Novel Hybrid-Size Digit-Serial Systolic Multiplier over GF(2^m)

Abstract

Because of the efficient tradeoff in area–time complexities, digit-serial systolic multiplier over $GF\left(2^m\right)$ has gained substantial attention in the research community for possible application in current/emerging cryptosystems. In general, this type of multiplier is designed to be applicable to one certain field-size, which in fact determines the actual security level of the cryptosystem and thus limits the flexibility of the operation of cryptographic applications. Based on this consideration, in this paper, we propose a novel hybrid-size digit-serial systolic multiplier which not only offers flexibility to operate in either pentanomial- or trinomial-based multiplications, but also has low-complexity implementation performance. Overall, we have made two interdependent efforts to carry out the proposed work. First, a novel algorithm is derived to formulate the mathematical idea of the hybrid-size realization. Then, a novel digit-serial structure is obtained after efficient mapping from the proposed algorithm. Finally, the complexity analysis and comparison are given to demonstrate the efficiency of the proposed multiplier, e.g., the proposed one has less area-delay product (ADP) than the best existing trinomial-based design. The proposed multiplier can be used as a standard intellectual property (IP) core in many cryptographic applications for flexible operation.

1. Introduction

Finite field multipliers have gained substantial attentions recently due to their critical roles in many cryptosystems such as elliptic curve cryptography (ECC), especially on hardware platforms [1]. Typically, there are three types of structuring related to the finite field multipliers, namely the bit-serial, bit-parallel, and digit-serial. Because of the efficient tradeoff in area–time complexities, digit-serial structures usually are more widely preferred than the other two in many applications [2].

Along with the recent advance in artificial intelligence technology, systolic structure has becoming more and more attracting in high-performance hardware platforms [3]. Accordingly, digit-serial systolization of finite field multipliers have the potential to be applied in high-performance cryptosystems due to their superior features such as high-throughput rate and regularity and modularity. Thus far, several efforts have been made on efficient implementation of digit-serial systolic finite field multipliers: (i) an efficient systolic finite field multiplier is presented in [3], where its complexity is significantly reduced compared with the previous reported one; (ii) a systolic-like digit-serial multiplier is reported in [4] and it is found that the systolic structure proposed is specifically suitable for Reed–Solomon Codec; (iii) an efficient digit-serial systolic multiplier is presented in [5]; (iv) the same authors reported a unified digit-serial systolic multiplier based on trinomials and all-one-polynomials [6]; (v) a low-complexity systolic multiplier is given in [7], where its complexity is optimized to be minimal; (vi) an efficient resource-sharing technique is employed in another digit-serial systolic multiplier to achieve low critical-path and high-performance operation [8]; and (vii) an efficient systolic digit-serial multipliers is reported in [9], where the complexity is so far the least in the literature. These designs, undoubtedly, represent the major advance in the field of systolic digit-serial multipliers.

On the other side, however, the existing digit-serial systolic finite field multipliers, more or less, still have some drawbacks to be overcome: (i) although the digit-serial systolic multipliers have relatively few processing elements (PEs), the register-complexity of the multipliers is still large; and (ii) the current digit-serial multipliers are designed to be fixed field-size, and thus cannot provide enough flexibility to meet the current technology trend, i.e., one cryptosystem can meet different security level (field-size) need and the designers have to finalize different field-size multipliers with respect to different application requirement, which is some sort of inefficient in integrated chip (IC) design. Facing with these two challenges, in this paper, we have proposed a novel hybrid-size digit-serial systolic multiplier with low-complexity implementation. The proposed work is carried out through a combination of two coherent interdependent stages’ efforts: (i) a novel hybrid-size digit-serial systolic multiplication algorithm is proposed which provides enough flexibility to both pentanomial- and trinomial-based multipliers; and (ii) the proposed algorithm is then mapped into a novel systolic structure through a series of optimization techniques. Thorough complexity analysis and detailed comparison have also been made to confirm the efficiency of the proposed design, i.e., it not only offers flexibility to be switched from one field-size to another one, but also has smaller area–time complexities compared with the existing single field-size digit-serial systolic multipliers. The proposed design can not only be used as a standard intellectual property (IP) core for various field-size cryptosystem, but also can be employed as a core computation unit in reconfigurable cryptographic processor (where demands flexible field-size choice).

The rest of the paper is organized as follows: Section 2 presents the mathematical formulation of the proposed digit-serial multiplication algorithm. Section 3 shows the detailed steps of the proposed systolic structure mapped from the algorithm. The analysis and comparison are provided in Section 4. The conclusion is given in Section 5.

2. Mathematical Formulation of the Proposed Multiplication Algorithm

Let the three elements A, B, and C $\in GF\left(2^m\right)$ and let the polynomial basis be the $\{1,x,x^2,\dots \}$, where x is the root of $f\left(x\right)$ ($f\left(x\right)$ determines the field) [1]. Suppose for two field-sizes with $m_1$ and $m_2$, and $m_1<m_2$, we can first define that

$$A_1=\sum _{i=0}^{m_1-1}{a}_i{x}^i,B_1=\sum _{i=0}^{m_1-1}{b}_i{x}^i,C_1=\sum _{i=0}^{m_1-1}{c}_i{x}^i,$$

(1)

and

$$A_2=\sum _{i=0}^{m_2-1}{a}_i{x}^i,B_2=\sum _{i=0}^{m_2-1}{b}_i{x}^i,C_2=\sum _{i=0}^{m_2-1}{c}_i{x}^i,$$

(2)

where $a_i$, $b_i$, and $c_i$ $\in GF\left(2\right)$ and it is clear that $a_i$ in both $A_1$ and $A_2$ are the same (for $0\le i\le m_2-1$), and the same applies to $b_i$ and $c_i$.

Suppose in the field-size of $m_1$, let $C_1$ be the product of $A_1$ and $B_1$ (corresponding field polynomial is $f_1\left(x\right)$), we can have

$$\begin{array}{cc}\hfill C_1=& A_1{B}_1\mathrm{mod}{f}_1\left(x\right)\hfill \\ \hfill =& \sum _{i=0}^{m_1-1}{b}_i(x^i·A_1)\mathrm{mod}{f}_1\left(x\right)\hfill \\ \hfill =& \sum _{i=0}^{m_1-1}{b}_i{A}_1^{\left(i\right)},\hfill \end{array}$$

(3)

where $A_1^{\left(0\right)}=A_1$ and $A_1^{\left(i\right)}=x^i·A_1\mathrm{mod}{f}_1\left(x\right)$. Similarly, for the field-size of $m_2$, we can have $C_2$ as the product of $A_2$ and $B_2$ (the field polynomial is $f_2\left(x\right)$):

$$\begin{array}{cc}\hfill C_2=& A_2{B}_2\mathrm{mod}{f}_2\left(x\right)\hfill \\ \hfill =& \sum _{i=0}^{m_2-1}{b}_i(x^i·A_2)\mathrm{mod}{f}_2\left(x\right)\hfill \\ \hfill =& \sum _{i=0}^{m_2-1}{b}_i{A}_2^{\left(i\right)},\hfill \end{array}$$

(4)

where, similarly, we have $A_2^{\left(0\right)}=A_2$ and $A_2^{\left(i\right)}=x^i·A_2\mathrm{mod}{f}_2\left(x\right)$. One can then have

$$\begin{array}{cc}\hfill C_2=& \sum _{i=0}^{m_1-1}{b}^i{A}_2^{\left(i\right)}+\sum _{i=m_1}^{m_2-1}{b}^i{A}_2^{\left(i\right)}\hfill \end{array}$$

(5)

Then, after comparing Equation (3) with Equation (5), we can have

$$C_j=\sum _{i=0}^{m_1-1}{b}^i{A}_j^{\left(i\right)}+k_j·\sum _{i=m_1}^{m_2-1}{b}^i{A}_2^{\left(i\right)},$$

(6)

where $j=1$ or 2 according to Equations (3) and (5), respectively, and

$$\begin{array}{c}{k}_j=0,\mathrm{if}j=1\hfill \\ k_j=1,\mathrm{if}j=2.\hfill \end{array}$$

(7)

Then, we can have the following definitions:

For any integer of $m_2$, we have $m_2=w·d$ (meanwhile, one can have $m_1=w·d_1$); then, we can define

$$\begin{array}{cc}\hfill B_1=& [b_0,b_1,\dots ,b_{w-1}]\hfill \\ \hfill B_2=& [b_w,b_{w+1},\dots ,b_{2w-1}]\hfill \\ & \cdots \cdots \cdots \hfill \\ \hfill B_d=& [b_{m_2-w},b_{m_2-w+1},\dots ,b_{m_2-1}].\hfill \end{array}$$

(8)

Similarly, we can have

$$\begin{array}{cc}\hfill A_1=& [A_j^{\left(0\right)},A_j^{\left(1\right)},\dots ,A_j^{(w-1)}]\hfill \\ \hfill A_2=& [A_j^{\left(w\right)},A_j^{(w+1)},\dots ,A_j^{(2w-1)}]\hfill \\ & \cdots \cdots \cdots \hfill \\ \hfill A_d=& [A_2^{(m_2-w)},A_2^{(m_2-w+1)},\dots ,A_2^{(m_2-1)}],\hfill \end{array}$$

(9)

where we assume $m_2-m_1>w$.

It is clear that we can now transfer Equation (6) into

$$\begin{array}{cc}\hfill C_j=& A_1{B}_1^T+A_2{B}_2^T+\cdots +k_j{A}_d{B}_d^T\hfill \\ \hfill =& \sum _{u=1}^d\xi \left(k_j\right)A_u{B}_u^T,\hfill \end{array}$$

(10)

where $\xi \left(k_j\right)$ works for terms only when $m_1\le i\le m_2-1$ and

$$\begin{array}{c}\xi \left(k_j\right)=1,\mathrm{if}j=2\hfill \\ \xi \left(k_j\right)=0,\mathrm{if}j=1,\hfill \end{array}$$

(11)

where we can see that Equation (10) can be used to perform two field-size finite field multiplications if we select the control signal properly.

The above equations can thus be summarized as Algorithm 1.

Algorithm 1. Proposed multiplication algorithm for hybrid field-size-based implementation

Inputs: $A_1$ and $B_1$ (also $A_2$ and $B_2$) are the pair of elements (polynomial basis representation) in $GF\left(2^m\right)$ for

field-size of $m_1$ and $m_2$, respectively

Output: $C_j=A_j·B_j\mathrm{mod}{f}_j\left(x\right)$ for $j=1\mathrm{or}2$ and $f_j\left(x\right)$ is the field polynomial

1. Initialization step

1.1 Define $B_1$, $B_2$, …, $B_d$ for $m_2=w·d$ according to (8)    1.2 Define $A_1$, $A_2$, …, $A_d$ for $m_2=w·d$ according to (9)    1.3 Define $D=0$

2. Multiplication step

2.1 According to the field-size selection signal, determine the value of j    2.2 For $1\le u\le d$    2.3 $D=D+\xi \left(k_j\right)A_u{B}_u^T$    2.4 End for

3. Final step

3.1 Get $C_j=D$

The detailed processes of Steps 2.2 and 2.4 are the key multiplication processes.

Note that, due to the difference of the field polynomial $f_j\left(x\right)$, the process of deriving $A_j^{(i+1)}$ from $A_j^{\left(i\right)}$ is slightly different from each other. For instance, assume

$$A_j^{\left(i\right)}=\sum _{v=0}^{m_j-1}{a}_{j\to v}^{\left(i\right)}{x}^v,$$

(12)

where we can have

$$\begin{array}{cc}\hfill a_{j\to 0}^{(i+1)}& =a_{j\to m_j-1}^{\left(i\right)}\hfill \\ \hfill a_{j\to s}^{(i+1)}& =a_{j\to s-1}^{\left(i\right)}+a_{j\to m-1}^{\left(i\right)}\hfill \\ \hfill a_{j\to v}^{(i+1)}& =a_{j\to v-1}^{\left(i\right)},\mathrm{for}1\le v\le m_j-1,\hfill \end{array}$$

(13)

when $f_j\left(x\right)$ is a trinomial of $f_j\left(x\right)=x^{m_j}+x^s+1$. While, for pentanomial $f_j\left(x\right)=x^{m_j}+x^{s_1}+x^{s_2}+x^{s_3}+1$, we can have

$$\begin{array}{cc}\hfill a_{j\to 0}^{(i+1)}& =a_{j\to m_j-1}^{\left(i\right)},a_{j\to s_1}^{(i+1)}=a_{j\to s_1-1}^{\left(i\right)}+a_{j\to m_j-1}^{\left(i\right)}\hfill \\ \hfill a_{j\to s_2}^{(i+1)}& =a_{j\to s_2-1}^{\left(i\right)}+a_{j\to m_j-1}^{\left(i\right)},a_{j\to s_3}^{(i+1)}=a_{j\to s_3-1}^{\left(i\right)}+a_{j\to m_j-1}^{\left(i\right)}\hfill \\ \hfill a_{j\to v}^{(i+1)}& =a_{j\to v-1}^{\left(i\right)},\mathrm{for}1\le v\le m_j-1\mathrm{and}v\ne s_1,s_2,s_3.\hfill \end{array}$$

(14)

Besides that, one has to note that the National Institute of Standards and Technology (NIST) has recommended five irreducible polynomials for ECC implementation [10,11] (three pentanomials and two trinomials). Without loss of generality, we can assume $m_1$ is a pentanomial and $m_2$ is a trinomial. The corresponding structure presented below is also based on this assumption.

3. Proposed Hybrid-Size Digit-Serial Systolic Multiplier

In this section, we propose several optimization technique to successfully map the corresponding algorithm into desired systolic structure. Specifically:

3.1. Novel Input Data Broadcasting Scheme

One major component of the register-complexity of a systolic finite field multiplier comes from the input data broadcasting. In this subsection, we propose a novel input data broadcasting that the main inputs to each PE are fed independent from each other and thus the relation of these data between the PEs is reduced to minimum, which can significantly reduce the related register-complexity among systolic array. In Figure 1, the proposed input data broadcasting technique is employed.

As shown in Figure 1, according to Step 2.3 of Algorithm 1, each PE in the systolic array is fed with two inputs, namely the $A_j^{\left(i\right)}$ and the corresponding $b_i$. The output of each PE is then transferred to the next PE on its right. The complete output can be delivered after $(d+w)$ cycles, with the help of an extra accumulation cell. Since differences exist among all the $A_j^{\left(i\right)}$, we have used the selective connection to rightly connect each PE according to Algorithm 1. Because only one signal pipelining to the next PE is used, the register-complexity of the systolic array is significantly reduced. The details of the internal structures of these PEs are shown below. Note that, due to the simple internal structure of the PEs, i.e., critical-path of the PE is quite small, the proposed broadcasting technique has very limited influence on the overall time complexity.

3.2. Proper Arrangement on the Input Data Delivery

The two inputs, i.e., $A_j$ and $B_j$, must be properly arranged to meet the data dependence requirement for hybrid-size operation. For $B_j$, according to Algorithm 1, all bits are delivered in a grouped-sequential way, which can be realized by the structure, as shown in Figure 2. One can see that the shift-register is producing the required output bits to each PE of Figure 1 based on Algorithm 1, while the hybrid-size selection is done by the inserting of an extra MUX (MUX is short for multiplexer) in the shifting path such that the shift-register can be working under the field-size of either $m_1$ or $m_2$ through the proper control of the MUX (control signal).

The operand $A_j$, through the help of PE-0, delivers the correct output bits to each PE according to Algorithm 1, which requires a more sophisticated structure, as shown in Figure 3a. From Equations (13) and (14), one can observe that there are one XOR gate involved when obtaining $A_2^{(i+1)}$ from $A_2^{\left(i\right)}$ (trinomial-based multiplication) while it requires three XOR gates when deriving $A_1^{(i+1)}$ from $A_1^{\left(i\right)}$. Thus, according to the data dependence requirement of Algorithm 1, one can find that there are d number of operands being delivered from PE-0 at the same cycle period, i.e., $A_j^{\left(wu\right)},A_j^{(wu+1)},\dots ,A_j^{(wu+d-1)}$. These operands, in fact, involve multiple identical bits between each other and thus can be shared. For simplicity of discussion, let assume $f_2\left(x\right)=x^{233}+x^{74}+1$ and $f_1\left(x\right)=x^{163}+x^7+x^6+x^3+1$, we can have ($d_1=13$, $d=16$, $a_0,a_1,a_2,\dots ,a_{162}$ for $A_1$, and $a_0,a_1,a_2,\dots ,a_{232}$ for $A_2$)

$$\begin{array}{cc}& [A_1^{\left(0\right)}{A}_1^{\left(1\right)}{A}_1^{\left(2\right)}\cdots A_1^{\left(12\right)}]\hfill \\ \hfill =& \left[\begin{array}{ccccc}{a}_0& a_{162}& a_{161}& \cdots & a_{151}\\ a_1& a_0& a_{162}& \cdots & a_{152}\\ a_2& a_1& a_0& \cdots & a_{153}\\ a_3& a_2+a_{162}& a_1+a_{161}& \cdots & a_{154}+a_{150}\\ a_4& a_3& a_2& \cdots & a_{155}\\ a_5& a_4& a_3& \cdots & a_{156}\\ a_6& a_5+a_{162}& a_4+a_{161}& \cdots & a_{157}+a_{150}\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ a_{162}& a_{161}& a_{160}& \cdots & a_{150}\end{array}\right],\hfill \end{array}$$

(15)

and

$$\begin{array}{cc}& [A_2^{\left(0\right)}{A}_2^{\left(1\right)}{A}_2^{\left(2\right)}\cdots A_2^{\left(15\right)}]\hfill \\ \hfill =& \left[\begin{array}{ccccc}{a}_0& a_{232}& a_{231}& \cdots & a_{218}\\ a_1& a_0& a_{232}& \cdots & a_{219}\\ a_2& a_1& a_0& \cdots & a_{220}\\ a_3& a_2& a_1& \cdots & a_{221}\\ a_4& a_3& a_2& \cdots & a_{222}\\ a_5& a_4& a_3& \cdots & a_{223}\\ a_6& a_5& a_4& \cdots & a_{224}\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ a_{232}& a_{231}& a_{230}& \cdots & a_{217}\end{array}\right],\hfill \end{array}$$

(16)

where we can see that the identical bits, e.g., $a_0,a_1,\dots$, can be shared among these $A_j^{\left(i\right)}$ ($0\le i\le 12$), as shown by the example in Figure 3b (where we have shown how the MUXes are located to obtain hybrid-size implementation). Since other bits cannot be shared, we just use the MUX to connect with the two bits at the same position (according to Equations (8) and (9)) such that, through the proper working of these MUXes, the correct signals can be produced to the corresponding PE.

One can also notice that, according to Equations (9), (13), and (14), with the help of a modular operation (done by the modular cell in Figure 3), the PE-0 delivers the corresponding output to each PE, i.e., obtaining $A_u$ from $A_{u-1}$ (for $1\le u\le d/d_1$ ), which needs a delay time of $2T_X$ ($T_X$ is the delay time of an XOR gate, and it takes $T_X$ for trinomial-based multiplier and $2T_X$ for pentanomial-based one [9]). Besides that, one has to note that all the $A_j^{\left(i\right)}$ in one specific $A_u$ can be obtained through the sharing of identical bits, as represented by the selective connection in Figure 1 and Figure 3. Following this arrangement, the proposed hybrid-size structure operates in an ordered form according to Algorithm 1.

3.3. Hybrid Accumulation

The accumulation of the digit-serial operation also needs adjustment when compared with the conventional ones. As shown in Figure 4, where we have used a $m_1$-bit MUX cell to obtain the hybrid-size accumulation (where the accumulation cell is realized through the XOR cell connected with the register cell in a back-loop style). Note that these $m_1$ bit-level MUXes connect with the $m_1$-bit output of PE-$d_1$, while the remaining $(m_2-m_1)$ bits of PE-d are directly connected with the accumulation cell. According to Equations (8) and (9), and Algorithm 1, we can let the MUX determine the multiplier is working under the condition of field-size of either $m_1$ bits or $m_2$ bits. Besides that, the number of output bits is also selected according to the specific chosen field-size, as shown in Figure 4, i.e., after designated number of cycle periods, the output is produced based on the value of the control signal.

3.4. Final Structure

The internal structure of each PE is shown in Figure 5b, where it mainly consists of an AND cell, an XOR cell, and a register cell. With the combination of all the optimization techniques introduced above, we have presented the finalized proposed hybrid-size digit-serial structure, as shown in Figure 5a. All the control signals connected with the inserted MUXes collaborate together to switch the finite field multiplier from operating in one field-size to another. After designated cycle periods of accumulation, the multiplier delivers the desired output.

4. Complexity and Comparison

For simplicity of discussion, we just follow the assumption in Section 3 that $m_1$ comes from a pentanomial while $m_2$ is the field-size of a trinomial. The detailed complexity of the proposed multiplier is: (i) Systolic array: The systolic array has d number of PEs, where each PE has $m_2$ AND gates, $m_2$ XOR gates, and $m_2$ registers. (ii) Shift-register: The shift-register for $B_j$ requires $m_2$ registers and one MUX. (iii) Accumulation cell: The accumulation cell requires $m_1$ MUXes, $m_2$ XORs, and $m_2$ registers. (iv) PE-0: There are in total $(3d_1+d-4)$ XOR gates, $(4d_1-4)$ MUXes, and $(m_2+3d_1+d-4)$ registers involved. Moreover, the proposed structure has a critical-path of $(2T_X+T_M)$ ($T_M$ is the delay time of an MUX), and it takes $(d+w)$ cycles to produce the desired output for hybrid-size operation. Overall, the complexity of the proposed design is listed along with the existing digit-serial multipliers (trinomial- or pentanomial-based designs) in

Table 1. Comparison of Area–Time Complexities of Various Digit-Serial Systolic Multipliers.

Design	AND	XOR	Register	Latency	Critical-Path
Digit-serial systolic structures (trinomial of size $m_2$)
[7] ${}^1$	$m_{2}d$	$d(2+m_2)+1$	$2m_{2}d+3m_2$	$d+w$	$T_A+T_X$
[8] ${}^1$	$m_{2}d$	$m_{2}d+m_2-d+1$	$2m_{2}d+2m_2$	$d+w$	$T_A+T_X$
Digit-serial systolic structures (pentanomial of size $m_1$)
[4] ${}^2$	$2m_1{d}_1+m_1$	$2m_1{d}_1$	$m_1/d_1(10d_1+$	$3m_1/d_1$	$d_1(T_A+T_X+$
			$1+9s{d}_1/2+s)$		$T_{MUX})/(s+1)$
DS-I [9]	$m_1{d}_1$	$m_1{d}_1+3m_1$	$2d_1{m}_1+2m_1$	$d_1+w_1$	$2T_X$
		$-3m_1/d_1+3$
Hybrid-size digit-serial systolic structures (pentanomial of size $m_1$ and trinomial of size $m_2$)
Proposed ${}^3$	$m_{2}d$	$m_{2}d+m_2$	$m_{2}d+2m_2$	$d+w$	$2T_X+T_M$
		$3d_1+d-4$	$+3d_1+d-4$

$T_A$, delay time of an AND gate; $T_M$, delay time of an MUX; ${}^1$: For a fair comparison, the input bits of operand $B_j$ fed to each PE is finalized as 1 for [7,8] (a shift-register of $m_2$ bits is also added). ${}^2$: $(s+1)$ refers to the pipelined stage in the PE (here we choose s = 1), and $2m_1$ of MUX gates are not listed here. ${}^3$: There are also $(m_1+4d_1-3)$ MUXes involved.

in terms of logic gates number, register number, latency (number of cycle periods), and critical-path. Note that the designs of [5,6] are based on all-one-polynomials (or used all-one-polynomials as a computation core), we thus do not list them in Table 1, just for a fair comparison. As shown in Table 1, one can see that the proposed hybrid-size digit-serial multiplier has relatively better area–time complexities than the existing ones, especially when considering that the proposed one can offer hybrid field-size operation (the existing ones are all single field-size based). To have a detailed comparison, we have also used the NanGate’s Library Creator and the 45-nm FreePDK Base Kit from North Carolina State University (NCSU) [12] to estimate the area and time complexities of all the designs for $m_2=233,m_1=163$, $d=16$, and $d_1=13$. The obtained area, delay (latency time), power, area-delay product (ADP), and power-delay product (PDP) are listed in

Table 2. Comparison of Area–Time Complexities of Various Digit-Serial Systolic Multipliers.

Design	Area ($\mathsf{\mu }$m${}^2$)	Delay (ns) ${}^1$	Power ($\mathsf{\mu }$W/GHz)	ADP ($\mathsf{\mu }$m${}^2\times$ ns)	PDP ($\mathsf{\mu }$W/GHz× ns)
Digit-serial trinomial-based ($m_2=233,d=16$)
[7]	46,958	4.48	56,068	$210,372$	251,185
[8]	46,174	4.48	55,726	$206,860$	249,652
Digit-serial pentanomial-based ($m_1=163,d_1=13$)
[4]	22,675	45.63	35,412	1,034,660	1,615,850
[9]	26,998	4.16	33,139	112,312	137,858
Hybrid-size ($m_1=163$ and $m_2=233$)
Traditional ${}^2$	73,172	4.48	88,865	327,811	398,115
Proposed	29,961	6.4	40,672	191,750	260,301

${}^1$: delay = latency cycle number × critical-path. ${}^2$: Refers to the conventional implementation of two field-size finite field multipliers; we have used the best existing ones of [8,9] to be combined together.

for a comparison. Again, we can observe that the proposed one has better performance than the existing ones, e.g., it has at least 7.3% less ADP than the best trinomial one of [8], while it offers the flexibility to execute the pentanomial-based multiplier. Compared with the existing pentanomial ones, the proposed one still has better ADP when considering the scaling of the field-size. The proposed one also has 41.5% less ADP and 34.6% less PDP than the conventional hybrid field-size implementation (we have combined the best existing ones of [8,9] together to realize it).

The proposed hybrid-size digit-serial systolic multiplier, undoubtedly, can be extended as a standard IP core in various cryptosystems that demand different security levels. On the other hand, due to the low-complexity of the proposed design, it can also be used in cryptosystem for flexible operation, in the case the user of that cryptosystem needs to change/upgrade the system. Moreover, it is worth mentioning that the proposed hybrid field-size strategy can also be extended to multiple filed-size implementation.

5. Conclusions

This paper presents a novel implementation of a hybrid field-size digit-serial systolic multiplier over $GF\left(2^m\right)$. A novel digit-serial multiplication algorithm suitable for hybrid field-size realization is proposed first. Then, through a series of optimization techniques, the proposed algorithm is successfully mapped into a high-performance digit-serial systolic multiplier. The complexity analysis and detailed comparison have been given to confirm the efficiency of the proposed design. Future work may focus on the application of the proposed design in various cryptosystems.