Abstract
At Crypto 2009, Bernstein (LNCS, vol 5677. Springer, Berlin, pp 317–336, 2009) proposed two optimized Karatsuba formulas for binary polynomial multiplication. Bernstein obtained these optimizations by re-expressing the reconstruction of one or two recursions of the Karatsuba formula. In this paper we present a generalization of these optimizations. Specifically, we optimize the reconstruction of \(s\) recursions of the Karatsuba formula for \(s \ge 1\). To reach this goal, we express the recursive reconstruction through a tree and reorganize this tree to derive an optimized recursive reconstruction of depth \(s\). When we apply this approach to a recursion of depth \(s=\log _2(n)-2\) we obtain a parallel multiplier with a space complexity of \(3.75 n^{\log _2(3)}+O(n)\) XOR gates and \(1.78 n^{\log _2(3)}\) AND gates and with a delay of \((2\log _2(n)-1) D_\oplus +D_\otimes \) where \(D_\oplus \) represents the delay of an XOR gate and \(D_\otimes \) the delay of an AND gate.
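As an added illustration (this is not code from the paper), the following Python program runs \(s\) levels of Karatsuba recursion on binary polynomials and counts the XOR and AND gates a combinational multiplier built from it would need. It uses the plain Karatsuba reconstruction, not the optimized reconstruction the paper derives, so its XOR count is higher than the \(3.75 n^{\log_2 3}+O(n)\) of the abstract; but stopping at 4-coefficient leaves, i.e. \(s=\log_2(n)-2\), reproduces the abstract's AND count, since \(3^s\) schoolbook leaves of size 4 cost \(16\cdot 3^s = (16/9)\, n^{\log_2 3} \approx 1.78\, n^{\log_2 3}\) AND gates. Assumptions: a polynomial of degree \(<n\) is a Python int whose bit \(k\) is the coefficient of \(X^k\), \(n\) is a power of two, and the function and variable names are ours.

```python
# Added example, not code from the paper: s-level Karatsuba multiplication in
# GF(2)[X] with XOR/AND gate counting. Assumptions: a polynomial of degree < n is
# a Python int whose bit k is the coefficient of X^k, n is a power of two, and the
# 3^s leaf products of size n/2^s are done by schoolbook multiplication.
from dataclasses import dataclass
import random


@dataclass
class GateCount:
    xor: int = 0
    and_: int = 0


def schoolbook(a: int, b: int, n: int, g: GateCount) -> int:
    """Schoolbook product of two polynomials of degree < n over GF(2)."""
    r = 0
    for i in range(n):
        for j in range(n):
            g.and_ += 1  # one AND gate per coefficient pair
            r ^= (((a >> i) & (b >> j)) & 1) << (i + j)
    # each of the 2n-1 result coefficients is a sum of AND outputs; summing
    # t terms costs t-1 XOR gates, so n*n - (2n-1) XOR gates in total
    g.xor += n * n - (2 * n - 1)
    return r


def karatsuba(a: int, b: int, n: int, s: int, g: GateCount) -> int:
    """Karatsuba with s recursion levels, splitting A = A0 + X^{n/2} A1."""
    if s == 0:
        return schoolbook(a, b, n, g)
    h = n // 2
    mask = (1 << h) - 1
    a0, a1 = a & mask, a >> h
    b0, b1 = b & mask, b >> h
    g.xor += 2 * h  # A0 + A1 and B0 + B1
    p0 = karatsuba(a0, b0, h, s - 1, g)
    p2 = karatsuba(a1, b1, h, s - 1, g)
    p1 = karatsuba(a0 ^ a1, b0 ^ b1, h, s - 1, g)
    # middle term M = P1 + P0 + P2, each product having 2h-1 coefficients
    m = p1 ^ p0 ^ p2
    g.xor += 2 * (2 * h - 1)
    # plain reconstruction P0 + X^h M + X^n P2: P0 overlaps X^h M on h-1
    # coefficients and X^h M overlaps X^n P2 on h-1 coefficients
    g.xor += 2 * (h - 1)
    return p0 ^ (m << h) ^ (p2 << n)


def multiply_and_count(a: int, b: int, n: int, s: int):
    """Return (A*B in GF(2)[X], GateCount) for degree-< n inputs and depth s."""
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    assert 0 <= s <= n.bit_length() - 1, "depth s cannot exceed log2(n)"
    assert 0 <= a < (1 << n) and 0 <= b < (1 << n)
    g = GateCount()
    return karatsuba(a, b, n, s, g), g


def gate_counts(n: int, s: int):
    """(XOR, AND) gate counts; they depend only on n and s, not on the inputs."""
    _, g = multiply_and_count(0, 0, n, s)
    return g.xor, g.and_


def reference_mul(a: int, b: int) -> int:
    """Independent carry-less product used to check the Karatsuba result."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def karatsuba_matches_reference(n: int, s: int, trials: int = 50) -> bool:
    """Constructed test inputs: pseudo-random degree-< n polynomials (fixed seed)."""
    rng = random.Random(2014)
    for _ in range(trials):
        a, b = rng.getrandbits(n), rng.getrandbits(n)
        if multiply_and_count(a, b, n, s)[0] != reference_mul(a, b):
            return False
    return True


if __name__ == "__main__":
    n = 32
    for s in range(0, n.bit_length()):
        xor, and_ = gate_counts(n, s)
        ok = karatsuba_matches_reference(n, s)
        print(f"n={n} s={s}: {xor} XOR, {and_} AND, correct={ok}")
```

The XOR count follows the recurrence \(S(n)=3S(n/2)+4n-4\) above the leaves (\(n\) XORs for the two sums, \(2(n-1)\) for the middle term, \(n-2\) for the overlaps), which with 4-coefficient schoolbook leaves gives \(S(4)=9\), \(S(8)=55\), \(S(16)=225\), \(S(32)=799\), i.e. about \(4.33\,n^{\log_2 3}-8n+2\); the gap to the paper's \(3.75\,n^{\log_2 3}\) is what the optimized reconstruction of the recursion tree saves. Running the program for \(n=32\) and \(s=3\) gives 432 AND gates, which is exactly \((16/9)\cdot 243\).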
References
Berlekamp, E.R.: Bit-serial Reed–Solomon encoder. In: IEEE Transactions on Information Theory, IT-28 (1982)
Bernstein, D.J.: Batch binary Edwards. In: Proceedings of Advances in Cryptology - CRYPTO 2009. LNCS, vol. 5677, pp. 317–336. Springer, Berlin (2009)
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil Pairing. J. Cryptol. 17(4), 297–319 (2004)
Cenk, M., Hasan, M.A., Negre, C.: Efficient subquadratic space complexity binary polynomial multipliers based on block recombination. IEEE Trans. Comput. (2014, to appear)
Fan, H., Hasan, M.A.: A new approach to sub-quadratic space complexity parallel multipliers for extended binary fields. IEEE Trans. Comput. 56(2), 224–233 (2007)
Fan, H., Sun, J., Gu, M., Lam, K.-Y.: Overlap-free Karatsuba–Ofman polynomial multiplication algorithm. IET Inf. Secur. 4, 8–14 (March 2010)
Hasan, M.A., Méloni, N., Namin, A.H., Negre, C.: Block recombination approach for subquadratic space complexity binary field multiplication based on Toeplitz matrix-vector product. IEEE Trans. Comput. (2014, to appear)
Karatsuba, A., Ofman, Y.: Multiplication of multidigit numbers on automata. Sov. Phys. Dokl. (Engl. Transl.) 7(7), 595–596 (1963)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
Leone, M.: A new low complexity parallel multiplier for a class of finite fields. In: Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems (CHES ’01), pp. 160–170, Springer, London (2001)
Mastrovito, E.D.: VLSI Architectures for Computation in Galois Fields. PhD thesis, Linkoping University, Department of Electrical Engineering, Linkoping, Sweden (1991)
Miller, V.: Use of elliptic curves in cryptography. In: Advances in Cryptology, Proceedings of CRYPTO’85. LNCS, vol. 218, pp. 417–426. Springer, Berlin (1986)
Paar, C.: A new architecture for a parallel finite field multiplier with low complexity based on composite fields. IEEE Trans. Comput. 45(7), 856–861 (1996)
Acknowledgments
This work was supported by PAVOIS ANR 12 BS02 002 02.
Appendices
Appendix A: Proof of Lemma 3
We prove the three cases \((i),(ii),(iii)\) of Lemma 3 as follows:
- Proof of statement (i). The existence of \(i \in [0,2^s[\) such that \(j=\sigma (i)\) is given by Lemma 2. The key idea for obtaining the label above \(C_j^{(s)}\) in the modified tree is to notice that this label is the initial label, i.e., \((1+X^{n/2^s})\) or \(X^{n/2^s}(1+X^{n/2^s})\), multiplied by the factors \(X^{n/2^h}\) that appear on the path joining the root node \(C^{(0)}_0\) and \(C^{(s)}_{j}\). Let \(i=(i_{s-1},i_{s-2},\ldots ,i_1,i_0)_2\) be the binary representation of \(i\). Then we have \(j=\sigma (i)=(2i_{s-1},2i_{s-2},\ldots ,2i_1,2i_0)_3.\) The factors \(X^{n/2^h}\) appearing in the new label above \(C_j^{(s)}\) are the labels of the right links on the path joining \(C_j^{(s)}\) and the root. But from Lemma 1, we know that the right links correspond to the coefficients \(i_k=1\) for \(k=s-1,\ldots ,1,0\). This leads to the following expression of the new label
  $$\begin{aligned}
  &(X^{n/2})^{i_{s-1}}(X^{n/4})^{i_{s-2}}\cdots (X^{n/2^{s-1}})^{i_{1}}(X^{n/2^s})^{i_{0}} (1+X^{n/2^s})\\
  &\quad = (X^{n/2^s})^{i_{s-1}2^{s-1}}(X^{n/2^s})^{i_{s-2}2^{s-2}}\cdots (X^{n/2^{s}})^{i_{1}2}(X^{n/2^s})^{i_{0}2^0} (1+X^{n/2^s})\\
  &\quad = \left( X^{n/2^s}\right) ^{\sum _{\ell =0}^{s-1}i_\ell 2^\ell }(1+X^{n/2^s})\\
  &\quad = X^{in/2^s}(1+X^{n/2^s}).
  \end{aligned}$$
- Proof of statement (ii). The proof is similar to the proof of \((i)\). Indeed, the parent of the considered node \(C^{(h)}_{3j+1}\) is the \(L/R\) node \(C^{(h-1)}_{j}\). By Lemma 2 we know that there exists \(i \in [0,2^{h-1}-1]\) such that \(j=\sigma (i)\). Let \(i=(i_{h-2},i_{h-3},\ldots ,i_1,i_0)_2\) be the binary representation of \(i\). The same argument as in \((i)\) applies: the factors \(X^{n/2^k}\) in the new label of \(C^{(h)}_{3j+1}\) correspond to the coefficients \(i_k=1\) for \(k=h-2,\ldots ,1,0\). We obtain the following new label above \(C^{(h)}_{3j+1}\)
  $$\begin{aligned}
  &(X^{n/2})^{i_{h-2}}(X^{n/4})^{i_{h-3}}\cdots (X^{n/2^{h-2}})^{i_{1}} (X^{n/2^{h-1}})^{i_{0}} X^{n/2^{h}}\\
  &\quad =(X^{n/2^{h-1}})^{2^{h-2}i_{h-2}}(X^{n/2^{h-1}})^{2^{h-3}i_{h-3}}\cdots (X^{n/2^{h-1}})^{2i_{1}} (X^{n/2^{h-1}})^{i_{0}} X^{n/2^{h}}\\
  &\quad = \left( X^{n/2^{h-1}}\right) ^{\sum _{\ell =0}^{h-2}i_\ell 2^\ell }X^{n/2^{h}}\\
  &\quad = X^{in/2^{h-1}}X^{n/2^{h}}.
  \end{aligned}$$
- Proof of statement (iii). The considered node \(C_j^{(h)}\) is an \(L/R\) node but not a leaf. The initial factor \(X^{n/2^h}\) which could appear above \(C_j^{(h)}\) was moved down during the modification of the tree. Only the factor \((1+X^{n/2^h})\) remains in the label above \(C_j^{(h)}\).
Appendix B: Proof of Lemma 5
We proceed to the proof of (12) by induction. Specifically, we denote
the term which appears in (11) and we denote
the expression on the right-hand side of (12). Proving that the two expressions of \(\mathcal {S}(s,n)\) in (12) and (11) are equal is equivalent to proving that
We prove this latter equality by induction on \(s\). For \(s=1\) it can be checked directly using the material of Sect. 2. We assume that (12) and (16) hold up to \(s-1\) and show that they also hold for \(s\). We begin by rewriting the sum on the left-hand side of (16) as follows
This latter identity is obtained by setting \(s'=s-1\) and \(n'=n/2\). We apply the induction hypothesis (16) to the sum \(\sum _{i'=1}^{s'-1} 2^{s'-i'-1} \mathcal {S}(i',n'/2^{s'-i'})\) and we use (12) to rewrite \(\mathcal {S}(s',n')=\rho (s',n')\)
Now we rearrange the terms \( 3 \rho (s-1,n/2)\) and \(2\gamma (s-1,n/2)\) separately. We replace \(\rho (s-1,n/2)\) by the corresponding expression in terms of \(n\) and \(s\) given in (15):
We deal with the term \(2\gamma (s-1,n/2)\) in the same way:
Finally, we substitute the new expressions of \(3 \rho (s-1,n/2)\) and \(2\gamma (s-1,n/2)\) into (17). After some simplifications we obtain \(\sum _{i=1}^{s-1} 2^{i-1} S(s-i,n/2^i) = \rho (s,n) -\gamma (s,n)\), which ends the proof.
Cite this article
Negre, C. Efficient binary polynomial multiplication based on optimized Karatsuba reconstruction. J Cryptogr Eng 4, 91–106 (2014). https://doi.org/10.1007/s13389-013-0066-2