Hardware Implementation of Finite-Field Arithmetic About the Authors Jean-Pierre Deschamps received an MS degree in elec- trical engineering from the University of Louvain, Belgium, in 1967, a PhD degree in computer science from the Autonomous University of Barcelona, Spain, in 1983, and a PhD degree in electrical engineering from the Polytechnic School of Lausanne, Switzerland, in 1984. He worked in several companies and universities. He is currently a professor at the University Rovira i Virgili, Tarragona, Spain. His research interests include ASIC and FPGA design, digital arithmetic, and cryptography. He is the author of seven books and about a hundred international papers. José Luis Imaña received the MS and PhD degrees, both in Physics, from Complutense University of Madrid, Spain, where he is currently a professor. His research interests include algorithms and VLSI architectures for computations in finite fields, cryptography, computer arithmetic, reconfigurable computing architectures, and formal methods in verification. He is the author of about 30 international papers and communications. Gustavo D. Sutter received an MS degree in computer science from State University UNCPBA of Tandil (Buenos Aires), Argentina, and a PhD degree from the Autonomous University of Madrid, Spain. He has been a professor at the UNCPBA, Argentina, and is currently a professor at the Autonomous University of Madrid, Spain. His research interests includes ASIC and FPGA design, digital arithmetic, and development of embed- ded systems. He is the author of one book and about 30 international papers and communications. Hardware Implementation of Finite-Field Arithmetic Jean-Pierre Deschamps José Luis Imaña Gustavo D. Sutter New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Copyright © 2009 by The McGraw-Hill Companies, Inc. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-154582-2 MHID: 0-07-154582-4 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-154581-5, MHID: 0-07-154581-6. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com. Information contained in this work has been obtained by The McGraw-Hill Companies, Inc. (“McGraw- Hill”) from sources believed to be reliable. However, neither McGraw-Hill nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw-Hill nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior co sent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARAN- TEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESS- LY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licen- sors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii 1 Mathematical Background . . . . . . . . . . . . . . . . . . . . . 1 1.1 Number Theory . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 Basic Defi nitions . . . . . . . . . . . . . . . . . 1 1.1.2 Euclidean Algorithms . . . . . . . . . . . . . 2 1.1.3 Congruences . . . . . . . . . . . . . . . . . . . . . 4 1.2 Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.1 Groups . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.2 Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.2.3 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 1.2.4 Polynomials . . . . . . . . . . . . . . . . . . . . . 11 1.2.5 Congruences of Polynomials . . . . . . . 15 1.3 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 1.3.1 Basic Properties . . . . . . . . . . . . . . . . . . 17 1.3.2 Field Extensions . . . . . . . . . . . . . . . . . . 18 1.3.3 Roots of Irreducible Polynomials . . . 20 1.3.4 Bases of Finite Fields . . . . . . . . . . . . . . 20 1.3.5 Finite Fields GF(2m) . . . . . . . . . . . . . . . 22 1.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2 mod m Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.1 Integer Division . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.1.1 Digit Recurrence Algorithms . . . . . . . 25 2.1.2 Nonrestoring Reducer . . . . . . . . . . . . 27 2.1.3 SRT Reducer . . . . . . . . . . . . . . . . . . . . . 29 2.2 Reduction mod 2k− a . . . . . . . . . . . . . . . . . . . . . 33 2.3 Precomputation of 2ik mod m . . . . . . . . . . . . . . 38 2.4 Barrett Reduction Algorithm . . . . . . . . . . . . . . 43 2.4.1 n-Digit to (k+ t)-Digit Reduction . . . 43 2.4.2 An Approximation of q . . . . . . . . . . . . 44 2.5 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.6 Specifi c Circuits . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.6.1 mod 239 Reducer . . . . . . . . . . . . . . . . . 49 2.6.2 mod (2192 − 264 − 1) Reducer . . . . . . . . 50 2.7 FPGA Implementation . . . . . . . . . . . . . . . . . . . 54 2.7.1 Nonrestoring Reducers . . . . . . . . . . . . 55 2.7.2 SRT Reducers . . . . . . . . . . . . . . . . . . . . 55 2.7.3 Reduction mod 2k− a . . . . . . . . . . . . . . 55 v vi Contents 2.7.4 Precomputation of 2ik mod m . . . . . . . 57 2.7.5 Barrett Reduction . . . . . . . . . . . . . . . . 58 2.7.6 Specifi c Circuits . . . . . . . . . . . . . . . . . . 59 2.8 Comments and Conclusions . . . . . . . . . . . . . . 59 2.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 3 mod m Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.1 Addition mod m . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.2 Subtraction mod m . . . . . . . . . . . . . . . . . . . . . . 63 3.3 Adder/Subtractor mod m . . . . . . . . . . . . . . . . 64 3.4 Multiplication mod m . . . . . . . . . . . . . . . . . . . . 66 3.4.1 Multiply and Reduce . . . . . . . . . . . . . 66 3.4.2 Double, Add, and Reduce . . . . . . . . 70 3.4.3 Montgomery Multiplication . . . . . . . 75 3.4.4 Comparison . . . . . . . . . . . . . . . . . . . . . 81 3.5 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . 82 3.6 FPGA Implementations . . . . . . . . . . . . . . . . . . 87 3.6.1 mod m Adders/Subtractors . . . . . . . . 87 3.6.2 mod m Multipliers . . . . . . . . . . . . . . . . 87 3.6.3 mod m Exponentiators . . . . . . . . . . . . 88 3.7 Comments and Conclusions . . . . . . . . . . . . . . 88 3.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 4 Operations over GF(p) . . . . . . . . . . . . . . . . . . . . . . . . 91 4.1 Euclidean Algorithm . . . . . . . . . . . . . . . . . . . . . 92 4.1.1 Integer Division . . . . . . . . . . . . . . . . . . 93 4.1.2 Multiplication and Subtraction . . . . . 96 4.1.3 mod p Division . . . . . . . . . . . . . . . . . . 98 4.2 Binary Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 100 4.3 Plus-Minus Algorithm . . . . . . . . . . . . . . . . . . . 104 4.4 Fermat’s Little Theorem . . . . . . . . . . . . . . . . . . 110 4.5 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 4.6 FPGA Implementations . . . . . . . . . . . . . . . . . . 113 4.6.1 Euclidean Algorithm . . . . . . . . . . . . . . 113 4.6.2 Binary Algorithm . . . . . . . . . . . . . . . . . 114 4.6.3 Plus-Minus Algorithm . . . . . . . . . . . . 114 4.6.4 Fermat’s Little Theorem . . . . . . . . . . . 115 4.7 Comments and Conclusions . . . . . . . . . . . . . . 116 4.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 5 Operations over Z[x]/f(x) . . . . . . . . . . . . . . . . . . . . . 117 p 5.1 Addition and Subtraction mod f(x) . . . . . . . . . 117 5.2 Multiplication mod f(x) . . . . . . . . . . . . . . . . . . 121 5.2.1 Two-Step Multiplication . . . . . . . . . . . 121 5.2.2 Serial Multiplication . . . . . . . . . . . . . . 123 5.3 Exponentiation mod f(x) . . . . . . . . . . . . . . . . . 128 Contents vii 5.4 Optimal Extension Fields . . . . . . . . . . . . . . . . . 132 5.5 FPGA Implementations . . . . . . . . . . . . . . . . . . 136 5.5.1 Adders of Polynomials mod p . . . . . . 136 5.5.2 Subtractors of Polynomials mod p . . . . . . . . . . . . . . . . . . . . . . . . . . 136 5.5.3 Adders/Subtractors of Polynomials mod p . . . . . . . . . . . . . . . . . . . . . . . . . . 137 5.5.4 Serial Multipliers . . . . . . . . . . . . . . . . . 137 5.5.5 Exponentiation . . . . . . . . . . . . . . . . . . . 137 5.6 Comments and Conclusions . . . . . . . . . . . . . . 138 5.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 6 Operations over GF(pm) . . . . . . . . . . . . . . . . . . . . . . . 139 6.1 Euclidean Algorithm . . . . . . . . . . . . . . . . . . . . . 140 6.2 Binary Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 147 6.3 Reduction to Multiplications over GF(pm) and Inversion over Z . . . . . . . . . . . . . . . . . . . . 154 p 6.4 Optimal Extension Fields . . . . . . . . . . . . . . . . . 156 6.5 FPGA Implementations . . . . . . . . . . . . . . . . . . 162 6.6 Comments and Conclusions . . . . . . . . . . . . . . 162 6.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 7 Operations over GF(2m)—Polynomial Bases . . . . . . 163 7.1 Multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 7.1.1 Two-Step Classic Multiplication . . . . 164 7.1.2 Karatsuba-Ofman Polynomial Multiplication . . . . . . . . . . . . . . . . . . . 169 7.1.3 Interleaved Multiplication . . . . . . . . . 171 7.1.4 Matrix-Vector Multipliers . . . . . . . . . . 174 7.1.5 Montgomery Multiplication . . . . . . . 182 7.2 Squaring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 7.3 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . 195 7.4 Division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 7.5 Inversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 7.6 Important Irreducible Polynomials . . . . . . . . 213 7.6.1 Equally Spaced Polynomials (ESPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 7.6.2 General Irreducible Polynomials . . . 214 7.6.3 All-One Polynomials (AOPs) . . . . . . . 216 7.6.4 Trinomials . . . . . . . . . . . . . . . . . . . . . . . 219 7.6.5 Pentanomials . . . . . . . . . . . . . . . . . . . . 221 7.7 FPGA Implementations . . . . . . . . . . . . . . . . . . 223 7.7.1 Classic Multipliers . . . . . . . . . . . . . . . . 224 7.7.2 Interleaved Multiplication . . . . . . . . . 224 7.7.3 Mastrovito Multipliers . . . . . . . . . . . . 224 viii Contents 7.7.4 Mastrovito Multipliers, Second Version . . . . . . . . . . . . . . . . . . . . . . . . . . 225 7.7.5 Interleaved Multiplication, Advanced Version . . . . . . . . . . . . . . . 225 7.7.6 Montgomery Multipliers . . . . . . . . . . 225 7.7.7 Classic Squaring . . . . . . . . . . . . . . . . . 227 7.7.8 LSB First Squarer, Second Version . . . . . . . . . . . . . . . . . . . . . . . . . . 227 7.7.9 Montgomery Squarer . . . . . . . . . . . . . 228 7.7.10 Binary Exponentiation . . . . . . . . . . . . 228 7.7.11 Montgomery Exponentiation . . . . . . . 229 7.7.12 Division . . . . . . . . . . . . . . . . . . . . . . . . . 229 7.7.13 Extended Euclidean Algorithm (EEA) for Inversion . . . . . . . . . . . . . . . 229 7.7.14 Modifi ed Almost Inverse Algorithm (MAIA) for Inversion . . . . . . . . . . . . . 230 7.7.15 Important Irreducible Polynomials . . . . . . . . . . . . . . . . . . . . . 230 7.8 Comments and Conclusions . . . . . . . . . . . . . . 231 7.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 8 Operations over GF(2m)—Normal Bases . . . . . . . . . 235 8.1 Some Properties of Normal Bases . . . . . . . . . . 236 8.2 Squaring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 8.3 Multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 8.4 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . 249 8.5 Inversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 8.6 Optimal Normal Bases . . . . . . . . . . . . . . . . . . . 259 8.7 FPGA Implementations . . . . . . . . . . . . . . . . . . 264 8.7.1 Multiplier . . . . . . . . . . . . . . . . . . . . . . . 265 8.7.2 Exponentiation . . . . . . . . . . . . . . . . . . . 265 8.7.3 Inversion . . . . . . . . . . . . . . . . . . . . . . . . 266 8.7.4 Type-I Optimal Normal Basis Multiplier with AOPs . . . . . . . . . . . . . 266 8.8 Comments and Conclusions . . . . . . . . . . . . . . 266 8.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 9 Operations over GF(2m)—Other Bases . . . . . . . . . . 269 9.1 Dual Bases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 9.2 Triangular Bases . . . . . . . . . . . . . . . . . . . . . . . . . 277 9.3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 10 An Example of Application—Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 10.1 Public-Key Cryptography . . . . . . . . . . . . . . . . 287 10.2 Elliptic Curve over a Finite Field . . . . . . . . . . 288 Contents ix 10.3 Group Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 10.4 Point Multiplication . . . . . . . . . . . . . . . . . . . . . 292 10.4.1 Defi nition . . . . . . . . . . . . . . . . . . . . . . . 292 10.4.2 Basic Algorithms . . . . . . . . . . . . . . . . . 293 10.4.3 Some Alternative Methods . . . . . . . . 294 10.5 Example of Implementation . . . . . . . . . . . . . . 304 10.5.1 Computation Resources . . . . . . . . . . . 305 10.5.2 Point Addition . . . . . . . . . . . . . . . . . . . 305 10.5.3 Point Multiplication . . . . . . . . . . . . . . 306 10.6 FPGA Implementation . . . . . . . . . . . . . . . . . . . 310 10.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 A p = 2192 – 264 – 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 A.1 Hexadecimal Representation . . . . . . . . . . . . . . 313 A.2 mod pReduction . . . . . . . . . . . . . . . . . . . . . . . . 313 A.2.1 Generic Sequential Circuit . . . . . . . . . . . 313 A.2.2 Specifi c Combinational Circuit. . . . . . . . 314 A.2.3 FPGA Implementation . . . . . . . . . . . . . 314 A.3 mod p Addition and Subtraction . . . . . . . . . . . 314 A.4 mod p Multiplication . . . . . . . . . . . . . . . . . . . . . 315 A.4.1 Generic Circuit . . . . . . . . . . . . . . . . . . . 315 A.4.2 Specifi c Circuit . . . . . . . . . . . . . . . . . . . 315 A.5 mod p Exponentiation . . . . . . . . . . . . . . . . . . . . 316 A.6 mod p Division . . . . . . . . . . . . . . . . . . . . . . . . . . 317 B Optimal Extension Fields . . . . . . . . . . . . . . . . . . . . . . 319 B.1 GF(23917) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 B.1.1 VHDL Models and Constant Defi nitions . . . . . . . . . . . . . . . . . . . . . . . 319 B.1.2 FPGA Implementations . . . . . . . . . . . . 320 B.2 GF((232− 387)6) . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 B.2.1 Constants . . . . . . . . . . . . . . . . . . . . . . . . 321 B.2.2 mod p Reduction . . . . . . . . . . . . . . . . . . 323 B.2.3 mod p Addition and Subtraction . . . . . . 323 B.2.4 mod p Multiplication . . . . . . . . . . . . . . 324 B.2.5 mod p Division . . . . . . . . . . . . . . . . . . . 324 B.2.6 mod (x6− 2) Multiplication . . . . . . . . . 325 B.2.7 mod (x6− 2) Division . . . . . . . . . . . . . . 326 C Binary Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 C.1 GF(2163) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 C.1.1 mod f(x) Multiplication . . . . . . . . . . . . 331 C.1.2 mod f(x) Division . . . . . . . . . . . . . . . . . 331 C.1.3 Squaring . . . . . . . . . . . . . . . . . . . . . . . . . 332 C.1.4 Elliptic-Curve Operations . . . . . . . . . . 332