Efficient Characteristic 3 Galois Field Operations
for Elliptic Curve Cryptographic Applications
Vinay S. Iyengar
Oregon Episcopal School, Portland, Oregon, U.S.A.
Keywords: Public-Key Cryptography, Elliptic Curves, Characteristic 3 Galois Field Theory, Performance Optimization.
Abstract: Galois fields of characteristic 3, where the number of field elements is a power of 3, have a distinctive
application in building high-security elliptic curve cryptosystems. However, they are not typically used
because of their relative inefficiency in computing polynomial operations when compared to conventional
prime or binary Galois fields. The purpose of this research was to design and implement characteristic 3
Galois field arithmetic algorithms with greater overall efficiency than those presented in current literature,
and to evaluate their applicability to elliptic curve cryptography. The algorithms designed were tested in a
C++ program and using a mapping of field element logarithms, were able to simplify the operations of
polynomial multiplication, division, cubing, and modular reduction to that of basic integer operations. They
thus significantly outperformed the best characteristic 3 algorithms presented in literature and showed a
distinct applicability to elliptic curve cryptosystems. In conclusion, this research presents a novel method of
optimizing the performance of characteristic 3 Galois fields and has major implications for the field of
elliptic curve cryptography.
1 INTRODUCTION
Galois fields are one of the most important concepts
in abstract algebra and have a wide variety of
applications towards public-key cryptography
algorithms. In essence, a Galois field is an algebraic
structure with established operations for addition,
subtraction, multiplication, and division that satisfy
the requirements for an Abelian group. This means
that operations follow the five axioms of an Abelian
group: closure, associativity, commutativity, having
an identity element and an inverse element. Most
importantly, Galois fields have a finite number of
elements in them (Lidl and Niederreiter, 1997).
The most efficient and secure cryptographic
system in use today is known as elliptic curve
cryptography (ECC) and is based on the concept of
elliptic curves built over Galois fields (Koblitz,
1987). Our research in particular investigates elliptic
curves built over Galois fields of characteristic 3.
This essentially means that the number of elements
in the field is a power of 3, allowing the Galois field
to be notated as GF(3
k
), where k represents the
degree of the field. In Galois fields of characteristic
3, elements of the field are represented as
polynomials modulo a primitive polynomial p(x),
where coefficients are either 0, 1, or 2 (Lidl and
Niederreiter, 1994). A primitive polynomial is an
irreducible polynomial of degree k - 1 that can
generate all elements of the field. After the research
of Galbraith (2001), it is well accepted that
characteristic 3 curves provide more security and
bandwidth efficiency than conventional binary or
prime curves. In addition, they are highly applicable
towards building pairing-based cryptosystems, an
attractive option for identity-based cryptographic
algorithms (Boneh and Franklin, 2001). However,
according to the canonical research of Harrison,
Page and Smart (2002), they are not efficient enough
despite their potential. This is mainly because
characteristic 3 polynomial arithmetic operations
rely on base 3 arithmetic (Figure 1) and are much
slower compared to prime and binary Galois fields,
which utilize the computer’s inherent hardware
arithmetic.
Figure 1: Base 3 Arithmetic.
Elliptic curves are a type of equation of the
form y
2
= x
3
+ ax + b, where a and b represent
integer coefficients. When elliptic curves are built
531
S. Iyengar V..
Efficient Characteristic 3 Galois Field Operations for Elliptic Curve Cryptographic Applications.
DOI: 10.5220/0004528105310536
In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 531-536
ISBN: 978-989-8565-73-0
Copyright
c
2013 SCITEPRESS (Science and Technology Publications, Lda.)
over a Galois field, the points on the curve
themselves form an Abelian group making it
possible for operations to be done on points on the
curve such as addition of two points, where the
result is a third point on the curve, as shown on the
left of Figure 2 (Hankerson et al.). This form of
elliptic curve is known as the Weierstrass equation
and is the most standard form of elliptic curve used
in number theory (Koblitz, 1994). Another form of
elliptic curve that is popular is the Edwards equation
(right side of Figure 2) of the form x
2
+ y
2
= 1 +
dx
2
y
2
, where d represents a coefficient. Our research
works primarily with the Edwards form of elliptic
curves due to the lack of characteristic 3 Edwards
research in the past.
Weierstrasss: y
2
= x
3
+ ax + b Edwards: x
2
+ y
2
= 1 + dx
2
y
2
Figure 2: Geometric Representation of Weierstrass
Addition (“What is Diffie-Hellman”, n.d) and Graphical
Representation of Multiple Edwards Curves (“Edwards
Curve”, n.d).
Given the fact that operations can be performed
on points on an elliptic curve, it is possible to design
cryptographic algorithms based on difficult number-
theoretic problems within this group (Silverman,
2006). For ECC this difficult problem is the Elliptic
Curve Discrete Logarithm Problem (ECDLP), which
states that it is difficult to find a point P and integer
k, given their product Pk. This operation of
multiplying a point by an integer is referred to as
scalar multiplication. Scalar multiplication not only
dominates the execution time of ECC algorithms,
but is also essential to the security of these systems.
1.1 Related Work
The research of Harrison, Page and Smart is
regarded as the canonical paper on software
implementation of characteristic 3 Galois fields for
ECC applications. Their research uses conventional
algorithms for polynomial arithmetic, and then
provides software optimization. Research by Iyengar
has developed efficient scalar multiplication
algorithms. Three of these algorithms are use
extensively in this research: the Binary Double-Add
Algorithm, the Ternary Expansion Algorithm, and
the Balanced Ternary Expansion Algorithm.
1.2 Research Goals
This research has two main goals:
1. To design and implement characteristic 3 Galois
field operations with greater overall efficiency than
conventional state-of-the-art algorithms.
2. To analyze this new method’s applicability to
elliptic curve cryptography.
Overall efficiency is evaluated as a combination
of a comparison of implementation speeds, and
time-space tradeoffs. If a new and more efficient
method for characteristic 3 Galois field operations
can be developed, it would be a major advancement
for elliptic curve cryptography and Internet security
in general.
2 CONVENTIONAL
ALGORITHMS
Algorithms 1 – 6 are the characteristic 3 Galois field
algorithms as presented in the research of Harrison,
Page and Smart, 2002. They are widely considered
the most efficient characteristic 3 algorithms in
literature.
Algorithm 1: Characteristic 3 Polynomial
Addition/Subtraction
INPUT: Polynomials f(x) = [a
n
…a
1
, a
0
]
and g(x) = [b
m
…b
1
, b
0
]
OUTPUT: f(x) + g(x)
1. For i from 0 to n if n > m,
from 0 to m if m > n
a. P
i
= (a
i
+/− b
i
) % 3
2. Return P(x)
Algorithm 3: Conventional Characteristic 3
Polynomial Multiplication
INPUT: Polynomials f(x) = [a
n
…a
1
, a
0
]
and g(x) = [b
m
…b
1
, b
0
]
OUTPUT: f(x) *g(x)
1. For i from 0 to n
a. For j from 0 to m
i. P
i+j
= (a
i
* b
j
) % 3
2. Return P(x)
Algorithm 4: Conventional Characteristic 3
Polynomial Cubing
INPUT: Polynomial f(x) = [a
n
…a
1
, a
0
]
OUTPUT: f(x) ^ 3
1. For i from 0 to n
a. P
i * 3
= (a
i
* 3) % 3
SECRYPT2013-InternationalConferenceonSecurityandCryptography
532
Conventional characteristic 3 polynomial cubing
takes the degrees of all terms of f(x), and multiplies
them by 3. The resulting polynomial is then reduced
modulo the primitive polynomial of the system.
Algorithm 5: Conventional Characteristic 3
Polynomial Division
INPUT: Polynomials f(x) = [a
n
…a
1
, a
0
]
and g(x) = [b
m
…b
1
, b
0
]
OUTPUT: f(x) / g(x)
1. h(x) = Extended Euclidean
Algorithm Inverse of g(x)
2. Return h(x) * f(x)
Conventional characteristic 3 polynomial division is
a complex operation requiring multiple steps.
Firstly, the inverse of the divisor is taken using
Algorithm 6. This is then multiplied by the dividend
using Algorithm 3.
Algorithm 6: Extended Euclidean Algorithm
INPUT: Polynomial f(x) = [a
n
…a
1
, a
0
],
Primitive Polynomial p(x)
OUTPUT: f
-1
(x)
1. remainder[1] = p(x);
remainder[2] = f(x)
2. inverse[1] = 0; inverse[2] = 1
3. i = 2
4. while remainder[i] > 2
a. i = i + 1
b. remainder[i] = remainder[i-2]
mod remainder[i-1]
c. quotient[i] = remainder[i-2] /
remainder[i-1]
d. If(inverse[i] == 2) inverse[i]
= 2(-quotient[i] *
inverse[i-1] + inverse[i-2])
e. Else (inverse[i] = -
quotient[i] * inverse[i-1] +
inverse[i-2])
f. Return inverse[i]
3 KEY RESEARCH CONCEPTS
The key idea of this research was to map the
polynomials to a simpler representation more
conducive to efficient arithmetic. The algorithms
designed were inspired by the concept of Zech’s
logarithms presented in the work of Lidl and
Neiderreiter, 1997. The algorithms designed include
the following: logarithm table generation,
polynomial multiplication, polynomial division, and
polynomial cubing.
3.1 Our Novel Contributions
This research designed and developed a new and
highly efficient way of doing characteristic 3 Galois
field operations using a logarithm-table approach.
Furthermore, this research explored and analyzed
Edwards curves over characteristic 3 fields. Finally,
scalar multiplication was implemented using binary,
ternary, and balanced-ternary algorithms.
Algorithm 7: Logarithm Table Generation
INPUT: Primitive Polynomial P(x)
OUTPUT: Mapped table of field elements
and logarithms
1. LogTable[0] = x
2. For i from 1 to field size do
a. LogTable[i] =
LogTable[i-1] * x
b. if degree of LogTable[i]=
degree of P(x) do
LogTable[i] modulo P(x)or
substitution reduction
3. Return LogTable
The logarithm table generation algorithm aims to
create a table of field element logarithms, mapped
from a power representation. This is done by
repeatedly multiplying successive terms in the table
by the value x, and then reducing these values
modulo the primitive polynomial of the system. This
algorithm also utilizes the concept of substitution
reduction to simplify polynomial modular reduction.
Substitution reduction basically substitutes, during
the computation phase, an identity previously
computed in the table, in order to simplify modular
reduction. To better illustrate this concept, we have
created a small example of logarithm table
generation as shown in Figure 3.
Figure 3: Example of Logarithm Table
Generation and Use
The following example shows the creation of a log
table for the Galois Field 3
3
over the primitive
polynomial P(x) = x
2
+ 2x + 2
Power
Rep
Galois Field
Rep
Operation Done
1 1
x x 1 x
x
2
x + 1 x
2
mod x
2
+ 2x + 2
x
3
2x + 1 x
2
+ x = 2x + 1
x
4
2 2x
2
+ x = 2
x
5
2x 2 x
x
6
2x + 2 2x
2
= 2x + 2
x
7
x + 2 2x
2
+ 2x = x + 2
x
8
1 x
2
+ 2x = 1
EfficientCharacteristic3GaloisFieldOperationsforEllipticCurveCryptographicApplications
533
This example computes the table in 8 multiplications
by x, and just 1 modular reduction using repeated
substitution with the identity x
2
= x + 1.
Once created, the logarithm table can then be
used to perform the following operations very
efficiently:
Polynomial multiplication and modular
reduction: Addition of power representation
exponents – EX: (x + 1) (2x + 1) = x
2
x
3
= x
5
=
2x
Polynomial division and modular reduction:
Subtraction of power representation exponents –
EX: (2x + 2) / 2 = x
6
/ x
4
= x
2
= x + 1
Polynomial exponentiation and modular
reduction: Multiplication of power representation
exponent by the desired exponent – EX: (2x + 1)
2
=
(x
3
)
2
= x
3
2
= x
6
= 2x + 2
3.2 Implementation
The main instrument used in this research was a
Windows 7 computer with a 2.10 GHz Intel Core i3
processor installed with a Microsoft Visual Studio
compiler. The main program was written in C++. An
open source implementation for a Galois Field of
characteristic 2 (Partow, 2006) was used as the
starting point for the programming part of the
research. The algorithms for the Galois Field of
characteristic 3 were designed independently and
then implemented into the program for testing.
Primitive polynomials were generated for each
Galois field size using the open source software
Primpoly (O’Connor, 2013).
4 RESULTS AND DISCUSSION
4.1 Galois Field Operations
The first goal of this research was to design and
implement characteristic 3 Galois field operations
more efficient than conventional algorithms. These
algorithms were tested by performing operations on
a wide range of values within Galois fields of six
different sizes: 3
5
, 3
7
, 3
9
, 3
11
, 3
13
, 3
15.
These
operations were measured in terms of processor
cycle counts, and finally averaged out as an
indication of the algorithms’ overall efficiencies.
Table 1 compares the average speed of these
operations using both the logarithm table method
designed in this research and the conventional
methods.
Table 1: Comparison of Performance of Galois Field
Operations (Processor Clock Cycles).
Degree of Galois Field
As shown in Table 1, the logarithm table
methods of doing basic characteristic 3 Galois field
operations were orders of magnitude faster than their
conventional counterparts. To conclude, research
goal 1 was met.
4.2 Elliptic Curve Analysis
Research goal 2 was to evaluate the applicability of
the logarithm table method towards elliptic curve
cryptography. The underlying Galois Field was thus
implemented, tested, and verified over Edwards
elliptic curves. This basically involved timing scalar
multiplication operations using the Binary Double-
Add, the Ternary Expansion, and the Balanced
Ternary Expansion algorithms for Edwards curves
using six different Galois field sizes: 3
5
, 3
7
, 3
9
, 3
11
,
3
13
, 3
15
. This procedure was first done using the
conventional polynomial arithmetic operations.
47Xto136Xfaster
38Xto81Xfaster
244Xto786Xfaster
SECRYPT2013-InternationalConferenceonSecurityandCryptography
534
Figure 4: Elliptic Curve Scalar Multiplication -
Conventional Polynomial.
Figure 4 shows the average performance of
scalar multiplication algorithms over 6 Galois field
sizes using the conventional characteristic 3
arithmetic algorithms. The Balanced Ternary
Expansion algorithm is the most efficient for all
Galois field sizes except 3
5
. Furthermore, as the size
of the underlying Galois field increases, the
efficiency decreases in a linear manner.
This same scalar multiplication testing procedure
was applied with the logarithm table method for
polynomial arithmetic.
Figure 5: Elliptic Curve Scalar Multiplication – Logarithm
Table.
Figure 5 shows the average time for scalar
multiplication operations over the 6 different Galois
fields with the 3 different scalar multiplication
algorithms using logarithm table polynomial
operations. It is clear that the Balanced-Ternary
algorithm is generally the fastest, and as the size of
the field increases, the speed of all algorithms
remains constant. Most importantly, these operations
are significantly faster in comparison to their
conventional counterparts shown in Figure 4.
Specifically, the logarithm table method for scalar
multiplication ranges from ~5X faster for a field of
degree 5, to ~30X faster for a field of degree 15.
4.3 Next Steps
A very attractive option for future research is
developing a hybrid method that utilizes both
logarithm table and conventional arithmetic,
reducing the cost upfront and the storage needed,
while also taking advantage of the speed provided
by logarithm table-based arithmetic. This could be
done by using a logarithm table method for a small
subfield, and then extending this field to a larger
power. Also, next steps include testing larger
numbers such as NIST (National Institute for
Standards in Technology) size elliptic curves in
order to evaluate the scalability of these algorithms.
5 CONCLUSIONS
In this paper, we present a novel and efficient
method for characteristic 3 Galois field operations
and analyze this method’s distinctive applications to
elliptic curve cryptography. We thus meet both
research goals. The findings of this research have a
wide significance towards the findings of other
researchers such as Harrison et al. and those at NIST
who have disregarded characteristic 3 Galois fields
for elliptic curve cryptographic applications. This
research shows that in fact characteristic 3 can be a
feasible option for some ECC applications.
ACKNOWLEDGEMENTS
My teacher and sponsor Peter Langley for all his
help and encouragement. My mentor Dr. Neal
Koblitz, Professor of Mathematics at the University
of Washington for his guidance and continuous
support. Dr. Jiangtao Li of Intel Corporation for
reviewing my research paper and providing useful
feedback.
0,00
200,00
400,00
600,00
800,00
1000,00
1200,00
5 7 9 11 13 15
AverageNumberofProcessor
CycleCounts
DegreeofGaloisField
Legen
d
for Figures 4 and 5
Binary Double-Add
Ternary Expansion
Balanced Ternary Expansion
EfficientCharacteristic3GaloisFieldOperationsforEllipticCurveCryptographicApplications
535
REFERENCES
Ahmadi, O., Hankerson, D., & Menezes, A. (2007).
Software implementation of arithmetic in. Arithmetic
of Finite Fields, 85-102.
Barreto, P., Kim, H., Lynn, B., & Scott, M. (2002).
Efficient algorithms for pairing-based cryptosystems.
Advances in Cryptology—CRYPTO 2002, 354-369.
Bernstein, D., & Lange, T. (2007). Faster addition and
doubling on elliptic curves. Advances in Cryptology,
13, 29-50. Retrieved from http://cr.yp.to/newelliptic/ -
20070906.pdf
Blake, I., Seroussi, G., & Smart, N. (1999). Elliptic curves
in cryptography. (1st ed.). London: Cambridge
University Press.
Boneh, D., & Franklin, M. (2001). Identity-based
encryption from the Weil pairing. In Advances in
Cryptology—CRYPTO 2001 (pp. 213-229). Springer
Berlin/Heidelberg.
Das, A., & Madhavan, C. E. V. (2009). Public-key
cryptography: theory and practice. (1st ed.). New
Delhi: Dorling Kindersley.
Galbraith, S. (2001). Supersingular curves in
cryptography. Advances in Cryptology—ASIACRYPT
2001, 495-513.
Hankerson, D., Menezes, A., & Vanstone, S. (2004).
Guide to elliptic curve cryptography. (1st ed.).
Springer.
Harrison, K., Page, D., & Smart, N. P. (2002). Software
implementation of finite fields of characteristic three,
for use in pairing-based cryptosystems.LMS
Journal of Computation and Mathematics, 5(1),
181-193.
Iyengar, V. S. (2012). Novel elliptic curve scalar
multiplication algorithms for faster and safer public-
key cryptosystems. International Journal on
Cryptography and Information Security, 2(3), 57-66.
doi: 10.5121/ijcis.2012.2305
Koblitz, N. (1994). A course in number theory and
cryptography. (2 ed.). New York, NY: Springer
Koblitz, N. (1987). Elliptic curve
cryptosystems. Mathematics of Computation, 48(177).
203–209. Retrieved from http://www.ams.org/
journals/mcom/1987-48-177/S0025-5718-1987-
0866109-5/S0025-5718-1987-0866109-5.pdf
Lawson, N. (2009). Side-channel attacks. IEEE, 7(6), 65-
68. Retrieved from http://rootlabs.com/articles/
IEEE_SideChannelAttacks.pdf
Lidl, R. and Niederreiter, H. Introduction to Finite Fields
and Their Applications, rev. ed. Cambridge, England:
Cambridge University Press, 1994.
Lidl, R. and Niederreiter, H. (Eds.). Finite Fields, 2nd ed.
Cambridge, England: Cambridge University Press,
1997.
O’Connor, S.E. (2013) Primpoly (Version 11.0)
[Computer Software] Available from: http://www.
seanerikoconnor.freeservers.com/Mathematics/Abstrac
tAlgebra/PrimitivePolynomials/overview.html
Partow, A. (2006) Galois Field Arithmetic Library
(Version 5.0) [Computer Software] Available
from:
http://www.partow.net/projects/galois/#GFALLice nse
Silverman, J. H. (2006). A friendly introduction to number
theory.
(3rd ed., Vol. 3). Pearson Prentice Hall.
What is diffie-hellman (n.d.). RSA Labs: PKCS, 7,
Retrieved from http://www.rsa.com/rsalabs/
node.asp?id=2248
(2012). Edwards Curve. Wikipedia, the free encyclopedia,
Retrieved from http://en.wikipedia.org/wiki/
File:Edward-curves.svg
SECRYPT2013-InternationalConferenceonSecurityandCryptography
536
