1. Field
The embodiments relate to the field of cryptography, and in particular to a apparatus, system, and method for speeding up the computations for characteristic 2 elliptic curve cryptographic systems.
2. Description of the Related Art
The Karatsuba algorithm (A. Karatsuba and Y. Ofman, Multiplication of Multidigit Numbers on Automata, Soviet Physics—Doklady, 7 (1963), pages 595-596) was proposed in 1962 as an attempt to reduce the number of scalar multiplications required for computing the product of two large numbers. The classic algorithm accepts as input two polynomials of degree equal to 1, i.e., a(x)=a1x+a0 and b(x)=b1x+b0 and computes their product a(x)b(x)=a1b1x2+(a1b0+a0b1)x+a0b0 using three scalar multiplications. This technique is different from the naïve (also called the ‘schoolbook’) way of multiplying polynomials a(x) and b(x) which is to perform 4 scalar multiplications, i.e., find the products a0b0, a0b1, a1b0 and a1b1.
Karatsuba showed that you only need to do three scalar multiplications, i.e., you only need to find the products a1b1, (a1+a0)(b1+b0) and a0b0. The missing coefficient (a1b0+a0b1) can be computed as the difference (a1+a0)(b1+b0)−a0b0−a1b1 once scalar multiplications are performed. For operands of a larger size, the Karatsuba algorithm is applied recursively.
Karatsuba is not only applicable to polynomials but, also large numbers. Large numbers can be converted to polynomials by substituting any power of 2 with the variable x. One of the most important open problems associated with using Karatsuba is how to apply the algorithm to large numbers without having to lose processing time due to recursion. There are three reasons why recursion is not desirable. First, recursive Karatsuba processes interleave dependent additions with multiplications. As a result, recursive Karatsuba processes cannot take full advantage of any hardware-level parallelism supported by a processor architecture or chipset. Second, because of recursion, intermediate scalar terms produced by recursive Karatsuba need more than one processor word to be represented. Hence, a single scalar multiplication or addition requires more than one processor operation to be realized. Such overhead is significant. Third, recursive Karatsuba incurs the function call overhead.
Cetin Koc et. al. from Oregon Sate University (S. S. Erdem and C. K. Koc. “A less recursive variant of Karatsuba-Ofman algorithm for multiplying operands of size a power of two”, Proceedings, 16th IEEE Symposium on Computer Arithmetic, J.-C. Bajard and M. Schulte, editors, pages 28-35, IEEE Computer Society Press, Santiago de Compostela, Spain, Jun. 15-18, 2003) describes a less recursive variant of Karatsuba where the size of the input operands needs to be a power of 2. This variant, however, still requires recursive invocations and only applies to operands of a particular size.
Elliptic curve cryptography, originally proposed by Koblitz (N. Koblitz, “Elliptic Curve Cryptosystems”, Mathematics of Computation, 48, pg. 203-209, 1987) and Miller (V. Miller, “Uses of Elliptic Curvers in Cryptography”, Proceedings, Advances in Cryptology (Crypto '85), pg. 416-426, 1985) has recently gained significant interest from the industry and key establishment and digital signature operations like RSA with similar cryptographic strength, but much smaller key sizes.
The main idea behind elliptic curve cryptography is that points in an elliptic curve form an additive group. A point can be added to itself many times where the number of additions can be a very large number. Such operation is often called ‘point times scalar multiplication’ or simply ‘point multiplication’. The suitability of elliptic curve cryptography for public key operations comes from the fact that if the original and resulting points are known but the number of additions is unknown then it is very hard to find this number from the coordinates of the original and resulting points. The coordinates of a resulting point can form a public key whereas the number of additions resulting in the public key can form a private key.