Problems on Gaussian Normal Basis Multiplication for Elliptic Curve Cryptosystem C.W. Chiou, Y.-S. Sun, C.-M. Lee, Y.-L. Chiu, J.-M. Lin and C.-Y. Lee

Abstract. Several standards such as IEEE Standard 1363-2000 and FIPS 186-2 employ Gaussian normal basis (GNB). Gaussian normal basis is a special class of normal basis. Gaussian normal basis can solve the problem that multiplication in normal basis is a very difficult and complicated operation. Two equations have been proposed in the literature to transfer GNB to polynomial basis for easy multiplication. However, we find that GNB is not correctly transformed to polynomial basis for some m values over $GF(2^m)$. We will show the problems and expect some feedback about this problem from other researchers.

C.W. Chiou, Y.-S. Sun, C.-M. Lee, Y.-L. Chiu: Chien Hsin University of Science and Technology, Taoyuan City 32097, Taiwan, e-mail: {cwchiou,sunys,cmlee,B10013136}@uch.edu.tw
J.-M. Lin: Feng Chia University, Taichung City 407, Taiwan, e-mail: [email protected]
C.-Y. Lee: Lunghwa University of Science and Technology, Taoyuan City 33306, Taiwan, e-mail: [email protected]
© Springer International Publishing Switzerland 2016. T.T. Zin et al. (eds.), Genetic and Evolutionary Computing, Advances in Intelligent Systems and Computing 388, DOI: 10.1007/978-3-319-23207-2_20

1 Introduction

Elliptic curve cryptosystem (ECC) [1, 2] is a powerful public-key cryptosystem for ensuring the information security of M-commerce on resource-constrained smart phones. The arithmetic operations in $GF(2^m)$ have been largely applied in elliptic curve cryptosystems and pairing-based cryptography [3]. ECC requires a smaller key size than the RSA cryptosystem [4]. For example, ECC with a 160-bit key has the same security level as RSA with a 1024-bit key. Therefore, ECC is more suitable than RSA for resource-constrained devices. NIST and ANSI suggested finite fields for use in the ECDSA [5, 6]. Finite field multiplication is the most important arithmetic operation in $GF(2^m)$.


This is because other complicated arithmetic operations such as exponentiation, division, and inversion can be computed by repeated multiplications. Therefore, it is important to explore efficient multipliers over large finite fields for resource-constrained devices. The efficiency of multiplication in $GF(2^m)$ depends heavily on the representation of field elements. There are three popular bases for representing field elements: polynomial basis (PB) [7]-[15], dual basis (DB) [16]-[21], and normal basis (NB) [22]-[35]. The major advantage of normal basis is its almost hardware-free squaring operation, which is carried out by cyclically shifting the binary representation. Thus, NB multipliers are very efficient at squaring, and hence at the multiplicative inversion and exponentiation operations built on repeated squaring. However, multiplication in normal basis is hard to realize. To overcome this problem, some special classes of normal basis have been presented to simplify normal basis multiplication. Optimal normal basis (ONB) [27] is one special class with the lowest space complexity among normal bases, but only two types of ONB, type-1 and type-2, have been found in the literature. Gaussian normal basis (GNB) is a special class of normal basis with low hardware complexity; Ash et al. [36] showed that all positive integers except those divisible by eight have a GNB. Type-1 and type-2 ONB are the same as type-1 and type-2 GNB, respectively. GNB has now been widely applied in several standards such as IEEE Standard 1363-2000 [5], FIPS 186-2 [37], ISO 11770-3 [38], and ANSI X9.62 [6]. As mentioned above, multiplication using GNB is hard to realize. Thus, a GNB of type t (t an integer) over $GF(2^m)$ is transformed to a polynomial basis with mt elements. In other words, the PB transformed from a type-t GNB has t multiples of the m elements.

However, for some integer values of m, sufficient t multiples cannot be found. Two equations in the literature for computing the t multiples of the elements in GNB are applied to give the elements in PB from GNB. Results show that neither can find sufficient t multiples of the GNB elements for some integer values of m. This study will show this problem.

2 Background

For any positive integer m there is always a normal basis $\psi = \{\beta^{2^0}, \beta^{2^1}, \cdots, \beta^{2^{m-1}}\}$ of the finite field $GF(2^m)$, where β is a normal element. Any two elements A and B in $GF(2^m)$ can be represented as $A = (a_0, a_1, \cdots, a_{m-1}) = \sum_{i=0}^{m-1} a_i \beta^{2^i}$ and $B = (b_0, b_1, \cdots, b_{m-1}) = \sum_{i=0}^{m-1} b_i \beta^{2^i}$, where $a_i, b_i \in GF(2)$ for $0 \le i \le m-1$. The major features of the normal basis are as follows.

Proposition 1. Let A and B be two elements of $GF(2^m)$ represented in normal basis. Then:
1. $A^{2^r} = \sum_{i=0}^{m-1} a_{\langle i-r \rangle_m} \beta^{2^i}$ for $0 \le r \le m-1$, where $\langle x \rangle_m$ denotes $x \bmod m$.
2. $A^{2^m} = A$.
3. $(A + B)^2 = A^2 + B^2$.


Proposition 1 shows that squaring an element A in normal basis is just a right cyclic shift of its coordinates, and is therefore almost hardware-free. The normal basis is termed the Gaussian normal basis of type t (t is an integer) if $p = mt + 1$ is a prime number and $\gcd(mt/k, m) = 1$, where k is the multiplicative order of 2 modulo p. It is noted that GNBs exist for any positive integer m except when m is divisible by eight. The GNB of type t has the following properties:

$$\beta = \sum_{i=0}^{t-1} \gamma^{2^{mi}} \qquad (1)$$

$$\gamma^{mt+1} = \gamma^{(mt+1) \bmod (mt+1)} = 1 \qquad (2)$$

where γ is a primitive (mt + 1)th root of unity in $GF(2^m)$. Then β is called the Gaussian period of type (m, t).

3 The Proposed Problems for GNB with Type-t

A Gaussian normal basis of type t, $\psi = \{\beta^{2^0}, \beta^{2^1}, \cdots, \beta^{2^{m-1}}\}$, can be transformed to the polynomial basis $\psi^* = \{\gamma^1, \gamma^2, \cdots, \gamma^{mt}\}$ using one of the following two equations:

$$\beta = \sum_{i=0}^{t-1} \gamma^{\tau^i}, \quad \text{where } \tau^t = 1 \bmod (mt+1) \ [34] \qquad (3)$$

$$\beta = \gamma + \gamma^{2^m} + \cdots + \gamma^{2^{(t-1)m}} \ [33] \qquad (4)$$

Let any one element $A = (a_0, a_1, \cdots, a_{m-1}) = \sum_{i=0}^{m-1} a_i \beta^{2^i}$ belonging to the GNB ψ be represented as $A^* = (a_0^*, a_1^*, \cdots, a_{mt}^*)$ in the PB $\psi^*$ using (3) as follows:

$$A^* = \sum_{i=0}^{m-1} a_i \Big( \sum_{j=0}^{t-1} \gamma^{\tau^j} \Big)^{2^i} = \sum_{i=0}^{m-1} \big( a_i \gamma^{\tau^0 2^i} + a_i \gamma^{\tau^1 2^i} + \cdots + a_i \gamma^{\tau^{t-1} 2^i} \big) = \sum_{i=0}^{m-1} a_i \sum_{j=0}^{t-1} \gamma^{\tau^j 2^i} \qquad (5)$$

The element A can also be represented as $A^*$ using (4) as follows:

$$A^* = \sum_{i=0}^{m-1} \big( a_i \gamma + a_i \gamma^{2^m} + \cdots + a_i \gamma^{2^{(t-1)m}} \big)^{2^i} = \sum_{i=0}^{m-1} \big( a_i \gamma^{2^i} + a_i \gamma^{2^m 2^i} + \cdots + a_i \gamma^{2^{(t-1)m} 2^i} \big) \qquad (6)$$

From (5), $a_i$ of A is expanded to t multiples of $A^*$ as follows:

$$a_i = a^*_{\langle \tau^0 2^i \rangle} = a^*_{\langle \tau^1 2^i \rangle} = \cdots = a^*_{\langle \tau^{t-1} 2^i \rangle} \qquad (7)$$

where $\langle x \rangle$ denotes the operation $x \bmod (mt + 1)$. Similarly, from (6), we have

$$a_i = a^*_{\langle 2^0 2^i \rangle} = a^*_{\langle 2^m 2^i \rangle} = \cdots = a^*_{\langle 2^{(t-1)m} 2^i \rangle} \qquad (8)$$

Let us use the following examples to describe (7) and (8).

Example 1. Let m = 7 and let an element A be represented as $(a_0, a_1, \cdots, a_6)$ in GNB. We can find type-4 for m = 7. Based on (3), τ = 12 and mt + 1 = 29. A in GNB is transferred to $A^* = (a_1^*, a_2^*, \cdots, a_{28}^*)$ in PB according to (5) and (7) as follows:

$a_0 = a^*_{\langle 12^0 2^0 \rangle} = a^*_{\langle 12^1 2^0 \rangle} = a^*_{\langle 12^2 2^0 \rangle} = a^*_{\langle 12^3 2^0 \rangle} = a_1^* = a_{12}^* = a_{28}^* = a_{17}^*$,

where $\langle 12^0 2^0 \rangle = 1$, $\langle 12^1 2^0 \rangle = 12$, $\langle 12^2 2^0 \rangle = 28$, and $\langle 12^3 2^0 \rangle = 17$. Similarly, we have the following results:

$a_1 = a_2^* = a_{24}^* = a_{27}^* = a_5^*$, $a_2 = a_4^* = a_{19}^* = a_{25}^* = a_{10}^*$, $a_3 = a_8^* = a_9^* = a_{21}^* = a_{20}^*$, $a_4 = a_{16}^* = a_{18}^* = a_{13}^* = a_{11}^*$, $a_5 = a_3^* = a_7^* = a_{26}^* = a_{22}^*$, $a_6 = a_6^* = a_{14}^* = a_{23}^* = a_{15}^*$.

Example 2. Let m = 7; thus type-4 is given. Based on the other equation (6) and on (8), the results are listed as follows:

$a_i = a^*_{\langle 2^i \rangle} = a^*_{\langle 2^7 2^i \rangle} = a^*_{\langle 2^{2 \times 7} 2^i \rangle} = a^*_{\langle 2^{3 \times 7} 2^i \rangle}$,

$a_0 = a^*_{\langle 2^0 \rangle} = a^*_{\langle 2^7 2^0 \rangle} = a^*_{\langle 2^{2 \times 7} 2^0 \rangle} = a^*_{\langle 2^{3 \times 7} 2^0 \rangle} = a_1^* = a_{12}^* = a_{28}^* = a_{17}^*$,

where $\langle 2^0 \rangle = 1$, $\langle 2^7 2^0 \rangle = 12$, $\langle 2^{2 \times 7} 2^0 \rangle = 28$, and $\langle 2^{3 \times 7} 2^0 \rangle = 17$. Using (8), we obtain the following results:

$a_1 = a_2^* = a_{24}^* = a_{27}^* = a_5^*$, $a_2 = a_4^* = a_{19}^* = a_{25}^* = a_{10}^*$, $a_3 = a_8^* = a_9^* = a_{21}^* = a_{20}^*$, $a_4 = a_{16}^* = a_{18}^* = a_{13}^* = a_{11}^*$, $a_5 = a_3^* = a_7^* = a_{26}^* = a_{22}^*$, $a_6 = a_6^* = a_{14}^* = a_{23}^* = a_{15}^*$.


For m = 7, we correctly expand a GNB into a PB according to (7) and (8); Examples 1 and 2 show such correct results. But for some m values a GNB cannot be correctly expanded to a PB using (7) and (8). The following examples show such results.

Example 3. Suppose m = 15, and therefore any one element A is represented as $(a_0, a_1, \cdots, a_{14})$ in GNB. We can find type-2, and mt + 1 = 31, for m = 15. A in GNB is transferred to $A^* = (a_1^*, a_2^*, \cdots, a_{14}^*)$ according to (5) and (7) as follows:

$a_0 = a_1^* = a_{30}^*$, $a_1 = a_2^* = a_{29}^*$, $a_2 = a_4^* = a_{27}^*$, $a_3 = a_8^* = a_{23}^*$, $a_4 = a_{16}^* = a_{15}^*$,
$a_5 = a_1^* = a_{30}^*$, $a_6 = a_2^* = a_{29}^*$, $a_7 = a_4^* = a_{27}^*$, $a_8 = a_8^* = a_{23}^*$, $a_9 = a_{16}^* = a_{15}^*$,
$a_{10} = a_1^* = a_{30}^*$, $a_{11} = a_2^* = a_{29}^*$, $a_{12} = a_4^* = a_{27}^*$, $a_{13} = a_8^* = a_{23}^*$, $a_{14} = a_{16}^* = a_{15}^*$.

We note that $a_0$, $a_5$, and $a_{10}$ are all expanded to the same coefficients of $A^*$, namely $a_1^*$ and $a_{30}^*$. The other coefficients of A have similar results. Such expanding results are not correct. We use the other equation to check whether m = 15 has the same expanding results.

Example 4. Let m = 15; thus type-2 is given. Based on the other equation (6) and on (8), the results are listed as follows:

$a_0 = a_1^* = a_{30}^*$, $a_1 = a_2^* = a_{29}^*$, $a_2 = a_4^* = a_{27}^*$, $a_3 = a_8^* = a_{23}^*$, $a_4 = a_{16}^* = a_{15}^*$,
$a_5 = a_1^* = a_{30}^*$, $a_6 = a_2^* = a_{29}^*$, $a_7 = a_4^* = a_{27}^*$, $a_8 = a_8^* = a_{23}^*$, $a_9 = a_{16}^* = a_{15}^*$,
$a_{10} = a_1^* = a_{30}^*$, $a_{11} = a_2^* = a_{29}^*$, $a_{12} = a_4^* = a_{27}^*$, $a_{13} = a_8^* = a_{23}^*$, $a_{14} = a_{16}^* = a_{15}^*$.

The computation results again give the same wrong results. Why can equations (5) and (7) not give correct expanding results from a GNB to a PB for some m values?
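The following Python script is an added worked example, not code from the paper or its authors. It evaluates the index maps of equations (7) and (8) for the paper's parameters (m = 7, t = 4 from Examples 1 and 2; m = 15, t = 2 from Examples 3 and 4), reports which PB indices are hit by more than one GNB coefficient, and also evaluates the type-t condition stated in Section 2 (p = mt + 1 prime and gcd(mt/k, m) = 1 with k the multiplicative order of 2 modulo p) for the same pairs. The only assumption beyond the page is how τ in (3) is chosen: the script takes the smallest integer greater than 1 whose multiplicative order modulo mt + 1 is exactly t, which yields τ = 12 for m = 7 (as in Example 1) and τ = 30 for m = 15. All function names are the example's own.

```python
from math import gcd


def is_prime(n):
    """Trial-division primality test; sufficient for p = mt + 1 at these sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def mult_order(a, p):
    """Multiplicative order of a modulo the prime p: smallest k > 0 with a^k = 1 (mod p)."""
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def is_gnb_type(m, t):
    """Section 2 condition for a type-t GNB of GF(2^m):
    p = mt + 1 is prime and gcd(mt/k, m) = 1, where k is the order of 2 modulo p."""
    p = m * t + 1
    if not is_prime(p):
        return False
    k = mult_order(2, p)
    return gcd((m * t) // k, m) == 1


def gnb_type(m, max_t=100):
    """Smallest t (up to max_t) for which GF(2^m) has a type-t GNB, or None if there is none."""
    for t in range(1, max_t + 1):
        if is_gnb_type(m, t):
            return t
    return None


def find_tau(m, t):
    """Assumed (hypothetical) choice of tau for eq. (3): the smallest integer > 1 whose
    multiplicative order modulo p = mt + 1 is exactly t, so that tau^t = 1 (mod p)."""
    p = m * t + 1
    if t == 1:
        return 1
    for cand in range(2, p):
        if mult_order(cand, p) == t:
            return cand
    raise ValueError("no element of order %d modulo %d" % (t, p))


def expand_eq7(m, t, tau=None):
    """Eq. (7): a_i -> [<tau^0 2^i>, <tau^1 2^i>, ..., <tau^(t-1) 2^i>], <x> = x mod (mt + 1)."""
    p = m * t + 1
    if tau is None:
        tau = find_tau(m, t)
    return {i: [(pow(tau, j, p) * pow(2, i, p)) % p for j in range(t)] for i in range(m)}


def expand_eq8(m, t):
    """Eq. (8): a_i -> [<2^0 2^i>, <2^m 2^i>, ..., <2^((t-1)m) 2^i>], <x> = x mod (mt + 1)."""
    p = m * t + 1
    return {i: [pow(2, j * m + i, p) for j in range(t)] for i in range(m)}


def collisions(expansion):
    """PB indices claimed by more than one GNB coefficient (or twice by the same coefficient),
    mapped to the list of GNB coefficient indices i that claim them."""
    owners = {}
    for i, idxs in expansion.items():
        for x in idxs:
            owners.setdefault(x, []).append(i)
    return {x: v for x, v in owners.items() if len(v) > 1}


def is_bijective(expansion, m, t):
    """True when the mt PB indices 1..mt are each produced exactly once."""
    produced = sorted(x for idxs in expansion.values() for x in idxs)
    return produced == list(range(1, m * t + 1))


if __name__ == "__main__":
    for m, t in ((7, 4), (15, 2)):  # the paper's Example 1/2 and Example 3/4 parameters
        e7 = expand_eq7(m, t)
        print("m=%d t=%d p=%d  type-t condition holds: %s" % (m, t, m * t + 1, is_gnb_type(m, t)))
        print("  tau =", find_tau(m, t), " eq.(7) a_0 ->", e7[0], " a_1 ->", e7[1])
        print("  eq.(8) a_0 ->", expand_eq8(m, t)[0])
        print("  bijective:", is_bijective(e7, m, t), " collisions:", collisions(e7))
```

For m = 7, t = 4 every one of the 28 PB indices is produced exactly once and `gnb_type(7)` returns 4, matching Example 1. For m = 15, t = 2 the map is not a bijection: 2 has multiplicative order 5 modulo 31, so $2^i$ repeats every five steps and $a_0$, $a_5$, $a_{10}$ all land on $a_1^*$ and $a_{30}^*$, exactly the collision Example 3 lists. The Section 2 check reports that (m, t) = (15, 2) does not satisfy $\gcd(mt/k, m) = 1$, since $30/5 = 6$ and $\gcd(6, 15) = 3$, while (7, 4) does; the smallest t the condition admits for m = 15 is 4, and for m = 8 no t is found, in line with the existence statement from [36] quoted in the introduction.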

4 Conclusions

The major advantage of normal basis is its almost cost-free squaring operation. But multiplication in normal basis is very difficult. Therefore, some special classes of normal basis, such as optimal normal basis and Gaussian normal basis, are employed to overcome this problem. In general, a Gaussian normal basis is first transferred to polynomial basis. Two equations have been found in the literature to transform any one element in Gaussian normal basis into its representation in polynomial basis, where multiplication is an easy operation. However, we have pointed out that Gaussian normal basis cannot be correctly transferred to polynomial basis for some m values. We will address this problem in future research.


References

1. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
2. Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation 48, 203–209 (1987)
3. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM Journal on Computing 32(3), 586–615 (2003)
4. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 120–126 (1978)
5. IEEE Standard 1363-2000: IEEE standard specifications for public-key cryptography (January 2000)
6. ANSI X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA). American National Standards Institute (ANSI) (November 2005)
7. Bartee, T.C., Schneider, D.J.: Computation with finite fields. Information and Computing 6, 79–98 (1963)
8. Mastrovito, E.D.: VLSI architectures for multiplication over finite field GF(2^m). Applied algebra, algebraic algorithms, and error-correcting codes. In: Mora, T. (ed.) Proc. Sixth Int'l Conf., AAECC-6, Rome, pp. 297–309, July 1988
9. Koç, Ç.K., Sunar, B.: Low-complexity bit-parallel canonical and normal basis multipliers for a class of finite fields. IEEE Trans. Computers 47(3), 353–356 (1998)
10. Itoh, T., Tsujii, S.: Structure of parallel multipliers for a class of fields GF(2^m). Information and Computation 83, 21–40 (1989)
11. Lee, C.-Y., Yang, C.-S., Meher, B.K., Meher, P.K., Pan, J.-S.: Low-complexity digit-serial and scalable SPB/GPB multipliers over large binary extension fields using (b, 2)-way Karatsuba decomposition. IEEE Trans. Circuits and Systems-I: Regular Papers 61(11), 3115–3124 (2014)
12. Fan, H., Hasan, M.A.: A new approach to subquadratic space complexity parallel multipliers for extended binary fields. IEEE Trans. Computers 56(2), 224–233 (2007)
13. Huang, W.-T., Chang, C.H., Chiou, C.W., Tan, S.-Y.: Non-XOR approach for low-cost bit-parallel polynomial basis multiplier over GF(2^m). IET Information Security 5(3), 152–162 (2011)
14. Xie, J., He, J.J., Meher, P.K.: Low latency systolic Montgomery multiplier for finite field GF(2^m) based on pentanomials. IEEE Trans. VLSI Systems 21(2), 385–389 (2013)
15. Lee, C.-Y., Meher, P.K., Lee, W.-Y.: Subquadratic space complexity digit-serial multiplier over binary extension fields using Toom-Cook algorithm. In: Proc. of 2014 International Symposium on Integrated Circuits (ISIC), Singapore, pp. 176–179, December 10–12, 2014
16. Berlekamp, E.R.: Bit-serial Reed-Solomon encoder. IEEE Trans. Inf. Theory IT-28, 869–874 (1982)
17. Wu, H., Hasan, M.A., Blake, I.F.: New low-complexity bit-parallel finite field multipliers using weakly dual bases. IEEE Trans. Computers 47(11), 1223–1234 (1998)
18. Wang, M., Blake, I.F.: Bit serial multiplication in finite fields. SIAM J. Disc. Math. 3(1), 140–148 (1990)
19. Wang, J.-H., Chang, H.W., Chiou, C.W., Liang, W.-Y.: Low-complexity design of bit-parallel dual basis multiplier over GF(2^m). IET Information Security 6(4), 324–328 (2012)
20. Hua, Y.Y., Lin, J.-M., Chiou, C.W., Lee, C.-Y., Liu, Y.H.: A novel digit-serial dual basis Karatsuba multiplier over GF(2^m). Journal of Computers 23(2), 80–94 (2012)
21. Pan, J.-S., Azarderakhsh, R., Kermani, M.M., Lee, C.-Y., Lee, W.-Y., Chiou, C.W., Lin, J.-M.: Low-latency digit-serial systolic double basis multiplier over GF(2^m) using subquadratic Toeplitz matrix-vector product approach. IEEE Trans. Computers 63(5), 1169–1181 (2014)
22. Massey, J.L., Omura, J.K.: Computational method and apparatus for finite field arithmetic. U.S. Patent Number 4,587,627 (May 1986)
23. Wang, C.C., Truong, T.K., Shao, H.M., Deutsch, L.J., Omura, J.K., Reed, I.S.: VLSI architectures for computing multiplications and inverses in GF(2^m). IEEE Trans. Computers C-34(8), 709–717 (1985)
24. Reyhani-Masoleh, A.: Efficient algorithms and architectures for field multiplication using Gaussian normal bases. IEEE Trans. Computers 55(1), 34–47 (2006)
25. Agnew, G.B., Mullin, R.C., Onyszchuk, I.M., Vanstone, S.A.: An implementation for a fast public-key cryptosystem. Journal of Cryptology 3, 63–79 (1991)
26. Hasan, M.A., Wang, M.Z., Bhargava, V.K.: A modified Massey-Omura parallel multiplier for a class of finite fields. IEEE Trans. Computers 42(10), 1278–1280 (1993)
27. Kwon, S.: A low complexity and a low latency bit parallel systolic multiplier over GF(2^m) using an optimal normal basis of type II. In: Proc. of the 16th IEEE Symposium on Computer Arithmetic, Santiago de Compostela, Spain, pp. 196–202, June 15–18, 2003
28. Fan, H., Hasan, M.A.: Subquadratic computational complexity schemes for extended binary field multiplication using optimal normal bases. IEEE Trans. Computers 56(10), 1435–1437 (2007)
29. Lee, C.-Y., Chiou, C.W.: Scalable Gaussian normal basis multipliers over GF(2^m) using Hankel matrix-vector representation. Journal of Signal Processing Systems for Signal Image and Video Technology 69(2), 197–211 (2012)
30. Chiou, C.W., Chuang, T.-P., Lin, S.-S., Lee, C.-Y., Lin, J.-M., Yeh, Y.-C.: Palindromic-like representation for Gaussian normal basis multiplier over GF(2^m) with odd type-t. IET Information Security 6(4), 318–323 (2012)
31. Chiou, C.W., Chang, H.W., Liang, W.-Y., Lee, C.-Y., Lin, J.-M., Yeh, Y.-C.: Low-complexity Gaussian normal basis multiplier over GF(2^m). IET Information Security 6(4), 310–317 (2012)
32. Azarderakhsh, R., Reyhani-Masoleh, A.: Low-complexity multiplier architectures for single and hybrid-double multiplications in Gaussian normal bases. IEEE Trans. Computers 62(4), 744–757 (2013)
33. Yang, C.-S., Pan, J.-S., Lee, C.-Y.: Digit-serial GNB multiplier based on TMVP approach over GF(2^m). In: Proc. of 2013 Second International Conference on Robot, Vision and Signal Processing, Kitakyushu, Japan, pp. 123–128, December 10–12, 2013
34. Chiou, C.W., Chang, C.-C., Lee, C.-Y., Hou, T.-W., Lin, J.-M.: Concurrent error detection and correction in Gaussian normal basis multiplier over GF(2^m). IEEE Trans. Computers 58(6), 851–857 (2009)
35. Leone, M.: A new low complexity parallel multiplier for a class of finite fields. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 160–170. Springer, Heidelberg (2001)
36. Ash, D.W., Blake, I.F., Vanstone, S.A.: Low complexity normal bases. Discrete Applied Math. 25, 191–210 (1989)
37. FIPS 186-2: Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186-2, Nat'l Inst. of Standards and Technology (2000)
38. ISO/IEC 11770-3:2008: Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques (2008)
