WO1999004332A1 - Composite field multiplicative inverse calculation for elliptic curve cryptography - Google Patents


Info

Publication number
WO1999004332A1
Authority
WO
WIPO (PCT)
Application number
PCT/IL1998/000327
Other languages
French (fr)
Inventor
Benjamin Arazi
Original Assignee
Cipherit Ltd.
Application filed by Cipherit Ltd.
Priority to AU82395/98A
Publication of WO1999004332A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F 7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F 7/72 Methods or arrangements for performing computations using a digital non-denominational number representation (as above) using residue arithmetic
    • G06F 7/724 Finite field arithmetic
    • G06F 7/726 Inversion; Reciprocal calculation; Division of elements of a finite field
    • G06F 7/725 Finite field arithmetic over elliptic curves

Definitions

  • The present invention relates to a method and apparatus for efficiently implementing elliptic curve cryptographic operations over the Galois field GF((2^m)^n), based on an efficient software or hardware operator which calculates modular multiplicative inverses and the product and the square of elements of said field.
  • ECC: Elliptic Curve Cryptography.
  • Three fundamental arithmetic operations are required for implementing ECC: a) the calculation of modular multiplicative inverses of finite field elements; b) modular multiplication of such elements; and c) their modular squaring.
  • This invention concerns fast and efficient software and hardware methods for executing these operations in the arithmetic field known as the Galois field GF((2^m)^n).
  • ECC implementations over Galois fields were indicated in G. Harper, A. Menezes and V. Vanstone, "Public Key Cryptosystems with Very Small Key Lengths", Eurocrypt '92, LNCS 658 pp.
  • Two polynomials with binary coefficients are used when operating over said GF((2^m)^n).
  • One polynomial, g(x), of degree n, defines an 'external field'.
  • Another polynomial, f(x), of degree m, defines an 'internal field'; n and m should be relatively prime.
  • The elements of said GF((2^m)^n) are polynomials of degree n-1 or less, which involve operations over said polynomial g(x).
  • The coefficients of these polynomials are themselves binary polynomials of degree m-1 or less, which involve operations in the field GF(2^m) over said polynomial f(x). Operations over said GF((2^m)^n) can be executed either over the polynomial basis or the normal basis, as is clear to persons skilled in the art.
  • Rij denotes an element of the field GF(2^m) stored in the j-th place in memory unit Ri, wherein the index of the first (left) element is 0.
  • The index i can have the values 0, 1 or 2. That is, the notation Rij refers to elements stored in memory units R0, R1 or R2.
  • Pseudo-code 1: Multiplying two elements of the field GF((2^m)^n)
  • R0 and R2 are memory units that store n+1 elements of the field GF(2^m), while memory unit R1 stores n elements.
  • R0 contains the multiplier b(x) of the field GF((2^m)^n) followed by a 0;
  • R2 contains the multiplicand c(x) of said field followed by a 0;
  • R1 contains 0's.
  • R2s ← R2s + R2n
  • The final content of R1 is b(x)·c(x).
  • The above process is a shift-and-add process, in which the right-shift operations of R2 modulo the generating polynomial generate the successive values x·c(x), x^2·c(x), ... . These values are multiplied by the corresponding coefficient of b(x) and the results of said multiplications are accumulated in R1.
  • Pseudo-code 2: Squaring an element of the field GF((2^m)^n)
  • R1 is a memory unit that stores n elements of the field GF(2^m), while memory unit R2 stores n+1 elements.
  • R1 contains the element b(x) to be squared;
  • R2 contains 0's.
  • R2(n-1) ← R2(n-1) + R1(n-1); shift-right R1 from index (2i-1)
  • R2s ← R2s + R2n (Comment: the execution of the above three lines is repeated twice. The first execution processes the element moved from R1 as x^n mod g(x). The second execution ensures that finally this coefficient is placed, mod g(x), at a place with a doubled index.)
  • At i = (n-1)/2 the elements stored in R1 stand for the coefficients of b(x)^2 of degree n-1 or less. The following operation adds this lower part of b(x)^2 to R2.
  • R2 ← R2 + R1
  • This method is based on the fundamental fact that the square of b(x) is obtained by taking the square over the field GF(2^m) of each of the coefficients of b(x) and then placing each of the coefficients at a location whose index is double the original index, where placements at indices higher than n-1 are accompanied by operations modulo the generating polynomial g(x) of the field GF((2^m)^n).
  • R1i [R1i] indicated in Pseudo-code 2
  • Modular multiplicative inverse operations, which need to be executed when implementing ECC operations, can be based on exponentiations such as indicated in G.B. Agnew et al., "An Implementation of Elliptic Curve Cryptosystems over F_(2^155)", IEEE J. on Sel. Areas in Communications, 1993, pp. 804-813, or on the Euclid algorithm. Euclid-based calculations of the multiplicative inverse of an element of the field GF(2^n) are shown in E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, 1968, pp. 36-44.
  • The invention relates to a first method for calculating modular multiplicative inverses of a Galois Field GF((2^m)^n), by an apparatus having first, second and third memory units, the method comprising the steps of:
  • Each one of said elements of the field GF(2^m) is a single bit.
  • The invention further relates to a second method for effecting the operations of calculating the product of two elements of the field GF((2^m)^n), calculating the square of an element of said field and calculating the multiplicative inverse of an element of said field, comprising the steps of:
  • The value of said m equals the product of two different prime numbers p and r, and the calculation of the modular multiplicative inverses is performed by processing p-bit values at a time.
  • The invention further relates to an apparatus for carrying out said first method, in which a multiplication of a plurality of elements of the field GF(2^m), which are stored in said specific memory unit, by one element of said field which is stored in a buffer memory, is effected by using a plurality of circuits, each such circuit multiplying one element by an element stored in said specific memory unit.
  • The multiplication of a plurality of elements of the field GF(2^m) stored in said specific memory unit by one element of said field is effected by using one pre-processing circuit which processes said one element and a plurality of post-processing circuits, each such circuit operating on two values, one being the output of said pre-processing circuit and the other being an element stored in said specific memory unit.
  • The invention relates to an apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), which comprises: a buffer memory for storing one element of the field GF(2^m); a first memory unit (R0) for storing n+1 elements of the field GF(2^m); a second memory unit (R2) for storing n+1 elements of the field GF(2^m); a third memory unit (R1) for storing n elements of the field GF(2^m); at least one multiplying unit for multiplying the contents of said second memory unit by said one element of the field GF(2^m) stored in said buffer memory, wherein the contents of said second memory unit are not obtained by an exchange with the contents of another memory means prior to effecting said multiplication operation; means for shifting any one of said first, second or third memory units; and means for adding the contents of said second memory unit, or a part of it, to the contents of said first or third memory unit or a part thereof, or vice versa.
  • An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n) comprises dedicated hardware means for multiplying two elements of the field GF(2^m).
  • Said dedicated hardware means further comprise means for performing an adding operation.
  • An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n) comprises dedicated hardware means for squaring an element of the field GF(2^m) over the polynomial basis.
  • Fig. 1 shows in block diagram form a preferred method according to an embodiment of the invention for the calculation of the modular multiplicative inverse of an element of the arithmetic field GF((2^m)^n);
  • Fig. 2 shows the validity of a process for multiplying a plurality of elements of the field GF(2^m) by an element of said field, and further shows the utilization of said process;
  • Fig. 3 shows dedicated means for multiplying two elements of the field GF(2^8) over what is known as the polynomial basis;
  • Fig. 4 shows other dedicated means for multiplying two elements of the field GF(2^8) over the polynomial basis;
  • Fig. 5 shows dedicated means for multiplying two elements of the field GF(2^8) over what is known as the normal basis;
  • Figs. 6A and 6B show in block diagram form two variations of an apparatus according to an embodiment of the invention which comprises means for multiplying two elements of the field GF(2^m) and means for performing an addition operation, both of said means being integrated within one unit.
  • The case of effecting such a multiplication and addition without the use of a pre-processing unit is shown in Fig. 6A.
  • The case of effecting such a multiplication and addition with the use of a pre-processing unit is shown in Fig. 6B;
  • Fig. 7 shows an apparatus for multiplying a plurality of elements of the field GF(2^m) by an element of said field according to an embodiment of the invention.
  • Said apparatus, which uses one hardware multiplier of two elements of the field GF(2^m), is shown in Fig. 7A.
  • Said apparatus, which uses a plurality of hardware multipliers without the use of a pre-processing unit, is shown in Fig. 7B.
  • Said apparatus, which uses a plurality of hardware multipliers and which further uses a pre-processing unit, is shown in Fig. 7C;
  • Fig. 8A shows the use of a dedicated unit which, according to an embodiment of the invention, squares an element of the field GF(2^m).
  • Fig. 8B shows one implementation of said dedicated unit, which squares an element of the field GF(2^8);
  • Fig. 9A shows a method of calculating the modular multiplicative inverse over an internal field GF((2^5)^3), which replaces the field GF(2^15).
  • Fig. 9B shows a preferred apparatus for effecting the shift operations executed in the implementation of said method.
  • Fig. 9C shows a preferred apparatus for effecting the multiplication operations executed in the implementation of said method.
  • The invention provides an improved method for calculating multiplicative inverses over the field GF((2^m)^n), a method in which the number of moving operations among various memory means is significantly reduced and the control over said operations is significantly simplified in comparison to the existing prior art methods.
  • The invention further provides an apparatus for calculating multiplicative inverses over the field GF((2^m)^n) according to said method, and means of integrating the three fundamental operations effected in the implementation of Elliptic Curve Cryptography over GF((2^m)^n) (the calculation of the multiplicative inverse of an element of the field GF((2^m)^n), the calculation of the product of two elements of said field and the squaring of an element of said field) into one efficient process, which can be carried out by software or hardware means.
  • The calculation of modular multiplicative inverses over the field GF((2^m)^n) is effected by having two memory units, a first one for initially storing the generating polynomial of said external field and a second one for initially storing the field element to be inverted. Said two memory units are used to reduce the contents of said second memory unit by cancelling elements both from the most significant location and from the least significant location. This is done by reducing the degree of the polynomial stored in said second memory unit such that whenever zeros are generated by default, or exist at the least significant location, these zeros are cancelled as well, thereby reducing the overall number of executed arithmetic operations.
  • A particular feature of the invention is the ability to effect a multiplication of a plurality of elements of the field GF(2^m) by one element of said field by always multiplying the contents of one specific memory unit by one element of said field, while the size of said one specific memory unit is fixed to store n+1 elements of said field. Furthermore, no exchange of contents between said one specific memory unit and other memory units precedes said multiplication. In particular, the final result is generated in a location designated at the beginning of the process.
  • The method of the invention is valid for the case in which m and n are relatively prime and where the generating polynomial g(x) of the external field of GF((2^m)^n) has binary coefficients.
  • The generating polynomial f(x) of the internal field GF(2^m) has binary coefficients as well.
  • A left-shift of any memory unit in all explanations hereinafter refers to performing a division operation over the field GF((2^m)^n), as will be clear to those skilled in the art. If for any technical purpose a division operation is effected by a right-shift operation, then the direction of the indicated shifts (left or right) should be inverted.
  • The method of the invention comprises having memory units R0, R1 and R2, wherein R0 and R2 are capable of storing n+1 elements of the field GF(2^m) and R1 is capable of storing n elements of said field. While said memory unit R1 physically stores n elements, the index of the left-most element stored in R1 is denoted as i.
  • h denotes the location within said memory unit R0 of the rightmost non-zero element.
  • The value of this non-zero element is 1 (as an m-bit value) throughout the entire process.
  • Said memory unit R2 consists of three sections.
  • The left section, denoted as R2], becomes shorter during the process; k denotes the index of the last element of R2] within R2, where the index of the first element is 0.
  • The middle section of R2, which can be of length 0, is irrelevant to the process and contains 0s in practice.
  • R00*R20^-1 denotes an element of the field GF(2^m) obtained by multiplying the element R00 by the inverse of the element R20, where Rij^-1 denotes the modular multiplicative inverse over said field of the element Rij.
  • Rk*Y means multiplying each element of the field GF(2^m) stored in memory unit Rk by the field element Y.
  • The method of the invention suits the case in which the polynomial g(x) is a trinomial, in which s is the index of the middle non-zero coefficient. Extensions to other forms of g(x) will be clear to those skilled in the art.
  • h, i and j are set to n; k is set to n-1; p is set to 0.
  • R0 contains the coefficients of the trinomial g(x), which are 1 elements (as elements of the field GF(2^m)) at locations 0, s and n;
  • R2 contains the element b(x) of the field GF((2^m)^n) which is to be inverted;
  • R2 (comment: currently, R2] consists of a single non-zero element of the field GF(2^m).)
  • R2 ← R2*Y; shift R2 j times (as indicated in 106 in Fig. 1)
  • R2n ← R20
  • R2s ← R2s + R20; shift
  • R0 initially contains the generating polynomial g(x) of the field GF((2^m)^n).
  • The two memory units R0 and R2] always contain two polynomials which are obtained from g(x) and b(x) by multiplying both by the same element of the field GF(2^m), or by divisions by x over the field GF((2^m)^n), or by adding the content of one of said two memory units to the other.
  • GCD: Greatest Common Divisor.
  • R2] is shortened by cancelling, one at a time, the right (highest-degree) coefficient stored in R2] (whose index is k). Whenever the left element in R2] is 0, R2] is left-shifted and said 0 is cancelled. All other operations are executed while the left element in R2] is non-zero.
  • The initial value of the right element in R0 is 1 (as an element of the field GF(2^m)). Throughout the process, the value of this element never changes.
  • This element 'slides' across R2], via shifts of R0, and cancels the right non-zero element in R2]. Said shifts of R0 are effected by first cancelling the lowest-degree coefficient stored in R0 and then left-shifting R0.
  • Said memory unit [R2 is not shifted. (p is the accumulated number of left-shifts of [R2 which should have taken place, where said p is used in the post-processing starting at line 4 in said Pseudo-code 3.) [R2, which is not shifted and which initially contains a single non-zero value, 'grows' towards its left by additions of R1's elements to [R2. It is observed that not shifting [R2 creates the following conditions regarding various operations indicated in Pseudo-code 3:
  • Said one memory unit R2 is addressed as one unit which stores a fixed number of n+1 elements of the field GF(2^m).
  • Another feature in accordance with an embodiment of the invention concerns the fact that no exchange of contents between said memory unit R2 and another memory unit precedes the multiplication of the plurality of elements of the field GF(2^m) stored in said memory unit R2 by one element of said field.
  • Embodiments of the invention hereinafter described concern the use of dedicated means for multiplying two elements of the field GF(2^m).
  • The two multiplied field elements are (a0, a1, a2, a3, a4, a5, a6, a7) and (b0, b1, b2, b3, b4, b5, b6, b7), yielding the field element (c0, c1, c2, c3, c4, c5, c6, c7).
  • The unit 11 comprises eight 'AND' logic gates, which perform the multiplication a0*(b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7).
  • Each of the other groups of eight 'AND' logic gates shown in Fig. 3 below unit 11 multiplies one of the elements a1, a2, a3, a4, a5, a6, a7 by the polynomial (b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7).
  • The unit 12 comprises five 'XOR' logic gates which perform the modular arithmetic operation over (1 + x + x^6 + x^7 + x^8) in the generation of the coefficient c0 of the result (c0, c1, c2, c3, c4, c5, c6, c7).
  • Each of the other groups of 'XOR' logic gates shown in Fig. 3 below unit 12 performs the modular arithmetic operation over (1 + x + x^6 + x^7 + x^8) in the generation of the other coefficients of the result (c0, c1, c2, c3, c4, c5, c6, c7).
  • The unit 20 is a pre-processing unit which operates on the input field element (a0, a1, a2, a3, a4, a5, a6, a7) and which performs in advance the modular arithmetic operations over (1 + x + x^6 + x^7 + x^8).
  • The output of unit 20 enters a post-processing unit 21, whose other input is the field element (b0, b1, b2, b3, b4, b5, b6, b7).
  • The output of unit 21 consists of the coefficients of the field element (c0, c1, c2, c3, c4, c5, c6, c7), which is the result of the operation (a0 + a1x + a2x^2 + a3x^3 + a4x^4 + a5x^5 + a6x^6 + a7x^7) * (b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7) mod (1 + x + x^6 + x^7 + x^8).
  • The unit 21 comprises eight of the units 22, each one generating one of the coefficients c0, c1, c2, c3, c4, c5, c6, c7, where said unit 22 comprises eight 'AND' logic gates and a multiple-input 'XOR' gate.
  • The unit 30 is a pre-processing unit which operates on the input field element (a0, a1, a2, a3, a4, a5, a6, a7) and performs all the modular arithmetic operations needed when executing operations over a normal basis.
  • Unit 30 consists of seven units 32, each one receiving a cyclic shift of the eight input bits (a0, a1, a2, a3, a4, a5, a6, a7), as will be clear to persons skilled in the art.
  • The unit 30 further has a unit 33, which differs from said unit 32 by having one less 'XOR' gate.
  • The output of unit 30 consists of eight groups, each consisting of eight bits.
  • Each output group of unit 30 enters an array of eight 'AND' logic gates in the post-processing unit 31, while the other input to each of said 'AND' gates is a corresponding bit from (b0, b1, b2, b3, b4, b5, b6, b7).
  • Unit 31 consists of eight units, each of which is the same as said unit 22 of Fig. 4.
  • The output of unit 31 is the field element (c0, c1, c2, c3, c4, c5, c6, c7), which is the result of the multiplication of the field element (a0, a1, a2, a3, a4, a5, a6, a7) by the field element (b0, b1, b2, b3, b4, b5, b6, b7).
  • Figs. 3, 4 and 5, which show dedicated means for multiplying elements of the field GF(2^8) generated by f(x) = 1 + x + x^6 + x^7 + x^8, are given for illustration purposes. Similar circuits can be constructed by those skilled in the art for other values of m and for other generating polynomials f(x).
  • An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), in which two elements of the field GF(2^m) are multiplied by dedicated hardware means, forms an embodiment of the invention.
  • Fig. 6A shows a circuit according to an embodiment of the invention which integrates said multiplication and addition operations.
  • Unit 40, framed by a broken line, comprises unit 41 followed by unit 42 for summing the result of unit 41 with the value Rij.
  • Unit 41 multiplies the values of R2j and Y as two elements of the field GF(2^m) and can be implemented by one of the circuits of Fig. 3, 4 or 5 and their generalization to other values of m.
  • Fig. 6B shows in block diagram form a circuit according to an embodiment of the invention in which the multiplication and addition operations are integrated.
  • Unit 45 is a pre-processor, such as unit 20 of Fig. 4 or unit 30 of Fig. 5, and can be generalized for different values of m.
  • Unit 44 comprises a post-processor such as unit 21 of Fig. 4 (when the pre-processor is of the unit 20 type), or such as unit 31 of Fig. 5 (when the pre-processor is of the unit 30 type), and may be generalized for different values of m.
  • Unit 43, framed by broken lines, is comprised of said unit 44, followed by summing unit 42, for summing the result of unit 44 with the value Rij.
  • One part of the inventive method for calculating a modular multiplicative inverse of an element of the field GF((2^m)^n) concerns an ability to perform all multiplications of a plurality of elements of the field GF(2^m) by one element of said field by means of always storing said plurality of elements in one memory unit R2, addressed as one unit of a fixed length.
  • Fig. 7A shows an apparatus which comprises a unit 51 for effecting the multiplication of each element stored in R2 by one element which is stored in a buffer memory 50.
  • Said unit 51 can be implemented, for example, by any of the circuits shown in Fig. 3, 4 or 5.
  • The multiplication of the plurality of elements of the field GF(2^m), which are stored in memory unit R2, by one element of said field is executed by applying a plurality of dedicated means, each one of the form of said unit 51, for effecting a simultaneous multiplication of said plurality of elements by said one element, where said one element is stored in said buffer memory 50.
  • Fig. 7C shows another embodiment of the invention for effecting, in a slightly different way from that of Fig. 7B, a simultaneous multiplication of a plurality of elements by one element.
  • Said pre-processing unit may comprise a unit such as unit 20 of Fig. 4 (when operating over the polynomial basis) or an alternative unit such as unit 30 of Fig. 5 (when operating over the normal basis).
  • Each of the plurality of post-processing units 53 has two inputs, a first input for receiving a GF(2^m) element from memory unit R2 and a second input for receiving the output from pre-processing unit 52. If the pre-processing unit 52 is of the form of unit 20 (Fig. 4), then each of the post-processing units 53 has the form of unit 21 of Fig. 4. If, however, the pre-processing unit 52 has the form of unit 30 (Fig. 5), then each post-processing unit 53 should have the form of unit 31 of Fig. 5.
  • Fig. 8A shows an apparatus for effecting the method of squaring an element of the field GF((2^m)^n) stored in memory unit R1, hereinbefore described in Pseudo-code 2, according to one embodiment of the invention.
  • The operation of said unit 60 is effected by a dedicated circuit, which utilizes the fact that squaring an element of the field GF(2^m), when operating over the polynomial basis, can be implemented as a vector-matrix multiplication, as will be clear to persons skilled in the art.
  • An embodiment of the invention concerns an apparatus which composes into one operator the calculation of the multiplicative inverse of an element of the field GF((2^m)^n), the calculation of the product of two elements of said field and the squaring of an element of said field.
  • Said apparatus preferably comprises three memory units R0, R1 and R2, which store respectively n+1, n and n+1 elements of the field GF(2^m), where the following operations are effected on said memory units:
  • a first operation in which all the elements of the field GF(2^m) stored in said memory unit R2 are multiplied by one element of the same field stored in a buffer memory, where no such multiplication is effected in connection with said memory units R0 or R1 and where no exchange of contents between said memory unit R2 and either one of said memory units R0 or R1 takes place prior to said multiplication;
  • a second operation in which a variable number of elements of the field GF(2^m) stored in said memory unit R2 are added, element by element, to elements stored in said memory unit R0;
  • a third operation in which a variable number of elements of the field GF(2^m) stored in said memory unit R0 are added, element by element, to elements stored in said memory unit R2;
  • a fourth operation in which a variable number of elements of the field GF(2^m) stored in said memory unit R2 are added, element by element, to elements stored in said memory unit R1;
  • a fifth operation in which a variable number of elements of the field GF(2^m) stored in said memory unit R1 are added, element by element, to elements stored in said memory unit R2;
  • a sixth operation in which the elements of said memory unit R0 are left-shifted, either physically or by manipulations with indices;
  • a seventh operation in which a variable number of the elements of said memory unit R2 are left-shifted, either physically or by manipulations with indices;
  • a ninth operation in which a variable number of elements of said memory unit R1 are right-shifted, either physically or by manipulations with indices.
  • The operation "shift-right R1 from index (2i-1)" of Pseudo-code 2 is effected by said ninth operation.
  • The internal sub-field GF(2^m) can be replaced by a sub-field of 2^r elements, which in itself has a sub-field.
  • The calculation of modular multiplicative inverses over a sub-field of 2^r elements can be efficiently performed by the application of dedicated hardware which processes p-bit values at a time, for p being a divisor of r.
  • The functioning of the method of Fig. 9A is better understood from the following Pseudo-code 4, which executes the same process. The comments of Pseudo-code 4 further clarify the method.
  • Figs. 9B and 9C show a preferred apparatus for effecting some of the operations indicated in the method shown in Fig. 9A and the following Pseudo-code 4.
  • The four registers R0, R1, R2 and R3 of Fig. 9B act on 5-bit values.
  • The thick lines in Fig. 9B represent 5-bit lines.
  • The thick XOR gate operates on 5-bit values.
  • Rij denotes the 5 bits stored in location j of register i.
  • The four flags, flag0, flag1, flag2 and flag3, respectively indicate the existence of conditions under which R20, R21, R22 and R00 contain zeros. It should be noted that the value of the flag is 1 when the corresponding five bits are all 0s.
  • Fig. 9C shows a possible apparatus to be used for effecting the multiplication operations of Fig. 9A.
  • These operations concern multiplying the contents of R3, or the contents of R2-R3 (altogether six values of 5 bits each), by a 5-bit value Z.
  • The unit marked as 70 is a 5-bit inverter which yields the inverse of the element Y modulo the generating polynomial of the sub-field GF(2^5).
  • The unit marked as 71 multiplies two elements of the sub-field GF(2^5), one of which is Y^-1 and the other is R00.
  • Unit 73 multiplies the contents of R3, or the contents of R2-R3, by the value Z.
  • Pseudo-Code 4: A method for calculating modular multiplicative inverses over the field GF((25)3)
  • R00 contains a 1
  • R01 contains a 1
  • R02 contains a 0
  • R1 contains zeros
  • R2 contains the element b(x) to be inverted
  • R30 contains a 1, R31 and R32 contain a 0
  • R2-R3 = (R2-R3)*Z (as indicated in 307 in Fig. 9A)
  • R0-R1 = (R0-R1)+(R2-R3) (as indicated in 308 in Fig. 9A)
  • R2-R3 = (R2-R3)*Z (as indicated in 312 in Fig. 9A)
  • R2-R3 = (R2-R3)+(R0-R1) (as indicated in 313 in Fig. 9A)
  • R2-R3 = (R2-R3)*Z (as indicated in 319 in Fig. 9A)
  • R0-R1 = (R0-R1)+(R2-R3) (as indicated in 320 in Fig. 9A)
  • R2-R3 = (R2-R3)*Z (as indicated in 323 in Fig. 9A)
  • R2-R3 = (R2-R3)+(R0-R1) (as indicated in 324 in Fig. 9A)
  • R3 = R3*Z (as indicated in 327 in Fig. 9A)
  • stop. R3 contains the desired b(x)-1 (as indicated in 328 in Fig. 9A)
  • a major feature of the method of Fig. 9A is that no loops are used.
  • the execution of the complete process requires at most three shifts, four multiplications of R2-R3 by Z, one additional multiplication of R3 by Z and four additions of R0-R1 to R2-R3, or vice versa.

Abstract

A method for calculating modular multiplicative inverses of a Galois Field GF((2m)n) comprising the steps of: having first (R0), second (R2) and third (R1) memory units, storing respectively, n+1, n+1 and n elements of the field GF(2m); storing in said first memory unit the generating polynomial (g(x)) of the external field of said Galois Field; storing in said second memory unit the field element to be inverted, followed with a 0; performing various adding, shifting and multiplication operations on these registers in the lines of the Euclid algorithm; whereby: a) to reduce the contents of said first part of said second memory unit in the lines of the Euclid algorithm by canceling elements both from the most significant location and from the least significant location of said first part of said second memory unit; and b) to calculate modular multiplicative inverses by effecting steps in which a multiplication of a plurality of elements of the field GF(2m) by one element of said field is always effected when said plurality of elements is stored in one specific memory unit (R2) of a fixed length, without a prior exchange of contents between said one specific memory unit and another memory unit.

Description

COMPOSITE FIELD MULTIPLICATIVE INVERSE CALCULATION FOR ELLIPTIC CURVE CRYPTOGRAPHY
Field of the Invention
The present invention relates to a method and apparatus for efficiently implementing elliptic curve cryptographic operations over the Galois field GF((2m)n) based on an efficient software or hardware operator which calculates modular multiplicative inverses and the product and the square of elements of said field.
Background of the Invention
Elliptic Curve Cryptography (ECC) is one of the modern approaches for the implementation of key exchange over open channels and the generation of digital signatures. The underlying principles of ECC were published in N. Koblitz, "Elliptic Curve Cryptosystems", Mathematics of Computation, 48, pp. 203-209, 1987 and in V. Miller, "Uses of Elliptic Curves in Cryptography", Crypto '85, Springer-Verlag LNCS 218, pp. 417-426, 1986. ECC techniques and implementations are specified in ANSI X9.62-199x, Working Draft, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm, January 15, 1997, and in IEEE P1363 Working Draft, February 6, 1997.
Three fundamental arithmetic operations are required for implementing ECC: a) the calculation of modular multiplicative inverses of finite field elements; b) modular multiplication of such elements and c) their modular squaring. This invention concerns fast and efficient software and hardware methods for executing these operations in the arithmetic field known as the Galois field GF((2m)n). ECC implementations over Galois fields were described in G. Harper, A. Menezes and V. Vanstone, "Public Key Cryptosystems with Very Small Key Lengths", Eurocrypt '92, LNCS 658, pp. 163-173 and in De Win et al., "A Fast Software Implementation for Arithmetic Operations in GF(2n)", Asiacrypt '96. The advantages of implementing ECC-related operations over said GF((2m)n) stem from the ability to process m-bit values at a time, rather than single-bit values. Values of m such as 8, 16 or 32 are especially suitable for current CPUs.
Two polynomials with binary coefficients are used when operating over said GF((2m)n). One polynomial, g(x), of degree n, defines an 'external field'. Another polynomial, f(x), of degree m, defines an 'internal field'. n and m should be relatively prime. The elements of said GF((2m)n) are polynomials of degree n-1 or less, which involve operations over said polynomial g(x). The coefficients of these polynomials are themselves binary polynomials of degree m-1 or less, which involve operations in the field GF(2m) over said polynomial f(x). Operations over said GF((2m)n) can be executed either over the polynomial basis or the normal basis, as is clear to persons skilled in the art.
Hereinafter, Rij denotes an element of the field GF(2m) stored in the j-th place in memory unit Ri, wherein the index of the first (left) element is 0. The index i can have the values 0, 1 or 2. That is, the notation Rij refers to elements stored in memory units R0, R1 or R2.
Furthermore, forthcoming descriptions of operations over the field GF((2m)n) suit the case in which the polynomial g(x) is a trinomial in which s is the index of the middle non-zero coefficient. Extensions to a general polynomial g(x) will be clear to persons skilled in the art.
A method for effecting the operation of multiplying two elements of the field GF((2m)n) is described in the following Pseudo-code 1. A further explanation follows the description.
Pseudo-code 1: Multiplying two elements of the field GF((2m)n)
R0 and R2 are memory units that store n+1 elements of the field GF(2m), while memory unit R1 stores n elements.
Initially: R0 contains the multiplier b(x) of the field GF((2m)n) followed by a 0;
R2 contains the multiplicand c(x) of said field followed by a 0;
R1 contains 0's.
(comment: Said right-most 0 in R0 and R2 is the 0 element of the field GF(2m).)
for i = 0 to n-2
R1 = R1 + R2*R0i
(comment: The operation R2*R0i and the subsequent addition to R1 do not concern the right-most element in R2.)
shift-right R2
R20 = R2n
R2s = R2s + R2n
(comment: The above right-shift multiplies the contents of R2 by x, modulo the generating trinomial g(x).)
R1 = R1 + R2*R0(n-1)
stop
The final content of R1 is b(x)·c(x). The above process is a shift-and-add process, in which the right-shift operations of R2 modulo the generating polynomial generate the successive values of xi·c(x). These values are multiplied by the corresponding coefficient of b(x) and the results of said multiplications are accumulated in R1.
A method for effecting the operation of squaring an element of the field GF((2m)n) is described in the following Pseudo-code 2. A further explanation follows the description.
Pseudo-code 2: Squaring an element of the field GF((2m)n)
R1 is a memory unit that stores n elements of the field GF(2m), while memory unit R2 stores n+1 elements.
Initially: R1 contains the element b(x) to be squared; R2 contains 0's.
for i = 0 to n-1
R1i = [R1i]2
for i = 1 to (n-1)/2
R2(n-1) = R2(n-1) + R1(n-1)
shift-right R1 from index (2i-1)
(Comment: after this stage, the element of the field GF(2m) that was originally at location i in memory unit R1 is now at location 2i and the element that was originally at location n-1 is shifted out of the memory unit.)
shift-right R2 (2x)
R20 = R2n
R2s = R2s + R2n
(Comment: The execution of the above three lines is repeated twice. The first execution processes the element moved from R1 as xn mod g(x). The second execution ensures that finally this coefficient is placed, mod g(x), at a place with a doubled index. When i = (n-1)/2 the elements stored in R1 stand for the coefficients of b(x)2 of degrees n-1 or less. The following operation adds this lower part of b(x)2 to R2.)
R2 = R2 + R1
stop
The final content of R2, while ignoring the right-most (n-th) element, is b(x)2.
Explanation:
This method is based on the fundamental fact that the square of b(x) is obtained by taking the square over the field GF(2m) of each of the coefficients of b(x) and then placing each of the coefficients at a location whose index is double the original index, where placements at indices higher than n-1 are accompanied by operations modulo the generating polynomial g(x) of the field GF((2m)n).
When operating over the normal basis of the field GF(2m), said operation R1i = [R1i]2 indicated in Pseudo-code 2 is effected as a single cyclic shift of the field element, as will be clear to persons skilled in the art. It would be possible to simultaneously cyclically shift all n elements of the field GF(2m) stored within said memory unit R1.
Modular multiplicative inverse operations, which need to be executed when implementing ECC operations, can be based on exponentiations such as indicated in G.B. Agnew et al., "An Implementation of Elliptic Curve Cryptosystems over F2155", IEEE J. on Sel. Areas in Communications, 1993, pp. 804-813, or on the Euclid algorithm. Euclid-based calculations of the multiplicative inverse of an element of the field GF(2n) are shown in E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, 1968, pp. 36-44. Euclid-based calculations of the multiplicative inverse of an element of GF((2m)n) are shown in De Win et al., "A Fast Software Implementation for Arithmetic Operations in GF(2n)", Asiacrypt '96 and in R. Schroeppel et al., "Fast Key Exchange with Elliptic Curve Systems", Crypto '95, LNCS 963, 1995, pp. 43-56.
Summary of the Invention
The invention relates to a first method for calculating modular multiplicative inverses of a Galois Field GF((2m)n), by an apparatus having first, second and third memory units, the method comprising the steps of:
- having first (R0), second (R2) and third (R1) memory units storing respectively, n+1, n+1 and n elements of the field GF(2m);
- storing in said first memory unit the generating polynomial (g(x)) of the external field of said Galois Field;
- storing in said second memory unit the field element to be inverted, followed with a 0;
- adding the contents of the first part of said second memory unit (R2]) to the contents of said first memory unit and adding the contents of the second part of said second memory unit ([R2) to the contents of said third memory unit in the lines of the Euclid algorithm;
- adding the contents of a part of said first memory unit to the contents of the first part of said second memory unit (R2]) and adding the contents of a part of said third memory unit to the contents of the second part of said second memory unit ([R2) in the lines of the Euclid algorithm and in order to convert into a zero value the element of the field GF(2m) stored at the most significant place at said first part of said second memory unit;
- effecting shift operations on said first memory unit and said first part of said second memory unit, while not shifting said second part of said second memory unit, in order to cancel elements of the field GF(2m) stored at the least significant place at said first and second memory units;
- effecting multiplication operations in which the entire contents of said second memory unit are multiplied by one element of said field in the lines of the Euclid algorithm; whereby:
a. to reduce the contents of said first part of the second memory unit in the lines of the Euclid algorithm by canceling elements both from the most significant location and from the least significant location of said first part of second memory unit; and
b. to calculate modular multiplicative inverses by effecting steps in which a multiplication of a plurality of elements of the field GF(2m) by one element of said field is always effected when said plurality of elements is stored in one specific memory unit (R2) of a fixed length, without a prior exchange of contents between said one specific memory unit and another memory unit.
According to one embodiment of the invention, each one of said elements of the field GF(2m) is a single bit.
The invention further relates to a second method for effecting the operations of calculating the product of two elements of the field GF((2m)n), calculating the square of an element of said field and calculating the multiplicative inverse of an element of said field, comprising the steps of:
- having first (R0), second (R2) and third (R1) memory units which store, respectively, n+1, n+1 and n elements of the field GF(2m);
- multiplying all the elements of the field GF(2m) stored in said second memory unit by one element of said field where no such multiplication is effected in connection with said first or third memory units and where no exchange of contents between said second memory unit and said first or third memory units takes place prior to said multiplication;
- adding a variable number of elements of the field GF(2m) stored in said first memory unit to elements stored in said second memory unit;
- adding a variable number of elements of the field GF(2m) stored in said second memory unit to elements stored in said first memory unit;
- adding a variable number of elements of the field GF(2m) stored in said third memory unit to elements stored in said second memory unit;
- adding a variable number of elements of the field GF(2m) stored in said second memory unit to elements stored in said third memory unit;
- shifting, either physically or by manipulations with indices, the elements stored in said first memory unit;
- shifting, either physically or by manipulations with indices, a variable number of elements stored in said second memory unit;
- shifting, either physically or by manipulations with indices, the elements stored in said second memory unit while modular operations over the generating polynomial of the field GF((2m)n) are being performed; and
- shifting, either physically or by manipulations with indices, a variable number of elements stored in said third memory unit;
whereby to have a unified method which effects, by effecting any of the aforesaid steps, the operations of calculating the product of two elements of the field GF((2m)n), calculating the square of an element of said field and calculating the multiplicative inverse of an element of said field.
Preferably, the value of said m equals the product of two different prime numbers p and r and the calculation of the modular multiplicative inverses is performed by processing p-bit values at a time.
The invention further relates to an apparatus for carrying out said first method, in which a multiplication of a plurality of elements of the field GF(2m) which is stored in said specific memory unit, by one element of said field which is stored in a buffer memory, is effected by using a plurality of circuits, each such circuit multiplying one element by an element stored in said specific memory unit. Preferably, in said apparatus the multiplication of a plurality of elements of the field GF(2m) stored in said specific memory unit by one element of said field is effected by using one pre-processing circuit which processes said one element and a plurality of post-processing circuits, each such circuit operating on two values, one being the output of said pre-processing circuit and the other value being an element stored in said specific memory unit.
Furthermore, the invention relates to an apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2m)n), which comprises: a buffer memory for storing one element of the field GF(2m), a first memory unit (R0) for storing n+1 elements of the field GF(2m), a second memory unit (R2) for storing n+1 elements of the field GF(2m), a third memory unit (R1) for storing n elements of the field GF(2m), at least one multiplying unit for multiplying the contents of said second memory unit by said one element of the field GF(2m) stored in said buffer memory, wherein the contents of said second memory unit are not obtained by an exchange with the contents of another memory means prior to effecting said multiplication operation, means for shifting any one of said first, second or third memory units and means for adding the contents of said second memory unit or a part of it to the contents of said first or third memory unit or a part thereof, or vice versa.
According to one embodiment of the invention an apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2m)n) comprises dedicated hardware means for multiplying two elements of the field GF(2m). According to still another embodiment of the invention said dedicated hardware means further comprise means for performing an addition operation.
According to one embodiment of the invention an apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2m)n) comprises dedicated hardware means for squaring an element of the field GF(2m) over the polynomial basis.
Brief Description of the Drawings
In the drawings:
Fig. 1 shows in block diagram form a preferred method according to an embodiment of the invention for the calculation of the modular multiplicative inverse of an element of the arithmetic field GF((2m)n);
Fig. 2 shows the validity of a process for multiplying a plurality of elements of the field GF(2m) by an element of said field and further shows the utilization of said process. The relation among the various indices which concern the operation of certain registers R1 and [R2 when the operation R1 = R1 + [R2 is effected for a specified condition i<j is shown in Fig. 2A. The relation among the various indices which concern the operation of said registers R1 and [R2, when the operation R1 = R1 + [R2 is effected for a specified condition i>j, is shown in Fig. 2B. The relation among the various indices which concern the operation of said registers R1 and [R2 when the operation [R2 = [R2 + R1 is effected is shown in Fig. 2C;
Fig. 3 shows dedicated means for multiplying two elements of the field GF(28) over what is known as the polynomial basis;
Fig. 4 shows other dedicated means for multiplying two elements of the field GF(28) over the polynomial basis;
Fig. 5 shows dedicated means for multiplying two elements of the field GF(28) over what is known as the normal basis;
Figs. 6A and 6B show in block diagram form two variations of an apparatus according to an embodiment of the invention which comprises means for multiplying two elements of the field GF(2m) and means for performing an addition operation, both of said means being integrated within one unit. The case of effecting such a multiplication and addition without the use of a pre-processing unit is shown in Fig. 6A. The case of effecting such a multiplication and addition with the use of a pre-processing unit is shown in Fig. 6B;
Fig. 7 shows an apparatus for multiplying a plurality of elements of the field GF(2m) by an element of said field according to an embodiment of the invention. Said apparatus, which uses one hardware multiplier of two elements of the field GF(2m), is shown in Fig. 7A. Said apparatus, which uses a plurality of hardware multipliers without the use of a pre-processing unit, is shown in Fig. 7B. Said apparatus, which uses a plurality of hardware multipliers and which further uses a pre-processing unit, is shown in Fig. 7C;
Fig. 8A shows the use of a dedicated unit which according to an embodiment of the invention squares an element of the field GF(2m). Fig. 8B shows one implementation of said dedicated unit, which squares an element of the field GF(28);
Fig. 9A shows a method of calculating the modular multiplicative inverse over an internal field GF((25)3), which replaces the field GF(2m). One preferred apparatus for effecting the shift operations executed in the implementation of said method is shown in Fig. 9B. Fig. 9C shows a preferred apparatus for effecting the multiplication operations executed in the implementation of said method.
Detailed Description of Preferred Embodiments
The invention provides an improved method for calculating multiplicative inverses over the field GF((2m)n), a method in which the number of moving operations among various memory means is significantly reduced and the control over said operations is significantly simplified in comparison to the existing prior art methods. The invention further provides an apparatus for calculating multiplicative inverses over the field GF((2m)n) according to said method and means of integrating the three fundamental operations effected in the implementation of Elliptic Curve Cryptography over GF((2m)n) (the calculation of the multiplicative inverse of an element of the field GF((2m)n), the calculation of the product of two elements of said field and the squaring of an element of said field) into one efficient process, which can be carried out by software or hardware means. At the fundamental algorithmic level, the calculation of modular multiplicative inverses over the field GF((2m)n) is effected by having two memory units, a first one for initially storing the generating polynomial of said external field and the second one for initially storing the field element to be inverted. Said two memory units are used to reduce the contents of said second memory unit by cancelling elements both from the most significant location and from the least significant location. This is done by reducing the degree of the polynomial stored in said second memory unit such that whenever zeros are generated by default, or exist at the least significant location, these zeros are cancelled as well, thereby reducing the overall number of the executed arithmetic operations.
A particular feature of the invention is the ability to effect a multiplication operation of a plurality of elements of the field GF(2m) by one element of said field, by always multiplying the contents of one specific memory unit by one element of said field, while the size of said one specific memory unit is fixed to store n+1 elements of said field. Furthermore, no exchange of contents between said one specific memory unit and other memory units precedes said multiplication. In particular, the final result is generated in a location designated at the beginning of the process.
All the modular arithmetic operations which are needed to be performed over the generating polynomial g(x) of the external field of GF((2m)n) concern only the contents of said one specific memory unit.
The method of the invention is valid for the case in which m and n are relatively prime and where the generating polynomial g(x) of the external field of GF((2m)n) has binary coefficients. Of course, the generating polynomial f(x) of the internal field GF(2m) has binary coefficients as well.
A left-shift of any memory unit in all explanations hereinafter refers to performing a division operation over the field GF((2m)n), as will be clear to those skilled in the art. If for any technical purpose a division operation is effected by a right-shift operation, then the direction of the indicated shifts (left or right) should be inverted. The method of the invention comprises having memory units R0, R1 and R2, wherein R0 and R2 are capable of storing n+1 elements of the field GF(2m) and R1 is capable of storing n elements of said field. While said memory unit R1 physically stores n elements, the index of the left-most element stored in R1 is denoted as i.
As was defined, Rij denotes an element of the field GF(2m) stored in the j-th place in memory unit Ri, wherein the index of the first (left) element is 0.
Hereinafter, h denotes the location within said memory unit RO of the rightmost non-zero element. The value of this non-zero element is 1 (as an m-bit value) throughout the entire process.
Said memory unit R2 consists of three sections. The left section, denoted as R2], becomes shorter during the process. k denotes the index of the last element of R2] within R2, where the index of the first element is 0. The right section of R2, denoted as [R2, lengthens during the process. j denotes the index of the first element of [R2 within R2, wherein the index of the last element is n. The middle section of R2, which can be of length 0, is irrelevant to the process and contains 0s in practice.
The function of the method of the invention is shown in Fig. 1 and is better understood from observing the following Pseudo-code 3, which executes the same process. Comments under Pseudo-code 3 and the explanation which follows it further clarify the method of the invention. All the shifts indicated in the process are left shifts. (If the indexing is from the right, which is not the case in the following descriptions, then all shifts are to the right). The left element in a shifted memory unit is shifted out and discarded.
R00*R20-1 denotes an element of the field GF(2m) obtained by multiplying the elements R00 and R20-1, in which Rij-1 denotes the modular multiplicative inverse over said field of the element Rij. Rk*Y means multiplying each element of the field GF(2m) stored in memory unit Rk by the field element Y. The method of the invention suits the case in which the polynomial g(x) is a trinomial in which s is the index of the middle non-zero coefficient. Extensions to other forms of g(x) will be clear to those skilled in the art.
Pseudo-code 3. Calculating the multiplicative inverse of an element of the field GF((2m)n)
Initially: (as indicated in 101 in Fig. 1)
h, i and j are set to n; k is set to n-1; p is set to 0.
R0 contains the coefficients of the trinomial g(x), which are 1 elements (as elements of the field GF(2m)) at locations 0, s and n;
R2] contains the element b(x) of the field GF((2m)n) which is to be inverted;
[R2 contains a 1.
1 If R2k = 0 then k = k-1 and go to 1 (as indicated in 102 and 103 in Fig. 1)
(comment: the above loop decreases the value of k according to the number of 0's on the right of R2].)
2 If k = 0 go to 4 (as indicated in 104 in Fig. 1)
(comment: currently, R2] consists of a single non-zero element of the field GF(2m).)
If R20 not equal 0 go to 3 (as indicated in 111 in Fig. 1)
shift R2]
k = k - 1
i = i + 1
p = p + 1
go to 2
(as indicated in 113 in Fig. 1)
(comment: the above loop shifts-left R2] until the left cell contains a non-zero element. [R2 does not shift. Instead of this, p is updated.)
3 If R00 ≠ 0 then Y = R00*R20-1 (as indicated in 112 and 119 in Fig. 1) and
R2 = R2*Y
R0 = R0 + R2]
R1 = R1 + [R2
if j < i then i = j
(as indicated in 120 in Fig. 1)
(comment: After the above is executed, R00 = 0. All + notations mean an XOR operation. By definition, the addition of [R2 to R1 is from index j to index n in R1. i denotes, as defined, the index of the left-most element stored in R1.)
shift R0
i = i - 1
h = h - 1
(as indicated in 114 in Fig. 1)
If R2h = 0 go to 3 (as indicated in 115 in Fig. 1)
(comment: The above loop shifts R0 and R1 to the left, while taking care that the element of the field GF(2m) stored on the left of R0 is 0; the shift operation continues until the h-th element of R0, which always contains the value 1, is positioned across the k-th element of R2], where the next operations convert this element into 0. This way, R2] becomes shorter.)
Y = R2k-1 (as indicated in 116 in Fig. 1)
R2 = R2*Y
R2] = R2] + R0
[R2 = [R2 + R1
(as indicated in 117 in Fig. 1)
j = i
k = k - 1
go to 1
(as indicated in 118 in Fig. 1)
(comment: After the above is executed, R2]k = 0. By definition, the addition of R1 to [R2 is from index i to index n in R2.)
4 Y = R20-1 (as indicated in 105 in Fig. 1)
R2 = R2*Y
shift R2 j times
(as indicated in 106 in Fig. 1)
(comment: the last shift puts [R2 at the left side of the memory unit R2.)
r = n+p-j-1 (as indicated in 107 in Fig. 1)
for i = 0 to r
R2n = R20
R2s = R2s + R20
shift R2
(as indicated in 108 and 109 in Fig. 1)
stop
The final content of R2, starting with index 0, is b-1(x) (as indicated in 110 in Fig. 1).
Explanation:
R0 initially contains the generating polynomial g(x) of the field GF((2m)n). The two memory units R0 and R2] always contain two polynomials which are obtained from g(x) and b(x) by multiplying both by the same element of the field GF(2m), or by divisions by x over the field GF((2m)n), or by adding the content of one of said two memory units to the other. The GCD (Greatest Common Divisor) of the polynomials stored in these two memory units is 1, since g(x) is irreducible. Said GCD remains unchanged until R2] contains a guaranteed single non-zero element of the field GF(2m), when the procedure then gets to the line indicated by 4. Corresponding operations are performed on [R2 and R1, whose initial contents are respectively 1 and 0. This is done in accordance with the Euclid algorithm and according to prior art, as will be clear to persons skilled in the art.
All the calculations up to line 4 in Pseudo-code 3 are intended to shorten R2], whose initial content consists of the element b(x) of the field GF((2m)n) and whose multiplicative inverse is to be calculated, the final contents of R2] before line 4 is executed being a single non-zero element of the field GF(2m).
R2] is shortened by cancelling, one at a time, the right (highest-degree) coefficient stored in R2] (whose index is k). Whenever the left element in R2] is 0, R2] is left-shifted and said 0 is cancelled. All other operations are executed while the left element in R2] is non-zero. By definition, the initial value of the right element in R0 is 1 (as an element of the field GF(2m)). Throughout the process, the value of this element never changes. This element 'slides' across R2], via shifts of R0, and cancels the right non-zero element in R2]. Said shifts of R0 are effected by first cancelling the lowest-degree coefficient stored in R0 and then left-shifting R0. Different tasks are thereby assigned to each of said three memory units R0, R1 and R2, in order to perform said shortening of R2]. A clear feature of Pseudo-code 3, according to an embodiment of the method of the invention, concerns cancellations of right non-zero elements in R2] while shifting R2] in the case in which there is a left 0 in R2], thereby reducing the contents of R2] from both sides. This feature is also applicable to the calculation of modular multiplicative inverses over the field GF(2n), which can be viewed as the field GF((2m)n) for the case m=0, in which case the elements of the field GF(2m) are a single bit.
According to an embodiment of the method of the invention, said memory unit [R2 is not shifted. (p is the accumulated number of left-shifts of [R2 which should have taken place, where said p is used in the post-processing starting at line 4 in said Pseudo-code 3.) [R2, which is not shifted and which initially contains a single non-zero value, 'grows' towards its left by additions of R1's elements to [R2. It is observed that not shifting [R2 creates the following conditions regarding various operations indicated in Pseudo-code 3:
1. The relation among the various indices which concern the operation of said registers R1 and R2 when the operation R1 = R1 + [R2 is effected for i<j is shown in Fig. 2A, clarifying a condition under which the last element of [R2, when added to a corresponding place in R1, does not fall on the right of the element with index i+n-1 in R1, thereby keeping the length of R1 as n.
2. The relation among the various indices which concern the operation of said registers R1 and R2, when the operation R1 = R1 + [R2 is effected for i>j, is shown in Fig. 2B, clarifying a condition under which said operation always takes place when the last (i-j) elements of R1 are 0. Therefore, while the index i of the first element of R1, after the addition, points at an element which is (i-j) places to the left of the first element of R1 before the addition, the length of R1 is still kept as n, since the right (i-j) 0s are deleted.
3. The relation among the various indices which concern the operation of said registers R1 and R2 when the operation [R2 = [R2 + R1 is effected is shown in Fig. 2C. As clarified in the illustration, said operation always takes place under the condition k<i<j. As observed in Pseudo-code 3, said operation [R2 = [R2 + R1 is always accompanied by updating the value of j to equal i. The condition i<j means that j gets lower or remains the same. This is the only way by which [R2 expands to the left, as [R2 never shifts. The condition i>k guarantees that the sum of the lengths of R2] and [R2 does not exceed n+1. Fig. 2C also shows the existence of a condition under which said operation [R2 = [R2 + R1 is effected when all the elements in R1 of index >n are 0. Therefore, R2 never grows to the right beyond the index n.
The existence of said conditions specified in 1, 2 and 3 above is guaranteed by not shifting [R2, and the existence of said conditions enables the following features in accordance with an embodiment of the invention:
any multiplication of a plurality of elements of the field GF(2^m) by one element of said field concerns the multiplication of the content of said one memory unit R2 by said one element, as indicated by the operation R2 = R2*Y of Pseudo-code 3;
said one memory unit R2 is addressed as one unit which stores a fixed number, n+1, of elements of the field GF(2^m).
Another feature in accordance with an embodiment of the invention concerns the fact that no exchange of contents between said memory unit R2 and another memory unit precedes the multiplication of the plurality of elements of the field GF(2^m) stored in said memory unit R2 by one element of said field.
The operations indicated in Fig. 1 and in said Pseudo-code 3 as: for i = 0 to r: R2_n = R2_0; R2_s = R2_s + R2_0; shift R2, can be implemented by operating said memory unit R2 as a feedback shift register using circuitry of the form indicated, for example, in W.W. Peterson and E.J. Weldon, Error Correcting Codes, The MIT Press, 1972, pp. 170-205.
Embodiments of the invention hereinafter described concern the use of dedicated means for multiplying two elements of the field GF(2^m). A way of effecting said dedicated means is shown in Fig. 3 for the case m=8 and for a generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8, where the implementation is over what is known as the polynomial basis. The two multiplied field elements are (a0, a1, a2, a3, a4, a5, a6, a7) and (b0, b1, b2, b3, b4, b5, b6, b7), yielding the field element (c0, c1, c2, c3, c4, c5, c6, c7). The shown dedicated means execute the modular polynomial multiplication (a0 + a1x + a2x^2 + a3x^3 + a4x^4 + a5x^5 + a6x^6 + a7x^7)*(b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7) mod (1 + x + x^6 + x^7 + x^8) = (c0 + c1x + c2x^2 + c3x^3 + c4x^4 + c5x^5 + c6x^6 + c7x^7). The unit 11 comprises eight 'AND' logic gates, which perform the multiplication a0*(b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7).
Similarly, each of the other groups of eight 'AND' logic gates shown in Fig. 3 below unit 11 multiplies one of the elements a1, a2, a3, a4, a5, a6, a7 by the polynomial (b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7). The unit 12 comprises five 'XOR' logic gates which perform the modular arithmetic operation over (1 + x + x^6 + x^7 + x^8) in the generation of the coefficient c0 of the result (c0, c1, c2, c3, c4, c5, c6, c7). Similarly, each of the other groups of 'XOR' logic gates shown in Fig. 3 below unit 12 performs the modular arithmetic operation over (1 + x + x^6 + x^7 + x^8) in the generation of the other coefficients of the result (c0, c1, c2, c3, c4, c5, c6, c7).
Fig. 4 shows another implementation of said dedicated means for multiplying two elements of the field GF(2^m) for the case m=8 and for a generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8 over the polynomial basis. The unit 20 is a pre-processing unit which operates on the input field element (a0, a1, a2, a3, a4, a5, a6, a7) and performs in advance the modular arithmetic operations over (1 + x + x^6 + x^7 + x^8). The output of unit 20 enters a post-processing unit 21, whose other input is the field element (b0, b1, b2, b3, b4, b5, b6, b7). The output of unit 21 consists of the coefficients of the field element (c0, c1, c2, c3, c4, c5, c6, c7), which is the result of the operation (a0 + a1x + a2x^2 + a3x^3 + a4x^4 + a5x^5 + a6x^6 + a7x^7) * (b0 + b1x + b2x^2 + b3x^3 + b4x^4 + b5x^5 + b6x^6 + b7x^7) mod (1 + x + x^6 + x^7 + x^8). The unit 21 comprises eight of the units 22, each one generating one of the coefficients c0, c1, c2, c3, c4, c5, c6, c7, where said unit 22 comprises eight 'AND' logic gates and a multiple-input 'XOR' gate.
Fig. 5 shows another implementation of said dedicated means for multiplying two elements of the field GF(2^m), for the case m=8 and for a generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8, over what is known as the normal basis. Such an implementation is possible because the eight roots of f(x) are linearly independent over GF(2), so the multiplication of the field elements (a0, a1, a2, a3, a4, a5, a6, a7) and (b0, b1, b2, b3, b4, b5, b6, b7) of the field GF(2^8) can be effected, over the normal basis generated by f(x), by the operation (a0x + a1x^2 + a2x^4 + a3x^8 + a4x^16 + a5x^32 + a6x^64 + a7x^128) * (b0x + b1x^2 + b2x^4 + b3x^8 + b4x^16 + b5x^32 + b6x^64 + b7x^128) mod (1 + x + x^6 + x^7 + x^8) = (c0x + c1x^2 + c2x^4 + c3x^8 + c4x^16 + c5x^32 + c6x^64 + c7x^128).
The unit 30 is a pre-processing unit which operates on the input field element (a0, a1, a2, a3, a4, a5, a6, a7) and performs all the modular arithmetic operations needed when executing operations over a normal basis. Unit 30 consists of seven units 32, each one receiving a cyclic shift of the eight input bits (a0, a1, a2, a3, a4, a5, a6, a7), as will be clear to persons skilled in the art. The unit 30 further has a unit 33, which differs from said unit 32 by having one less 'XOR' gate. The output of unit 30 consists of eight groups, each consisting of eight bits. Each output group of unit 30 enters an array of eight 'AND' logic gates in the post-processing unit 31, while the other input to each of said 'AND' gates is a corresponding bit from (b0, b1, b2, b3, b4, b5, b6, b7). Unit 31 consists of eight units, each of which is the same as said unit 22 of Fig. 4. The output of unit 31 is the field element (c0, c1, c2, c3, c4, c5, c6, c7), which is the result of the multiplication of the field element (a0, a1, a2, a3, a4, a5, a6, a7) by the field element (b0, b1, b2, b3, b4, b5, b6, b7). Figs. 3, 4 and 5, which show dedicated means for multiplying elements of the field GF(2^8) generated by f(x) = 1 + x + x^6 + x^7 + x^8, are given for illustration purposes. Similar circuits can be constructed by those skilled in the art for other values of m and for other generating polynomials f(x).
An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), in which two elements of the field GF(2^m) are multiplied by dedicated hardware means, forms an embodiment of the invention.
Pseudo-code 3 includes the multiplication operation R2 = R2*Y, followed by addition operations of the general form R2 = R2 + R1 or R1 = R1 + R2. Fig. 6A shows a circuit according to an embodiment of the invention which integrates said multiplication and addition operations. Unit 40, framed by a broken line, comprises unit 41 followed by unit 42 for summing the result of unit 41 with the value R_ij. Unit 41 multiplies the values of R2_j and Y as two elements of the field GF(2^m) and can be implemented by one of the circuits of Fig. 3, 4 or 5 and their generalization to other values of m.
Fig. 6B shows in block diagram form a circuit according to an embodiment of the invention in which the multiplication and addition operations are integrated. Unit 45 is a pre-processor, such as unit 20 of Fig. 4 or unit 30 of Fig. 5, and can be generalized for different values of m. Unit 44 comprises a post-processor such as unit 21 of Fig. 4 (when the pre-processor is of the unit 20 type) or such as unit 31 of Fig. 5 (when the pre-processor is of the unit 30 type), and may be generalized for different values of m. Unit 43, framed by broken lines, is comprised of said unit 44, followed by summing unit 42, for summing the result of unit 44 with the value R_ij.
As indicated hereinbefore, one part of the inventive method for calculating a modular multiplicative inverse of an element of the field GF((2^m)^n) concerns an ability to perform all multiplications of a plurality of elements of the field GF(2^m) by one element of said field by always storing said plurality of elements in one memory unit R2, addressed as one unit of a fixed length. One embodiment of the invention is shown in Fig. 7A, which comprises a unit 51 for effecting multiplication of each element stored in R2 by one element which is stored in a buffer memory 50. Said unit 51 can be implemented, for example, by any of the circuits shown in Fig. 3, 4 or 5.
According to another embodiment of the invention, the multiplication of the plurality of elements of the field GF(2^m) which are stored in memory unit R2 by one element of said field is executed by applying a plurality of dedicated means, each one of the form of said unit 51, for effecting a simultaneous multiplication of said plurality of elements by said one element, where said one element is stored in said buffer memory 50. Such an implementation is shown in Fig. 7B.
Fig. 7C shows another embodiment of the invention for effecting, in a slightly different way from that of Fig. 7B, a simultaneous multiplication of a plurality of elements by one element. In order to multiply one element of the field GF(2^m) by the plurality of field elements stored in said memory unit R2, said one element, stored in buffer memory 50, forms the input to the pre-processing unit 52, where said pre-processing unit may comprise a unit such as unit 20 of Fig. 4 (when operating over the polynomial basis) or an alternative unit such as unit 30 of Fig. 5 (when operating over the normal basis). Each of the plurality of post-processing units 53 has two inputs, a first input for receiving a GF(2^m) element from memory unit R2 and a second input for receiving the output from pre-processing unit 52. If the pre-processing unit 52 is of the form of unit 20 (Fig. 4), then each of the post-processing units 53 has the form of unit 21 of Fig. 4. If, however, the pre-processing unit 52 has the form of unit 30 (Fig. 5), then each post-processing unit 53 should have the form of unit 31 of Fig. 5.
Fig. 8A shows an apparatus for effecting the method of squaring an element of the field GF((2^m)^n) stored in memory unit R1, hereinbefore described in Pseudo-Code 2, according to one embodiment of the invention. Unit 60 effects the operation R1_i = [R1_i]^2 (the squaring of the GF(2^m) element R1_i) specified in said Pseudo-Code. When operating over the polynomial basis of the field GF(2^m), the operation of said unit 60 is effected by a dedicated circuit which utilizes the fact that squaring an element of the field GF(2^m) over the polynomial basis is a linear operation over GF(2) and can therefore be implemented as a vector-matrix multiplication, as will be clear to persons skilled in the art. Fig. 8B shows a design of a dedicated circuit which effects said vector-matrix multiplication for a generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8.
An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), in which an element of the field GF(2^m) is squared, over the polynomial basis, by dedicated hardware means, forms an embodiment of the invention.
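The arithmetic behind the multipliers of Figs. 3, 4 and 5 and the squaring matrix of Fig. 8B, as an added example in Python. This is not code from the patent or from the applicant; the function names are mine. It uses the page's generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8 in polynomial-basis (byte) representation, derives the Fig. 8B matrix as the rows x^(2i) mod f(x), and checks the claim on which the Fig. 5 normal-basis multiplier rests, namely that the eight roots of f(x) are linearly independent over GF(2). The AES polynomial x^8 + x^4 + x^3 + x + 1 appears only as a counter-example: its x^7 coefficient (the trace of a root) is 0, so its conjugates sum to 0 and do not form a normal basis.

```python
# Added example (not code from the patent): GF(2^8) arithmetic for the
# generating polynomial f(x) = 1 + x + x^6 + x^7 + x^8 of Figs. 3, 4, 5 and 8B.
# Polynomial basis: the element (a0, ..., a7) is the byte a0 + 2*a1 + ... + 128*a7.

F = 0x1C3  # bits 8, 7, 6, 1, 0: x^8 + x^7 + x^6 + x + 1


def gf_mul(a, b, f=F, m=8):
    """a * b mod f(x) over GF(2); the structure of Fig. 3.

    The first loop is the array of AND gates: row i is a_i times the
    polynomial b(x), shifted i places.  The second loop is the XOR rows that
    fold the degrees 2m-2 ... m back below m using x^8 = x^7 + x^6 + x + 1.
    """
    prod = 0
    for i in range(m):
        if (a >> i) & 1:
            prod ^= b << i
    for d in range(2 * m - 2, m - 1, -1):
        if (prod >> d) & 1:
            prod ^= f << (d - m)
    return prod


def gf_pow(a, e, f=F, m=8):
    """Square-and-multiply exponentiation in GF(2^m)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, f, m)
        a = gf_mul(a, a, f, m)
        e >>= 1
    return result


def gf_inv(a, f=F, m=8):
    """a^(2^m - 2) = a^-1 for a != 0, used here only to cross-check gf_mul."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    return gf_pow(a, (1 << m) - 2, f, m)


def squaring_matrix(f=F, m=8):
    """Rows of the GF(2) matrix of Fig. 8B: row i is x^(2i) mod f(x).

    Squaring is linear over GF(2) (all cross terms cancel), so
    a(x)^2 = sum_i a_i x^(2i) mod f(x), i.e. a vector-matrix product.
    """
    return [gf_pow(0b10, 2 * i, f, m) for i in range(m)]


def gf_square_by_matrix(a, f=F, m=8):
    """Squaring as the XOR of the matrix rows selected by the bits of a."""
    acc = 0
    for i, row in enumerate(squaring_matrix(f, m)):
        if (a >> i) & 1:
            acc ^= row
    return acc


def gf2_rank(rows, m=8):
    """Rank over GF(2) of bit-vectors stored as ints (bit k = column k)."""
    rows = list(rows)
    rank = 0
    for col in range(m):
        pivot = next((r for r in rows if (r >> col) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> col) & 1 else r for r in rows]
        rank += 1
    return rank


def conjugates(f=F, m=8):
    """alpha, alpha^2, alpha^4, ..., alpha^(2^(m-1)) for alpha = x, a root of f."""
    out, e = [], 0b10
    for _ in range(m):
        out.append(e)
        e = gf_mul(e, e, f, m)
    return out


def roots_form_normal_basis(f=F, m=8):
    """True iff the m conjugates of alpha are linearly independent over GF(2),
    the condition under which the Fig. 5 normal-basis multiplier is defined."""
    return gf2_rank(conjugates(f, m), m) == m
```

roots_form_normal_basis is the check to run before committing a normal-basis multiplier to silicon for a new f(x): an irreducible polynomial gives a field either way, but only a normal polynomial gives the independent root set Fig. 5 needs. For the page's f(x) the check passes; for the AES polynomial it fails.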
An embodiment of the invention concerns an apparatus which composes into one operator the calculation of the multiplicative inverse of an element of the field GF((2^m)^n), the calculation of the product of two elements of said field and the squaring of an element of said field. Said apparatus preferably comprises three memory units R0, R1 and R2, which store respectively n+1, n and n+1 elements of the field GF(2^m), where said memory units are operated on by the following operations:
A first operation, in which all the elements of the field GF(2^m) stored in said memory unit R2 are multiplied by one element of the same field stored in a buffer memory, where no such multiplication is effected in connection with said memory units R0 or R1 and where no exchange of contents between said memory unit R2 and either one of said memory units R0 or R1 takes place prior to said multiplication;
A second operation, in which a variable number of elements of the field GF(2^m) stored in said memory unit R2 are added, element by element, to elements stored in said memory unit R0;
A third operation, in which a variable number of elements of the field GF(2^m) stored in said memory unit R0 are added, element by element, to elements stored in said memory unit R2;
A fourth operation, in which a variable number of elements of the field GF(2^m) stored in said memory unit R2 are added, element by element, to elements stored in said memory unit R1;
A fifth operation, in which a variable number of elements of the field GF(2^m) stored in said memory unit R1 are added, element by element, to elements stored in said memory unit R2;
A sixth operation, in which the elements of said memory unit R0 are left-shifted, either physically or by manipulations with indices;
A seventh operation, in which a variable number of the elements of said memory unit R2 are left-shifted, either physically or by manipulations with indices;
An eighth operation, in which the elements of said memory unit R2 are either left-shifted or right-shifted, either physically or by manipulations with indices, while modular operations over the generating polynomial g(x) of the field GF((2^m)^n) are being performed;
A ninth operation, in which a variable number of elements of said memory unit R1 are right-shifted, either physically or by manipulations with indices.
It will now be shown how the aforesaid nine operations effect all the operations indicated in Pseudo-Codes 1, 2 and 3 concerning said memory units R0, R1 and R2, thereby forming a general operator which effects the three fundamental operations associated with Elliptic Curve Cryptographic applications, where said three operations are: a) calculating the product of two elements of the field GF((2^m)^n), b) squaring an element of said field, and c) calculating the multiplicative inverse of an element of said field.
Said nine operations, or a part of them, effect the operation of calculating the product of two elements of the field GF((2^m)^n), indicated in said Pseudo-Code 1, as follows: The operation indicated in said Pseudo-Code 1 by R2 = R2*Y is effected by said first operation. The operation R1 = R1 + R2*R0_i of Pseudo-Code 1 is preferably effected by said first and fourth operations, or by their integration, as shown in Fig. 6. The operations shift-right R2, R2_0 = R2_n and R2_s = R2_s + R2_n of Pseudo-Code 1 are effected by said eighth operation. Said nine operations, or a part of them, also effect the operation of squaring an element of the field GF((2^m)^n), indicated in said Pseudo-Code 2, as follows: The operation R2 = R2 + R1 of Pseudo-Code 2 is effected by said fifth operation. The operations shift-right R2, R2_0 = R2_n and R2_s = R2_s + R2_n of Pseudo-Code 2 are effected by said eighth operation. The operation shift-right R1 from index (2i-1) of Pseudo-Code 2 is effected by said ninth operation.
Said nine operations, or a part of them, effect the operation of calculating the modular multiplicative inverse of an element of the field GF((2^m)^n), indicated in said Pseudo-Code 3, as follows: The operation indicated in said Pseudo-Code 3 by R2 = R2*Y is effected by said first operation. The operation indicated in said Pseudo-Code 3 by R0 = R0 + R2] is effected by said second operation. The operation indicated in said Pseudo-Code 3 by R2] = R2] + R0 is effected by said third operation. The operation indicated in said Pseudo-Code 3 by R1 = R1 + [R2 is effected by said fourth operation. The operation indicated in said Pseudo-Code 3 by [R2 = [R2 + R1 is effected by said fifth operation. The operations indicated in said Pseudo-Code 3 by shift R0 and shift R2] are respectively effected by said sixth and seventh operations. The operations R2_n = R2_0, R2_s = R2_s + R2_0 and shift (left) R2 of Pseudo-Code 3 are effected by said eighth operation.
According to still another embodiment of the invention, the internal sub-field GF(2^m) can be replaced by a sub-field of 2^r elements which in itself has a sub-field. The calculation of modular multiplicative inverses over a sub-field of 2^r elements can be efficiently performed by dedicated hardware which processes p-bit values at a time, for p a divisor of r.
Fig. 9A shows a method for calculating modular multiplicative inverses over an internal sub-field for the case r = 15 and p = 5. That is, the internal sub-field GF(2^m) is replaced here by the field GF((2^5)^3). The functioning of the method of Fig. 9A is better understood from the following Pseudo-Code 4, which executes the same process; the comments of Pseudo-Code 4 further clarify the method. Figs. 9B and 9C show a preferred apparatus for effecting some of the operations indicated in the method shown in Fig. 9A and in Pseudo-Code 4. The four registers R0, R1, R2 and R3 of Fig. 9B act on 5-bit values; that is, 5 bits are shifted, added or multiplied at a time. The thick lines in Fig. 9B represent 5-bit lines, and the thick XOR gate operates on 5-bit values. R_ij denotes the 5 bits stored in location j of register i. The four flags, flag0, flag1, flag2 and flag3, respectively indicate whether R2_0, R2_1, R2_2 and R0_0 contain zeros: the value of a flag is 1 when the corresponding five bits are all 0.
Fig. 9C shows a possible apparatus for effecting the multiplication operations of Fig. 9A. These operations concern multiplying the contents of R3, or the contents of R2-R3 (altogether six 5-bit values), by a 5-bit value Z. The unit marked 70 is a 5-bit inverter which yields the inverse Y^-1 of the element Y modulo the generating polynomial of the sub-field GF(2^5). The unit marked 71 multiplies two elements of the sub-field GF(2^5), one of which is Y^-1 and the other R0_0. The unit marked 72 is a multiplexer whose output is Z, where Z = Y^-1 if sel = 0 and Z = R0_0 * Y^-1 if sel = 1 (sel denotes the select input of the multiplexer). Unit 73 multiplies the contents of R3, or the contents of R2-R3, by the value Z.
Pseudo-Code 4: A method for calculating modular multiplicative inverses over the field GF((2^5)^3)
Initially: R0_0 contains a 1, R0_1 contains a 1, R0_2 contains a 0
(as indicated in 301 in Fig. 9A; comment: said 1, 1, 0 are stored as elements of the field GF(2^5));
R1 contains zeros;
R2 contains the element b(x) to be inverted;
R3_0 contains a 1, R3_1 and R3_2 contain a 0
(comment: said 1, 0, 0 are stored as elements of the field GF(2^5). R0 stores the coefficients of the generating polynomial 1 + x + x^3 of the external field; the coefficient of x^3 is not stored in practice.)
if flag0 is not equal to 1, go to 1 (as indicated in 302 in Fig. 9A)
(comment: if flag0 = 1 then the contents of R2 are of the form 0XX, where X denotes a general value, but the two Xs cannot both be 0. Otherwise, the contents of R2 are of the form NXX, where N denotes a non-zero value. The notations X and N are also used later.)
shift R2 and R3 (as indicated in 303 in Fig. 9A)
(comment: here the contents 0XX of R2 are left-shifted, yielding XX0.)
if flag0 is not equal to 1, go to 1 (as indicated in 304 in Fig. 9A)
(comment: if flag0 = 1, then the contents of R2 are of the form 0X0. Otherwise, the contents of R2 are NX0.)
shift R2-R3 and go to 4 (as indicated in 325 in Fig. 9A)
(comment: the current contents of R2 are N00.)
1 if flag1 = flag2 = 1, go to 4 (as indicated in 305 in Fig. 9A)
(comment: if flag1 = flag2 = 1, then the current contents of R2 are N00. Otherwise, the current contents of R2 are NXX.)
set Y = R2_0, sel = 0 (as indicated in 306 in Fig. 9A)
R2-R3 = (R2-R3)*Z (as indicated in 307 in Fig. 9A)
(comment: the current contents of R2 are 1XX.)
R0-R1 = (R0-R1) + (R2-R3) (as indicated in 308 in Fig. 9A)
(comment: the current contents of R0 are 0XX.)
shift R0-R1, set R0_2 = 1 (as indicated in 309 in Fig. 9A)
(comment: the current contents of R0 are XX1.)
if flag2 = 1, go to 2 (as indicated in 310 in Fig. 9A)
(comment: if flag2 = 1, then the contents of R2 are 1N0. Otherwise, the contents of R2 are 1XN.)
set Y = R2_2, sel = 0 (as indicated in 311 in Fig. 9A)
R2-R3 = (R2-R3)*Z (as indicated in 312 in Fig. 9A)
(comment: the current contents of R2 are NX1.)
R2-R3 = (R2-R3) + (R0-R1) (as indicated in 313 in Fig. 9A)
(comment: the current contents of R2 are XX0.)
if flag0 = 1, shift R2-R3 and go to 4 (as indicated in 314 and 316 in Fig. 9A)
(comment: if flag0 = 1, then the contents of R2 are 0N0 and the shift yields the contents N00. If flag0 = 0, then the contents of R2 are NX0.)
if flag1 = 1, go to 4 (as indicated in 315 in Fig. 9A)
(comment: if flag1 = 1, then the contents of R2 are N00. If flag1 = 0, then the contents of R2 are NN0.)
2 if flag3 = 1, go to 3 (as indicated in 317 in Fig. 9A)
(comment: if flag3 = 1, then the contents of R0 are 0X1. If flag3 = 0, then the contents of R0 are NN1.)
set Y = R2_0, sel = 1 (as indicated in 318 in Fig. 9A)
R2-R3 = (R2-R3)*Z (as indicated in 319 in Fig. 9A)
(comment: the current contents of R2 are R0_0 X 0.)
R0-R1 = (R0-R1) + (R2-R3) (as indicated in 320 in Fig. 9A)
(comment: the current contents of R0 are 0X1.)
3 shift R0-R1 (as indicated in 321 in Fig. 9A)
(comment: the current contents of R0 are X10.)
set Y = R2_1, sel = 0 (as indicated in 322 in Fig. 9A)
R2-R3 = (R2-R3)*Z (as indicated in 323 in Fig. 9A)
(comment: the current contents of R2 are X10.)
R2-R3 = (R2-R3) + (R0-R1) (as indicated in 324 in Fig. 9A)
(comment: the current contents of R2 are N00.)
4 set Y = R2_0, sel = 0 (as indicated in 326 in Fig. 9A)
R3 = R3*Z (as indicated in 327 in Fig. 9A)
(comment: R3 is divided here by R2_0.)
stop: R3 contains the desired b(x)^-1 (as indicated in 328 in Fig. 9A)
A major feature of the method of Fig. 9A is that no loops are used. The execution of the complete process requires at most three shifts, four multiplications of R2-R3 by Z, one additional multiplication of R3 by Z, and four additions of R0-R1 to R2-R3 or vice versa.
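Inversion in the composite field GF((2^5)^3) of Fig. 9A, as an added example in Python. This is not the patent's Pseudo-Code 4 and not the applicant's code: it is the textbook extended Euclidean algorithm over GF(2^5)[x] modulo the external polynomial 1 + x + x^3, with the same building blocks the Fig. 9C hardware uses (a 5-bit inverter table in the role of unit 70, and "multiply a whole register by Z" in the role of unit 73). The page does not name the generating polynomial of the sub-field GF(2^5); x^5 + x^2 + 1 is assumed here. The function names are mine. The example also checks the caveat a practitioner should verify before relying on the scheme: 1 + x + x^3 must have no root in GF(2^5), since a cubic with a root is reducible and the quotient ring would not be a field.

```python
# Added example, not the patent's Pseudo-Code 4: inversion in the composite
# field GF((2^5)^3) = GF(2^5)[x] / (1 + x + x^3), the case r = 15, p = 5 of
# Fig. 9A, by the textbook extended Euclidean algorithm over GF(2^5)[x].
# Assumption (the page does not name it): GF(2^5) is generated by x^5 + x^2 + 1.

G5 = 0x25                 # x^5 + x^2 + 1, the assumed sub-field polynomial
G_EXT = [1, 1, 0, 1]      # 1 + x + x^3, coefficients low to high (the R0 contents)


def gf5_mul(a, b):
    """Multiply two 5-bit sub-field elements modulo G5 (shift-and-add)."""
    prod = 0
    for i in range(5):
        if (b >> i) & 1:
            prod ^= a << i
    for d in range(8, 4, -1):
        if (prod >> d) & 1:
            prod ^= G5 << (d - 5)
    return prod


# 5-bit inverter table: the role of unit 70 in Fig. 9C (INV5[0] stays 0).
INV5 = [0] * 32
for _a in range(1, 32):
    INV5[_a] = next(_b for _b in range(1, 32) if gf5_mul(_a, _b) == 1)


def strip(p):
    """Drop leading zero coefficients so that len(p) - 1 is the degree."""
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_add(a, b):
    n = max(len(a), len(b))
    return strip([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0)
                  for i in range(n)])


def poly_scale_shift(p, z, k):
    """z * x^k * p(x): a whole register multiplied by Z (unit 73), then shifted."""
    return strip([0] * k + [gf5_mul(c, z) for c in p])


def poly_mul(a, b):
    out = [0] * (len(a) + len(b))
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] ^= gf5_mul(ai, bj)
    return strip(out)


def poly_divmod(a, b):
    """Long division in GF(2^5)[x]; each step multiplies b by Z = lead(a) * lead(b)^-1."""
    a, b = strip(list(a)), strip(list(b))
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = INV5[b[-1]]
    q = [0] * max(len(a) - len(b) + 1, 0)
    while a and len(a) >= len(b):
        k = len(a) - len(b)
        z = gf5_mul(a[-1], inv_lead)
        q[k] = z
        a = poly_add(a, poly_scale_shift(b, z, k))   # cancels the leading term
    return strip(q), a


def poly_mulmod(a, b, g=G_EXT):
    return poly_divmod(poly_mul(a, b), g)[1]


def external_poly_is_irreducible(g=G_EXT):
    """A cubic over GF(2^5) is irreducible iff it has no root in GF(2^5);
    evaluate g at all 32 sub-field elements by Horner's rule."""
    for a in range(32):
        acc = 0
        for coef in reversed(g):
            acc = gf5_mul(acc, a) ^ coef
        if acc == 0:
            return False
    return True


def inv_composite(b, g=G_EXT):
    """b(x)^-1 mod g(x) by extended Euclid, keeping s_i with s_i * b = r_i (mod g),
    starting from (r0, s0) = (g, 0) and (r1, s1) = (b, 1)."""
    r0, s0 = strip(list(g)), []
    r1, s1 = strip(list(b)), [1]
    while len(r1) > 1:                      # deg r1 > 0
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, poly_add(s0, poly_mul(q, s1))
    if not r1:
        raise ZeroDivisionError("b(x) has no inverse modulo g(x)")
    # r1 is a non-zero constant c with s1 * b = c (mod g): divide by c, as in step 4.
    c_inv = INV5[r1[0]]
    return poly_divmod([gf5_mul(coef, c_inv) for coef in s1], g)[1]
```

Because deg g(x) = 3, the Euclid loop here runs at most two division steps, each of which performs at most two "multiply the register by Z and add" operations, which is the same order of work the page counts for its loop-free schedule (four multiplications of R2-R3 by Z plus one final multiplication of R3). The exhaustive check in the accompanying test inverts every element of the form a + 7x + c x^2 and confirms b * b^-1 = 1 modulo 1 + x + x^3.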
While some embodiments of the invention have been described by way of illustration, it will be apparent that the invention can be carried into practice with many modifications, variations and adaptations and with the use of the numerous equivalents or alternative solutions that are within the scope of persons skilled in the art, without departing from the spirit of the invention or exceeding the scope of the claims.

Claims

1. A method for calculating modular multiplicative inverses of a Galois Field GF((2^m)^n), comprising the steps of:
- having first (R0), second (R2) and third (R1) memory units, storing respectively n+1, n+1 and n elements of the field GF(2^m);
- storing in said first memory unit the generating polynomial (g(x)) of the external field of said Galois Field;
- storing in said second memory unit the field element to be inverted, followed by a 0;
- adding the contents of the first part of said second memory unit (R2]) to the contents of said first memory unit, and adding the contents of the second part of said second memory unit ([R2) to the contents of said third memory unit, in the lines of the Euclid algorithm;
- adding the contents of a part of said first memory unit to the contents of the first part of said second memory unit (R2]), and adding the contents of a part of said third memory unit to the contents of the second part of said second memory unit ([R2), in the lines of the Euclid algorithm and in order to convert into a zero value the element of the field GF(2^m) stored at the most significant place of said first part of said second memory unit;
- effecting shift operations on said first memory unit and on said first part of said second memory unit, while not shifting said second part of said second memory unit, in order to cancel elements of the field GF(2^m) stored at the least significant place of said first and second memory units;
- effecting multiplication operations in which the entire contents of said second memory unit are multiplied by one element of said field, in the lines of the Euclid algorithm;
whereby:
a. to reduce the contents of said first part of said second memory unit in the lines of the Euclid algorithm by canceling elements both from the most significant location and from the least significant location of said first part of said second memory unit; and
b. to calculate modular multiplicative inverses by effecting steps in which a multiplication of a plurality of elements of the field GF(2^m) by one element of said field is always effected when said plurality of elements is stored in one specific memory unit (R2) of a fixed length, without a prior exchange of contents between said one specific memory unit and another memory unit.
2. The method of claim 1, wherein each one of said elements of the field GF(2^m) is a single bit.
3. A method for effecting the operations of calculating the product of two elements of the field GF((2^m)^n), calculating the square of an element of said field and calculating the multiplicative inverse of an element of said field, comprising the steps of:
- having first (R0), second (R2) and third (R1) memory units for storing respectively n+1, n+1 and n elements of the field GF(2^m);
- multiplying all the elements of the field GF(2^m) stored in said second memory unit by one element of said field, where no such multiplication is effected in connection with said first or third memory units and where no exchange of contents between said second memory unit and said first or third memory units takes place prior to said multiplication;
- adding a variable number of elements of the field GF(2^m) stored in said first memory unit to elements stored in said second memory unit;
- adding a variable number of elements of the field GF(2^m) stored in said second memory unit to elements stored in said first memory unit;
- adding a variable number of elements of the field GF(2^m) stored in said third memory unit to elements stored in said second memory unit;
- adding a variable number of elements of the field GF(2^m) stored in said second memory unit to elements stored in said third memory unit;
- shifting, either physically or by manipulations with indices, the elements stored in said first memory unit;
- shifting, either physically or by manipulations with indices, a variable number of elements stored in said second memory unit;
- shifting, either physically or by manipulations with indices, the elements stored in said second memory unit, while modular operations over the generating polynomial of the field GF((2^m)^n) are being performed; and
- shifting, either physically or by manipulations with indices, a variable number of elements stored in said third memory unit;
whereby to have a unified method which effects, by effecting any of the aforesaid steps, the operations of calculating the product of two elements of the field GF((2^m)^n), calculating the square of an element of said field and calculating the multiplicative inverse of an element of said field.
4. A method for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), wherein said value m equals the product of two different numbers, p and r, and wherein the calculation of modular multiplicative inverses over the internal field GF(2^m) is performed by processing p-bit values at a time.
5. An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), comprising:
- a buffer memory for storing one element of the field GF(2^m);
- a first memory unit (R0) for storing n+1 elements of the field GF(2^m);
- a second memory unit (R2) for storing n+1 elements of the field GF(2^m);
- a third memory unit (R1) for storing n elements of the field GF(2^m);
- at least one multiplying unit for multiplying the contents of said second memory unit by one element of the field GF(2^m) stored in said buffer memory, wherein the content of said second memory unit is not obtained by an exchange with the content of another memory means prior to effecting said multiplication operation;
- means for shifting any one of said first, second or third memory units;
- means for adding the contents of said second memory unit, or a part of it, to the contents of said first or third memory unit, or a part thereof, or vice versa.
6. An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), comprising dedicated hardware means for multiplying two elements of the field GF(2^m).
7. An apparatus according to claim 6, wherein said dedicated hardware means include means for performing an adding operation.
8. An apparatus for carrying out the method of claim 1, in which a multiplication of a plurality of elements of the field GF(2^m) stored in said specific memory unit (R2) by one element of said field stored in a buffer memory is effected by using a plurality of circuits, each such circuit multiplying said one element by an element stored in said specific memory unit.
9. An apparatus for carrying out the method of claim 1, in which a multiplication of a plurality of elements of the field GF(2^m) stored in said specific memory unit by one element of said field stored in a buffer memory is effected by using one pre-processing circuit which processes said one element and a plurality of post-processing circuits, each such circuit operating on two values, one being the output of said pre-processing circuit and the other being an element stored in said specific memory unit.
10. An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), comprising dedicated hardware means for squaring an element of the field GF(2^m) over the polynomial basis.
11. An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF((2^m)^n), essentially as described and with particular reference to the drawings.
PCT/IL1998/000327 1997-07-14 1998-07-13 Composite field multiplicative inverse calculation for elliptic curve cryptography WO1999004332A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU82395/98A AU8239598A (en) 1997-07-14 1998-07-13 Composite field multiplicative inverse calculation for elliptic curve cryptography

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL12129797A IL121297A0 (en) 1997-07-14 1997-07-14 A method and apparatus for the efficient execution of elliptic curve cryptographic operations
IL121297 1997-07-14

Publications (1)

Publication Number Publication Date
WO1999004332A1 true WO1999004332A1 (en) 1999-01-28

Family

ID=11070385

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL1998/000327 WO1999004332A1 (en) 1997-07-14 1998-07-13 Composite field multiplicative inverse calculation for elliptic curve cryptography

Country Status (3)

Country Link
AU (1) AU8239598A (en)
IL (1) IL121297A0 (en)
WO (1) WO1999004332A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001052051A2 (en) * 2000-01-16 2001-07-19 Cv Cryptovision Gmbh Method and devices for carrying out an inversion in the primary number field
WO2001071486A2 (en) * 2000-03-23 2001-09-27 Cipherit Ltd. Method and apparatus for the calculation of modular multiplicative inverses
DE10108916C1 (en) * 2001-02-23 2002-07-25 Infineon Technologies Ag Selective division circuit for cryptographic applications has multiplexer outputs coupled to different groups of multiplexer outputs when division is not required and required respectively
WO2004114123A2 (en) * 2003-06-21 2004-12-29 Koninklijke Philips Electronics N.V. Improved inversion calculations
WO2007048430A1 (en) * 2005-10-28 2007-05-03 Telecom Italia S.P.A. A method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems
US8189775B2 (en) 2010-02-18 2012-05-29 King Fahd University Of Petroleum & Minerals Method of performing cipher block chaining using elliptic polynomial cryptography
US8331558B2 (en) 2010-02-18 2012-12-11 King Fahd University Of Petroleum And Minerals Method of cipher block chaining using elliptic curve cryptography
US8351601B2 (en) 2010-02-18 2013-01-08 King Fahd University Of Petroleum And Minerals Elliptic polynomial cryptography with secret key embedding
US8385541B2 (en) 2010-02-18 2013-02-26 King Fahd University Of Petroleum And Minerals Method of performing elliptic polynomial cryptography with elliptic polynomial hopping
US8509426B1 (en) 2010-12-01 2013-08-13 King Fahd University Of Petroleum And Minerals XZ-elliptic curve cryptography system and method
US8699701B2 (en) 2010-12-01 2014-04-15 King Fahd University Method of performing XZ-elliptic curve cryptography for use with network security protocols
US8804952B2 (en) 2012-12-26 2014-08-12 Umm Al-Qura University System and method for securing scalar multiplication against differential power attacks
US8913739B2 (en) 2005-10-18 2014-12-16 Telecom Italia S.P.A. Method for scalar multiplication in elliptic curve groups over prime fields for side-channel attack resistant cryptosystems

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0265336A1 (en) * 1986-10-22 1988-04-27 Thomson-Csf Galois field polynomial processing device and digital signal processor comprising such a device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DE WIN E ET AL: "A fast software implementation for arithmetic operations in GF(2^n)", ADVANCES IN CRYPTOLOGY - ASIACRYPT'96. PROCEEDINGS, KYONGJU, SOUTH KOREA, 3-7 NOV. 1996, ISBN 3-540-61872-4, 1996, Berlin, Germany, Springer-Verlag, Germany, pages 65 - 76, XP002081362 *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001052051A3 (en) * 2000-01-16 2001-10-25 Cv Cryptovision Gmbh Method and devices for carrying out an inversion in the primary number field
WO2001052051A2 (en) * 2000-01-16 2001-07-19 Cv Cryptovision Gmbh Method and devices for carrying out an inversion in the primary number field
WO2001071486A2 (en) * 2000-03-23 2001-09-27 Cipherit Ltd. Method and apparatus for the calculation of modular multiplicative inverses
WO2001071486A3 (en) * 2000-03-23 2002-02-28 Cipherit Ltd Method and apparatus for the calculation of modular multiplicative inverses
DE10108916C1 (en) * 2001-02-23 2002-07-25 Infineon Technologies Ag Selective division circuit for cryptographic applications has multiplexer outputs coupled to different groups of multiplexer outputs when division is not required and required respectively
WO2004114123A2 (en) * 2003-06-21 2004-12-29 Koninklijke Philips Electronics N.V. Improved inversion calculations
WO2004114123A3 (en) * 2003-06-21 2005-03-24 Koninkl Philips Electronics Nv Improved inversion calculations
US8913739B2 (en) 2005-10-18 2014-12-16 Telecom Italia S.P.A. Method for scalar multiplication in elliptic curve groups over prime fields for side-channel attack resistant cryptosystems
WO2007048430A1 (en) * 2005-10-28 2007-05-03 Telecom Italia S.P.A. A method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems
US8243920B2 (en) 2005-10-28 2012-08-14 Telecom Italia S.P.A. Method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems
US8189775B2 (en) 2010-02-18 2012-05-29 King Fahd University Of Petroleum & Minerals Method of performing cipher block chaining using elliptic polynomial cryptography
US8351601B2 (en) 2010-02-18 2013-01-08 King Fahd University Of Petroleum And Minerals Elliptic polynomial cryptography with secret key embedding
US8385541B2 (en) 2010-02-18 2013-02-26 King Fahd University Of Petroleum And Minerals Method of performing elliptic polynomial cryptography with elliptic polynomial hopping
US8331558B2 (en) 2010-02-18 2012-12-11 King Fahd University Of Petroleum And Minerals Method of cipher block chaining using elliptic curve cryptography
US8509426B1 (en) 2010-12-01 2013-08-13 King Fahd University Of Petroleum And Minerals XZ-elliptic curve cryptography system and method
US8699701B2 (en) 2010-12-01 2014-04-15 King Fahd University Method of performing XZ-elliptic curve cryptography for use with network security protocols
US8804952B2 (en) 2012-12-26 2014-08-12 Umm Al-Qura University System and method for securing scalar multiplication against differential power attacks

Also Published As

Publication number Publication date
AU8239598A (en) 1999-02-10
IL121297A0 (en) 1998-02-22

Similar Documents

Publication Publication Date Title
Solinas An improved algorithm for arithmetic on a family of elliptic curves
US5854759A (en) Methods and apparatus for efficient finite field basis conversion
Silverman Fast multiplication in finite fields GF(2^N)
US8862651B2 (en) Method and apparatus for modulus reduction
WO1999004332A1 (en) Composite field multiplicative inverse calculation for elliptic curve cryptography
KR20050061544A (en) Cryptography using finite fields of odd characteristic on binary hardware
US6430588B1 (en) Apparatus and method for elliptic-curve multiplication and recording medium having recorded thereon a program for implementing the method
Großschädl A bit-serial unified multiplier architecture for finite fields GF(p) and GF(2^m)
JP2002207589A (en) Arithmetic circuit and arithmetic method
Gong et al. Linear recursive sequences over elliptic curves
US6763366B2 (en) Method for calculating arithmetic inverse over finite fields for use in cryptography
US20030093450A1 (en) Block-serial finite field multipliers
Knežević et al. Modular Reduction in GF(2^n) without Pre-computational Phase
JP3659320B2 (en) Multiplication module, multiplication inverse element operation circuit, multiplication inverse element operation control system, device using the multiplication inverse element operation, encryption device, error correction decoder
Guajardo et al. Efficient software-implementation of finite fields with applications to cryptography
Gutub Efficient utilization of scalable multipliers in parallel to compute GF(p) elliptic curve cryptographic operations
KR100670780B1 (en) Apparatus for hybrid multiplier in GF2^m and Method for multiplying
US20010054052A1 (en) Method and apparatus for the calculation of modular multiplicative inverses
US7539719B2 (en) Method and apparatus for performing multiplication in finite field GF(2^n)
Koyama et al. A signed binary window method for fast computing over elliptic curves
Gutub Fast 160-bits GF(p) elliptic curve crypto hardware of high-radix scalable multipliers
WO2000041068A1 (en) Method for generating a value for a multiplicative inverse of an element of a galois field
KR100297110B1 (en) Modular multiplier
Sanu et al. Parallel montgomery multipliers
Knezevic et al. Modular reduction without precomputational phase

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA