Another Look at Inversions over Binary Fields

Size: px

Start display at page:

Download "Another Look at Inversions over Binary Fields"

Lenard Shelton
5 years ago
Views:

1 Another Look at Inversions over Binary Fields Vassil Dimitrov 1 Kimmo Järvinen 2 1 Department of Electrical and Computer Engineering University of Calgary, Canada 2 Department of Information and Computer Science Aalto University, School of Science, Finland

2 Inversion with Fermat s Little Theorem Multiplicative inverse: Given A 0 GF(2 m ), find A 1 such that A 1 A = 1 A 2m 1 = 1 for all A 0 GF (2 m ) A 1 = A 2m 2 A 2(2m 1 1) = A 2( m 2 ) Standard exponentiation A 2( m 2) = B B 2 B B 2m 2 where B = A 2 m 2 multiplications m 1 squarings 2/23

3 Itoh-Tsujii Introduced by Itoh and Tsujii in 1988 { m 2 (1 + 2)( m 3 ), if m 1 even = 1 + 2(1 + 2)( m 4 ), if m 1 odd Example GF (2 31 ): = (1 + 2)( ( )( ( )( ( )))) 7 multiplications, 30 squarings In general log(m 1) + H(m 1) 1 multiplications m 1 squarings 3/23

4 Matrix Polynomial I + A + A A N 1 A problem that has significance in graph theory and signal processing Minimize the number of matrix multiplications in computing G(N, A) = I + A + A A N 1 Dimitrov and Cooklev(1995): (I + A + A 3 ) G( N/3, A 3 ) if N = 0 or 3 (mod 6) I + (A + A 2 + A 3 ) G( N/3, A 3 ) if N = 1 or 4 (mod 6) G(N, A) = (I + A) G( N/2, A 2 ) if N = 2 (mod 6) I + (A + A 2 ) G( N/2, A 2 ) if N = 5 (mod 6) 4/23

5 The New Algorithm Idea Use the same approach for m 2 but try to minimize the number of additions (which imply multiplications in an inversion) Double-base with bases {2, 3}: m 2 = ( ) ( m 4 ) if m 1 = 0, 3 (mod 6) (1 + 2) ( m 3 ) if m 1 = 2, 4 (mod 6) 1 + ( ) ( m 4 ) if m 1 = 1, 5 (mod 6) For triple-base version with bases {2, 3, 5}, we extend this with: ((1 + 2)( ) )( m 6 ) if m 1 = 0 (mod 5) 5/23

6 The New Algorithm vs. Itoh-Tsujii Average number of multiplications: 1.5 log(m 1) for IT 1.42 log(m 1) for {2, 3} 1.39 log(m 1) for {2, 3, 5} For fields GF (2 m ), 1 m 1023: 18 (1.8 %): {2, 3} is the best 109 (10.7 %): {2, 3, 5} is the best 387 (37.8 %): {2, 3} and {2, 3, 5} are the best 79 (7.7 %): IT is the best 430 (42.0 %): All are equally good We are better for 50.2 % and worse for 7.7 % of the cases 6/23

7 The NIST Fields Itoh-Tsujii: GF(2 163 ) GF(2 233 ) GF(2 283 ) GF (2 409 ) GF(2 571 ) The best from both {2, 3} and {2, 3, 5}: GF(2 163 ) GF(2 233 ) GF(2 283 ) GF (2 409 ) GF(2 571 ) /23

8 Some Other Practical Implications Fewer (even by one) multiplications make a large difference and, therefore, practically all work so far has concentrated on them. Although multiplications usually dominate the costs of inversions, other aspects should not be over-looked Temporary variables Squarings 8/23

9 Temporary Variables 9/23

10 How Are Inversions Computed? GF (2 31 ) : A 1 = A = A 2(230 1) = A 2( ) = ( )( )( ( )( )) 10/23

11 How Are Inversions Computed? GF (2 31 ) : A 1 = A = A 2(230 1) = A 2( ) = ( )( )( ( )( )) 1 B A 1 10/23

12 How Are Inversions Computed? GF (2 31 ) : A 1 = A = A 2(230 1) = A 2( ) = ( )( )( ( )( )) B A 1 C B 1 B B C B B (C 1) 10/23

13 How Are Inversions Computed? GF (2 31 ) : A 1 = A = A 2(230 1) = A 2( ) = ( )( )( ( )( )) B A 1 C B 1 B B C B B (C 1) B B (B 3) 10/23

14 How Are Inversions Computed? GF (2 31 ) : A 1 = A = A 2(230 1) = A 2( ) = ( )( )( ( )( )) B A 1 C B 1 B B C B B (C 1) B B (B 3) C B B B (B 6) B B (B 12) B C (B 6) return B = A 1 10/23

15 Number of Variables (1 + 2 k ) No additional variables (1 + 2 k + 2 2k ) One short-time variable ((1 + 2 k )( k ) + 2 4k ) One short-time variable k (1 + 2 k ) One long-time variable For IT, the number of variables V is the number of k (1 + 2 k ) terms; i.e. V = H(m 1) 1 For us, V is the number of k (1 + 2 k ) terms in the decomposition plus one if we have at least one (1 + 2 k + 2 2k ) or ((1 + 2 k )( k ) + 2 4k ) after the last k (1 + 2 k ) term. The average number of long-time variables is 0.5 log(m 1) for IT and about log(m 1) for us 11/23

16 Results Temporary variables m IT Our 12/23

17 Results (cont.) 6 Difference (variables) Our is better IT is better m 13/23

18 Summary We save on average one variable for GF(2 m ), 1 m 1023 For some fields we save 5 variables and for some we lose by 2 The fields for which we are losing are always those for which we need more multiplications 14/23

19 Squarings 15/23

20 Motivation Example An inversion over GF(2 163 ) requires: 9 multiplications and 162 squarings. Modern HW implementations of ECC use fast multipliers and squarings start to dominate: M = 163 Squarings take 10% of the time (162 vs. 1467) M = 15 Squarings take 55% of the time (162 vs. 135) M = 4 Squarings take 82% of the time (162 vs. 36) M = 1 Squarings take 95% of the time (162 vs. 9) OK but the number of squarings is m 1 = 162 for both IT and the new algorithm. 16/23

21 Squarings Normal Basis An element A GF(2 m ) is given by A = m 1 i=0 a iβ 2i. Then, A 2s = A s (cyclic shift). Polynomial Basis An element A GF(2 m ) is given by A = m 1 i=0 a ix i. Then, A 2 = m 1 i=0 a ix 2i mod p(x) and 1 q (s) 0,1... q (s) 0,m 1 0 q (s) A 2s = 1,1... q (s) 1,m q (s) m 1,1... q (s) m 1,m 1 a 0 a 1. a m 1 17/23

22 Repeated Squarer (Normal Basis / HW) A repeated squarer is a component that can compute A 2s for all s S with the same latency (one clock cycle) In normal basis, repeated squarers are simply m-bit C-to-1 multiplexers where C is the cardinality of S Example A repeated squarer with S = {1, 2, 3} is a 3-to-1 multiplexer: 1 A 2 3 A 2s s 18/23

23 The Problem Let E = (e 1, e 2,..., e N ) be the sequence of exponents required for repeated squarings during an inversion. One needs a set S = {s 1, s 2,..., s C } with cardinality C such that all exponents e i in E can be represented as a sum e i = s j (i) 1 + s j (i) 2 in order to compute the inversion s j (i) k i The problem The task is to find S opt that minimizes the sum L = N i=1 k i among all S with cardinality C satisfying the above condition. Exhaustive search because the search space is small(ish) 19/23

24 Example: The NIST Field GF(2 163 ) Itoh-Tsujii = (1 + 2)( ( )( )( )( )( ( )( ))) E = (1, 1, 2, 4, 8, 16, 32, 64, 32, 2) Our algorithm = ( )( )( )( )( ) E = (1, 1, 1, 3, 3, 9, 9, 27, 27, 81) 20/23

25 Example: The NIST Field GF(2 163 ) (cont.) With different C, S opt and L are as follows: IT Our E (1, 1, 2, 4, 8, 16, 32, 64, 32, 2) (1, 1, 1, 3, 3, 9, 9, 27, 27, 81) C = 1 {1}, 162 {1}, 162 C = 2 {1, 16}, 27 {1, 9}, 26 C = 3 {1, 4, 32}, 17 {1, 3, 27}, 16 C = 4 {1, 2, 8, 32}, 13 {1, 3, 9, 27}, 12 C = 5 {1, 2, 4, 8, 32}, 12 {1, 3, 9, 27, 81}, 10 C = 6 {1, 2, 4, 8, 16, 32}, 11 C = 7 {1, 2, 4, 8, 16, 32, 64}, 10 We have a smaller latency when C > 1 We can use smaller repeated squarers (multiplexers) to get the same latency 21/23

26 Summary If repeated squarings with polynomial basis are computed by using precomputed matrices, then the same technique applies and we need less precomputed matrices and/or use them fewer times during an inversion Similar behavior can be seen for other NIST fields, too. (except for GF(2 233 ) when IT and our algorithm give the same decompositions) More general cases are still to be investigated 22/23

27 Conclusions A new algorithm for inversion in GF(2 m ) that has provably lower number of multiplications compared to the popular IT and outperforms it in about half of the cases for 1 m 1023 The algorithm has some nice by-products that may be important in some implementations 23/23

28 Conclusions A new algorithm for inversion in GF(2 m ) that has provably lower number of multiplications compared to the popular IT and outperforms it in about half of the cases for 1 m 1023 The algorithm has some nice by-products that may be important in some implementations Thank you! Questions? 23/23

ABHELSINKI UNIVERSITY OF TECHNOLOGY

ABHELSINKI UNIVERSITY OF TECHNOLOGY On Repeated Squarings in Binary Fields Kimmo Järvinen Helsinki University of Technology August 14, 2009 K. Järvinen On Repeated Squarings in Binary Fields 1/1 Introduction Repeated squaring Repeated squaring: