Upload
arthur-turrell
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
1A New Multiplication Technique for GF(2m) with Cryptographic Significance
A New Multiplication Technique for GF(2m) with Cryptographic
SignificanceAthar Mahboob and Nassar Ikram
National University of Sciences & Technology, Pakistan
Presented at WISA 2004
August 23-25, 2004
Jeju Island, South Korea
2A New Multiplication Technique for GF(2m) with Cryptographic Significance
Multiplication
Multiplication is a fundamental arithmetic operation in many algebraic structures such as GF(2m)
Other fundamental operations includeAdditionSubtractionSquaringDivisionInversionExponentiation
Hence multiplication is the most important arithmetic op but ... Multiplication more time consuming than addition, subtraction
and squaring
Addition and Subtraction are same in GF(2m). Addition is not a computational bottleneck Complexity is O(m)
}
Division can be replaced by inversion followed by multiplication. Inversion can be done using multiplication as per Fermat's Theorem
}
Squaring can be done as multiplication but there are very fast methods for squaring in GF(2m)
Exponentiation (repeated multiplication) can be efficiently done using binary method and improved versions of it such as ITI
3A New Multiplication Technique for GF(2m) with Cryptographic Significance
Schoolbook Method
11110011 10000101 ----------------- 11110011 00000000X 11110011XX 00000000XXX 00000000XXXX 00000000XXXXX 00000000XXXXXX 11110011XXXXXXX ----------------- 111101010111111 -----------------
Examines bits of the multiplier and adds shifted versions of the multiplicand based on the bit
Maps easily into a Shift-and-Add Scheme
Partial Products are first created
Partial Products are added or accumulated to generate the Final Product
Number of bit operations are O(m2)
4A New Multiplication Technique for GF(2m) with Cryptographic Significance
Our Research
GF(2m) Multiplication performance is critical for ECC cryptosystems defined using Elliptic Curves over GF(2m)
EC Point Addition and Doubling require 6 additions, 1 squaring, 2 multiplications and 1 inversion
Inversions can be replaced by multiplications using projective coordinates
Inversions can also be done using multiplications and squaring – Fermat's Little Theorem
Typical ECC Field sizes are 112 < m < 600 Standard fields use m which is prime (for presumed security) Standard fields support fast polynomial modular reduction
5A New Multiplication Technique for GF(2m) with Cryptographic Significance
Issues with GF(2m) Multiplication in Software
Lack of machine level GF(2m) word-level multiply instruction
Bit level operations are required such as examining single bit at a time, shifts, ANDs, XORs
Modular Reduction may be a computational bottleneck for a general field polynomial
Decide on doing inter-leaved modular reduction or fast modular reduction at the end
We do fast modular reduction using trinomial or pentanomial at the end like most typical ECC implementations
6A New Multiplication Technique for GF(2m) with Cryptographic Significance
Multitude of Multiplication Techniques
Multiplication Classical Multiplication Modular Multiplication
GF(p) Multiplication followed by classical long division Multiplication followed by Fast Reduction Techniques
• Barret Reduction Montgomery Multiplication dispenses with modular reduction step
GF(2m) – Polynomial Basis Multiplication followed by classical long division Multiplication followed by Fast Reduction Techniques
• Trinomial/Pentanomial Modular Reduction Montgomery Multiplication dispenses with modular reduction step LookUp Tables based Multiplication
• Any m• Composite m
GF(2m) – Normal Basis Massey Omura Multiplier
This list is not exhaustive by any means ...
7A New Multiplication Technique for GF(2m) with Cryptographic Significance
Classical Multiplication Techniques
Schoolbook – if nothing else makes sense ... Karatsuba – recursive binary subdivision technique Toom-Cook – recursive three-way subdivision technique FFT – asymptotically fastest technique, not used for sizes
typical in PKC Comba – something similar to what we have proposed, little
known in cryptographic circles, we do not have access to the source, never has been proposed for use in GF(2m)
There are typical cutoff values where one technique starts to be more efficient than others due to inherent overheads of each technique
8A New Multiplication Technique for GF(2m) with Cryptographic Significance
Classical Shift and Add
9A New Multiplication Technique for GF(2m) with Cryptographic Significance
Shift and Add with Precomputation
10A New Multiplication Technique for GF(2m) with Cryptographic Significance
Other LUT Techniques
Composite mGenerally use composite extension fields m = ab in GF(2m)Perform arithmetic using LUT in the subfield where LUT is
small enough to fit in memoryUse log and antilogs to convert from multiplication to
addition (which are just XORs) resulting processing a bits at a time instead of one bit for Shift and Add
Not applicable to standardized fields for ECC Any m
One general LUT technique creates LUT on fly for each different multiplier, it is more of a windowing technique
Our LUT is calculated once and for all for all m and for all multipliers
11A New Multiplication Technique for GF(2m) with Cryptographic Significance
Our LUT Technique
Uses mullut a 128 kbyte LookUp Table Calculates output one byte/one word at a time instead
of first calculating partial products and then adding them
Two versionsB-LUT: generates output one byte at a timeF-LUT: generates output one word (32-bits) at a time
12A New Multiplication Technique for GF(2m) with Cryptographic Significance
The LookUp Table (LUT)The algorithm precomputes the product of all polynomials up to degree 7 with coefficients in GF(2).
13A New Multiplication Technique for GF(2m) with Cryptographic Significance
Multiplication using mullut[256][256]
A0
B0
A0
B0
A1
B1
A0B
0A
0B
0
A0B
1
A1B
0
A1B
1
C0
C1
C2
C3
Ai and B
i are 8-bit values
8 8 multiplication 16 16 multiplication
C0
C1
C0 = A
0B
0 & 0xFF
C1 = (A
0B
0 ≫ 8) & 0xFF
C0 = A
0B
0 & 0xFF
C1 = ((A
0B
0≫8) &0xFF)(A
0B
1& 0xFF)(A
1B
0 & 0xFF)
C2 = ((A
0B
1≫8) &0xFF)((A
1B
0≫8) & 0xFF)(A
1B
1& 0xFF)
C3 = (A
1B
1≫8) & 0xFF
14A New Multiplication Technique for GF(2m) with Cryptographic Significance
32 × 32 multiplication using mullut[256][256]
A0
B0
A1
B1
A0B
0
A0B
1
A1B
0
A0B
2
C0
C1
C2
C3
A2
B2
A3
B3
C4
C5
C6
C7
A1B
1
A2B
0
A0B
3
A1B
2
A2B
1
A3B
0
A1B
3
A2B
2
A3B
1
A2B
3
A3B
2
A3B
3
Ai and B
i are 8-bit values
Shaded portions indicate something that effects neighbours
Each Ci depends on
A
i and B
i whose
indices add up to i
Effects of processing in word-size is that bytes of the boundaries of words have to result in some sort of “carry”
15A New Multiplication Technique for GF(2m) with Cryptographic Significance
The Pattern Emerges
C0 = A
0B
0 & 0xFF
C1 = ((A
0B
0≫8) &0xFF) (A
0B
1& 0xFF) (A
1B
0 & 0xFF)
C2 = ((A
0B
1≫8) &0xFF) ((A
1B
0≫8) & 0xFF) (A
0B
2& 0xFF) (A
1B
1& 0xFF) (A
2B
0& 0xFF)
C3 = ((A
0B
2& 0xFF)≫8) ((A
1B
1& 0xFF)≫8) ((A
2B
0& 0xFF))≫8) (A
0B
3& 0xFF)
(A1B
2& 0xFF) (A
2B
1& 0xFF) (A
3B
0& 0xFF)
C4 = ((A
0B
3 ≫8) & 0xFF) ((A
1B
2≫8) & 0xFF) ((A
2B
1≫8) & 0xFF) ((A
3B
0≫8) & 0xFF)
(A1B
3& 0xFF) (A
2B
2& 0xFF) (A
3B
1& 0xFF)
C5 = ((A
1B
3≫8) & 0xFF) ((A
2B
2 ≫8) & 0xFF) ((A
3B
1≫8) & 0xFF)
(A2B
3& 0xFF) (A
3B
2& 0xFF)
C6 = ((A
2B
3≫8) & 0xFF) (A
3B
2≫8)& 0xFF) (A
3B
3& 0xFF)
C7 = (A
3B
3≫8) & 0xFF
16A New Multiplication Technique for GF(2m) with Cryptographic Significance
B-LUT
We process 8 bits of the inputs at a time.The number of 8-bit units present in the inputs a and b is given as d.Output c before reduction would consist of 2·d bytes. Each byte of the output is calculated by performing lookups into the table mullut and adding (XOR) looked up values after they have been shifted by necessary amounts. The symbol & represents the bit-wise AND operation.
17A New Multiplication Technique for GF(2m) with Cryptographic Significance
GF(216) Multiply Using mullut
18A New Multiplication Technique for GF(2m) with Cryptographic Significance
F-LUT
19A New Multiplication Technique for GF(2m) with Cryptographic Significance
Comparison with Other Techniques
20A New Multiplication Technique for GF(2m) with Cryptographic Significance
Multiplier Performance Data
21A New Multiplication Technique for GF(2m) with Cryptographic Significance
Impact on ECC Performance
22A New Multiplication Technique for GF(2m) with Cryptographic Significance
Conclusions and Future Work
We presented:Two new algorithms for GF(2m) multiplication using Lookup
Table and results of an implementation of the new LUT based finite field multiplication techniques.
We provided the results of our ECC implementation showing performance impact of our new GF(2m) multiplication technique.
Future ideas:Combine Karatsuba’s algorithm with our LUT based
technique to cut down the base number of XORs, Shifts and Table Lookups.
We also intend to explore more efficient EC scalar multiplication techniques and use of our multiplication technique for HECC.