Aritmética Computacional Francisco Rodríguez Henríquez An Introduction to Binary Finite Fields...

Aritmética Computacional Francisco Rodríguez Henríquez

An Introduction to Binary Finite Fields GF(2m)

By Francisco Rodríguez Henríquez.


What is a Field?

• A field is a set of elements with two custom-defined arithmetic

operations: most commonly, addition and multiplication. The elements

of the field are an additive abelian group, and the non-zero elements of

the field are a multiplicative abelian group. This means that all elements

of the field have an additive inverse, and all non-zero elements have a

multiplicative inverse.

• A field is called finite if it has a finite number of elements. The most

commonly used finite fields in cryptography are the field Fp (where p is

a prime number) and the field F2m.


Finite Fields

• A finite field or Galois field denoted by GF(q=pn), is a field with

characteristic p, and a number q of elements. As we have seen, such a

finite field exists for every prime p and positive integer n, and contains a

subfield having p elements. This subfield is called ground field of the

original field.

• For the rest of this class, we will consider only the two most used cases

in cryptography: q=p, with p a prime and q=2m. The former case, GF(p),

is denoted as the prime field, whereas the latter, GF(2m), is known as the

finite field of characteristic two or simply binary field.


Finite Fields

• A finite field is a field with a finite number of elements. The

number of elements in a finite field is called the order of the

field. Fields of the same order are isomorphic: they display

exactly the same algebraic structure differing only in the

representation of the elements.


The field F2m

‘Plegaria del Codificador teórico: Juro por Galois que seré leal a las nobles tradiciones de la teoría de códigos; que hablaré de ella en el secreto lenguaje sólo conocido por los contados iniciados; y que celosamente vigilaré la sagrada teoría de aquellos que quisieran profanarla para usarla en aplicaciones mundanas”.

J. L. Massey

Although the description of the field F2m is complicated, this field is extremely

beautiful and also quite useful, because its computations can be done efficiently when implemented in hardware. There are several ways to describe arithmetic in F2

m; the most common one is the so-called polynomial representation.


Some definitions

Here, we restrict our discussion to the numbers that belongs to the

finite field F=GF(2m) over K=GF(2). K is also known as the

characteristic field. The elements of F are polynomials of degree less

than m, with coefficients in K; that is,

{am-1xm-1+am-2xm-2+...+a2x2+a1x+a0|ai= 0 or 1}.

These elements are frequently written in vector form as (am-1 ... a1 a0).

F has exactly 2m-1 nonzero elements plus the zero element.


The Binary Field F2m

A polynomial p in GF(2m) is irreducible if p is not a unit element and if

p=fg then f or g must be a unit, that is, a constant polynomial.

Let us consider a finite field F=GF(2m) over K=GF(2).

Elements of F: Polynomials of degree less than m, with coefficients in

K, such that,

{am-1xm-1+am-2xm-2+...+a2x2+a1x+a0|ai= 0 or 1}.

Fact: The field F has exactly q-1=2m-1 nonzero elements plus

the zero element.


Generating polynomial

Then, taking advantage of the fact that over GF(2) addition is equivalent

to subtraction, we get the important relation

012

21

1 ... kxkxkxkxxf mm

mm

m

0... 012

21

1

kkkkf m

mm

mm

1

0

m

i

ii

m k

The finite field F=GF(2m) is completely described by a monic irreducible polynomial, often called generating polynomial, of the form

Where ki GF(2) for i=0,1,…,m-1. Let be a root of the monic irreducible polynomial in (0), i.e., f() = 0, Then


Generating polynomial and polynomial basis

Then, we define the polynomial or canonical basis of GF(2m) over

GF(2) using the primitive element and its m first powers

{1, , 2,…, m-1},

which happen to be linearly independent over GF(2).


Polynomial representation

0121012

21

1 ,...,, ...

Rep. Coordinate Rep. Polynomial

aaaaaaaa mmm

mm

m

Sometimes, it is more convenient to represent a field element using the so-called coordinate representation,

1

0

m

i

iiaA

Using the canonical basis we can uniquely represent any number

A F=GF(2m) as


Element’s Representation

Where all the coefficients aI's belong to the characteristic field GF(2).

Elements of the field are m-bit strings. The rules for arithmetic in F can

be defined by polynomial representation. Since F operates on bit strings,

computers can perform arithmetic in this field very efficiently.

1

0

m

i

iiaA

By using the polynomial basis given in last equation, we can represent any

number A F=GF(2m) uniquely by


Order definition

• In fact, this is always the case for any finite field F=GF(2m) where we can always define the so-called polynomial basis of GF(2m) over GF(2) as as the linearly independent set of the first m powers of

{1, , 2,…, m-1}

1,,,,,0 132 q

• The order of an element in F, is defined as the smallest positive integer k

such that k=1. Any finite field always contains at least one element, called

a primitive element, which has order q-1. We say that f(x) is a primitive

polynomial, if any one of its roots, say , is a primitive element in F. If f(x)

is primitive, then all the q elements of F, can be expressed as the union of

the zero element and the set of the first q-1 powers of ,


An example

Example. Let K = GF(24), F = GF(2), with defining primitive

polynomial f(x) given by

f(x) = x4 + x + 1

Then, if is a root of f(x), we have f()=0, which implies that

f() = 4 + + 1 = 0

This equation over GF(2), means that satisfies the following equation

4 = + 1.

Using the above equation, one can now express each one of the 15

nonzero elements of K over F as is shown in the next table.


Discrete log table i i Coordinates

0 1 (0 0 0 1)

1 (0 0 1 0)

2 2 (0 1 0 0)

3 3 (1 0 0 0)

4 4=+1 (0 0 1 1)

5 5=2+ (0 1 1 0)

6 6=3+2 (1 1 0 0)

7 7=3++1 (1 0 1 1)

8 8=2+1 (0 1 0 1)

9 9=3+ (1 0 1 0)

10 10=2++1 (0 1 1 1)

11 11=3+2+ (1 1 1 0)

12 12=3+2++1 (1 1 1 1)

13 13=3+2+1 (1 1 0 1)

14 14=3+1 (1 0 0 1)


Finite fields: definitions and operations

F2m finite field operations : Addition, Squaring,

multiplication and inversionF2

m finite field operations : Addition, Squaring, multiplication and inversion


Arithmetic in the field F2m

The irreducible generating polynomial used for these sample calculations is again f(x) =x4+x+1.

Notice that all the coefficients are reduced modulo 2!! Addition

(0110)+(0101)=(0011).

Multiplication (1101)(1001)

= (x3+x2+1)(x3+1) mod f(x)

= x6+x5+2x3+x2+1 mod f(x)

= x6+x5+x2+1 mod f(x)

= (x4+x+1)(x2+x)+(x3+x2+x+1) mod f(x)

= x3+x2+x+1

= (1111).



Exponentiation

To compute (0010)4, first find

(0010)2 = (0010)(0010)

= x x mod f(x)

= x2

= (0100).

Then

(0010)4 = (0010)2(0010)2

= (0100)(0100)

= x2x2 mod f(x)

= (x4+x+1)(1)+(x+1) mod f(x)

= x + 1

= (0011).



Multiplicative Inversion

The multiplicative identity for the field is 0 = (0001). The multiplicative inverse of 7 = (1011) is

-7 mod 15=8 mod 15=(0101).

To verify this, see that,

(1011)(0101) = (x3+x+1) (x2+1) mod f(x)

= x5+x2+x+1 mod f(x)

= (x4+x+1)(x)+(1) mod f(x)

= 1

= (0001)

Which is the multiplicative identity.


Field multipliers


Two-steps Multipliers

In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x), B(x) and (x) GF(2m) and P(x) be the irreducible field generator polynomial.

• In order to compute the modular product we first obtain the product polynomial C(x), of degree at most 2m-2, as

1

0

1

0

m

i

ii

m

i

ii baxBxAxC Polynomial product

2m-1 coordinates

xPxCxC modReduction stepm coordinates

• Then, in the second step, a reduction operation is performed in order to obtain the m-1 degree polynomial C’(x) is defined as


Squaring over GF(2m)


GF(2m) Squarer

In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x) GF(2m) be an arbitrary element in the field and P(x) be the irreducible field generator polynomial.

• In order to compute the modular square of the element A(x) we first obtain the polynomial product C(x), of degree at most 2m-2, as

1

0

1

0

m

i

ii

m

i

ii aaxAxAxC Polynomial product

2m-1 coordinates

xPxCxC modReduction stepm coordinates

• Then, in a second step, a reduction operation is performed in order to obtain the m-1 degree polynomial C’(x) defined as


Squaring: Example

• Let A be an element of the finite field F=GF(25). Then, the square of A is given as,

a4 0 a3 0 a2 0 a1 0 a0

In general, for an arbitrary element A in the field F=GF(25), we have,

1

0

21

0

1

0

2m

i

ii

m

i

ii

m

i

ii xaxaxaxAxAxAxC

a4a3a2a1a0 * a4a3a2a1a0

a4a0 a3a0 a2a0 a1a0 a0a0

a4a1 a3a1 a2a1 a1a1 a0a1a4a2 a3a2 a2a2 a1a2 a0a2




Squaring: Software Solution

rct_word sqr_table_low[256] = { 0, 1, 4, 5, 16, 17, 20, 21, 64 65, 68, 69, 80, 81, 84, 85, 256, 257, 260, 261, 272, 273, 276, 277, 320, 321, 324, 325, 336, 337, 340, 341, 1024, 1025, 1028, 1029, 1040, 1041, 1044, 1045, 1088, 1089, 1092, 1093, 1104, 1105, 1108, 1109, 1280, 1281, 1284, 1285, 1296, 1297, 1300, 1301, 1344, 1345, 1348, 1349, 1360, 1361, 1364, 1365, 4096, 4097, 4100, 4101, 4112, 4113, 4116, 4117, 4160, 4161, 4164, 4165, 4176, 4177, 4180, 4181, 4352, 4353, 4356, 4357, 4368, 4369, 4372, 4373, 4416, 4417, 4420, 4421, 4432, 4433, 4436, 4437, 5120, 5121, 5124, 5125, 5136, 5137, 5140, 5141, 5184, 5185, 5188, 5189, 5200, 5201, 5204, 5205, 5376, 5377, 5380, 5381, 5392, 5393, 5396, 5397, 5440, 5441, 5444, 5445, 5456, 5457, 5460, 5461, 16384, 16385, 16388, 16389, 16400, 16401, 16404, 16405, 16448, 16449, 16452, 16453, 16464, 16465, 16468, 16469, 16640, 16641, 16644, 16645, 16656, 16657, 16660, 16661, 16704, 16705, 16708, 16709, 16720, 16721, 16724, 16725, 17408, 17409, 17412, 17413, 17424, 17425, 17428, 17429, 17472, 17473, 17476, 17477, 17488, 17489, 17492, 17493, 17664, 17665, 17668, 17669, 17680, 17681, 17684, 17685, 17728, 17729, 17732, 17733, 17744, 17745, 17748, 17749, 20480, 20481, 20484, 20485, 20496, 20497, 20500, 20501, 20544, 20545, 20548, 20549, 20560, 20561, 20564, 20565, 20736, 20737, 20740, 20741, 20752, 20753, 20756, 20757, 20800, 20801, 20804, 20805, 20816, 20817, 20820, 20821, 21504, 21505, 21508, 21509, 21520, 21521, 21524, 21525, 21568, 21569, 21572, 21573, 21584, 21585, 21588, 21589, 21760, 21761, 21764, 21765, 21776, 21777, 21780, 21781, 21824, 21825, 21828, 21829, 21840, 21841, 21844, 21845};


Squaring: Software Implementationvoid rce_FieldSqr2k_Random(rct_word *ax, rct_word *tx, rce_context *cntxt,

rct_octet *offsetptr){

rct_index i;rct_word C, S;rct_index wlen, blen_p;rct_word *tmp;

wlen = cntxt->ecp->wlen;blen_p = cntxt->ecp->blen_p;

tmp = (rct_word *) offsetptr;

tmp[0]=0; tmp[1]=0;

for (i=0; i<wlen; i++) {S = sqr_table_low[(ax[i]&0xff)];S ^= (sqr_table_low[(ax[i]>>8)&0xff]<<16);C = sqr_table_low[(ax[i]>>16)&0xff];C ^= (sqr_table_low[(ax[i]>>24)&0xff]<<16);

tmp[i*2] = S; tmp[i*2+1] = C;}

RCE_FIELD_REDUC2K(cntxt) (tmp, blen_p, cntxt->ecp->poly);

//rce_residue2k(tmp, blen_p, cntxt->ecp->poly);

for (i=0; i<wlen; i++) tx[i] = tmp[i];}


Second step: reduction

• Problem: Given the polynomial product C(x) with at most, 2m-1, obtain

the modular product C' with m coordinates, using the generating

irreducible polynomial P(x).

xPxCxC mod

Notice that since we are interested in the polynomial reminder of the

above equation, we can safely add any multiple of P(x) to C(x) without

altering the desired result. This simple observation suggest the following

algorithm that can reduce k bits of the polynomial product C at once.



• Let us assume that the m+1 and 2m-1 coordinates of P(x) and C(x),

respectively, are distributed as follows:

• Then, there always exists a k-bit constant scalar S, such that

where 0 < k <m. Notice that all the k MSB of SP become identical to

the corresponding ones of the number C. By left shifting the number SP

exactly Shift = 2m-2-k-1 positions, we effectively reduce the number in

C by k bit.

011

0122123222

ppppP

ccccccC

mm

kmkmmm

01123222

0111

pppcccPS

ppppppP

kmkmmm

kmkmmm


Software reduction implementation

C[ pwlen-wlen+shiftn]

32 bits C n i C ni+32

C[ pwlen-i] Addition operations < 4wlen;SHIFT operations < 4wlen;Comparisons = 2wlen.

wlen-1 C

C 2m-2

4

pwlen-1

2

2

0 1 ... wlen-2 wlen+1 wlen+2 ... pwlen-2

m-1 C

m modular coordinates

C n

1

1

3

3 4

pwlen-1 wlen-1

2m-1 coordinates

w

mwlen :


0

2

2

4

4

6

6

2

01

2

2

3

3

axaxaxaA

axaxaxaA

A = 1111A2= 1010101

Squaring: Polynomial Multiplication Step FPGA Implementation [by Nazar Saqib]


Squaring: Reduction Step FPGA Implementation [by Nazar Saqib]


Full Parallel Multipliers over GF(2m)


Modular multiplication for software applications

1. Polynomial multiplication:•Look-up tables•Karatsuba•Karatsuba/Look-up tables

1. Polynomial multiplication:•Look-up tables•Karatsuba•Karatsuba/Look-up tables

2. Reduction step:•Standard reduction

•trinomials & pentanomials•General irreducible polynomials

•Montgomery reduction•trinomials & pentanomials•General irreducible polynomials

2. Reduction step:•Standard reduction

•trinomials & pentanomials•General irreducible polynomials

•Montgomery reduction•trinomials & pentanomials•General irreducible polynomials

Modular Multiplication

Software


Polynomial multiplication: classical algorithm

1

2

2

1

0

1

21

2321

12321

014321

05432

012

01

0

22

32

1

1

2

2

1

0

00000

0000

00

0

0

000

0000

00000

m

m

m

mm

mm

mmm

mmmm

mmmm

m

m

m

m

m

m

b

b

b

b

b

a

aa

aaaa

aaaaa

aaaaaa

aaaaa

aaa

aa

a

c

c

c

c

c

c

c

c

c

AND gates = m2

XOR gates = (m-1)2

Time delay =

AND gates = m2

XOR gates = (m-1)2

Time delay = XA TmT 2log


Polynomial multiplication: Karatsuba Multipliers

Karatsuba's algorithm is based on the idea that the polynomial product

C=AB can be written as,

LHmLLm

LHLHLLHHHHm CCxBAxBBAABABABAxC

2

• It can be computed with 3 poly mults and 4 poly additions.

• Best results obtained by using a combination of classic and Karatsuba

strategies.

• By using this idea recursively, one can obtain O(mlog23) space complexities.


2kn-bit Karatsuba Multipliers2kn-bit Karatsuba Multipliers


2kn-bit Karatsuba Multipliers

There are some asymptotically faster methods for polynomial multiplications, such as

the Karatsuba-Ofman algorithm.

Discovered in 1962, it was the first algorithm able to accomplish polynomial

multiplication under O(m2) operations.

Karatsuba's algorithm is based on the idea that the polynomial product C=AB can be

written as,

LHmLLm


2

; ; 22 LHm

LHm

BBxBAAxA



• last equation can be carried out at the cost of only 3

polynomial multiplications and four polynomial additions.

• Of course, Karatsuba strategy can be applied recursively to

the three polynomial multiplications of last equation.

• By applying this strategy recursively, it is possible to

achieve a polynomial complexity of

• Best results can be obtained by combining classical method

with Karatsuba strategy.

3log2mO

February 2000 Francisco Rodríguez Henríquez

Procedure Kmul2k(C, A, B)

Input: Two elements A ,B ЄGF(2m) with m=rn=2kn, and where A, B can be expressed as,

Output: A polynomial C=AB with up to 2m-1 coordinates, where C=xmCH+CL..

end17.

end.16

;15.

do1-rto0fromifor14.

end.13

;12.

do1-rto0fromifor.11

);,,(2.10

);,,(2.9

);,,(2.8

end.7

;.6

;.5

do12

to0fromifor.4

return;.3

);,(_2.

then)1(if1.

begin.0

22

ii

ri

r

Hi

Liii

HHHk

BAk

LLLk

Hi

LiBi

Hi

LiAi

MCC

CCMM

BACmul

MMMmul

BACmul

BBM

AAM

r

BAnmulC

r

., 22 LHm

LHm

BBxBAAxA



It can be shown that the space and time complexities of a m=2kn-bit Karatsuba multiplier combined with a classical method are given as,

.logDelay Time

; Gates AND

;2816 Gates XOR

2

23log

23log

2

2

knTT

nn

m

mnnn

m

XAND


Space and Time complexities

m r n AND gates XOR gates Time Delay

Area (NAND units)

1 1 1 1 0 TA 1.26

2 1 2 4 1 TX+TA 7.2

4 1 4 16 9 2TX+TA 40.0

8 2 4 48 55 6TX+TA 181.5

16 4 4 144 225 10TX+TA 676.4

32 8 4 432 799 14TX+TA 2302.1

64 16 4 1296 2649 18TX+TA 7460.8

128 32 4 3888 8455 22TX+TA 23499.9

256 64 4 11664 26385 26TX+TA 72743.6

512 128 4 34992 81199 30TX+TA 222727.7


Space complexity of hybrid Karatsuba multipliers for arbitrary m using n=1, 2, 3

1 0 0 2 0 0 3 0 0 4 0 0 5 0 0 0

2

4

6

8

1 0

1 2 x 1 0

4

1 0 0 2 0 0 3 0 0 4 0 0 5 0 0 0

0 . 5

1

1 . 5

2

2 . 5

3

3 . 5

4

4 . 5 x 1 0

4

n = 3

n = 3

n = 2

n = 2

n = 1

n = 1

N u

m b

e r

o

f X

O R

g

a

t e s

N u

m b

e r

o

f

A N

D

g a

t e

s

m m


Binary Karatsuba MultipliersBinary Karatsuba Multipliers


Binary Karatsuba Multipliers

• Problem: Find an efficient Karatsuba strategy for the

multiplication of two polynomials A, B GF(2m), such that m

= 2k + d, d 0.

• Basic Idea: Pretend that both operands are polynomials with

degree m’ = 2(k+1), and use normal Karatsuba approach for two

of the three required polynomial multiplications, i.e., given

; ; 22 LHm

LHm

BBxBAAxA

LHmLLm


2



• Compute the two 2k-bit polynomial multiplications:

• While the remaining d-bit polynomial multiplication AHBH can

be computed using a -bit Karatsuba multiplier in a

recursive manner (since the leftover d bits can be expressed as,

d = 2k1+d1).

LHLHBA

LL

BBAAMMM

BA

and;

dk 2log'



• The above outlined strategy yields a Binary

Karatsuba scheme where the hamming weight

of the original m will determine the number of

recursive iterations to be used by the

algorithm.


An ExampleAn Example


An Example

• As a design example, let us consider the polynomial multiplication of the elements A and B GF(2193). Since (193)2 = 11000001, the Hamming weight of m is h = 3.

• This will imply that we need a total of three iterations in order to compute the multiplication using the generalized m-bit binary Karatsuba multiplier. Additionally we notice that for this case, m = 193 =27+65.


193-bit binary Karatsuba Multiplier

XOR gates = 20524AND gates = 9201Time delay = 13.5 nS


An Example

• Where we have assumed that the above circuit has been implemented using a 1.2 CMOS technology, where we have that the time delays associated to the AND, XOR logic gates are given as: TA Tx=0.5 nS.

• Next slide shows a comparison between the proposed binary Karatsuba approach and the more traditional hybrid approach discussed previously.


Field Multiplication

Preliminary results yield a time delay of 50-70 Sec and 9K Slices of hardware resources utilization.


Binary and hybrid Karatsuba multipliers’ area complexity

5 0 1 0 0 1 5 0 2 0 0 2 5 0 3 0 0 3 5 0 4 0 0 4 5 0 5 0 0 0

0 . 5

1

1 . 5

2

2 . 5

3 x 1 0

5

m

C o m b i n e d s p a c e c o m p l e x i t y

Hybrid Karatsuba

Binary Karatsuba






xPxCxC mod

• The computational complexity of the reduction operation is linearly

proportional to the Hamming weight (the number of nonzero terms) of

the generating irreducible polynomial.


Field multipliers using special irreducible polynomials

Field multipliers

Equally-spaced polynomials trinomials pentanomials

•

There exist for only 468 degrees m, less than

1024 ( 45%)


1024 ( 45%)


1024 ( 8%)


1024 ( 8%)

There exists at least one for any degree

m>3

There exists at least one for any degree

m>3


Performance criteria and element representation

• the amount of memory required for the algorithm

(memory requirements)

• the total time required for execution (speed) and;

• The most important measures of the performance for software

implementations of the arithmetic operations in the Galois

field GF(2m) are,






xPxCxC mod

Notice that since we are interested in the polynomial reminder of the

above equation, we can safely add any multiple of P(x) to C(x) without

altering the desired result. This simple observation suggest the following

algorithm that can reduce k bits of the polynomial product C at once.



• Let us assume that the m+1 and 2m-1 coordinates of P(x) and C(x),

respectively, are distributed as follows:

• Then, there always exists a k-bit constant scalar S, such that

where 0 < k <m. Notice that all the k MSB of SP become identical to

the corresponding ones of the number C. By left shifting the number SP

exactly Shift = 2m-2-k-1 positions, we effectively reduce the number in

C by k bit.

011

0122123222

ppppP

ccccccC

mm

kmkmmm

01123222

0111

pppcccPS

ppppppP

kmkmmm

kmkmmm


Standard reduction for trinomials and pentanomials

C[ pwlen-wlen+shiftn]

32 bits C n i C ni+32

C[ pwlen-i] Addition operations < 4wlen;SHIFT operations < 4wlen;Comparisons = 2wlen.

wlen-1 C

C 2m-2

4

pwlen-1

2

2

0 1 ... wlen-2 wlen+1 wlen+2 ... pwlen-2

m-1 C

m modular coordinates

C n

1

1

3

3 4

pwlen-1 wlen-1

2m-1 coordinates

w

mwlen :


Exercises

0) Consider the polynomial

Find if F=GF(55) constructed using f as a generating polynomial, is a field or not.


a) Show that P(x) forms a field in GF(2m).

b) Find whether P() is a primitive root or not.

c) Find a primitive element in the field.

232 2345 xxxxxf

12456 xxxxxP


Exercises


a) Show that P(x) forms a field in GF(2m).

b) Is P(x) a primitive polynomial?

c) Find 47 as a polynomial of degree less or equal to 5.

d) Find the positive number k that satisfies:

1456 xxxxxP

134 k

Aritmética Computacional Francisco Rodríguez Henríquez An Introduction to Binary Finite Fields...

Documents

Transcript of Aritmética Computacional Francisco Rodríguez Henríquez An Introduction to Binary Finite Fields...