1 A New Multiplication Technique for GF(2 m ) with Cryptographic Significance Athar Mahboob and Nassar Ikram National University of Sciences & Technology,

1A New Multiplication Technique for GF(2m) with Cryptographic Significance

A New Multiplication Technique for GF(2m) with Cryptographic

SignificanceAthar Mahboob and Nassar Ikram

National University of Sciences & Technology, Pakistan

Presented at WISA 2004

August 23-25, 2004

Jeju Island, South Korea


Multiplication

Multiplication is a fundamental arithmetic operation in many algebraic structures such as GF(2m)

Other fundamental operations includeAdditionSubtractionSquaringDivisionInversionExponentiation

Hence multiplication is the most important arithmetic op but ... Multiplication more time consuming than addition, subtraction

and squaring

Addition and Subtraction are same in GF(2m). Addition is not a computational bottleneck Complexity is O(m)

}

Division can be replaced by inversion followed by multiplication. Inversion can be done using multiplication as per Fermat's Theorem

}

Squaring can be done as multiplication but there are very fast methods for squaring in GF(2m)

Exponentiation (repeated multiplication) can be efficiently done using binary method and improved versions of it such as ITI


Schoolbook Method

11110011 10000101 ----------------- 11110011 00000000X 11110011XX 00000000XXX 00000000XXXX 00000000XXXXX 00000000XXXXXX 11110011XXXXXXX ----------------- 111101010111111 -----------------

Examines bits of the multiplier and adds shifted versions of the multiplicand based on the bit

Maps easily into a Shift-and-Add Scheme

Partial Products are first created

Partial Products are added or accumulated to generate the Final Product

Number of bit operations are O(m2)


Our Research

GF(2m) Multiplication performance is critical for ECC cryptosystems defined using Elliptic Curves over GF(2m)

EC Point Addition and Doubling require 6 additions, 1 squaring, 2 multiplications and 1 inversion

Inversions can be replaced by multiplications using projective coordinates

Inversions can also be done using multiplications and squaring – Fermat's Little Theorem

Typical ECC Field sizes are 112 < m < 600 Standard fields use m which is prime (for presumed security) Standard fields support fast polynomial modular reduction


Issues with GF(2m) Multiplication in Software

Lack of machine level GF(2m) word-level multiply instruction

Bit level operations are required such as examining single bit at a time, shifts, ANDs, XORs

Modular Reduction may be a computational bottleneck for a general field polynomial

Decide on doing inter-leaved modular reduction or fast modular reduction at the end

We do fast modular reduction using trinomial or pentanomial at the end like most typical ECC implementations


Multitude of Multiplication Techniques

Multiplication Classical Multiplication Modular Multiplication

GF(p) Multiplication followed by classical long division Multiplication followed by Fast Reduction Techniques

• Barret Reduction Montgomery Multiplication dispenses with modular reduction step

GF(2m) – Polynomial Basis Multiplication followed by classical long division Multiplication followed by Fast Reduction Techniques

• Trinomial/Pentanomial Modular Reduction Montgomery Multiplication dispenses with modular reduction step LookUp Tables based Multiplication

• Any m• Composite m

GF(2m) – Normal Basis Massey Omura Multiplier

This list is not exhaustive by any means ...


Classical Multiplication Techniques

Schoolbook – if nothing else makes sense ... Karatsuba – recursive binary subdivision technique Toom-Cook – recursive three-way subdivision technique FFT – asymptotically fastest technique, not used for sizes

typical in PKC Comba – something similar to what we have proposed, little

known in cryptographic circles, we do not have access to the source, never has been proposed for use in GF(2m)

There are typical cutoff values where one technique starts to be more efficient than others due to inherent overheads of each technique


Classical Shift and Add


Shift and Add with Precomputation


Other LUT Techniques

Composite mGenerally use composite extension fields m = ab in GF(2m)Perform arithmetic using LUT in the subfield where LUT is

small enough to fit in memoryUse log and antilogs to convert from multiplication to

addition (which are just XORs) resulting processing a bits at a time instead of one bit for Shift and Add

Not applicable to standardized fields for ECC Any m

One general LUT technique creates LUT on fly for each different multiplier, it is more of a windowing technique

Our LUT is calculated once and for all for all m and for all multipliers


Our LUT Technique

Uses mullut a 128 kbyte LookUp Table Calculates output one byte/one word at a time instead

of first calculating partial products and then adding them

Two versionsB-LUT: generates output one byte at a timeF-LUT: generates output one word (32-bits) at a time


The LookUp Table (LUT)The algorithm precomputes the product of all polynomials up to degree 7 with coefficients in GF(2).


Multiplication using mullut[256][256]

A0

B0

A0

B0

A1

B1

A0B

0A

0B

0

A0B

1

A1B

0

A1B

1

C0

C1

C2

C3

Ai and B

i are 8-bit values

8 8 multiplication 16 16 multiplication

C0

C1

C0 = A

0B

0 & 0xFF

C1 = (A

0B

0 ≫ 8) & 0xFF

C0 = A

0B

0 & 0xFF

C1 = ((A

0B

0≫8) &0xFF)(A

0B

1& 0xFF)(A

1B

0 & 0xFF)

C2 = ((A

0B

1≫8) &0xFF)((A

1B

0≫8) & 0xFF)(A

1B

1& 0xFF)

C3 = (A

1B

1≫8) & 0xFF


32 × 32 multiplication using mullut[256][256]

A0

B0

A1

B1

A0B

0

A0B

1

A1B

0

A0B

2

C0

C1

C2

C3

A2

B2

A3

B3

C4

C5

C6

C7

A1B

1

A2B

0

A0B

3

A1B

2

A2B

1

A3B

0

A1B

3

A2B

2

A3B

1

A2B

3

A3B

2

A3B

3

Ai and B

i are 8-bit values

Shaded portions indicate something that effects neighbours

Each Ci depends on

A

i and B

i whose

indices add up to i

Effects of processing in word-size is that bytes of the boundaries of words have to result in some sort of “carry”


The Pattern Emerges

C0 = A

0B

0 & 0xFF

C1 = ((A

0B

0≫8) &0xFF) (A

0B

1& 0xFF) (A

1B

0 & 0xFF)

C2 = ((A

0B

1≫8) &0xFF) ((A

1B

0≫8) & 0xFF) (A

0B

2& 0xFF) (A

1B

1& 0xFF) (A

2B

0& 0xFF)

C3 = ((A

0B

2& 0xFF)≫8) ((A

1B

1& 0xFF)≫8) ((A

2B

0& 0xFF))≫8) (A

0B

3& 0xFF)

(A1B

2& 0xFF) (A

2B

1& 0xFF) (A

3B

0& 0xFF)

C4 = ((A

0B

3 ≫8) & 0xFF) ((A

1B

2≫8) & 0xFF) ((A

2B

1≫8) & 0xFF) ((A

3B

0≫8) & 0xFF)

(A1B

3& 0xFF) (A

2B

2& 0xFF) (A

3B

1& 0xFF)

C5 = ((A

1B

3≫8) & 0xFF) ((A

2B

2 ≫8) & 0xFF) ((A

3B

1≫8) & 0xFF)

(A2B

3& 0xFF) (A

3B

2& 0xFF)

C6 = ((A

2B

3≫8) & 0xFF) (A

3B

2≫8)& 0xFF) (A

3B

3& 0xFF)

C7 = (A

3B

3≫8) & 0xFF


B-LUT

We process 8 bits of the inputs at a time.The number of 8-bit units present in the inputs a and b is given as d.Output c before reduction would consist of 2·d bytes. Each byte of the output is calculated by performing lookups into the table mullut and adding (XOR) looked up values after they have been shifted by necessary amounts. The symbol & represents the bit-wise AND operation.


GF(216) Multiply Using mullut


F-LUT


Comparison with Other Techniques


Multiplier Performance Data


Impact on ECC Performance


Conclusions and Future Work

We presented:Two new algorithms for GF(2m) multiplication using Lookup

Table and results of an implementation of the new LUT based finite field multiplication techniques.

We provided the results of our ECC implementation showing performance impact of our new GF(2m) multiplication technique.

Future ideas:Combine Karatsuba’s algorithm with our LUT based

technique to cut down the base number of XORs, Shifts and Table Lookups.

We also intend to explore more efficient EC scalar multiplication techniques and use of our multiplication technique for HECC.

Documents

1 A New Multiplication Technique for GF(2 m ) with Cryptographic Significance Athar Mahboob and Nassar Ikram National University of Sciences & Technology,