Binary Fields on Limited Systems

# Binary Fields on Limited Systems

Gábor Péter Nagy
University of Szeged, Hungary
nagyg@math.u-szeged.hu
Valentino Lanzone
University of Basilicata, Italy
valentinoweb@alice.it
###### Abstract

The intrinsic structure of binary fields poses a challenging complexity problem from both hardware and software point of view. Motivated by applications to modern cryptography, we describe some simple techniques aimed at performing computations over binary fields using systems with limited resources. This is particularly important when such computations must be carried out by means of very small and simple machines. The algorithms described in the present paper provide an increased efficiency in computations, when compared to the previously known algorithms for the arithmetic over prime fields.

Keywords Binary field, cryptography, limited system.

AMS classification Primary 14G50 - Secondary 11T55.

## 1 Introduction

From the introduction of public key chryptography, numerous papers dealing with the problem of constructing efficient algorithms for the arithmetics of finite fields were published. With this respect, a vast amount of research has been carried out for Elliptic Curve Cryptography (ECC), [6].

Recently, cryptosystems have been increasingly used in machines with very limited resources, like for instance smart cards, microchips and microcontrollers. This posed the problem of finding fast and efficient algorithms for field arithmetics when computations are to be performed by such simple devices.

The NIST111National Institute of Standards and Technology. gave the recommendations for the selection of the underlying finite fields and elliptic curves. The latest revision of these standards was made available in the publication called FIPS 186-3 [9]. This publication recommended 5 prime fields , with chosen among the following primes: , , , , , plus 5 binary fields: , , , and . The NIST also gave detailed instructions on the use of elliptic curves over such finite fields.

Below we describe briefly some standard algorithms for the arithmetic of prime fields [3].

The primes for the prime fields are chosen with a bitsize divisible by 32. Further, must be either a Mersenne prime of the form , or a pseudo-Mersenne prime of the form with the smallest possible integer . We assume that the implementation platform has an -bit architecture, with . Let and , where denotes the least integer such that ; the elements of prime fields are the integers between and stored in software in an array of -bit words: .

These primes allow an efficient modular reduction by using the replacement , repeating it as necessary until the equivalent number modulo is obtained.

Let and be two elements of a prime field . The addition is carried out by first finding the sum word by word and then reducing it modulo . The modular addition is implemented by using the classic algorithm “add with carry”, and the modular subtraction is implemented in a similar fashion where the carry is interpreted as a “borrow”.

The multiplication is carried out by using the classic “product term by term”, interpreted as “product word by word”, and then reducing it modulo . We observe that, during the computation, we can easily represent each terms still by the -bit words .

The inverse of a non zero field element is carried out by using a variant of the Extended Euclidean Algorithm. The algorithm maintains the invariants and for some and which are not explicitly computed. The algorithm terminates when , in which case , and , hence . Then, the division is carried out as .

We have developed similar algorithms for binary fields in limited systems—whose small efficiency requires simple techniques—for the representation of bit sequences by suitable integers, with the property that addition and subtraction are the same, and with equality .

In this paper we describe some simple algorithms that are designed to work with the arithmetic of the binary fields in limited systems such as microcontrollers, smart cards, etc. These algorithms are presented in form of pseudo-code.

## 2 Arithmetic on binary fields and algorithms

In a hardware circuit the data is represented by logical signals and it uses the arithmetic of -bits binary sequences. Therefore, the most appropriate choice for a finite field is . We have the following isomorphism:

 GF(2t)≃GF(2)[x]/p(x)

where

 p(x)=xt+r(x)=xt+t−1∑i=0pixi,p=(p0,p1,…,pt−1,1)∈GF(2t+1)

is an irreducible polynomial of degree over . Using this isomorphism, the operations between -bits binary sequences are identified with the operations between polynomials of degree modulo .

To optimize the use of hardware memory, we can represent any sequence of bits with an unsigned integer between and . More precisely, an element of corresponds to unsigned integers. Then, using an appropriate representation of binary numbers as integers, we are able to access the bits representing the coefficients of the polynomials with appropriate functions and statements in terms of integers.

Let be the difference between and the degree of the polynomial . For practical reasons, polynomials with few terms and degree as small as possible are preferable. One can use irreducible polynomials with three or five terms (trinomials and pentanomials, respectively) and such that .

The existence and the properties of certain irreducible polynomials, such as trinomials and pentanomials over , have been extensively investigated for at least 40 years following the paper of R.A. Shwan [12]. The relevant contributions prior to 1983 are surveyed in [8]; see Chapter 3, Notes 5. Recent references on irreducible polynomials with few terms are [1, 2, 5, 7, 10]. In particular, a theorem due to Swan [12] implies that irreducible trinomials do not exist for . Furthermore, it follows from a result due to Bluher [2] that they are rare when ; this fact originates from observations on trinomials and pentanomials arising from computations of Ahmadi and Menezes [1]: If and is an irreducible monic polynomial of degree such that for each with , then contains a term with and . In particular, this shows for irreducible trinomials that the degree of the second term cannot be chosen to be of small.

When an irreducible trinomial of degree does not exist, the next best choice is a pentanomial. Usually, the polynomials are generated by deterministic irreducibility tests using computer computing, and a table of trinomials or pentanomials is available for in [11].

We can write with two zero terms in case of trinomials.

The addition of polynomials corresponds to the logical XOR operation, also called exclusive or, between bits of their corresponding binary sequences. Generally, programming languages for microcontrollers provide the XOR operator for the integers.

Algorithm 1 computes the sum of two elements of with computational complexity . The symbol “^” stands for the binary operator XOR of unsigned integers.

### 2.2 Reduction modulo p(x)

Let be a polynomial of degree , with , represented by the binary sequence with .

Let and , where for , then we can write the polynomial as .

Since , we carry out the reduction of modulo using the following:

• the equivalence

 a≡l+hr(x)=l+r0hxi0+r1hxi1+r2hxi2+r3hxi3(modp(x));
• the operations “” and “”, which are the respective equivalents of shifting up and down positions in the binary sequence of the polynomial .

When we shift a binary sequence by bits up or down, the ones into upmost or downmost bits, respectively, are lost. Our algorithms must guarantee that none of the ones are being shifted into oblivion, in order to assert that

 [f(x)⋅xi]=[f(x)≪i]and[f(x)/xi]=[f(x)≫i].

When a polynomial has degree greater than , we can delete the terms of degree greater than by using the equivalence and repeating it if necessary. Since , we need to iterate this operation no more than twice. So, we obtain Algorithm 2, which has computational complexity , with or according as is a trinomial or a pentanomial.

### 2.3 Square

Since is a field of characteristic 2, the following equality holds

 (t−1∑i=0αixi)2=t−1∑i=0αix2i,αi∈GF(2).

Therefore, we can compute the square of a polynomial simply by doubling its indices and then performing the reduction modulo . We obtain Algorithm 3, whose main computational cost is due to reduction.

### 2.4 Product

Let be two polynomials, with

 a=t−1∑i=0αixi.

Since the product between and is

 a⋅b=t−1∑i=0αixi⋅b=t−1∑i=0αi⋅(bxi)=t−1∑i=0αi⋅(b≪i),

which has computational complexity plus shifts and the reduction’s cost.

But, we can perform the product faster as follows. Let , , , and define the operation . We note that , where , if and otherwise.

By using the operation , we only need to do shift operations, instead of , in this way:

 a⋅b=L−1∑e=0{m−1∑i=0αiL+e⋅[Sh((b≪e),i)]}

We have Algorithm 4, which has computational complexity plus shifts and the reduction’s cost.

### 2.5 Inversion and division

To compute the inverse of polynomials we use a variant of the classical Euclidean algorithm. We can carry out the division between two polynomials by multiplying the first one by the inverse of the second one.

Let and be two polynomials in . Then, for all polynomials . If and , we can compute and hold .

With this variant, we can use the extended Euclidean algorithm and obtain Algorithm 5 which has computational complexity , see [4].

## 3 Tests performed

We tested these algorithms on a commercially available and very cheap board. Such a board, called Arduino™ Duemilanove, has computing power similar to smart cards and has the following features:

• ATmega168 microcontroller333Low Power AVR® Microcontroller manufactured by ATMEL®. ;

• 16 KB (available 14 KB) in system self-programmable flash memory;

• 1 KB SRAM and 512 Bytes EEPROM;

• 16 MHz clock speed;

• language based on C/C++;

• standard serial communication.

Below, we show the most significant results obtained on the 5 binary fields that NIST recommended in the publication FIPS 186-3, with following polynomial basis representation:

• ,

• ,

• ,

• ,

• .

In order to do a comparison, we have also implemented the algorithms on the NIST prime fields shown in the Introduction 1. In Tables 1 and 2, we put the execution times to multiply and invert on the NIST binary fields and on the NIST prime fields respectively. In Figure 1 we provide a visual comparison between the execution times on binary fields and prime fields.

## 4 Conclusion

In this paper, we presented an implementation of the arithmetic in with basic polynomial, using straightforward algorithms with low use of memory.

The algorithms we used are as generic as possible, so we can easily change the parameters and the underlying field . For their flexibility, these algorithms can be used in systems with limited computing resources.

From the comparison between the execution times, we observe that the multiplication on prime fields requires an execution time which is shorter than on binary fields, while the operation of inversion on prime fields has an execution time much larger than on binary fields, and this grows very rapidly.

Furthermore, we can observe that our algorithms proved to be very efficient and particularly suitable for small devices and tasks which require the use of arithmetic inversions.

## Acknowledgements

The authors would like to thank the referee for many helpful comments and hints. This work was finantially supported by the TÁMOP-4.2.2/08/1/2008-0008 program of the Hungarian National Development Agency, by the Italian Ministry MIUR PRIN 2011-12, by Italian Institute of high Mathematics INdAM-GNSAGA. The paper is based on the talk given by V. Lanzone in the The Second Conference of PhD Students in Mathematics (CSM 2), Szeged, Hungary, 2012.

## References

• [1] O. Ahmadi, A. Menezes, On the number of trace-one elements in polynomial bases for . Des. Codes Cryptogr. 37 (2005), 493–507.
• [2] A.W. Bluher, A Swan-like theorem. Finite Fields Appl. 12 (2006), 128–138.
• [3] M. Brown, D. Hankerson, J. López, A. Menezes, Software Implementation of the NIST Elliptic Curves Over Prime Fields. Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer’s Track at RSA. Springer-Verlag, London (2001), 250–265.
• [4] D. Hankersjon, A. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography. Springer Verlag, New York (2004).
• [5] B. Hanson, D. Panario, D. Thomson, Swan-like results for binomials and trinomials over finite fields of odd characteristic. Des. Codes Cryptogr. 61 (2011), 273–283.
• [6] J.W.P. Hirschfeld, G. Korchmáros, F. Torres, Algebraic Curves over a Finite Field. Princeton University Press (2008).
• [7] W. Koepf, R. Kim, The parity of the number of irreducible factors for some pentanomials Finite Fields Appl. 15 (2009), 585–603.
• [8] R. Lidl, H. Niederreiter, Finite Fields. Encyclopedia of Mathematics and its Applications. First edition Addison-Wesley Publishing Inc. (1983). Second edition Cambridge University Press (1997). Reprinted (2000).
• [9] National Institute of Standards and Technology, Digital Signature Standard (DSS). DRAFT FIPS Publication 186-3 (2009).
• [10] D. Panario, G. Tzanakis, A generalization of the Hansen-Mullen conjecture on irreducible polynomials over finite fields. Finite Fields Appl. 18 (2012), 303–315.
• [11] G. Seroussi, Table of Low-Weight Binary Irreducible Polynomials. Computer Systems Laboratory, HPL-98-135 (1998).
• [12] R.G. Swan, Factorization of polynomials over finite fields. Pacific J. Math., 12 (1962), 1099–1106.
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters