Efficient Multiplication in GF(p^k) for Elliptic Curve Cryptography


Efficient Multiplication in GF(p^k) for Elliptic Curve Cryptography

J.C. Bajard, L. Imbert, C. Nègre and T. Plantard
Laboratoire d'Informatique, de Robotique et de Microélectronique de Montpellier, LIRMM, 161 rue Ada, 34392 Montpellier cedex 5, France
{bajard, imbert, negre, plantard}@lirmm.fr

Abstract

We present a new multiplication algorithm for the implementation of elliptic curve cryptography (ECC) over the finite extension fields GF(p^k) where p is a prime number greater than 2k. In the context of ECC we can assume that p is a small prime of a few bits, and easily find values for k which satisfy p > 2k and the security requirements. All the computations are performed within an alternate polynomial representation of the field elements which is directly obtained from the inputs. No conversion step is needed. We describe our algorithm in terms of matrix operations and point out some properties of the matrices that can be used to improve the design. The proposed algorithm is highly parallelizable and seems well adapted to hardware implementation of elliptic curve cryptosystems.

1 Introduction

Cryptographic applications such as elliptic or hyperelliptic curve cryptosystems (ECC, HECC) [11, 12, 13] require arithmetic operations to be performed in finite fields. This is the case, for example, for the Diffie-Hellman key exchange algorithm [6] which bases its security on the discrete logarithm problem. Efficient arithmetic in these fields is then a major issue for lots of modern cryptographic applications [14]. Many studies have been proposed for the finite field GF(p), where p is a prime number [13], or the Galois field GF(2^k) [4, 7, 16]. In [1], D. Bailey and C. Paar use optimal extension fields GF(p^k) and they propose an efficient arithmetic solution in those fields when p is a Mersenne or pseudo-Mersenne prime [2]. Although it could result in a wider choice of cryptosystems, arithmetic over the more general finite extension fields GF(p^k) has not been extensively investigated yet. Moreover it has been proved that elliptic curves defined over GF(p^k), where the curves verify the usual conditions of security, provide at least the same level of security as the curves usually defined over GF(2^k) or GF(p). For ECC,
a good level of security can be achieved with p and k prime and key lengths of the usual ECC size. Table 1 gives some good candidates for p and k and the corresponding keysize.

Table 1: Good candidates for primes p and k and the corresponding keysize in bits.

In this paper, we introduce a Montgomery-like modular multiplication algorithm in GF(p^k) for p > 2k (this condition comes from technical reasons that we shall explain further). Given the polynomials A(X) and B(X) of degree less than k, and N(X) of degree k (we will give more details on N(X) in section 2), our algorithm computes A(X)B(X)N(X)^{-1} mod M(X), where M(X) is a monic irreducible polynomial of degree k; and both the operands and the result are given in an alternate representation introduced in the next section.

In the classical polynomial representation, we can consider the elements of GF(p^k) as polynomials of degree less than k in GF(p)[X] and we represent the field with respect to an irreducible polynomial M(X) of degree k over GF(p). Any element A of GF(p^k) is then represented using a polynomial A(X) of degree k-1 or less with coefficients in GF(p), i.e., A(X) = a_0 + a_1 X + ... + a_{k-1} X^{k-1}, where a_i ∈ {0, 1, ..., p-1}. Here, we consider an alternate solution which consists of representing the polynomials with their values at distinct points instead of their coefficients. As a result, if we choose k points e_1, ..., e_k, we represent the polynomial A with the sequence (A(e_1), A(e_2), ..., A(e_k)). Within this representation, addition, subtraction and multiplication are performed over completely independent channels, which has a great advantage from a chip design viewpoint.

2 Montgomery Multiplication in GF(2^k)

Montgomery's technique for modular multiplication of large integers [15] has recently been adapted to modular multiplication in GF(2^k) by Koç and Acar [4]. The proposed solution is a direct translation of the original Montgomery algorithm in the field GF(2^k), with X^k playing the role of the Montgomery factor; i.e. it computes A(X)B(X)X^{-k} mod M(X), where M(X) is an order k irreducible polynomial with coefficients in GF(2). In turn this method easily extends to GF(p^k). As in [4], we represent the field with respect to a monic irreducible polynomial M(X) and we consider the field elements as polynomials of degree less than k in GF(p)[X]; i.e. we consider the elements of GF(p)[X]/(M(X)). Thus, if we take A and B in GF(p^k), we successively compute

  Q(X) = -A(X)B(X)M(X)^{-1} mod X^k,
  R(X) = [A(X)B(X) + Q(X)M(X)] X^{-k},

to get the result A(X)B(X)X^{-k} mod M(X). In terms of elementary operations over GF(p), the complexity of this method is quadratic in k, both in multiplications (modulo p) and in additions (modulo p).

Alternate polynomial representation

The general idea of our approach is the change of representation. When dealing with polynomials, the idea which first comes to mind is to use a coefficient representation. However, the valued representation, where a polynomial is represented by its values at sufficiently many points, can be of use. Thanks to Lagrange's theorem we can actually represent any polynomial of degree less than k with its values at k distinct points {e_1, e_2, ..., e_k}. A very good discussion on polynomial evaluation and interpolation can be found in [21]. In the following of the paper, we represent a polynomial of degree at most k-1, say A, by the sequence (A(e_1), A(e_2), ..., A(e_k)). In the following we consider the notation a_i = A(e_i). At this point, it is very important to understand that the a_i's do not represent the coefficients of A, and that there is nothing to do to obtain such a representation. We directly consider the polynomial in this form. As an example, an input which would usually be read as the three coefficients of a polynomial of degree 2 is considered here as the sequence of its values at three chosen points. This sequence corresponds to the unique polynomial of degree 2 which takes those values at those points. We can easily compute its coefficients by means of interpolation but, as we shall see further, there is no need to do so. We will use this representation during all the computational steps.

New algorithm

As mentioned previously, Koç and Acar used the polynomial X^k in their adaptation of Montgomery multiplication to the field GF(2^k), and we have briefly shown in section 2 that their solution easily extends to GF(p^k). In our new approach we rather consider the order k polynomial

  N(X) = (X - e_1)(X - e_2) ... (X - e_k),   (1)

where e_i ∈ {0, 1, ..., p-1}. A first remark is that this clearly implies p ≥ k. As we shall see further, 2k distinct points are actually needed. Thus, given the three polynomials A = (a_1, ..., a_k), B = (b_1, ..., b_k) and M = (m_1, ..., m_k) in GF(p^k), and under the condition p ≥ 2k, our algorithm computes the product A(X)B(X)N(X)^{-1} mod M(X) in two stages.

Stage 1: We define the polynomial Q of degree less than k such that

  Q(X) = -A(X)B(X)M(X)^{-1} mod N(X);

in other words, we compute in parallel and in GF(p)

  q_i = -a_i b_i m_i^{-1},  for i = 1, ..., k.

Stage 2: Since [A(X)B(X) + Q(X)M(X)] is a multiple of N(X), we compute R(X) of degree less than k such that

  R(X) = [A(X)B(X) + Q(X)M(X)] N(X)^{-1}.

In this algorithm it is important to note that it is not possible to evaluate R(X) directly as mentioned in stage 2. Since [A(X)B(X) + Q(X)M(X)] is a multiple of N(X), its representation at the points {e_1, ..., e_k} is merely composed of zeros. The same clearly applies for N(X). As a direct consequence the division by N(X), which actually reduces to the multiplication by N(X)^{-1}, has neither effect nor sense. We address this problem by using k extra values {e'_1, ..., e'_k}, where e'_i ≠ e_j for all i, j, and by computing [A(X)B(X) + Q(X)M(X)] for those extra values. In algorithm 1, the operations in step 3 are then performed for X ∈ {e'_1, ..., e'_k}. Steps 1 and 3 are fully parallel operations in GF(p). The complexity of algorithm 1 thus mainly depends on the two polynomial interpolations (steps 2, 4).

Algorithm 1: New Multiplication in GF(p^k)

Step 1: For X ∈ {e_1, ..., e_k}, compute in parallel Q(X) = -A(X)B(X)M(X)^{-1}.
Step 2: Extend Q in {e'_1, ..., e'_k} using Lagrange interpolation.
Step 3: For X ∈ {e'_1, ..., e'_k}, compute in parallel R(X) = [A(X)B(X) + Q(X)M(X)] N(X)^{-1}.
Step 4: Extend R back in {e_1, ..., e_k} using Lagrange interpolation.

Implementation

In step 1 we compute in GF(p), and in parallel for all i in {1, ..., k},

  q_i = -a_i b_i m_i^{-1},   (2)

where the m_i^{-1}'s are precomputed constants. The extension of Q(X) in {e'_1, ..., e'_k} is then obtained by Lagrange interpolation: the interpolation coefficients (3) and (4) depend only on the points of E and E', so that step 2 is the multiplication of the vector (q_1, ..., q_k) by a constant k × k matrix (5).

Operations in step 3 are performed in parallel for i ∈ {1, ..., k}:

  r'_i = (a'_i b'_i + q'_i m'_i) n'_i^{-1},   (6)

where the n'_i^{-1}'s are also precomputed values. It is easy to remark that n'_i = N(e'_i) ≠ 0 for all i ∈ {1, ..., k}, since the e'_i's are distinct from the e_j's. Thus the modular inverse n'_i^{-1} always exists. At the end of step 3, the polynomial R of degree less than k is defined by its values at {e'_1, ..., e'_k}, namely r'_1, r'_2, ..., r'_k. If we want to reuse the obtained result as the input of other multiplications (which is frequently the case in exponentiation algorithms), we must also know the values of R at {e_1, ..., e_k}. This is done in step 4, again by means of Lagrange interpolation. As in step 2, we define the interpolation coefficients (7) and the extension back to {e_1, ..., e_k} is the multiplication by a second constant matrix (8).

Another implementation option would be to insert some of the multiplications by constants into the matrix operations of steps 2 and 4. We can introduce the m_i^{-1}'s of (2) and the n'_i^{-1}'s of (6) in the matrix of equation (5) to gain one product in each of steps 1 and 3. We do not give much detail about this solution because we will see further that the original matrices have some very attractive properties for the hardware implementation.

Example

In this example, we consider the finite field GF(p^5) defined according to a monic irreducible polynomial M(X) of degree 5. The two sets of points used for the Lagrange representation are E = {e_1, ..., e_5} and E' = {e'_1, ..., e'_5}. For all e_i in E and e'_i in E', the vectors of the m_i^{-1}'s (for use in step 1) and of the n'_i^{-1}'s (for use in step 3) are precomputed. Also used in step 3 is the vector of the m'_i = M(e'_i). The two interpolation matrices needed in steps 2 and 4 are fixed once E and E' are chosen. In Lemma 1 we will observe some symmetry between the elements of these two matrices.
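The following is an added, runnable version of Algorithm 1 in Python (it is not code from the paper). It uses constructed parameters, assumed for the example only: p = 17, k = 3, M(X) = X^3 + X + 3 (irreducible over GF(17)), E = {1, 2, 3} and E' = {4, 5, 6}; N(X) = (X-1)(X-2)(X-3). Polynomials in coefficient form are lists with the lowest degree first, and the final check compares the Lagrange-representation result with classical coefficient arithmetic.

```python
# Added example: Montgomery-like multiplication in GF(p^k) in the Lagrange representation.
P = 17                 # constructed prime; P >= 2K is needed for 2K distinct points in GF(P)
K = 3                  # extension degree
M = [3, 1, 0, 1]       # constructed monic irreducible M(X) = X^3 + X + 3 (no root in GF(17))
E = [1, 2, 3]          # points e_i; N(X) = (X-1)(X-2)(X-3) plays the role of the Montgomery factor
E2 = [4, 5, 6]         # extra points e'_i, disjoint from E, where N(X) does not vanish

def inv(a):
    return pow(a % P, P - 2, P)          # inverse modulo the prime P (Fermat)

def poly_eval(poly, x):
    acc = 0                              # Horner evaluation modulo P
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % P
    return out

def poly_mod(a, m):
    """Remainder of a modulo the monic polynomial m."""
    a = a[:]
    while len(a) >= len(m):
        c, shift = a[-1], len(a) - len(m)
        for i, cm in enumerate(m):
            a[shift + i] = (a[shift + i] - c * cm) % P
        a.pop()
    return a

N = [1]
for e in E: N = poly_mul(N, [(-e) % P, 1])   # N(X) = prod (X - e_i)

def lagrange_extend(xs, ys, new_xs):
    """Values at new_xs of the degree < len(xs) polynomial through (xs, ys): a constant matrix."""
    out = []
    for x in new_xs:
        total = 0
        for i, xi in enumerate(xs):
            li = 1
            for j, xj in enumerate(xs):
                if i != j:
                    li = li * (x - xj) * inv(xi - xj) % P
            total = (total + ys[i] * li) % P
        out.append(total)
    return out

def lagrange_mult(a_vals, b_vals):
    """Algorithm 1: inputs are the values of A and B at E + E2; returns A*B*N^(-1) mod M the same way."""
    m_E = [poly_eval(M, e) for e in E]        # precomputed constants m_i
    m_E2 = [poly_eval(M, e) for e in E2]      # m'_i
    n_E2 = [poly_eval(N, e) for e in E2]      # n'_i, never zero because E and E2 are disjoint
    # Step 1 (on E, in parallel): Q = -A*B*M^(-1) mod N; N vanishes on E, so Q is fixed by its values there
    q_E = [(-a * b * inv(m)) % P for a, b, m in zip(a_vals[:K], b_vals[:K], m_E)]
    # Step 2: extend Q to E2 by Lagrange interpolation
    q_E2 = lagrange_extend(E, q_E, E2)
    # Step 3 (on E2, in parallel): A*B + Q*M is a multiple of N, so the division by N is exact
    r_E2 = [((a * b + q * m) * inv(n)) % P
            for a, b, q, m, n in zip(a_vals[K:], b_vals[K:], q_E2, m_E2, n_E2)]
    # Step 4: extend R back to E; R has degree < K, so its K values on E2 determine it
    r_E = lagrange_extend(E2, r_E2, E)
    return r_E + r_E2

def to_values(poly):
    return [poly_eval(poly, x) for x in E + E2]   # coefficient form -> Lagrange representation

def interpolate(xs, ys):
    """Lagrange representation -> coefficient form (only used to check the result)."""
    result = [0] * len(xs)
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if i != j:
                basis = poly_mul(basis, [(-xj) % P, 1])
                denom = denom * (xi - xj) % P
        scale = ys[i] * inv(denom) % P
        for d, c in enumerate(basis):
            result[d] = (result[d] + scale * c) % P
    return result

def check(a_poly, b_poly):
    """Classical check in coefficient form: R*N == A*B (mod M), i.e. R = A*B*N^(-1) in GF(P^K)."""
    r = lagrange_mult(to_values(a_poly), to_values(b_poly))
    r_poly = interpolate(E, r[:K])
    return poly_mod(poly_mul(r_poly, N), M) == poly_mod(poly_mul(a_poly, b_poly), M)
```

Multiplying A by the representation of N mod M returns A itself (the Montgomery factor cancels), which is the same effect as the Montgomery notation discussed in section 5.2.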

Given A(X) and B(X) in GF(p^5), known by their values at the points of E and E', we compute R(X) = A(X)B(X)N(X)^{-1} mod M(X) in the same representation. In step 1 of the algorithm we compute the values of Q at the points of E and we extend them in step 2 (eq. (5)) from E to E'. Now in step 3 (eq. (6)), we evaluate R in parallel for each value of E' and we interpolate it back (eq. (8)) to obtain the final result at the points of E. We can easily check that this actually is the correct result: if we consider the classical coefficient representation of A and B, the polynomial A(X)B(X)N(X)^{-1} mod M(X), evaluated at the points of E, gives the same values.

3 Arithmetic over GF(p)

From a hardware point of view, this method is of interest if and only if we can take advantage of an efficient arithmetic over GF(p). In this section we give the idea of some algorithms for the addition and the multiplication modulo a prime p. Different solutions have been proposed, but most of them only focus on large primes, which are useful if one wants to implement elliptic curve cryptography over GF(p) [23]. Here we only need arithmetic operations modulo small primes of a few bits.

3.1 Addition

When we aim at computing the modular sum a + b mod p, a classical approach consists in evaluating in parallel the quantities a + b and a + b - p. The correct result is selected according to the sign of a + b - p. For a single operation, this solution gives a result less than p. However, when several additions have to be computed, we do not need to reduce the sum modulo p after each addition. If p is small enough with respect to the operand width, another solution is to keep the intermediate results below a fixed bound by only performing a reduction modulo p when the partial sum exceeds that bound. In other words, we perform the sum a + b and we subtract p only if a carry has occurred. In [19], a redundant representation is used so that the modular addition is performed without carry propagation. The redundant addition is then used within radix 2 and radix 4 modular multiplication algorithms.

3.2 Multiplication

Multiplication modulo special numbers has been extensively studied. For instance a multiplication modulo 2^N - 1 is presented in [17] and moduli of the form 2^n + 1 are used in [22] in the context of DSP applications. Other works exist for Fermat numbers 2^{2^n} + 1 and Mersenne primes 2^p - 1, with p prime. In the general case, the product a × b mod p can be implemented by means of index calculus with two lookup tables and one addition. We simply use the fact that any element of the group GF(p)* corresponds to a power of a generator g of the group. We retrieve in a first table the values i and j such that a = g^i and b = g^j, we evaluate i + j mod (p - 1) and we read in the second table the result a × b = g^{(i + j) mod (p - 1)} (see figure 1). This solution has been proposed in [9] for the special case of a Fermat prime p, for which p - 1 is a power of two. The advantage here is that the addition modulo p - 1 reduces to a classical fixed-width binary addition.

Figure 1: Index calculus modular multiplication.

An interesting suggestion for multiplication by means of lookup tables can be found in [10] under the term quarter-square multiplier. It is based on the following equation:

  a × b = ((a + b)/2)^2 - ((a - b)/2)^2,   (9)

where both squares are given by a lookup table indexed by the input bits. This is illustrated in figure 2.

Figure 2: Lookup based modular multiplication for small operands.

Optimizations of this general idea are possible. One can perform the division by two (shifts) before the table lookup. This divides the size of the table by a factor two, but when a + b is odd, a correcting term must be added (modulo p) at the end. The size can be further reduced using the fact that x and p - x have the same square modulo p. In this case, the address resolution problem must be solved. One can also consider a double-and-add method, sometimes called the Russian peasant method for multiplication [10], associated with a Booth recoding of one of the operands. A table is used to store the double (modulo p) of each value less than p. If we want to multiply two small numbers, this method requires at most one addition per bit of the recoded operand, and the doublings are just table lookups. Modular multiplication by a constant is a lot easier. For small operands, one can simply implement the modular multiplication with some combinatorial logic implementing the function x ↦ c × x mod p.

4 Complexity

In table 2 we count the number of additions (A), multiplications by a constant (CM) and real multiplications (M) over GF(p) of algorithm 1. The time required for a sequential implementation corresponds to the number of operations given in table 2.

Table 2: Number of additions (A), constant multiplications (CM) and real multiplications (M) over GF(p) for a sequential implementation of the algorithm.

Since the product in GF(p^k) can be totally parallelized into k streams, the time required is divided by k with respect to the sequential version. If we define the time required for one addition, for one constant multiplication and for one real multiplication respectively, we can precisely evaluate the time complexity of our algorithm on a parallel architecture. Table 3 summarizes the four steps of the algorithm.

Table 3: Time complexity estimation on a pipelined architecture.

5 Discussion

5.1 Simplified architecture

The major advantage of this method is that the matrices in (5) and (8) do not depend on the inputs. Thus all the operations reduce to multiplications by constants, which significantly simplifies the hardware implementation. Moreover, in the example presented in section 2 we have detected symmetries between the elements of the two matrices that can also contribute to a simplified architecture. We have the following Lemma.

Lemma 1. As in the previous example, let us denote by e_i the points of E and by e'_i the points of E'. According to equations (4) and (7) we have (10) and (11).

Then for every i, j ∈ {1, ..., k} we have (12). In other words, equation (8) can be implemented with the same matrix as eq. (5), by simply reversing the order of the elements of the vectors (13).

Proof: We are going to rearrange each part of the equality to make the identity appear. Let us first focus on the right-hand part of the identity. So far we have just changed the position of the factors in each term of the product. Next, just by multiplying each fraction by -1, and extracting all the -1's in the denominators, we get an expression in which the indices have been reordered. We now do the same with the left-hand expression: we extract the -1's in the denominators, and we conclude that the new expressions for the left-hand and right-hand parts are the same.

This lemma points out symmetry properties of the matrices that mainly depend on the choice made in the example for the points of E and E'. They can be taken into account to improve the hardware architecture. Other choices of points could be more interesting and could result in very attractive chip design solutions. This is currently work in progress in our team.

5.2 Cryptographic context

In ECC, the main operation is the addition of two points of an elliptic curve defined over a finite field. Hardware implementation of elliptic curve cryptosystems thus requires efficient operators for additions, multiplications and divisions. Since division is usually a complex operation, we use projective (or homogeneous) coordinates to bypass this difficulty (only one division is needed at the very end of the algorithm). Thus the only operations are addition and multiplication in GF(p^k). Moreover it is worth noticing that we do not need to reduce modulo p after each addition. We only subtract p from the result of the last addition if it is too large (we recall that p is odd). In other words we just have to check one bit after each addition. The exact value is only needed for the final result. In ECC protocols, addition chains of points of an elliptic curve are needed. In homogeneous coordinates, those operations consist in additions and multiplications over GF(p^k). Only one division is needed at the end and it can be performed in the Lagrange representation using the Fermat-Euler theorem, which states that for all non-zero values x in GF(p^k), x^{p^k - 1} = 1. Hence we can compute the inverse of x by computing x^{p^k - 2} in GF(p^k). It is also advantageous to use a polynomial equivalent of the Montgomery notation during the computations. We consider polynomials in the form A'(X) = A(X)N(X) mod M(X) instead of A(X). It is clear that adding two polynomials given in this notation gives the result in the same notation, and for the product, since Mont(A', B') = A'(X)B'(X)N(X)^{-1} mod M(X) = A(X)B(X)N(X) mod M(X), we have Mont(A', B') = (AB)'(X).

Conclusion

Works from Bailey and Paar [1, 2], Smart [18] and Crandall [5] have shown that it is possible to obtain more efficient software implementations over GF(p^k) than over GF(2^k) or GF(p) when p is carefully chosen (Mersenne, pseudo-Mersenne, generalized Mersenne primes, etc). In this article we have presented a new modular multiplication algorithm over the finite extension field GF(p^k), for p > 2k, which is highly parallelizable and well adapted to hardware implementation. Our algorithm is particularly interesting for ECC since it seems that there exist fewer nonsingular curves over GF(p^k) than over GF(2^k). Finding "good" curves for elliptic curve cryptography would then be easier. This could result in a wider choice of curves than in the case of GF(2^k). This method can be extended to finite fields of the form GF(q^k), where q = 2^n. In this case q is no longer a prime number, which forces us to choose the values of the e_i's and e'_i's in GF(2^n). Fields of this form can also be useful for the recent tripartite Diffie-Hellman key exchange algorithm [8] or the short signature scheme [3], which require an efficient arithmetic over the corresponding extension fields.

Acknowledgements

The authors would like to thank the anonymous reviewers for their very useful comments. This work has been supported by an ACI cryptologie grant from the French ministry of education and research.

References

[1] D. Bailey and C. Paar. Optimal extension fields for fast arithmetic in public-key algorithms. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO '98, volume 1462 of Lecture Notes in Computer Science (LNCS), pages 472–485. Springer-Verlag, 1998.
[2] D. Bailey and C. Paar. Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. Journal of Cryptology, 14(3):153–176, 2001.
[3] D. Boneh, H. Shacham, and B. Lynn. Short signatures from the Weil pairing. In Proceedings of Asiacrypt '01, volume 2248 of Lecture Notes in Computer Science, pages 514–532. Springer-Verlag, 2001.
[4] Ç. K. Koç and T. Acar. Montgomery multiplication in GF(2^k). Designs, Codes and Cryptography, 14(1):57–69, April 1998.
[5] R. Crandall. Method and apparatus for public key exchange in a cryptographic system. US Patent number 5159632, 1992.
[6] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.
[7] A. Halbutoğullari and Ç. K. Koç. Parallel multiplication in GF(2^k) using polynomial residue arithmetic. Designs, Codes and Cryptography, 20(2):155–173, June 2000.
[8] A. Joux. A one round protocol for tripartite Diffie-Hellman. In 4th International Algorithmic Number Theory Symposium (ANTS-IV), volume 1838 of Lecture Notes in Computer Science, pages 385–393. Springer-Verlag, July 2000.
[9] G. A. Jullien, W. Luo, and N. Wigley. High throughput VLSI DSP using replicated finite rings. Journal of VLSI Signal Processing, 14(2):207–220, November 1996.
[10] D. E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Addison-Wesley, Reading, MA, third edition, 1997.
[11] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203–209, January 1987.
[12] N. Koblitz. A Course in Number Theory and Cryptography, volume 114 of Graduate Texts in Mathematics. Springer-Verlag, second edition, 1994.
[13] N. Koblitz. Algebraic Aspects of Cryptography, volume 3 of Algorithms and Computation in Mathematics. Springer-Verlag, 1998.
[14] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 2000 N.W. Corporate Blvd., Boca Raton, FL 33431-9868, USA, 1997.
[15] P. L. Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, April 1985.
[16] C. Paar, P. Fleischmann, and P. Roelse. Efficient multiplier architectures for Galois fields GF((2^4)^n). IEEE Transactions on Computers, 47(2):162–170, February 1998.
[17] A. Skavantzos and P. B. Rao. New multipliers modulo 2^N - 1. IEEE Transactions on Computers, 41(8):957–961, August 1992.
[18] N. P. Smart. A comparison of different finite fields for use in elliptic curve cryptosystems. Research report CSTR-00-007, University of Bristol, June 2000.
[19] N. Takagi and S. Yajima. Modular multiplication hardware algorithms with a redundant representation and their application to RSA cryptosystem. IEEE Transactions on Computers, 41(7):887–891, July 1992.
[20] F. J. Taylor. Large moduli multipliers for signal processing. IEEE Transactions on Circuits and Systems, CAS-28:731–736, July 1981.
[21] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, 1999.
[22] Z. Wang, G. A. Jullien, and W. C. Miller. An efficient tree architecture for modulo 2^n + 1 multiplication. Journal of VLSI Signal Processing, 14(3):241–248, December 1996.
[23] T. Yanik, E. Savaş, and Ç. K. Koç. Incomplete reduction in modular arithmetic. IEE Proceedings: Computers and Digital Techniques, 149(2):46–52, March 2002.