschädl and E. Saveş, Instruction set etensions for fast arithmetic in finite fields GFp and GF2 m, in Proceeding of Cryptographic Hardware and Embedded Systems CHES 2005, Aug.29 Sept , pp [4] A. M. Fiskiran and R. B. Lee, Evaluating instruction set etensions for fast arithmetic on binary finite fields, in Proceeding of International Conference on Application-specific Systems, Architectures and Processors ASAP 2004, Sept , pp [5] S. Tillich and J. Großschädl, AcceleratingAES using instruction set etensions for elliptic curve cryptography, in International Conference on Computational Science and Its Applications ICCSA 2005, 2005, pp [6] H. Eberle, A. Wander, N. Gura, and S. Chang- Shantz, Architectural etensions for elliptic curve cryptography over GF2 m, Sun Labs Open House, [Online]. Available: [7] H. Brunner, A. Curiger, and M. Hofstetter, On computing multiplicative inverses in GF2 m, IEEE Trans. Comput., vol. 42, no. 8, pp. 15, Aug [8] D. Hankerson, J. Hernandez, and A. Menezes, Software implementation of elliptic curve cryptography over binary fields, in Proceeding of Cryptographic Hardware and Embedded Systems CHES 2000, Aug , pp [9] IEEE P1363 Working Group, IEEE P1363/D13 Draft Version 13:Standard Specifications for Public Key Cryptography, Anne A: Number- Theoretic Background, Nov [Online]. Available: [] A. Satoh and K. Takano, A scalable dual-field elliptic curve cryptographic processor, IEEE Trans. Comput., vol. 52, pp , Apr [11] J. Garcia and M. J. Schulte, A combined 16-bit binary and dual galois field multiplier, in Signal Processing Systems, SPIS 02. IEEE Workshop on, Oct , pp [12] J. Guo and C. Wang, Systolic array implementation of Euclid s algorithm for inversion and division in GF2 m, IEEE Trans. Comput., vol. 47, no., pp , Oct [13] T. Kobayashi and H. Morita, Fast modular inversion algorithm to match any operation unit, IEICE Trans. Fund., vol. E82-A, no. 5, pp , May 1999.

A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )

A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and