Montgomery Multiplier and Squarer in GF(2 m )

Size: px

Start display at page:

Download "Montgomery Multiplier and Squarer in GF(2 m )"

Herbert Hodge
5 years ago
Views:

1 Montgomery Multiplier and Squarer in GF( m ) Huapeng Wu The Centre for Applied Cryptographic Research Department of Combinatorics and Optimization University of Waterloo, Waterloo, Canada h3wu@cacrmathuwaterlooca Abstract Montgomery multiplication in GF( m ) is defined by a(x)b(x) r 1 (x) modf(x), where the field is generated by irreducible polynomial f(x), a(x) andb(x) are two field elements in GF( m ), and r(x) isa fixed field element in GF( m ) In this paper, first we present a generalized Montgomery multiplication algorithm in GF( m ) Then by choosing r(x) according to f(x), we show that efficient architecture for bit-parallel Montgomery multiplier and squarer can be obtained for the fields generated with irreducible trinomials Complexities in terms of gate counts and time propagation delay of the circuits are investigated and found to be comparable to or better than that of polynomial basis or weakly dual basis multiplier for the same class of fields 1 Introduction Finite field has applications in combinatorial designs, sequences, error-control codes, and cryptography Finite field arithmetic operations have been paid much attention recently mainly because its use in cryptography, especially in elliptic curve cryptosystems Research in this area has been characterized by its strong flavor of implementation both in software and in hardware For example, fields of characteristic two are prevailingly used because a ground field operation can be readily implemented with a VLSI gate 1 In this paper, we first give a generalized Montgomery multiplication algorithm in GF( m ) Then by choosing the fixed field element r(x) accordingtothe irreducible polynomial, we show that efficient multiplication and squaring architectures can be obtained using the generalized algorithm of Montgomery multiplication in GF( m ) The implementation complexities in terms of the number of gates (equivalent to the number of ground field operations) and time propagation delay are lower than or as good as these of previously proposed multipliers for the same class of fields The main implementation results are summarized in the two theorems 1 A multiplication operation in GF() can be implemented using an AND gate, while an addition operation in GF() can be implemented with an XOR gate ÇK Koç and C Paar (Eds): CHES 000, LNCS 1965, pp 64 76, 000 c Springer-Verlag Berlin Heidelberg 000

2 Montgomery Multiplier and Squarer in GF( m ) 65 Preliminaries Montgomery multiplication was first proposed for integer modular multiplication that can avoid trial division [] Later it was extended to finite field multiplication in GF( m ) [1] It was shown that the operation can be made simple if certain type of r(x) is selected [1] In the following, we give a brief review of the Montgomery multiplication in GF( m )proposedin[1] Let f(x) be the irreducible polynomial that defines the field GF( m )and r(x) be a fixed element in GF( m ) Since gcd(f(x),r(x)) = 1, we can use the extended Euclidean algorithm to determine f (x) andr (x) thatsatisfy r(x)r (x)+f(x)f (x) =1 (1) Clearly r (x) =r 1 (x)istheinverseofr(x) Given two field elements a(x),b(x) GF( m ), then an analogue for Montgomery multiplication in GF( m )canbe given by [1] c(x) =a(x)b(x)r 1 (x) modf(x), () and an algorithm to compute () is shown below: Algorithm 1 Montgomery multiplication in GF( m ) [1] Input: a(x),b(x),r(x),f (x) Output: c(x) =a(x)b(x)r 1 (x) modf(x) Step 1 t(x) a(x)b(x) Step u(x) t(x)f (x) modr(x) Step 3 c(x) [t(x) + u(x)f(x)]/r(x) The correctness of Algorithm 1 can be easily checked Note that deg[c(x)] max{deg[t(x)], deg[u(x)] + deg[f(x)]} deg[r(x)] =max{m, deg[r(x)] 1+m} deg[r(x)] =max{m deg[r(x)],m 1} Thus, to have deg[c(x)] m 1,thedegreeofr(x) mustbechosennotlessthan m 1 Since f(x) andf (x) can be considered as constants, it is noted in [1] that efficient multiplication can be achieved if r(x) is properly chosen In fact, r(x) was chosen to be the monomial x m in [1] and Algorithm 1 is equivalent to a polynomial multiplication, two constant multiplications in GF( m )andone addition in GF( m ) 3 Generalized Montgomery Multiplication in GF( m ) For bit-parallel realization of Montgomery multiplication in GF( m ), we find that efficient multiplier architecture can be obtained if r(x) is chosen according to the irreducible polynomial f(x) For example, if the field is generated with a trinomial f(x) =x m + x k +1,thenr(x) is selected to be the term of the second

3 66 Huapeng Wu low degree in the trinomial This choice of r(x) =x k turns out to be very helpful in obtaining low complexity multiplier and squarer architectures However, Algorithm 1 can not directly be used for these cases since k can be less than m 1 This leads us to consider a generalized form of Montgomery multiplication in GF( m ) In the following, we first present a generalized Montgomery algorithm in GF( m ), then compare it with Algorithm 1 Algorithm Generalized Montgomery multiplication in GF( m ) Input: a(x),b(x),r(x),f(x),f (x) Output: c(x) =a(x)b(x)r 1 (x) modf(x) Step 1 t(x) a(x)b(x) Step u(x) t(x)f (x) modr(x) Step 3 c(x) [t(x) + u(x)f(x)]/r(x) Step 4 If deg( c) >m 1, then c(x) c(x) modf(x), else c(x) c(x) The correctness check for the algorithm is similar to that of Algorithm 1 The degree range of c(x) can be estimated Since 0 deg[a(x)] m 1and 0 deg[b(x)] m 1, it follows 0 deg[t(x)] m Assume deg[r(x)] = k, then from Step we have 0 deg[u(x)] k 1 From Step 3, we have deg[ c(x)] max{m k,m 1} (3) When deg[r(x)] = k<m 1, the degree of c(x) ism k and higher than m 1 In this case, one more step of modulo reduction (Step 4) is needed Compared to Algorithm 1, Algorithm extends the degree range that r(x) can be chosen from Algorithm 1 can be considered as a specific case of Algorithm For example, when r(x) is chosen such that deg r(x) m 1, then c(x) obtained at Step 3 in Algorithm has a degree equal to or less than m 1 In this case, Step 4 will not be performed and the algorithm is the same as Algorithm 1 In fact, Algorithm looks more similar to the original Montgomery algorithm [] than Algorithm 1 This is because Step 4 in Algorithm corresponds to the final subtraction step in the original Montgomery algorithm [] In Algorithm 1 this step has been omitted provided that some condition has been applied to how to choose r(x) 4 Montgomery Multiplier in GF( m ) Consider the irreducible polynomial f(x) =x m + x k +1, m k m 1, and the fixed field element r(x) = x k for the Montgomery multiplication in GF( m ) (Algorithm ) From the Extended Euclidean Algorithm, we obtain r 1 (x) =1+x m k and f (x) =1thatsatisfy r(x)r 1 (x)+f(x)f (x) =1 To solve the coefficients of the product c(x) in terms of these of a(x) and b(x) and thus to find efficient multiplier architectures, we proceed with each step of Algorithm as follows

4 Montgomery Multiplier and Squarer in GF( m ) Step 1 in Algorithm Let polynomial basis representations of a(x) and b(x) be given by a(x) = m 1 a ix i,a i GF(), and b(x) = m 1 b ix i,b i GF(), respectively Then t(x) =a(x)b(x) can be obtained as follows; t(x) =a(x)b(x) = m t i x i, (4) where t i s are given by t i = i a j b i j, 0 i m 1, j=0 m 1 j=i m+1 a j b i j,m i m (5) It can be seen that total m bit multiplications and (m 1) bit additions in GF() are required to compute t i, i =0, 1,,m An implementation of (5) is straightforward, and the gate counts and time delays incurred with signals t i, i =0, 1,,m, are listed in Table 1 We denote the time delays of an AND gate and an XOR gate by T A and T X, respectively Table 1 Complexity and Time Delay Involved in Implementing t(x) Signal # AND gates # XOR gates Time delay t 0 = a 0b T A t 1 = a 0b 1 + a 1b 0 1 T A + T X t = a 0b + a 1b 1 + a b 0 3 T A +T X t 3 = a 0b 3 + a 1b + a b 1 + a 3b T A +T X = t m = a 0b m + + a m b 0 m 1 m T A + log (m 1) T X t m 1 = a 0b m a m 1b 0 m m 1 T A + log m T X t m = a 1b m a m 1b 1 m 1 m T A + log (m 1) T X = t m 3= a m b m 1 + a m 1b m 1 T A + T X t m = a m 1b m T A Total: m (m 1) T A + log m T X In the following, we will solve the rest three steps of Algorithm and show that they can be realized at one single implementation step

5 68 Huapeng Wu 4 Step in Algorithm Substitute t(x) in this step using(4) u(x) =t(x)f (x) modr(x) = t 0 + t 1 x + t x + + t m x m mod x k = t 0 + t 1 x + t x + + t k 1 x k 1 (6) Clearly, the degree of u(x) is not higher than that of r(x) If r(x) is chosen to have a low degree then we have a simple u(x) 43 Step 3 in Algorithm Define and t L (x) = t 0 + t 1 x + t x + + t k 1 x k 1, (7) t H (x) = t k + t k+1 x + + t m x m k (8) From (4) (7) and (8), it can be seen that and from (6) and (7) it follows t(x) =t L (x)+x k t H (x), (9) u(x) =t L (x) (10) Substitute t(x) and u(x) in Step 3 with (9) and (10), respectively, and note that f(x) =x m + x k +1,wehave c(x) =[t(x)+u(x)f(x)]/r(x) =[t L (x)+x k t H (x)+t L (x)(x m + x k +1)]/x k =[x k t H (x)+x k (x m k +1)t L (x)]/x k = t H (x)+x m k t L (x)+t L (x) (11) When k = m 1, from (3) we have deg c(x) m 1 Clearly, in this case the degree of c(x) has already been reduced to the proper range and Step 4 in Algorithm is not necessary Extend each of the three terms at the right hand side of (11) for the case of k = m 1, and from (7) and (8) we have t H (x) =t m 1 + t m x + + t m x m 1, xt L (x) =t 0 x + t 1 x + + t m x m 1, t L (x) =t 0 + t 1 x + + t m x m (1)

6 Montgomery Multiplier and Squarer in GF( m ) 69 Then by comparing (1) with (11), and note c(x) =c(x) = write c i as follows c 0 = t 0 + t m 1, c 1 = t 0 + t 1 + t m, c = t 1 + t + t m+1, c m = t m 3 + t m + t m 3, c m 1 = t m + t m m 1 c i x i,wecan Rewrite the above expressions as t 0 + t m 1, i =0, c i = t i 1 + t i + t m 1+i,i=1,,,m, t m + t m, i = m 1 (13) It can be seen from (13) that each c i can be obtained with bit additions in GF(), except that c 0 and c m 1 require one bit operation each Thus, a bitparallel realization of (13) needs m XOR gates Since the maximal number of terms on the right hand side of each equation in (13) is three, the maximal time propagation delay is T X When m k<m 1, from (3) we have deg c(x) >m 1 In this case, a step of modulo reduction is still needed 44 Step 4 in Algorithm From (8) we divide t H (x) intotwoparts:t H (x) =t (1) H (x)+t() H (x), where and t (1) H (x) = t k + t k+1 x + + t k+m 1 x m 1, (14) t () H (x) = t k+m x m + t k+m+1 x m t m x m k (15) Substitute t H (x) in (11) with t (1) H f(x), we have (x) +t() H (x) and note that c(x) = c(x) mod c(x) = c(x) modf(x) =[t (1) H (x)+t() H (x)+xm k t L (x)+t L (x)] mod f(x) = t (1) H (x)+xm k t L (x)+t L (x)+[t () H (x)] mod f(x) (16)

7 70 Huapeng Wu Apply the modulo operation to each term on the right hand side of (15), it follows t k+m x m mod f(x) =t k+m (1 + x k ), t k+m+1 x m+1 mod f(x) =t k+m+1 (x + x k+1 ), t m x m k mod f(x) =t m (x m k + x m ) Adding the above m k 1 equations together, we obtain Split t () H (x) intotwoparts: m k t () H (x) modf(x) = m t m+k+i x i + t m+i x i i=k t (,1) H (x) modf(x) = m k t m+k+i x i, (17) Substitute t () H it follows m 1 t (,) H (x) modf(x) = m t m+i x i (18) (x) witht(,1) H (x)+t(,) H c i x i = t L (x)+x m k t L (x)+t (1) i=k m 1 (x) in (16) and note that c(x) = c i x i, H (x)+t(,1) H (x)+t(,) H (x) (19) Rewrite the equations (7), (14), (17), (18) and extend the term x m k t L (x) using (7), we have the following five equations for the five terms on the right hand side of (19), respectively: (a) t L (x) =t 0 + t 1 x + t x + + t k 1 x k 1 [0,k 1] (b) x m k t L (x) =t 0 x m k + t 1 x m k t k 1 x m 1 [m k, m 1] (c) t (1) H (x) =t k + t k+1 x + + t k+m 1 x m 1 [0,m 1] (d) t (,1) H (x) =t m+k + t m+k+1 x + + t m x m k [0,m k ] (e) t (,) H (x) =t m+kx k + t m+k+1 x k t m x m [k, m ] (0) The last column in the above array is the degree range of the terms on the right-hand side of each equation Now we are ready to solve the coefficients c i by comparing (19) with (0)

8 Montgomery Multiplier and Squarer in GF( m ) 71 In the following, we consider three cases: Case 1: If m +1 <k<m 1 We have m k <m k<k 1 <kby comparing (19) with (0), we can solve c i s (the coefficient of the term x i in c(x)) When 0 i m k, it can be seen from (0) that c i takes on the terms from equations (a), (c) and(d) When i = m k 1, c m k 1 has only two terms, one is from equation (a) and the other from (c) When i runs through from m k to k 1, c i picks up the terms from equations (a), (b) and(c) When k i m, c i has three terms: one from equation (b), one from (c) and the other from (e) Finally, c m 1 hastwotermsfrom equations (b) and(c), respectively We can write c i s as follows (a) (b) (c) (d) (e) c 0 = t 0 +t k +t k+m c 1 = t 1 +t k+1 +t k+m+1 c = t m k m k +t m +t m c m k 1 = t m k 1 +t m 1 c m k = t m k +t 0 +t m (1) c k 1 = t k 1 +t k m 1 +t k 1 c k = +t k m +t k +t k+m c m = +t k +t m+k +t m c m 1 = +t k 1 +t m+k 1 where all the terms at the column (a), (b), are from the equations (a), (b), in (0), respectively Now we can estimate the complexity to obtain the coefficients of the product from t i s From (1), it can be seen that m bit addition in GF() are used to solve c i s The longest time delay to generate c i from t i is T X Case If k = m +1 Wehavem k <m k = k 1 <k By comparing (19) to (0) the coefficients of c(x) can be written as follows (a) (b) (c) (d) (e) c 0 = t 0 +t k +t k+m c 1 = t 1 +t k+1 +t k+m+1 c m k = t k 3 +t k 3 +t m c m k 1 = t k +t k () c m k = t k 1 +t 0 +t k 1 c k = +t 1 +t k t k+m c m = +t k +t m+k +t m c m 1 = +t k 1 +t m+k 1

9 7 Huapeng Wu It can be seen that a realization of the above expressions requires m ground field operations Since the most terms to sum up for each c i is three, the maximal time delay is T X Case 3 If k = m Wehavem k =k <k 1 <m k = k The coefficients of the Montgomery product can be obtained from (19) and (0) as follows: (c) (a) (d) (b) (e) c 0 = t k +(t 0 +t k+m ) c 1 = t k+1 +(t 1 +t k+m+1 ) c k = t m +(t k +t m ) c k 1 = t m 1 +t k 1 c k = t m +(t 0 +t k+m ) c k+1 = t m+1 +(t 1 +t k+m+1 ) c m = t m+k +(t k +t m ) c m 1 = t m+k 1 +t k 1 (3) Note that the resued partial sums are put in the brackets Then it can be seen from (3) that m (k 1) = 3 m 1 bit additions in GF() are required to compute c 0,,c m 1 from t 0,,t m The time delay incurred here is still T X 45 Bit-Parallel Multiplier Architecture From the above discussion, it can be seen that a bit-parallel Montgomery multiplication in GF( m ) is decided by (5) and one of the expressions (1), () and (3) A diagram for the bit-parallel multiplier architecture is shown in Fig 1 The upper two modules (one all-and-gate circuits and one all-xor-gate circuits) are used to perform polynomial multiplication (Step 1 in Algorithm ), while the module at the bottom (all-xor-gate circuits) corresponds to the implementation of Steps to 4 in Algorithm It can be seen from Table 1 that m AND agtes and (m 1) XOR gates are required for generating t i Then the coefficients of c(x) can be generated from t i using one of (1), () and (3) Obviously, the total number of gates required are AND gates, m 1 XOR gates, m if the irreducible trinomial is f(x) =x m + x k +1, m <k m 1 When f(x) =x m + x m + 1, the complexity is only m m m AND gates, XOR gates

10 Montgomery Multiplier and Squarer in GF( m ) 73 a0 :::a m 1 b0 :::b m 1 Step 1 AND network XOR network t0 :::t m Steps -4 XOR network c0 :::c m 1 Fig 1 Bit-Parallel Montgomery Multiplier Architecture when f(x) =x m +x k + 1andr(x) =x k Total time delay of the multiplier is not greater than T A +( log m +)T X In many cases the total propagation delay is less than the above bound Note from the Table 1 that the time delay incurred with different t i is different In fact, circuits for generating t i has a time delay log (i +1) T X if i m 1, and log (m i 1) T X if i m From (13), (1), () and (3), it can be seen that most c i s is a sum of three terms Write them as c i = t i1 + t i + t i3,where we assume that the time delays for generating t i1,t i,andt i3 are d 1,d,andd 3, respectively If d 1 d d 3, then it can be seen that the propagation delay for generating c i depends on d and d 3 if the circuit is designed using c i =(t i1 t i ) t i3 The time delay incurred with the above logic equation for generating c i is T ci =max{d +,d 3 +1} Using this method, we search and find the maximal time delays incurred with the expressions (13), (1), () and (3) 46 Complexity Results and Example We summarize the implementation results on Montgomery multiplier in GF( m ) as follows: Theorem 1 Let the finite field GF( m ) be defined by irreducible trinomial f(x) =x m + x k +1, m k m 1 Then a bit-parallel Montgomery multiplier in GF( m ) can be constructed from the expression (5), and one of the expressions (13), (1), () and (3) The complexity and time propagation delay are given as follows

11 74 Huapeng Wu 1 The complexity is m AND gates and m 1 XOR gates The incurred time delay is T A +( log (m ) +)T X,ifk = m 1 The complexity is m AND gates and m 1 XOR gates The incurred time delay is T A +( log (m k ) +)T X,if m +1 k m 1 3 The complexity is m AND gates and m 1 XOR gates The incurred time delay is T A +( log k +)T X,ifk = m +1 4 The complexity is m AND gates and m m XOR gates The incurred time delay is T A +( log (m 1) + 1)T X,ifk = m 47 Montgomery Squarer in GF( m ) When Algorithm is used for squaring operation, only the first step needs to be changed We rewrite Algorithm for Montgomery squaring in GF( m ) as follows Algorithm 3 Generalized Montgomery squaring in GF( m ) Input: a(x),r(x),f(x),f (x) Output: c(x) =a (x)r 1 (x) modf(x) Step 1 t(x) a (x) Step u(x) t(x)f (x) modr(x) Step 3 c(x) [t(x) + u(x)f(x)]/r(x) Step 4 If deg( c) >m 1, then c(x) c(x) modf(x), else c(x) c(x) With the same selection of the field f(x) =x m +x k +1 and the fixed element r(x) =x k, we proceed with Algorithm 3 step by step Step 1 From t(x) =a (x), we have m 1 a i x i = It can be seen from the above expression m t i x i t i = { a i,,,,m ; 0, i =1, 3,,m 3 (4) Not like multiplication, there is no bit operations needed here to obtain t i Step -4 These three steps are very similar to these in Algorithm, and many intermediate results obtained in the last section can also be used here In the following we only consider the case that k = m 1andm is even For the other cases the deduction is similar From (1) and (4), we have (a) t L (x) =a 0 + a 1 x + a x a m x m [0,m ] (b) xt L (x) =a 0 x + a 1 x a m x m 1 [1,m 1] (c) t H (x) =a m x a m+ m 1 x m 1 [1,m 1] (5)

12 Montgomery Multiplier and Squarer in GF( m ) 75 Note that the expression (a) in (5) has only even power terms and (b) and (c) have only odd power terms Comparing (5) to (11) and note c(x) = c(x) when k = m 1, the coefficients c i can be obtained as follows c i = { a i, i =0,,,m ; + a m+i 1,i=1, 3,,m 1 a i 1 (6) It can be seen that m bit additions in GF() are required to compute c i using (6) Then we know that to implement a bit-parallel Montgomery squarer needs only m XOR gates The time delay for this Montgomery squarer is equivalent to the delay of one XOR gate T X The implementation results can be summarized as follows: Theorem Let the finite field GF( m ) be defined by irreducible trinomial f(x) =x m +x k +1, m k m 1 Then a bit-parallel Montgomery squarer in GF( m ) can be built with m 1 XOR gates and the time propagation delay is T X 5 Comparison Table Comparison of Bit-Parallel Multipliers Proposals # AND #XOR Time delay f(x) =x m + x +1 Wu, Hasan and Blake [6] m m 1 T A +( log m +1)T X Sunar and Koc [3] m m 1 T A +( log m +1)T X Wu [5] m m 1 T A +( log (m ) +)T X Presented here m m 1 T A +( log (m ) +)T X f(x) =x m + x k +1, 1 <k< m l l mm Wu, Hasan and Blake [6] m m 1 T A + log m + k 1 + T X Sunar and Koc [3] m m 1 T A +( log m +)T X Wu [5] m m 1 T A +( log (m 1) +)T X Presented here m m 1 T A +( log (m k ) +)TX f(x) =x m + x m +1 Wu, Hasan and Blake [6] m m m l m m T A + llog m + m4 T X Sunar and Koc [3] m m m Wu [5] m m m Presented here m m m T A +( log m +1)T X T A +( log (m 1) +1)T X T A +( log (m 1) +1)T X Table gives a comparison of four different implementations of bit-parallel multiplier in the same class of fields Note that we consider the fields generated

13 76 Huapeng Wu with two irreducible reciprocal trinomials are the same The bit-parallel multiplier proposed by Wu, Hasan and Blake uses weakly dual basis (WDB) [6] Sunar and Koc presented all trinomial Mastrovito multiplier using polynomial basis The polynomial basis multiplier proposed in [5] has a different architecture from the Mastrovito multiplier It can be seen that all the multipliers achieve the same complexity in terms of the numbers of AND and XOR gates The time propagation delay incurred with the multiplier presented here comparable to that of the previously proposed multipliers Table 3 Comparison of Polynomial Basis Bit-Parallel Squarers Proposals #XOR Time delay f(x) =x m + x k +1,wherem + k odd Wu [5] m + k 1 T X l m Presented here m 1 T X f(x) =x m + x k +1, where bothm and k are odd Wu [5] m 1 T X Presented here m 1 T X It can be seen from Table 3 that Montgomery squarer has both lower complexityand lowertimepropagationdelayfor thecase that m+k is odd, compared to the regular polynomial basis squarer presented in [5] References 1 C K Koc and T Acar Montgomery multiplication in GF( k ) Designs, Codes and Cryptography, 14:57 69, 1998 P L Montgomery Modular multiplication without trial division Mathematics of Computation, 44:519 51, B Sunar and C K Koc Mastrovito multiplier for all trinomials IEEE Trans Comput, 48(5):5 57, M Wang and I F Blake Bit serial multiplication in finite fields SIAM Discrete Mathematics, 3(1): , H Wu Low-complexity arithmetic in finite field using polynomial basis In CHES 99, pages Springer-Verlag, H Wu, M A Hasan, and I F Blake Low complexity weakly dual basis bit-parallel multiplier over finite fields IEEE Trans Comput, 47(11):13 134, November 1998 A PB bit-parallel multiplier can be readily made by adding a basis conversion module to both the input and the output ends By a theorem proposed in [4], when the field is generated with an irreducible trinomial, the coefficients of a field element in WDB is nothing but a permutation of the coefficients of the element in PB Thus a weakly dual basis bit-parallel multiplier proposed in [4] can be used as a polynomial basis bit-parallel multiplier without additional gates and time delay

BSIDES multiplication, squaring is also an important

BSIDES multiplication, squaring is also an important 1 Bit-Parallel GF ( n ) Squarer Using Shifted Polynomial Basis Xi Xiong and Haining Fan Abstract We present explicit formulae and complexities of bit-parallel shifted polynomial basis (SPB) squarers in