Generalised Mersenne Numbers Revisited

TL;DR

This paper introduces a new class of generalized Mersenne numbers that enable more efficient modular multiplication and reduction, are abundant at any bitlength, and offer enhanced security features for cryptographic applications.

Contribution

We propose an alternative generalization of Mersenne numbers that maintains high efficiency in modular arithmetic, is widely available at various bitlengths, and provides inherent side-channel attack resistance.

Findings

Our algorithms are highly parallelisable for hardware implementation.

The new primes are abundant across all bitlengths, unlike traditional GMNs.

The proposed field representation offers strong protection against side-channel attacks.

Abstract

Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twice as fast as integer multiplication; this property does not hold for prime GMNs, unless they are of Mersenne's form. In this work we exploit an alternative generalisation of Mersenne numbers for which an analogue of the above property --- and hence the same efficiency ratio --- holds, even at bitlengths for which schoolbook multiplication is optimal, while also maintaining very efficient reduction. Moreover, our proposed primes are abundant at any bitlength, whereas GMNs are extremely rare. Our multiplication and reduction algorithms can also be easily parallelised, making our arithmetic particularly suitable for hardware implementation. Furthermore, the field representation we propose also naturally protects against side-channel attacks, including timing attacks, simple power analysis and differential power analysis, which is essential in many cryptographic scenarios, in constrast to GMNs.