Sequential Multiplier with Sub-linear Gate Complexity

Size: px

Start display at page:

Download "Sequential Multiplier with Sub-linear Gate Complexity"

Ashlee Payne
5 years ago
Views:

Sequential Multiplier with Sub-linear Gate Complexity Anwar Hasan, Christophe Negre To cite this version: Anwar Hasan, Christophe Negre.

fr/hal-71285 Submitte on 26 Jun 212 HAL is a multi-isciplinary open access archive for the eposit an issemination of scientific research

The ocuments may come from teaching an research institutions in France or abroa, or from public or private research centers.

1 Sequential Multiplier with Sub-linear Gate Complexity Anwar Hasan, Christophe Negre To cite this version: Anwar Hasan, Christophe Negre. Sequential Multiplier with Sub-linear Gate Complexity. [Research Report] 212, pp.12. <hal-71285> HAL I: hal Submitte on 26 Jun 212 HAL is a multi-isciplinary open access archive for the eposit an issemination of scientific research ocuments, whether they are publishe or not. The ocuments may come from teaching an research institutions in France or abroa, or from public or private research centers. L archive ouverte pluriisciplinaire HAL, est estinée au épôt et à la iffusion e ocuments scientifiques e niveau recherche, publiés ou non, émanant es établissements enseignement et e recherche français ou étrangers, es laboratoires publics ou privés.

2 Sequential Multiplier with Sub-linear Gate 1 Complexity M. Anwar Hasan an Christophe Negre Abstract In this article, we present a new sequential multiplier for extene binary finite fiels. Like its existing counterparts, the propose multiplier has a linear complexity in flip-flop or temporary storage requirements, but a sub-linear complexity in gate counts. For the unerlying polynomial multiplication, the propose fiel multiplier relies on the Horner scheme. Inex Terms Binary polynomial multiplication, sequential multiplier, Horner scheme, sub-linear gate complexity. 1 INTRODUCTION Multiplication over finite fiels is use in both symmetric an asymmetric key cryptosystems, an has been a subject of stuy, especially for its improve implementation, among many researchers as evience in their publications, see for example [8], [13], [5], [1], [14], [11], [4]. In this article, we consier a class of harware architectures for multiplication over extene binary finite fiel F 2 n. For a small size fiel like the one use in the well known symmetric key system Avance Encryption Stanar (AES) [1], multiplication can be easily realize with a simple look-up-table (LUT), where the prouct of each combination of input is pre-store, preferably in a rea-only-memory (ROM). This table base metho is however impractical for large size fiels use in moern asymmetric key cryptosystems like Elliptic Curve Cryptography (ECC) [9], [6]. Asymptotically, a look-up table for multiplication can take as much as O(n2 2n ) bits of ROM an the time elay woul be essentially equal to the table access time, which is normally a function of the table size. Techniques exist to reuce the table size at the expense of an increase number of table accesses along with logic circuits. For high spee multiplication over a large fiel, an alternative approach is to use only logic circuits or gates in some parallel way an to perform a multiplication on-the-fly, e.g., a fully bit parallel multiplier. June 26, 212 DRAFT

3 For ECC, where the value of n is only a few hunres, a practical bit-parallel multiplier woul take O(n 1+ǫ ) logic gates, where < ǫ 1, an have a time elay of O(logn) layers of gates. In constraine environments, where silicon space is of prime concern, a fully bit parallel multiplier for a large fiel is generally too big to fit the esign. On the other en of the spectrum of choices, it is possible, at least in theory, to realize a multiplier with as few as only two gates one XOR an one AND where the gates will be use repeately an many intermeiate bit-level results will nee to be store. We will refer to this type of multipliers as super-sequential, since they woul take O(n 1+ǫ ) iterations or clock cycles.the storage requirement for a super-sequential multiplier woul be at least O(n 1+ǫ ). Because of large timing an memory requirements, super-sequential multipliers are likely to be least attractive for both constraine an high spee applications an this is perhaps why no practical esign of the super-sequential multiplier has been reporte in the literature. Between the above two extremes, namely fully parallel an super-sequential multipliers, one can fin various sequential multipliers, either at bit or igit-level. A sequential multiplier operates in an iterative way over a number of clock cycles, typically O(n) cycles for bit sequential or O(n/) cycles for igit sequential architecture, where is the igit size. A bit sequential multiplier has a shorter critical path than its igit sequential counterpart. For a bit or igit sequential multiplier, since intermeiate results are store in registers or rea-write memories, the storage requirement is at least O(n) bits. Besies registers, a sequential multiplier also requires logic gates, generally in the amount of O(n), i.e., linear to n. In our work, we ifferentiate ROM from registers in the usual way. In other wors, while the content of a ROM is fixe an specific to a certain arithmetic operation, the content of a register can change. More importantly, registers are time-share, i.e., a set of registers can be use by multiple operations, for example, aitions, multiplication an inversion, provie that these operations are not execute simultaneously. On the other han, like ROM but unlike registers, most of the logic gates are assume to be specific to a certain operation an not share. As a result, even if an arithmetic unit, such as a multiplier, can be esigne to take avantage of time share registers, there is still a nee to reuce the amount of logic gates, especially for area constraine applications. In this article, we propose a new sequential multiplier. Like its existing counterparts the propose one requires O(n) bits of registers, but only O(n 1 ǫ ), < ǫ 1, logic gates. To the best of our knowlege, no sequential multiplier has been reporte earlier that has a gate count sub-linear to n. To give an iea about where the propose multiplier fits with respect to various others, in Table 1 we list their space an time complexities in an asymptotic or general way. The remainer of this article is organize as follows. In Section 2, we briefly review schemes for a fully bit parallel an a igit-sequential multiplier. In Section 3, we present our sequential multiplier which is base on the Horner metho an has a sub-linear gate complexity. Finally, a complexity comparison an 2

4 concluing remarks are given Section 4. TABLE 1 List of ifferent types of multipliers an their complexities Architecture # Logic gates or ROM cells # Flip-flops in registers Critical Path Delay # Clock Cycles Full LUT n2 2n O(n) 1 Fully parallel circuit O(n 1+ε ) O(log(n)) 1 Digit-sequential circuit O(n) O(n) O(log()) n/ Bit-sequential circuit O(n) O(n) O(1) n Propose O(n 1 ǫ ) O(n) O(log(n)) O(n) 2 REVIEW OF EXTENDED BINARY FIELD MULTIPLIERS Fiel F 2 n can be viewe as the set of binary polynomials in t moulo an irreucible polynomial P(t) of egree n. Let A(t) an B(t) be two elements of F 2 n. The multiplication of these two elements is C(t) = A(t) B(t) mo P(t), for which we can use the following two steps: C (t) = A(t) B(t), (1) an then reuce C (t) moulo P(t) to get C(t) = C (t) mo P(t). (2) 2.1 Bit parallel architectures In this type of architectures, all the bits of the prouct C = AB mo P are generate in parallel. The esign of the circuit is base on pure combinatorial logic an oes not make any use of storage or flip-flops. Computations are one with no reuse of circuits. The approach we recall here performs the polynomial multiplication (1) an the reuction (2) separately. The reuction moulo P is generally quite simple when P is sparse (i.e., P is a pentanomial or a trinomial) an in this situation the reuction operation can be implemente with O(n) XOR gates an a elay of O(1). Consequently, we will focus here to the polynomial multiplication which is the most costly an the most complicate part of a finite fiel multiplier. Quaratic multiplier. Let C = 2n 2 i= c i ti be the prouct C = A B where A an B are egree n 1 3

5 polynomials in t. The coefficients c i are given in terms of a i an b i as follows c = a b, c 1 = a b 1 +a 1 b,.. c n = a b n +a 1 b n 1 + +a n b, c n+1 = a 1 b n +a 2 b n 1 + +a n b 1,.. c 2n 3 = a n 2 b n 1 +a n 1 b n 2, c 2n 2 = a n 1 b n 1. The computation of each c i is performe in parallel with AND gates (for the proucts a l b j ) an a binary tree of XOR gates. The resulting gate complexity of this polynomial multiplier is equal to n 2 AND gates an n(n 1) XOR gates. The critical path of the multiplier is log 2 (n) D X +D A where D X an D A are elays for a two input XOR an AND gates respectively. Subquaratic multiplier [2]. A secon strategy, which was first propose in [4], is base on the metho of Karatsuba. Specifically, the multiplication is performe by applying the following formula recursively Splitting: A = A +A 1 t n/2 an B = B +B 1 t n/2, Recursive proucts: M = A B,M 1 = (A +A 1 ) (B +B ) an M 2 = A 1 B 1, Reconstruction: C = M +t n/2 (M 1 +M +M 2 )+t n M 2, As state in [4], this approach requires 6n log 2 (3) + 8n 2 XOR gates, n log 2 (3) AND gates an has a elay of 3log 2 (n)d X + D A. Recently, some optimizations have been propose: Leone in [7] has notice that it is possible to slightly reuce the space complexity of the Karatsuba multiplier if we stop the recursion when we reach polynomials of egree 4 or 8 an then apply quaratic metho. More recently, Fan et al. in [3] have propose to use an o/even splitting which reuces the elay to 2log 2 (n)d X +D A. In Table 2, we recall the complexity of the schoolbook metho an then give the complexity of multipliers base on the Karatsuba combine with the optimization approaches of Leone [7] an Fan et al. [3]. 2.2 Digit Sequential Multiplier In sequential multipliers, computations are one with reuse of circuits an the final result is obtaine over several clock cycles. Here, we review the igit sequential version of the multiplier of Song an Parhi [12]. Song an Parhi fix a igit size an efine m = n an then they rewrite the two polynomials A an 4

6 TABLE 2 Complexity of bit parallel binary polynomial multiplier architectures Metho Space Complexity Delay # XOR # AND Quaratic n 2 1 n 2 D A + log 2 (n) D X Subquaratic [3] 6n log 2 (3) 8n+2 n log 2 (3) D A +(2log 2 (n))d X Subquaratic [3] an [7] combine 13 3 nlog 2 (3) 8n nlog 2 (3) D A +(2log 2 (n) 2)D X B as follows A(t) = m 1 i= A i(t)t i with eg t A i (t) <, B(t) = m 1 i= B i(t)t i with eg t B i (t) <. The left-to-right (L-to-R) metho for igit-serial multiplication is base on the following expansion of the prouct A B mo P C = A B mo P = ((...((AB m 1 mo P)t +AB m 2 mo P)t + )t +AB 1 mo P)t +AB mo P. The previous expression results in the following L-to-R multiplication algorithm. It consists of a sequence of multiplications by t followe by the accumulation of AB i in C moulo P. Algorithm 1 Left-to-right igit sequential multiplication [12] Require: A(t) = m 1 i= A i(t)t i an B(t) = m 1 i= B i(t)t i. Ensure: C = A B C for i = m 1 to o C (t C +B i A) mo P en for Return(C) In Algorithm 1, the multiplication byt is performe by shifting the coefficients ofc. The multiplication B i A is one using m parallel quaratic space complexity polynomial multipliers of size. These igit multipliers compute the prouct B i A j for j =,...,m 1. Each prouct B i A j has egree 2 2: thus the upper part of this prouct is ae to C j+1 an the lower part to C j. Then the upate value of C has m + 1 igits, since in C m we store the upper part of the prouct B i A m 1. If we assume that 5

7 P = t m + m 1 i= P i(t)t i, then we reuce C m moulo P using the following expression C m t m = m 1 i= P i C m t i. In practical applications, P can be taken as a pentanomial or a trinomial, so the P i s are in general either equal to zero or sparse. Here, for the sake of simplicity, we will further assume that the only non-zero P i is P. This means that the reuction step consists of C m t m = P C m an can be performe with at most 3( 1) XOR gates (inee, if P is a pentanomial, then P has 4 non-zero coefficients). The resulting igit sequential multiplier is epicte in Fig. 1. The Digit Mult. boxes represent the quaratic parallel polynomial multipliers for egree polynomials. Fig. 1. Left-to-right igit sequential multiplier of [12] B,...,B m 2,B m 1 A m 1 A m 2 A 1 A Digit Mult. Digit Mult. Digit Mult. Digit Mult C m 1 C m 2 C 1 C 1 Mult. by P The complexity of this igit sequential multiplier is given below. Note that S represents the number of XOR gates, S represents the number of AND gates an D represents the elay of the critical path of the architecture. We remark that the total computational elay is the number of clock cycles times the clock perio, whose uration is at least the critical path elay. S = m( 2 + 1)+5 4, S = m 2, D = log 2 ()+5 D X +D A, #Flip-flops = 3m, # Clock cycles = m. Remark 1: We have restricte our stuy to a quite specific P but in general when P has egree n an is a pentanomial, a similar approach can be applie with no aitional significant complexity. Our choice was motivate only by the simplicity of this special case in the igit sequential esign. 6

8 3 SUB-LINEAR GATE COMPLEXITY USING HORNER S METHOD In this section, we present a multiplier with sub-linear gate complexity base on the Horner metho. Our approach takes avantage of a subquaratic multiplier as well as a igit sequential multiplier. As before, let A(t) an B(t) be two polynomials of egree < n. Let m an be two integers such that m = n. We rewrite A an B in a igit form as follows: A(t) = m 1 i= A i(t)t i with eg t A i (t) < B(t) = m 1 i= B i(t)t i with eg t B i (t) < We multiply A an B using Horner s metho. Here we assume that the irreucible polynomial P has the form P = X m +P where P has a egree less than an has at most four non-zero coefficients. This assumption is not restrictive, a similar multiplier with the same orer of area an elay complexity can be esigne with a more general pentanomial P. The resulting metho is escribe in Algorithm 2 an uses the Left-to-Right approach. We have exhibite all the m 2 igit multiplications an we have separate the operations C +A j B i t j, j < m 1 an i < m, from the operations t (C +A m 1 B i t (m 1) ) mo P an (C +A m 1 B i t (m 1) ) mo P which involve reuction moulo P. The architecture base on Algorithm 2 is shown in Fig. 2. In this architecture, elements A an B are each store in a register of m cells, each cell containing bits. The prouct C is also store in a register of m cells an is initialize with m zeros. Registers containing A an C are shifte cyclically once in every clock cycle. On the other han, B is shifte once after every m clock cycles. At each clock cycle one of the following cases is performe an in Fig. 2 these three cases are inicate in re, blue an green.: Case 1 (Re). A igit A j for j < m 1 is output from the A register an the igit B i is output from B. The A an C registers are left shifte but no shift is operate in the B register. The two igits A j an B i are multiplie in the igit multiplier. Then the ata follows the blue lines. This correspons to the aition of A j B i to C j an the result moves in the right most cell of the C register. The carry of A j B i is ae to C j+1 an the result is store in the left most cell of C. Case 2 (Blue). The igit A m 1 an B i are output from A an B respectively. The A register is left shifte an theb register is right shifte, but no left shifts are applie to thec register. The two igits A m 1 an B i are multiplie an then, the ata follows the re paths. The operation correspons to the multiplication by t an the computation of ((C m 1 +A m 1 B i )t m mo P). Case 3 (Green). This is the last step before the output of the prouct C. At this step, the C register is left shifte. The igits A m 1 an B are output from the A an B registers an then multiplie through the igit multiplier. Then the lower part of the prouct is ae to C m 1 an the upper part is reuce moulo P, i.e., is multiplie by P an ae to C an C 1. 7

9 Algorithm 2 Horner s metho with reuction moulo P Require: A = m 1 j= Ajtj,B(t) = m 1 i= Biti in F 2[t] with ega(t),egb(t) < n an ega j,egb i < Ensure: C = A B C for i = m 1 to 1 for j = to m 2 en for U L +t U H A jb i, C j C j +U L,C j+1 C j+1 +U H temp C m 1 for j = m 1 to 3 Case 1: Comp. of C +( m 2 j= Ajtj )B i C j C j 1 en for U L +t U M +t 2 U H (temp+a mb i) P C 2 C 1 +U H, C 1 C +U M, C U L en for for j = to m 2 U L +t U H A jb C j C j +U L, C j+1 C j+1 +U H en for U L +t U H B m 1A C m 1 C m 1 +U L V L +t V H U H P C = C +V L,C 1 = C 1 +V H return(c) Case 2: Comp. of (C +A m 1t (m 1) B i) t mo P Case 1: Comp. of C +( m 2 j= Ajtj )B Case 3: Comp. of (C +A m 1t (m 1) B ) mo P To avoi any confusion between Case 2 an Case 3, in Fig. 2 we have use two Mult. by P boxes which perform a multiplication by P in the two istinct paths. The main ifferences between Algorithm 1 an Algorithm 2 an their respective architectures are the following: 1) in Algorithm 2 an in the corresponing architecture in Fig. 2, the igit multiplications are one in sequence an not through m parallel igit multipliers. 2) In the propose multiplier, the igit multiplication uses a subquaratic multiplier, an the igit size in Fig. 2 is generally larger than the one in Fig. 1. In Fig. 3, we illustrate the functioning of the propose multiplier by presenting the first four cycles of the sequential multiplier for n = 32. Complexity evaluation. Below we list, along with a brief explanation, the number of flip-flops, AND gates 8

10 Fig. 2. Sub-linear sequential multiplier base on the Horner metho B B m 2 B m 1 Digit Multiplier A m 1 A 1 A H L re re re L M H Mult. byp re re re re blue green C C 1 blue C 2 C 3 C 4 C m 2 C m 1 green green H green green Mult. byp L blue blue green an XOR gates an the critical path of the architecture in terms of m an. For the sake of simplicity, we assume that each path in Fig. 2 is of with. 3m cells of bits each for A, B an C. Thus, the architecture in Fig. 2 requires 3m flip flops in total. The number of AND gates is equal to S () which is the number of AND gates of the igit multiplier. The number of XOR gates is equal to S ()+5, where we have counte the following: the XOR gates of one multiplier of size, five aers of size, an XORs for the two multiplications by P. The architecture in Fig. 2 also requires one 1:2 an three 1:3 emultiplexers, an one 2:1 multiplexer where each input/output is bits wie. The critical path elay is equal to D()+4D X +D A where D() is the elay of the igit multiplier. The number of clock cycles is equal to m 2. Using the subquaratic complexity results base on [3] an [7] as given in Table 2, we obtain the 9

11 Fig. 3. First four steps of the multiplication of A = (t + 1) + (t + 1) t 24 an B = t + t 7 t 24 moulo P = t 4 8 +t 7 +t 6 +t+1 with m = 4 an = 32 (note that after the emultiplexer, the followe paths are inicate with bol lines) A = t+1 B = t 7 A1 = B = t 7 Digit Mult. 1 t 7 Digit Mult. Mult. by P Mult. by P C1 C2 C3 C C2 C3 C C1 1 t 7 t 7 1 Mult. by P Mult. by P (a) Step 1. Case 1 applies an the ata follows the re paths. A2 = B = t 7 (b) Step 2. Case 1 applies an the ata follows the re paths. A1 = t+1 B = t 7 Digit Mult. Digit Mult. Mult. by P t 7 t 7 +t 6 +t 2 +t+1 Mult. by P 1 t 7 1 t 7 C3 C C1 t 7 1 C2 C C1 C2 C3 t 7 t 6 +t 2 +t+1 1 Mult. by P Mult. by P (c) Step 3. Case 1 applies an the ata follows the re paths. () Step 4. Case 2 applies (blue paths). In this step, the prouct A 3 B = (t 8 + t 7 ) is multiplie by P. The result is t 15 + t 13 + t 1 + t 9 + t 8 + t 7 = t 7 + (t 7 + t 6 + t 2 +t+1)t 8 + t 16. following complexity for the multiplier in Fig. 2 #XOR = 13 3 log 2 (3) +3+2, #AND = 16 9 log 2 (3), #Flip-flops = 3m, Delay = (2log 2 ()+2)D X +D A, #Clock cycles = m 2. (3) 1

12 4 COMPLEXITY COMPARISON AND CONCLUSION We finally obtain a sub-linear gate complexity by fixing the value of an m as = n an m = n. The resulting complexity is given in Table 3. In the same table, we recall the complexity of the igit sequential multiplier of Song an Parhi [12] reviewe earlier in Section 2 (for which we assume that m = n/). TABLE 3 Comparison with the propose sequential multiplier Architecture # AND # XOR #FFs Critical # Clock Overall elay Path Delay Propose 1.77n n n+2 3n (log 2 (n)+4)d X +D A n n((log 2 (n)+2)d X +D A ) Song an Parhi [12] n n(+1 1 )+5 4 3n log 2 ()+5 D X +D A n cycles n( log 2 ()+5 D X +D A ) The results in Table 3 suggest that the propose sequential multiplier has a gate count which is much smaller than that of the multiplier of [12]. On the other han, the propose multiplier has a longer critical path resulting in a much larger overall elay. Thus the propose sub-linear gate complexity multiplier offers a new area-time trae-off. For example, if we consier n = 256 (i.e, = m = 16), the multiplier of [12] woul require 8596 XORs, 8192 ANDs, 16 clock cycles with 9 levels of gates on the critical path, whereas the corresponing values of the propose multiplier are 397 XORs, 143 ANDs, 256 clock cycles an 11 levels of gates. REFERENCES [1] J. Daemen an V. Rijmen. The Design of Rijnael: AES - The Avance Encryption Stanar. Springer Verlag, 22. [2] H. Fan an M. A. Hasan. A New Approach to Sub-quaratic Space Complexity Parallel Multipliers for Extene Binary Fiels. IEEE Trans. Computers, 56(2): , September 27. [3] Haining Fan, Jiaguang Sun, Ming Gu, an Kwok-Yan Lam. Overlap-free karatsuba-ofman polynomial multiplication algorithms. Cryptology eprint Archive, Report 27/393, 27. [4] G. Guajaro, T. Guneysu, C. Paar,, S. Kumar, an J. Pelzl. Efficient Harware Implementation of Finite Fiels with Applications to Cryptography. Acta Applicanae Mathematicae, 93(1-3):75 118, September 26. [5] M. A Hasan, M. Wang, an V. K. Bhargava. A Moifie Massey-Omura Parallel Multiplier for a Class of Finite Fiels. IEEE Trans. Computers, 42(1): , [6] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:23 29, [7] M. Leone. A New Low Complexity Parallel Multiplier for a Class of Finite Fiels. In Proceeings of CHES 1, pages 16 17, Lonon, UK, 21. Springer-Verlag. [8] E. Mastrovito. VLSI Designs for Multiplication over Finite Fiels F (2 m ). In 6th International Conference on Applie Algebra, Algebraic Algorithm an Error-Correcting Coes (AAECC-6), pages , [9] V. Miller. Use of elliptic curves in cryptography. In Avances in Cryptology, proceeing s of CRYPTO 85, volume 218 of LNCS, pages Springer-Verlag,

13 [1] C. Paar. A New Architecture for a Parallel Finite Fiel Multiplier with Low Complexity Base on Composite Fiels. IEEE Trans. Comput., 45(7): , [11] A. Reyhani-Masoleh. A New Bit-Serial Architecture for Fiel Multiplication Using Polynomial Bases. In CHES 28, pages 3 314, 28. [12] L. Song an K. K. Parhi. Low-Energy Digit-Serial/Parallel Finite Fiel Multipliers. J. VLSI Signal Process. Syst., 19(2): , [13] B. Sunar an C. Koc. Mastrovito Multiplier for All Trinomials. IEEE Trans. Computers, 48(5): , [14] M. Wang an I. F. Blake. Bit serial multiplication in finite fiels. SIAM J. Discret. Math., 3(1):14 148,

Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination

Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination Murat Cenk, Anwar Hasan, Christophe Negre To cite this version: Murat Cenk, Anwar Hasan, Christophe Negre.