Prime Fields 04/05/2007. Hybrid system simulator for ODE 1. Galois field. The issue. Prime fields: naïve implementation

Transcription

1 Galois field The issue Topic: finite fields with word size cardinality Field: 4 arithmetic operators to implement (+, -, *, /) We will focus on axpy: r = a x + y (operation mainly used in linear algebra applications) Naïve dot product on a Pentium III, 1GHz: Int : 85 Millions of operations per second Z/ pz : 1 Millions of field operations per second GF(p 2 ) : 1 Million of field operations per second System division is very expensive Polynomial arithmetic is prohibitive Prime field, Z/ pz, (or Zp) : integers modulo a prime p Galois field, GF(q) : finite field of characteristic q=p k Isomorphic to Z/ pz [x]/q polynomials over Z/ pz modulo an irreducible polynomial Q of degree k 1. Reduce the constant factor Several representations and algorithms 2. Transform the constant into a decreasing function Specialize algorithms (ex.: dotproduct, matrix multiplication, LU triangularizations, etc.) Prime fields: naïve implementation Prime Fields Use system division to implement multiplication ADD : MUL : AXPY: r=(x + y); r = (r<p? r : r-p); r=(a x); r = (r<p? r : r%p); r=(a x + y); r = (r<p? r : r%p); Addition, subtraction are very fast Multiplication is slow Needs: Size(p 2 +p) < word size (p<46337 for 32 bits, p< for 64 bits) Hybrid system simulator for ODE 1

2 Prime fields: floating point implementation Using Generators All finite fields of same cardinality are isomorphic Stores a floating-point representation of the inverse of p AXPY: r=(a x + y); r -= floor( r 1/p ) p; Multiplication can be faster (no division used, but floor is also quite slow) Needs also: Size(p 2 +p) < word size The multiplicative group of invertibles is cyclic of cardinality p-1: 1. there exists a generator, g 2. each invertible element is a power of g Ex. in Z/ 7Z : 2 1 =2, 2 2 =4,2 3 =1, but 3 1 3, 3 2 2, 3 3 6, 3 4 4, 3 5 5, In Z/ mz, a generator of the invertibles is a primitive root If m=2,4,p k, 2p k, there are Φ(Φ(m)) primitive roots If m is prime, Φ(m-1) primitive roots They are the g k for k coprime with m-1 How to find a primitive root? Prime fields: primitive roots 1/2 First : a test to recognize one 1. Brute-force : try all possible exponents 2. Order of a divides φ(m), thus p prime and dividing φ(m) Thus a is a primtive root. Requires to factor m in order to compute φ(m) Factoring can be partial probable primitive root Then : Finding one? In 8% of the cases, it seems that there is one generator 6 Random tries: average of m-1/ Φ(m-1) < K ln(ln(m)) tries Takes less than.1s on 333MHz, for m<2 64 Then: pre-compute 3 tables takes less than 2s for fields of size less than ) Correspondence between x and i: t 1 [x] = i, s.t. x = g i 2) Correspondence between i and x: t 2 [i] = x, s.t. x = g i 3) «Plus one» table: t 3 [i] = j, s.t. 1+g i = g j [Conway]: perform operations only on the indices! a x : (g i g j ) % m = gi+j ±(m-1) and 1 have special values, for instance and m-1 [Imamura], [Hubert], [Douillet] can reduce the size of tables Hybrid system simulator for ODE 2

3 Prime fields: primitive roots 2/2 a = g i ; x = g j ; y = g k ; a x + y = g i g j + g k = g k (1+g i+j-k ) AXPY: r = i+j-k ; r = t 3 [r] + k ; and tests for zero, indices modulo m-1 Absolutely no system multiplication nor division Every operation is just a combination of tests, additions and table accesses. Prime fields: Montgomery reduction 1/2 System division is replaced by shifts and masks AXPY: 1. c = (a x); /* c = c h B + c l */ 2. unsigned long c (c & MASK); /* c mod B */ 3. c = (c * nim) & MASK; /* -c/p mod B */ 4. c += c * p; /* c = mod B */ 5. c >>= HALF_BITS; /* high bits of c */ 6. return (c>p?c-p:c); /* < c < 2p */ Indeed, RES 4 = c c l (p -1 mod B)p which is thus: modulo B and c modulo p Therefore, RES 5 = RES 4 / B corresponds to c B -1 mod p And we have computed c B -1 modulo p without any division by p Prime fields: Montgomery reduction 2/2 Sun Ultra 25 MHz The trick is that RES 5 is cb -1 mod p but of small size RES 5 < ( (p-1)² + (p-1)b) / B < p-1 + (p-1) Thus only a final subtraction by p might be necessary How to use cb -1? Change of representation : elements are stored as ab mod p Montgomery(aB x bb) cb -1 abbbb -1 abb mod p ab + bb (a+b)b mod p To print only, we need another reduction: Montgomery(aB) abb -1 a No division (replaced by shifts and masks), faster for many machines Smaller primes: Size(p 2 +p*half_word_size) < word size (p<4499 with 32 bits, p< with 64 bits) Speed (Mfop/s) %twice Z/pZ NTL GFq If Memory is fast / machine arithmetic: Tabulation wins p 2 tabulation possible, but pays either: Huge table size / cache misses supplementary additions [Kawame-Murao, MBLAS] AXPY Hybrid system simulator for ODE 3

4 Arithmetics modulo on a PIII 993 MHz Speed (Mfop/s) Montgomery Z/pZ NTL GFq PIII 993 MHz Speed (Mfop/s) Montgomery Z/pZ NTL GFq Better arithmetic, Division still slow: Montgomery wins Addition Soustraction Negation Multiplication Division AXPYIN AXPY AXPY Arithmetics modulo on a PIV 2.4 GHz Speed (Mfop/s) PIV 2.4 GHz 5 Montgomery Z/pZ NTL GFq Speed (Mfop/s) Montgomery Z/pZ NTL GFq Better division? NO! slowing down of Montgomery on PIV classical 2 6 Only 12 Mffop/s % of peak performances 5 AXPY Addition Soustraction Negation Multiplication Division AXPYIN AXPY Hybrid system simulator for ODE 4

5 Set Theory Extension Fields and polynomials Group (G,*) : * binary, internal, associative, neutral, every element has an inverse. An abelian group has * commutative A cyclic group contains at least one generator : g G, a G, i Z, a = g i Ring (A,+, ) : (A,+) abelian group, associative, distributive on +, neutral for (A est unitary). A* is the set of invertible elements by e.g.: (Z/nZ,+, ) where the invertibles a the coprime with n Field (A,+, ) : ring and A* = A\{} R, C, Q : infinite e.g. : Integers modulo a prime p (Z/pZ) : finite of size p Ring of polynomials on an abelian field Polynomial operations complexity G a field, then for a i G, we write P = a i X i G[X] In this ring, there is an euclidian division : A, B G[X] :! (Q, R) G[X] with deg(r) < deg(b) s.t. A = B.Q + R Therefore there is a gcd, and the Extended Euclidian Algorithm works. Two polynomials are coprime if their gcd G A polynomial is irreducible if it is coprime with all the polynomials of degree strictly less than his. There is a factorisation (unique up to a factor of G) into irreducible polynomials Polynomial complexity! [Berlekamp], [Cantor-Zassenhaus] e.g.: In Z/3Z, we have X 3 +X+1=(X-1)(X 2 +X-1) Addition : d additions of the field Multiplication Classical : O(d 2 ) additions/multiplications of the field Karatsuba : O(d ) additions/multiplications of the field If supports FFT : O(d log(d) ) additions/multiplications Euclide : O( Mult(d) log(d) ) field operations Factorizations [Cantor-Zassenhauss] : O ~ ( d 2 log(q) ) operations on GF(q) [Berlekamp] : O( d 3 + Mult(d)log(q) ) operations on GF(q) Hybrid system simulator for ODE 5

6 Fast polynomial product Quotient ring G[X]/P ω n-th root of unity 1. H = DFT( P ) = [ ; j p j ω kj ; ] H k = P( ω k ) 2. DFT( P Q ) = DFT(P). DFT(Q) one to one C k = H k G k = P(ω k ) Q(ω k ) = PQ(ω k ) 3. PQ = DFT -1 ( DFT(P). DFT(Q) ) = [ ; k C k ω kj ; ] Complexity : 3 transformations O(n log(n) ) 1 one to one product O(n) For a field G, P a degree d polynomial The set of polynomial of degree strictly less than d with addition and multiplication modulo P is a commutative ring When G =q, this ring has q d elements When P is irreducible, Euclide proves that it is a field e.g.: Z/3Z[X] / (X 2 +X-1) = {, 1, 2, X, X+1, X-1, 2X, 2X+1, 2X-1} And (X+1)(2X+1) = 2X 2 +1 = 2(X 2 +X-1)+X = X Proposition : p premier, d >, irreducibles exists Corollary : There exists a finite field of size p d Theorem : Those quotient rings are the only ones Some properties Irreducibility test Q et Z/pZ : prime fields GF(q) : Galois Field with q elements K = {k N*, k. 1 G = }; Characteristic : if K is empty (e.g.: R, C, Q) Smallest element in K (e.g.: p for Z/pZ) or prime! Size of finite field = power of its characteristic The set of invertibles GF(p k )* is cyclic of size p k -1 The order of an element is the smallest power s.t. x e = 1 The order always divides p k -1 Theorem : (X q ) r -X is the product of all the unitary irreducible polynomials of GF(q)[X] which degree divides r. Irreducibility test [Ben-Or] for P GF(q)[X] IF gcd(p,p ) 1 THEN Return «no» // Now P is square-free W = X FOR d=1 UNTIL d P / 2 DO W W q [P] IF gcd(w-x,p) 1 THEN Return «no» Return «yes» Hybrid system simulator for ODE 6

7 How ot build a finite field? How many irreducibles of degree d? about one over d Random tries : a mean of d tries Polynomial arithmetics is faster when the irreducible is sparse e.g.: AB=HX d +L mod (X d +a) = -ah + L Search first irreducible of the form: X d +a, X d +bx k +a With an irreducible polynomial, the arithmetic operations can be build, as is the field! Second implementation : generators GF(q d )* is cyclic There exists generators e.g.: Inside Z/3Z[X] / (X 2 +X-1) = {,1,2,X,X+1,X+2,2X,2X+1,2X+2} (X+1) = 1 (X+1) 1 = X+1 (X+1) 2 = X 2 +2X+1 = X+2 (X+1) 3 = (X+2)(X+1) = 2 X (X+1) 4 = 2 (X+1) 5 = 2X+2 (X+1) 6 = 2X+1 (X+1) 7 = X (X+1) 8 = 1 Test for generators 1. Brute force : try P and compute all the successive powers of R until 1 is found 2. But the order of R divides q d -1, thus THEN R is a generator We replaced degree d polynomial complexity by indices arithmetic! speed-up factor of at least d 2! Primitive polynomials tables : compute all the powers of a generator R Faster when P is sprase and R is simple There exists P s.t. X is a generator Called primitive, or X-irreducibles There are φ(q d -1)/d of them among p r polynomials For p < 2 32, the mean tries is < 12d Hybrid system simulator for ODE 7

8 X-irreducibility Building larger finite fields Build with tables : Fast arithmetics Needs O(p k ) memory units RAM size is the limit Build with polynomials : No memory issue Polynomial arithmetics Generation of discrete logarithm tables on a PII, 333 MHz Building a large GF(p d ) with d=kr Build an efficient GF(p k ) with memory fitting in RAM Find an irreducible polynomial of degree r in GF(p k ) Then GF(p d ) GF(p k ) [X] / P Hybrid system simulator for ODE 8