Low Complexity Systolic Montgomery Multiplication over Finite Fields GF(2^m)

유한체상의 낮은 복잡도를 갖는 시스톨릭 몽고메리 곱셈

Abstract

Galois field arithmetic is important in error correcting codes and public-key cryptography schemes. Hardware realization of these schemes requires an efficient implementation of Galois field arithmetic operations. Multiplication is the main finite field operation and designing efficient multiplier can clearly affect the performance of compute-intensive applications. Diverse algorithms and hardware architectures are presented in the literature for hardware realization of Galois field multiplication to acquire a reduction in time and area. This paper presents a low complexity semi-systolic multiplier to facilitate parallel processing by partitioning Montgomery modular multiplication (MMM) into two independent and identical units and two-level systolic computation scheme. Analytical results indicate that the proposed multiplier achieves lower area-time (AT) complexity compared to related multipliers. Moreover, the proposed method has regularity, concurrency, and modularity, and thus is well suited for VLSI implementation. It can be applied as a core circuit for multiplication and division/exponentiation.

Ⅰ. Introduction

Many important applications, such as digital signal processing, cryptography, and coding theory, are based on finite field GF(2^m) arithmetic. In particular, elliptic curve cryptography (ECC) which needs smaller key sizes than RSA public key cryptography by offering same security level require finite field operations [1, 2]. In the finite field, the performance of a cryptosystem is primarily determined by an efficient implementation of the arithmetic operations, e.g., addition, multiplication, division and exponentiation. Addition is relatively inexpensive, whereas division and exponentiation can be carried out using repeated multiply and square algorithm. Therefore, efficient multiplication architectures over GF(2^m) should be designed to implement elliptic curve cryptosystem.

The efficiency of finite field multiplications depends on the selected basis representations for elements in GF(2^m). There are several basis representations such as polynomial basis (PB), normal basis, dual basis, and redundant basis. Each basis has its own distinct advantages. Among these basis, polynomial basis arithmetic is more simple, regular, and scalable in hardware realization. Furthermore, the efficiency of finite field multiplier is dependent on the irreducible polynomial chosen. Irreducible polynomials are categorized into generic polynomial, equally spaced polynomial (ESP), trinomial, and pentanomial. A 1-ESP is known as an all one polynomial (AOP). Trinomial and pentanomial-based multipliers are more effective, while generic polynomial-based multipliers are suitable for a broader range of applications. According to the implementation method, varied multipliers can be devised. Bit serial multipliers require a small area, but are slow and take m clock cycles to carry out the multiplication of two elements. Conversely, bit parallel multipliers get the result in one clock cycle at the expense of immoderate hardware. A systolic array architecture has the characteristic features of regularity, modularity, local homogeneous interconnection and concurrency. Due to the nature of pipelining, it is possible to use a high clock frequency under high resource utilization.

In this paper, we propose a semi-systolic modular multiplier array over GF(2^m) to reduce the time and area overhead by partitioning MMM into two independent and identical parts. These two can be processed efficiently in a pipelined manner on a semi-systolic array. The proposed systolic array architecture is based on the general irreducible polynomial and can be adopted to any more efficient types of special polynomials, i.e., trinomial and pentanomial. We develop a parallel-in-parallel-out systolic array by deriving the dependence graph (DG) of the proposed MMM algorithm and applying the cut-set systolization to the DG array. This structure is very regular and has local interconnections, making it very suitable for VLSI implementations. The proposed scheme can be used as a kernel component for both inversion/exponentiation and multiplication.

Ⅱ. Montgomery multiplication for finite field

Several systolic modular multiplication algorithms and architectures have been proposed [3-12]. Lee et al. [3] and Chiou et al. [4] presented a semi-systolic array multiplier with an error detection. Huang et al. [5] proposed an efficient semi-systolic array multiplier to decrease the time and area costs. Choi and Lee [6] proposed new bit-parallel and bit-serial systolic multipliers simplifying quotient determination necessary for an exact division when performing MMM in a prime field GF(p). The critical operation of the integer MMM is a three-operand addition within an iteration loop, where addition of long integers can cause a significant delay due to carry propagation, which limits the clock frequency. One way of solving this problem is to employ a systolic array. Note that GF(p) arithmetic is different from the binary field GF(2^m) arithmetic because no carry computation exists in GF(2^m). Choi and Lee [7] developed highly area-time efficient serial and parallel systolic array for unified multiplication and squaring with little hardware overhead. It has the feature that it computes both multiplication and squaring concurrently for fast modular exponentiation. The performance of this architecture is based on the new LSB-first multiplication and LSB-first exponentiation. Chiou et al. [8] presented a semi-systolic array multiplier to lessen the time complexity. Recently, Lee [9] proposed a new resource and delay efficient semi-systolic MMM multiplier with two-level systolic computation and LSB-first Montgomery multiplication. The multiplier presented by Mathe and Boppana [10] has both serial input and parallel input. Ibrahim [11] presented the systolic array structure for multiplication and squaring. Recently, Pillutla and Boppana [12] proposed a polynomial basis GF(2^m) systolic multiplier applicable for a narrow class of trinomials which includes both the recommended trinomials for m = 233 and 409 fields. Although several multipliers have been developed with a polynomial basis of GF(2^m), their high hardware complexities and long delay times are important limitations in security applications. Thus, further research on efficient multiplication architectures with low area and time complexities is needed.

The development of fast algorithms and structures of modular multiplications has received considerable interest. The Montgomery modular multiplication algorithm without a division operation was first proposed by P. L. Montgomery to improve the performance of modular integer multiplications [6, 13]. It was proved that MMM is appropriate to GF(2^m) [14]. The basic idea is to convert input values to Montgomery residues, and compute the modular multiplication using these residues. Finally, the output is transformed back to the original representation.

Let G = ∑^m_j=0g_jx^j be the irreducible polynomial generating the finite field GF(2^m), where g_m = g₀ = 1 and g_j ∈ GF(2) for 1 ≤ j ≤ m – 1. It is conventional to represent the elements of GF(2^m) as a power of the primitive element z where z is the root of G. The set {1, z, ..., z^m–1} is referred to as the polynomial basis. Each element in GF(2^m) is a unique linear combination consisting of polynomials of degree less than m in GF(2). The addition is bitwise exclusive-OR (XOR); but, the multiplication is a little complicated since the intermediate result needs further modular reduction by x^m = ∑^m-1_j=0g_jx^j.

Let x and y be two elements of GF(2^m) to be multiplied. Instead of computing S = xy mod G, using a novel notation of the residue class, Montgomery multiplication of A (= xR mod G = ∑^m-1_j=0α_jx^j) and B (= yR mod G =∑^m-1_j=0b_jx^j) is computed by T = ABR^–1 mod G = ∑^m-1_j=0t_jx^j, where A (resp., B) is the Montgomery residue of x (resp., y) and R is a special element satisfying gcd(R, G) = 1. The final result S is then taken by computing MMM using inputs T and 1, i.e., S = TR^–1 mod G = xy mod G. Therefore, MMM is favourable in several applications involving successive multiplications, such as inversion, exponentiation, and elliptic curve point multiplication due to the pre- and post-transformation needs.

Note that in most practical applications, m is an odd number. For elliptic curve cryptography (ECC), the National Institute of Standard and Technology (NIST) recommends five binary fields: GF(2¹⁶³), GF(2²³³), GF(2²⁸³), GF(2⁴⁰⁹), and GF(2⁵⁷¹). Of these five fields, m = 233 and 409 are irreducible trinomials and the others are pentanomials. In this paper, we only consider odd values of m and we construct a low complexity semi-systolic Montgomery multiplier. Using R = x^(m–1)/2, the Montgomery multiplication T = ABR^–1 mod G can be formulated as

T = A(b₀ + b₁x +⋯+ b_(m–1)/2x^(m–1)/2 +⋯+ b_m–1x^m–1)x^–(m–1)/2 mod G

= A(b₀x ^–(m–1)/2+b₁x^–(m–3)/2+⋯+b _(m–3)/2x^–1) +A(b_(m–1)/2x⁰+b_(m+1)/2x¹+⋯+b_m–1x ^(m–1)/2) mod G       (1)

To derive the recurrence relations for the proposed semi-systolic MMM multiplier, (1) is represented as the sum of two polynomials C and D as follows:

C = Ab_m–1x^(m–1)/2 + Ab_m–2x^(m–3)/2 +⋯ + Ab_(m+1)/2x¹ + Ab_(m–1)/2 mod G

= (⋯((Ab_m–1)x mod G + Ab_m–2)x mod G +⋯+ Ab_(m+1)/2)x mod G + Ab_(m–1)/2       (2)

D = Ab_(m–3)/2x^–1 + Ab_(m–5)/2x^–2 +⋯+ Ab₁x^–(m–3)/2 + Ab₀x^–(m–1)/2 mod G

= (⋯((Ab₀)x^–1 mod G + Ab₁)x^–1 mod G +⋯+ Ab_(m–3)/2)x^–1 mod G       (3)

Let C_i and D_i be the results of i-th recursion of (2) and (3), respectively, which can be computed recursively from the results of (i – 1)-th pair of recursions. The recursive equation of (2) at step i for 1 ≤ i ≤ (m + 1)/2 can be obtained as

C_i = C_i–1x mod G + Ab_m–i,       (4)

where C₀ = 0.

Similar to (4), we can express (3) recursively as

D_i = D_i–1x^–1 mod G + Ab_i–1,       (5)

where D₀ = b_(m–1)/2 = 0

Note that the value b_(m–1)/2 = 0 is required in the computation of the last D_(m+1)/2. According to (4) and (5), it is clear that there is no data dependency in C_i and D_i, so they can be computed concurrently. With the bit-level representation, substituting the expansion of x^m on (4), the reduced form of C_i for 1 ≤ i ≤ (m + 1)/2 can be obtained by

C_i = c_i–1,m–2x^m–1 +…+ c_i–1,1x² + c_i–1,0x + c_i–1,m–1(g_m–1x^m–1 + … + g₁x + g₀) + b_m–i(a_m–1x^m–1 + … + a₁x + a₀)

= c_i,m–1x^m–1 + … + c_i,1x + c_i,0       (6)

Finally, C at step i can be represented in a recursive manner as

c_i,m–1–j = c_{i–1,m–2–j} + c_i–1,m–1g_m–1–j + b_m–ia_m–1–j,       (7)

where c_{0, j} = c_i–1,–1 = 0 and m – 1 ≥ j ≥ 0.

For any irreducible polynomial, g₀ = 1 and g_m = 1, and we notice that x is a root of G. Thus, multiplying each side of G by x^–1 , and reorganizing the terms, we obtain x^–1 = ∑^m_j=1g_jx^j-1. Similar to (6), substituting the expansion of x^–1 on (5), D_i can be rewritten as follows:

D_i = d_i–1,m–1x^m–2 + … + d_i–1,1 + d_i–1,0(g_mx^m–1 + … + g₂x + g₁) + b_i–1(a_m–1x^m–1 + … + a₁x + a₀)

= d_i,m–1x^m–1 + … + d_i,1x + d_i,0.       (8)

The recursive equation of (8) at step i for 1 ≤ i ≤ (m+1)/2 can be represented as

d_{i, j} = d_i–1,j+1 + d_i–1,0g_j+1 + b_i–1a_j,       (9)

where d_{0, j} = d_i–1,m = b_(m–1)/2 = 0 and 0 ≤ j ≤ m – 1. Finally, C^(m+1)/2 and D^(m+1)/2 should be summed up by using m 2-input XOR gates (XOR₂) to obtain T.

For simplicity of discussion, the binary field GF(2⁵) is used to illustrate the semi-systolic architecture. A most significant bit (MSB)-first semi-systolic array for the computation of C based on (7) is shown in <Figure 1>, where m × (m + 1)/2 basic cells of <Figure 2> are used and “●” denotes a 1-bit latch. In <Figure 2>, the cell at position (i, j) computes (7). In Fig. 1(a), the cell at position (i, j) receives c_{i–1,m–2–j} from the neighbor cell at the position (i – 1, j + 1) of the previous row and computes c_i,m–1–j.

<Figure 1> Array architecture for C

<Figure 2> Circuit of (i, j) cell

The index points and initial locations of all inputs are as following. First, b_m–i, 1 ≤ i ≤ (m + 1)/2, enters index (i, 0) from the left direction and flows into the direction of [0, 1]. The values a_m–1–j and g_m–1–j, m – 1 ≥ j ≥ 0, then enter index [1, j] from the top and flow in the direction of [1, 0], respectively. Next, c_0,m–2–j, 0 ≤ j ≤ m – 1, enters [1, j] index from the top, and then is computed with the partial products generated by the previous row to give new partial products that are passed on to the next row, and then flows in the direction of [1, –1].

The values a_m–1–j and g_m–1–j, m – 1 ≥ j ≥ 0, then enter index [1, j] from the top and flow in the direction of [1, 0], respectively. Next, c_0,m–2–j, 0 ≤ j ≤ m – 1, enters [1, j] index from the top, and is computed with the partial products generated by the previous row to give new partial products that are passed on to the next row, and then flows in the direction of [1, –1]. Then, c_{i–1, m–1}, 1 ≤ i ≤ (m+1)/2, the MSB of C_i–1, enters index [i, 0] from the left direction and flows into the direction of [0, 1]. The result, C_(m+1)/2, is obtained from the bottom row of the array after (m+1)/2 iterations. In <Figure 2>, the basic cell consists of two 2-input AND gates (AND₂) and one 3-input XOR gate (XOR₃). The (i, j) cell receives c_{i–1, m–2–j} as its input from the (i – 1, j + 1)-th cell; a_m–1–j and g_m–1–j, from the (i – 1, j)-th cell; and b_m–i, from the (i, j – 1)-th cell. The critical path delay of this structure is the total delay of one AND₂ and one XOR₃. In <Figure 1>, the left side input b_m–i+1 is delayed by one clock cycle relative to b_m–i for 2 ≤ i ≤ (m+1)/2.

Similar to <Figure 1>, the least significant bit (LSB)-first semi-systolic array can be adopted efficiently to compute D by rearranging coefficients of B, A, and G based on (9), as depicted in <Figure 3>, where m × (m+1)/2 basic cells of <Figure 4> are used. Note that (m+1)/2-th row is added for the final x^–1 operation.

<Figure 3> Array architecture for D

<Figure 4> Circuit of (i, j) cell

The proposed multiplier can be implemented by using the above two arrays and m XOR₂. It is noted that the structures and data flows of <Figure 1> are the same as those of <Figure 3>. Since (7) and (9) have an identical and independent computation structure, we can process two equations in pipelined fashion using one systolic array. Therefore, by unifying and retiming <Figure 1> and <Figure 3>, the new semi-systolic multiplier architecture in <Figure 5> and <Figure 6> can be derived. In <Figure 5>, each cell (i, j) includes two AND₂ and one XOR₃, and computes C of (7) and D of (9) in sequence. After (m+1)/2 iterations, the final result T is the summation of C_(m+1)/2 and D_(m+1)/2, where C_(m+1)/2 is delayed by one clock cycle relative to D_(m+1)/2. The latency of the presented multiplier is (m+1)/2 + 3 clock cycles; the critical propagation delay time is the total delay of one AND₂ and one XOR₃. Note that for the further parallel computation and critical propagation delay reduction, a 3-input XOR gate in <Figure 6> can be constructed using two 2-input XOR gates. The architecture of <Figure 6> can be reorganized similarly to the cell structure of the systolic array in [9]. As a result, the critical path delay can be reduced to the total delay of one AND₂ and one XOR₂ with a little area overhead.

<Figure 5> Proposed multiplier for T = C + D

<Figure 6> Circuit of (i, j) cell

Ⅲ. Analysis and comparison

The analytical expressions shown in <Table 1> are analyzed for m = 571 using the time and area complexity approximations of logic gates built from the Samsung electronics, where m = 571 is one of the finite field sizes preferred by NIST for elliptic curve applications.

<Table 1> Complexity comparison of semi-systolic multipliers

We obtained the area of the gates and latch along with their worst-case intrinsic delays pertaining to unit drive-strength from the Samsung STD 150 0.13μm 1.2V CMOS Standard Cell Library databook. Using these data, we estimate the time and area complexities of the proposed and related works. The following is the area and time requirements of the cells used in <Table 1>, where T represents the time (ns), A represents the area (transistor count), and Gaten represents the n-input logic gate, respectively [7]: T_AND2: 0.094, A_AND2: 6.68, T_XOR2: 0.167, A_XOR2: 12.00, T_LATCH: 0.157, and A_LATCH: 16.00.

<Table 1> shows the analytical comparison of data flow, latency, throughput, time complexity, area complexity, AT complexity, and improvement of the presented multiplier with the multipliers considered for comparison. The area requirement for the presented multiplier is analyzed in terms of number of XOR₂, AND₂, latches, and transistors.

It is noticed that the presented multiplier needs a comparable number of transistors. It is evident from <Table 1> (% reduction in #transistors row) that the presented multiplier gets area efficiency of 38%, 42%, and -18% when compared with multipliers [5, 8, 9], respectively. The critical path delay (i.e., cell delay) and latency of the presented multiplier are 0.26 ns and (m+7)/2 clock cycles, respectively and the total delay time is (latency) × (cell delay). <Table 1> (% reduction in total delay row) indicates that the presented architecture gets time efficiency of 49%, 82%, and 0% when compared with multipliers [5, 8, 9], respectively. It is noticed that the multiplier [9] needs the same total delay (0%) and less hardware (–18%) compared to the proposed multiplier. Although the proposed multiplier needs a little high-chip area, it is realizable and affordable by VLSI implementation.

The presented systolic multiplier takes the high throughput with one multiplication result per clock cycle if data independent multiplications are applied in order and computed in parallel in the proposed multiplier. The high-throughput systolic multiplier is desperately required because the elliptic curve digital signature algorithm (ECDSA) needs a large number of field multiplications and inversions, where the inversion operation can be done by repetitive multiplications. A comparison of results notices that the proposed systolic multiplier is pipelined to multiply operands with high throughput rate. Thus, the proposed high-throughput low AT-complexity systolic multiplier is suitable for executing digital signatures of ECDSA, which needs many multiplications.

Ⅳ. Conclusion

This study proposes a new low-complexity semi-systolic multiplier for efficient MMM, which is the crucial operation in finite field arithmetic. Note that the proposed multiplier consists of the MSB-first PB array (Figure 1) and the LSB-first MMM array (Figure 3). Two equally divided arrays can be independently performed, and it is well suited to implement both arrays in the same hardware. In this way, we can decrease the hardware and time requirements. The effectiveness of our study is demonstrated by the reduced AT complexity as compared to related works. Due to its low-complexity, the proposed array can be particularly useful for implementing applications in resource constrained environments. The regularity, simplicity, modularity, and concurrency of our proposed architecture allow for easy extension and thus are well suitable for VLSI implementation.