A New Multiplication Technique for GF(2^m) with Cryptographic Significance. Athar Mahboob and Nassar Ikram, National University of Sciences & Technology,

Slide 1: A New Multiplication Technique for GF(2^m) with Cryptographic Significance
Athar Mahboob and Nassar Ikram, National University of Sciences & Technology, Pakistan
Presented at WISA 2004, August 23-25, 2004, Jeju Island, South Korea

Slide 2: Multiplication
Multiplication is a fundamental arithmetic operation in many algebraic structures such as GF(2^m). Other fundamental operations include addition, subtraction, squaring, division, inversion and exponentiation. Hence multiplication is the most important arithmetic operation, but it is more time consuming than addition, subtraction and squaring.
Addition and subtraction are the same operation in GF(2^m). Addition is not a computational bottleneck; its complexity is O(m).
Division can be replaced by inversion followed by multiplication. Inversion can be done using multiplication as per Fermat's Theorem.
Squaring can be done as a multiplication, but there are very fast methods for squaring in GF(2^m).
Exponentiation (repeated multiplication) can be done efficiently using the binary method and improved versions of it such as ITI.

Slide 3: Schoolbook Method
(Diagram: staggered rows of partial products, X, XX, XXX, ..., XXXXXXX.)
Examines the bits of the multiplier and adds shifted versions of the multiplicand based on each bit. Maps easily onto a shift-and-add scheme: partial products are first created, then added (accumulated) to generate the final product. The number of bit operations is O(m^2).

Slide 4: Our Research
GF(2^m) multiplication performance is critical for ECC cryptosystems defined using elliptic curves over GF(2^m). EC point addition and doubling require 6 additions, 1 squaring, 2 multiplications and 1 inversion. Inversions can be replaced by multiplications using projective coordinates. Inversions can also be done using multiplications and squarings (Fermat's Little Theorem).
Typical ECC field sizes are 112 < m < 600. Standard fields use an m which is prime (for presumed security). Standard fields support fast polynomial modular reduction.

Slide 5: Issues with GF(2^m) Multiplication in Software
Lack of a machine-level GF(2^m) word-level multiply instruction. Bit-level operations are required, such as examining a single bit at a time, shifts, ANDs and XORs.
Modular reduction may be a computational bottleneck for a general field polynomial. One must decide between interleaved modular reduction and fast modular reduction at the end. We do fast modular reduction using a trinomial or pentanomial at the end, like most typical ECC implementations.

Slide 6: Multitude of Multiplication Techniques
Multiplication
  Classical multiplication
  Modular multiplication
    GF(p)
      Multiplication followed by classical long division
      Multiplication followed by fast reduction techniques (Barrett reduction)
      Montgomery multiplication (dispenses with the modular reduction step)
    GF(2^m), polynomial basis
      Multiplication followed by classical long division
      Multiplication followed by fast reduction techniques (trinomial/pentanomial modular reduction)
      Montgomery multiplication (dispenses with the modular reduction step)
      Lookup-table based multiplication: for any m; for composite m
    GF(2^m), normal basis
      Massey-Omura multiplier

Slide 7: Classical Multiplication Techniques
Schoolbook: if nothing else makes sense.
Karatsuba: recursive binary subdivision technique.
Toom-Cook: recursive three-way subdivision technique.
FFT: asymptotically the fastest technique, not used for the sizes typical in PKC.
Comba: something similar to what we have proposed; little known in cryptographic circles, we do not have access to the source, and it has never been proposed for use in GF(2^m).
There are typical cutoff values where one technique starts to be more efficient than the others, due to the inherent overheads of each technique.

Slide 8: Classical Shift and Add

Slide 9: Shift and Add with Precomputation

Slide 10: Other LUT Techniques
Composite m: generally use composite extension fields, m = ab in GF(2^m). Perform arithmetic using a LUT in the subfield, where the LUT is small enough to fit in memory. Use logs and antilogs to convert multiplication into addition (which is just XOR), so that a bits are processed at a time instead of one bit as in shift-and-add. Not applicable to the standardized fields for ECC.
Any m: one general LUT technique creates the LUT on the fly for each different multiplier; it is more of a windowing technique. Our LUT is calculated once and for all, for all m and for all multipliers.

Slide 11: Our LUT Technique
Uses mullut, a 128 kbyte lookup table. Calculates the output one byte or one word at a time instead of first calculating partial products and then adding them.
Two versions: B-LUT generates the output one byte at a time; F-LUT generates the output one word (32 bits) at a time.

Slide 12: The LookUp Table (LUT)
The algorithm precomputes the product of all polynomials up to degree 7 with coefficients in GF(2).

Slide 13: Multiplication using mullut[256][256]
(Diagram: inputs A_0, B_0 for the 8x8 case and A_0, A_1, B_0, B_1 for the 16x16 case; partial products A_0B_0, A_0B_1, A_1B_0, A_1B_1; outputs C_0..C_3.) A_i and B_i are 8-bit values; each table entry A_iB_j is a 16-bit value. ^ denotes XOR and >> a right shift.
8x8 multiplication:
C_0 = A_0B_0 & 0xFF
C_1 = (A_0B_0 >> 8) & 0xFF
16x16 multiplication:
C_0 = A_0B_0 & 0xFF
C_1 = ((A_0B_0 >> 8) & 0xFF) ^ (A_0B_1 & 0xFF) ^ (A_1B_0 & 0xFF)
C_2 = ((A_0B_1 >> 8) & 0xFF) ^ ((A_1B_0 >> 8) & 0xFF) ^ (A_1B_1 & 0xFF)
C_3 = (A_1B_1 >> 8) & 0xFF

Slide 14: 32x32 multiplication using mullut[256][256]
(Diagram: inputs A_0..A_3 and B_0..B_3; the sixteen partial products A_iB_j arranged by i+j; outputs C_0..C_7.) A_i and B_i are 8-bit values. Shaded portions indicate something that affects its neighbours. Each C_i depends on the products A_jB_k whose indices add up to i. The effect of processing in word-size units is that the bytes at the boundaries of words have to produce some sort of carry into the neighbouring word.

Slide 15: The Pattern Emerges
C_0 = A_0B_0 & 0xFF
C_1 = ((A_0B_0 >> 8) & 0xFF) ^ (A_0B_1 & 0xFF) ^ (A_1B_0 & 0xFF)
C_2 = ((A_0B_1 >> 8) & 0xFF) ^ ((A_1B_0 >> 8) & 0xFF) ^ (A_0B_2 & 0xFF) ^ (A_1B_1 & 0xFF) ^ (A_2B_0 & 0xFF)
C_3 = ((A_0B_2 >> 8) & 0xFF) ^ ((A_1B_1 >> 8) & 0xFF) ^ ((A_2B_0 >> 8) & 0xFF) ^ (A_0B_3 & 0xFF) ^ (A_1B_2 & 0xFF) ^ (A_2B_1 & 0xFF) ^ (A_3B_0 & 0xFF)
C_4 = ((A_0B_3 >> 8) & 0xFF) ^ ((A_1B_2 >> 8) & 0xFF) ^ ((A_2B_1 >> 8) & 0xFF) ^ ((A_3B_0 >> 8) & 0xFF) ^ (A_1B_3 & 0xFF) ^ (A_2B_2 & 0xFF) ^ (A_3B_1 & 0xFF)
C_5 = ((A_1B_3 >> 8) & 0xFF) ^ ((A_2B_2 >> 8) & 0xFF) ^ ((A_3B_1 >> 8) & 0xFF) ^ (A_2B_3 & 0xFF) ^ (A_3B_2 & 0xFF)
C_6 = ((A_2B_3 >> 8) & 0xFF) ^ ((A_3B_2 >> 8) & 0xFF) ^ (A_3B_3 & 0xFF)
C_7 = (A_3B_3 >> 8) & 0xFF

Slide 16: B-LUT
We process 8 bits of the inputs at a time. The number of 8-bit units present in the inputs a and b is given as d. The output c before reduction consists of 2·d bytes. Each byte of the output is calculated by performing lookups into the table mullut and adding (XOR) the looked-up values after they have been shifted by the necessary amounts. The symbol & represents the bit-wise AND operation.
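The B-LUT scheme of slides 13 to 16 in working form, as an added example that is not the authors' code: the 256x256 table is built once from a bit-serial reference multiplier, each output byte is assembled from looked-up values shifted as on the slides, and a trinomial reduction is applied at the end as slide 5 describes. The names mullut, blut_mul, clmul_schoolbook, reduce_trinomial and gf2m_mul are our own.

```python
# Added example (not the authors' code): GF(2)[x] multiplication through a
# precomputed 256x256 table, producing the product one byte at a time as on the
# B-LUT slides. Names mullut, blut_mul, clmul_schoolbook, reduce_trinomial and
# gf2m_mul are ours; the table holds 65536 16-bit entries, i.e. 128 KB.

def clmul_schoolbook(a: int, b: int) -> int:
    """Bit-serial shift-and-add (carry-less) product; used as the reference."""
    c = 0
    while b:
        if b & 1:
            c ^= a
        a <<= 1
        b >>= 1
    return c

# mullut[i][j]: product of the degree<=7 polynomials i and j, computed once.
mullut = [[clmul_schoolbook(i, j) for j in range(256)] for i in range(256)]

def blut_mul(a: int, b: int, d: int) -> int:
    """Multiply two d-byte polynomials. Output byte C_k is the XOR of the low
    bytes of A_i*B_j with i+j == k and the high bytes with i+j == k-1; there
    are no carries in GF(2), so each byte is complete after its lookups."""
    A = [(a >> (8 * i)) & 0xFF for i in range(d)]
    B = [(b >> (8 * i)) & 0xFF for i in range(d)]
    c = 0
    for k in range(2 * d):
        byte = 0
        for i in range(d):
            if 0 <= k - i < d:
                byte ^= mullut[A[i]][B[k - i]] & 0xFF            # i+j == k
            if 0 <= k - 1 - i < d:
                byte ^= (mullut[A[i]][B[k - 1 - i]] >> 8) & 0xFF  # i+j == k-1
        c |= byte << (8 * k)
    return c

def reduce_trinomial(c: int, m: int, k: int) -> int:
    """Reduce modulo x^m + x^k + 1 at the end, as the slides do for standard
    fields: x^m == x^k + 1, so fold the high part down until degree < m."""
    while c >> m:
        high = c >> m
        c = (c & ((1 << m) - 1)) ^ high ^ (high << k)
    return c

def gf2m_mul(a: int, b: int, m: int, k: int) -> int:
    """Field multiplication in GF(2^m) with reduction polynomial x^m + x^k + 1."""
    d = (m + 7) // 8          # number of 8-bit units in each input
    return reduce_trinomial(blut_mul(a, b, d), m, k)
```

With m = 233 and k = 74 the reduction polynomial is the NIST B-233 trinomial, so gf2m_mul(a, b, 233, 74) is a field multiplication in a standardized ECC field.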

Slide 17: GF(2^16) Multiply Using mullut

Slide 18: F-LUT

Slide 19: Comparison with Other Techniques

Slide 20: Multiplier Performance Data

Slide 21: Impact on ECC Performance

Slide 22: Conclusions and Future Work
We presented two new algorithms for GF(2^m) multiplication using a lookup table, and the results of an implementation of the new LUT-based finite field multiplication techniques. We provided the results of our ECC implementation, showing the performance impact of our new GF(2^m) multiplication technique.
Future ideas: combine Karatsuba's algorithm with our LUT-based technique to cut down the base number of XORs, shifts and table lookups. We also intend to explore more efficient EC scalar multiplication techniques and the use of our multiplication technique for HECC.