
Efficient binary polynomial multiplication based on optimized Karatsuba reconstruction

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

At Crypto 2009, Bernstein (LNCS, vol 5677. Springer, Berlin, pp 317–336, 2009) proposed two optimized Karatsuba formulas for binary polynomial multiplication. Bernstein obtained these optimizations by re-expressing the reconstruction of one or two recursions of the Karatsuba formula. In this paper we present a generalization of these optimizations. Specifically, we optimize the reconstruction of \(s\) recursions of the Karatsuba formula for \(s \ge 1\). To reach this goal, we express the recursive reconstruction through a tree and reorganize this tree to derive an optimized recursive reconstruction of depth \(s\). When we apply this approach to a recursion of depth \(s=\log _2(n)-2\) we obtain a parallel multiplier with a space complexity of \(3.75 n^{\log _2(3)}+O(n)\) XOR gates and \(1.78 n^{\log _2(3)}\) AND gates and with a delay of \((2\log _2(n)-1) D_\oplus +D_\otimes \) where \(D_\oplus \) represents the delay of an XOR gate and \(D_\otimes \) the delay of an AND gate.
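The Karatsuba formula the abstract refers to, as an added example (Python written for this page, not code from the paper): a recursive binary polynomial multiplier with a chosen recursion depth \(s\) and schoolbook products at the leaves, instrumented to count XOR and AND gates and checked against a schoolbook carry-less product. It implements only the classical, unoptimized reconstruction \(P_0 + X^{n/2}(P_0+P_1+P_2) + X^{n}P_2\); the paper's optimized reconstruction is not implemented here. The function names, the gate-counting convention and the random inputs are this example's own assumptions. With full recursion the tally reproduces the classical \(6n^{\log _2(3)}-8n+2\) XOR and \(n^{\log _2(3)}\) AND gates; with \(s=\log _2(n)-2\), i.e. 4-bit schoolbook leaves, the AND count is \(16\cdot 3^{\log _2(n)-2}=\frac{16}{9}n^{\log _2(3)}\), which is the \(1.78 n^{\log _2(3)}\) of the abstract, so the paper's savings are in the XOR count of the reconstruction.

```python
# Added example, not code from the paper: plain recursive Karatsuba over
# GF(2)[X] with gate counting. The paper's optimized reconstruction is not
# implemented here; this is the baseline formula it improves upon.
import random
from dataclasses import dataclass


@dataclass
class GateCount:
    """Running tally of the two-input gates a straight-line circuit would need."""
    xor: int = 0
    and_: int = 0


def schoolbook_mul(a, b, cnt):
    """Carry-less product of two n-bit polynomials (lists of bits, LSB first).

    A quadratic circuit needs n^2 ANDs and n^2 - (2n - 1) = (n - 1)^2 XORs.
    """
    n = len(a)
    assert len(b) == n
    out = [0] * (2 * n - 1)
    for i in range(n):
        for j in range(n):
            out[i + j] ^= a[i] & b[j]
    cnt.and_ += n * n
    cnt.xor += (n - 1) ** 2
    return out


def xor_vec(u, v, cnt):
    """Coefficient-wise sum in GF(2): one XOR gate per coefficient."""
    cnt.xor += len(u)
    return [x ^ y for x, y in zip(u, v)]


def karatsuba_mul(a, b, depth, cnt):
    """Karatsuba with `depth` recursion levels and schoolbook at the leaves.

    A = A0 + X^h A1, B = B0 + X^h B1 with h = n/2, then
    A*B = P0 + X^h (P0 + P1 + P2) + X^n P2 where
    P0 = A0*B0, P2 = A1*B1, P1 = (A0+A1)*(B0+B1).
    Requires 2**depth to divide n.
    """
    n = len(a)
    if depth == 0 or n == 1:
        return schoolbook_mul(a, b, cnt)
    assert n % 2 == 0, "recursion depth exceeds log2(n)"
    h = n // 2
    a0, a1, b0, b1 = a[:h], a[h:], b[:h], b[h:]
    p0 = karatsuba_mul(a0, b0, depth - 1, cnt)
    p2 = karatsuba_mul(a1, b1, depth - 1, cnt)
    p1 = karatsuba_mul(xor_vec(a0, a1, cnt), xor_vec(b0, b1, cnt), depth - 1, cnt)
    # Reconstruction: forming the middle term costs 2(n-1) XORs, merging it
    # costs n-2 XORs, because P0 and X^n P2 leave coefficient n-1 free.
    mid = xor_vec(xor_vec(p1, p0, cnt), p2, cnt)
    out = [0] * (2 * n - 1)
    out[: n - 1] = p0
    out[n:] = p2
    for k, c in enumerate(mid):
        pos = h + k
        if pos == n - 1:
            out[pos] = c          # plain wire into the gap, no gate
        else:
            out[pos] ^= c
            cnt.xor += 1
    return out


def full_karatsuba_gate_count(n):
    """Classical closed form for recursion down to 1-bit leaves, n a power of two:
    XOR = 6 n^{log2 3} - 8n + 2 and AND = n^{log2 3}
    (solution of X(n) = 3 X(n/2) + 4n - 4 with X(1) = 0)."""
    k = n.bit_length() - 1
    assert n == 1 << k, "n must be a power of two"
    m = 3 ** k                    # n^{log2 3}, computed exactly
    return GateCount(xor=6 * m - 8 * n + 2, and_=m)


def multiply_and_count(n, depth, seed=1):
    """Multiply two constructed random n-bit polynomials with depth-`depth`
    Karatsuba, check against schoolbook, and return (ok, GateCount)."""
    rng = random.Random(seed)
    a = [rng.randint(0, 1) for _ in range(n)]
    b = [rng.randint(0, 1) for _ in range(n)]
    cnt = GateCount()
    prod = karatsuba_mul(a, b, depth, cnt)
    ref = schoolbook_mul(a, b, GateCount())
    return prod == ref, cnt


if __name__ == "__main__":
    for n in (8, 32, 128):
        ok, cnt = multiply_and_count(n, n.bit_length() - 1)
        print(n, ok, cnt, full_karatsuba_gate_count(n))
```

`multiply_and_count(n, depth)` returns whether the Karatsuba product matched the schoolbook reference together with the gate tally; lowering `depth` trades the \(n^{\log _2(3)}\) AND count for larger schoolbook leaves, which is exactly the cut-off \(s=\log _2(n)-2\) the abstract uses.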




References

  1. Berlekamp, E.R.: Bit-serial Reed–Solomon encoder. IEEE Trans. Inf. Theory IT-28 (1982)

  2. Bernstein, D.J.: Batch binary Edwards. In: Advances in Cryptology – CRYPTO 2009. LNCS, vol. 5677, pp. 317–336. Springer, Berlin (2009)

  3. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

  4. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)

  5. Cenk, M., Hasan, M.A., Negre, C.: Efficient subquadratic space complexity binary polynomial multipliers based on block recombination. IEEE Trans. Comput. (2014, to appear)

  6. Fan, H., Hasan, M.A.: A new approach to sub-quadratic space complexity parallel multipliers for extended binary fields. IEEE Trans. Comput. 56(2), 224–233 (2007)

  7. Fan, H., Sun, J., Gu, M., Lam, K.-Y.: Overlap-free Karatsuba–Ofman polynomial multiplication algorithm. IET Inf. Secur. 4, 8–14 (2010)

  8. Hasan, M.A., Méloni, N., Namin, A.H., Negre, C.: Block recombination approach for subquadratic space complexity binary field multiplication based on Toeplitz matrix-vector product. IEEE Trans. Comput. (2014, to appear)

  9. Karatsuba, A., Ofman, Y.: Multiplication of multidigit numbers on automata. Sov. Phys. Dokl. (Engl. Transl.) 7(7), 595–596 (1963)

  10. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)

  11. Leone, M.: A new low complexity parallel multiplier for a class of finite fields. In: Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2001), pp. 160–170. Springer, London (2001)

  12. Mastrovito, E.D.: VLSI Architectures for Computation in Galois Fields. PhD thesis, Linköping University, Department of Electrical Engineering, Linköping, Sweden (1991)

  13. Miller, V.: Use of elliptic curves in cryptography. In: Advances in Cryptology – CRYPTO ’85. LNCS, vol. 218, pp. 417–426. Springer, Berlin (1986)

  14. Paar, C.: A new architecture for a parallel finite field multiplier with low complexity based on composite fields. IEEE Trans. Comput. 45(7), 856–861 (1996)


Acknowledgments

This work was supported by PAVOIS ANR 12 BS02 002 02.

Corresponding author

Correspondence to Christophe Negre.

Appendices

Appendix A: Proof of Lemma 3

We prove the three cases \((i),(ii),(iii)\) of Lemma 3 as follows:

  • Proof of statement (i). The existence of \(i \in [0,2^s[\) such that \(j=\sigma (i)\) is given by Lemma 2. The key idea to obtain the label above \(C_j^{(s)}\) in the modified tree is to notice that this label is the product of the initial label, i.e., \((1+X^{n/2^s})\) or \(X^{n/2^s}(1+X^{n/2^s})\), multiplied by the factors \(X^{n/2^h}\) which appear on the path joining the root node \(C^{(0)}_0\) and \(C^{(s)}_{j}\). Let \(i=(i_{s-1},i_{s-2},\ldots ,i_1,i_0)_2\) be the binary representation of \(i\). Then we have \(j=\sigma (i)=(2i_{s-1},2i_{s-2},\ldots ,2i_1,2i_0)_3.\) The factors \(X^{n/2^h}\) appearing in the new label above \(C_j^{(s)}\) are the labels of the right links on the path joining \(C_j^{(s)}\) and the root. But from Lemma 1, we know that the right links correspond to the coefficients \(i_k=1\) for \(k=s-1,\ldots ,1,0\), the link at level \(s-k\) contributing the factor \(X^{n/2^{s-k}}\). This leads to the following expression of the new label

    $$\begin{aligned}&\!\!\!\!(X^{n/2})^{i_{s-1}}(X^{n/4})^{i_{s-2}}\cdots (X^{n/2^{s-1}})^{i_{1}}(X^{n/2^s})^{i_{0}} (1+X^{n/2^s})\\&\!\!\!\!\quad = (X^{n/2^s})^{i_{s-1}2^{s-1}}(X^{n/2^s})^{i_{s-1}2^{s-2}}\cdots \\&\!\!\!\! \quad \quad \cdots (X^{n/2^{s}})^{i_{1}2}(X^{n/2^s})^{i_{0}2^0} (1+X^{n/2^s})\\&\!\!\!\!\quad = \left( X^{n/2^s}\right) ^{\sum _{\ell =0}^{s-1}i_\ell 2^\ell }(1+X^{n/2^s})\\&\!\!\!\!\quad = X^{in/2^s}(1+X^{n/2^s}). \end{aligned}$$
  • Proof of statement (ii). The proof is similar to the proof of \((i)\). Indeed, the parent of the considered node \(C^{(h)}_{3j+1}\) is the \(L/R\) node \(C^{(h-1)}_{j}\). By Lemma 2 we know that there exists \(i \in [0,2^{h-1}-1]\) such that \(j=\sigma (i)\). Let \(i=(i_{h-2},i_{h-3},\ldots ,i_1,i_0)_2\) be the binary representation of \(i\). The same argument as in \((i)\) applies: the factors \(X^{n/2^{h-1-k}}\) coming from the path above \(C^{(h-1)}_{j}\) correspond to the coefficients \(i_k=1\) for \(k=h-2,\ldots ,1,0\), and they multiply the factor \(X^{n/2^{h}}\) above \(C^{(h)}_{3j+1}\) itself. We obtain the following new label above \(C^{(h)}_{3j+1}\)

    $$\begin{aligned}&\!\!\!\!(X^{n/2})^{i_{h-2}}(X^{n/4})^{i_{h-3}}\cdots (X^{n/2^{h-2}})^{i_{1}} (X^{n/2^{h-1}})^{i_{0}} X^{n/2^{h}}\\&\!\!\!\!\quad =(X^{n/2^{h-1}})^{2^{h-2}i_{h-2}}(X^{n/2^{h-1}})^{2^{h-3}i_{h-3}}\cdots \\&\!\!\!\!\quad \quad \cdots (X^{n/2^{h-1}})^{2i_{1}} (X^{n/2^{h-1}})^{i_{0}} X^{n/2^{h}}\\&\!\!\!\!\quad = \left( X^{n/2^{h-1}}\right) ^{\sum _{\ell =0}^{h-2}i_\ell 2^\ell }X^{n/2^{h}}\\&\!\!\!\!\quad = X^{in/2^{h-1}}X^{n/2^{h}}. \end{aligned}$$
  • Proof of statement (iii). The considered node \(C_j^{(h)}\) is an \(L/R\) node but not a leaf. The initial factor \(X^{n/2^h}\) which could appear above \(C_j^{(h)}\) was moved down during the modification of the tree. Only the factor \((1+X^{n/2^h})\) remains in the label above \(C_j^{(h)}\).

Appendix B: Proof of Lemma 5

We proceed to the proof of  (12) by induction. Specifically, we denote

$$\begin{aligned} \gamma (s,n)= n+s(2n-1)-\frac{n}{2^s}-2^{s+1}+2 \end{aligned}$$

the term which appears in (11) and we denote

$$\begin{aligned} \rho (s,n)=\frac{27n}{4} \left( \frac{3}{2}\right) ^{s-1} -\frac{15}{4} 3^{s-1} - 4n-\frac{n}{2^{s+1}}+\frac{5}{4}-\frac{s}{2} \end{aligned}$$
(15)

the expression on the right side of (12). Proving that the two expressions of \(\mathcal {S}(s,n)\) in (12) and (11) are equal is equivalent to proving that

$$\begin{aligned} \sum _{i=1}^{s-1} 2^{i-1} \mathcal {S}(s-i,n/2^i) = \rho (s,n) -\gamma (s,n). \end{aligned}$$
(16)

We prove that this latter equality is true by induction on \(s\). For \(s=1\) the sum on the left side is empty and the equality \(\rho (1,n)=\gamma (1,n)\) can be checked directly using the material of Sect. 2. We assume that (12) and (16) are true up to \(s-1\) and we show that they are also true for \(s\). We begin by rewriting the sum on the left side of (16) as follows

$$\begin{aligned}&\sum _{i=1}^{s-1} 2^{i-1} \mathcal {S}(s-i,n/2^i)\\&\quad = \left( \sum _{i'=1}^{s-2} 2^{s-i'-1} \mathcal {S}(i',n/2^{s-i'}) \right) + \mathcal {S}(s-1,n/2) \\&\quad = 2\left( \sum _{i'=1}^{s'-1} 2^{s'-i'-1} \mathcal {S}(i',n'/2^{s'-i'}) \right) + \mathcal {S}(s',n'). \end{aligned}$$

This latter identity is obtained by setting \(s'=s-1\) and \(n'=n/2\). We apply the induction hypothesis (16) to the sum \(\sum _{i'=1}^{s'-1} 2^{s'-i'-1} \mathcal {S}(i',n'/2^{s'-i'})\) and we use (12) to rewrite \(\mathcal {S}(s',n')=\rho (s',n')\)

$$\begin{aligned}&\sum _{i=1}^{s-1} 2^{i-1} \mathcal {S}({s-i},n/2^i)\nonumber \\&\quad = 2\left( \rho (s',n') -\gamma (s',n') \right) + \rho (s',n')\nonumber \\&\quad = 3 \rho (s-1,n/2) - 2\gamma (s-1,n/2). \end{aligned}$$
(17)

Now, we separately rearrange the terms \( 3 \rho (s-1,n/2)\) and \(2\gamma (s-1,n/2)\). We replace \(\rho (s-1,n/2)\) by the corresponding expression in terms of \(n\) and \(s\) given in (15):

$$\begin{aligned}&\!\!\!3 \rho (s-1,n/2)\\&\quad = 3\left( \frac{27n}{8} \left( \frac{3}{2}\right) ^{s-2} -\frac{15}{4} 3^{s-2} - 4n/2-\frac{n}{2^{s+1}} \right. \\&\quad \quad \left. +\frac{5}{4}-\frac{s-1}{2}\right) \\&\quad = \frac{27n}{4} \left( \frac{3}{2}\right) ^{s-1} -\frac{15}{4} 3^{s-1} - 6n-\frac{3n}{2^{s+1}} \\&\quad \quad +\frac{15}{4}-\frac{3(s-1)}{2}\\&\quad = \left( \frac{27n}{4} \left( \frac{3}{2}\right) ^{s-1} -\frac{15}{4} 3^{s-1} - 4n-\frac{n}{2^{s+1}} +\frac{5}{4}-\frac{s}{2} \right) \\&\quad \quad -2n -\frac{2n}{2^{s+1}} +\frac{10}{4}+\frac{s}{2}-\frac{3(s-1)}{2}\\&\quad = \rho (s,n) - 2n -\frac{n}{2^{s}} +\frac{10}{4} - \frac{2s}{2} +\frac{3}{2}.\\ \end{aligned}$$

We deal with the term \(2\gamma (s-1,n/2)\) in the same way

$$\begin{aligned}&2\gamma (s-1,n/2)\\&\quad = 2\left( \frac{n}{2}+(s-1)(2\frac{n}{2}-1)-\frac{n}{2^{s}}-2^{s}+2\right) \\&\quad = (n+(s-1)(2n-2)-\frac{n}{2^{s-1}}-2^{s+1}+4)\\&\quad = (n +s(2n-1) -\frac{n}{2^{s}}-2^{s+1} +2 ) -(2n-1)\\&\quad \quad -(s-1) -\frac{n}{2^{s}} +2\\&\quad = \gamma (s,n)-2n-s -\frac{n}{2^{s}} +4. \end{aligned}$$

Finally, we replace in (17) the new expressions of \(3 \rho (s-1,n/2)\) and \(2\gamma (s-1,n/2)\). Since \(\frac{10}{4}+\frac{3}{2}=4\), the correction terms cancel exactly:

$$\begin{aligned} \sum _{i=1}^{s-1} 2^{i-1} \mathcal {S}(s-i,n/2^i)&= \left( \rho (s,n) - 2n -\frac{n}{2^{s}} + 4 - s\right) - \left( \gamma (s,n)-2n-s -\frac{n}{2^{s}} +4\right) \\&= \rho (s,n) -\gamma (s,n), \end{aligned}$$

which is (16) for \(s\), and this ends the proof.
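The identity (16) just proved, checked numerically as an added example (Python written for this page, not part of the paper): with \(\mathcal {S}\) replaced by \(\rho\) from (15), the left side of (16) is computed as the recursive sum and compared, in exact rational arithmetic, with \(\rho (s,n)-\gamma (s,n)\) for \(n\) a power of two. The names `gamma`, `rho`, `recursive_sum` and the grid of \((s,n)\) values are this example's own choices; the recurrence \(\mathcal {S}(s,n)=\gamma (s,n)+\sum _{i=1}^{s-1}2^{i-1}\mathcal {S}(s-i,n/2^i)\) is the form of (11) implied by (16), as assumed here.

```python
# Added example, not from the paper: exact check of identity (16) of Appendix B,
# i.e. that rho(s, n) from (15) satisfies the recurrence implied by (11) and (16),
#   S(s, n) = gamma(s, n) + sum_{i=1}^{s-1} 2^{i-1} S(s-i, n/2^i),
# once S is replaced by rho. Rationals are used so no rounding can hide a mismatch.
from fractions import Fraction as Fr


def gamma(s, n):
    """gamma(s, n) = n + s(2n-1) - n/2^s - 2^{s+1} + 2, the term of (11)."""
    n = Fr(n)
    return n + s * (2 * n - 1) - n / 2**s - 2**(s + 1) + 2


def rho(s, n):
    """rho(s, n), the right-hand side of (12), as written in (15)."""
    n = Fr(n)
    return (Fr(27) * n / 4 * Fr(3, 2)**(s - 1)
            - Fr(15, 4) * 3**(s - 1)
            - 4 * n - n / 2**(s + 1) + Fr(5, 4) - Fr(s, 2))


def recursive_sum(s, n):
    """Left-hand side of (16) with S(s-i, n/2^i) replaced by rho(s-i, n/2^i);
    empty (zero) for s = 1."""
    return sum((2**(i - 1) * rho(s - i, Fr(n) / 2**i) for i in range(1, s)), Fr(0))


def identity_holds(s, n):
    """True iff sum_{i=1}^{s-1} 2^{i-1} rho(s-i, n/2^i) == rho(s, n) - gamma(s, n)."""
    return recursive_sum(s, n) == rho(s, n) - gamma(s, n)


def check_range(max_s=8, extra_k=3):
    """Check (16) for all 1 <= s <= max_s and n = 2^k with s <= k <= s + extra_k,
    so that every n/2^i occurring in the sum is an integer."""
    return all(identity_holds(s, 2**k)
               for s in range(1, max_s + 1)
               for k in range(s, s + extra_k + 1))


if __name__ == "__main__":
    # Base case s = 1: rho(1, n) and gamma(1, n) both equal 5n/2 - 3.
    print("s=1, n=8:", rho(1, 8), gamma(1, 8))
    print("identity (16) holds on the grid:", check_range())
```

The base case \(s=1\) reduces to \(\rho (1,n)=\gamma (1,n)=\frac{5n}{2}-3\), and the grid check exercises the induction step for several \(s\) at once; a sign or index slip anywhere in \(\gamma\) or \(\rho\) shows up as a non-zero rational difference.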


About this article

Cite this article

Negre, C. Efficient binary polynomial multiplication based on optimized Karatsuba reconstruction. J Cryptogr Eng 4, 91–106 (2014). https://doi.org/10.1007/s13389-013-0066-2
