Useful Arithmetic for Cryptography
|
|
- John Sutton
- 5 years ago
- Views:
Transcription
1 Arithmetic and Cryptography 1/116 Useful Arithmetic for Cryptography Jean Claude Bajard LIP6 - UPMC (Paris 6)/ CNRS France 8 Jul 2013
2 Arithmetic and Cryptography 2/116 Introduction Modern Public Key Cryptography In 1985, Victor S Miller [1] and Neal Koblitz [2] introduced Elliptic Curve Cryptography Gödel Prize 2013: Dan Boneh, Matthew K Franklin [3] and Antoine Joux [4] for Pairing Cryptography Group operations on points of elliptic curve defined on finite fields Basic finite field operations: addition, multiplication, inversion
3 Arithmetic and Cryptography 3/116 Content Finite Fields Representations Multiplication in GF (p) Back to multiplication Modular Reduction Multiplication in GF (2 m ) Polynomial Approaches Approaches using specific bases Inversion in a Finite Field Another Approach: Residue Systems Introduction to Residue Systems Modular reduction in Residue Systems Applications to Cryptography Annexes Références
4 Arithmetic and Cryptography 4/116 Finite Fields Representations Finite Fields Representations
5 Arithmetic and Cryptography 5/116 Finite Fields Representations General Principles [5] A finite field F (+, ) is a finite set F such that: F (+) is an Abelian Group F (+, ) is a Ring where every element (excepted 0 for ) has an inverse Elementary Finite Fields have an order equal to a prime p Example of a such finite prime field Z/pZ Z/pZ = {0, 1, 2,, p 1} Calculus are based on modular arithmetic
6 Arithmetic and Cryptography 6/116 Finite Fields Representations Splitting Finite Field More generally, Finite Field has an order equal to a power of a prime, we note GF (p m ) or F p m with p prime p is the caracteristic, if u GF (p m ) then p u = 0 as a set of polynomial residues modulo an irreducible polynomial P(X ) of degree m in F p [x] as a set of the powers of a primitive element g, GF (p m ) = {0, g 0, g 1,, g pm 2 } as a set of linear combinations of base elements : canonical {1, α, α 2,, α m 1 } ou normal {α, α p, α p2, α pm 1 } (α root of P(X ))
7 Arithmetic and Cryptography 7/116 Finite Fields Representations Example in GF (2 2 ) (notice GF (2 2 ) Z/2 2 Z) Polynomials in GF (2)[X ] : 0, 1, X, 1 + X Addition on GF (2) : 1 + (1 + X ) = X Product with a modular reduction in function of an irreducible one X 2 + X + 1 is irreducible over GF (2), GF (4) can be represented by GF (2)[X ]/X 2 + X + 1 Multiplication modulo X 2 + X + 1: X (1 + X ) = (X + X 2 ) mod (X 2 + X + 1) = 1 The choice of the irreducible polynomial impacts the complexity
8 Arithmetic and Cryptography 8/116 Multiplication in GF (p) Multiplication in GF (p) Multiplication of two values
9 Arithmetic and Cryptography 9/116 Multiplication in GF (p) Back to multiplication Multiplication of two values
10 Arithmetic and Cryptography 10/116 Multiplication in GF (p) Back to multiplication Product of two numbers via polynomials k 1 k 1 Let A = a i β i and B = b i β i be two numbers in base β i=0 i=0 k 1 k 1 Let A(X ) = a i X i and B(X ) = b i X i be the associated polynomials i=0 i=0 Evaluation of the product P = A B: 1 Polynomial Evaluation: P(X ) = A(X ) B(X ) 2 Calculus of the value: P(β) = A(β) B(β)
11 Arithmetic and Cryptography 11/116 Multiplication in GF (p) Back to multiplication Product of two numbers via polynomials: Remarks Step 1, the p i are lower than k β 2 Step 2, the calculus of P(β) becomes a reduction of the p i by carry propagation
12 Arithmetic and Cryptography 12/116 Multiplication in GF (p) Back to multiplication Polynomial representations A polynomial of degree k 1 can be defined: by its k coefficients ai k 1 A(X ) = a i X i i=0 or by k values in different points ei k 1 for i = 0k 1, A(e i ) = a j e j i e i are chosen, in respect to two criteria: easy evaluation and small size for the A(e i ) j=0
13 Arithmetic and Cryptography 13/116 Multiplication in GF (p) Back to multiplication Polynomial Product defined by coefficients k 1 k 1 P(X ) = A(X ) B(X ) = ( a i X i ) ( b i X i ) = p 0 p 1 p k 1 p 2k 3 p 2k 2 = i=0 i=0 a a 1 a a k 1 a k 2 a k 3 a 0 0 a k 1 a k 2 a a k 1 k 2 products 2k 2 i=0 b 0 b 1 b k 2 b k 1 p i X i
14 Arithmetic and Cryptography 14/116 Multiplication in GF (p) Back to multiplication Polynomial Product defined by points k 1 k 1 P(X ) = A(X ) B(X ) = ( a i X i ) ( b i X i ) = i=0 is computed at 2k 1 differents points: i=0 P(e 0 ) = A(e 0 ) B(e 0 ) P(e 1 ) = A(e 1 ) B(e 1 ) P(e 2k 3 ) = A(e 2k 3 ) B(e 2k 3 ) P(e 2k 2 ) = A(e 2k 2 ) B(e 2k 2 ) 2k 1 products 2k 2 i=0 p i X i
15 Arithmetic and Cryptography 15/116 Multiplication in GF (p) Back to multiplication Coefficient reconstruction Lagrange approach Use of a sum of k polynomials, such that the i th one is equal to P(e i ) for e i, and 0 for all other e j with j i k 1 P(X ) = P(e i ) i=0 j i (X e j) j i (e i e j )
16 Arithmetic and Cryptography 16/116 Multiplication in GF (p) Back to multiplication Coefficient reconstruction Newton approach The main idea is to use polynomials of increasing degrees k 1 i 1 P(X ) = ˆp i (X e j ) = ˆp 0 + ˆp 1 (X e 0 ) + ˆp 2 (X e 0 )(X e 1 ) + i=0 j=0 ˆp 0 = p 0 ˆp 1 = (p 1 ˆp 0)/(e 1 e 0 ) ˆp i = ( (p i ˆp 0 )/(e i e 0 ) ˆp 1 )/(e i e 1 ) ˆp i 1 )/(e i e i 1 ) ˆp k 1 = ( (p k 1 ˆp 0)/(e k 1 e 0 ) ˆp 1 )/(e k 1 e 1 ) ˆp k 2 )/(e k 1 e k 2 ) with, p i = P(e i )
17 Arithmetic and Cryptography 17/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm(1) Select points e 0 = 0, e 1 = 1 and e 2 = We have: k 1 A = a i β i = ( i=0 k/2 1 i=0 k/2 1 a k/2+i β i )β k/2 + a i β i = A 1 β k/2 + A 0 i=0 Polynomial view: A(X ) = A 1 X + A 0 A(0) = A 0 A( 1) = A 0 A 1 A( ) = lim A 1X X
18 Arithmetic and Cryptography 18/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm (2) Values of the product polynomials P(0) = A 0 B 0 P( 1) = (A 0 A 1 )(B 0 B 1 ) P( ) = lim A 1B 1 X 2 X Newton interpolation ˆp 0 = P(0) = A 0 B 0 ˆp 1 = (P( 1) ˆp 0 )/( 1) = (A 1 A 0 )(B 0 B 1 ) + A 0 B 0 ˆp = lim X ((P( ) ˆp 0)/X ˆp 1 )/(X + 1) = A 1 B 1
19 Arithmetic and Cryptography 19/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm(3) Reconstruction P(X ) = ˆp 0 + ˆp 1 X + ˆp X (X + 1) = A 0 B 0 +((A 1 A 0 )(B 0 B 1 ) + A 0 B 0 + A 1 B 1 )X +A 1 B 1 X 2 Final evaluation P(β k/2 ) = A 0 B 0 +((A 1 A 0 )(B 0 B 1 ) + A 0 B 0 + A 1 B 1 )β k/2 +A 1 B 1 β k
20 Arithmetic and Cryptography 20/116 Multiplication in GF (p) Back to multiplication Product of two numbers Karatsuba Algorithm (4) : Complexity Let denote K(k) as the number of elementary operations By recurrence K(k) = 3K(k/2) + αk, we suppose that the addition is linear We obtain K(k) = O(k log 2 (3) )
21 Arithmetic and Cryptography 21/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (1) The Karatsuba approach can be generalized: Select points e 0 = 0, e 1 = 1, e 2 = 1, e 3 = 2 and e 4 = We have: A = A 2 β 2k/3 + A 1 β k/3 + A 0 Polynomial view: A(X ) = A 2 X 2 + A 1 X + A 0 A(0) = A 0 A( 1) = A 2 A 1 + A 0 A(1) = A 2 + A 1 + A 0 A(2) = 4A 2 + 2A 1 + A 0 A( ) = lim A 2X 2 X
22 Arithmetic and Cryptography 22/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (2) With Newton ˆp 0 = P(0) = A 0 B 0 ˆp 1 = (P( 1) ˆp 0 )/( 1) ˆp 2 = ((P(1) ˆp 0 )/(1) ˆp 1 )/(2) ˆp 3 = (((P(2) ˆp 0 )/(2) ˆp 1 )/(3) ˆp 2 )/(1) ˆp 4 = lim X ((((P( ) ˆp 0)/X ˆp 1 )/(X + 1) ˆp 2 )/(X 1) ˆp 3 )/(X 2) = A 2 B 2 We notice a division by 3 limits of this approach Reconstruction by computing P(β k/3 ): P(X ) = ˆp 0 + X (ˆp 1 + (X + 1)(ˆp 2 + (X 1)(ˆp 3 + ˆp 4 (X 2))))
23 Arithmetic and Cryptography 23/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (3) Let denote T 3 (k) as the number of elementary operations By recurrence T 3 (k) = 5T 3 (k/3) + αk, assuming that addition is linear We obtain T 3 (k) = O(k log 3 (5) )
24 Arithmetic and Cryptography 24/116 Multiplication in GF (p) Back to multiplication Product of two numbers Toom Cook Algorithm (4), asymptotic point of view Splitting by n With T n (k) he number of elementary operations By recurrence T n (k) = (2n 1)T n (k/n) + αk, assuming that addition is linear We obtain T n (k) = O(k log n (2n 1) ) Then the complexity of the multiplication can reach O(k 1+ɛ )
25 Arithmetic and Cryptography 25/116 Multiplication in GF (p) Back to multiplication Fourier Transform Complexité Algorithme FFT Select points: the n th roots of unity, ω n = 1, ω primitive Properties: ω 2k is a n 2th root, (ω k ) n/2 = 1 (assuming n even) n 2 1 n 2 1 A(ω k ) = a 2i ω 2ik + ω k a 2i+1 ω 2ik = A 0 (ω 2k ) + ω k A 1 (ω 2k ) i=0 i=0 F (n) number of elementary op for a FFT of dimension n We have F (n) = 2F (n/2) + αn, then, F (n) = O(n log 2 n)
26 Arithmetic and Cryptography 26/116 Multiplication in GF (p) Modular Reduction Multiplication in GF (p) Modular Reduction
27 Arithmetic and Cryptography 27/116 Multiplication in GF (p) Modular Reduction Modular Reduction p fixed Two options: Specific p allowing an easy reduction p = β n ξ avec ξ < β n/2 Common p generic algorithms
28 Arithmetic and Cryptography 28/116 Multiplication in GF (p) Modular Reduction Modular Reduction p = β n ξ with 0 ξ < β n/2 and ξ 2 β n 2β n/2 + 1 We have C = A B (p 1) 2 We write C = C 1 β n + C 0 First reduction pass: C C 1 ξ + C 0 (= C ) (mod p) Second reduction pass: C C 1 ξ + C 0 (= C ) (mod p) Final touch: If C + ξ β n Then R = C + ξ β n, Else R = C
29 Arithmetic and Cryptography 29/116 Multiplication in GF (p) Modular Reduction Modular Reduction p = β n ξ with 0 ξ < β n/2 This reduction uses two multiplications by ξ, two options Choose a very small ξ, for example, ξ < β digit number Choose a very sparce ξ shift and add approach If ξ > β n/2, then the number of passes increases
30 Arithmetic and Cryptography 30/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n 1 ( 1, β, β 2, β ) 2n 2 a a 1 a a n 1 a n 2 a n 3 a 0 0 a n 1 a n 2 a a n 1 C ( 1, β, β 2, β ) n 1 M b 0 b 1 b n 2 b n 1 (mod p) b 0 b 1 b n 2 b n 1
31 Arithmetic and Cryptography 31/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n 1 M = a a 1 a a n 2 a n 3 a 0 0 a n 1 a n 2 a 1 a 0 M = + a 0 a n 1 a n 2 a 1 a 1 a 0 a n 1 a 2 a n 2 a n 3 a 0 a n 1 a n 1 a n 2 a 1 a 0 0 a n 1 a n 2 a a n 1 a a n
32 Arithmetic and Cryptography 32/116 Multiplication in GF (p) Modular Reduction Modular Reduction with p = β n β t 1 If t < n/2 then M is obtained with one matrix addition M = a 0 a n 1 a n 2 a 1 a 1 a 0 a n 1 a 2 a n 2 a n 3 a 0 a n 1 a n 1 a n 2 a 1 a a n 1 a n 2 a 1 0 a n 1 a n t + 0 a n 1 a n t a n a n 1 a n t a n 1
33 Arithmetic and Cryptography 33/116 Multiplication in GF (p) Modular Reduction Multiplication in GF (p) Generic Modular Reduction
34 Arithmetic and Cryptography 34/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Barrett Algorithm [7] Reduction of A modulo P via the approximation of the quotient Conditions: β n 1 P < β n et A < P 2 < β 2n We can write that: β u+v A P βn+u P A β n v = 0 β u+v A P β n+u A P β n v = ( ) P βn+u f ( A P β n v ) + A βn+u βn v f ( ) + f ( A β2n P βn 1 )f ( P ) < P(β u+1 + (β n+v 1) + 1) with f () the fractional part function If u n + 1 and v 2 then (β u+1 + β n+v )/β u+v < 1 We deduce: A mod P A P β2n+1 A P β n 2 β n+3 < 2P
35 Arithmetic and Cryptography 35/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Barrett Algorithm [7] Barrett(A,P) Inputs β n 1 P < β n and A < P 2 < β 2n Output R = A (mod P) et Q = A P Core Q β2n+1 P R A Q P A β n 2 β n+3 If R P, Then R R P and Q Q + 1 Complexity: 2 products of n + 1 digits
36 Arithmetic and Cryptography 36/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Algorithm [8] Reduction of A modulo P via a multiple of P Conditions : β n 1 P < β n and A < Pβ n The scheme is to add a multiple of P to A such that the result is a multiple of β n The division by β n in base β is a shift The output of this approach is A β n mod P
37 Arithmetic and Cryptography 37/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Algorithm [8] Montgomery(A, P) Inputs β n 1 P < β n and A < Pβ n < β 2n Output R = A β n mod P Core Q A P 1 β n mod β n R (A + Q P) R is a multiple of β n R R β n division by β n is a shift, (R < 2P) If R P Then R R P (optional) Complexity: 2 products of n digits (two half products)
38 Arithmetic and Cryptography 38/116 Multiplication in GF (p) Modular Reduction Generic Modular Reduction Montgomery Representation To avoid the accumulation of factors β n mod P, we note: à = A β n mod P Thee construction à = Montgomery(A β2n P, P) Stable for addition and multiplication using Montgomery reduction: à + B = à + B and ÃB = Montgomery(à B, P) Reconversion to standard: A = Montgomery(Ã, P) It is the most used algorithm in cryptography
39 Arithmetic and Cryptography 39/116 Multiplication in GF (p) Modular Reduction Interleaved Modular Multiplication Montgomery Algorithm MontgomeryI(A, B, P) Inputs β n 1 P < β n ad AB < Pβ n < β 2n n 1 and B = b i β i Output R = A B β n mod P Core R 0 For i = 0 to i = n 1 do R (R + b i A) q i r 0 p0 1 β mod β R (R + q i P) multiple of β R R β at the end (R < 2P) If R P, Then R R P (optional) i=0
40 Arithmetic and Cryptography 40/116 Multiplication in GF (p) Modular Reduction Binary Interleaved Modular Multiplication Montgomery Algorithm MontgomeryB(A, B, P) Inputs 2 n 1 P < 2 n and AB < 2 n P < 2 2n n 1 and B = b i 2 i Output R = A B 2 n mod P Core R 0 For i = 0 to i = n 1 do R (R + b i A) q i r 0 In fact p = 1 if P odd R (R + q i P) multiple of 2 R R >> 1 at the end (R < 2P) If R P, Then R R P (optional) i=0
41 Arithmetic and Cryptography 41/116 Multiplication in GF (p) Modular Reduction Bipartite Modular Multiplication [9] This approach is based on: We define as: X Y = (X Y ) R 1 mod P We split *y*: Y = Y h R + Y l for example R = β n/2 thus X Y = (X Y h mod P + X Y l R 1 mod P) mod P X Y h mod P is computed using Barret X Y l R 1 mod P is computed via Montgomery These two operations can be done in parallelel
42 Arithmetic and Cryptography 42/116 Multiplication in GF (2 m ) Multiplication in GF (2 m )
43 Arithmetic and Cryptography 43/116 Multiplication in GF (2 m ) Multiplication in GF (2 m ) Most of the hardware implementations use GF (2 m ) where basic operators are AND and XOR The different approaches for the modular reduction needed in the multiplication over GF (2 m ) are: The ones depending of the finite field The generic ones Those using specific bases
44 Arithmetic and Cryptography 44/116 Multiplication in GF (2 m ) Polynomial Approaches Multiplication in GF (2 m ) Polynomial Approaches
45 Arithmetic and Cryptography 45/116 Multiplication in GF (2 m ) Polynomial Approaches Multiplication in GF (2 m ) The calculus of C(X ) = A(X ) B(X ) mod P(X ) can be executed in two steps: 1 a polynomial product C (X ) = A(X ) B(X ), c 0 a c 1 a 1 a c m 1 = a m 1 a 1 a 0 c m 0 a m 1 a 1 c 2m a m 1 2 a modular reduction P(X ) : C(X ) = C (X ) mod P(X ) b 0 b 1 b m 1
46 Arithmetic and Cryptography 46/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm A(X ) B(X ) is computed in GF (2 m ) defined by P(X ) a degree m irreducible polynomial Montgomery compute A(X ) B(X ) R 1 (X )modp(x ) where R(X ) is a fixed element and R 1 (X ) is its inverse modp(x ) We know R(X ) and P(X ) (irreducible), we can precompute R 1 (X ) and P (X ) such that: R 1 (X ) R(X ) + P (X ) P(X ) = 1
47 Arithmetic and Cryptography 47/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (generic case) Inputs: A(X ) and B(X ) of degrees lower than m Outputs: T (X ) = A(X ) B(X ) R 1 (X ) mod P(X ) Precomputed: P (X ), R(X ) Product: C(X ) = A(X ) B(X ) Reduction: Q(X ) = C(X ) P (X ) mod R(X ) T (X ) = ( C(X ) + Q(X ) P(X ) ) div R(X) The complexity is due to the three products The reduction modulo R(X ) and the division by R(X ) are easy if R(X ) = X m
48 Arithmetic and Cryptography 48/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (execution) Polynomial representations: A(X ) = a 0 + a 1X + a 2X a m 1X m 1 B(X ) = b 0 + b 1X + b 2X b m 1X m 1 P(X ) = p 0 + p 1X + p 2X p m 1X m 1 + X m P (X ) = p 0 + p 1X + p 2X p m 1X m 1 We decompose the evaluation using matrices, into two parts: The first lines for the computation of Q(X ) The last lines for the result T (X )
49 Arithmetic and Cryptography 49/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (execution) Decomposition of the calculus for Q(X ): (the lower degrees) Q(X ) = p p 1 p p m 2 p m 3 p 0 0 p m 1 p m 2 p 1 p 0 a a 1 a a m 2 a m 3 a 0 0 a m 1 a m 2 a 1 a 0 b 0 b 1 b m 2 b m 1 Then for T (X ):(the upper degrees) 0 a m 1 a 2 a a 2 a a m 1 a m a m b 0 b 1 b m 3 b m 2 b m p m 1 p 2 p p 2 p p m 1 p m p m q 0 q 1 q m 3 q m 2 q m 1
50 Arithmetic and Cryptography 50/116 Multiplication in GF (2 m ) Polynomial Approaches Montgomery Algorithm (complexity of the general case) Complexity counting the number of elementary operations over GF (2): m 2 + (m 1) 2 multiplications (AND) (m 1) 2 + (m 2) 2 + m additions (XOR) For this approach we can use the Montgomery representation: Ã(X ) = A(X ) R(X ) (mod P)(X ) It can be generalized to GF (p k )
51 Arithmetic and Cryptography 51/116 Multiplication in GF (2 m ) Polynomial Approaches Iterative Montgomery in GF (2 m ) with R(X ) = X m Inputs: A(X ) and B(X ) of degrees lower than m Output: T (X ) = A(X ) B(X ) R 1 (X ) mod P(X ) Precomputed: P (X ), R(X ) Initialisation T (X ) = 0 Loop For i = 0 to m 1 do T (X ) = T (X ) + a i B(X ) T (X ) = (T (X ) + t 0 P(X ))/X
52 Arithmetic and Cryptography 52/116 Multiplication in GF (2 m ) Polynomial Approaches Iterative Montgomery in GF (2 m ) with R(X ) = X m At each step a division by X, hence at the end it is equivalent to R(X ) = X m Moreover P(X ) is irreducible, thus its constant term is 1, idem for P (X ) The complexity given in logical gates: 2m 2 XOR (for the additions) and 2m 2 AND (for the products)
53 Arithmetic and Cryptography 53/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito [10] Approach Idea GF (2 m ) is defined by a root α of the irreducible P(X ) of degree m The elements of GF (2 m ) are given in the canonical {1, α, α 2,, α m 1 }: m 1 m 1 A = a i α i and B = b i α i i=0 i=0 m 1 We note C = A B in GF (2 m ), C = c i α i Mastrovito proposed to construct Z, a matrix m m using the coefficients of A, such that: i=0 C = Z B
54 Arithmetic and Cryptography 54/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito Construction of Z Z is obtained by: 1 constructing the matrix (m 1) m, Q which is the representations of X k for k m modulo P(X ): X m X 0 X m+1 = Q X 1 X 2m 2 X m 1 2 and then, the matrix Z is obtained with: a i for j = 0, i = 0 m 1 z i,j = u(i j) a i j + j 1 t=0 q j 1 t,i a m 1 t, else, with u(t) = { 1 if t 0 0 else
55 Arithmetic and Cryptography 55/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito Cost of the approach The complexity is due to the construction of Z which can need m 3 /2 And and Xor, the choice of the irreducible polynomial is fundamental With trinomials like X m + X + 1 the multiplication is done with m 2 1 XOR and m 2 AND There are some variants if all the coefficients are 1 (all-one polynomial) P(X ) = 1 + X + X X m, in this case X m+1 1 (mod P(X )) or for regular sparced polynomials P(X ) = 1 + X + X X k =m, here X (k+1) 1 (mod P(X ))
56 Arithmetic and Cryptography 56/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito I Example with a trinomial We consider GF (2 7 ) with the canoical base {1, α, α 2,, α 6 } where α is a root of the irreducible P(X ) = X 7 + X + 1 Thus, α 7 = α + 1 (1, 1, 0, 0, 0, 0, 0) α 8 = α 2 + α (0, 1, 1, 0, 0, 0, 0) α 9 = α 3 + α 2 (0, 0, 1, 1, 0, 0, 0) α 10 = α 4 + α 3 (0, 0, 0, 1, 1, 0, 0) α 11 = α 5 + α 4 (0, 0, 0, 0, 1, 1, 0) α 11 = α 6 + α 5 (0, 0, 0, 0, 0, 1, 1) et Q =
57 Arithmetic and Cryptography 57/116 Multiplication in GF (2 m ) Polynomial Approaches Method of Mastrovito II Example with a trinomial Z = a 0 a 6 a 5 a 4 a 3 a 2 a 1 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 6 a 6 + a 5 a 6 a 5 a 4 a 3 a 2 a 1 a 0 + a 6
58 Arithmetic and Cryptography 58/116 Multiplication in GF (2 m ) Polynomial Approaches Méthode de Mastrovito Exemple avec un All-One If P(X ) = 1 + X + X X m, the matrix Z can be written as Z = Z 1 + Z 2 with: a 0 0 a m 1 a 3 a 2 a 1 a 0 0 a m 1 a 4 a 3 Z 1 = a m 2 a m 3 a 0 0 a m 1 a m 2 a 1 a 0 and 0 a m 1 a m 2 a 1 Z 2 = 0 a m 1 a m 2 a 1 (ie ligne X m ) 0 a m 1 a m 2 a 1
59 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions
60 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions
61 Arithmetic and Cryptography 59/116 Multiplication in GF (2 m ) Polynomial Approaches Toeplitz Matrices Definition A n n matrix is Toeplitz if [t i,j ] 1 i,j n are such that t i,j = t i 1,j 1 for i, j 1 t n t n+1 t n+2 t 2n 1 t n 1 t n t n+1 T = t n 2 t n 1 t n t 1 t n 1 t n Remark: An addition of 2 Toeplitz requires only 2n 1 additions
62 Arithmetic and Cryptography 60/116 Multiplication in GF (2 m ) Polynomial Approaches Product matrix-vector with a Toeplitz [11] If T is Toeplitz n n with 2 n then: [ ] [ ] T1 T T V = 0 V0 T 2 T 1 V 1 [ ] is such that: P0 + P T V = 2 P 1 + P 2 with P 0 = (T 0 + T 1 ) V 1, P 1 = (T 1 + T 2 ) V 0, P 2 = T 1 (V 0 + V 1 ),
63 Arithmetic and Cryptography 61/116 Multiplication in GF (2 m ) Polynomial Approaches Complexity of the Toeplitz - vector product Fan and Hasan proposed also a 3-way split method Two-way split method Three-way split method # AND n log 2 (3) n log 3 (6) # XOR 55n log 2 (3) 24 6n nlog 3 (6) 5n Delay T A + 2 log 2 (n)d X D A + 3 log 3 (n)d X D A is the delay of one AND and D X the one for one XOR
64 Arithmetic and Cryptography 62/116 Multiplication in GF (2 m ) Polynomial Approaches Application of Toeplitz - vector approach We have seen that C(X ) = A(X ) B(X ) mod P(X ) can be obtained with C(X ) = Z B(X ), where Z is a m m matrix Using circular permutations of rows or columns, Z can be transformed into a Toeplitz Fan-Hasan did it with trinomials, pentanomials (2006) and All-One (2007), then Hasan-Nègre (2010) used quadrinomals (with Q(X ) = (X + 1)P(X ))
65 Arithmetic and Cryptography 63/116 Multiplication in GF (2 m ) Polynomial Approaches Application of Toeplitz - vector approach Example We consider GF (2 6 ) with P(X ) = X 6 + X + 1 Z = a 0 a 5 a 4 a 3 a 2 a 1 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 5 is transformed in Toeplitz with a rotation of the 1st row to the last one Z = a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 2 + a 1 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 3 + a 2 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 4 + a 3 a 4 a 3 a 2 a 1 a 0 + a 5 a 5 + a 4 a 5 a 4 a 3 a 2 a 1 a 0 + a 5 a 0 a 5 a 4 a 3 a 2 a 1
66 Arithmetic and Cryptography 64/116 Multiplication in GF (2 m ) Approaches using specific bases Multiplication in GF (2 n ) Approaches using specific bases
67 Arithmetic and Cryptography 65/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base for GF (2 m ) We call normal base of GF (2 m ), the base {α, α 2, α 22, α 2m 1 } where α is a root of P(X ) (irreducible of degree m) ( α 2i are roots of P(X ), Frobenius property, P(X ) 2i = P(X 2i )) A in GF (2 m ): A = (a 0, a 1,, a m 1 ) = The square operation is a left rotation: we have A 2 m 1 = a i α 2i+1 but α 2m = α, i=0 thus, A 2 = a m 1 α + m 1 i=1 m 1 i=0 a i α 2i a i 1 α 2i in other words A 2 = (a m 1, a 0,, a m 2 )
68 Arithmetic and Cryptography 66/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] We have D = A B = A M B t with: M = α α α j α m 2 α m 1 α α α j α m 2 α m 1 α 2i +2 0 α 2i +2 1 α 2i +2 j α 2i +2 m 2 α 2i +2 m 1 α 2m α 2m α 2m 1 +2 j α 2m 1 +2 m 2 α 2m 1 +2 m 1 M = M 0 α + M 1 α M m 1 α 2m 1 where M i are composed of 0 and 1 Thus, D = A B is obtained coordinate by coordinate with d m 1 k = A M m 1 k B t for k = 0,, m 1
69 Arithmetic and Cryptography 67/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] Storage of one matrix We have D 2k = A 2k B 2k and the power to 2 k is given by k left rotations: d m 1 k = A 2k M m 1 (B 2k ) t for k = 0,, m 1 The complexity is given by the number of 1 s in M m 1 which depends on m and on P(X ) The lower bound is 2m 1 When this bound is reached, the base is said optimal [12] If all the coefficients of P(X ) are 1 (All-One), it is reached and the complexity is m 2 AND and 2m 2 2m XOR
70 Arithmetic and Cryptography 68/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Multiplication of Massey-Omura [13] Example We consider GF (2 4 ) and the normal base (α 20, α 21, α 22, α 23 ) where α is a root of P(X ) = X 4 + X (irreducible) α 2 α + α 2 + α 8 α + α 4 α + α 4 + α 8 α + α M = 2 + α 8 α 4 α + α 2 + α 4 α 2 + α 8 α + α 4 α + α 2 + α 4 α 8 α 2 + α 4 + α 8 α + α 4 + α 8 α 2 + α 8 α 2 + α 4 + α 8 α Thus, M 3 =
71 Arithmetic and Cryptography 69/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Modified Massey-Omura [14] If P(X ) is All-One, the complexity can be decreased to m 2 AND and m 2 1 XOR, by decomposing M m 1 M m 1 = (P + Q) (mod 2) { 1 if i = (m/2 + j) mod m with P i,j = 0 else Let T (k) be such that: B 2k = BT (k), we have T (k) PT (k)t = P, and d m 1 k = A P B t + A 2k Q (B 2k ) t for k = 0,, m 1
72 Arithmetic and Cryptography 70/116 Multiplication in GF (2 m ) Approaches using specific bases Normal Base: Modified Massey-Omura [14] Example We consider GF (2 4 ) and the normal base (α 20, α 21, α 22, α 23 ) where α is a root of P(X ) = X 4 + X 3 + X 2 + X + 1 (irreducible) With γ = α + α 2 + α 4 + α 8, we obtain: Thus: M 3 = ( M = ) = P + Q = α 2 α 8 γ α 4 α 8 α 4 α γ γ α α 8 α 2 α 4 γ α 2 α ( ) + ( )
73 Arithmetic and Cryptography 71/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ) Definition Trace Function: linear form Tr(u) = m 1 i=0 u GF (2 m ) (minimal polynomial of α, P(X ) = m 1 i=0 (X α2i ) GF (2)[X ]) u 2i GF (2) with Dual Bases: two bases {λ i, i = 0m 1} { and 1 i = j {ν j, j = 0m 1} are dual if Tr(λ i ν j ) = 0 i j Base conversion : Tr(ν j x) = x j where x j with x = m 1 j=0 x j λ j
74 Arithmetic and Cryptography 72/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ) General Definition An other linear form: f (u) = Tr(βu) where β GF (2 k ) { 1 i = j Dual bases if Tr(βλ i ν j ) = 0 i j Base conversion: Tr(βν j x) = x j where x j with x = m 1 j=0 x j λ j
75 Arithmetic and Cryptography 73/116 Multiplication in GF (2 m ) Approaches using specific bases Multiplication avec les Bases duales dans GF (2 m ) [15] We consider the canonical base {α i, i = 0m 1} and a dual base with (f, β) Be a, b et c in GF (2 m ): c = a b Tr(bβ) Tr(bβα) Tr(bβα m 1 ) Tr(bβα) Tr(bβα 2 ) Tr(bβα m ) Tr(bβα m 1 ) Tr(bβα m ) Tr(bβα 2m 2 ) a 0 a 1 a m 1 = Tr(cβ) Tr(cβα) Tr(cβα m 1 ) first line, we find the coordinates of b in the dual base, coordinates of a are in the canonical one, c is obtained in the dual base Goal: find f such that the dual base is a permutation of the canonical one [16]
76 Arithmetic and Cryptography 74/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ): example 1 In GF (2 4 ), we consider the canonical base (1, α, α 2, α 3 ) where α is a root of P(X ) = X 4 + X (irreducible) Consider the base, (α 12 = α + 1, α 11 = α 3 + α 2 + 1, α 10 = α 3 + α, α 13 = α 2 + α) which satisfies Tr(α 10 ) = Tr(α 11 ) = Tr(α 13 ) = Tr(α 14 ) = Tr(1) = 0, et Tr(α 12 ) = Tr(α) = 1 Thus bases (1, α, α 2, α 3 ) and (α 12, α 11, α 10, α 13 ) are dual Let A = α 12 = (1, 1, 0, 0) and B = α 7 = (0, 1, 1, 1) in the canonical base, and A = α 12 = (1, 0, 0, 0) and B = α 7 = (0, 1, 1, 0) in the dual one We have, ( ) ( 1 ) 1 = 0 0 ( We verify that C = α 4 = (1, 0, 1, 0) in the dual base and C = (1, 0, 0, 1) in the canonical one )
77 Arithmetic and Cryptography 75/116 Multiplication in GF (2 m ) Approaches using specific bases Dual Bases in GF (2 m ): example 2 We consider GF (2 4 ) and the canonical base (1, α, α 2, α 3 ) with α root of P(X ) = X 4 + X We consider the linear form Tr(α 10 u) In this case, the dual base is a permutation of the canonical one (α 2, α, 1, α 3 ) Base conversion is trivial and the product of A = α 12 and B = α 7 becomes: We verify that C = α =
78 Arithmetic and Cryptography 76/116 Inversion in a Finite Field Inversion in a Finite Field
79 Arithmetic and Cryptography 77/116 Inversion in a Finite Field Extended Euclid Algorithm Evaluation of the inverse of a modulo b using Bezout identity bu 1 + au 2 = gcd(a, b) We consider U = (u 1, u 2, u 3 ) and V = (v 1, v 2, v 3 ) such that: u 1 b + u 2 a = u 3 v 1 b + v 2 a = v 3 Initialization (u 1, u 2, u 3 ) = (1, 0, b) and (v 1, v 2, v 3 ) = (0, 1, a) We apply the Euclid GCD algorithm on u 3 and v 3 keeping the previous identities In fact terms of index 2 are not useful for the computing of the inverse
80 Arithmetic and Cryptography 78/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (p) Initialization u 1 1 u 2 0 u 3 p v 1 0 v 2 1 v 3 a Loop while v 3 0 q = u 3/v 3 t 1 u 1 qv 1 t 2 u 2 qv 2 t 3 u 3 qv 3 u 1 v 1 u 2 v 2 u 3 v 3 v 1 t 1 v 2 t 2 v 3 t 3 Result u 2 a 1 mod p
81 Arithmetic and Cryptography 79/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (2 m ) Initialisation U 1 1 U 2 0 U 3 P(X ) V 1 0 V 2 1 V 3 A(X ) Loop while V 3 0 n = deg(u 3) deg(v 3) T 1 U 1 X n V 1 t 2 U 2 X n V 2 T 3 U 3 X n V 3 If deg(t 3) deg(v 3) then U 1 T 1 U 2 T 2 U 3 T 3 U 1 V 1 U 2 V 2 U 3 V 3 V 1 T 1 V 2 T 2 V 3 T 3 Result U 2 A 1 mod P(X ) In GF (2 m ), this algorithm is in O(k) (at each step the degree decreases)
82 Arithmetic and Cryptography 80/116 Inversion in a Finite Field Extended Euclide Algorithm in GF (2 4 ) We consider A(X ) = X and P(X ) = X 4 + X irreducible u 1 (X ) = 1 u 2 (X ) = 0 u 3 (X ) = P(X ) = X 4 + X v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = A(X ) = X n = 2 u 1 (X ) = 1 u 2 (X ) = X 2 u 3 (X ) = X 3 + X v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = X n = 1 u 1 (X ) = 1 u 2 (X ) = X 2 + X u 3 (X ) = X 2 + X + 1 v 1 (X ) = 0 v 2 (X ) = 1 v 3 (X ) = X n = 0 u 1 (X ) = 0 u 2 (X ) = 1 u 3 (X ) = X v 1 (X ) = 1 v 2 (X ) = X 2 + X + 1 v 3 (X ) = X n = 1 u 1 (X ) = 1 u 2 (X ) = X 2 + X + 1 u 3 (X ) = x v 1 (X ) = X v 2 (X ) = X 2 + X 3 + X + 1 v 3 (X ) = 1 n = 1 u 1 (X ) = X u 2 (X ) = X 2 + X 3 + X + 1 u 3 (X ) = 1 v 1 (X ) = 1 + X 2 v 2 (X ) = X 4 + X v 3 (X ) = 0 We verfify that (X 2 + X 3 + X + 1)(X 2 + 1) = 1 mod (X 4 + X 3 + 1) and X 2 + X 3 + X + 1 is the inverse of X modulo P(X )
83 Arithmetic and Cryptography 81/116 Inversion in a Finite Field Fermat-Euler Approach Theorem: If β 0 in F q, then β q = β in F q β is a root of X q = X Corollary: For β 0 in F q : β q 2 = β 1 In GF (p) we need an exponentiation to p 2 which can be costly In GF (2 m ), we have β 1 = β 2m 2 The exponentiation uses the binary representation of the exponent, we can use a square and multiply strategy, minimizing the multiplications considering that 2 m 2 = [17]
84 Arithmetic and Cryptography 82/116 Inversion in a Finite Field Fermat-Euler Approach Example in GF (2 4 ) We consider GF (2 4 ) and the canonical base (1, α, α 2, α 3 ) where α is a root of P(X ) = X 4 + X (irreducible) We have = 14 Let A(X ) = X 2 + 1, we have A 1 (X ) = A 14 (X ) = (X 2 + 1) 14 mod (X 4 + X 3 + 1) The binary representation of 14 is 1110, thus, (X 2 + 1) 14 = ((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1)) 2 mod (X 4 + X 3 + 1) Step by step: (X 2 + 1) 2 = X 3 ((X 2 + 1) 2 )(X 2 + 1) = (X 2 + 1) 3 = X + 1 (((X 2 + 1) 2 )(X 2 + 1)) 2 = (X 2 + 1) 6 = X ((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1) = (X 2 + 1) 7 = X 3 (((((X 2 + 1) 2 )(X 2 + 1)) 2 )(X 2 + 1)) 2 = (X 2 + 1) 14 = X 3 + X 2 + X + 1
85 Arithmetic and Cryptography 83/116 Inversion in a Finite Field Fermat-Euler Approach Example in GF (2 31 ) We consider GF (2 31 ) We want to compute β 231 2, but = is in binary operation valuer exponent β 2 = β 2 10 β 2 β = β 3 11 (β 3 ) 22 = β β 12 β 3 = β (β 15 ) 24 = β β 240 β 15 = β (β 255 ) 28 = β β β 255 = β (β ) 215 = β (β 255 ) 27 = β (β 15 ) 23 = β (β 3 ) 21 = β β β = β β 120 β 6 = β β β 126 = β
86 Arithmetic and Cryptography 84/116 Another Approach: Residue Systems Introduction to Residue Systems Another Approach: Residue Systems Introduction to Residue Systems
87 Arithmetic and Cryptography 85/116 Another Approach: Residue Systems Introduction to Residue Systems Introduction to Residue Systems In some applications, like cryptography, we use finite field arithmetics on huge numbers or large polynomials Residue systems are a way to distribute the calculus on small arithmetic units Are these systems suitable for finite field arithmetics?
88 Arithmetic and Cryptography 86/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Number Systems in F p, p prime Modular arithmetic mod p, elements are considered as integers Residue Number System RNS base: a set of coprime numbers (m1,, m k ) RNS representation: (a1,, a k ) with a i = A mi Full parallel operations modm with M = k i=1 m i ( a 1 b 1 m1,, a n b n mn ) A B (mod M) Very fast product, but an extension of the base could be necessary and a reduction modulo p is needed
89 Arithmetic and Cryptography 87/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Number Systems in F p, p prime Φ(m) = p m p prime log p = log p m p prime p m If 2 m 1 M < 2 m, then the size of moduli is of order O(log m) In other words, if addition and multiplication have complexities of order Θ(f (m)), then in RNS the complexities become Θ(f (log m))
90 Arithmetic and Cryptography 88/116 Another Approach: Residue Systems Introduction to Residue Systems Lagrange representations in F p k with p > 2k Arithmetic modulo I (X ), an irreducible F p polynomial of degree k Elements of F p k are considered as F p polynomials of degree lower than k Lagrange representation is defined by k different points e1, e k in F p (k p) A polynomial A(X ) = α0 + α 1 X + + α k 1 X k 1 over F p is given in Lagrange representation by: (a 1 = A(e 1 ),, a k = A(e k )) Remark: ai = A(e i ) = A(X ) mod (X e i ) If we note m i (X ) = (X e i ), we obtain a similar representation as RNS Operations are made independently on each A(e i ) (like in FFT or Tom-Cook approaches) We need to extend to 2k points for the product
91 Arithmetic and Cryptography 89/116 Another Approach: Residue Systems Introduction to Residue Systems Trinomial residue in F 2 n Arithmetic modulo I (X ), an irreducible F 2 polynomial of degree n Elements of F 2 n are considered as F 2 polynomials of degree lower than n Trinomial representation is defined by a set of k coprime trinomials m i (X ) = X d + X t i + 1, with k d n, an element A(X ) is represented by (a 1 (X ), a k (X )) with a i (X ) = A(X ) mod m i (X ) This representation is equivalent to RNS Operations are made independently for each m i (X )
92 Arithmetic and Cryptography 90/116 Another Approach: Residue Systems Introduction to Residue Systems Residue Systems Residue systems could be an issue for computing efficiently the product The main operation is now the modular reduction for constructing the finite field elements The choice of the residue system base is important, it gives the complexity of the basic operations
93 Arithmetic and Cryptography 91/116 Another Approach: Residue Systems Modular reduction in Residue Systems Modular reduction in Residue Systems
94 Arithmetic and Cryptography 92/116 Another Approach: Residue Systems Modular reduction in Residue Systems Reduction of Montgomery on F p The most used reduction algorithm is due to Montgomery (1985)[8] For reducing A modulo p, one evaluates q = (Ap 1 ) mod 2 s, then one constructs R = (A + qp)/2 s The obtained value satisfies: R A 2 s (mod p) and R < 2p if A < p2 s We note Montg(A, 2 s, p) = R Montgomery notation: A = A 2 s mod p Montg(A B, 2 s, p) (A B) 2 s (mod p)
95 Arithmetic and Cryptography 93/116 Another Approach: Residue Systems Modular reduction in Residue Systems Residue version of Montgomery Reduction The residue base is such that p < M (or deg M(X ) deg I (X )) We use an auxiliary base such that p < M (or deg M (X ) deg I (X )), M and M coprime (Exact product, and existence of M 1 ) Steps of the algorithm 1 Q = (Ap 1 ) mod M (calculus in base M) 2 Extension of the representation of Q to the base M 3 R = (A + Qp) M 1 (calculus in base M ) 4 Extension of the representation of R to the base M The values are represented in the two bases
96 Arithmetic and Cryptography 94/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension of Residue System Bases (from M to M ) The extension comes from the Lagrange interpolation If (a 1,, a k ) is the residue representation in the base M, then A = k [ M a i i=1 m i ] 1 m i M αm m i mi The factor α can be, in certain cases, neglected or computed [18] Another approach consists in the Newton interpolation where A is correctly reconstructed [21] In the polynomial case, the term αm vanishes
97 Arithmetic and Cryptography 95/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension for Q By the CRT Q = n q i M i 1 mi M i = Q + αm i=1 m i where 0 α < n When Q has been computed, it is possible to compute R as R = (AB + Qp)M 1 = (AB + Qp + αmp)m 1 = (AB + Qp)M 1 + αp so that R R ABM 1 (mod p), which is sufficient for our purpose Also, assuming that AB < pm, we find that R < (n + 2)p since α < n
98 Arithmetic and Cryptography 96/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension R Shenoy and Kumaresan (1989): n Mi We have ( M i 1 mi m i r i ) = R + α M i=1 ( n α = M 1 m n+1 M i M i 1 mi m i r i R mn+1) i=1 mn+1 n r j = M i M i 1 mi m i r i αm mj mj i=1 mj mn+1
99 Arithmetic and Cryptography 97/116 Another Approach: Residue Systems Modular reduction in Residue Systems Extension of Residue System Bases We first translate into an intermediate representation (MRS): ζ 1 = a 1 ζ 2 = (a 2 ζ 1 ) m1 1 mod m 2 ζ 3 = ( (a 3 ζ 1 ) m1 1 ) ζ 2 m 1 2 mod m 3 ζ n = ( ( (a n ζ 1 ) m 1 1 ζ 2 ) m 1 2 ζ n 1 ) m 1 n 1 mod m n We evaluate A, with Horner s rule, as A = ( ((ζ n m n 1 + ζ n 1 ) m n ζ 3 ) m 2 + ζ 2 ) m 1 + ζ 1
100 Arithmetic and Cryptography 98/116 Another Approach: Residue Systems Modular reduction in Residue Systems Features of the residue systems Efficient multiplication, the cost being the cost of one multiplication on one residue Costly reduction: O(k 16 ) for trinomials [21] (annexe 109), 2k 2 + 3k O(k) for RNS [18] (annexe 104), O(k 2 ) O(k) for Lagrange representation [22] (annexe 112) If we take into account that most of the operations are multiplications by a constant, the cost can be considerably smaller
101 Arithmetic and Cryptography 99/116 Another Approach: Residue Systems Applications to Cryptography Applications to Cryptography
102 Arithmetic and Cryptography 100/116 Another Approach: Residue Systems Applications to Cryptography Elliptic curve cryptography The main idea comes from the efficiency of the product and the cost of the reduction in Residue Systems We try to minimize the number of reductions A reduction is not necessary after each operation Clearly, for a formula like A B + C D, only one reduction is needed Elliptic Curve Cryptography is based on addition of points We use appropriate forms (Hessian, Jacobi, Montgomery) and coordinates: projective, Jacobian or Chudnowski For 512 bits values, Residues Systems for curves defined over a prime field, are more efficient than classical representations [19]
103 Arithmetic and Cryptography 101/116 Another Approach: Residue Systems Applications to Cryptography Pairings To summarize, we define a pairing as follows: let G 1 and G 2 be two additive abelian groups of cardinal n, and G 3 a multiplicative group of cardinal n A pairing is a function e : G 1 G 2 G 3 which verifies the following properties: Bilinearity, Non-degeneracy For pairings defined on an elliptic curve E over a finite field F p, we have G 1 E(F p ), G 2 E(F p k ) and G 3 Fp k, where k is the smallest integer such that n divides p k 1; k is called the embedded degree of the curve
104 Arithmetic and Cryptography 102/116 Another Approach: Residue Systems Applications to Cryptography Pairings The construction of the pairing involves values over F p and F p k in the formulas An approach with Residue Systems, similar to the one made on ECC could be interesting [20] k is most of the time chosen as a small power of 2 and 3 for algorithmic reasons Residue arithmetics allows us to pass over this restriction With pairings, we can also imagine two levels of Residue Systems: one over F p and one over Fp k
105 Arithmetic and Cryptography 103/116 Annexes ANNEXES Détails of the implementation in Residue Systems
106 Arithmetic and Cryptography 104/116 Annexes Annexe F p Table : Hamming weight w(m 1 i,j ) of the inverse of m i modulo m j m j m i 2 k 2 k 1 2 k 2 t k 2 t k 2 t k 2 t k 1 2 k k 2 t 1 1 k k t t t 1 t 2 2 k 2 t 2 1 k k t t t 1 t 2 2 k 2 t k k 1 k t t1 2 1 t 1 1 t 1 t 2 2 k 2 t Back to 98 k t2 k 1 t k t 1 t 1 t 2
107 Arithmetic and Cryptography 105/116 Annexes Table : Hamming weight w(m 1 i,j ) of the inverse of m i modulo m j m j m i 2 k 2 k 1 2 k 2 t k 2 t 1 2 k 2 t k 2 t k 1 2 k k 2 t+1 1 k t+1 2 k 2 t 1 kt k t t 1 2 k 2 t k k 1 k t 2 t+1 t t 1 2 k 2 t + 1 kt k 1 k t t 1 t 1 Back to 98 k t t 1 2 2
108 Arithmetic and Cryptography 106/116 Annexes Pair of 5 Moduli - Parallel mode The dynamical range is M = and M < M m 1 = m 1 = RNS bases m 2 = m 2 = for 5 moduli m 3 = m 3 = (P) m 4 = m 4 = m 5 = m 5 = Back to 98
109 Arithmetic and Cryptography 107/116 Annexes Inverses m 1 i,j in basis B 5 ω(m 1 ) i,j m 1 1,2 = m 1 1,3 = m 1 1,4 = m 1 1,5 = m 1 2,3 = m 1 2,4 = m 1 2,5 = m 1 3,4 = m 1 3,5 = m 1 4,5 = Back to 98
110 Arithmetic and Cryptography 108/116 Annexes Inverses m 1 i,j in basis B 5 ω(m 1 ) i,j m 1 1,2 = m 1 1,3 = m 1 1,4 = m 1 1,5 = m 1 2,3 = m 1 2,4 = m 1 2,5 = m 1 3,4 = m 1 3,5 = m 1 4,5 = Back to 98
111 Arithmetic and Cryptography 109/116 Annexes Annexe F 2 n To compute ψ = F T 1 j mod T i (1) We use the nptation, B j,i (X ) = T j mod T i Thus, (1) becomes ψ = F B 1 j,i mod T i (2) We evaluate (2) like a Montgomery reduction, where B j,i is the Montgomery factor: 1 φ = F T 1 i mod B j,i, (F + φt i multiple of B j,i ) 2 ψ = (F + φ T i )/B j,i (with a division by B j,i ) Back to 98
112 Arithmetic and Cryptography 110/116 Annexes We remark that B j,i (X ) = X t j (X t i t j + 1) for t j < t i In order to evaluate (2), we compute ψ = ) ( 1 (F (X a ) 1 mod T i X b + 1) mod Ti (3) We evaluate F (X a ) 1 mod T i in two steps: Back to 98 φ = F T 1 i mod X a (4) ψ = (F + φ T i ) /X a (5)
113 Arithmetic and Cryptography 111/116 Annexes To end (3), we compute F (X b + 1) 1 mod T i (degree of F is at most d 1) in four steps: Back to 98 F = F mod (X b + 1) (6) φ = F T 1 i mod (X b + 1) (7) ρ = F + φ T i (8) ψ = ρ/(x b + 1) (We have ρ = ψx b + ψ thus ρ mod X b = ψ mod X b ) (9)
114 Arithmetic and Cryptography 112/116 Annexes Annexe F p k Let us consider the first 2k integers: we define E = {0,, k 1} and E = {k,, 2k 1} We can precompute k 1 constants C j = ((e j e 1 )(e j e 2 ) (e j e j 1 )) 1 mod p, for 2 j k and we can evaluate (ˆq 1,, ˆq k ) ˆq 1 = q 1 mod p, ˆq 2 = (q 2 ˆq 1 )C 2 mod p, ˆq 3 = (q 3 (ˆq 1 + 2ˆq 2 ))C 3 mod p, Back to 98 ˆq k = (q k (ˆq 1 + (k 1)(ˆq 2 + (k 2)(ˆq ˆq k 1 ) ))) C k mod p (10)
115 Arithmetic and Cryptography 113/116 Annexes q i = ( ( (ˆq k (e i e k 1 ) + ˆq k 1 )(e i e k 2 ) + + ˆq 2 )(e i ) e 1 ) + ˆq 1 mod p (11) q 1 = (( (ˆq k 2 + ˆq k 1 ) ˆq 2 ) k + ˆq 1 ) mod p, q 2 = (( (ˆq k 3 + ˆq k 1 ) ˆq 2 ) (k + 1) + ˆq 1 ) mod p, (12) q k = (( (ˆq k (k + 1) + ˆq k 1 ) (k + 2) + + ˆq 2 ) (2k 1) + ˆq 1 ) mod p, Back to 98
116 Arithmetic and Cryptography 114/116 Annexes For example the multiplication by 45 = ( ) 2 gives three additions if one considers the NAF, or with only two if one considers its factorization 45 = 9 5 c #A c #A c #A Table : Number of addition (#A) required in the multiplication by some small constants c Back to 98
117 Arithmetic and Cryptography 115/116 Annexes p form of p k l Table : Good candidates for p and k suitable for elliptic curve cryptography and the corresponding key lengths Back to 98
118 Arithmetic and Cryptography 116/116 Références REFERENCES
119 Arithmetic and Cryptography 116/116 Références Miller, V (1985) Use of elliptic curves in cryptography CRYPTO 85: Koblitz, N (1987) Elliptic curve cryptosystems Mathematics of Computation 48 (177): Boneh, Dan; Franklin, Matthew (2003) Identity-based encryption from the Weil pairing SIAM Journal on Computing 32 (3): Joux, Antoine (2004) A one round protocol for tripartite Diffie-Hellman Journal of Cryptology 17 (4): R Lidl and H Niederreiter Finite Fields Addison-Wesley, Reading, 1985
120 Arithmetic and Cryptography 116/116 Références Rudolf Lidl and Harald Niederreiter Introduction to Finite Fields and Their Applications Cambridge University Press, revised edition edition, 1994 Paul Barrett Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor Advances in Cryptology CRYPTO 86 Lecture Notes in Computer Science Volume 263, 1987, pp Montgomery, PL: Modular multiplication without trial division Math Comp 44:170 (1985) M Kaihara and N Takagi Bipartite Modular Multiplication Method IEEE Trans on Computers, vol 57, No 2, , Feb 2007 E Mastrovito VLSI Architectures for Computation in Galois Fields
121 Arithmetic and Cryptography 116/116 Références PhD thesis, Linkoping University, Dept Electr Eng, 1991 H Fan and M A Hasan, A New Approach to Sub-quadratic Space Complexity Parallel Multipliers for Extended Binary Fields, IEEE Trans Computers, vol 56, no 2, pp , Feb 2007 RC Mullin, IM Onyszchuk, SA Vanstone and R Wilson Optimal normal basis in gf (p m ) Discrete Applied Mathematics, 1989 JL Massey and JK Omura Computational Method and Apparatus for Finite Field Arithmetic US patent No 4,587,627, 1986 Hasan, Wang, and Bhargava A modified massey-omura parallel multiplier for a class of finite fields
122 Arithmetic and Cryptography 116/116 Références IEEETC: IEEE Transactions on Computers, 42, 1993 Sebastian TJ Fenn, Mohammed Benaissa and David Taylor gf (2 m ) multiplication and division over the dual basis IEEE Transactions on Computers, 1996 M Anwarul Hasan Huapeng Wu and Ian F Blake New low-complexity bit-parallel finite field multipliers using weakly dual bases IEEE Transactions on Computers, 1998 Takagi, Yoshiki, and Takagi A fast algorithm for multiplicative inversion in GF (2 m ) using normal basis IEEETC: IEEE Transactions on Computers, 50, 2001 Bajard, JC, Didier, LS, Kornerup, P: Modular multiplication and base extension in residue number systems
Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases
1 Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases H. Fan and M. A. Hasan March 31, 2007 Abstract Based on a recently proposed Toeplitz
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationLow complexity bit-parallel GF (2 m ) multiplier for all-one polynomials
Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Yin Li 1, Gong-liang Chen 2, and Xiao-ning Xie 1 Xinyang local taxation bureau, Henan, China. Email:yunfeiyangli@gmail.com, 2 School
More informationReducing the Complexity of Normal Basis Multiplication
Reducing the Complexity of Normal Basis Multiplication Ömer Eǧecioǧlu and Çetin Kaya Koç Department of Computer Science University of California Santa Barbara {omer,koc}@cs.ucsb.edu Abstract In this paper
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationSubquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach
Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team
More informationPARALLEL MULTIPLICATION IN F 2
PARALLEL MULTIPLICATION IN F 2 n USING CONDENSED MATRIX REPRESENTATION Christophe Negre Équipe DALI, LP2A, Université de Perpignan avenue P Alduy, 66 000 Perpignan, France christophenegre@univ-perpfr Keywords:
More informationSubquadratic Space Complexity Multiplication over Binary Fields with Dickson Polynomial Representation
Subquadratic Space Complexity Multiplication over Binary Fields with Dickson Polynomial Representation M A Hasan and C Negre Abstract We study Dickson bases for binary field representation Such representation
More informationChapter 4 Finite Fields
Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationMontgomery Multiplier and Squarer in GF(2 m )
Montgomery Multiplier and Squarer in GF( m ) Huapeng Wu The Centre for Applied Cryptographic Research Department of Combinatorics and Optimization University of Waterloo, Waterloo, Canada h3wu@cacrmathuwaterlooca
More informationSUBQUADRATIC BINARY FIELD MULTIPLIER IN DOUBLE POLYNOMIAL SYSTEM
SUBQUADRATIC BINARY FIELD MULTIPLIER IN DOUBLE POLYNOMIAL SYSTEM Pascal Giorgi, Christophe Nègre 2 Équipe DALI, LP2A, Unversité de Perpignan avenue P. Alduy, F66860 Perpignan, France () pascal.giorgi@univ-perp.fr,
More informationA New Bit-Serial Architecture for Field Multiplication Using Polynomial Bases
A New Bit-Serial Architecture for Field Multiplication Using Polynomial Bases Arash Reyhani-Masoleh Department of Electrical and Computer Engineering The University of Western Ontario London, Ontario,
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationISSN (PRINT): , (ONLINE): , VOLUME-5, ISSUE-7,
HIGH PERFORMANCE MONTGOMERY MULTIPLICATION USING DADDA TREE ADDITION Thandri Adi Varalakshmi Devi 1, P Subhashini 2 1 PG Scholar, Dept of ECE, Kakinada Institute of Technology, Korangi, AP, India. 2 Assistant
More informationCOMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162
COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication
More informationMathematical Foundations of Cryptography
Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography
More informationFinite Fields. Mike Reiter
1 Finite Fields Mike Reiter reiter@cs.unc.edu Based on Chapter 4 of: W. Stallings. Cryptography and Network Security, Principles and Practices. 3 rd Edition, 2003. Groups 2 A group G, is a set G of elements
More informationassume that the message itself is considered the RNS representation of a number, thus mapping in and out of the RNS system is not necessary. This is p
Montgomery Modular Multiplication in Residue Arithmetic Jean-Claude Bajard LIRMM Montpellier, France bajardlirmm.fr Laurent-Stephane Didier Universite de Bretagne Occidentale Brest, France laurent-stephane.didieruniv-brest.fr
More information2WF15 - Discrete Mathematics 2 - Part 1. Algorithmic Number Theory
1 2WF15 - Discrete Mathematics 2 - Part 1 Algorithmic Number Theory Benne de Weger version 0.54, March 6, 2012 version 0.54, March 6, 2012 2WF15 - Discrete Mathematics 2 - Part 1 2 2WF15 - Discrete Mathematics
More informationECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,
More informationEfficient modular arithmetic in Adapted Modular Number System using Lagrange representation
Efficient modular arithmetic in Adapted Modular Number System using Lagrange representation Christophe Negre 1 and Thomas Plantard 2 1 Team DALI, University of Perpignan, France. 2 Centre for Information
More informationFrequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography
Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Selçuk Baktır, Berk Sunar {selcuk,sunar}@wpi.edu Department of Electrical & Computer Engineering Worcester Polytechnic Institute
More informationGalois Fields and Hardware Design
Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationRSA Implementation. Oregon State University
RSA Implementation Çetin Kaya Koç Oregon State University 1 Contents: Exponentiation heuristics Multiplication algorithms Computation of GCD and Inverse Chinese remainder algorithm Primality testing 2
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationA New Algorithm to Compute Terms in Special Types of Characteristic Sequences
A New Algorithm to Compute Terms in Special Types of Characteristic Sequences Kenneth J. Giuliani 1 and Guang Gong 2 1 Dept. of Mathematical and Computational Sciences University of Toronto at Mississauga
More informationOptimal Extension Field Inversion in the Frequency Domain
Optimal Extension Field Inversion in the Frequency Domain Selçuk Baktır, Berk Sunar WPI, Cryptography & Information Security Laboratory, Worcester, MA, USA Abstract. In this paper, we propose an adaptation
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationOn The Weights of Binary Irreducible Cyclic Codes
On The Weights of Binary Irreducible Cyclic Codes Yves Aubry and Philippe Langevin Université du Sud Toulon-Var, Laboratoire GRIM F-83270 La Garde, France, {langevin,yaubry}@univ-tln.fr, WWW home page:
More informationEfficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination
Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination Murat Cenk, Anwar Hasan, Christophe Negre To cite this version: Murat Cenk, Anwar Hasan, Christophe Negre.
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni 1, Christophe Négre 2 and M. Anwar Hasan 1 1 Department of Electrical and Computer Engineering University of Waterloo, Canada 2 Team DALI/ELIAUS
More informationA VLSI Algorithm for Modular Multiplication/Division
A VLSI Algorithm for Modular Multiplication/Division Marcelo E. Kaihara and Naofumi Takagi Department of Information Engineering Nagoya University Nagoya, 464-8603, Japan mkaihara@takagi.nuie.nagoya-u.ac.jp
More informationEfficient Modular Arithmetic in Adapted Modular Number System using Lagrange Representation
Efficient Modular Arithmetic in Adapted Modular Number System using Lagrange Representation Christophe Negre 1, Thomas Plantard 2 1 Team DALI, University of Perpignan, France. 2 Centre for Information
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:
More informationDistributed computation of the number. of points on an elliptic curve
Distributed computation of the number of points on an elliptic curve over a nite prime eld Johannes Buchmann, Volker Muller, Victor Shoup SFB 124{TP D5 Report 03/95 27th April 1995 Johannes Buchmann, Volker
More informationRevisiting Finite Field Multiplication Using Dickson Bases
Revisiting Finite Field Multiplication Using Dickson Bases Bijan Ansari and M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo, Ontario, Canada {bansari,
More informationREDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2
REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2 CHRISTOPHE DOCHE Abstract. In this paper we introduce so-called redundant trinomials to represent elements of nite elds of characteristic 2. The
More informationAn introduction to the algorithmic of p-adic numbers
An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France Outline Introduction 1 Introduction 2 3 4 5 6 7 8 When do we
More informationMath 312/ AMS 351 (Fall 17) Sample Questions for Final
Math 312/ AMS 351 (Fall 17) Sample Questions for Final 1. Solve the system of equations 2x 1 mod 3 x 2 mod 7 x 7 mod 8 First note that the inverse of 2 is 2 mod 3. Thus, the first equation becomes (multiply
More informationFIELD THEORY. Contents
FIELD THEORY MATH 552 Contents 1. Algebraic Extensions 1 1.1. Finite and Algebraic Extensions 1 1.2. Algebraic Closure 5 1.3. Splitting Fields 7 1.4. Separable Extensions 8 1.5. Inseparable Extensions
More informationBSIDES multiplication, squaring is also an important
1 Bit-Parallel GF ( n ) Squarer Using Shifted Polynomial Basis Xi Xiong and Haining Fan Abstract We present explicit formulae and complexities of bit-parallel shifted polynomial basis (SPB) squarers in
More informationLecture notes: Algorithms for integers, polynomials (Thorsten Theobald)
Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures
More informationModular Reduction without Pre-Computation for Special Moduli
Modular Reduction without Pre-Computation for Special Moduli Tolga Acar and Dan Shumow Extreme Computing Group, Microsoft Research, Microsoft One Microsoft Way, Redmond, WA 98052, USA {tolga,danshu}@microsoft.com
More informationA New Approach to Subquadratic Space Complexity Parallel Multipliers for Extended Binary Fields
1 A New Approach to Subquadratic Space Complexity Parallel Multipliers for Extended Binary Fields Haining Fan and M. Anwar Hasan Senior Member, IEEE July 19, 2006 Abstract Based on Toeplitz matrix-vector
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationA note on López-Dahab coordinates
A note on López-Dahab coordinates Tanja Lange Faculty of Mathematics, Matematiktorvet - Building 303, Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark tanja@hyperelliptic.org Abstract López-Dahab
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationNumber Theory in Cryptology
Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,
More informationEfficient multiplication using type 2 optimal normal bases
Efficient multiplication using type 2 optimal normal bases Joachim von zur Gathen 1, Amin Shokrollahi 2, and Jamshid Shokrollahi 3 1 B-IT, Dahlmannstr. 2, Universität Bonn, 53113 Bonn, Germany gathen@bit.uni-bonn.de
More informationFast Polynomial Multiplication
Fast Polynomial Multiplication Marc Moreno Maza CS 9652, October 4, 2017 Plan Primitive roots of unity The discrete Fourier transform Convolution of polynomials The fast Fourier transform Fast convolution
More informationIEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography
IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography Annex A (Informative). Number-Theoretic Background. Copyright 1999 by the Institute of Electrical and Electronics
More informationA field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:
Byte multiplication 1 Field arithmetic A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: F is an abelian group under addition, meaning - F is closed under
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationIEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography
IEEE P1363 / D9 (Draft Version 9) Standard Specifications for Public Key Cryptography Annex A (informative) Number-Theoretic Background Copyright 1997,1998,1999 by the Institute of Electrical and Electronics
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationDickson Polynomials that are Involutions
Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.
More informationFPGA accelerated multipliers over binary composite fields constructed via low hamming weight irreducible polynomials
FPGA accelerated multipliers over binary composite fields constructed via low hamming weight irreducible polynomials C. Shu, S. Kwon and K. Gaj Abstract: The efficient design of digit-serial multipliers
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationEfficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Efficient randomized regular modular exponentiation
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationOutline. Computer Arithmetic for Cryptography in the Arith Group. LIRMM Montpellier Laboratory of Computer Science, Robotics, and Microelectronics
Outline Computer Arithmetic for Cryptography in the Arith Group Arnaud Tisserand LIRMM, CNRS Univ. Montpellier 2 Arith Group Crypto Puces Porquerolles, April 16 18, 2007 Introduction LIRMM Laboratory Arith
More informationGalois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.
Galois fields 1 Fields A field is an algebraic structure in which the operations of addition, subtraction, multiplication, and division (except by zero) can be performed, and satisfy the usual rules. More
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationOn the Number of Trace-One Elements in Polynomial Bases for F 2
On the Number of Trace-One Elements in Polynomial Bases for F 2 n Omran Ahmadi and Alfred Menezes Department of Combinatorics & Optimization University of Waterloo, Canada {oahmadid,ajmeneze}@uwaterloo.ca
More informationEfficient random number generation on FPGA-s
Proceedings of the 9 th International Conference on Applied Informatics Eger, Hungary, January 29 February 1, 2014. Vol. 1. pp. 313 320 doi: 10.14794/ICAI.9.2014.1.313 Efficient random number generation
More informationNUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
NUMBER THEORY Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William
More informationAN IMPROVED LOW LATENCY SYSTOLIC STRUCTURED GALOIS FIELD MULTIPLIER
Indian Journal of Electronics and Electrical Engineering (IJEEE) Vol.2.No.1 2014pp1-6 available at: www.goniv.com Paper Received :05-03-2014 Paper Published:28-03-2014 Paper Reviewed by: 1. John Arhter
More informationImplementation Options for Finite Field Arithmetic for Elliptic Curve Cryptosystems Christof Paar Electrical & Computer Engineering Dept. and Computer Science Dept. Worcester Polytechnic Institute Worcester,
More informationA New Approach to Subquadratic Space Complexity Parallel Multipliers for Extended Binary Fields
1 A New Approach to Subquadratic Space Complexity Parallel Multipliers for Extended Binary Fields Haining Fan and M. Anwar Hasan Senior Member, IEEE January 5, 2006 Abstract Based on Toeplitz matrix-vector
More informationIntegers and Division
Integers and Division Notations Z: set of integers N : set of natural numbers R: set of real numbers Z + : set of positive integers Some elements of number theory are needed in: Data structures, Random
More informationMontgomery Multiplication in GF(2 k ) * **
Designs, Codes and Cryptography, 14(1), 57 69 (April 1998) c April 1998 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands. Montgomery Multiplication in GF(2 k ) * ** ÇETIN K. KOÇ AND
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationHardware implementations of ECC
Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital
More informationCoding Theory ( Mathematical Background I)
N.L.Manev, Lectures on Coding Theory (Maths I) p. 1/18 Coding Theory ( Mathematical Background I) Lector: Nikolai L. Manev Institute of Mathematics and Informatics, Sofia, Bulgaria N.L.Manev, Lectures
More informationMastrovito Form of Non-recursive Karatsuba Multiplier for All Trinomials
1 Mastrovito Form of Non-recursive Karatsuba Multiplier for All Trinomials Yin Li, Xingpo Ma, Yu Zhang and Chuanda Qi Abstract We present a new type of bit-parallel non-recursive Karatsuba multiplier over
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationEfficient Digit-Serial Normal Basis Multipliers over Binary Extension Fields
Efficient Digit-Serial Normal Basis Multipliers over Binary Extension Fields ARASH REYHANI-MASOLEH and M. ANWAR HASAN University of Waterloo In this article, two digit-serial architectures for normal basis
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationLECTURE NOTES IN CRYPTOGRAPHY
1 LECTURE NOTES IN CRYPTOGRAPHY Thomas Johansson 2005/2006 c Thomas Johansson 2006 2 Chapter 1 Abstract algebra and Number theory Before we start the treatment of cryptography we need to review some basic
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationDivision of Trinomials by Pentanomials and Orthogonal Arrays
Division of Trinomials by Pentanomials and Orthogonal Arrays School of Mathematics and Statistics Carleton University daniel@math.carleton.ca Joint work with M. Dewar, L. Moura, B. Stevens and Q. Wang
More informationResidue systems efficiency for modular products summation: Application to Elliptic Curves Cryptography
Residue systems efficiency for modular products summation: Application to Elliptic Curves Cryptography JC Bajard a,s.duquesne b, M Ercegovac c and N Meloni ab a ARITH-LIRMM, CNRS Université Montpellier2,
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationEfficient Computation for Pairing Based
Provisional chapter Chapter 3 Efficient Computation for Pairing Based Cryptography: Efficient Computation A Statefor ofpairing the Art Based Cryptography: A State of the Art Nadia El Mrabet Nadia El Mrabet
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni, Christophe Negre, M. Anwar Hasan To cite this version: Nicolas Méloni, Christophe Negre, M. Anwar Hasan. High Performance GHASH Function
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationOptimal Use of Montgomery Multiplication on Smart Cards
Optimal Use of Montgomery Multiplication on Smart Cards Arnaud Boscher and Robert Naciri Oberthur Card Systems SA, 71-73, rue des Hautes Pâtures, 92726 Nanterre Cedex, France {a.boscher, r.naciri}@oberthurcs.com
More informationECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More information