Study of Extended Euclidean and Itoh-Tsujii Algorithms in GF (2m) using polynomial bases by Fan Zhou B.Eng., Zhejiang University, 2013 A Report Submitted in Partial Fulfillment of the Requirements for the Degree of MASTER OF ENGINEERING in the Department of Electrical and Computer Engineering c Fan Zhou, 2018 University of Victoria All rights reserved. This report may not be reproduced in whole or in part, by photocopying or other means, without the permission of the author. ii Study of Extended Euclidean and Itoh-Tsujii Algorithms in GF (2m) using polynomial bases by Fan Zhou B.Eng., Zhejiang University, 2013 Supervisory Committee Dr. Fayez Gebali, Supervisor (Department of Electrical and Computer Engineering) Dr. Watheq El-Kharashi, Departmental Member (Department of Electrical and Computer Engineering) iii ABSTRACT Finite field arithmetic is important for the field of information security. The inversion operation consumes most of the time and resources among all finite field arithmetic operations. In this report, two main classes of algorithms for inversion are studied. The first class of inverters is Extended Euclidean based inverters. Extended Euclidean Algorithm is an extension of Euclidean algorithm that computes the greatest common divisor. The other class of inverters is based on Fermat's little theorem. This class of inverters is also called multiplicative based inverters, because, in these algorithms, the inversion is performed by a sequence of multiplication and squaring. This report represents a literature review of inversion algorithm and implements a multiplicative based inverter and an Extended Euclidean based inverter in MATLAB. The experi- mental results show that inverters based on Extended Euclidean Algorithm are more efficient than inverters based on Fermat's little theorem. iv Contents Supervisory Committee ii Abstract iii Table of Contents iv List of Tables vi List of Figures vii List of Acronyms viii Acknowledgements ix Dedication x 1 Introduction 1 1.1 Background . 1 1.2 Preliminaries: Binary Finite Field Arithmetic . 2 1.3 Related Work . 4 1.4 Project Contributions . 5 1.5 Report Organization . 5 2 Extended Euclidean algorithm 6 2.1 Extended Euclidean algorithm . 6 2.2 An example of Extended Euclidean algorithm . 9 3 Itoh-Tsujii algorithm 11 3.1 Inversion based on Fermat's little theorem . 11 3.2 Itoh-Tsujii algorithm . 12 3.3 An example of Itoh-Tsujii algorithm . 15 v 4 MATLAB Implementation 17 4.1 MATLAB results . 17 4.2 Analysis and comparison . 18 5 Conclusion 20 Appendix A 22 Bibliography 26 vi List of Tables Table 2.1 An example of binary polynomial division . 8 Table 2.2 An example of EEA . 10 Table 3.1 Inverse of a 2 GF (2233) using an addition chain [1] . 15 Table 4.1 Execution time of EEA and Itoh-Tsujii Algorithms on a quad- core processor . 18 Table 4.2 Execution time of EEA and Itoh-Tsujii Algorithms on a dual-core processor . 18 vii List of Figures Figure 1.1 ECC Arithmetic Architecture . 2 Figure 3.1 Flowchart of Itoh-Tsujii Algorithm . 14 viii List of Acronyms EEA Extended Euclidean Algorithm ECC Elliptic Curve Cryptography FLT Fermat's Little Theorem GCD Greatest Common Divisor SM scalar multiplication VLSI Very Large Scale Integration ix ACKNOWLEDGEMENTS I would like to thank my supervisor Dr. Gebali, who provided my valuable gudance and advice throughout my graduate study. Besides my supervisor, I would like to thank Ibrahim Hazmi for helping me improve my project. My gratitude also goes to my parents and my roommate who constantly support me when I am in need. x DEDICATION To my parents Chapter 1 Introduction 1.1 Background Elliptic Curve Cryptography (ECC) is a public-key cryptosystem based on the alge- braic structure of elliptic curves over finite fields, which can be used to create faster and more efficient cryptographic schemes. The hierarchy of the computations involved in the implementation of ECC cryptosys- tems is in a pyramid of four levels of operations. Finite field or modular arithmetic is the foundation of the pyramid, as it is the basic building block of elliptic curve point addition and point doubling. Whereas the scalar multiplication (SM) is per- formed by repeating point addition and point doubling operations and is used by all ECC cryptographic protocols. Figure 1.1 illustrates the arithmetic architecture of SM computational processes. An elliptic curve E(K) over a field K is defined by an equation [2]: 2 3 2 y + a1xy + a3y = x + a2 x + a4x + a6 (1.1) where a1; a2; a3; a4; a6 2 K, and the discriminant of E is 4 6= 0. In the binary field, E(K) could be simplified as: 2 y3 + xy = x3 + ax2 + b (1.2) where a; b 2 K. Figure 1.1: ECC Arithmetic Architecture [3] 1.2 Preliminaries: Binary Finite Field Arithmetic The finite field GF (2m) of order 2m is called binary finite field. The element a(x) 2 GF (2m) can be expressed as a binary polynomial of degree m − 1 [2]: m−1 m−2 2 1 a(x) = am−1x + am−2x + ··· + a2x + a1x + a0 (1.3) where ai = 0 or 1. A polynomial f(x) of degree m is said to be irreducible in GF (2m) if there does not exist two polynomials g(x) and h(x) of lesser degree in GF (2m) such that f(x) = g(x)h(x). In polynomial arithmetic, as the coefficients ai of the polynomial can be either 0 or 1, an irreducible polynomial f(x) is used to reduce the result of any operation if its degree is greater than m − 1. For instance, the operations defined in field GF (25) are on an irreducible polynomial f(x) = x5 + x2 + 1. 3 Computing point multiplication requires point doubling and point addition, which can be implemented using four basic operations, namely, addition, subtraction, mul- tiplication and division. Addition and subtraction in binary fields can be achieved by adding or subtracting two of these polynomials together, and reducing the result modulo 2. For instance, m−1 1 m−1 1 let a(x) = am−1x + ··· + a1x + a0, b(x) = bm−1x + ··· + b1x + b0 and m−1 1 c(x) = a(x) + b(x) = cm−1x + ··· + c1x + c0. If ak, bk and ck are the coefficients of a(x), b(x) and c(x) respectively, then: ck = (ak + bk) mod 2 (1.4) The computational complexity of addition and subtraction in binary field is usually neglected. Multiplication in a finite field is multiplication modulo an irreducible polynomial. Let a(x) and b(x) be the elements of GF (2m) and let modular multiplication c(x) also be an element of the field. c(x) might be accomplished in two steps, by performing first a polynomial product of the two operands a(x) and b(x), followed by a modular reduction step using the irreducible polynomial f(x). Then, we have: c(x) = a(x) · b(x) mod f(x) (1.5) A great deal of work has been done in studying aspects of inversion in a finite field since inversion is the most time-consuming of the four basic operations. The inverse of a polynomial a(x) in GF (2m) is defined as the computation process to find a polynomial a−1(x) in GF (2m), such that: a(x) · a−1(x) mod f(x) = 1 (1.6) Inversion algorithms can be classified into two main categories, the Extended Eu- clidean Algorithm, and the Fermat's Little Theorem based algorithm. These two algorithms will be discussed in chapters 2 and 3. 4 1.3 Related Work Several algorithms for computing the Extended Euclidean based algorithms have been proposed in the literature [3-5]. In [4], a class of bit serial unidirectional systolic ar- chitectures for inversion and division in polynomial basis has been proposed. They also presented a variant of Extended Euclidean Algorithm (EEA) optimized for uni- directional systolization with no carry propagation structure. Also, in this design, a simpler distributed counter structure which is suitable for applications where the field dimension may be large or variable is introduced. Yan [5] presents two-dimensional systolic architectures for inversion based on a modified extended Euclidean algorithm. The new architecture uses a distributed control mechanism for a variety of field sizes and is suitable for Very Large Scale Integration (VLSI) implementation. In compari- son to similar architectures, their architectures have smaller critical path delays and use considerably fewer hardware costs. An optimized inversion algorithm that can be applied very well in hardware was proposed in [6]. A two-dimensional multipli- cation/inversion systolic architecture and a one-dimensional multiplication/inversion systolic architecture was implemented and can apply very well to an Elliptic Curve arithmetic unit required in elliptic curve cryptography. In terms of the Itoh-Tsujii inverse algorithm in GF (2m), Rebeiro [7] proposed a mod- ification of the Itoh-Tsujii algorithm called quad-Itoh-Tsujii algorithm which was implemented on field-programmable gate-array platforms. That adapted algorithm requires shorter addition chains and reduces the clock cycles significantly by using a parallel architecture. A modified Itoh-Tsujii algorithm algorithm for inversion with polynomial basis was proposed in [8]. An optimal addition chain was used for inver- sion to reduce the operation time by the parallel computation between part of mul- tiplications and squarings. Their inversion architecture with a digit serial multiplier experimentally obtained 61% timing improvement and 69% less resources on average than previous designs with normal basis. Another parallel version of the Itoh-Tsujii algorithm was proposed in [9]. It used a special class of irreducible trinomials, namely, P (x) = xm + xk + 1 to achieve its best performance. This special class of irreducible trinomials reduces the computation complexity and yields a 30% timing improvement on average compared to the standard version of it.