*Pages 364*
*Year 2009*

Hardware Implementation of Finite-Field Arithmetic

About the Authors

Jean-Pierre Deschamps received an MS degree in electrical engineering from the University of Louvain, Belgium, in 1967, a PhD degree in computer science from the Autonomous University of Barcelona, Spain, in 1983, and a PhD degree in electrical engineering from the Polytechnic School of Lausanne, Switzerland, in 1984. He worked in several companies and universities. He is currently a professor at the University Rovira i Virgili, Tarragona, Spain. His research interests include ASIC and FPGA design, digital arithmetic, and cryptography. He is the author of seven books and about a hundred international papers.

José Luis Imaña received the MS and PhD degrees, both in Physics, from Complutense University of Madrid, Spain, where he is currently a professor. His research interests include algorithms and VLSI architectures for computations in finite fields, cryptography, computer arithmetic, reconfigurable computing architectures, and formal methods in verification. He is the author of about 30 international papers and communications.

Gustavo D. Sutter received an MS degree in computer science from State University UNCPBA of Tandil (Buenos Aires), Argentina, and a PhD degree from the Autonomous University of Madrid, Spain. He has been a professor at the UNCPBA, Argentina, and is currently a professor at the Autonomous University of Madrid, Spain. His research interests include ASIC and FPGA design, digital arithmetic, and development of embedded systems. He is the author of one book and about 30 international papers and communications.

Hardware Implementation of Finite-Field Arithmetic

Jean-Pierre Deschamps
José Luis Imaña
Gustavo D. Sutter

New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2009 by The McGraw-Hill Companies, Inc. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-154582-2 MHID: 0-07-154582-4 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-154581-5, MHID: 0-07-154581-6. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com. Information contained in this work has been obtained by The McGraw-Hill Companies, Inc. (“McGraw-Hill”) from sources believed to be reliable. However, neither McGraw-Hill nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw-Hill nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms.
Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

Contents

Preface . . . xi
Acknowledgments . . . xiii

1 Mathematical Background . . . 1
  1.1 Number Theory . . . 1
    1.1.1 Basic Definitions . . . 1
    1.1.2 Euclidean Algorithms . . . 2
    1.1.3 Congruences . . . 4
  1.2 Algebra . . . 8
    1.2.1 Groups . . . 8
    1.2.2 Rings . . . 9
    1.2.3 Fields . . . 10
    1.2.4 Polynomials . . . 11
    1.2.5 Congruences of Polynomials . . . 15
  1.3 Finite Fields . . . 17
    1.3.1 Basic Properties . . . 17
    1.3.2 Field Extensions . . . 18
    1.3.3 Roots of Irreducible Polynomials . . . 20
    1.3.4 Bases of Finite Fields . . . 20
    1.3.5 Finite Fields GF(2^m) . . . 22
  1.4 References . . . 23

2 mod m Reduction . . . 25
  2.1 Integer Division . . . 25
    2.1.1 Digit Recurrence Algorithms . . . 25
    2.1.2 Nonrestoring Reducer . . . 27
    2.1.3 SRT Reducer . . . 29
  2.2 Reduction mod 2^k − a . . . 33
  2.3 Precomputation of 2^ik mod m . . . 38
  2.4 Barrett Reduction Algorithm . . . 43
    2.4.1 n-Digit to (k + t)-Digit Reduction . . . 43
    2.4.2 An Approximation of q . . . 44
  2.5 Comparison . . . 48
  2.6 Specific Circuits . . . 49
    2.6.1 mod 239 Reducer . . . 49
    2.6.2 mod (2^192 − 2^64 − 1) Reducer . . . 50
  2.7 FPGA Implementation . . . 54
    2.7.1 Nonrestoring Reducers . . . 55
    2.7.2 SRT Reducers . . . 55
    2.7.3 Reduction mod 2^k − a . . . 55
    2.7.4 Precomputation of 2^ik mod m . . . 57
    2.7.5 Barrett Reduction . . . 58
    2.7.6 Specific Circuits . . . 59
  2.8 Comments and Conclusions . . . 59
  2.9 References . . . 60

3 mod m Operations . . . 61
  3.1 Addition mod m . . . 61
  3.2 Subtraction mod m . . . 63
  3.3 Adder/Subtractor mod m . . . 64
  3.4 Multiplication mod m . . . 66
    3.4.1 Multiply and Reduce . . . 66
    3.4.2 Double, Add, and Reduce . . . 70
    3.4.3 Montgomery Multiplication . . . 75
    3.4.4 Comparison . . . 81
  3.5 Exponentiation . . . 82
  3.6 FPGA Implementations . . . 87
    3.6.1 mod m Adders/Subtractors . . . 87
    3.6.2 mod m Multipliers . . . 87
    3.6.3 mod m Exponentiators . . . 88
  3.7 Comments and Conclusions . . . 88
  3.8 References . . . 89

4 Operations over GF(p) . . . 91
  4.1 Euclidean Algorithm . . . 92
    4.1.1 Integer Division . . . 93
    4.1.2 Multiplication and Subtraction . . . 96
    4.1.3 mod p Division . . . 98
  4.2 Binary Algorithm . . . 100
  4.3 Plus-Minus Algorithm . . . 104
  4.4 Fermat’s Little Theorem . . . 110
  4.5 Comparison . . . 112
  4.6 FPGA Implementations . . . 113
    4.6.1 Euclidean Algorithm . . . 113
    4.6.2 Binary Algorithm . . . 114
    4.6.3 Plus-Minus Algorithm . . . 114
    4.6.4 Fermat’s Little Theorem . . . 115
  4.7 Comments and Conclusions . . . 116
  4.8 References . . . 116

5 Operations over Zp[x]/f(x) . . . 117
  5.1 Addition and Subtraction mod f(x) . . . 117
  5.2 Multiplication mod f(x) . . . 121
    5.2.1 Two-Step Multiplication . . . 121
    5.2.2 Serial Multiplication . . . 123
  5.3 Exponentiation mod f(x) . . . 128
  5.4 Optimal Extension Fields . . . 132
  5.5 FPGA Implementations . . . 136
    5.5.1 Adders of Polynomials mod p . . . 136
    5.5.2 Subtractors of Polynomials mod p . . . 136
    5.5.3 Adders/Subtractors of Polynomials mod p . . . 137
    5.5.4 Serial Multipliers . . . 137
    5.5.5 Exponentiation . . . 137
  5.6 Comments and Conclusions . . . 138
  5.7 References . . . 138

6 Operations over GF(p^m) . . . 139
  6.1 Euclidean Algorithm . . . 140
  6.2 Binary Algorithm . . . 147
  6.3 Reduction to Multiplications over GF(p^m) and Inversion over Zp . . . 154
  6.4 Optimal Extension Fields . . . 156
  6.5 FPGA Implementations . . . 162
  6.6 Comments and Conclusions . . . 162
  6.7 References . . . 162

7 Operations over GF(2^m)—Polynomial Bases . . . 163
  7.1 Multiplication . . . 164
    7.1.1 Two-Step Classic Multiplication . . . 164
    7.1.2 Karatsuba-Ofman Polynomial Multiplication . . . 169
    7.1.3 Interleaved Multiplication . . . 171
    7.1.4 Matrix-Vector Multipliers . . . 174
    7.1.5 Montgomery Multiplication . . . 182
  7.2 Squaring . . . 187
  7.3 Exponentiation . . . 195
  7.4 Division . . . 204
  7.5 Inversion . . . 206
  7.6 Important Irreducible Polynomials . . . 213
    7.6.1 Equally Spaced Polynomials (ESPs) . . . 213
    7.6.2 General Irreducible Polynomials . . . 214
    7.6.3 All-One Polynomials (AOPs) . . . 216
    7.6.4 Trinomials . . . 219
    7.6.5 Pentanomials . . . 221
  7.7 FPGA Implementations . . . 223
    7.7.1 Classic Multipliers . . . 224
    7.7.2 Interleaved Multiplication . . . 224
    7.7.3 Mastrovito Multipliers . . . 224
    7.7.4 Mastrovito Multipliers, Second Version . . . 225
    7.7.5 Interleaved Multiplication, Advanced Version . . . 225
    7.7.6 Montgomery Multipliers . . . 225
    7.7.7 Classic Squaring . . . 227
    7.7.8 LSB First Squarer, Second Version . . . 227
    7.7.9 Montgomery Squarer . . . 228
    7.7.10 Binary Exponentiation . . . 228
    7.7.11 Montgomery Exponentiation . . . 229
    7.7.12 Division . . . 229
    7.7.13 Extended Euclidean Algorithm (EEA) for Inversion . . . 229
    7.7.14 Modified Almost Inverse Algorithm (MAIA) for Inversion . . . 230
    7.7.15 Important Irreducible Polynomials . . . 230
  7.8 Comments and Conclusions . . . 231
  7.9 References . . . 231

8 Operations over GF(2^m)—Normal Bases . . . 235
  8.1 Some Properties of Normal Bases . . . 236
  8.2 Squaring . . . 238
  8.3 Multiplication . . . 238
  8.4 Exponentiation . . . 249
  8.5 Inversion . . . 255
  8.6 Optimal Normal Bases . . . 259
  8.7 FPGA Implementations . . . 264
    8.7.1 Multiplier . . . 265
    8.7.2 Exponentiation . . . 265
    8.7.3 Inversion . . . 266
    8.7.4 Type-I Optimal Normal Basis Multiplier with AOPs . . . 266
  8.8 Comments and Conclusions . . . 266
  8.9 References . . . 267

9 Operations over GF(2^m)—Other Bases . . . 269
  9.1 Dual Bases . . . 269
  9.2 Triangular Bases . . . 277
  9.3 References . . . 284

10 An Example of Application—Elliptic Curve Cryptography . . . 287
  10.1 Public-Key Cryptography . . . 287
  10.2 Elliptic Curve over a Finite Field . . . 288
  10.3 Group Law . . . 290
  10.4 Point Multiplication . . . 292
    10.4.1 Definition . . . 292
    10.4.2 Basic Algorithms . . . 293
    10.4.3 Some Alternative Methods . . . 294
  10.5 Example of Implementation . . . 304
    10.5.1 Computation Resources . . . 305
    10.5.2 Point Addition . . . 305
    10.5.3 Point Multiplication . . . 306
  10.6 FPGA Implementation . . . 310
  10.7 References . . . 311

A p = 2^192 − 2^64 − 1 . . . 313
  A.1 Hexadecimal Representation . . . 313
  A.2 mod p Reduction . . . 313
    A.2.1 Generic Sequential Circuit . . . 313
    A.2.2 Specific Combinational Circuit . . . 314
    A.2.3 FPGA Implementation . . . 314
  A.3 mod p Addition and Subtraction . . . 314
  A.4 mod p Multiplication . . . 315
    A.4.1 Generic Circuit . . . 315
    A.4.2 Specific Circuit . . . 315
  A.5 mod p Exponentiation . . . 316
  A.6 mod p Division . . . 317

B Optimal Extension Fields . . . 319
  B.1 GF(239^17) . . . 319
    B.1.1 VHDL Models and Constant Definitions . . . 319
    B.1.2 FPGA Implementations . . . 320
  B.2 GF((2^32 − 387)^6) . . . 321
    B.2.1 Constants . . . 321
    B.2.2 mod p Reduction . . . 323
    B.2.3 mod p Addition and Subtraction . . . 323
    B.2.4 mod p Multiplication . . . 324
    B.2.5 mod p Division . . . 324
    B.2.6 mod (x^6 − 2) Multiplication . . . 325
    B.2.7 mod (x^6 − 2) Division . . . 326

C Binary Fields . . . 331
  C.1 GF(2^163) . . . 331
    C.1.1 mod f(x) Multiplication . . . 331
    C.1.2 mod f(x) Division . . . 331
    C.1.3 Squaring . . . 332
    C.1.4 Elliptic-Curve Operations . . . 332
  C.2 GF(2^233) . . . 333
    C.2.1 mod f(x) Multiplication . . . 333
    C.2.2 mod f(x) Division . . . 334
    C.2.3 Squaring . . . 334
    C.2.4 Elliptic-Curve Operations . . . 334

D Ada versus VHDL . . . 337

Index . . . 341

Preface

Finite fields are used in different types of computers and digital communication systems. Two well-known examples are error-correction codes and cryptography. The traditional way of implementing the corresponding algorithms is software, running on general-purpose processors or on digital-signal processors. Nevertheless, in some cases the time constraints cannot be met with instruction-set processors, and specific hardware must be considered, that is, circuits specifically designed for executing those complex algorithms: they implement the particular computation primitives of the algorithms and profit from their inherent parallelism.

Apart from the application-specific integrated circuit (ASIC) solution, another technology at hand for developing specific circuits is constituted by field-programmable gate arrays (FPGAs). They form an attractive option for small production quantities as their nonrecurrent engineering costs are much lower than those corresponding to ASICs. They also offer flexibility and fast time-to-market. Furthermore, in order to reduce their size, and so the unit cost, an interesting possibility is to reconfigure them at run time so that the same programmable device can execute different predefined functions.

This book describes algorithms and circuits for executing the main finite-field operations, that is, addition, subtraction, multiplication, squaring, exponentiation, and division. It is mainly addressed to hardware engineers involved in the development of embedded systems, including finite-field operations. Distinguishing features of this book are the following:

• The emphasis is different from the classic texts on finite fields. It is not limited to the description of algebraic and algorithmic aspects. The main topic is circuit synthesis.
• A special importance has been given to FPGA implementations. The particular architecture of these components leads the designer to use synthesis techniques somewhat different from the ones applied for ASICs, for which standard cell libraries exist. Throughout the book examples of FPGA implementation are described.
• Most algorithms are described in Ada, a programming language similar to VHDL, so that they can be executed and the correctness of the proposed algorithms can be verified with actual input data.
• As regards the description of the circuits, logic schemes are presented as well as VHDL models, in such a way that the corresponding circuits can be easily simulated and synthesized.

Overview

The book is divided into 10 chapters. The first chapter (mathematical background) gives the main definitions and properties of finite fields. Chapters 2 to 4 are dedicated to the operations modulo m and the corresponding circuits. Chapter 2 deals with the modulo m reduction, Chap. 3 with the modulo m addition, subtraction, multiplication, and exponentiation, and Chap. 4 with the modulo p division, where p is a prime. Chapters 5 and 6 are dedicated to the operations modulo f(x), where f(x) is a polynomial over a finite field, and to the corresponding circuits. Chapter 5 deals with the modulo f(x) addition, subtraction, multiplication, and exponentiation, and Chap. 6 with the modulo f(x) division, where f(x) is an irreducible polynomial. Chapters 7 to 9 are dedicated to the main arithmetic operations over GF(2^m). In Chap. 7 polynomial bases are considered (thus, a particular case of the topics dealt with in Chaps. 5 and 6). In Chap. 8 normal bases are used, and in Chap. 9 dual and triangular bases are considered. Chapter 10 is dedicated to elliptic-curve cryptography, currently one of the main finite-field applications.

There are four appendices. Three of them describe circuits for performing arithmetic operations over some particular fields, namely a prime field GF(2^192 − 2^64 − 1) in App. A, two optimal extension fields GF(239^17) and GF((2^32 − 387)^6) in App. B, and two binary extension fields GF(2^163) and GF(2^233) in App. C. Appendix D is a brief comparison of the syntaxes of Ada and VHDL.

All the chapters but the first include algorithms, circuits, and results of FPGA implementations. The algorithms are described in Ada and the circuits are modeled in VHDL. Complete and executable source files (Ada and VHDL) are available at the authors’ Web site www.arithmetic-circuits.org.

Acknowledgments

The authors are grateful to the following universities for providing them the means for carrying this work through to a successful conclusion: University Rovira i Virgili (Tarragona, Spain), Autonomous University of Madrid (Spain), and Complutense University of Madrid (Spain).


CHAPTER 1

Mathematical Background

This chapter presents some topics in mathematics; it is intended to make this book self-contained. For further details the reader can refer to textbooks on Algebra ([Coh93], [GN03], [Her75], [Hun74]), Number Theory ([Kob94], [Ros92], [Ros00], [Gar59]), Finite Fields ([LN83], [LN94], [McC87], [Men93]), and Cryptography [MOV96], from which the following material has been mainly extracted.

1.1 Number Theory

1.1.1 Basic Definitions

Definitions 1.1
1. The set of natural numbers[1] N = {0, 1, 2, 3, . . .}.
2. The set of integers Z = { . . . , −3, −2, −1, 0, 1, 2, 3, . . . }.

[1] For convenience, the element zero has been included in N.

Definition 1.2 Given two integers x and y, y divides x (y is a divisor of x) if there exists an integer z such that x = zy.

Definition 1.3 Given two integers x and y, with y > 0, there exist two integers q (the quotient) and r (the remainder) such that

x = qy + r, where 0 ≤ r < y

It can be proven that q and r are unique. Then (notation)

r = x mod y, q = x div y

An alternative definition:

Definition 1.4 (integer division) Given two integers x and y, with y > 0, there exist two integers q (the quotient) and r (the remainder) such that

x = qy + r, where 0 ≤ r < y if x ≥ 0 and −y < r ≤ 0 if x < 0

It can be proven that q and r are unique. Then (notation)

r = x rem y, q = x/y

Examples 1.1
1. x = −16, y = 3:
   −16 mod 3 = 2, −16 div 3 = −6, −16 = −6 · 3 + 2
   −16 rem 3 = −1, −16/3 = −5, −16 = −5 · 3 + (−1)
2. x = −15, y = 3:
   −15 mod 3 = 0, −15 div 3 = −5, −15 = −5 · 3 + 0
   −15 rem 3 = 0, −15/3 = −5, −15 = −5 · 3 + 0

Definitions 1.5
1. Given two integers x and y, z is the greatest common divisor of x and y if z is a natural number (nonnegative integer), z divides both x and y, and any other common divisor of x and y is also a divisor of z. Notation: z = gcd(x, y).
2. Given two integers x and y, they are said to be relatively prime if gcd(x, y) = 1.
3. An integer p > 1 is said to be prime if its only positive divisors are 1 and p.

1.1.2 Euclidean Algorithms

Given two natural numbers x and y, the Euclidean algorithm for natural numbers computes gcd(x, y). It is based on a series of integer divisions:

r(i − 1) = q(i)r(i) + r(i + 1), where 0 ≤ r(i + 1) < r(i)

Observe that any divisor of r(i − 1) and r(i) is also a divisor of r(i) and r(i + 1), so that gcd(r(i − 1), r(i)) = gcd(r(i), r(i + 1)). Initially

r(0) = x and r(1) = y

Then compute

r(0) = q(1)r(1) + r(2)
r(1) = q(2)r(2) + r(3)
r(2) = q(3)r(3) + r(4)
. . .
r(n − 3) = q(n − 2)r(n − 2) + r(n − 1)
r(n − 2) = q(n − 1)r(n − 1) + r(n)

where r(1) > r(2) > . . . > r(n) = 0 and gcd(r(i − 1), r(i)) = gcd(r(i), r(i + 1)), so that

gcd(x, y) = gcd(r(0), r(1)) = . . . = gcd(r(n − 1), r(n)) = gcd(r(n − 1), 0) = r(n − 1)

Example 1.2 Let r(0) = x = 9520 and r(1) = y = 3120:
9520 = 3 · 3120 + 160
3120 = 19 · 160 + 80
160 = 2 · 80 + 0
Then gcd(9520, 3120) = 80.

In the extended Euclidean algorithm a series of coefficients b(i) and c(i) is calculated in parallel with the computation of r(0), r(1), r(2), . . . , r(n):

b(0) = 1, c(0) = 0
b(1) = 0, c(1) = 1
b(2) = b(0) − b(1)q(1), c(2) = c(0) − c(1)q(1)
. . .
b(n − 1) = b(n − 3) − b(n − 2)q(n − 2), c(n − 1) = c(n − 3) − c(n − 2)q(n − 2)

It can be demonstrated by induction that

r(i) = b(i)x + c(i)y, ∀ i = 0, 1, 2, . . . , n − 1

In particular

gcd(x, y) = r(n − 1) = b(n − 1)x + c(n − 1)y

In conclusion the extended Euclidean algorithm expresses the greatest common divisor z of two natural numbers x and y as a linear combination of x and y, that is,

z = bx + cy    (1.1)

Algorithm 1.1—Extended Euclidean algorithm

if x = 0 then z := y; b := 0; c := 1;
elsif y = 0 then z := x; b := 1; c := 0;
else
  r_i := x; r_iplus1 := y;
  b_i := 1; c_i := 0; b_iplus1 := 0; c_iplus1 := 1;
  -- loop invariant: r_i = b_i*x + c_i*y and r_iplus1 = b_iplus1*x + c_iplus1*y
  while r_iplus1 > 0 loop
    q := r_i/r_iplus1; r_iplus2 := r_i mod r_iplus1;   -- integer division
    b_iplus2 := b_i - b_iplus1*q; c_iplus2 := c_i - c_iplus1*q;
    r_i := r_iplus1; r_iplus1 := r_iplus2;
    b_i := b_iplus1; b_iplus1 := b_iplus2;
    c_i := c_iplus1; c_iplus1 := c_iplus2;
  end loop;
  z := r_i; b := b_i; c := c_i;                         -- z = gcd(x, y) = b*x + c*y
end if;

Example 1.3 Let r_i = x = 230490, r_iplus1 = y = 43290, b_i = c_iplus1 = 1, b_iplus1 = c_i = 0.
Step 1: q = 230490/43290 = 5; r_iplus2 = 230490 mod 43290 = 14040
  b_iplus2 = 1 − 0 · 5 = 1; c_iplus2 = 0 − 1 · 5 = −5
  r_i = 43290; r_iplus1 = 14040
  b_i = 0; b_iplus1 = 1
  c_i = 1; c_iplus1 = −5
Step 2: q = 43290/14040 = 3; r_iplus2 = 43290 mod 14040 = 1170
  b_iplus2 = 0 − 1 · 3 = −3; c_iplus2 = 1 + 5 · 3 = 16
  r_i = 14040; r_iplus1 = 1170
  b_i = 1; b_iplus1 = −3
  c_i = −5; c_iplus1 = 16
Step 3: q = 14040/1170 = 12; r_iplus2 = 14040 mod 1170 = 0
  b_iplus2 = 1 + 3 · 12 = 37; c_iplus2 = −5 − 16 · 12 = −197
  r_i = 1170; r_iplus1 = 0
  b_i = −3; b_iplus1 = 37
  c_i = 16; c_iplus1 = −197
b = b_i = −3; c = c_i = 16; gcd(230490, 43290) = z = r_i = 1170 = −3 · 230490 + 16 · 43290

1.1.3 Congruences

Definition 1.6 Given two integers x and y, and a positive integer n, x is congruent to y modulo n if n divides the difference (x − y). Notation: x ≡ y (mod n)

Properties 1.1 (basic properties of congruences)
1. x ≡ y (mod n) if and only if (x mod n) = (y mod n) (Definition 1.3).
2. The relation x ≡ y (mod n) is an equivalence relation (reflexive, symmetric, and transitive).
3. If x1 ≡ y1 (mod n) and x2 ≡ y2 (mod n), then

(x1 + x2) ≡ (y1 + y2) (mod n), (x1 − x2) ≡ (y1 − y2) (mod n), (x1x2) ≡ (y1y2) (mod n)    (1.2)

From Properties 1.1(1 and 2), it can be seen that the mod n congruence relation partitions Z into n equivalence classes. Each equivalence class contains exactly one element of the set {0, 1, 2, . . . , n − 1}, namely the common value (x mod n) for all elements x of the class. Furthermore, according to Property 1.1(3), the addition, subtraction, and multiplication of congruence classes can be defined. As a matter of fact the set of equivalence classes is isomorphic to Zn = {0, 1, 2, . . . , n − 1} where the addition, the subtraction, and the multiplication are defined by

(x + y) mod n, (x − y) mod n, (xy) mod n, ∀ x and y in Zn

Definition 1.7 Given two elements x and y of Zn such that xy mod n = 1, y is said to be the multiplicative inverse of x. If such an inverse exists, it is unique. Notation: y = x^(−1) mod n

Property 1.2 x has a multiplicative inverse if and only if gcd(x, n) = 1.

Proof If xy ≡ 1 (mod n), then xy = qn + 1, so that any divisor of x and n is also a divisor of 1. Thus, gcd(x, n) = 1. Conversely, if gcd(x, n) = 1, then (relation 1.1) there exist b and c such that 1 = bx + cn, so that x^(−1) = b mod n.

More generally:

Properties 1.3
1. Let g = gcd(a, n). Then the equation ax ≡ d (mod n) has a solution x if and only if g divides d.
2. The solutions of ax ≡ d (mod n) are the same as the solutions of (a/g)x ≡ (d/g) (mod n/g).
3. There are g solutions, all of them congruent modulo n/g.

Proofs
1. If ax ≡ d (mod n), then ax − d = qn. As g divides both a and n, it also divides d. If g divides d, then d = qg. According to Eq. (1.1), g is a linear combination of a and n, that is, g = ba + cn. So d = q(ba + cn) and x = qb is a solution.
2. If g divides d and ax ≡ d (mod n), that is, ax − d = qn, then (a/g)x − (d/g) = q(n/g) and (a/g)x ≡ (d/g) (mod n/g). Inversely, if (a/g)x ≡ (d/g) (mod n/g) then ax ≡ d (mod n).
3. As a/g and n/g are relatively prime, there is a unique solution within Z_(n/g), namely, x = x0 = (d/g)(a/g)^(−1) mod n/g. The complete set of solutions within Zn is

xk = x0 + k(n/g), ∀ k = 0, 1, . . . , g − 1

Observe that if k < g and x0 < (n/g), then xk ≤ (n/g) − 1 + (g − 1)(n/g) = n − 1.
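Algorithm 1.1 and the two results built on it above (Property 1.2, where the coefficient b of relation 1.1 is the inverse, and Properties 1.3, where the g solutions of ax ≡ d (mod n) are generated from x0) carried out in Python, as an added example that is not the book's own Ada code. The function names are this example's own, and the prime p = 2^192 − 2^64 − 1 of App. A is used only as a realistic-size test modulus.

```python
# Added example (not from the book): Algorithm 1.1 transcribed from the
# Ada description, then Property 1.2 and Properties 1.3 on top of it.
# Function names and test values are this example's own choices.

# The prime of App. A, used here only as a realistic-size modulus.
P192 = 2**192 - 2**64 - 1


def extended_euclid(x: int, y: int):
    """Return (z, b, c) with z = gcd(x, y) = b*x + c*y  (relation 1.1).

    Direct transcription of Algorithm 1.1: the loop keeps the invariant
    r_i = b_i*x + c_i*y and r_iplus1 = b_iplus1*x + c_iplus1*y, and
    shifts the (r, b, c) triples one step per iteration. x, y >= 0.
    """
    if x == 0:
        return y, 0, 1
    if y == 0:
        return x, 1, 0
    r_i, r_iplus1 = x, y
    b_i, c_i, b_iplus1, c_iplus1 = 1, 0, 0, 1
    while r_iplus1 > 0:
        q = r_i // r_iplus1            # q := r_i / r_iplus1 (integer division)
        r_iplus2 = r_i % r_iplus1      # r_iplus2 := r_i mod r_iplus1
        b_iplus2 = b_i - b_iplus1 * q
        c_iplus2 = c_i - c_iplus1 * q
        r_i, r_iplus1 = r_iplus1, r_iplus2
        b_i, b_iplus1 = b_iplus1, b_iplus2
        c_i, c_iplus1 = c_iplus1, c_iplus2
    return r_i, b_i, c_i


def mod_inverse(x: int, n: int):
    """x^(-1) mod n as in the proof of Property 1.2; None if gcd(x, n) != 1.

    From 1 = b*x + c*n the coefficient b, reduced mod n, is the inverse.
    """
    g, b, _ = extended_euclid(x % n, n)
    if g != 1:
        return None
    return b % n


def solve_linear_congruence(a: int, d: int, n: int):
    """All x in Z_n with a*x ≡ d (mod n), following Properties 1.3.

    Returns [] when g = gcd(a, n) does not divide d (no solution).
    Otherwise x0 = (d/g)*(a/g)^(-1) is computed in Z_(n/g) and the g
    solutions are x_k = x0 + k*(n/g), k = 0..g-1, all below n.
    """
    a_red = a % n
    g, _, _ = extended_euclid(a_red, n)
    if d % g != 0:
        return []
    a_g, d_g, n_g = a_red // g, (d % n) // g, n // g
    x0 = (d_g * mod_inverse(a_g, n_g)) % n_g
    return [x0 + k * n_g for k in range(g)]


if __name__ == "__main__":
    print(extended_euclid(230490, 43290))        # Example 1.3: (1170, -3, 16)
    print(mod_inverse(3, 7), mod_inverse(4, 8))  # 5 and None (gcd(4, 8) = 4)
    print(solve_linear_congruence(6, 4, 10))     # g = 2 solutions: [4, 9]
    print(mod_inverse(2, P192) == (P192 + 1) // 2)
```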

Definitions 1.8
1. The set of elements x of Zn relatively prime with n is the multiplicative group Zn*: Zn* = {x ∈ Zn | gcd(x, n) = 1}
2. The Euler phi function φ(n) is the number of elements in Zn*.

According to Property 1.2, Zn* is the set of invertible elements of Zn. In particular, if p is a prime number then

Zp* = {1, 2, . . . , p − 1} and φ(p) = p − 1

Property 1.4 (Fermat's little theorem) Let p be a prime. Any integer x satisfies $x^p \equiv x \pmod p$, and any integer x not divisible by p satisfies $x^{p-1} \equiv 1 \pmod p$.

Proof If x is not divisible by p and if ix ≡ jx (mod p), that is, (i − j)x = qp, then i ≡ j (mod p). Thus

$(1x)(2x) \cdots ((p-1)x) \equiv 1 \cdot 2 \cdots (p-1) \pmod p$

As the p − 1 above multiples of x are distinct and nonzero, they must be congruent to 1, 2, 3, . . . , p − 1 in some order. So

$(p-1)!\,x^{p-1} \equiv (p-1)! \pmod p$ or $(p-1)!\,(x^{p-1} - 1) \equiv 0 \pmod p$

As p does not divide (p − 1)!, $x^{p-1} - 1 \equiv 0 \pmod p$, that is, $x^{p-1} \equiv 1 \pmod p$ and $x^p \equiv x \pmod p$. If x is divisible by p, then $x^p \equiv x \equiv 0 \pmod p$.

Corollary 1.1 Let p be a prime. If x is not divisible by p and if r ≡ s (mod p − 1), then $x^r \equiv x^s \pmod p$.

Proof Assume that r > s. Then r = q(p − 1) + s and $1 \equiv 1^q \equiv (x^{p-1})^q \equiv x^{r-s} \pmod p$, so that $x^r \equiv x^s \pmod p$.

Definitions 1.9
1. The order of an element x of Zn* is the least positive integer t such that $x^t \equiv 1 \pmod n$.
2. If the order of x is equal to the number φ(n) of elements in Zn*, then x is said to be a generator or primitive element of Zn*.
3. If Zn* has a generator, then Zn* is said to be cyclic. Observe that if x is a generator, then $Z_n^* = \{x^1, x^2, x^3, \ldots, x^{\varphi(n)}\}$.

Example 1.4 Z7 = {0, 1, 2, 3, 4, 5, 6} and Z7* = {1, 2, 3, 4, 5, 6}; 7 is prime and φ(7) = 6;

$1^1 \equiv 1$, $2^3 \equiv 1$, $3^6 \equiv 1$, $4^3 \equiv 1$, $5^6 \equiv 1$, $6^2 \equiv 1 \pmod 7$;

there are two generators: 3 and 5; for example:

$3^1 \equiv 3$, $3^2 \equiv 2$, $3^3 \equiv 6$, $3^4 \equiv 4$, $3^5 \equiv 5$, $3^6 \equiv 1 \pmod 7$.

1.2 Algebra

1.2.1 Groups

Definitions 1.10 A group (G, *) consists of a set G with a binary operation * on G satisfying the following three axioms:
1. x * (y * z) = (x * y) * z, ∀ x, y, z ∈ G (associativity).
2. There is an identity (or unity) element 1 in G, such that x * 1 = 1 * x = x, ∀ x ∈ G.
3. For each element x of G there exists an element $x^{-1}$, called the inverse of x, such that $x * x^{-1} = x^{-1} * x = 1$.
If, furthermore,
4. x * y = y * x, ∀ x, y ∈ G (commutativity),
the group is said to be commutative (or abelian). Axioms 1 and 2 define a semigroup.

Examples 1.5
• The set of integers Z with the operation + forms a group, with 0 as identity element.
• The set Zn with the operation of addition modulo n forms a group, with 0 as identity element.
• The set Zn with the operation of multiplication modulo n is not a group, since not all elements have multiplicative inverses.
• The set Zn* with the operation of multiplication modulo n forms a group, with 1 as identity element.

The following definitions generalize Definitions 1.9:

Definitions 1.11
1. The order of an element x of a finite group G is the least positive integer t such that $x^t = x * x * \cdots * x = 1$ (t factors).
2. If the order of x is equal to the number n of elements in G, then x is said to be a generator of G.
3. If G has a generator, then G is said to be cyclic.

Property 1.5 The order of an element x of a finite group G divides the number of elements in G.

Proof First observe that if H is a subgroup of G, then an equivalence relation on G can be defined: g1 ≡ g2 if there exists an element h in H such that g1h = g2. The number of elements in an equivalence class is equal to the number |H| of elements in H. Thus the number |G| of elements in G is equal to |H||G/H|, G/H being the set of classes and |G/H| the number of classes. In other words, the number of elements of a subgroup divides the number of elements of the group. It remains to observe that the set $\{x, x^2, \ldots, x^t = 1\}$, where t is the order of x, is a subgroup, so that the number t of elements of the subgroup divides the number of elements in G.

Example 1.6 Consider the multiplicative group Z7* = {1, 2, 3, 4, 5, 6}.

In this case, 3 and 5 are generators; the subgroup generated by 2 is {2, 4, 1}; the corresponding classes are then {2, 4, 1} and {6, 5, 3}; the number of elements (3) of the subgroup divides the number of elements (6) of Z7*.
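The computations of Properties 1.2 and 1.3 and of Examples 1.4 and 1.6, carried out in Python as an added illustration (this is not the book's code): Bezout coefficients from the extended Euclidean algorithm, the g solutions of ax ≡ d (mod n), orders and generators of Zn*, and the classes of the subgroup relation used in the proof of Property 1.5. Function names are this example's own.

```python
"""Arithmetic in Z_n: Bezout coefficients, the linear congruence
a*x = d (mod n) of Properties 1.3, orders and generators of Z_n^*
(Definitions 1.9) and the classes of a subgroup (Property 1.5).
Added illustration; names are this example's own, not the book's."""


def ext_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (relation 1.1)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(x, n):
    """x^-1 mod n when gcd(x, n) = 1 (Property 1.2), otherwise None."""
    g, b, _ = ext_gcd(x, n)
    return b % n if g == 1 else None


def solve_linear_congruence(a, d, n):
    """All x in Z_n with a*x = d (mod n), following Properties 1.3:
    no solution unless g = gcd(a, n) divides d; otherwise the reduced
    congruence (a/g)x = d/g (mod n/g) has one solution x_0 and the
    full solution set is x_k = x_0 + k*(n/g), k = 0 .. g-1."""
    g, _, _ = ext_gcd(a, n)
    if d % g != 0:
        return []
    a_r, d_r, n_r = a // g, d // g, n // g
    x0 = (d_r * mod_inverse(a_r, n_r)) % n_r      # unique in Z_{n/g}
    return [x0 + k * n_r for k in range(g)]


def order(x, n):
    """Least t > 0 with x^t = 1 (mod n); x must satisfy gcd(x, n) = 1."""
    t, y = 1, x % n
    while y != 1:
        y = (y * x) % n
        t += 1
    return t


def units(n):
    """Z_n^* = {x in Z_n : gcd(x, n) = 1} (Definitions 1.8)."""
    return [x for x in range(1, n) if ext_gcd(x, n)[0] == 1]


def generators(n):
    """Elements of Z_n^* whose order equals phi(n) = |Z_n^*|."""
    u = units(n)
    return [x for x in u if order(x, n) == len(u)]


def cosets(subgroup, n):
    """Classes of the relation g1 ~ g2 iff g2 = g1*h for some h in the
    subgroup (proof of Property 1.5); every class has |subgroup| elements."""
    seen, classes = set(), []
    for g in units(n):
        if g in seen:
            continue
        cls = sorted((g * h) % n for h in subgroup)
        seen.update(cls)
        classes.append(cls)
    return classes
```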

1.2.2 Rings

Definitions 1.12 A ring (R, +, *) consists of a set R with two binary operations + and *, satisfying the following axioms:
1. (R, +) is a commutative group with additive identity element 0.
2. x * (y * z) = (x * y) * z, ∀ x, y, z ∈ R (associativity).
3. There is a multiplicative identity element 1, with 1 ≠ 0, such that x * 1 = 1 * x = x, ∀ x ∈ R.
4. x * (y + z) = (x * y) + (x * z) and (x + y) * z = (x * z) + (y * z), ∀ x, y, z ∈ R (distributivity).
If, furthermore,
5. x * y = y * x, ∀ x, y ∈ R (commutativity),
the ring is said to be commutative.

Examples 1.7
• The set of integers Z with the usual operations + and · is a commutative ring.
• The set Zn with the addition and multiplication modulo n operations is a commutative ring.

Definitions 1.13
1. A subset S of a ring R is called a subring of R, provided that S is closed under + and * and forms a ring under these operations.
2. A subset J of a ring R is called an ideal, provided that J is a subring of R and for all a ∈ J and b ∈ R we have that ab ∈ J and ba ∈ J.

1.2.3 Fields

Definitions 1.14 A field (F, +, *) consists of a set F with two binary operations + and *, with an additive identity element 0 and a multiplicative identity element 1, satisfying the following axioms:
1. (F, +, *) is a commutative ring.
2. All nonzero elements of F have a multiplicative inverse.

Definition 1.15 The characteristic of a field is the least positive integer m such that $\sum_{i=1}^{m} 1 = 0$. Otherwise, the characteristic of a field is 0 if 1 + 1 + . . . + 1 (m times) is never equal to 0 for any m > 0.

Examples 1.8
• The real numbers R form a field of characteristic 0 under the usual operations.
• The set of integers Z with the usual operations of addition (+) and multiplication (·) is not a field, because the only nonzero elements with multiplicative inverses are 1 and −1.
• The set Zp with the usual operations of addition and multiplication modulo p is a field if and only if p is a prime. If p is prime, then Zp has characteristic p.
• Consider the field Z5. The tables for the addition and multiplication operations modulo 5 are as follows (Table 1.1):

  +  | 0  1  2  3  4        ⋅  | 0  1  2  3  4
-----+---------------     -----+---------------
  0  | 0  1  2  3  4        0  | 0  0  0  0  0
  1  | 1  2  3  4  0        1  | 0  1  2  3  4
  2  | 2  3  4  0  1        2  | 0  2  4  1  3
  3  | 3  4  0  1  2        3  | 0  3  1  4  2
  4  | 4  0  1  2  3        4  | 0  4  3  2  1

TABLE 1.1 Addition and Multiplication over Z5

Definitions 1.16
1. A subset E of a field F is a subfield of F if E is itself a field with respect to the operations of F. In such a case, F is said to be an extension field of E. If E ≠ F, we say that E is a proper subfield of F.
2. A field containing no proper subfields is called a prime field.

1.2.4 Polynomials

Definitions 1.17
1. If R is a commutative ring, then a polynomial in the indeterminate x over R is an expression of the form $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ where $a_i \in R$, ∀ i ∈ {0, 1, . . . , n}. The element $a_i$ is called the coefficient of $x^i$ in f(x).
2. The largest integer m (if any) such that $a_m \ne 0$ is the degree of f(x). It is denoted deg(f), and $a_m$ is called the leading coefficient. If all the coefficients of f(x) are equal to 0, then f(x) is called the zero polynomial and its degree is defined to be equal to −∞. The zero-degree polynomials are also called constant polynomials.
3. A monic polynomial is a polynomial whose leading coefficient is equal to 1.
4. The polynomial ring R[x] is the ring formed by the set of all polynomials in the indeterminate x with coefficients in R. The two operations are the standard polynomial addition and multiplication, with coefficient arithmetic performed in R. The additive identity element 0 is the zero polynomial. The multiplicative identity element 1 is the monic constant polynomial.

Example 1.9 Let $f(x) = x^4 + 3x^3 + 2x + 4$ and $g(x) = 4x^3 + 3x + 4$ be elements of the polynomial ring $Z_5[x]$. The addition and multiplication of the two polynomials are as follows:

$f(x) + g(x) = x^4 + 2x^3 + 3$
$f(x)g(x) = 4x^7 + 2x^6 + 3x^5 + x^4 + 3x^3 + x^2 + 1$

In the following text, we will deal almost exclusively with polynomials over an arbitrary field F.

Definition 1.18 Thanks to the fact that F is a field, all the nonzero coefficients have an inverse and the standard polynomial division can also be performed. Thus, if g(x) and h(x) ≠ 0 are polynomials in F[x], then there exist two polynomials q(x) (the quotient) and r(x) (the remainder) in F[x] such that

g(x) = q(x)h(x) + r(x), where deg(r) < deg(h)   (1.3)

Notation: r(x) = g(x) mod h(x), q(x) = g(x) div h(x)


Definitions 1.19
1. Given two polynomials g(x) and h(x), h(x) divides g(x) (or h(x) is a divisor of g(x)) if there exists a polynomial q(x) such that g(x) = q(x)h(x).
2. Given two polynomials g(x) and h(x), not both equal to 0, the greatest common divisor of g(x) and h(x) is the monic polynomial of greatest degree which divides both g(x) and h(x).
3. gcd(0, 0) = 0.
4. A polynomial f(x) of degree at least 1 is said to be irreducible if it cannot be written as the product of two polynomials, each of positive degree.

A variant of the Euclidean algorithm for polynomials [GG03] expresses the greatest common divisor of two polynomials g(x) and h(x) in the form

gcd(g, h) = b(x)g(x) + c(x)h(x)

The algorithm is based on the fact that if u(x) and v(x) are two polynomials such that deg(u) = m, deg(v) = t and m > t, that is,

$u(x) = u_m x^m + u_{m-1} x^{m-1} + \cdots + u_1 x + u_0$
$v(x) = v_t x^t + v_{t-1} x^{t-1} + \cdots + v_1 x + v_0$

then

$v(x)\, u_m (v_t)^{-1} x^{m-t} = (v_t x^t + v_{t-1} x^{t-1} + \cdots + v_1 x + v_0)\, u_m (v_t)^{-1} x^{m-t} = u_m x^m + r'(x)$

where deg(r') < m, so that

$u(x) = (v(x)\, u_m (v_t)^{-1} x^{m-t} - r'(x)) + u_{m-1} x^{m-1} + \cdots + u_1 x + u_0 = v(x)\, u_m (v_t)^{-1} x^{m-t} + r(x)$

where

$r(x) = u_{m-1} x^{m-1} + \cdots + u_1 x + u_0 - r'(x)$

so that deg(r) < m and max(deg(r), deg(v)) < deg(u). Furthermore,

gcd(u, v) = gcd(v, r)   (1.4)

The sequence of operations is almost the same as for computing the greatest common divisor of two integers. A series of polynomials r(0), r(1), r(2), . . . are generated. Initially assume that deg(g) > deg(h) and define r(0) = g(x) and r(1) = h(x). At each step the decomposition [Eq. (1.4)] is used:

u(x) = r(i − 1), v(x) = r(i), m = deg(r(i − 1)), t = deg(r(i)), deg(r(i − 1)) > deg(r(i))

so that r(i − 1) = q(i)r(i) + r(i + 1), where

$q(i) = u_m (v_t)^{-1} x^{m-t}$, r(i + 1) = r(i − 1) − q(i)r(i), deg(r(i + 1)) < m = deg(r(i − 1))

At the end of the step, r(i) and r(i + 1) are interchanged if deg(r(i)) < deg(r(i + 1)). Operations:

r(0) = g(x)
r(1) = h(x)
r(0) = r(1)q(1) + r(2), if deg(r(1)) < deg(r(2)) interchange r(1) and r(2)
r(1) = r(2)q(2) + r(3), if deg(r(2)) < deg(r(3)) interchange r(2) and r(3)
r(2) = r(3)q(3) + r(4), if deg(r(3)) < deg(r(4)) interchange r(3) and r(4)
...
r(n − 3) = r(n − 2)q(n − 2) + r(n − 1), if deg(r(n − 2)) < deg(r(n − 1)) interchange r(n − 2) and r(n − 1)
r(n − 2) = r(n − 1)q(n − 1) + r(n)

where deg(r(0)) > deg(r(1)) > . . . > deg(r(n)) = 0 and gcd(r(i), r(i + 1)) = gcd(r(i + 1), r(i + 2)), so that

gcd(g, h) = gcd(r(0), r(1)) = . . . = gcd(r(n − 1), r(n))

Let $r_0$ be the coefficient of $x^0$ in r(n). If $r_0 = 0$, then gcd(g, h) = gcd(r(n − 1), 0) = r(n − 1).


If $r_0 \ne 0$, then gcd(g, h) = gcd(r(n − 1), $r_0$) = 1.

In parallel with the computation of r(0), r(1), r(2), . . . , r(n), two series of polynomials b(i) and c(i) are generated:

b(0) = 1
b(1) = 0
b(2) = b(0) − b(1)q(1), if deg(r(1)) < deg(r(2)) interchange b(1) and b(2)
...
b(n − 1) = b(n − 3) − b(n − 2)q(n − 2), if deg(r(n − 2)) < deg(r(n − 1)) interchange b(n − 2) and b(n − 1)
b(n) = b(n − 2) − b(n − 1)q(n − 1)

c(0) = 0
c(1) = 1
c(2) = c(0) − c(1)q(1), if deg(r(1)) < deg(r(2)) interchange c(1) and c(2)
...
c(n − 1) = c(n − 3) − c(n − 2)q(n − 2), if deg(r(n − 2)) < deg(r(n − 1)) interchange c(n − 2) and c(n − 1)
c(n) = c(n − 2) − c(n − 1)q(n − 1)

It can be demonstrated by induction that r(i) = b(i)g(x) + c(i)h(x), ∀ i = 0, 1, 2, . . . , n. So, if $r_0 = 0$ then

gcd(g, h) = r(n − 1) = b(n − 1)g(x) + c(n − 1)h(x)

and if $r_0 \ne 0$, then

$\gcd(g, h) = 1 = r_0^{-1} r(n) = r_0^{-1} b(n) g(x) + r_0^{-1} c(n) h(x)$

In the following algorithm u stands for r(i − 1), v for r(i), r for r(i + 1), b for b(i − 1), d for b(i), bb for b(i + 1), c for c(i − 1), e for c(i), cc for c(i + 1):

Algorithm 1.2—Variant of the extended Euclidean algorithm for polynomials

u := g; v := h; b := 1; c := 0; d := 0; e := 1;
m := degree(u); t := degree(v);
if t = 0 then
  if v(0) = 0 then z := u;
  else z := 1; b := 0; c := (v(0))^-1;
  end if;
elsif m = 0 then
  if u(0) = 0 then z := v; b := 0; c := 1;
  else z := 1; b := (u(0))^-1;
  end if;
else
  while t > 0 loop
    if m < t then swap(u, v); swap(m, t); swap(b, d); swap(c, e); end if;
    q := u(m)*(v(t))^-1*x^(m - t);
    r := u - v*q; bb := b - d*q; cc := c - e*q;
    u := v; v := r; b := d; c := e; d := bb; e := cc;
    m := t; t := degree(v);
  end loop;
  if v(0) = 0 then z := u;
  else z := 1; b := d*(v(0))^-1; c := e*(v(0))^-1;
  end if;
end if;
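Algorithm 1.2 worked in Python as an added illustration (not the book's own code): polynomials over Zp as coefficient lists, a complete division per iteration in place of the one-term quotient and swap above, and the gcd normalized to a monic polynomial as Definitions 1.19 require; the same routine then yields inverses modulo an irreducible f(x), the construction behind Properties 1.7. Function names are this example's own; the polynomials of Example 1.9 serve as test input.

```python
"""Polynomials over Z_p as coefficient lists [c0, c1, ..., cn] (lowest
degree first, no trailing zeros; the zero polynomial is []).
Added illustration of Algorithm 1.2; the names are this example's own."""


def trim(a):
    """Remove trailing zero coefficients in place and return the list."""
    while a and a[-1] == 0:
        a.pop()
    return a


def degree(a):
    return len(a) - 1                # -1 plays the role of deg(0) = -inf


def padd(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def psub(a, b, p):
    return padd(a, [(-y) % p for y in b], p)


def pmul(a, b, p):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)


def pdivmod(g, h, p):
    """Quotient q and remainder r with g = q*h + r, deg(r) < deg(h)
    (Definition 1.18).  Each pass is the decomposition of Eq. (1.4):
    subtract u_m * (v_t)^-1 * x^(m-t) * v(x) to cancel the leading term."""
    g, q = trim(list(g)), []
    inv_lead = pow(h[-1], -1, p)     # leading coefficient is invertible in Z_p
    while degree(g) >= degree(h):
        m, t = degree(g), degree(h)
        term = [0] * (m - t) + [(g[m] * inv_lead) % p]
        q = padd(q, term, p)
        g = psub(g, pmul(term, h, p), p)
    return q, g


def ext_gcd(g, h, p):
    """Algorithm 1.2 with a full division per step: returns (z, b, c) with
    z = gcd(g, h) = b*g + c*h, z made monic.  u, v play r(i-1), r(i);
    (b, c) and (d, e) are their Bezout pairs, (bb, cc) the next pair."""
    u, v = trim(list(g)), trim(list(h))
    b, c, d, e = [1], [], [], [1]    # u = 1*g + 0*h,  v = 0*g + 1*h
    while v:                         # until r(i) is the zero polynomial
        q, r = pdivmod(u, v, p)
        bb, cc = psub(b, pmul(d, q, p), p), psub(c, pmul(e, q, p), p)
        u, v, b, c, d, e = v, r, d, e, bb, cc
    if not u:
        return [], [], []            # gcd(0, 0) = 0 (Definitions 1.19)
    inv_lead = pow(u[-1], -1, p)

    def scale(a):
        return trim([(x * inv_lead) % p for x in a])

    return scale(u), scale(b), scale(c)


def inverse_mod(a, f, p):
    """a(x)^-1 in Z_p[x]/f(x) (proof of Properties 1.7); None if gcd != 1."""
    z, _, c = ext_gcd(f, a, p)       # z = b*f + c*a, so c*a = z (mod f)
    if z != [1]:
        return None
    return pdivmod(c, f, p)[1]
```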

1.2.5 Congruences of Polynomials

Definition 1.20 Given three polynomials g (x), h(x), and f (x) in F[x], g (x) is congruent to h(x) modulo f (x) if f (x) divides g (x) − h(x). Notation: g (x) ≡ h(x) (mod f (x))

Properties 1.6 (properties of congruences)
1. g(x) ≡ h(x) (mod f(x)) if and only if (g(x) mod f(x)) = (h(x) mod f(x)) (Definition 1.15).
2. The relation g(x) ≡ h(x) (mod f(x)) is an equivalence relation (reflexive, symmetric, and transitive).
3. If g1(x) ≡ h1(x) (mod f(x)) and g2(x) ≡ h2(x) (mod f(x)), then

g1(x) + g2(x) ≡ h1(x) + h2(x) (mod f(x)),
g1(x) − g2(x) ≡ h1(x) − h2(x) (mod f(x)),   (1.5)
g1(x)g2(x) ≡ h1(x)h2(x) (mod f(x))

From Properties 1.6(1 and 2) it can be seen that the congruence relation partitions F[x] into equivalence classes. If n is the degree of f(x), then each equivalence class contains exactly one polynomial of degree d < n. So, if F is a finite field, then the number of equivalence classes is equal to $|F|^n$, where |F| is the number of elements in F. Furthermore, according to Property 1.6(3), the addition, subtraction, and multiplication of congruence classes can be defined. As a matter of fact the set of equivalence classes is isomorphic to {g(x) ∈ F[x] | deg(g) < n} where the addition, the subtraction, and the multiplication are defined by

(g(x) + h(x)) mod f(x), (g(x) − h(x)) mod f(x), (g(x)h(x)) mod f(x)

The set of equivalence classes is denoted by F[x]/f(x).

Properties 1.7
1. F[x]/f(x) is a commutative ring.
2. If f(x) is irreducible, then F[x]/f(x) is a field.

Proofs
1. Consequence of Property 1.6(3).
2. If f(x) is irreducible, then the greatest common divisor of f(x) and g(x) ≠ 0 is 1. Using the Euclidean algorithm, b(x) and c(x) can be computed such that 1 = b(x)f(x) + c(x)g(x) and $c(x) = (g(x))^{-1} \bmod f(x)$.

Example 1.10 Let $f(x) = x^3 + x + 1 \in Z_2[x]$. From the irreducibility of f(x) over Z2, it follows that Z2[x]/f(x) is a field. In this case Zp = Z2, and the field Z2[x]/f(x) has the $p^n = 2^3$ elements (residue classes) [0], [1], [x], [x^2], [x + 1], [x^2 + 1], [x^2 + x], [x^2 + x + 1]. The addition and multiplication tables are obtained by performing the required operations and by carrying out reduction mod f(x) if necessary (Table 1.2):

Entries are the residue classes [·]; the brackets are omitted for readability.

    +     |    0       1       x      x^2     x+1    x^2+1   x^2+x  x^2+x+1
----------+----------------------------------------------------------------
    0     |    0       1       x      x^2     x+1    x^2+1   x^2+x  x^2+x+1
    1     |    1       0      x+1    x^2+1     x      x^2   x^2+x+1  x^2+x
    x     |    x      x+1      0     x^2+x     1    x^2+x+1   x^2    x^2+1
   x^2    |   x^2    x^2+1   x^2+x     0    x^2+x+1    1       x      x+1
   x+1    |   x+1      x       1    x^2+x+1    0     x^2+x   x^2+1    x^2
  x^2+1   |  x^2+1    x^2   x^2+x+1    1     x^2+x     0      x+1      x
  x^2+x   |  x^2+x  x^2+x+1   x^2      x     x^2+1    x+1      0       1
 x^2+x+1  | x^2+x+1  x^2+x   x^2+1    x+1     x^2      x       1       0

    ⋅     |    0       1       x      x^2     x+1    x^2+1   x^2+x  x^2+x+1
----------+----------------------------------------------------------------
    0     |    0       0       0       0       0       0       0       0
    1     |    0       1       x      x^2     x+1    x^2+1   x^2+x  x^2+x+1
    x     |    0       x      x^2     x+1    x^2+x     1    x^2+x+1  x^2+1
   x^2    |    0      x^2     x+1    x^2+x  x^2+x+1    x     x^2+1     1
   x+1    |    0      x+1    x^2+x  x^2+x+1  x^2+1    x^2      1       x
  x^2+1   |    0     x^2+1     1       x      x^2   x^2+x+1   x+1    x^2+x
  x^2+x   |    0     x^2+x  x^2+x+1  x^2+1     1      x+1      x      x^2
 x^2+x+1  |    0    x^2+x+1  x^2+1     1       x     x^2+x    x^2     x+1

TABLE 1.2 Addition and Multiplication over Z2[x]/f(x)

1.3 Finite Fields

1.3.1 Basic Properties

A finite field is a field F which contains a finite number of elements. The order of a finite field F is the number of elements in F.

Definition 1.21 Let p be a prime, F = Zp, and f(x) an irreducible polynomial of degree n over Zp. The corresponding field F[x]/f(x) contains $q = p^n$ elements and is called either $F_q$ or GF(q) (Galois field).

Two fields are isomorphic if they have the same structure, although the representation of their elements may be different. It can be demonstrated that any finite field contains $q = p^n$ elements, for some prime p and some positive integer n, and is isomorphic to $F_q$ (whatever the irreducible polynomial f(x) of degree n over Zp). In particular, if n = 1, then the corresponding field $F_p$ is isomorphic to Zp. The finite field $F_p$ can henceforth be identified with Zp.

If $F_q$ is a finite field of order $q = p^n$, with p a prime, then the characteristic of $F_q$ is p. Furthermore, $F_q$ contains a copy of Zp as a subfield. Therefore, $F_q$ can be considered as an extension field of Zp of degree n. The set of zero-degree polynomials (the constants) is a subfield of $F_q$ isomorphic to $F_p$. If g(x) is a zero-degree polynomial (an element of $F_p$) then, according to Fermat's little theorem, $(g(x))^p = g(x)$. Conversely, it can be demonstrated that if a polynomial g(x) satisfies the condition $(g(x))^p = g(x)$, then g(x) is a constant.

Another interesting property of $F_q$ is that the set $F_q^*$ of nonzero polynomials is a cyclic group. Let g(x) be a nonzero polynomial, that is, an element of $F_q^*$, and assume that the order of g(x) is t. According to Properties 1.6, t divides q − 1, so that $(g(x))^{q-1} = (g(x))^{tk} = 1^k = 1$. Consider now a polynomial g(x) and define $h(x) = (g(x))^r$ where r = (q − 1)/(p − 1). According to the previous property, $(h(x))^{p-1} = (g(x))^{q-1} = 1$ and $(h(x))^p = h(x)$, so that h(x) is a constant polynomial.

A last property, useful for performing arithmetic operations, is that $(g(x) + h(x))^p = (g(x))^p + (h(x))^p$. It is a straightforward consequence of the fact that all the binomial coefficients p!/(i!(p − i)!) are multiples of p, except for i = 0 or p.

To summarize:

Properties 1.8 (some useful properties of finite fields)
1. The set of zero-degree polynomials in $F_q$ is a subfield of $F_q$ isomorphic to $F_p$.
2. Given g(x) in $F_q$ such that $(g(x))^p = g(x)$, then $g(x) \in F_p$.
3. The set of nonzero polynomials of $F_q$ is a cyclic group denoted by $F_q^*$.
4. Given g(x) in $F_q$, then $(g(x))^q = g(x)$ (Fermat's little theorem).
5. Given g(x) and h(x) in $F_q$, then $(g(x) + h(x))^{p^s} = (g(x))^{p^s} + (h(x))^{p^s}$, for all s ≥ 0.
6. If $r = (p^n - 1)/(p - 1)$, that is, $r = 1 + p + p^2 + \cdots + p^{n-1}$, and g(x) is an element of $F_q$, then $(g(x))^r$ is an element of $F_p$.

Example 1.11 p = 2, n = 4, $f(x) = 1 + x + x^4$ so that $x^4 \equiv 1 + x \bmod f(x)$; α = x is a generator of the cyclic group $F_{16}^*$:

$\alpha^1 = x$
$\alpha^2 = x^2$
$\alpha^3 = x^3$
$\alpha^4 = x^4 \equiv 1 + x$
$\alpha^5 = x(1 + x) = x + x^2$
$\alpha^6 = x(x + x^2) = x^2 + x^3$
$\alpha^7 = x(x^2 + x^3) = x^3 + x^4 \equiv 1 + x + x^3$
$\alpha^8 = (\alpha^4)^2 = (1 + x)^2 = 1 + x^2$
$\alpha^9 = x(1 + x^2) = x + x^3$
$\alpha^{10} = x(x + x^3) = x^2 + x^4 \equiv 1 + x + x^2$
$\alpha^{11} = x(1 + x + x^2) = x + x^2 + x^3$
$\alpha^{12} = x(x + x^2 + x^3) = x^2 + x^3 + x^4 \equiv 1 + x + x^2 + x^3$
$\alpha^{13} = x(1 + x + x^2 + x^3) = x + x^2 + x^3 + x^4 \equiv 1 + x^2 + x^3$
$\alpha^{14} = x(1 + x^2 + x^3) = x + x^3 + x^4 \equiv 1 + x^3$
$\alpha^{15} = x(1 + x^3) = x + x^4 \equiv 1$

Given a polynomial $g(x) = g_0 + g_1 x + g_2 x^2 + g_3 x^3$, then

$(g(x))^2 = g_0 + g_1 x^2 + g_2 x^4 + g_3 x^6 \equiv g_0 + g_1 x^2 + g_2(1 + x) + g_3 x^2(1 + x) = (g_0 + g_2) + g_2 x + (g_1 + g_3) x^2 + g_3 x^3$

If $(g(x))^2 = g(x)$, then $g_0 + g_2 = g_0$, $g_2 = g_1$, $g_1 + g_3 = g_2$; thus $g_1 = g_2 = g_3 = 0$ and $g(x) = g_0$, that is, an element of $F_p$ (Property 1.8(3)).

1.3.2 Field Extensions

Definition 1.22 Let E be a subfield of the field F and M any subset of F. Then the field E(M) is defined as the intersection of all subfields of F containing both E and M and is called the extension field of E obtained by adjoining the elements in M. For a finite subset M = {θ1, . . . , θn}, E(M) = E(θ1, . . . , θn). If M consists of a single element θ ∈ F, then L = E(θ) is said to be a simple extension of E and θ is a defining element of L over E.

Definition 1.23 Let E be a subfield of F and θ ∈ F. If θ satisfies a nontrivial polynomial equation with coefficients in E, that is, if $a_0 + a_1\theta + \cdots + a_n\theta^n = 0$ with $a_i \in E$ not all being 0, then θ is said to be algebraic over E. An extension L of E is called an algebraic extension of E if every element of L is algebraic over E.

Definition 1.24 If θ ∈ F is algebraic over E, then the uniquely determined monic polynomial f ∈ E[x] generating the ideal J = {g ∈ E[x] : g(θ) = 0} of E[x] is called the minimal (or irreducible, or defining) polynomial of θ over E. The degree of θ over E means the degree of f.

An extension field L of E may be viewed as a vector space over E. L forms an abelian group under addition. Furthermore, each "vector" α in L can be multiplied by a "scalar" k in E so that kα is in L and the laws for multiplication by scalars are satisfied: (k + r)α = kα + rα, k(α + β) = kα + kβ, (kr)α = k(rα) and 1α = α, where α, β ∈ L and k, r ∈ E [LN94].

Definition 1.25 Let L be an extension field of E. If L, considered as a vector space over E, is finite-dimensional, then L is called a finite extension of E. The dimension of the vector space L over E is called the degree of L over E, and it is represented as [L:E].

Given a simple extension E(θ) of E obtained by adjoining an algebraic element θ, it can be observed that if F is an extension of E and if θ ∈ F is algebraic over E, then E(θ) is an algebraic and finite extension of E. Furthermore, E(θ) is isomorphic to E[x]/f if θ ∈ F is algebraic of degree n over E and f is the minimal polynomial of θ over E. It can also be proven that the elements of the simple algebraic extension E(θ) of E are polynomial expressions in θ, and that any element of E(θ) can be uniquely represented in the form $a_0 + a_1\theta + \cdots + a_{n-1}\theta^{n-1}$ with $a_i \in E$ for 0 ≤ i ≤ n − 1, where n = [E(θ):E] and $\{1, \theta, \theta^2, \ldots, \theta^{n-1}\}$ is a basis of E(θ) over E.

Theorem 1.1 Let f ∈ E[x] be irreducible over the field E. Then there exists a simple algebraic extension of E with a root of f as a defining element.

Following is an example of root adjunction.

Example 1.12 Let $f(x) = x^2 + x + 2 \in F_3[x]$, which is irreducible over $F_3$, and let θ be a root of f. It can be proven that the other root of f in L = $F_3[x]/f$ is 2θ + 2, since $f(2\theta + 2) = (2\theta + 2)^2 + (2\theta + 2) + 2 = \theta^2 + \theta + 2 = 0$. Therefore, the simple algebraic extension L = $F_3(\theta)$ consists of the following nine elements: {0, 1, 2, θ, θ + 1, θ + 2, 2θ, 2θ + 1, 2θ + 2}.

It must be noted that in Example 1.12 we may adjoin either the root θ or the root 2θ + 2 of f, and the same field would be obtained. This fact is covered as follows. Let α and β be two roots of the polynomial f ∈ E[x] that is irreducible over E. Then E(α) and E(β) are isomorphic under an isomorphism mapping α to β and keeping the elements of E fixed.

1.3.3 Roots of Irreducible Polynomials

As described previously, starting from the prime fields $F_p$, other finite fields can be constructed by the process of root adjunction. If $f \in F_p[x]$ is an irreducible polynomial over $F_p$ of degree n, then a finite field with $p^n$ elements can be obtained by adjoining a root of f to $F_p$. Furthermore, for every prime p and every positive integer n there exists a finite field with $p^n$ elements, and therefore we can speak of the finite field (or the Galois field) with $q = p^n$ elements, or of the finite field of order q. This field is denoted by $F_q$ or GF(q), where q is a power of the prime characteristic p of $F_q$.

Theorem 1.2 If f is an irreducible polynomial in $F_q[x]$ of degree m, then f has a root α in $F_{q^m}$. Furthermore, all the roots of f are simple and are given by the m distinct elements $\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}$ of $F_{q^m}$.

Let $F_{q^m}$ be an extension of $F_q$ and let $\alpha \in F_{q^m}$. Then the elements $\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}$ are called the conjugates of α with respect to $F_q$; they are distinct if and only if the minimal polynomial of α over $F_q$ has degree m. It can also be proven that if α is a primitive element of $F_q$, then so are all its conjugates with respect to any subfield of $F_q$.

Example 1.13 Let $\alpha \in F_{2^4} = F_{16}$ be a root of $f(x) = x^4 + x + 1 \in F_2[x]$. The conjugates of α with respect to $F_2$ are $\alpha$, $\alpha^2$, $\alpha^4 = \alpha + 1$, and $\alpha^8 = \alpha^2 + 1$, where each of them is a primitive element of $F_{16}$.

1.3.4 Bases of Finite Fields

Considering a finite extension $F = F_{q^m}$ of the finite field $E = F_q$ as a vector space over E, then F has dimension m over E. Moreover, if $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ is a basis of F over E, then each element α in F can be uniquely represented by $\alpha = a_1\alpha_1 + a_2\alpha_2 + \cdots + a_m\alpha_m$, with $a_i \in E$ for 1 ≤ i ≤ m.

Definition 1.26 If $\alpha \in F = F_{q^m}$ and $E = F_q$, then the trace of α over E is defined by

$\mathrm{Tr}(\alpha) = \alpha + \alpha^q + \cdots + \alpha^{q^{m-1}}$   (1.6)

It must be noted that the trace of α over E is the sum of the conjugates of α with respect to E. Furthermore, Tr(α) is an element of E. Let $F = F_{q^m}$ and $E = F_q$. Then the trace function satisfies the following properties:

Properties 1.9
1. Tr(α + β) = Tr(α) + Tr(β), for all α, β ∈ F.
2. Tr(aα) = a Tr(α), for all a ∈ E, α ∈ F.
3. The trace is a linear transformation from F onto E, where F and E are viewed as vector spaces over E.
4. Tr(a) = ma, for all a ∈ E.
5. $\mathrm{Tr}(\alpha^q) = \mathrm{Tr}(\alpha)$, for all α ∈ F.

The important definition of duality is given in the following.

Definition 1.27 Let E be a finite field and F a finite extension of E. Then two bases $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ of F over E are said to be dual bases if

$\mathrm{Tr}(\alpha_i \beta_j) = \begin{cases} 1, & \text{if } i = j \\ 0, & \text{if } i \ne j \end{cases}$   (1.7)

where 1 ≤ i, j ≤ m.

There exist many distinct bases of F over E, but there are two types of bases particularly important. The first is a polynomial basis $\{1, \alpha, \alpha^2, \ldots, \alpha^{m-1}\}$, made up of the powers of a defining element α of F over E, where α is often taken to be a primitive element of F. The other type of important basis is a normal basis, defined by a suitable element of F.

By an E-automorphism of F (or an automorphism of F over E) we mean an automorphism of $F = F_{q^m} = GF(q^m)$ that fixes the elements of $E = F_q = GF(q)$. The set of the E-automorphisms of F is a group, named the Galois group of F over E, generated by the Frobenius automorphism $\varphi(\alpha) = \alpha^q$, for α ∈ F, and made up of the m distinct elements $G_0, G_1, \ldots, G_{m-1}$ defined as follows:

$G_i : F \to F, \quad \alpha \mapsto \alpha^{q^i} = \alpha G_i, \quad \alpha \in F$   (1.8)

where $G_i = G_1^i$ and $G_1^m = G_1^0 = G_0 = I$ (identity automorphism). Then, a basis $\{\beta_0, \beta_1, \ldots, \beta_{m-1}\}$ is a normal basis for F over E if $\beta_i = \alpha G_i$ for some element α ∈ F. Therefore, the set $\{\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}\}$, where α is a suitable element of F, will be a normal basis if the m elements are linearly independent, and α will be the generator or normal element of the normal basis.

Definition 1.28 Let $F = F_{q^m}$ and $E = F_q$. Then a basis of F over E of the form $\{\alpha, \alpha^q, \alpha^{q^2}, \ldots, \alpha^{q^{m-1}}\}$, consisting of a suitable element α ∈ F and its conjugates with respect to E, is called a normal basis of F over E.

Example 1.14 Let $\alpha \in F_{2^3} = F_8$ be a root of the irreducible polynomial $f(x) = x^3 + x^2 + 1 \in F_2[x]$. Then the basis $\{\alpha, \alpha^2, \alpha^4 = \alpha^2 + \alpha + 1\}$ is a normal basis of $F_8$ over $F_2$, because $\alpha^4 = \alpha\alpha^3 = \alpha(\alpha^2 + 1) = \alpha^3 + \alpha = \alpha^2 + \alpha + 1$.

1.3.5 Finite Fields GF(2^m)

Finite fields $GF(2^m) = F_{2^m}$ are extension fields of GF(2) = F2 = Z2. Finite fields of order $2^m$ are characteristic 2 finite fields, also known as binary extension fields. Binary fields $GF(2^m)$ have fundamental interest due to their wide number of technical applications, such as algebraic codes, cryptographic schemes, random number generators, digital signal processing or VLSI testing. The elements of the finite field $GF(2^m)$ are the polynomials $\{0, 1, \alpha, \alpha + 1, \alpha^2, \alpha^2 + 1, \ldots, \alpha^{m-1} + \alpha^{m-2} + \cdots + \alpha + 1\}$, where α is a root of an irreducible polynomial f(x) over GF(2), f(α) = 0, and where the polynomial coefficients are in GF(2) = {0, 1}.

Example 1.15 Let $\alpha \in GF(2^4) = F_{2^4}$ be a root of the irreducible polynomial $f(x) = x^4 + x^3 + 1 \in GF(2)[x]$. Then the elements of $GF(2^4)$ represented in the polynomial basis $\{\alpha^3, \alpha^2, \alpha, 1\}$ are given in Table 1.3.

All the concepts studied in previous subsections can be easily adapted to this particular case of $GF(2^m)$.

Elements in GF(2^4)   Polynomial                 Coordinates
0                     0                          (0,0,0,0)
α                     α                          (0,0,1,0)
α^2                   α^2                        (0,1,0,0)
α^3                   α^3                        (1,0,0,0)
α^4                   α^3 + 1                    (1,0,0,1)
α^5                   α^3 + α + 1                (1,0,1,1)
α^6                   α^3 + α^2 + α + 1          (1,1,1,1)
α^7                   α^2 + α + 1                (0,1,1,1)
α^8                   α^3 + α^2 + α              (1,1,1,0)
α^9                   α^2 + 1                    (0,1,0,1)
α^10                  α^3 + α                    (1,0,1,0)
α^11                  α^3 + α^2 + 1              (1,1,0,1)
α^12                  α + 1                      (0,0,1,1)
α^13                  α^2 + α                    (0,1,1,0)
α^14                  α^3 + α^2                  (1,1,0,0)
α^15                  1                          (0,0,0,1)

TABLE 1.3 Representation of Elements of GF(2^4) in the Polynomial Basis {α^3, α^2, α, 1}
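GF(2^m) arithmetic on the bit-vector representation of Table 1.3, added here as an illustration (not the book's code) that reproduces Examples 1.11 and 1.15 (powers of α), Example 1.13 (conjugates), the trace of Definition 1.26, and the normal-basis test of Definition 1.28 and Example 1.14. Function names are this example's own; an irreducible polynomial is passed as an integer with bit m set.

```python
"""GF(2^m) with elements as m-bit integers (bit i = coefficient of α^i),
the representation tabulated in Table 1.3.  Added illustration; the
function names are this example's own, not the book's."""


def gf2m_mul(a, b, f, m):
    """a*b mod f(x) in GF(2^m); f is the irreducible polynomial as an
    integer with bit m set, e.g. x^4 + x + 1 -> 0b10011."""
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a << i                  # carry-less multiplication
    for i in range(2 * m - 2, m - 1, -1):
        if (r >> i) & 1:
            r ^= f << (i - m)            # replace x^i by the lower terms of f
    return r


def gf2m_pow(a, e, f, m):
    """Square-and-multiply exponentiation."""
    result, base = 1, a
    while e:
        if e & 1:
            result = gf2m_mul(result, base, f, m)
        base = gf2m_mul(base, base, f, m)
        e >>= 1
    return result


def powers_of_alpha(f, m):
    """[α^1, ..., α^(2^m - 1)] with α = x (value 0b10); it lists every
    nonzero element exactly once iff α generates GF(2^m)*."""
    out, cur = [], 1
    for _ in range(2 ** m - 1):
        cur = gf2m_mul(cur, 0b10, f, m)
        out.append(cur)
    return out


def conjugates(a, f, m):
    """a, a^2, a^4, ..., a^(2^(m-1)): the images of a under the
    Frobenius automorphism (Theorem 1.2)."""
    out, cur = [], a
    for _ in range(m):
        out.append(cur)
        cur = gf2m_mul(cur, cur, f, m)
    return out


def trace(a, f, m):
    """Tr(a) = sum of the conjugates (Eq. 1.6); lies in GF(2)."""
    t = 0
    for c in conjugates(a, f, m):
        t ^= c
    return t


def gf2_rank(vectors, m):
    """Rank over GF(2) of a list of m-bit vectors (Gaussian elimination)."""
    rows, rank = list(vectors), 0
    for bit in reversed(range(m)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def is_normal_element(a, f, m):
    """True iff {a, a^2, ..., a^(2^(m-1))} is linearly independent, i.e.
    a normal basis of GF(2^m) over GF(2) (Definition 1.28)."""
    return gf2_rank(conjugates(a, f, m), m) == m


def coordinates(a, m):
    """(a_{m-1}, ..., a_0), the Coordinates column of Table 1.3."""
    return tuple((a >> i) & 1 for i in reversed(range(m)))
```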

1.4 References

[Coh93] H. Cohen. A Course in Computational Algebraic Number Theory. Springer-Verlag, Berlin, 1993.
[Gar59] H. Garner. "The residue number system," IRE Transactions on Electronic Computers, EC-8, 1959, pp. 140–147.
[GG03] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, New York, 2003.
[GN03] W. J. Gilbert and W. K. Nicholson. Modern Algebra with Applications. John Wiley & Sons, New York, 2003.
[Her75] I. N. Herstein. Topics in Algebra. 2d ed. Xerox College Pub., Lexington, Massachusetts, 1975.
[Hun74] T. W. Hungerford. Algebra. Holt, Rinehart and Winston, New York, 1974.
[Kob94] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New York, 1994.
[LN83] R. Lidl and H. Niederreiter. Finite Fields. Addison-Wesley, Reading, Massachusetts, 1983.
[LN94] R. Lidl and H. Niederreiter. Introduction to Finite Fields and Their Applications. Cambridge University Press, New York, 1994.
[McC87] R. J. McEliece. Finite Fields for Computer Scientists and Engineers. Kluwer Academic Publishers, Boston, 1987.
[Men93] A. J. Menezes (ed). Applications of Finite Fields. Kluwer Academic, Boston-London-Dordrecht, 1993.
[MOV96] A. J. Menezes, P. C. van Oorschot, and S. C. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida, 1996.
[Ros92] K. H. Rosen. Elementary Number Theory and Its Applications. Addison-Wesley, Reading, Massachusetts, 1992.
[Ros00] K. H. Rosen (editor-in-chief). Handbook of Discrete and Combinatorial Mathematics. CRC Press, Boca Raton, 2000.


CHAPTER 2

mod m Reduction

Arithmetic operations over the finite ring Zm = {0, 1, . . . , m − 1} are used as computation primitives for executing numerous cryptographic algorithms, especially those related with the use of public keys (asymmetric cryptography). Classical examples are ciphering/deciphering, authentication, and digital signature protocols based on RSA-type or elliptic-curve algorithms. One of the basic operations is the modulo m reduction. Given two naturals x and m, it computes z = x mod m. Combined with operations over the set Z of integers (sum, subtraction, product, and so on), it allows one to perform the same operations over Zm. In this chapter several algorithms are described, namely, the integer division, the reduction mod $B^k - a$, the precomputation of $B^{ik} \bmod m$, and the Barrett algorithm. All the mentioned algorithms have been synthesized and implemented within field programmable components.

2.1 Integer Division

A straightforward method for computing z = x mod m consists in performing the integer division of x by m, that is, x = qm + z

z