WO2000041068A1 - Method for generating a value for a multiplicative inverse of an element of a galois field - Google Patents


Info

Publication number
WO2000041068A1
Authority
WO
WIPO (PCT)
Prior art keywords
register
contents
field
bits
shift
Prior art date
Application number
PCT/IL1999/000699
Other languages
French (fr)
Inventor
Benjamin Arazi
Original Assignee
Cipherit Ltd.
Priority date
Filing date
Publication date
Application filed by Cipherit Ltd.
Priority to AU17951/00A
Publication of WO2000041068A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724 Finite field arithmetic
    • G06F7/726 Inversion; Reciprocal calculation; Division of elements of a finite field

Definitions

  • Said register R3 according to the method of said first embodiment of the invention should provide for left shifts, wherein each left-shift of said register divides its contents by x modulo said polynomial g(x).
  • the invention further concerns an ability of operating said register R3 as a shift-right register as well, where a control mechanism switches between said two possible directions of shifts.
  • Said register R3 is constructed in such a way that each right-shift of it multiplies the contents of R3 by x modulo said polynomial g(x).
  • Fig. 2 exemplifies the structure of such a register R3 for the case where said g(x) is the polynomial 1 + x + x³.
  • Fig. 2A shows a structuring of register R3 wherein each left-shift of said register divides its contents by x modulo said polynomial g(x).
  • Fig. 2B shows a structuring of said register R3 wherein each right-shift of said register multiplies its contents by x modulo said polynomial g(x).
  • a control mechanism switches between the exemplified two possible directions of shifts of said register R3.
  • a second embodiment of the invention concerns an apparatus which composes into one operator the calculation of the product of two elements of the field GF(2 n ), the calculation of the square of an element of said field and the calculation of the multiplicative inverse of an element of said field. Said one operator is thereby capable of performing elliptic curve operations regarding the multiplication of a point on the curve by a scalar.
  • Said apparatus preferably comprises first, second, third and fourth registers, respectively denoted R0, R1, R2 and R3, where R0 stores n+1 bits and the other three said registers store n bits, where said registers are effected by the following operations:
  • a second operation in which the left bit (R00) of said first register is read externally for control purposes such that when said left bit equals 1 the contents of said fourth register (R3) are added to those of said third register (R2);
  • a third operation in which said left bit (R00) of said first register is read externally for control purposes such that when said left bit equals 1 the contents of said second register (R1) are added to those of said first register (R0);
  • a fourth operation in which said fourth register (R3) is right-shifted in a way that multiplies its contents by x modulo said polynomial g(x);
  • a fifth operation in which said second and fourth registers (R1 and R3) are left-shifted and where each left shift of said fourth register divides its contents by x modulo said polynomial g(x);
  • the operations "shift-left R0 shift-right R3" are preferably effected by said first and fourth operations.
  • Said seven operations, or a part of them, also effect the operation of squaring an element of the field GF(2 n ) by multiplying said element by itself, according to the operation indicated in said Pseudo-Code 1.
  • the operation indicated in said Pseudo-Code 2 by "shift R0 and R2" is preferably effected by said sixth operation.

Abstract

A method for generating a value for a modular multiplicative inverse of an element of a Galois Field GF(2n). A first (R0), a second (R1), a third (R2) and a fourth (R3) register are provided, wherein the first register stores n+1 bits, and wherein the second, third and fourth registers store n bits. The third and fourth registers carry out, by a single left shift, a division operation by x modulo the generating polynomial (g(x)) of the Galois Field. The generating polynomial (g(x)) of the Galois Field is stored in the first register. The field element to be inverted is stored in the second register. Zeros are stored in the third register. A 1 bit is stored in the left cell of the fourth register and zeros are stored in the rest of the cells of the fourth register. The contents of the second register (R1) are added to the contents of the first register (R0) while simultaneously adding the contents of the fourth register (R3) to the contents of the third register (R2), so as to convert the bit of value 1 in the left cell of the first register into 0. The contents of the first register (R0) are added to the contents of the second register (R1) while simultaneously adding the contents of the third register (R2) to the contents of the fourth register (R3), so as to convert the right-most bit of value 1 in the second register into 0. Shift-left operations are performed simultaneously on the first register and the third register, and shift-left operations are performed simultaneously on the second register and the fourth register. By doing so, bits of value 1 stored in the second register are canceled by canceling bits both from the most significant location and from the least significant location of the second register.

Description

METHOD FOR GENERATING A VALUE FOR A MULTIPLICATIVE INVERSE OF AN ELEMENT OF A GALOIS FIELD
Field of the Invention
The present invention relates to a method and apparatus for efficiently implementing elliptic curve cryptographic operations over the Galois field GF(2n) based on a hardware operator which calculates modular multiplicative inverses and the product and the square of elements of said field.
Background of the Invention
Elliptic Curve Cryptography (ECC) is one of the modern approaches for the implementation of key exchange over open channels and the generation of digital signatures. The underlying principles of ECC were published in N. Koblitz, "Elliptic Curve Cryptosystems", Mathematics of Computation, 48, pp. 203-209, 1987 and in V. Miller, "Uses of Elliptic Curves in Cryptography", Crypto '85, Springer-Verlag LNCS 218, pp. 417-426, 1986. ECC techniques and implementations are specified in ANSI X9.62-1998, Working Draft, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm, April 14, 1998, and in IEEE P1363 Draft Version 6, Standard Specification for Public Key Cryptography, August 25, 1998.
Three fundamental arithmetic operations are required for implementing ECC: a) the calculation of modular multiplicative inverses of finite field elements; b) modular multiplication of such elements and c) modular squaring of such elements. (These three operations facilitate the multiplication of a point on the curve by a scalar, as will be clear to persons skilled in the art.)
This invention concerns fast and efficient hardware methods for executing said three operations in the arithmetic field known as the Galois field GF(2n). ECC implementations over Galois field were indicated in G. Harper, A. Menezes and V. Vanstone, "Public Key Cryptosystems with Very Small Key Lengths", Eurocrypt '92, LNCS 658 pp. 163-173.
The elements of said field GF(2n) are polynomials of degree n-1 or less, which involve operations over a primitive polynomial g(x) of degree n, as will be clear to persons skilled in the art.
Hereinafter, Rij denotes the bit stored in the j-th place in register Ri, wherein the index of the first (left) bit is 0. The index i can have the values 0 or 1. That is, the notation Rij refers to bits stored in registers R0 or R1.
A method for effecting the operations of multiplying two elements of the field GF(2n) is described in the following Pseudo-code 1. A further explanation follows the description.
Pseudo-code 1: Multiplying two elements of the field GF(2n)
R0, R2 and R3 are registers that store n bits.
R3 is a shift-right register with linear feedback connections according to the coefficients of said polynomial g(x), where each shift of said register R3 multiplies the contents of R3 by x modulo the polynomial g(x), as will be clear to persons skilled in the art. R0 is a shift-left register.
Initially: R0 contains the multiplier b(x) which is an element of the field GF(2n), where the left cell of R0 stores the least significant coefficient of b(x);
R3 contains the multiplicand c(x) which is an element of said field;
R2 contains 0's.
Execute the following loop n-1 times:
    If R00 = 1 then R2 = R2 + R3
    shift-left R0; shift-right R3
stop (end of loop)
If R00 = 1 then R2 = R2 + R3
The final content of R2 is b(x)·c(x) mod g(x).
Explanation:
The above is a shift-and-add process, in which the contents of R3 are the successive values of x^i·c(x) modulo the generating primitive polynomial g(x). These values are added or not added to the accumulated value stored in R2 according to the corresponding coefficient of b(x), which is the left bit in R0.
Modular multiplicative inverse operations, needed to be executed when implementing ECC operations, can be based on exponentiations such as indicated in G.B. Agnew et al., "An Implementation of Elliptic Curve Cryptosystems over F_{2^155}", IEEE J. on Sel. Areas in Communications, 1993, pp. 804-813, or on the Euclid algorithm. Euclid-based calculations of the multiplicative inverse of an element of the field GF(2n) are shown in E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, 1968, pp. 36-44.
Said Euclid-based calculations of the multiplicative inverse of an element of the field GF(2n) are based, in principle, on having registers R0, R1, R2 and R3 which are shift-left registers, wherein R2 and R3 have linear feedback connections according to the coefficients of said polynomial g(x). Each shift of said registers R2 and R3 divides the contents of the shifted register by x modulo the polynomial g(x), as will be clear to persons skilled in the art. Said register R0 is capable of storing n+1 bits and initially stores the coefficients of said polynomial g(x). Said registers R1, R2 and R3 are capable of storing n bits, where R1 initially stores the element b(x) whose multiplicative inverse is to be calculated. Said registers R2 and R3 initially store, respectively, zeros and a single 1 at the left place.
The process is based on left shifting register R0 or R1 whenever either of said registers has a 0 bit at the left place. When both said registers have a 1 bit at the left place, the contents of the register with the shorter contents are added to the contents of the other register, where the length of the contents of a register is measured in terms of the distance between the two extreme bits of value 1 stored in the register, and where the addition is a logic 'xor' operation. The process terminates when either R0 or R1 contains a single bit of value 1 at the left place. The occurrence of one of said two possibilities is guaranteed, due to the fact that said g(x) and b(x) are relatively prime, which stems from the fact that said g(x) is primitive. During the execution of the process, said registers R2 and R3 follow respectively the activities of said registers R0 and R1. That is, when R0 or R1 is left shifted, then R2 or R3 is respectively shifted. When the contents of R0 are added to those of R1, then the contents of R2 are added to those of R3, and vice versa. Upon the termination of the process, if R0 is the register that contains said single 1 bit, then the contents of said register R2 are the desired multiplicative inverse of said b(x). If R1 is the register that contains said single 1 bit, then the contents of said register R3 are the desired multiplicative inverse of said b(x).
However, there is still a need in the art for improved methods and apparatus for the efficient execution of elliptic curve cryptographic operations. It is a purpose of the present invention to provide such an improved method, which overcomes problems found in prior art methods.
It is a further object of the invention to provide apparatus for carrying out the method of the invention.
Summary of the Invention
In one aspect, the invention is directed to a method for generating a value for a modular multiplicative inverse of an element of a Galois Field GF(2n) comprising the steps of:
- providing a first (R0), a second (R1), a third (R2) and a fourth (R3) register, wherein said first register stores n+1 bits, and wherein said second, third and fourth registers store n bits;
- causing said third and fourth registers to carry out, by a single left shift, a division operation by x modulo the generating polynomial (g(x)) of said Galois Field;
- storing in said first register said generating polynomial (g(x)) of said Galois Field;
- storing in said second register the field element to be inverted;
- storing zeros in said third register;
- storing in the left cell of said fourth register a 1 bit and storing zeros in the rest of the cells of said fourth register;
- adding the contents of said second register (R1) to the contents of said first register (R0) while adding simultaneously the contents of said fourth register (R3) to the contents of said third register (R2) thereby to convert the bit of value 1 in the left cell of said first register into 0;
- adding the contents of said first register (R0) to the contents of said second register (R1) while adding simultaneously the contents of said third register (R2) to the contents of said fourth register (R3) thereby to convert the right-most bit of value 1 in said second register into 0;
- carrying out simultaneously shift-left operations on said first register and said third register;
- carrying out simultaneously shift-left operations on said second register and said fourth register;
thereby to cancel bits of value 1 stored in said second register by canceling bits both from the most significant location and from the least significant location of said second register.
According to a preferred embodiment of the invention, a division operation modulo the generating polynomial (g(x)) of the Galois Field is effected by right-shifts of registers.
The invention further comprises a method for generating a value for the product of two elements of the Galois field GF(2n), for the square of an element of said field and for the multiplicative inverse of an element of said field, comprising the steps of:
- providing a first (R0), a second (R1), a third (R2) and a fourth (R3) register, wherein said first register stores n+1 bits, and wherein said second, third and fourth registers store n bits;
- causing said third and fourth registers to carry out, by a single left shift, a division operation by x modulo the generating polynomial (g(x)) of said Galois Field;
- causing said fourth register to carry out, by a single right shift and in addition to said left shift ability of said fourth register, a multiplication operation by x modulo said generating polynomial of said Galois Field;
- adding the contents of said second register (R1) to the contents of said first register (R0);
- adding the contents of said fourth register (R3) to the contents of said third register (R2);
- adding the contents of said first register (R0) to the contents of said second register (R1) while adding simultaneously the contents of said third register (R2) to the contents of said fourth register (R3);
- carrying out simultaneously shift-left operations on said first register and said third register;
- carrying out simultaneously shift-left operations on said second register and said fourth register;
thereby, by carrying out any of the aforesaid steps, generating a value for the product of two elements of the field GF(2n), for the square of an element of said field and for the multiplicative inverse of an element of said field.
In another aspect the invention is directed to an apparatus for effecting Elliptic Curve Cryptographic operations over the field GF(2n), comprising:
- a first register (R0) for storing n+1 bits;
- a second register (R1) for storing n bits;
- a third register (R2) for storing n bits;
- a fourth register (R3) for storing n bits;
- circuitry for shifting left said first register (R0);
- circuitry for reading externally the left bit (R00) of said first register such that when said left bit equals 1 the contents of said fourth register (R3) are added to those of said third register (R2);
- circuitry for reading externally the left bit (R00) of said first register such that when said left bit equals 1 the contents of said second register (R1) are added to those of said first register (R0);
- circuitry for shifting right said fourth register (R3) in a way that multiplies the contents of said fourth register by x modulo the generating polynomial (g(x)) of said field;
- circuitry for shifting left said second and fourth registers (R1 and R3) where each left shift of said fourth register divides its contents by x modulo said generating polynomial;
- circuitry for shifting left said first and third registers (R0 and R2) where each left shift of said third register divides its contents by x modulo said generating polynomial;
- circuitry for adding the contents of said first register (R0) to those of said second register (R1) and circuitry for adding the contents of said third register (R2) to those of said fourth register (R3).
Brief Description of the Drawings
In the drawings:
Fig. 1 shows in block diagram form a preferred method according to an embodiment of the invention for the calculation of modular multiplicative inverse of an element of the arithmetic field GF(2n);
Fig. 2A illustrates a shift-left register which performs a division operation modulo a primitive polynomial;
Fig. 2B illustrates a shift-right register which performs a multiplication operation modulo a primitive polynomial;
Fig. 3A shows a circuit for multiplying two elements of the arithmetic field GF(2n); and
Fig. 3B shows a preferred circuit according to an embodiment of the invention for executing ECC operations over the arithmetic field GF(2n);
Detailed Description of Preferred Embodiments
The invention provides an improved method for calculating multiplicative inverses over the field GF(2n). The invention further provides an apparatus for calculating multiplicative inverses over the field GF(2n) according to said method and means of integrating the three fundamental operations effected in the implementation of Elliptic Curve Cryptography over GF(2n) (the calculation of the multiplicative inverse of an element of the field GF(2n), the calculation of the product of two elements of said field and the squaring of an element of said field) into one efficient process carried out by hardware means.
At the fundamental algorithmic level, the calculation of modular multiplicative inverses over the field GF(2n) is effected by initially storing the generating polynomial of said field in a first register and initially storing the field element to be inverted in a second register. The contents of said first register are used to reduce the contents of said second register by canceling bits of value 1 both from the highest index and from the lowest index where such bits exist in said second register.
The improved method for calculating multiplicative inverses over the field GF(2n) according to a first embodiment of the invention comprises having registers R0, R1, R2 and R3 which are shift-left registers, wherein R2 and R3 have linear feedback connections according to the coefficients of said polynomial g(x). Each shift of said registers R2 and R3 divides the contents of the shifted register by x modulo the polynomial g(x). Said register R0 is capable of storing n+1 bits, and said registers R1, R2 and R3 are capable of storing n bits. The function of the method of the invention according to said first embodiment of the invention is shown in Fig. 1 and is better understood from observing the following Pseudo-code 2, which executes the same process. Comments under Pseudo-code 2 and the explanation which follows it further clarify the method of the invention. All the shifts indicated in the process are left shifts. The left bit in a shifted register is shifted out and discarded.
Pseudo-code 2. Calculating the multiplicative inverse of an element of the field GF(2n)
Initially: (as indicated in 101 in Fig. 1)
R0 contains the coefficients of the polynomial g(x);
R1 contains the element b(x) of the field GF(2n) which is to be inverted; R2 contains zeros.
R3 contains a 1 at the left place.
h is set to n; k is set to n-1.
(comment: throughout the execution of the process, h is the index of the right-most bit of value 1 in register R0. k is the index of the right-most bit of value 1 in register R1. The index of the left-most bit in any register is 0. Initially it is guaranteed that R0n = 1, since the degree of g(x) is n. That is, the initial value of h is exactly n. The process starts by adjusting k to its true value, when R10 = 1.)
1. If R10 = 0 then (shift R1 and R3 and k = k-1 and go to 1) else go to 2
(as indicated in 102 and 103 in Fig. 1)
2. If R1k = 0 then (k = k-1 and go to 2) else go to 3
(as indicated in 104 and 105 in Fig. 1)
(comment: the above two loops decrease the value of k according to the number of 0's on the left and on the right of R1. These loops end when the value of k is that of the right-most bit of value 1 in R1, and the bit on the left of R1 is 1.)
3. If k = 0 then stop. The final content of R3 is b⁻¹(x)
(as indicated in 106 and 107 in Fig. 1)
(comment: currently, R1 consists of a single 1 bit at the left place.)
4. If R00 = 1 then (R0 = R0 + R1 and R2 = R2 + R3) else go to 5 (as indicated in 108 and 109 in Fig. 1)
(comment: All + notations mean a logic 'xor' operation. After step 4, R00 = 0.)
5. shift R0 and R2; h = h - 1 (as indicated in 110 in Fig. 1)
6. If h > k then (go to 4) else go to 7 (as indicated in 111 in Fig. 1)
(comment: The above loop shifts R0 and R2 to the left, after it was taken care that the bit stored on the left of R0 before the shift is 0; the shift operation continues until the h-th bit of R0, which by definition has the value 1, is positioned across the k-th bit of R1.)
7. R1 = R1 + R0; R3 = R3 + R2; k = k - 1; go to 1
(as indicated in 112 in Fig. 1)
(comment: After the above is executed, R1k = 0. This way, R1 becomes shorter in the sense that the right-most 1 bit in R1 gets closer to the left. There is further a 50% possibility that the left-most bit in R1 was also converted into a 0 by the operation R1 = R1 + R0.)
Explanation:
The validity of the method according to said Pseudo-code 2 is still based on the Euclid algorithm, where said registers R2 and R3 follow respectively the activities of said registers R0 and R1. That is, when R0 or R1 is left shifted, then R2 or R3 respectively is shifted. When the contents of R0 are added to those of R1, then the contents of R2 are added to those of R3, and vice versa. This is where the similarity between the method of the invention according to said first embodiment and the prior art Euclid algorithm ends. The method according to said first embodiment shortens the contents of R1 by canceling, one at a time, the right-most bit of value 1 stored in R1, where the index of this bit is k. (As was defined, the contents of R1 are shortened in the sense of shortening the distance between the two extreme bits of value 1 stored in R1.) Whenever the left-most bit in R1 is 0, R1 is left-shifted and said 0 is canceled. By definition, the initial value of the right-most bit in R0 is 1. This bit 'slides' across R1, via shifts of R0, and cancels the right-most 1 bit in R1. Said shifts of R0 are effected by first forcing the left-most bit in R0 to be 0 (by adding R1 to R0 whenever that bit is 1), and then left-shifting R0. Different tasks are thereby assigned to each of said two registers R0 and R1 in order to perform said shortening of R1, and the desired multiplicative inverse is stored at the end of the process in the pre-designated register R3. This feature distinctly differs said method from the standard Euclid algorithm, in which said desired multiplicative inverse is stored at the end of the process in either register R2 or R3.
A clear feature of the method presented in Pseudo-code 2, according to said first embodiment of the invention, is the cancellation of right-most 1 bits in R1 together with the shifting of R1 whenever there is a left-most 0 in R1, thereby reducing the contents of R1 from both sides. This feature distinctly differs said method from the standard Euclid algorithm, in which only 1 bits on the left of either register R0 or R1 are cancelled.
Said register R3 according to the method of said first embodiment of the invention should provide for left shifts, wherein each left-shift of said register divides its contents by x modulo said polynomial g(x). The invention further concerns an ability of operating said register R3 as a shift-right register as well, where a control mechanism switches between said two possible directions of shifts. Said register R3 is constructed in such a way that each right-shift of it multiplies the contents of R3 by x modulo said polynomial g(x). Fig. 2 exemplifies the structure of such a register R3 for the case where said g(x) is the polynomial 1 + x + x^3. Fig. 2A shows a structuring of register R3 wherein each left-shift of said register divides its contents by x modulo said polynomial g(x). Fig. 2B shows a structuring of said register R3 wherein each right-shift of said register multiplies its contents by x modulo said polynomial g(x). Each of the separate phases of operation of said register R3, as shown separately in Fig. 2A and 2B, is clear to persons skilled in the art. According to the invention, a control mechanism switches between the exemplified two possible directions of shifts of said register R3.
A second embodiment of the invention concerns an apparatus which composes into one operator the calculation of the product of two elements of the field GF(2^n), the calculation of the square of an element of said field and the calculation of the multiplicative inverse of an element of said field. Said one operator is thereby capable of performing elliptic curve operations regarding the multiplication of a point on the curve by a scalar.
Said apparatus preferably comprises a first, second, third and fourth register, respectively denoted as R0, R1, R2 and R3, where R0 stores n+1 bits and the other three said registers store n bits, where said registers are effected by the following operations:
A first operation, in which said first register (R0) is left shifted;
A second operation, in which the left bit (R0_0) of said first register is read externally for control purposes such that when said left bit equals 1 the contents of said fourth register (R3) are added to those of said third register (R2);
A third operation, in which said left bit (R0_0) of said first register is read externally for control purposes such that when said left bit equals 1 the contents of said second register (R1) are added to those of said first register (R0);
A fourth operation, in which said fourth register (R3) is right-shifted in a way that multiplies its contents by x modulo said polynomial g(x);
A fifth operation, in which said second and fourth registers (R1 and R3) are left-shifted and where each left shift of said fourth register divides its contents by x modulo said polynomial g(x);
A sixth operation, in which said first and third registers (R0 and R2) are left-shifted and where each left shift of said third register divides its contents by x modulo said polynomial g(x);
A seventh operation, in which the contents of said first register (R0) are added to those of said second register (R1) and the contents of said third register (R2) are added to those of said fourth register (R3), based on an equality between the contents of two counters (h = k).
Said seven operations, or a part of them, effect the operation of calculating the product of two elements of the field GF(2^n), indicated in said Pseudo-Code 1, as follows: The operation "if R0_0 = 1 then R2 = R2 + R3" of Pseudo-Code 1 is preferably effected by said second operation. The operations "shift-left R0, shift-right R3" are preferably effected by said first and fourth operations.
Said seven operations, or a part of them, effect also the operation of squaring an element of the field GF(2^n) by multiplying said element by itself, according to the operation indicated in said Pseudo-Code 1.
Said seven operations, or a part of them, effect the operation of calculating the modular multiplicative inverse of an element of the field GF(2^n), described in said Pseudo-Code 2, as follows: The operation indicated in said Pseudo-Code 2 by "if R1_0 = 0 then shift R1 and R3" is preferably effected by said fifth operation. The operation indicated in said Pseudo-Code 2 by "if R0_0 = 1 then R0 = R0 + R1 and R2 = R2 + R3" is preferably effected by said second and third operations. The operation indicated in said Pseudo-Code 2 by "shift R0 and R2" is preferably effected by said sixth operation. The operation indicated in said Pseudo-Code 2 by "R1 = R1 + R0 and R3 = R3 + R2" is preferably effected by said seventh operation.
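As an added worked example (not part of the patent text, and not code from Cipherit Ltd.), the following Python models the four-register scheme with integers and runs both the quoted Pseudo-code 1 operations for the product and Pseudo-code 2, steps 1 to 7, for the inverse. The bit-index convention (bit i of an integer holds the coefficient of x^i, so the patent's left-most bit, index 0, is the integer's least-significant bit and a register "left shift" is an integer shift right by one), the function names, and the choice of test polynomials (1 + x + x^3 from Fig. 2, and the AES polynomial x^8 + x^4 + x^3 + x + 1) are this example's own assumptions.

```python
# Added worked example (not from the patent): integer model of the four-
# register scheme.  Assumed convention: bit i of an integer holds the
# coefficient of x^i, so the patent's left-most bit (index 0) is the integer's
# least-significant bit and a "left shift" of a register is an integer shift
# right by one, i.e. division by x.  g is the generating polynomial of degree
# n, with bit n and bit 0 set.  Function names are this example's own.


def shift_left_mod(r: int, g: int) -> int:
    """Left shift of R2/R3: divide the contents by x modulo g(x).

    If the constant term is 1 the value is not divisible by x, so g(x) is
    added first; g(0) = 1 makes the sum divisible by x and, g being a
    multiple of g, the addition does not change the residue.
    """
    if r & 1:
        r ^= g
    return r >> 1


def shift_right_mod(r: int, g: int, n: int) -> int:
    """Right shift of R3 (the fourth operation): multiply by x modulo g(x)."""
    r <<= 1
    if (r >> n) & 1:      # degree n reached: reduce by g(x)
        r ^= g
    return r


def gf_mul(a: int, b: int, g: int, n: int) -> int:
    """Product of two field elements by the quoted Pseudo-code 1 operations."""
    r0, r2, r3 = a, 0, b
    for _ in range(n):
        if r0 & 1:                      # if R0_0 = 1 then R2 = R2 + R3
            r2 ^= r3
        r0 >>= 1                        # shift-left R0
        r3 = shift_right_mod(r3, g, n)  # shift-right R3 (times x mod g)
    return r2


def gf_inv(b: int, g: int, n: int) -> int:
    """Multiplicative inverse of b(x) in GF(2^n) by Pseudo-code 2, steps 1-7.

    Invariants (the Euclid-type relations the explanation relies on):
        R0 = R2 * b  (mod g)   and   R1 = R3 * b  (mod g).
    They hold initially (R0 = g, R2 = 0; R1 = b, R3 = 1), and every step
    either adds one register pair to the other or divides a pair by x.
    """
    if not 0 < b < (1 << n):
        raise ValueError("b must be a nonzero element of GF(2^n)")
    r0, r1, r2, r3 = g, b, 0, 1
    h, k = n, n - 1                     # index of right-most 1 of R0 / R1
    while True:
        # step 1: while the left-most bit of R1 is 0, shift R1 and R3
        while r1 & 1 == 0:
            r1 >>= 1
            r3 = shift_left_mod(r3, g)
            k -= 1
        # step 2: bring k down to the true right-most 1 bit of R1
        while (r1 >> k) & 1 == 0:
            k -= 1
        # step 3: R1 has shrunk to the single bit 1, so R3 = b^(-1)
        if k == 0:
            return r3
        # steps 4-6: slide the 1 bit at index h of R0 down to index k.  Each
        # shift is preceded by clearing R0_0 (adding R1, whose bit 0 is 1).
        while h > k:
            if r0 & 1:
                r0 ^= r1
                r2 ^= r3
            r0 >>= 1
            r2 = shift_left_mod(r2, g)
            h -= 1
        # step 7: cancel the right-most 1 bit of R1 against the 1 bit of R0
        r1 ^= r0
        r3 ^= r2
        k -= 1


if __name__ == "__main__":
    # Constructed test inputs: g(x) = 1 + x + x^3 from Fig. 2 (n = 3) and the
    # AES polynomial x^8 + x^4 + x^3 + x + 1 (n = 8).
    assert gf_inv(0b010, 0b1011, 3) == 0b101          # x^-1 = x^2 + 1
    assert gf_inv(0x53, 0x11B, 8) == 0xCA
    assert all(gf_mul(b, gf_inv(b, 0x11B, 8), 0x11B, 8) == 1
               for b in range(1, 256))
    print("all inverses verified")
```

The `__main__` block checks the inverse against the product for every nonzero element of GF(2^8), which is the check a practitioner would run before trusting a register-level port. Note that the number of iterations of the step 1, step 2 and step 4 to 6 loops depends on the bit pattern of b, so a software port of this control flow is not constant-time; where b is derived from a secret (as in the private-key path of an elliptic curve scalar multiplication) a fixed-iteration, branch-free formulation would be needed.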
While some embodiments of the invention have been described by way of illustration, it will be apparent that the invention can be carried into practice with many modifications, variations and adaptations and with the use of the numerous equivalents or alternative solutions that are within the scope of persons skilled in the art, without departing from the spirit of the invention or exceeding the scope of the claims.

Claims

1. A method for generating a value for a modular multiplicative inverse of an element of a Galois Field GF(2^n) comprising the steps of:
- providing a first (R0), a second (R1), a third (R2) and a fourth (R3) register, wherein said first register stores n+1 bits, and wherein said second, third and fourth registers store n bits;
- causing said third and fourth registers to carry out, by a single left shift, a division operation by x modulo the generating polynomial (g(x)) of said Galois Field;
- storing in said first register said generating polynomial (g(x)) of said Galois Field;
- storing in said second register the field element to be inverted;
- storing zeros in said third register;
- storing in the left cell of said fourth register a 1 bit and storing zeros in the rest of the cells of said fourth register;
- adding the contents of said second register (R1) to the contents of said first register (R0) while adding simultaneously the contents of said fourth register (R3) to the contents of said third register (R2), thereby to convert the bit of value 1 in the left cell of said first register into 0;
- adding the contents of said first register (R0) to the contents of said second register (R1) while adding simultaneously the contents of said third register (R2) to the contents of said fourth register (R3), thereby to convert the right-most bit of value 1 in said second register into 0;
- carrying out simultaneously shift-left operations on said first register and said third register;
- carrying out simultaneously shift-left operations on said second register and said fourth register;
thereby to cancel bits of value 1 stored in said second register by canceling bits both from the most significant location and from the least significant location of said second register.
2. A method according to Claim 1, wherein a division operation modulo the generating polynomial (g(x)) of the Galois Field is effected by right-shifts of registers.
3. A method for generating a value for the product of two elements of the Galois field GF(2^n), for the square of an element of said field and for the multiplicative inverse of an element of said field, comprising the steps of:
- providing a first (R0), a second (R1), a third (R2) and a fourth (R3) register, wherein said first register stores n+1 bits, and wherein said second, third and fourth registers store n bits;
- causing said third and fourth registers to carry out, by a single left shift, a division operation by x modulo the generating polynomial (g(x)) of said Galois Field;
- causing said fourth register to carry out, by a single right shift and in addition to said left shift ability of said fourth register, a multiplication operation by x modulo said generating polynomial of said Galois Field;
- adding the contents of said second register (R1) to the contents of said first register (R0);
- adding the contents of said fourth register (R3) to the contents of said third register (R2);
- adding the contents of said first register (R0) to the contents of said second register (R1) while adding simultaneously the contents of said third register (R2) to the contents of said fourth register (R3);
- carrying out simultaneously shift-left operations on said first register and said third register;
- carrying out simultaneously shift-left operations on said second register and said fourth register;
thereby, by carrying out any of the aforesaid steps, generating a value for the product of two elements of the field GF(2^n), for the square of an element of said field and for the multiplicative inverse of an element of said field.
4. An apparatus for effecting Elliptic Curve Cryptographic operations over the field GF(2^n), comprising:
- a first register (R0) for storing n+1 bits;
- a second register (R1) for storing n bits;
- a third register (R2) for storing n bits;
- a fourth register (R3) for storing n bits;
- circuitry for shifting left said first register (R0);
- circuitry for reading externally the left bit (R0_0) of said first register such that when said left bit equals 1 the contents of said fourth register (R3) are added to those of said third register (R2);
- circuitry for reading externally the left bit (R0_0) of said first register such that when said left bit equals 1 the contents of said second register (R1) are added to those of said first register (R0);
- circuitry for shifting right said fourth register (R3) in a way that multiplies the contents of said fourth register by x modulo the generating polynomial (g(x)) of said field;
- circuitry for shifting left said second and fourth registers (R1 and R3) where each left shift of said fourth register divides its contents by x modulo said generating polynomial;
- circuitry for shifting left said first and third registers (R0 and R2) where each left shift of said third register divides its contents by x modulo said generating polynomial;
- circuitry for adding the contents of said first register (R0) to those of said second register (R1) and circuitry for adding the contents of said third register (R2) to those of said fourth register (R3).
5. Apparatus for effecting Elliptic Curve Cryptographic operations over the field GF(2^n), essentially as described and illustrated.
6. A method for generating a value for modular multiplicative inverses of a Galois Field GF(2^n), essentially as described and illustrated.
PCT/IL1999/000699 1998-12-31 1999-12-23 Method for generating a value for a multiplicative inverse of an element of a galois field WO2000041068A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU17951/00A AU1795100A (en) 1998-12-31 1999-12-23 Method for generating a value for a multiplicative inverse of an element of a galois field

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL127878 1998-12-31
IL12787898A IL127878A0 (en) 1998-12-31 1998-12-31 Method and apparatus for the efficient execution of elliptic curve cryptographic operation

Publications (1)

Publication Number Publication Date
WO2000041068A1 true WO2000041068A1 (en) 2000-07-13

Family

ID=11072326

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL1999/000699 WO2000041068A1 (en) 1998-12-31 1999-12-23 Method for generating a value for a multiplicative inverse of an element of a galois field

Country Status (3)

Country Link
AU (1) AU1795100A (en)
IL (1) IL127878A0 (en)
WO (1) WO2000041068A1 (en)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DE WIN E ET AL: "A fast software implementation for arithmetic operations in GF(2)", LECTURE NOTES IN COMPUTER SCIENCE,US,SPRINGER VERLAG, NEW YORK, NY, 1 January 1996 (1996-01-01), pages 65 - 76, XP002081362, ISSN: 0302-9743 *
GUO J -H ET AL: "SYSTOLIC ARRAY IMPLEMENTATION OF EUCLID'S ALGORITHM FOR INVERSION AND DIVISION IN GF(2M)", IEEE TRANSACTIONS ON COMPUTERS,US,IEEE INC. NEW YORK, vol. 47, no. 10, 1 October 1998 (1998-10-01), pages 1161 - 1167, XP000781998, ISSN: 0018-9340 *
SCHROEPPEL R ET AL: "FAST KEY EXCHANGE WITH ELLIPTIC CURVE SYSTEMS", PROCEEDINGS OF THE ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE (CRYPTO),DE,BERLIN, SPRINGER, vol. CONF. 15, 1995, pages 43 - 56, XP000533634, ISBN: 3-540-60221-6 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001071486A2 (en) * 2000-03-23 2001-09-27 Cipherit Ltd. Method and apparatus for the calculation of modular multiplicative inverses
WO2001071486A3 (en) * 2000-03-23 2002-02-28 Cipherit Ltd Method and apparatus for the calculation of modular multiplicative inverses
GB2458665A (en) * 2008-03-26 2009-09-30 Advanced Risc Mach Ltd Polynomial divider for the GF(2) field in which the coefficient of the highest degree term has a value of one and is not stored in a register
JP2011517496A (en) * 2008-03-26 2011-06-09 アーム・リミテッド Polynomial data processing operations
GB2458665B (en) * 2008-03-26 2012-03-07 Advanced Risc Mach Ltd Polynomial data processing operation
US8700688B2 (en) 2008-03-26 2014-04-15 U-Blox Ag Polynomial data processing operation
JP2019211446A (en) * 2018-06-08 2019-12-12 アンリツインフィビス株式会社 Article inspection device, article inspection system and program
JP7042166B2 (en) 2018-06-08 2022-03-25 アンリツ株式会社 Article inspection equipment, article inspection system and program

Also Published As

Publication number Publication date
IL127878A0 (en) 1999-10-28
AU1795100A (en) 2000-07-24

Legal Events

Date Code Title Description
ENP Entry into the national phase: Ref country code: AU; Ref document number: 2000 17951; Kind code of ref document: A; Format of ref document f/p: F
AK Designated states: Kind code of ref document: A1; Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW
AL Designated countries for regional patents: Kind code of ref document: A1; Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code: Ref country code: DE; Ref legal event code: 8642
122 Ep: pct application non-entry in european phase