## Software multiplication using Gaussian normal bases (2006)

Venue: IEEE Trans. Comput.

Citations: 6 (2 self)

### BibTeX

```bibtex
@ARTICLE{Dahab06softwaremultiplication,
  author  = {Ricardo Dahab and Darrel Hankerson and Men Long and Julio López and Alfred Menezes},
  title   = {Software multiplication using Gaussian normal bases},
  journal = {IEEE Trans. Comput},
  year    = {2006},
  volume  = {55},
  pages   = {974--984}
}
```

### Abstract

Fast algorithms for multiplication in finite fields are required for several cryptographic applications, in particular for implementing elliptic curve operations over binary fields $\mathbb{F}_{2^m}$. In this paper we present new software algorithms for efficient multiplication over $\mathbb{F}_{2^m}$ that use a Gaussian normal basis representation. Two approaches are presented: direct normal basis multiplication, and a method that exploits a mapping to a ring where fast polynomial-based techniques can be employed. Our analysis, including experimental results on an Intel Pentium family processor, shows that the new algorithms are faster and can use memory more efficiently than previous methods. Despite significant improvements, we conclude that the penalty in multiplication is still sufficiently large to discourage the use of normal bases in software implementations of elliptic curve systems.

Keywords: Multiplication in $\mathbb{F}_{2^m}$, Gaussian normal basis, elliptic curve cryptography.

### Citations

461 citations: Guide to Elliptic Curve Cryptography
- Hankerson, Menezes, et al.
- 2004
Citation context: ...table (followed by reduction). Experimentally, the ratio of multiplication to squaring costs (for polynomial basis representations) is estimated between 6.5 and 10 for $m \in \{163, 233, 283\}$ on a Pentium III [14]. In short, the 18 field squarings between point additions have cost below 3 multiplications in a polynomial basis. Point addition requires 8 multiplications (assuming mixed coordinates). Regardless o...

171 citations: Software implementation of elliptic curve cryptography over binary
- Hankerson, Hernandez, et al.
- 1965
Citation context: ... Further, the comparison against a polynomial-based multiplication is with a Montgomery-like method from [19]. However, the comparison of interest is against fast methods such as comb multiplication [21, 13] with a suitable reduction polynomial. We present improved algorithms with significantly faster times, although in contrast to [6] we will argue that the evidence is strongly in favor of polynomial-ba...

152 citations: Constructive and destructive facets of Weil descent on elliptic curves
- Gaudry, Hess, et al.
- 2002
Citation context: ...revision of ANSI X9.62 explicitly forbid the use of elliptic curves over $\mathbb{F}_{2^m}$ with $m$ composite due to concerns that discrete logarithm problems over such curves are vulnerable to Weil descent attacks [10, 23]. Although our focus is on prime $m$, the type 1 case provides a benchmark for methods with low-complexity bases. Ning and Yin [25] exploit the special form of the multiplication matrix in the type 1 ca...

142 citations: CM-curves with good cryptographic properties
- Koblitz
- 1991
Citation context: ...or software implementations? We consider two well-known examples in methods based on elliptic curves where operations in a normal basis appear to be especially attractive. The first is Koblitz curves [18, 29], where point doubles are replaced by field squaring operations which are especially fast in a normal basis representation. As a second example, elliptic curve point multiplication methods based on po...

89 citations: Efficient Arithmetic on Koblitz Curves
- Solinas
Citation context: ...or software implementations? We consider two well-known examples in methods based on elliptic curves where operations in a normal basis appear to be especially attractive. The first is Koblitz curves [18, 29], where point doubles are replaced by field squaring operations which are especially fast in a normal basis representation. As a second example, elliptic curve point multiplication methods based on po...

69 citations: Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA)
- ANSI X9.62
- 1999

63 citations: Computational Method and Apparatus for Finite Field Arithmetic
- Massey, Omura
- 1986

57 citations: Field inversion and point halving revisited
- Fong, Hankerson, et al.
Citation context: ...on the reduction polynomial. In the case of a pentanomial, the cost is estimated at $M/2$ provided that a small amount of per-field precomputation is done. The cost is significantly less for trinomials [8]. The quadratic $x^2 + x = c$ has a solution if and only if $\mathrm{Tr}(c) = 0$; if $x$ is a solution, then $x + 1$ is a solution. In a normal basis representation, the solution can be found bitwise. Efficient implement...

39 citations: Elliptic scalar multiplication using point halving
- Knudsen
- 1999
Citation context: ...n the desired representation. However, there are scenarios where multiple representations within the larger operation appear attractive. As an example, point multiplication methods via point halving [17, 28] require solutions for quadratic equations and square roots, operations which may be faster with a normal basis representation. Along with these operations is a field multiplication, where polynomial ...

36 citations: Montgomery multiplication
- Koç, Acar
- 1998
Citation context: ..., given other published results. As with [26], their reported timings are generally quite slow. Further, the comparison against a polynomial-based multiplication is with a Montgomery-like method from [19]. However, the comparison of interest is against fast methods such as comb multiplication [21, 13] with a suitable reduction polynomial. We present improved algorithms with significantly faster times,...

29 citations: An Efficient Optimal Normal Basis Type II Multiplier
- Sunar, Koç
- 2001
Citation context: ...nd are directly related to the methods in §4. For a type 1 basis, the conversion is a permutation. For type 2, there are two related approaches. The traditional approach, illustrated by Sunar and Koç [30], exploits basis conversion. The “palindromic representation” in Blake, Roth, and Seroussi [4] is a special case of the method in §4 and maps field elements into a larger ring where polynomial-based m...

26 citations: Low complexity normal bases
- Ash, Blake, et al.
- 1989
Citation context: ...l basis is said to be optimal if $C_M = 2m - 1$. A generalization of optimal normal bases to normal bases of low complexity, known as Gaussian normal bases (GNB), was studied by Ash, Blake, and Vanstone [3]. Let $p = mT + 1$ be a prime. Let $K = \langle u \rangle$ where $u \in \mathbb{Z}_p^*$ has order $T$. Suppose that the index $e$ of $\langle 2 \rangle$ in $\mathbb{Z}_p^*$ satisfies $\gcd(e, m) = 1$. Then $\mathbb{Z}_p^* = \{2^i u^j \mid 0 \le i < m,\ 0 \le j < T\}$, and $K_i = K 2^i$ for $0 \le i < m$ are the cos...

24 citations: Finite Field Multiplier Using Redundant Representation
- Wu, Hasan, et al.
- 2002
Citation context: ...for multiplication using a polynomial basis [21]. However, the improvements in normal basis multiplication in [25] (and natural generalizations) and a method based on results concerning Gauss periods [9, 33] suggest that the penalty may be much smaller than previously reported. We are interested in more precise estimates of the actual costs for field multiplication in a given basis, and the possibility o...

22 citations: Hardware and software normal basis arithmetic for pairing based cryptography in characteristic three
- Granger, Page, et al.
Citation context: ...mal normal bases and the development of a precomputation technique for speeding up the multiplication), Reyhani-Masoleh and Hasan [27] (for Gaussian normal bases), and recently Granger, Page and Stam [11] (for normal bases in $\mathbb{F}_{3^m}$). All methods known for binary field multiplication in software that use a normal basis representation are slow in comparison to the best methods for multiplication using a ...

21 citations: A New Representation of Elements of Finite Fields GF(2^m) Yielding Small Complexity Arithmetic Circuits
- Drolet
- 1998
Citation context: ... the method in §4 and maps field elements into a larger ring where polynomial-based multiplication can be employed. This type of strategy where a mapping to a ring is exploited also appears in Drolet [5] and Katti and Brennan [16]. For an application to (hardware) exponentiation, see Kwon, Kim, and Hong [20]. The general method for Gaussian bases of mapping into an associated ring is described by G...

21 citations: Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree
- Maurer, Menezes, et al.
Citation context: ...revision of ANSI X9.62 explicitly forbid the use of elliptic curves over $\mathbb{F}_{2^m}$ with $m$ composite due to concerns that discrete logarithm problems over such curves are vulnerable to Weil descent attacks [10, 23]. Although our focus is on prime $m$, the type 1 case provides a benchmark for methods with low-complexity bases. Ning and Yin [25] exploit the special form of the multiplication matrix in the type 1 ca...

17 citations: Optimal Normal Bases in GF(p^n)
- Mullin, Wilson
- 1989
Citation context: ...$_{m-1})$ be two elements in $\mathbb{F}_{2^m}$ represented in this normal basis. Let $C = (c_0 c_1 \ldots c_{m-1})$ be their product. Let $\beta^{2^i} \beta^{2^j} = \sum_{s=0}^{m-1} \lambda^{(s)}_{ij} \beta^{2^s}$, where $\lambda^{(s)}_{ij} \in \mathbb{F}_2$. Then $c_s = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} a_{i+s} b_{j+s} \lambda^{(0)}_{ij}$ [24]. Thus, multiplication in $\mathbb{F}_{2^m}$ can be carried out using the multiplication matrix $M = [\lambda^{(0)}_{ij}]$. The complexity of $M$, denoted by $C_M$, is defined to be the number of 1s in $M$. It is well known that $C_M \ge 2m -$...

16 citations: Algorithms for exponentiation in finite fields
- Gao, Gathen, et al.
Citation context: ...for multiplication using a polynomial basis [21]. However, the improvements in normal basis multiplication in [25] (and natural generalizations) and a method based on results concerning Gauss periods [9, 33] suggest that the penalty may be much smaller than previously reported. We are interested in more precise estimates of the actual costs for field multiplication in a given basis, and the possibility o...

16 citations: Efficient Software Implementation for Finite Field Multiplication in 32 Basis
- Ning, Yin
- 2001
Citation context: ...n normal basis arithmetic have focused on hardware implementation. Our focus is software implementation. Previous work on software multiplication for normal basis representations include Ning and Yin [25] (for optimal normal bases and the development of a precomputation technique for speeding up the multiplication), Reyhani-Masoleh and Hasan [27] (for Gaussian normal bases), and recently Granger, Page...

15 citations: Fast normal basis multiplication using general purpose processors
- Reyhani-Masoleh, Hasan
Citation context: ...n for normal basis representations include Ning and Yin [25] (for optimal normal bases and the development of a precomputation technique for speeding up the multiplication), Reyhani-Masoleh and Hasan [27] (for Gaussian normal bases), and recently Granger, Page and Stam [11] (for normal bases in $\mathbb{F}_{3^m}$). All methods known for binary field multiplication in software that use a normal basis representation ...

14 citations: High-Speed Software Multiplication in $\mathbb{F}_{2^m}$
- López, Dahab
- 2000
Citation context: ...s in $\mathbb{F}_{3^m}$). All methods known for binary field multiplication in software that use a normal basis representation are slow in comparison to the best methods for multiplication using a polynomial basis [21]. However, the improvements in normal basis multiplication in [25] (and natural generalizations) and a method based on results concerning Gauss periods [9, 33] suggest that the penalty may be much sma...

11 citations: On the number of trace-one elements in polynomial bases for $\mathbb{F}_{2^n}$. Des
- Ahmadi, Menezes
- 2005
Citation context: ... that the target platform has a $W$-bit architecture where $W$ is the word-size (in bits). Let $t_W = \lceil m/W \rceil$, and let $s = W t_W - m$; then $a = (a_0, a_1, \ldots, a_{m-1})$ can be stored in an array of $t_W$ $W$-bit words, $A = (A[0], A[1], \ldots, A[t_W - 1])$, where the leftmost bit of $A[0]$ is $a_0$ and the rightmost $s$ bits of $A[t_W - 1]$ are unused. Ning and Yin [25] introduced a method for accelerating a software implementation of optimal normal...

11 citations: Low Complexity Multiplication in a Finite Field Using Ring Representation
- Katti, Brennan
- 2003
Citation context: ... field elements into a larger ring where polynomial-based multiplication can be employed. This type of strategy where a mapping to a ring is exploited also appears in Drolet [5] and Katti and Brennan [16]. For an application to (hardware) exponentiation, see Kwon, Kim, and Hong [20]. The general method for Gaussian bases of mapping into an associated ring is described by Gao, von zur Gathen, Panario...

6 citations: Efficient algorithms and architectures for field multiplication using Gaussian normal bases
- Reyhani-Masoleh
- 2006

6 citations: Polynomial and normal bases for finite fields
- von zur Gathen, Nöcker
- 2005
Citation context: ...Gathen, Panario, and Shoup [9]; see also Wu, Hasan, Blake, and Gao [33]. The focus in the former is asymptotic complexity results, while the latter concentrates on hardware. Von zur Gathen and Nöcker [32] examine exponentiation with polynomial and normal bases representations and provide experimental results. The data and conclusions presented are compatible with our results, although their primary in...

5 citations: Two Software Normal Basis Multiplication Algorithms for GF(2^n)
- Fan, Dai
- 2004
Citation context: ...Hasan [27], although the faster algorithm has significantly larger data-dependent storage requirements. During the development of our paper, independent work from Reyhani-Masoleh [26] and Fan and Dai [6] appeared. These papers and our paper contribute algorithms addressing normal basis arithmetic in software implementations; however, the specific approaches and conclusions are surprisingly different....

2 citations: Efficient arithmetic in GF(2^n) through palindromic representation
- Blake, Roth, et al.
- 1998
Citation context: ...on. For type 2, there are two related approaches. The traditional approach, illustrated by Sunar and Koç [30], exploits basis conversion. The “palindromic representation” in Blake, Roth, and Seroussi [4] is a special case of the method in §4 and maps field elements into a larger ring where polynomial-based multiplication can be employed. This type of strategy where a mapping to a ring is exploited al...

2 citations: Simple multiplication algorithm for a class of GF(2^n)
- Haining
- 1996
Citation context: ...per independently noted that the matrix decomposition of Hasan, Wang, and Bhargava [15] can be adapted to significantly improve on Ning and Yin [25]; in [6] this is called the “Hamming weight method” [12]. In particular, the analysis in [6] concludes that the decomposition is only beneficial for fields of sufficient size (roughly $2^{260}$ elements). We show that in fact the decomposition can be efficient...

2 citations: A modified Massey-Omura parallel multiplier for a class of finite fields
- Hasan, Wang, et al.
- 1993
Citation context: ...optimal normal bases. In the particular case of a type 1 optimal normal basis, Fan and Dai and the authors of this paper independently noted that the matrix decomposition of Hasan, Wang, and Bhargava [15] can be adapted to significantly improve on Ning and Yin [25]; in [6] this is called the “Hamming weight method” [12]. In particular, the analysis in [6] concludes that the decomposition is only benef...

2 citations: Efficient exponentiation for a class of finite fields GF(2^n) determined by Gauss periods
- Kwon, Kim, et al.
Citation context: ... employed. This type of strategy where a mapping to a ring is exploited also appears in Drolet [5] and Katti and Brennan [16]. For an application to (hardware) exponentiation, see Kwon, Kim, and Hong [20]. The general method for Gaussian bases of mapping into an associated ring is described by Gao, von zur Gathen, Panario, and Shoup [9]; see also Wu, Hasan, Blake, and Gao [33]. The focus in the form...

2 citations: Elliptic curves: Twice as fast
- Schroeppel
- 2000
Citation context: ...n the desired representation. However, there are scenarios where multiple representations within the larger operation appear attractive. As an example, point multiplication methods via point halving [17, 28] require solutions for quadratic equations and square roots, operations which may be faster with a normal basis representation. Along with these operations is a field multiplication, where polynomial ...

2 citations: Design of an elliptic curve processor over GF(2^163)
- Trujillo, Velasco, et al.
Citation context: ...re “$\odot$” denotes the bitwise AND operation, “$\oplus$” denotes the bitwise XOR operation, and $S_B(i) = \bigoplus_{k=1}^{n_i} B_{w_{ik}}$. Algorithm 2 is derived from this formula. For a hardware implementation of this method see [31]. Algorithm 2 (Conventional vector-level GNB multiplication). INPUT: $A, B \in \mathbb{F}_{2^m}$, $w_{ik} \in [0, m-1]$, $1 \le i \le m-1$, $1 \le k \le T$. OUTPUT: $C = AB$. 1. $C \leftarrow A \odot B_1$, $L_A \leftarrow A$. 2. For $i$ from 1 to $m-1$ do: 2.1 $L_A \leftarrow L_A \ll 1$, ...