FPGA based Hardware Accleration for Elliptic Curve Cryptography ...

2.3. SEQUENTIAL MULTIPLICATION SCHEMES 13
Due to the complexity of a reduction step, in the following this work diverts the arithmetic operations in
into two successive parts. The arithmetical operation:hÁ5. corresponding to that in- and
with a degreeÕ
( and the subsequent reduction step.
2.3 Sequential Multiplication Schemes
In order to achieve a reasonable level of security for an EC cryptosystem, the extension degree ( of the
underlying finite field has to be in the hundreds. Due to chip area limitations an application of
combinational multipliers of full bit width ( is usually not feasible. Instead, a sequential multiplication
scheme, which is based on a reasonable sized purely combinational multiplier unit, has to be utilized. In
Sec. 3.4.4 the architecture of such a combinationalhÁ5. multiplier is presented, which is scalable and
highly efficient in terms of required logic resources.
In the remainder of this section it is assumed that a reasonable sized combinational multiplier, which
computes the unreduced product of two degree +êé ( polynomials, is part of the design. Some wellknown
methods for sequential multiplication are introduced first. Then, in Sec. 2.3.3, the Multi-Segment
Karatsuba multiplication scheme is detailed and compared to classical approaches.
2.3.1 Schoolbook Multiplication
Given two polynomialsv
@ |ëE -hÁ5ÃÂ of degree( and a combinational multiplier of size+
6ëì(b†¦kí ,
the product} 6 v |
can be computed as follows: Firstv
and|
are split each into two segments of equal
size.
Then the product can be computed as
6 v YC5 î 3 ¾ v ® v
6 | YC5 î 3 ¾ | ® |
6 v | }
v Yg5 î 3 ¾ v ®ZaP| Yg5 î 3 ¾ | ® 6
v YÚ | YC5 ¾Æv YÚ | ®Ú¾ v ®j | Y[º5 î 3 ¾ v ®j | ®k\ (2.10)
6
Please note that in the context of hardware implementations the5
±
factors correspond to position offsets,
which can simply be implemented by appropriate wiring.
Generally, the polynomials can be split into an arbitrary number of segments
E”© ª
. It is selected such
that the resulting segments are small enough to be multiplied on the combinational multiplier (+ ³ (b†¦ ).
The number of necessary multiplications is given by
3
. Since the additions can be computed combinationally
in the same cycle, the cycle count for a complete multiplication is also given by
3
.
A variation of the schoolbook method splits each of the two polynomialsv
and|
into different numbers
of segments (=ïÚ@A=ð .) Of course, in this case an appropriate asymmetric combinational multiplier is necessary
2 . The number of required multiplications is given here by.ïˆBPð . In the extreme case of4ï 6 ( and
=ð 6 c this scheme is called bit serial multiplication.
2 This topic is extensively treated in [16].