Division and Inversion Over Finite Fields

Since 1976, when the principles of public key cryptography were introduced by Whitfield Diffie and Martin Hellman (Diffie & Hellman 1976), RSA has been the most well-known public key cryptographic system. The Rivest, Shamir and Adleman (RSA) algorithm composes a public key long enough to be recognized as secure. The security of RSA is based on the difficulty of factoring large numbers into their prime components. For many years, RSA was the leading method for industrial encryption. The RSA cryptographic algorithm includes addition, squaring and multiplication operations. Addition and squaring are two simple operations over finite fields; hence, the most important arithmetic operation for RSA based cryptographic systems is multiplication.


Introduction
Arithmetic operations such as addition, multiplication, division and inversion are widely used in data communication systems, coding and cryptography, particularly public key cryptography.
Since 1976, when the principles of public key cryptography were introduced by Whitfield Diffie and Martin Hellman (Diffie & Hellman 1976), RSA has been the most well-known public key cryptographic system. The Rivest, Shamir and Adleman (RSA) algorithm composes a public key long enough to be recognized as secure. The security of RSA is based on the difficulty of factoring large numbers into their prime components. For many years, RSA was the leading method for industrial encryption. The RSA cryptographic algorithm includes addition, squaring and multiplication operations. Addition and squaring are two simple operations over finite fields; hence, the most important arithmetic operation for RSA based cryptographic systems is multiplication.
With advances in computational power, RSA is becoming more and more vulnerable. In 1985, Victor S. Miller (Miller 1985) and Neal Koblitz (Koblitz 1987) independently proposed Elliptic Curve Cryptography (ECC). ECC offers higher security compared with RSA.
The security of ECC relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). So far no efficient method has been offered to solve the ECDLP, and its complexity is higher than that of factoring large numbers into their prime components (on which the security of RSA relies). Hence, ECC can offer higher security with a smaller key size, and designers can use it to save storage space and power consumed in the circuit and to increase bandwidth.
The Elliptic Curve Cryptographic algorithm includes addition, squaring, multiplication and division (or inversion). Much research has been done on multiplication. However, research on division and inversion is becoming more relevant to cryptographic systems. In terms of implementation area, complexity and execution time, division (or inversion) is the most costly operation in public key cryptography. For many years, hardware implementation of division or inversion was an ambitious goal. However, recent advances in ASIC circuit technology and the availability of high capacity FPGAs let circuit designers achieve this goal.
In this chapter we study two main classes of proposed algorithms for division (and inversion). The first class of dividers is based on Fermat's little theorem. This class of dividers is also called multiplicative based dividers. In the next section we introduce the principles of these algorithms and the proposed methods to improve their efficiency.

Cryptography and Security in Computing 118
Section 3 is about the other class of dividers, called Euclidean based dividers. We review the principles and all proposed algorithms based on the Euclidean algorithm.

Dividers based on Fermat's little theorem
The simplest and earliest dividers were based on Fermat's little theorem. These kinds of dividers are also known as multiplicative based dividers, because in these algorithms division is performed by a sequence of multiplication (and squaring) operations. Squaring in finite fields is a simple operation, usually performed in a single clock cycle. However, multiplication is a more complicated operation and is more costly in terms of time and implementation area.
Based on Fermat's little theorem, if is a prime number, then for any integer we can write: ≡ Dividing both sides by , we get . Hence we can conclude that the inverse of any integer over is .

× ≡ ≡
Extending this technique to , we can write . Hence = , in which ∈ .
To compute , the most basic method is the "square and multiply" algorithm. In the square and multiply algorithm, instead of − multiplications, we calculate with at most − squarings and − multiplications.
Alg.1: Square and Multiply Algorithm
To better understand the square and multiply algorithm, we review the following equations. As we know, we can decompose in the following form.
Hence, we can use the above equations to decompose to: The square and multiply algorithm uses the same principle to calculate .
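As an added example (not code from the chapter), the Fermat-based inversion above carried out over a prime field GF(p) with the left-to-right square and multiply of Alg.1, counting the squarings and multiplications it spends; the prime and the test values are constructed.

```python
# Added example: a^-1 = a^(p-2) mod p by square and multiply, with operation counts.

def square_and_multiply(a, e, p):
    """a^e mod p for e >= 1, scanning e from its most significant bit (Alg.1).
    Returns (result, squarings, multiplications)."""
    bits = bin(e)[2:]
    result, sqr, mul = a % p, 0, 0       # the leading 1 bit is handled by starting at a
    for bit in bits[1:]:
        result, sqr = (result * result) % p, sqr + 1
        if bit == "1":
            result, mul = (result * a) % p, mul + 1
    return result, sqr, mul

def fermat_inverse(a, p):
    """a^-1 in GF(p) as a^(p-2); needs p prime and a not a multiple of p.
    Squarings = floor(log2(p-2)), multiplications = Hamming weight of (p-2) minus 1."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse in GF(p)")
    return square_and_multiply(a, p - 2, p)

def fermat_divide(a, b, p):
    """a/b in GF(p): invert b using only squarings and multiplications, then one
    more multiplication. Returns (quotient, squarings, multiplications)."""
    inv, sqr, mul = fermat_inverse(b, p)
    return (a * inv) % p, sqr, mul + 1
```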

Itoh and Tsujii algorithm
Itoh and Tsujii (Itoh & Tsujii 1988) offered a more efficient algorithm over normal basis; however, it is also applicable over polynomial and other bases. Their algorithm was based on multiplication and can be applied for some values of . In their algorithm, they reduced the number of multiplications significantly. Many efforts have been made to improve the Itoh and Tsujii algorithm and make it more general for all values of (Guajardo & Paar 2002; Henríquez et al. 2007). Here we review the general form of this algorithm.
To describe the Itoh and Tsujii algorithm, we introduce a new term, called an addition chain.
Definition (addition chain): An addition chain for an integer value such as − is a series of integers with elements such that = and = − , and = + , where and are two integer values between and .
Let's define a function = , where ∈ . We know that = = . The other characteristics of this function are listed as follows: Hence, to compute , we should use the equations above and use addition chaining to achieve = .
Example 3: for = and the above addition chain, we can write the following calculations. It has been shown that the maximum number of multiplications in this method is and the required number of squaring operations is − . The size of the addition chain, , is estimated as − + − + , where − is the Hamming weight of − .
For more information and details, readers may refer to (Guajardo & Paar 2002; Henríquez et al. 2007).
The Itoh and Tsujii algorithm is presented in Alg.2.
After calculating the inverse, division simply becomes a multiplication operation.
The advantage of the inversion algorithm based on Fermat's little theorem is that it can be implemented using only multiplication and squaring operators. This eliminates the need to add any extra components, such as dividers. When ECC was proposed, dividers were not as advanced as they are now; hence, multiplicative based dividers were the best candidates for hardware implementation of ECC, particularly on FPGAs. It is also possible to use these dividers for reconfigurable cryptosystems, which are designed to perform both RSA and ECC algorithms. Since the sizes of these cryptosystems are becoming larger, dropping a big component such as a divider is a huge saving in implemented area for designers. The main drawback of cipher cores without dividers is the longer computation time.

Euclidean based dividers
Euclid's algorithm is an old algorithm to calculate the greatest common divisor (GCD) of two integers. The basic principle of Euclid's algorithm is that the greatest common divisor of and , , , is equal to the greatest common divisor of and ± ; in other words, , = , ± = ± , . We can apply the above principle more than once and rewrite this theorem as , = , × ± × = ́× ± ́× , .

Example
Example 5: To reduce the calculation time, we can offer Alg.3.
Alg.3: Euclidean algorithm to calculate the Greatest Common Divisor (GCD)
The above algorithm can be made more compact using a recursive approach. Alg.4 presents the recursive and more compact version of Alg.3.

Alg.4: Euclidean algorithm to calculate the Greatest Common Divisor (Recursive Approach)
We provide a useful theorem below which will be used in this section to make the Euclidean algorithm more general for our purpose.
In order to use Euclid's theorem for division or inversion, assume two values such as and . We have already seen how to compute = , . We know that there are two variables, and , which satisfy the following equation: If we can design an algorithm which accepts and and produces and , we can use that algorithm to find the inverse. Assume is a prime value and is an integer where < < − . We know = , = . Hence, applying the above algorithm, we can find and for which × + × = .
If we use that algorithm over the finite field , we can calculate the inverse of , which is (i.e. = ). The algorithm above gives us and such that they satisfy the equation × + × = . Over the finite field , × = . Then × + × = over can be simplified to × = . Thus is the inverse of over .
Let , = . We know there are two integer values, and , such that (one of which is smaller than zero): × + × = .
Based on Euclid's theorem, we can write , − = . Hence, the equation above can be rewritten as: By rearranging this equation, we can write: Then we can conclude: (1) Similarly, for − , = , we can write the same equations and conclude = − × = . (2) If we perform the Euclidean algorithm to calculate , at the final step (loop ), = , = = . The above relationship for this step will be
Example = ;
8. = ;
9. Return ( , , )
In order to get a better impression of the role of , , and in Alg.5 (and Alg.6), we recommend extending the last two equations of Example 6 (i.e. and ) and rewriting them with , and .
All the substitutions at steps 5.1 and 5.2 of Alg.5 should be executed at the same time.

We can simplify this algorithm for and (where < , and is a prime number) to calculate over (Alg.6).

Alg.6: Algorithm for Computing Inversion Over
Input: , ∈
Output:
All the operations in Alg.6 are performed over . All the substitutions at step 3.2 of Alg.6 should be done simultaneously.
In the algorithm above, we have to perform a division at each loop (step 3.1). To avoid division, we can assume that if then = 1, and if < then = , or swap the and values and the and values. Then we can compute , − instead of computing , = , − . This technique increases the number of iterations.
Modifying the above algorithms for polynomial basis, we have Alg.7. All operations in Alg.7 should be done over . In Alg.7, represents the irreducible polynomial of .
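An added example, not the chapter's own code, of the Euclidean inversion of Alg.6 over GF(p) in the two forms discussed above: with a division at each loop, and with the division-free variant that only subtracts the smaller remainder from the larger one. Both count their iterations to show the trade-off; the prime and the operands are constructed values.

```python
# Added example: extended Euclid over GF(p), with and without a divider.

def inverse_with_division(b, p):
    """b^-1 mod p with one integer division per loop (as in Alg.6).
    Invariant: r0 = x0*b and r1 = x1*b (mod p); the two substitutions of a loop
    are performed simultaneously, as step 3.2 requires. Returns (inverse, iterations)."""
    r0, r1, x0, x1, its = p, b % p, 0, 1, 0
    while r1 != 0:
        q = r0 // r1
        r0, r1, x0, x1, its = r1, r0 - q * r1, x1, x0 - q * x1, its + 1
    if r0 != 1:
        raise ValueError("b has no inverse modulo p")
    return x0 % p, its

def inverse_without_division(b, p):
    """Same invariant, but each loop only subtracts the smaller remainder from the
    larger one (swapping which side is reduced as needed), so no divider is
    needed; the price is more iterations. Returns (inverse, iterations)."""
    r0, r1, x0, x1, its = p, b % p, 0, 1, 0
    if r1 == 0:
        raise ValueError("b has no inverse modulo p")
    while r0 != r1:                      # ends when both remainders equal gcd(p, b)
        if r0 > r1:
            r0, x0 = r0 - r1, x0 - x1
        else:
            r1, x1 = r1 - r0, x1 - x0
        its += 1
    if r0 != 1:
        raise ValueError("b has no inverse modulo p")
    return x0 % p, its

def divide_mod_p(a, b, p):
    """a/b over GF(p): one inversion followed by a single multiplication."""
    return (a * inverse_with_division(b, p)[0]) % p
```

For p = 101 and b = 7 the division-based loop needs 3 iterations and the subtraction-only loop 18, which is the increase in iteration count the text warns about.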

Alg.7: Algorithm for Computing Inversion Over
Example 7: let's assume we want to calculate / over . The values decrease at each step. At the final step, and are zero and one, respectively. This algorithm will finish after at most − iterations, where < < .
Alg.9: Algorithm for Computing Division Over
Input: , ∈ , ∈
Output:
To extend this algorithm to be applicable over , the following changes should be applied: assume as the irreducible polynomial (it is known that is always 1) and substitute with . The degrees of the most significant nonzero bits of and distinguish which variable is larger (in step 2.2). Hence, the algorithm will be as in Alg.9.

Input: , ∈ , ∈
Output:
It takes − iterations to finish. Checking the degrees of and is a costly operation in hardware implementation. In (Brent & Kung 1983), Brent and Kung reduced this complexity by adopting a new idea. They used a new variable, , to represent the difference of the upper bounds of the degrees of and . In (Brent & Kung 1983) they use this method to calculate the greatest common divisor of two variables; however, the same method can be used to calculate division.
At the initialization step, should be equal to − . Then the above algorithm has to be changed as in Alg.10. The final improvement to the algorithm above is applied within the loop. Hardware implementation of a "while" statement is difficult, because the number of iterations is an unknown variable, making it inappropriate for cryptographic cores and particularly for systolic implementations. We know that this algorithm takes at most − iterations.
Hence, instead of a "while" loop, we implement a "for" loop. This modification can be done by a simple change in Alg.10: in step 2, instead of "While ≠ ≠ " we write "For = to − ".
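An added example, not the chapter's code, serving both the Itoh and Tsujii algorithm of Alg.2 and the fixed-iteration Euclidean divider of Alg.10. Both run over a constructed GF(2^8) with f(x) = x^8 + x^4 + x^3 + x + 1 in polynomial basis; the single degree-bound variable in `divide` is my reading of the Brent and Kung idea, not a transcription of the chapter's Alg.10 steps, and the loop runs exactly 2m-1 times with no while condition.

```python
M, F = 8, 0x11B   # constructed field GF(2^8), f(x) = x^8 + x^4 + x^3 + x + 1 (bit M is x^M)

def mul(a, b):
    """Polynomial-basis product a*b mod f(x); integers hold coefficient bits."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:                 # degree reached M: reduce by f(x)
            a ^= F
    return r

def itoh_tsujii(a):
    """a^-1 = beta_{M-1}(a)^2 with beta_k(a) = a^(2^k - 1), walking the binary
    addition chain of M-1 (k -> 2k for every bit, then k -> k+1 for a set bit).
    Returns (inverse, multiplications, squarings)."""
    beta, k, muls, sqrs = a, 1, 0, 0
    for bit in bin(M - 1)[3:]:               # bits of M-1 below the leading one
        t = beta
        for _ in range(k):                   # beta_k ^ (2^k)
            t = mul(t, t)
        beta, sqrs, muls, k = mul(t, beta), sqrs + k, muls + 1, 2 * k      # beta_{2k}
        if bit == "1":                       # beta_{k+1} = beta_k^2 * beta_1
            beta, sqrs, muls, k = mul(mul(beta, beta), a), sqrs + 1, muls + 1, k + 1
    return mul(beta, beta), muls, sqrs + 1   # final squaring gives a^(2^M - 2)

def divide(a, b):
    """a/b mod f(x) in a fixed 2M-1 iteration loop without degree comparisons.
    Invariants: R*a = U*b and S*a = V*b (mod f); delta is an upper bound on
    deg(S) - deg(R), adjusted by each shift (assumed form of the Brent-Kung variable)."""
    xinv = lambda w: (w ^ F if w & 1 else w) >> 1   # w / x mod f (f has constant term 1)
    r, s, u, v, delta = b, F, a, 0, 1               # deg b <= M-1, deg f = M
    for _ in range(2 * M - 1):
        if not r & 1:                        # x divides R: take it out of R and U
            r, u, delta = r >> 1, xinv(u), delta + 1
        elif not s & 1:                      # x divides S: take it out of S and V
            s, v, delta = s >> 1, xinv(v), delta - 1
        else:                                # both have constant term 1: reduce the longer
            if delta < 0:
                r, s, u, v, delta = s, r, v, u, -delta
            s, v, delta = (s ^ r) >> 1, xinv(v ^ u), delta - 1
    return u if r == 1 else v                # whichever of R, S ended as the constant 1
```

For m = 8 the chain 1, 2, 3, 6, 7 costs 4 multiplications and 7 squarings, matching the bound given for the Itoh and Tsujii method; `divide(1, b)` must agree with `itoh_tsujii(b)` for every nonzero b.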
So far we have presented very general forms of divider algorithms. We reviewed all the proposed algorithms because each one has a unique characteristic that makes it more efficient for a specific core design. Many research papers have tried to improve the above algorithms and make them more efficient for hardware implementation. For example, in (Wu, Shieh & Hwang 2001), the designers proposed a new algorithm. In their algorithm, they eliminate and use two other variables to . Instead of comparing the relationship to zero, they only check two bits of their newly adopted variables, thus making the new algorithm more efficient for hardware (by eliminating step 2.1.1 in Alg.10). Another example can be seen in (Zadeh 2007), where the number of iterations is reduced from − to by combining two loop iterations. The paper explores how a number of modifications can reduce the number of conditional statements.
Other similar classes of dividers have been proposed, such as Dual Field Modular dividers or Unified Modular Division (UMD). These classes perform division over two finite fields ( and ). Unified Modular Dividers have been applied in some applications such as network servers (Wolkerstorfer 2002; Tenca & Tawalbeh 2004).
The Euclidean algorithm is the most efficient algorithm for division in terms of area and time. Until now, not many hardware platforms were able to implement this algorithm. Advances in ASIC technology offer many high capacity reconfigurable platforms such as FPGAs, which give hardware designers the ability to use these dividers in real applications. It is foreseeable that Euclidean dividers will be more widely implemented in the future.

Conclusion
In this chapter, we have reviewed two common classes of dividers which are widely used for cryptographic purposes. The most common dividers implemented in Elliptic Curve Cryptography and other cryptographic cores are multiplicative based dividers (based on Fermat's little theorem) and Euclidean based dividers.
To perform division over finite fields, some other dividers have been proposed, such as "Wiener-Hopf equation" based dividers. In Wiener-Hopf based dividers, the divisor ( ) is expanded to an × matrix, , and then the linear equation × = is solved to get . can be calculated using the Gaussian elimination algorithm (Morii, Kasahara & Whiting 1989; Hasan & Bhargava 1992). The hardware efficiency of these dividers is not comparable with that of multiplicative and Euclidean based dividers.
In terms of implementation area, multiplicative based dividers are very efficient, since they don't need any extra component on the circuit and can perform division using the embedded components of the cipher cores. In terms of speed, Euclidean based dividers are very fast.

Alg.5: Algorithm of Finding and
A way of finding and is to execute the Euclidean algorithm, then calculate and based on the equations above. Alg.5 is based on this idea.