Binary Fields on Limited Systems
Abstract
The intrinsic structure of binary fields poses a challenging complexity problem from both hardware and software point of view. Motivated by applications to modern cryptography, we describe some simple techniques aimed at performing computations over binary fields using systems with limited resources. This is particularly important when such computations must be carried out by means of very small and simple machines. The algorithms described in the present paper provide an increased efficiency in computations, when compared to the previously known algorithms for the arithmetic over prime fields.
Keywords Binary field, cryptography, limited system.
AMS classification Primary 14G50  Secondary 11T55.
1 Introduction
From the introduction of public key chryptography, numerous papers dealing with the problem of constructing efficient algorithms for the arithmetics of finite fields were published. With this respect, a vast amount of research has been carried out for Elliptic Curve Cryptography (ECC), [6].
Recently, cryptosystems have been increasingly used in machines with very limited resources, like for instance smart cards, microchips and microcontrollers. This posed the problem of finding fast and efficient algorithms for field arithmetics when computations are to be performed by such simple devices.
The NIST^{1}^{1}1National Institute of Standards and Technology. gave the recommendations for the selection of the underlying finite fields and elliptic curves. The latest revision of these standards was made available in the publication called FIPS 1863 [9]. This publication recommended 5 prime fields , with chosen among the following primes: , , , , , plus 5 binary fields: , , , and . The NIST also gave detailed instructions on the use of elliptic curves over such finite fields.
Below we describe briefly some standard algorithms for the arithmetic of prime fields [3].
The primes for the prime fields are chosen with a bitsize divisible by 32. Further, must be either a Mersenne prime of the form , or a pseudoMersenne prime of the form with the smallest possible integer . We assume that the implementation platform has an bit architecture, with . Let and , where denotes the least integer such that ; the elements of prime fields are the integers between and stored in software in an array of bit words: .
These primes allow an efficient modular reduction by using the replacement , repeating it as necessary until the equivalent number modulo is obtained.
Let and be two elements of a prime field . The addition is carried out by first finding the sum word by word and then reducing it modulo . The modular addition is implemented by using the classic algorithm “add with carry”, and the modular subtraction is implemented in a similar fashion where the carry is interpreted as a “borrow”.
The multiplication is carried out by using the classic “product term by term”, interpreted as “product word by word”, and then reducing it modulo . We observe that, during the computation, we can easily represent each terms still by the bit words .
The inverse of a non zero field element is carried out by using a variant of the Extended Euclidean Algorithm. The algorithm maintains the invariants and for some and which are not explicitly computed. The algorithm terminates when , in which case , and , hence . Then, the division is carried out as .
We have developed similar algorithms for binary fields in limited systems—whose small efficiency requires simple techniques—for the representation of bit sequences by suitable integers, with the property that addition and subtraction are the same, and with equality .
In this paper we describe some simple algorithms that are designed to work with the arithmetic of the binary fields in limited systems such as microcontrollers, smart cards, etc. These algorithms are presented in form of pseudocode.
2 Arithmetic on binary fields and algorithms
In a hardware circuit the data is represented by logical signals and it uses the arithmetic of bits binary sequences. Therefore, the most appropriate choice for a finite field is . We have the following isomorphism:
where
is an irreducible polynomial of degree over . Using this isomorphism, the operations between bits binary sequences are identified with the operations between polynomials of degree modulo .
To optimize the use of hardware memory, we can represent any sequence of bits with an unsigned integer between and . More precisely, an element of corresponds to unsigned integers. Then, using an appropriate representation of binary numbers as integers, we are able to access the bits representing the coefficients of the polynomials with appropriate functions and statements in terms of integers.
Let be the difference between and the degree of the polynomial . For practical reasons, polynomials with few terms and degree as small as possible are preferable. One can use irreducible polynomials with three or five terms (trinomials and pentanomials, respectively) and such that .
The existence and the properties of certain irreducible polynomials, such as trinomials and pentanomials over , have been extensively investigated for at least 40 years following the paper of R.A. Shwan [12]. The relevant contributions prior to 1983 are surveyed in [8]; see Chapter 3, Notes 5. Recent references on irreducible polynomials with few terms are [1, 2, 5, 7, 10]. In particular, a theorem due to Swan [12] implies that irreducible trinomials do not exist for . Furthermore, it follows from a result due to Bluher [2] that they are rare when ; this fact originates from observations on trinomials and pentanomials arising from computations of Ahmadi and Menezes [1]: If and is an irreducible monic polynomial of degree such that for each with , then contains a term with and . In particular, this shows for irreducible trinomials that the degree of the second term cannot be chosen to be of small.
When an irreducible trinomial of degree does not exist, the next best choice is a pentanomial. Usually, the polynomials are generated by deterministic irreducibility tests using computer computing, and a table of trinomials or pentanomials is available for in [11].
We can write with two zero terms in case of trinomials.
2.1 Addition
The addition of polynomials corresponds to the logical XOR operation, also called exclusive or, between bits of their corresponding binary sequences. Generally, programming languages for microcontrollers provide the XOR operator for the integers.
Algorithm 1 computes the sum of two elements of with computational complexity . The symbol “^” stands for the binary operator XOR of unsigned integers.
2.2 Reduction modulo
Let be a polynomial of degree , with , represented by the binary sequence with .
Let and , where for , then we can write the polynomial as .
Since , we carry out the reduction of modulo using the following:

the equivalence

the operations “” and “”, which are the respective equivalents of shifting up and down positions in the binary sequence of the polynomial .
When we shift a binary sequence by bits up or down, the ones into upmost or downmost bits, respectively, are lost. Our algorithms must guarantee that none of the ones are being shifted into oblivion, in order to assert that
When a polynomial has degree greater than , we can delete the terms of degree greater than by using the equivalence and repeating it if necessary. Since , we need to iterate this operation no more than twice. So, we obtain Algorithm 2, which has computational complexity , with or according as is a trinomial or a pentanomial.
2.3 Square
Since is a field of characteristic 2, the following equality holds
Therefore, we can compute the square of a polynomial simply by doubling its indices and then performing the reduction modulo . We obtain Algorithm 3, whose main computational cost is due to reduction.
2.4 Product
Let be two polynomials, with
Since the product between and is
which has computational complexity plus shifts and the reduction’s cost.
But, we can perform the product faster as follows. Let , , , and define the operation . We note that , where , if and otherwise.
By using the operation , we only need to do shift operations, instead of , in this way:
We have Algorithm 4, which has computational complexity plus shifts and the reduction’s cost.
2.5 Inversion and division
To compute the inverse of polynomials we use a variant of the classical Euclidean algorithm. We can carry out the division between two polynomials by multiplying the first one by the inverse of the second one.
Let and be two polynomials in . Then, for all polynomials . If and , we can compute and hold .
3 Tests performed
We tested these algorithms on a commercially available and very cheap board. Such a board, called Arduino™ Duemilanove^{2}^{2}2http://www.arduino.cc/, has computing power similar to smart cards and has the following features:

ATmega168 microcontroller^{3}^{3}3Low Power AVR® Microcontroller manufactured by ATMEL®. ;

16 KB (available 14 KB) in system selfprogrammable flash memory;

1 KB SRAM and 512 Bytes EEPROM;

16 MHz clock speed;

language based on C/C++;

standard serial communication.
Below, we show the most significant results obtained on the 5 binary fields that NIST recommended in the publication FIPS 1863, with following polynomial basis representation:

,

,

,

,

.
Degree of field  163  233  283  409  571 

multiplication on binary fields  16  29  40  80  149 
inversion on binary fields  60  105  145  282  505 
Degree of field  192  224  256  384  521 

multiplication on prime fields  6  7  9  18  29 
inversion on prime fields  234  344  490  1442  3258 
In order to do a comparison, we have also implemented the algorithms on the NIST prime fields shown in the Introduction 1. In Tables 1 and 2, we put the execution times to multiply and invert on the NIST binary fields and on the NIST prime fields respectively. In Figure 1 we provide a visual comparison between the execution times on binary fields and prime fields.
4 Conclusion
In this paper, we presented an implementation of the arithmetic in with basic polynomial, using straightforward algorithms with low use of memory.
The algorithms we used are as generic as possible, so we can easily change the parameters and the underlying field . For their flexibility, these algorithms can be used in systems with limited computing resources.
From the comparison between the execution times, we observe that the multiplication on prime fields requires an execution time which is shorter than on binary fields, while the operation of inversion on prime fields has an execution time much larger than on binary fields, and this grows very rapidly.
Furthermore, we can observe that our algorithms proved to be very efficient and particularly suitable for small devices and tasks which require the use of arithmetic inversions.
Acknowledgements
The authors would like to thank the referee for many helpful comments and hints. This work was finantially supported by the TÁMOP4.2.2/08/1/20080008 program of the Hungarian National Development Agency, by the Italian Ministry MIUR PRIN 201112, by Italian Institute of high Mathematics INdAMGNSAGA. The paper is based on the talk given by V. Lanzone in the The Second Conference of PhD Students in Mathematics (CSM 2), Szeged, Hungary, 2012.
References
 [1] O. Ahmadi, A. Menezes, On the number of traceone elements in polynomial bases for . Des. Codes Cryptogr. 37 (2005), 493–507.
 [2] A.W. Bluher, A Swanlike theorem. Finite Fields Appl. 12 (2006), 128–138.
 [3] M. Brown, D. Hankerson, J. López, A. Menezes, Software Implementation of the NIST Elliptic Curves Over Prime Fields. Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer’s Track at RSA. SpringerVerlag, London (2001), 250–265.
 [4] D. Hankersjon, A. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography. Springer Verlag, New York (2004).
 [5] B. Hanson, D. Panario, D. Thomson, Swanlike results for binomials and trinomials over finite fields of odd characteristic. Des. Codes Cryptogr. 61 (2011), 273–283.
 [6] J.W.P. Hirschfeld, G. Korchmáros, F. Torres, Algebraic Curves over a Finite Field. Princeton University Press (2008).
 [7] W. Koepf, R. Kim, The parity of the number of irreducible factors for some pentanomials Finite Fields Appl. 15 (2009), 585–603.
 [8] R. Lidl, H. Niederreiter, Finite Fields. Encyclopedia of Mathematics and its Applications. First edition AddisonWesley Publishing Inc. (1983). Second edition Cambridge University Press (1997). Reprinted (2000).
 [9] National Institute of Standards and Technology, Digital Signature Standard (DSS). DRAFT FIPS Publication 1863 (2009).
 [10] D. Panario, G. Tzanakis, A generalization of the HansenMullen conjecture on irreducible polynomials over finite fields. Finite Fields Appl. 18 (2012), 303–315.
 [11] G. Seroussi, Table of LowWeight Binary Irreducible Polynomials. Computer Systems Laboratory, HPL98135 (1998).
 [12] R.G. Swan, Factorization of polynomials over finite fields. Pacific J. Math., 12 (1962), 1099–1106.