Useful Arithmetic for Cryptography

Transcription

1 Arithmetic and Cryptography 1/116 Useful Arithmetic for Cryptography Jean Claude Bajard LIP6 - UPMC (Paris 6)/ CNRS France 8 Jul 2013

2 Arithmetic and Cryptography 2/116 Introduction Modern Public Key Cryptography In 1985, Victor S Miller [1] and Neal Koblitz [2] introduced Elliptic Curve Cryptography Gödel Prize 2013: Dan Boneh, Matthew K Franklin [3] and Antoine Joux [4] for Pairing Cryptography Group operations on points of elliptic curve defined on finite fields Basic finite field operations: addition, multiplication, inversion

3 Arithmetic and Cryptography 3/116 Content Finite Fields Representations Multiplication in GF (p) Back to multiplication Modular Reduction Multiplication in GF (2 m ) Polynomial Approaches Approaches using specific bases Inversion in a Finite Field Another Approach: Residue Systems Introduction to Residue Systems Modular reduction in Residue Systems Applications to Cryptography Annexes Références

4 Arithmetic and Cryptography 4/116 Finite Fields Representations Finite Fields Representations

5 Arithmetic and Cryptography 5/116 Finite Fields Representations General Principles [5] A finite field F (+, ) is a finite set F such that: F (+) is an Abelian Group F (+, ) is a Ring where every element (excepted 0 for ) has an inverse Elementary Finite Fields have an order equal to a prime p Example of a such finite prime field Z/pZ Z/pZ = {0, 1, 2,, p 1} Calculus are based on modular arithmetic

6 Arithmetic and Cryptography 6/116 Finite Fields Representations Splitting Finite Field More generally, Finite Field has an order equal to a power of a prime, we note GF (p m ) or F p m with p prime p is the caracteristic, if u GF (p m ) then p u = 0 as a set of polynomial residues modulo an irreducible polynomial P(X ) of degree m in F p [x] as a set of the powers of a primitive element g, GF (p m ) = {0, g 0, g 1,, g pm 2 } as a set of linear combinations of base elements : canonical {1, α, α 2,, α m 1 } ou normal {α, α p, α p2, α pm 1 } (α root of P(X ))

7 Arithmetic and Cryptography 7/116 Finite Fields Representations Example in GF (2 2 ) (notice GF (2 2 ) Z/2 2 Z) Polynomials in GF (2)[X ] : 0, 1, X, 1 + X Addition on GF (2) : 1 + (1 + X ) = X Product with a modular reduction in function of an irreducible one X 2 + X + 1 is irreducible over GF (2), GF (4) can be represented by GF (2)[X ]/X 2 + X + 1 Multiplication modulo X 2 + X + 1: X (1 + X ) = (X + X 2 ) mod (X 2 + X + 1) = 1 The choice of the irreducible polynomial impacts the complexity

8 Arithmetic and Cryptography 8/116 Multiplication in GF (p) Multiplication in GF (p) Multiplication of two values

9 Arithmetic and Cryptography 9/116 Multiplication in GF (p) Back to multiplication Multiplication of two values

10 Arithmetic and Cryptography 10/116 Multiplication in GF (p) Back to multiplication Product of two numbers via polynomials k 1 k 1 Let A = a i β i and B = b i β i be two numbers in base β i=0 i=0 k 1 k 1 Let A(X ) = a i X i and B(X ) = b i X i be the associated polynomials i=0 i=0 Evaluation of the product P = A B: 1 Polynomial Evaluation: P(X ) = A(X ) B(X ) 2 Calculus of the value: P(β) = A(β) B(β)

11 Arithmetic and Cryptography 11/116 Multiplication in GF (p) Back to multiplication Product of two numbers via polynomials: Remarks Step 1, the p i are lower than k β 2 Step 2, the calculus of P(β) becomes a reduction of the p i by carry propagation

12 Arithmetic and Cryptography 12/116 Multiplication in GF (p) Back to multiplication Polynomial representations A polynomial of degree k 1 can be defined: by its k coefficients ai k 1 A(X ) = a i X i i=0 or by k values in different points ei k 1 for i = 0k 1, A(e i ) = a j e j i e i are chosen, in respect to two criteria: easy evaluation and small size for the A(e i ) j=0

13 Arithmetic and Cryptography 13/116 Multiplication in GF (p) Back to multiplication Polynomial Product defined by coefficients k 1 k 1 P(X ) = A(X ) B(X ) = ( a i X i ) ( b i X i ) = p 0 p 1 p k 1 p 2k 3 p 2k 2 = i=0 i=0 a a 1 a a k 1 a k 2 a k 3 a 0 0 a k 1 a k 2 a a k 1 k 2 products 2k 2 i=0 b 0 b 1 b k 2 b k 1 p i X i

14 Arithmetic and Cryptography 14/116 Multiplication in GF (p) Back to multiplication Polynomial Product defined by points k 1 k 1 P(X ) = A(X ) B(X ) = ( a i X i ) ( b i X i ) = i=0 is computed at 2k 1 differents points: i=0 P(e 0 ) = A(e 0 ) B(e 0 ) P(e 1 ) = A(e 1 ) B(e 1 ) P(e 2k 3 ) = A(e 2k 3 ) B(e 2k 3 ) P(e 2k 2 ) = A(e 2k 2 ) B(e 2k 2 ) 2k 1 products 2k 2 i=0 p i X i

15 Arithmetic and Cryptography 15/116 Multiplication in GF (p) Back to multiplication Coefficient reconstruction Lagrange approach Use of a sum of k polynomials, such that the i th one is equal to P(e i ) for e i, and 0 for all other e j with j i k 1 P(X ) = P(e i ) i=0 j i (X e j) j i (e i e j )

16 Arithmetic and Cryptography 16/116 Multiplication in GF (p) Back to multiplication Coefficient reconstruction Newton approach The main idea is to use polynomials of increasing degrees k 1 i 1 P(X ) = ˆp i (X e j ) = ˆp 0 + ˆp 1 (X e 0 ) + ˆp 2 (X e 0 )(X e 1 ) + i=0 j=0 ˆp 0 = p 0 ˆp 1 = (p 1 ˆp 0)/(e 1 e 0 ) ˆp i = ( (p i ˆp 0 )/(e i e 0 ) ˆp 1 )/(e i e 1 ) ˆp i 1 )/(e i e i 1 ) ˆp k 1 = ( (p k 1 ˆp 0)/(e k 1 e 0 ) ˆp 1 )/(e k 1 e 1 ) ˆp k 2 )/(e k 1 e k 2 ) with, p i = P(e i )

17 Arithmetic and Cryptography 17/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm(1) Select points e 0 = 0, e 1 = 1 and e 2 = We have: k 1 A = a i β i = ( i=0 k/2 1 i=0 k/2 1 a k/2+i β i )β k/2 + a i β i = A 1 β k/2 + A 0 i=0 Polynomial view: A(X ) = A 1 X + A 0 A(0) = A 0 A( 1) = A 0 A 1 A( ) = lim A 1X X

18 Arithmetic and Cryptography 18/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm (2) Values of the product polynomials P(0) = A 0 B 0 P( 1) = (A 0 A 1 )(B 0 B 1 ) P( ) = lim A 1B 1 X 2 X Newton interpolation ˆp 0 = P(0) = A 0 B 0 ˆp 1 = (P( 1) ˆp 0 )/( 1) = (A 1 A 0 )(B 0 B 1 ) + A 0 B 0 ˆp = lim X ((P( ) ˆp 0)/X ˆp 1 )/(X + 1) = A 1 B 1

19 Arithmetic and Cryptography 19/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm(3) Reconstruction P(X ) = ˆp 0 + ˆp 1 X + ˆp X (X + 1) = A 0 B 0 +((A 1 A 0 )(B 0 B 1 ) + A 0 B 0 + A 1 B 1 )X +A 1 B 1 X 2 Final evaluation P(β k/2 ) = A 0 B 0 +((A 1 A 0 )(B 0 B 1 ) + A 0 B 0 + A 1 B 1 )β k/2 +A 1 B 1 β k

20 Arithmetic and Cryptography 20/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm (4) : Complexity Let denote K(k) as the number of elementary operations By recurrence K(k) = 3K(k/2) + αk, we suppose that the addition is linear We obtain K(k) = O(k log 2 (3) )

21 Arithmetic and Cryptography 21/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (1) The Karatsuba approach can be generalized: Select points e 0 = 0, e 1 = 1, e 2 = 1, e 3 = 2 and e 4 = We have: A = A 2 β 2k/3 + A 1 β k/3 + A 0 Polynomial view: A(X ) = A 2 X 2 + A 1 X + A 0 A(0) = A 0 A( 1) = A 2 A 1 + A 0 A(1) = A 2 + A 1 + A 0 A(2) = 4A 2 + 2A 1 + A 0 A( ) = lim A 2X 2 X

22 Arithmetic and Cryptography 22/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (2) With Newton ˆp 0 = P(0) = A 0 B 0 ˆp 1 = (P( 1) ˆp 0 )/( 1) ˆp 2 = ((P(1) ˆp 0 )/(1) ˆp 1 )/(2) ˆp 3 = (((P(2) ˆp 0 )/(2) ˆp 1 )/(3) ˆp 2 )/(1) ˆp 4 = lim X ((((P( ) ˆp 0)/X ˆp 1 )/(X + 1) ˆp 2 )/(X 1) ˆp 3 )/(X 2) = A 2 B 2 We notice a division by 3 limits of this approach Reconstruction by computing P(β k/3 ): P(X ) = ˆp 0 + X (ˆp 1 + (X + 1)(ˆp 2 + (X 1)(ˆp 3 + ˆp 4 (X 2))))

23 Arithmetic and Cryptography 23/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (3) Let denote T 3 (k) as the number of elementary operations By recurrence T 3 (k) = 5T 3 (k/3) + αk, assuming that addition is linear We obtain T 3 (k) = O(k log 3 (5) )

24 Arithmetic and Cryptography 24/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (4), asymptotic point of view Splitting by n With T n (k) he number of elementary operations By recurrence T n (k) = (2n 1)T n (k/n) + αk, assuming that addition is linear We obtain T n (k) = O(k log n (2n 1) ) Then the complexity of the multiplication can reach O(k 1+ɛ )

25 Arithmetic and Cryptography 25/116 Multiplication in GF (p) Back to multiplication Fourier Transform Complexité Algorithme FFT Select points: the n th roots of unity, ω n = 1, ω primitive Properties: ω 2k is a n 2th root, (ω k ) n/2 = 1 (assuming n even) n 2 1 n 2 1 A(ω k ) = a 2i ω 2ik + ω k a 2i+1 ω 2ik = A 0 (ω 2k ) + ω k A 1 (ω 2k ) i=0 i=0 F (n) number of elementary op for a FFT of dimension n We have F (n) = 2F (n/2) + αn, then, F (n) = O(n log 2 n)

26 Arithmetic and Cryptography 26/116 Multiplication in GF (p) Modular Reduction Multiplication in GF (p) Modular Reduction

27 Arithmetic and Cryptography 27/116 Multiplication in GF (p) Modular Reduction Modular Reduction p fixed Two options: Specific p allowing an easy reduction p = β n ξ avec ξ < β n/2 Common p generic algorithms

28 Arithmetic and Cryptography 28/116 Multiplication in GF (p) Modular Reduction Modular Reduction p = β n ξ with 0 ξ < β n/2 and ξ 2 β n 2β n/2 + 1 We have C = A B (p 1) 2 We write C = C 1 β n + C 0 First reduction pass: C C 1 ξ + C 0 (= C ) (mod p) Second reduction pass: C C 1 ξ + C 0 (= C ) (mod p) Final touch: If C + ξ β n Then R = C + ξ β n, Else R = C

29 Arithmetic and Cryptography 29/116 Multiplication in GF (p) Modular Reduction Modular Reduction p = β n ξ with 0 ξ < β n/2 This reduction uses two multiplications by ξ, two options Choose a very small ξ, for example, ξ < β digit number Choose a very sparce ξ shift and add approach If ξ > β n/2, then the number of passes increases

30 Arithmetic and Cryptography 30/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n 1 ( 1, β, β 2, β ) 2n 2 a a 1 a a n 1 a n 2 a n 3 a 0 0 a n 1 a n 2 a a n 1 C ( 1, β, β 2, β ) n 1 M b 0 b 1 b n 2 b n 1 (mod p) b 0 b 1 b n 2 b n 1

31 Arithmetic and Cryptography 31/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n 1 M = a a 1 a a n 2 a n 3 a 0 0 a n 1 a n 2 a 1 a 0 M = + a 0 a n 1 a n 2 a 1 a 1 a 0 a n 1 a 2 a n 2 a n 3 a 0 a n 1 a n 1 a n 2 a 1 a 0 0 a n 1 a n 2 a a n 1 a a n

32 Arithmetic and Cryptography 32/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n β t 1 If t < n/2 then M is obtained with one matrix addition M = a 0 a n 1 a n 2 a 1 a 1 a 0 a n 1 a 2 a n 2 a n 3 a 0 a n 1 a n 1 a n 2 a 1 a a n 1 a n 2 a 1 0 a n 1 a n t + 0 a n 1 a n t a n a n 1 a n t a n 1

33 Arithmetic and Cryptography 33/116 Multiplication in GF (p) Modular Reduction Multiplication in GF (p) Generic Modular Reduction

34 Arithmetic and Cryptography 34/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Barrett Algorithm [7] Reduction of A modulo P via the approximation of the quotient Conditions: β n 1 P < β n et A < P 2 < β 2n We can write that: β u+v A P βn+u P A β n v = 0 β u+v A P β n+u A P β n v = ( ) P βn+u f ( A P β n v ) + A βn+u βn v f ( ) + f ( A β2n P βn 1 )f ( P ) < P(β u+1 + (β n+v 1) + 1) with f () the fractional part function If u n + 1 and v 2 then (β u+1 + β n+v )/β u+v < 1 We deduce: A mod P A P β2n+1 A P β n 2 β n+3 < 2P

35 Arithmetic and Cryptography 35/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Barrett Algorithm [7] Barrett(A,P) Inputs β n 1 P < β n and A < P 2 < β 2n Output R = A (mod P) et Q = A P Core Q β2n+1 P R A Q P A β n 2 β n+3 If R P, Then R R P and Q Q + 1 Complexity: 2 products of n + 1 digits

36 Arithmetic and Cryptography 36/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Algorithm [8] Reduction of A modulo P via a multiple of P Conditions : β n 1 P < β n and A < Pβ n The scheme is to add a multiple of P to A such that the result is a multiple of β n The division by β n in base β is a shift The output of this approach is A β n mod P

37 Arithmetic and Cryptography 37/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Algorithm [8] Montgomery(A, P) Inputs β n 1 P < β n and A < Pβ n < β 2n Output R = A β n mod P Core Q A P 1 β n mod β n R (A + Q P) R is a multiple of β n R R β n division by β n is a shift, (R < 2P) If R P Then R R P (optional) Complexity: 2 products of n digits (two half products)

38 Arithmetic and Cryptography 38/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Representation To avoid the accumulation of factors β n mod P, we note: à = A β n mod P Thee construction à = Montgomery(A β2n P, P) Stable for addition and multiplication using Montgomery reduction: à + B = à + B and ÃB = Montgomery(à B, P) Reconversion to standard: A = Montgomery(Ã, P) It is the most used algorithm in cryptography

39 Arithmetic and Cryptography 39/116 Multiplication in GF (p) Modular Reduction Interleaved Modular Multiplication Montgomery Algorithm MontgomeryI(A, B, P) Inputs β n 1 P < β n ad AB < Pβ n < β 2n n 1 and B = b i β i Output R = A B β n mod P Core R 0 For i = 0 to i = n 1 do R (R + b i A) q i r 0 p0 1 β mod β R (R + q i P) multiple of β R R β at the end (R < 2P) If R P, Then R R P (optional) i=0

40 Arithmetic and Cryptography 40/116 Multiplication in GF (p) Modular Reduction Binary Interleaved Modular Multiplication Montgomery Algorithm MontgomeryB(A, B, P) Inputs 2 n 1 P < 2 n and AB < 2 n P < 2 2n n 1 and B = b i 2 i Output R = A B 2 n mod P Core R 0 For i = 0 to i = n 1 do R (R + b i A) q i r 0 In fact p = 1 if P odd R (R + q i P) multiple of 2 R R >> 1 at the end (R < 2P) If R P, Then R R P (optional) i=0

41 Arithmetic and Cryptography 41/116 Multiplication in GF (p) Modular Reduction Bipartite Modular Multiplication [9] This approach is based on: We define as: X Y = (X Y ) R 1 mod P We split *y*: Y = Y h R + Y l for example R = β n/2 thus X Y = (X Y h mod P + X Y l R 1 mod P) mod P X Y h mod P is computed using Barret X Y l R 1 mod P is computed via Montgomery These two operations can be done in parallelel

42 Arithmetic and Cryptography 42/116 Multiplication in GF (2 m ) Multiplication in GF (2 m )

43 Arithmetic and Cryptography 43/116 Multiplication in GF (2 m ) Multiplication in GF (2 m ) Most of the hardware implementations use GF (2 m ) where basic operators are AND and XOR The different approaches for the modular reduction needed in the multiplication over GF (2 m ) are: The ones depending of the finite field The generic ones Those using specific bases

44 Arithmetic and Cryptography 44/116 Multiplication in GF (2 m ) Polynomial Approaches Multiplication in GF (2 m ) Polynomial Approaches

45 Arithmetic and Cryptography 45/116 Multiplication in GF (2 m ) Polynomial Approaches Multiplication in GF (2 m ) The calculus of C(X ) = A(X ) B(X ) mod P(X ) can be executed in two steps: 1 a polynomial product C (X ) = A(X ) B(X ), c 0 a c 1 a 1 a c m 1 = a m 1 a 1 a 0 c m 0 a m 1 a 1 c 2m a m 1 2 a modular reduction P(X ) : C(X ) = C (X ) mod P(X ) b 0 b 1 b m 1

46 Arithmetic and Cryptography 46/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm A(X ) B(X ) is computed in GF (2 m ) defined by P(X ) a degree m irreducible polynomial Montgomery compute A(X ) B(X ) R 1 (X )modp(x ) where R(X ) is a fixed element and R 1 (X ) is its inverse modp(x ) We know R(X ) and P(X ) (irreducible), we can precompute R 1 (X ) and P (X ) such that: R 1 (X ) R(X ) + P (X ) P(X ) = 1

47 Arithmetic and Cryptography 47/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (generic case) Inputs: A(X ) and B(X ) of degrees lower than m Outputs: T (X ) = A(X ) B(X ) R 1 (X ) mod P(X ) Precomputed: P (X ), R(X ) Product: C(X ) = A(X ) B(X ) Reduction: Q(X ) = C(X ) P (X ) mod R(X ) T (X ) = ( C(X ) + Q(X ) P(X ) ) div R(X) The complexity is due to the three products The reduction modulo R(X ) and the division by R(X ) are easy if R(X ) = X m

48 Arithmetic and Cryptography 48/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (execution) Polynomial representations: A(X ) = a 0 + a 1X + a 2X a m 1X m 1 B(X ) = b 0 + b 1X + b 2X b m 1X m 1 P(X ) = p 0 + p 1X + p 2X p m 1X m 1 + X m P (X ) = p 0 + p 1X + p 2X p m 1X m 1 We decompose the evaluation using matrices, into two parts: The first lines for the computation of Q(X ) The last lines for the result T (X )

49 Arithmetic and Cryptography 49/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (execution) Decomposition of the calculus for Q(X ): (the lower degrees) Q(X ) = p p 1 p p m 2 p m 3 p 0 0 p m 1 p m 2 p 1 p 0 a a 1 a a m 2 a m 3 a 0 0 a m 1 a m 2 a 1 a 0 b 0 b 1 b m 2 b m 1 Then for T (X ):(the upper degrees) 0 a m 1 a 2 a a 2 a a m 1 a m a m b 0 b 1 b m 3 b m 2 b m p m 1 p 2 p p 2 p p m 1 p m p m q 0 q 1 q m 3 q m 2 q m 1

50 Arithmetic and Cryptography 50/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (complexity of the general case) Complexity counting the number of elementary operations over GF (2): m 2 + (m 1) 2 multiplications (AND) (m 1) 2 + (m 2) 2 + m additions (XOR) For this approach we can use the Montgomery representation: Ã(X ) = A(X ) R(X ) (mod P)(X ) It can be generalized to GF (p k )

51 Arithmetic and Cryptography 51/116 Multiplication in GF (2 m ) Polynomial Approaches Iterative Montgomery in GF (2 m ) with R(X ) = X m Inputs: A(X ) and B(X ) of degrees lower than m Output: T (X ) = A(X ) B(X ) R 1 (X ) mod P(X ) Precomputed: P (X ), R(X ) Initialisation T (X ) = 0 Loop For i = 0 to m 1 do T (X ) = T (X ) + a i B(X ) T (X ) = (T (X ) + t 0 P(X ))/X

52 Arithmetic and Cryptography 52/116 Multiplication in GF (2 m ) Polynomial Approaches Iterative Montgomery in GF (2 m ) with R(X ) = X m At each step a division by X, hence at the end it is equivalent to R(X ) = X m Moreover P(X ) is irreducible, thus its constant term is 1, idem for P (X ) The complexity given in logical gates: 2m 2 XOR (for the additions) and 2m 2 AND (for the products)

53 Arithmetic and Cryptography 53/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito [10] Approach Idea GF (2 m ) is defined by a root α of the irreducible P(X ) of degree m The elements of GF (2 m ) are given in the canonical {1, α, α 2,, α m 1 }: m 1 m 1 A = a i α i and B = b i α i i=0 i=0 m 1 We note C = A B in GF (2 m ), C = c i α i Mastrovito proposed to construct Z, a matrix m m using the coefficients of A, such that: i=0 C = Z B

54 Arithmetic and Cryptography 54/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito Construction of Z Z is obtained by: 1 constructing the matrix (m 1) m, Q which is the representations of X k for k m modulo P(X ): X m X 0 X m+1 = Q X 1 X 2m 2 X m 1 2 and then, the matrix Z is obtained with: a i for j = 0, i = 0 m 1 z i,j = u(i j) a i j + j 1 t=0 q j 1 t,i a m 1 t, else, with u(t) = { 1 if t 0 0 else

55 Arithmetic and Cryptography 55/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito Cost of the approach The complexity is due to the construction of Z which can need m 3 /2 And and Xor, the choice of the irreducible polynomial is fundamental With trinomials like X m + X + 1 the multiplication is done with m 2 1 XOR and m 2 AND There are some variants if all the coefficients are 1 (all-one polynomial) P(X ) = 1 + X + X X m, in this case X m+1 1 (mod P(X )) or for regular sparced polynomials P(X ) = 1 + X + X X k =m, here X (k+1) 1 (mod P(X ))

56 Arithmetic and Cryptography 56/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito I Example with a trinomial We consider GF (2 7 ) with the canoical base {1, α, α 2,, α 6 } where α is a root of the irreducible P(X ) = X 7 + X + 1 Thus, α 7 = α + 1 (1, 1, 0, 0, 0, 0, 0) α 8 = α 2 + α (0, 1, 1, 0, 0, 0, 0) α 9 = α 3 + α 2 (0, 0, 1, 1, 0, 0, 0) α 10 = α 4 + α 3 (0, 0, 0, 1, 1, 0, 0) α 11 = α 5 + α 4 (0, 0, 0, 0, 1, 1, 0) α 11 = α 6 + α 5 (0, 0, 0, 0, 0, 1, 1) et Q =

57 Arithmetic and Cryptography 57/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito II Example with a trinomial Z = a 0 a 6 a 5 a 4 a 3 a 2 a 1 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 6 a 5 a 4 a 3 a 2 a 1 a 0 + a 6

58 Arithmetic and Cryptography 58/116 Multiplication in GF (2 m ) Polynomial Approaches Méthode de Mastrovito Exemple avec un All-One If P(X ) = 1 + X + X X m, the matrix Z can be written as Z = Z 1 + Z 2 with: a 0 0 a m 1 a 3 a 2 a 1 a 0 0 a m 1 a 4 a 3 Z 1 = a m 2 a m 3 a 0 0 a m 1 a m 2 a 1 a 0 and 0 a m 1 a m 2 a 1 Z 2 = 0 a m 1 a m 2 a 1 (ie ligne X m ) 0 a m 1 a m 2 a 1

59 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions

60 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions

61 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions

62 Arithmetic and Cryptography 60/116 Multiplication in GF (2 m ) Polynomial Approaches Product matrix-vector with a Toeplitz [11] If T is Toeplitz n n with 2 n then: [ ] [ ] T1 T T V = 0 V0 T 2 T 1 V 1 [ ] is such that: P0 + P T V = 2 P 1 + P 2 with P 0 = (T 0 + T 1 ) V 1, P 1 = (T 1 + T 2 ) V 0, P 2 = T 1 (V 0 + V 1 ),

63 Arithmetic and Cryptography 61/116 Multiplication in GF (2 m ) Polynomial Approaches Complexity of the Toeplitz - vector product Fan and Hasan proposed also a 3-way split method Two-way split method Three-way split method # AND n log 2 (3) n log 3 (6) # XOR 55n log 2 (3) 24 6n nlog 3 (6) 5n Delay T A + 2 log 2 (n)d X D A + 3 log 3 (n)d X D A is the delay of one AND and D X the one for one XOR

64 Arithmetic and Cryptography 62/116 Multiplication in GF (2 m ) Polynomial Approaches Application of Toeplitz - vector approach We have seen that C(X ) = A(X ) B(X ) mod P(X ) can be obtained with C(X ) = Z B(X ), where Z is a m m matrix Using circular permutations of rows or columns, Z can be transformed into a Toeplitz Fan-Hasan did it with trinomials, pentanomials (2006) and All-One (2007), then Hasan-Nègre (2010) used quadrinomals (with Q(X ) = (X + 1)P(X ))

65 Arithmetic and Cryptography 63/116 Multiplication in GF (2 m ) Polynomial Approaches Application of Toeplitz - vector approach Example We consider GF (2 6 ) with P(X ) = X 6 + X + 1 Z = a 0 a 5 a 4 a 3 a 2 a 1 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 5 is transformed in Toeplitz with a rotation of the 1st row to the last one Z = a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 5 a 0 a 5 a 4 a 3 a 2 a 1

66 Arithmetic and Cryptography 64/116 Multiplication in GF (2 m ) Approaches using specific bases Multiplication in GF (2 n ) Approaches using specific bases

67 Arithmetic and Cryptography 65/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base for GF (2 m ) We call normal base of GF (2 m ), the base {α, α 2, α 22, α 2m 1 } where α is a root of P(X ) (irreducible of degree m) ( α 2i are roots of P(X ), Frobenius property, P(X ) 2i = P(X 2i )) A in GF (2 m ): A = (a 0, a 1,, a m 1 ) = The square operation is a left rotation: we have A 2 m 1 = a i α 2i+1 but α 2m = α, i=0 thus, A 2 = a m 1 α + m 1 i=1 m 1 i=0 a i α 2i a i 1 α 2i in other words A 2 = (a m 1, a 0,, a m 2 )

68 Arithmetic and Cryptography 66/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] We have D = A B = A M B t with: M = α α α j α m 2 α m 1 α α α j α m 2 α m 1 α 2i +2 0 α 2i +2 1 α 2i +2 j α 2i +2 m 2 α 2i +2 m 1 α 2m α 2m α 2m 1 +2 j α 2m 1 +2 m 2 α 2m 1 +2 m 1 M = M 0 α + M 1 α M m 1 α 2m 1 where M i are composed of 0 and 1 Thus, D = A B is obtained coordinate by coordinate with d m 1 k = A M m 1 k B t for k = 0,, m 1

69 Arithmetic and Cryptography 67/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] Storage of one matrix We have D 2k = A 2k B 2k and the power to 2 k is given by k left rotations: d m 1 k = A 2k M m 1 (B 2k ) t for k = 0,, m 1 The complexity is given by the number of 1 s in M m 1 which depends on m and on P(X ) The lower bound is 2m 1 When this bound is reached, the base is said optimal [12] If all the coefficients of P(X ) are 1 (All-One), it is reached and the complexity is m 2 AND and 2m 2 2m XOR

70 Arithmetic and Cryptography 68/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] Example We consider GF (2 4 ) and the normal base (α 20, α 21, α 22, α 23 ) where α is a root of P(X ) = X 4 + X (irreducible) α 2 α + α 2 + α 8 α + α 4 α + α 4 + α 8 α + α M = 2 + α 8 α 4 α + α 2 + α 4 α 2 + α 8 α + α 4 α + α 2 + α 4 α 8 α 2 + α 4 + α 8 α + α 4 + α 8 α 2 + α 8 α 2 + α 4 + α 8 α Thus, M 3 =

71 Arithmetic and Cryptography 69/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Modified Massey-Omura [14] If P(X ) is All-One, the complexity can be decreased to m 2 AND and m 2 1 XOR, by decomposing M m 1 M m 1 = (P + Q) (mod 2) { 1 if i = (m/2 + j) mod m with P i,j = 0 else Let T (k) be such that: B 2k = BT (k), we have T (k) PT (k)t = P, and d m 1 k = A P B t + A 2k Q (B 2k ) t for k = 0,, m 1

72 Arithmetic and Cryptography 70/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Modified Massey-Omura [14] Example We consider GF (2 4 ) and the normal base (α 20, α 21, α 22, α 23 ) where α is a root of P(X ) = X 4 + X 3 + X 2 + X + 1 (irreducible) With γ = α + α 2 + α 4 + α 8, we obtain: Thus: M 3 = ( M = ) = P + Q = α 2 α 8 γ α 4 α 8 α 4 α γ γ α α 8 α 2 α 4 γ α 2 α ( ) + ( )

73 Arithmetic and Cryptography 71/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ) Definition Trace Function: linear form Tr(u) = m 1 i=0 u GF (2 m ) (minimal polynomial of α, P(X ) = m 1 i=0 (X α2i ) GF (2)[X ]) u 2i GF (2) with Dual Bases: two bases {λ i, i = 0m 1} { and 1 i = j {ν j, j = 0m 1} are dual if Tr(λ i ν j ) = 0 i j Base conversion : Tr(ν j x) = x j where x j with x = m 1 j=0 x j λ j

74 Arithmetic and Cryptography 72/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ) General Definition An other linear form: f (u) = Tr(βu) where β GF (2 k ) { 1 i = j Dual bases if Tr(βλ i ν j ) = 0 i j Base conversion: Tr(βν j x) = x j where x j with x = m 1 j=0 x j λ j

75 Arithmetic and Cryptography 73/116 Multiplication in GF (2 m ) Approaches using specific bases Multiplication avec les Bases duales dans GF (2 m ) [15] We consider the canonical base {α i, i = 0m 1} and a dual base with (f, β) Be a, b et c in GF (2 m ): c = a b Tr(bβ) Tr(bβα) Tr(bβα m 1 ) Tr(bβα) Tr(bβα 2 ) Tr(bβα m ) Tr(bβα m 1 ) Tr(bβα m ) Tr(bβα 2m 2 ) a 0 a 1 a m 1 = Tr(cβ) Tr(cβα) Tr(cβα m 1 ) first line, we find the coordinates of b in the dual base, coordinates of a are in the canonical one, c is obtained in the dual base Goal: find f such that the dual base is a permutation of the canonical one [16]

76 Arithmetic and Cryptography 74/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ): example 1 In GF (2 4 ), we consider the canonical base (1, α, α 2, α 3 ) where α is a root of P(X ) = X 4 + X (irreducible) Consider the base, (α 12 = α + 1, α 11 = α 3 + α 2 + 1, α 10 = α 3 + α, α 13 = α 2 + α) which satisfies Tr(α 10 ) = Tr(α 11 ) = Tr(α 13 ) = Tr(α 14 ) = Tr(1) = 0, et Tr(α 12 ) = Tr(α) = 1 Thus bases (1, α, α 2, α 3 ) and (α 12, α 11, α 10, α 13 ) are dual Let A = α 12 = (1, 1, 0, 0) and B = α 7 = (0, 1, 1, 1) in the canonical base, and A = α 12 = (1, 0, 0, 0) and B = α 7 = (0, 1, 1, 0) in the dual one We have, ( ) ( 1 ) 1 = 0 0 ( We verify that C = α 4 = (1, 0, 1, 0) in the dual base and C = (1, 0, 0, 1) in the canonical one )

77 Arithmetic and Cryptography 75/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ): example 2 We consider GF (2 4 ) and the canonical base (1, α, α 2, α 3 ) with α root of P(X ) = X 4 + X We consider the linear form Tr(α 10 u) In this case, the dual base is a permutation of the canonical one (α 2, α, 1, α 3 ) Base conversion is trivial and the product of A = α 12 and B = α 7 becomes: We verify that C = α =

78 Arithmetic and Cryptography 76/116 Inversion in a Finite Field Inversion in a Finite Field

79 Arithmetic and Cryptography 77/116 Inversion in a Finite Field Extended Euclid Algorithm Evaluation of the inverse of a modulo b using Bezout identity bu 1 + au 2 = gcd(a, b) We consider U = (u 1, u 2, u 3 ) and V = (v 1, v 2, v 3 ) such that: u 1 b + u 2 a = u 3 v 1 b + v 2 a = v 3 Initialization (u 1, u 2, u 3 ) = (1, 0, b) and (v 1, v 2, v 3 ) = (0, 1, a) We apply the Euclid GCD algorithm on u 3 and v 3 keeping the previous identities In fact terms of index 2 are not useful for the computing of the inverse

80 Arithmetic and Cryptography 78/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (p) Initialization u 1 1 u 2 0 u 3 p v 1 0 v 2 1 v 3 a Loop while v 3 0 q = u 3/v 3 t 1 u 1 qv 1 t 2 u 2 qv 2 t 3 u 3 qv 3 u 1 v 1 u 2 v 2 u 3 v 3 v 1 t 1 v 2 t 2 v 3 t 3 Result u 2 a 1 mod p

81 Arithmetic and Cryptography 79/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (2 m ) Initialisation U 1 1 U 2 0 U 3 P(X ) V 1 0 V 2 1 V 3 A(X ) Loop while V 3 0 n = deg(u 3) deg(v 3) T 1 U 1 X n V 1 t 2 U 2 X n V 2 T 3 U 3 X n V 3 If deg(t 3) deg(v 3) then U 1 T 1 U 2 T 2 U 3 T 3 U 1 V 1 U 2 V 2 U 3 V 3 V 1 T 1 V 2 T 2 V 3 T 3 Result U 2 A 1 mod P(X ) In GF (2 m ), this algorithm is in O(k) (at each step the degree decreases)

82 Arithmetic and Cryptography 80/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (2 4 ) We consider A(X ) = X and P(X ) = X 4 + X irreducible u 1 (X ) = 1 u 2 (X ) = 0 u 3 (X ) = P(X ) = X 4 + X v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = A(X ) = X n = 2 u 1 (X ) = 1 u 2 (X ) = X 2 u 3 (X ) = X 3 + X v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = X n = 1 u 1 (X ) = 1 u 2 (X ) = X 2 + X u 3 (X ) = X 2 + X + 1 v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = X n = 0 u 1 (X ) = 0 u 2 (X ) = 1 u 3 (X ) = X v 1 (X ) = 1 v 2 (X ) = X 2 + X + 1 v 3 (X ) = X n = 1 u 1 (X ) = 1 u 2 (X ) = X 2 + X + 1 u 3 (X ) = x v 1 (X ) = X v 2 (X ) = X 2 + X 3 + X + 1 v 3 (X ) = 1 n = 1 u 1 (X ) = X u 2 (X ) = X 2 + X 3 + X + 1 u 3 (X ) = 1 v 1 (X ) = 1 + X 2 v 2 (X ) = X 4 + X v 3 (X ) = 0 We verfify that (X 2 + X 3 + X + 1)(X 2 + 1) = 1 mod (X 4 + X 3 + 1) and X 2 + X 3 + X + 1 is the inverse of X modulo P(X )

83 Arithmetic and Cryptography 81/116 Inversion in a Finite Field Fermat-Euler Approach Theorem: If β 0 in F q, then β q = β in F q β is a root of X q = X Corollary: For β 0 in F q : β q 2 = β 1 In GF (p) we need an exponentiation to p 2 which can be costly In GF (2 m ), we have β 1 = β 2m 2 The exponentiation uses the binary representation of the exponent, we can use a square and multiply strategy, minimizing the multiplications considering that 2 m 2 = [17]

84 Arithmetic and Cryptography 82/116 Inversion in a Finite Field Fermat-Euler Approach Example in GF (2 4 ) We consider GF (2 4 ) and the canonical base (1, α, α 2, α 3 ) where α is a root of P(X ) = X 4 + X (irreducible) We have = 14 Let A(X ) = X 2 + 1, we have A 1 (X ) = A 14 (X ) = (X 2 + 1) 14 mod (X 4 + X 3 + 1) The binary representation of 14 is 1110, thus, (X 2 + 1) 14 = ((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1)) 2 mod (X 4 + X 3 + 1) Step by step: (X 2 + 1) 2 = X 3 ((X 2 + 1) 2 )(X 2 + 1) = (X 2 + 1) 3 = X + 1 (((X 2 + 1) 2 )(X 2 + 1)) 2 = (X 2 + 1) 6 = X ((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1) = (X 2 + 1) 7 = X 3 (((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1)) 2 = (X 2 + 1) 14 = X 3 + X 2 + X + 1

85 Arithmetic and Cryptography 83/116 Inversion in a Finite Field Fermat-Euler Approach Example in GF (2 31 ) We consider GF (2 31 ) We want to compute β 231 2, but = is in binary operation valuer exponent β 2 = β 2 10 β 2 β = β 3 11 (β 3 ) 22 = β β 12 β 3 = β (β 15 ) 24 = β β 240 β 15 = β (β 255 ) 28 = β β β 255 = β (β ) 215 = β (β 255 ) 27 = β (β 15 ) 23 = β (β 3 ) 21 = β β β = β β 120 β 6 = β β β 126 = β

86 Arithmetic and Cryptography 84/116 Another Approach: Residue Systems Introduction to Residue Systems Another Approach: Residue Systems Introduction to Residue Systems

87 Arithmetic and Cryptography 85/116 Another Approach: Residue Systems Introduction to Residue Systems Introduction to Residue Systems In some applications, like cryptography, we use finite field arithmetics on huge numbers or large polynomials Residue systems are a way to distribute the calculus on small arithmetic units Are these systems suitable for finite field arithmetics?

88 Arithmetic and Cryptography 86/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Number Systems in F p, p prime Modular arithmetic mod p, elements are considered as integers Residue Number System RNS base: a set of coprime numbers (m1,, m k ) RNS representation: (a1,, a k ) with a i = A mi Full parallel operations modm with M = k i=1 m i ( a 1 b 1 m1,, a n b n mn ) A B (mod M) Very fast product, but an extension of the base could be necessary and a reduction modulo p is needed

89 Arithmetic and Cryptography 87/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Number Systems in F p, p prime Φ(m) = p m p prime log p = log p m p prime p m If 2 m 1 M < 2 m, then the size of moduli is of order O(log m) In other words, if addition and multiplication have complexities of order Θ(f (m)), then in RNS the complexities become Θ(f (log m))

90 Arithmetic and Cryptography 88/116 Another Approach: Residue Systems Introduction to Residue Systems Lagrange representations in F p k with p > 2k Arithmetic modulo I (X ), an irreducible F p polynomial of degree k Elements of F p k are considered as F p polynomials of degree lower than k Lagrange representation is defined by k different points e1, e k in F p (k p) A polynomial A(X ) = α0 + α 1 X + + α k 1 X k 1 over F p is given in Lagrange representation by: (a 1 = A(e 1 ),, a k = A(e k )) Remark: ai = A(e i ) = A(X ) mod (X e i ) If we note m i (X ) = (X e i ), we obtain a similar representation as RNS Operations are made independently on each A(e i ) (like in FFT or Tom-Cook approaches) We need to extend to 2k points for the product

91 Arithmetic and Cryptography 89/116 Another Approach: Residue Systems Introduction to Residue Systems Trinomial residue in F 2 n Arithmetic modulo I (X ), an irreducible F 2 polynomial of degree n Elements of F 2 n are considered as F 2 polynomials of degree lower than n Trinomial representation is defined by a set of k coprime trinomials m i (X ) = X d + X t i + 1, with k d n, an element A(X ) is represented by (a 1 (X ), a k (X )) with a i (X ) = A(X ) mod m i (X ) This representation is equivalent to RNS Operations are made independently for each m i (X )

92 Arithmetic and Cryptography 90/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Systems Residue systems could be an issue for computing efficiently the product The main operation is now the modular reduction for constructing the finite field elements The choice of the residue system base is important, it gives the complexity of the basic operations

93 Arithmetic and Cryptography 91/116 Another Approach: Residue Systems Modular reduction in Residue Systems Modular reduction in Residue Systems

94 Arithmetic and Cryptography 92/116 Another Approach: Residue Systems Modular reduction in Residue Systems Reduction of Montgomery on F p The most used reduction algorithm is due to Montgomery (1985)[8] For reducing A modulo p, one evaluates q = (Ap 1 ) mod 2 s, then one constructs R = (A + qp)/2 s The obtained value satisfies: R A 2 s (mod p) and R < 2p if A < p2 s We note Montg(A, 2 s, p) = R Montgomery notation: A = A 2 s mod p Montg(A B, 2 s, p) (A B) 2 s (mod p)

95 Arithmetic and Cryptography 93/116 Another Approach: Residue Systems Modular reduction in Residue Systems Residue version of Montgomery Reduction The residue base is such that p < M (or deg M(X ) deg I (X )) We use an auxiliary base such that p < M (or deg M (X ) deg I (X )), M and M coprime (Exact product, and existence of M 1 ) Steps of the algorithm 1 Q = (Ap 1 ) mod M (calculus in base M) 2 Extension of the representation of Q to the base M 3 R = (A + Qp) M 1 (calculus in base M ) 4 Extension of the representation of R to the base M The values are represented in the two bases

96 Arithmetic and Cryptography 94/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension of Residue System Bases (from M to M ) The extension comes from the Lagrange interpolation If (a 1,, a k ) is the residue representation in the base M, then A = k [ M a i i=1 m i ] 1 m i M αm m i mi The factor α can be, in certain cases, neglected or computed [18] Another approach consists in the Newton interpolation where A is correctly reconstructed [21] In the polynomial case, the term αm vanishes

97 Arithmetic and Cryptography 95/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension for Q By the CRT Q = n q i M i 1 mi M i = Q + αm i=1 m i where 0 α < n When Q has been computed, it is possible to compute R as R = (AB + Qp)M 1 = (AB + Qp + αmp)m 1 = (AB + Qp)M 1 + αp so that R R ABM 1 (mod p), which is sufficient for our purpose Also, assuming that AB < pm, we find that R < (n + 2)p since α < n

98 Arithmetic and Cryptography 96/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension R Shenoy and Kumaresan (1989): n Mi We have ( M i 1 mi m i r i ) = R + α M i=1 ( n α = M 1 m n+1 M i M i 1 mi m i r i R mn+1) i=1 mn+1 n r j = M i M i 1 mi m i r i αm mj mj i=1 mj mn+1

99 Arithmetic and Cryptography 97/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension of Residue System Bases We first translate into an intermediate representation (MRS): ζ 1 = a 1 ζ 2 = (a 2 ζ 1 ) m1 1 mod m 2 ζ 3 = ( (a 3 ζ 1 ) m1 1 ) ζ 2 m 1 2 mod m 3 ζ n = ( ( (a n ζ 1 ) m 1 1 ζ 2 ) m 1 2 ζ n 1 ) m 1 n 1 mod m n We evaluate A, with Horner s rule, as A = ( ((ζ n m n 1 + ζ n 1 ) m n ζ 3 ) m 2 + ζ 2 ) m 1 + ζ 1

100 Arithmetic and Cryptography 98/116 Another Approach: Residue Systems Modular reduction in Residue Systems Features of the residue systems Efficient multiplication, the cost being the cost of one multiplication on one residue Costly reduction: O(k 16 ) for trinomials [21] (annexe 109), 2k 2 + 3k O(k) for RNS [18] (annexe 104), O(k 2 ) O(k) for Lagrange representation [22] (annexe 112) If we take into account that most of the operations are multiplications by a constant, the cost can be considerably smaller

101 Arithmetic and Cryptography 99/116 Another Approach: Residue Systems Applications to Cryptography Applications to Cryptography

102 Arithmetic and Cryptography 100/116 Another Approach: Residue Systems Applications to Cryptography Elliptic curve cryptography The main idea comes from the efficiency of the product and the cost of the reduction in Residue Systems We try to minimize the number of reductions A reduction is not necessary after each operation Clearly, for a formula like A B + C D, only one reduction is needed Elliptic Curve Cryptography is based on addition of points We use appropriate forms (Hessian, Jacobi, Montgomery) and coordinates: projective, Jacobian or Chudnowski For 512 bits values, Residues Systems for curves defined over a prime field, are more efficient than classical representations [19]

103 Arithmetic and Cryptography 101/116 Another Approach: Residue Systems Applications to Cryptography Pairings To summarize, we define a pairing as follows: let G 1 and G 2 be two additive abelian groups of cardinal n, and G 3 a multiplicative group of cardinal n A pairing is a function e : G 1 G 2 G 3 which verifies the following properties: Bilinearity, Non-degeneracy For pairings defined on an elliptic curve E over a finite field F p, we have G 1 E(F p ), G 2 E(F p k ) and G 3 Fp k, where k is the smallest integer such that n divides p k 1; k is called the embedded degree of the curve

104 Arithmetic and Cryptography 102/116 Another Approach: Residue Systems Applications to Cryptography Pairings The construction of the pairing involves values over F p and F p k in the formulas An approach with Residue Systems, similar to the one made on ECC could be interesting [20] k is most of the time chosen as a small power of 2 and 3 for algorithmic reasons Residue arithmetics allows us to pass over this restriction With pairings, we can also imagine two levels of Residue Systems: one over F p and one over Fp k

105 Arithmetic and Cryptography 103/116 Annexes ANNEXES Détails of the implementation in Residue Systems

106 Arithmetic and Cryptography 104/116 Annexes Annexe F p Table : Hamming weight w(m 1 i,j ) of the inverse of m i modulo m j m j m i 2 k 2 k 1 2 k 2 t k 2 t k 2 t k 2 t k 1 2 k k 2 t 1 1 k k t t t 1 t 2 2 k 2 t 2 1 k k t t t 1 t 2 2 k 2 t k k 1 k t t1 2 1 t 1 1 t 1 t 2 2 k 2 t Back to 98 k t2 k 1 t k t 1 t 1 t 2

107 Arithmetic and Cryptography 105/116 Annexes Table : Hamming weight w(m 1 i,j ) of the inverse of m i modulo m j m j m i 2 k 2 k 1 2 k 2 t k 2 t 1 2 k 2 t k 2 t k 1 2 k k 2 t+1 1 k t+1 2 k 2 t 1 kt k t t 1 2 k 2 t k k 1 k t 2 t+1 t t 1 2 k 2 t + 1 kt k 1 k t t 1 t 1 Back to 98 k t t 1 2 2

108 Arithmetic and Cryptography 106/116 Annexes Pair of 5 Moduli - Parallel mode The dynamical range is M = and M < M m 1 = m 1 = RNS bases m 2 = m 2 = for 5 moduli m 3 = m 3 = (P) m 4 = m 4 = m 5 = m 5 = Back to 98

109 Arithmetic and Cryptography 107/116 Annexes Inverses m 1 i,j in basis B 5 ω(m 1 ) i,j m 1 1,2 = m 1 1,3 = m 1 1,4 = m 1 1,5 = m 1 2,3 = m 1 2,4 = m 1 2,5 = m 1 3,4 = m 1 3,5 = m 1 4,5 = Back to 98

110 Arithmetic and Cryptography 108/116 Annexes Inverses m 1 i,j in basis B 5 ω(m 1 ) i,j m 1 1,2 = m 1 1,3 = m 1 1,4 = m 1 1,5 = m 1 2,3 = m 1 2,4 = m 1 2,5 = m 1 3,4 = m 1 3,5 = m 1 4,5 = Back to 98

111 Arithmetic and Cryptography 109/116 Annexes Annexe F 2 n To compute ψ = F T 1 j mod T i (1) We use the nptation, B j,i (X ) = T j mod T i Thus, (1) becomes ψ = F B 1 j,i mod T i (2) We evaluate (2) like a Montgomery reduction, where B j,i is the Montgomery factor: 1 φ = F T 1 i mod B j,i, (F + φt i multiple of B j,i ) 2 ψ = (F + φ T i )/B j,i (with a division by B j,i ) Back to 98

112 Arithmetic and Cryptography 110/116 Annexes We remark that B j,i (X ) = X t j (X t i t j + 1) for t j < t i In order to evaluate (2), we compute ψ = ) ( 1 (F (X a ) 1 mod T i X b + 1) mod Ti (3) We evaluate F (X a ) 1 mod T i in two steps: Back to 98 φ = F T 1 i mod X a (4) ψ = (F + φ T i ) /X a (5)

113 Arithmetic and Cryptography 111/116 Annexes To end (3), we compute F (X b + 1) 1 mod T i (degree of F is at most d 1) in four steps: Back to 98 F = F mod (X b + 1) (6) φ = F T 1 i mod (X b + 1) (7) ρ = F + φ T i (8) ψ = ρ/(x b + 1) (We have ρ = ψx b + ψ thus ρ mod X b = ψ mod X b ) (9)

114 Arithmetic and Cryptography 112/116 Annexes Annexe F p k Let us consider the first 2k integers: we define E = {0,, k 1} and E = {k,, 2k 1} We can precompute k 1 constants C j = ((e j e 1 )(e j e 2 ) (e j e j 1 )) 1 mod p, for 2 j k and we can evaluate (ˆq 1,, ˆq k ) ˆq 1 = q 1 mod p, ˆq 2 = (q 2 ˆq 1 )C 2 mod p, ˆq 3 = (q 3 (ˆq 1 + 2ˆq 2 ))C 3 mod p, Back to 98 ˆq k = (q k (ˆq 1 + (k 1)(ˆq 2 + (k 2)(ˆq ˆq k 1 ) ))) C k mod p (10)

115 Arithmetic and Cryptography 113/116 Annexes q i = ( ( (ˆq k (e i e k 1 ) + ˆq k 1 )(e i e k 2 ) + + ˆq 2 )(e i ) e 1 ) + ˆq 1 mod p (11) q 1 = (( (ˆq k 2 + ˆq k 1 ) ˆq 2 ) k + ˆq 1 ) mod p, q 2 = (( (ˆq k 3 + ˆq k 1 ) ˆq 2 ) (k + 1) + ˆq 1 ) mod p, (12) q k = (( (ˆq k (k + 1) + ˆq k 1 ) (k + 2) + + ˆq 2 ) (2k 1) + ˆq 1 ) mod p, Back to 98

116 Arithmetic and Cryptography 114/116 Annexes For example the multiplication by 45 = ( ) 2 gives three additions if one considers the NAF, or with only two if one considers its factorization 45 = 9 5 c #A c #A c #A Table : Number of addition (#A) required in the multiplication by some small constants c Back to 98

117 Arithmetic and Cryptography 115/116 Annexes p form of p k l Table : Good candidates for p and k suitable for elliptic curve cryptography and the corresponding key lengths Back to 98

118 Arithmetic and Cryptography 116/116 Références REFERENCES

119 Arithmetic and Cryptography 116/116 Références Miller, V (1985) Use of elliptic curves in cryptography CRYPTO 85: Koblitz, N (1987) Elliptic curve cryptosystems Mathematics of Computation 48 (177): Boneh, Dan; Franklin, Matthew (2003) Identity-based encryption from the Weil pairing SIAM Journal on Computing 32 (3): Joux, Antoine (2004) A one round protocol for tripartite Diffie-Hellman Journal of Cryptology 17 (4): R Lidl and H Niederreiter Finite Fields Addison-Wesley, Reading, 1985

120 Arithmetic and Cryptography 116/116 Références Rudolf Lidl and Harald Niederreiter Introduction to Finite Fields and Their Applications Cambridge University Press, revised edition edition, 1994 Paul Barrett Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor Advances in Cryptology CRYPTO 86 Lecture Notes in Computer Science Volume 263, 1987, pp Montgomery, PL: Modular multiplication without trial division Math Comp 44:170 (1985) M Kaihara and N Takagi Bipartite Modular Multiplication Method IEEE Trans on Computers, vol 57, No 2, , Feb 2007 E Mastrovito VLSI Architectures for Computation in Galois Fields

121 Arithmetic and Cryptography 116/116 Références PhD thesis, Linkoping University, Dept Electr Eng, 1991 H Fan and M A Hasan, A New Approach to Sub-quadratic Space Complexity Parallel Multipliers for Extended Binary Fields, IEEE Trans Computers, vol 56, no 2, pp , Feb 2007 RC Mullin, IM Onyszchuk, SA Vanstone and R Wilson Optimal normal basis in gf (p m ) Discrete Applied Mathematics, 1989 JL Massey and JK Omura Computational Method and Apparatus for Finite Field Arithmetic US patent No 4,587,627, 1986 Hasan, Wang, and Bhargava A modified massey-omura parallel multiplier for a class of finite fields

122 Arithmetic and Cryptography 116/116 Références IEEETC: IEEE Transactions on Computers, 42, 1993 Sebastian TJ Fenn, Mohammed Benaissa and David Taylor gf (2 m ) multiplication and division over the dual basis IEEE Transactions on Computers, 1996 M Anwarul Hasan Huapeng Wu and Ian F Blake New low-complexity bit-parallel finite field multipliers using weakly dual bases IEEE Transactions on Computers, 1998 Takagi, Yoshiki, and Takagi A fast algorithm for multiplicative inversion in GF (2 m ) using normal basis IEEETC: IEEE Transactions on Computers, 50, 2001 Bajard, JC, Didier, LS, Kornerup, P: Modular multiplication and base extension in residue number systems