1. Aritmética Computacional Francisco Rodríguez Henríquez An Introduction to Binary Finite Fields GF(2 m ) By Francisco Rodríguez Henríquez.

2. Aritmética Computacional Francisco Rodríguez Henríquez What is a Field? A field is a set of elements with two custom-defined arithmetic operations: most commonly, addition and multiplication. The elements of the field are an additive abelian group, and the non-zero elements of the field are a multiplicative abelian group. This means that all elements of the field have an additive inverse, and all non-zero elements have a multiplicative inverse. A field is called finite if it has a finite number of elements. The most commonly used finite fields in cryptography are the field F p (where p is a prime number) and the field F 2 m.

3. Aritmética Computacional Francisco Rodríguez Henríquez Finite Fields A finite field or Galois field denoted by GF(q=p n ), is a field with characteristic p, and a number q of elements. As we have seen, such a finite field exists for every prime p and positive integer n, and contains a subfield having p elements. This subfield is called ground field of the original field. For the rest of this class, we will consider only the two most used cases in cryptography: q=p, with p a prime and q=2 m. The former case, GF(p), is denoted as the prime field, whereas the latter, GF(2 m ), is known as the finite field of characteristic two or simply binary field.

4. Aritmética Computacional Francisco Rodríguez Henríquez Finite Fields A finite field is a field with a finite number of elements. The number of elements in a finite field is called the order of the field. Fields of the same order are isomorphic: they display exactly the same algebraic structure differing only in the representation of the elements.

5. Aritmética Computacional Francisco Rodríguez Henríquez The field F 2 m ‘ Plegaria del Codificador teórico: Juro por Galois que seré leal a las nobles tradiciones de la teoría de códigos; que hablaré de ella en el secreto lenguaje sólo conocido por los contados iniciados; y que celosamente vigilaré la sagrada teoría de aquellos que quisieran profanarla para usarla en aplicaciones mundanas”. J. L. Massey Although the description of the field F 2 m is complicated, this field is extremely beautiful and also quite useful, because its computations can be done efficiently when implemented in hardware. There are several ways to describe arithmetic in F 2 m ; the most common one is the so-called polynomial representation.

6. Aritmética Computacional Francisco Rodríguez Henríquez Some definitions Here, we restrict our discussion to the numbers that belongs to the finite field F=GF(2 m ) over K=GF(2). K is also known as the characteristic field. The elements of F are polynomials of degree less than m, with coefficients in K; that is, {a m-1 x m-1 +a m-2 x m-2 +...+a 2 x 2 +a 1 x+a 0 |a i = 0 or 1}. These elements are frequently written in vector form as (a m-1... a 1 a 0 ). F has exactly 2 m -1 nonzero elements plus the zero element.

7. Aritmética Computacional Francisco Rodríguez Henríquez The Binary Field F 2 m A polynomial p in GF(2 m ) is irreducible if p is not a unit element and if p=fg then f or g must be a unit, that is, a constant polynomial. Let us consider a finite field F=GF(2 m ) over K=GF(2). Elements of F: Polynomials of degree less than m, with coefficients in K, such that, {a m-1 x m-1 +a m-2 x m-2 +...+a 2 x 2 +a 1 x+a 0 |a i = 0 or 1}. Fact: The field F has exactly q-1=2 m -1 nonzero elements plus the zero element.

8. Aritmética Computacional Francisco Rodríguez Henríquez Generating polynomial Then, taking advantage of the fact that over GF(2) addition is equivalent to subtraction, we get the important relation The finite field F=GF(2 m ) is completely described by a monic irreducible polynomial, often called generating polynomial, of the form Where k i  GF(2) for i=0,1,…,m-1. Let  be a root of the monic irreducible polynomial in (0), i.e., f(  ) = 0, Then

9. Aritmética Computacional Francisco Rodríguez Henríquez Generating polynomial and polynomial basis Then, we define the polynomial or canonical basis of GF(2 m ) over GF(2) using the primitive element  and its m first powers {1, ,  2,…,  m-1 }, which happen to be linearly independent over GF(2).

10. Aritmética Computacional Francisco Rodríguez Henríquez Polynomial representation Sometimes, it is more convenient to represent a field element using the so-called coordinate representation, Using the canonical basis we can uniquely represent any number A  F=GF(2 m ) as

11. Aritmética Computacional Francisco Rodríguez Henríquez Element’s Representation Where all the coefficients a I 's belong to the characteristic field GF(2). Elements of the field are m-bit strings. The rules for arithmetic in F can be defined by polynomial representation. Since F operates on bit strings, computers can perform arithmetic in this field very efficiently. By using the polynomial basis given in last equation, we can represent any number A  F=GF(2 m ) uniquely by

12. Aritmética Computacional Francisco Rodríguez Henríquez Order definition In fact, this is always the case for any finite field F=GF(2 m ) where we can always define the so-called polynomial basis of GF(2 m ) over GF(2) as as the linearly independent set of the first m powers of  {1, ,  2,…,  m-1 } The order of an element  in F, is defined as the smallest positive integer k such that  k =1. Any finite field always contains at least one element, called a primitive element, which has order q-1. We say that f(x) is a primitive polynomial, if any one of its roots, say , is a primitive element in F. If f(x) is primitive, then all the q elements of F, can be expressed as the union of the zero element and the set of the first q-1 powers of ,

13. Aritmética Computacional Francisco Rodríguez Henríquez An example Example. Let K = GF(2 4 ), F = GF(2), with defining primitive polynomial f(x) given by f(x) = x 4 + x + 1 Then, if  is a root of f(x), we have f(  )=0, which implies that f(  ) =  4 +  + 1 = 0 This equation over GF(2), means that  satisfies the following equation  4 =  + 1. Using the above equation, one can now express each one of the 15 nonzero elements of K over F as is shown in the next table.

14. Aritmética Computacional Francisco Rodríguez Henríquez Discrete log table

15. Aritmética Computacional Francisco Rodríguez Henríquez Finite fields: definitions and operations F 2 m finite field operations : Addition, Squaring, multiplication and inversion

16. Aritmética Computacional Francisco Rodríguez Henríquez Arithmetic in the field F 2 m The irreducible generating polynomial used for these sample calculations is again f(x) =x 4 +x+1. Notice that all the coefficients are reduced modulo 2!! Addition (0110)+(0101)=(0011). Multiplication (1101)  (1001) = (x 3 +x 2 +1)  (x 3 +1) mod f(x) = x 6 +x 5 +2x 3 +x 2 +1 mod f(x) = x 6 +x 5 +x 2 +1 mod f(x) = (x 4 +x+1)(x 2 +x)+(x 3 +x 2 +x+1) mod f(x) = x 3 +x 2 +x+1 = (1111).

17. Aritmética Computacional Francisco Rodríguez Henríquez Arithmetic in the field F 2 m Exponentiation To compute (0010) 4, first find (0010) 2 = (0010)  (0010) = x x mod f(x) = x 2 = (0100). Then (0010) 4 = (0010) 2  (0010) 2 = (0100)  (0100) = x 2  x 2 mod f(x) = (x 4 +x+1)(1)+(x+1) mod f(x) = x + 1 = (0011).

18. Aritmética Computacional Francisco Rodríguez Henríquez Arithmetic in the field F 2 m Multiplicative Inversion The multiplicative identity for the field is  0 = (0001). The multiplicative inverse of  7 = (1011) is  -7 mod 15=  8 mod 15=(0101). To verify this, see that, (1011)  (0101)= (x 3 +x+1) (x 2 +1) mod f(x) = x 5 +x 2 +x+1 mod f(x) = (x 4 +x+1)(x)+(1) mod f(x) = 1 = (0001) Which is the multiplicative identity.

19. Aritmética Computacional Francisco Rodríguez Henríquez Field multipliers

20. Aritmética Computacional Francisco Rodríguez Henríquez Two-steps Multipliers In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x), B(x) and (x)  GF(2 m ) and P(x) be the irreducible field generator polynomial. In order to compute the modular product we first obtain the product polynomial C(x), of degree at most 2m-2, as Polynomial product 2m-1 coordinates Reduction step m coordinates Then, in the second step, a reduction operation is performed in order to obtain the m-1 degree polynomial C’(x) is defined as

21. Aritmética Computacional Francisco Rodríguez Henríquez Squaring over GF(2 m )

22. Aritmética Computacional Francisco Rodríguez Henríquez GF(2 m ) Squarer In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x)  GF(2 m ) be an arbitrary element in the field and P(x) be the irreducible field generator polynomial. In order to compute the modular square of the element A(x) we first obtain the polynomial product C(x), of degree at most 2m-2, as Polynomial product 2m-1 coordinates Reduction step m coordinates Then, in a second step, a reduction operation is performed in order to obtain the m-1 degree polynomial C’(x) defined as

23. Aritmética Computacional Francisco Rodríguez Henríquez Squaring: Example Let A be an element of the finite field F=GF(2 5 ). Then, the square of A is given as, a 4 0 a 3 0 a 2 0 a 1 0 a 0 In general, for an arbitrary element A in the field F=GF(2 5 ), we have, a 4 a 3 a 2 a 1 a 0 * a 4 a 3 a 2 a 1 a 0

24. Aritmética Computacional Francisco Rodríguez Henríquez Squaring: Software Solution rct_word sqr_table_low[256] = { 0, 1, 4, 5, 16, 17, 20, 21, 64 65, 68, 69, 80, 81, 84, 85, 256, 257, 260, 261, 272, 273, 276, 277, 320, 321, 324, 325, 336, 337, 340, 341, 1024, 1025, 1028, 1029, 1040, 1041, 1044, 1045, 1088, 1089, 1092, 1093, 1104, 1105, 1108, 1109, 1280, 1281, 1284, 1285, 1296, 1297, 1300, 1301, 1344, 1345, 1348, 1349, 1360, 1361, 1364, 1365, 4096, 4097, 4100, 4101, 4112, 4113, 4116, 4117, 4160, 4161, 4164, 4165, 4176, 4177, 4180, 4181, 4352, 4353, 4356, 4357, 4368, 4369, 4372, 4373, 4416, 4417, 4420, 4421, 4432, 4433, 4436, 4437, 5120, 5121, 5124, 5125, 5136, 5137, 5140, 5141, 5184, 5185, 5188, 5189, 5200, 5201, 5204, 5205, 5376, 5377, 5380, 5381, 5392, 5393, 5396, 5397, 5440, 5441, 5444, 5445, 5456, 5457, 5460, 5461, 16384, 16385, 16388, 16389, 16400, 16401, 16404, 16405, 16448, 16449, 16452, 16453, 16464, 16465, 16468, 16469, 16640, 16641, 16644, 16645, 16656, 16657, 16660, 16661, 16704, 16705, 16708, 16709, 16720, 16721, 16724, 16725, 17408, 17409, 17412, 17413, 17424, 17425, 17428, 17429, 17472, 17473, 17476, 17477, 17488, 17489, 17492, 17493, 17664, 17665, 17668, 17669, 17680, 17681, 17684, 17685, 17728, 17729, 17732, 17733, 17744, 17745, 17748, 17749, 20480, 20481, 20484, 20485, 20496, 20497, 20500, 20501, 20544, 20545, 20548, 20549, 20560, 20561, 20564, 20565, 20736, 20737, 20740, 20741, 20752, 20753, 20756, 20757, 20800, 20801, 20804, 20805, 20816, 20817, 20820, 20821, 21504, 21505, 21508, 21509, 21520, 21521, 21524, 21525, 21568, 21569, 21572, 21573, 21584, 21585, 21588, 21589, 21760, 21761, 21764, 21765, 21776, 21777, 21780, 21781, 21824, 21825, 21828, 21829, 21840, 21841, 21844, 21845 };

25. Aritmética Computacional Francisco Rodríguez Henríquez Squaring: Software Implementation void rce_FieldSqr2k_Random(rct_word *ax, rct_word *tx, rce_context *cntxt, rct_octet *offsetptr) { rct_index i; rct_word C, S; rct_index wlen, blen_p; rct_word *tmp; wlen = cntxt->ecp->wlen; blen_p = cntxt->ecp->blen_p; tmp = (rct_word *) offsetptr; tmp[0]=0; tmp[1]=0; for (i=0; i<wlen; i++) { S = sqr_table_low[(ax[i]&0xff)]; S ^= (sqr_table_low[(ax[i]>>8)&0xff]<<16); C = sqr_table_low[(ax[i]>>16)&0xff]; C ^= (sqr_table_low[(ax[i]>>24)&0xff]<<16); tmp[i*2] = S; tmp[i*2+1] = C; } RCE_FIELD_REDUC2K(cntxt) (tmp, blen_p, cntxt->ecp->poly); //rce_residue2k(tmp, blen_p, cntxt->ecp->poly); for (i=0; i<wlen; i++) tx[i] = tmp[i]; }

26. Aritmética Computacional Francisco Rodríguez Henríquez Second step: reduction Problem: Given the polynomial product C(x) with at most, 2m-1, obtain the modular product C' with m coordinates, using the generating irreducible polynomial P(x). Notice that since we are interested in the polynomial reminder of the above equation, we can safely add any multiple of P(x) to C(x) without altering the desired result. This simple observation suggest the following algorithm that can reduce k bits of the polynomial product C at once.

27. Aritmética Computacional Francisco Rodríguez Henríquez Second step: reduction Let us assume that the m+1 and 2m-1 coordinates of P(x) and C(x), respectively, are distributed as follows: Then, there always exists a k-bit constant scalar S, such that where 0 < k <m. Notice that all the k MSB of SP become identical to the corresponding ones of the number C. By left shifting the number SP exactly Shift = 2m-2-k-1 positions, we effectively reduce the number in C by k bit.

28. Aritmética Computacional Francisco Rodríguez Henríquez Software reduction implementation Addition operations < 4wlen; SHIFT operations < 4wlen; Comparisons = 2wlen. 2m-1 coordinates

29. Aritmética Computacional Francisco Rodríguez Henríquez A = 1111 A 2 = 1010101 Squaring: Polynomial Multiplication Step FPGA Implementation [by Nazar Saqib]

30. Aritmética Computacional Francisco Rodríguez Henríquez Squaring: Reduction Step FPGA Implementation [by Nazar Saqib]

31. Aritmética Computacional Francisco Rodríguez Henríquez Full Parallel Multipliers over GF(2 m )

32. Aritmética Computacional Francisco Rodríguez Henríquez Modular multiplication for software applications 1. Polynomial multiplication: Look-up tables Karatsuba Karatsuba/Look-up tables 1. Polynomial multiplication: Look-up tables Karatsuba Karatsuba/Look-up tables 2. Reduction step: Standard reduction trinomials & pentanomials General irreducible polynomials Montgomery reduction trinomials & pentanomials General irreducible polynomials 2. Reduction step: Standard reduction trinomials & pentanomials General irreducible polynomials Montgomery reduction trinomials & pentanomials General irreducible polynomials Modular Multiplication Software

33. Aritmética Computacional Francisco Rodríguez Henríquez Polynomial multiplication: classical algorithm AND gates = m 2 XOR gates = (m-1) 2 Time delay = AND gates = m 2 XOR gates = (m-1) 2 Time delay =

34. Aritmética Computacional Francisco Rodríguez Henríquez Polynomial multiplication: Karatsuba Multipliers Karatsuba's algorithm is based on the idea that the polynomial product C=AB can be written as, It can be computed with 3 poly mults and 4 poly additions. Best results obtained by using a combination of classic and Karatsuba strategies. By using this idea recursively, one can obtain O(m log 2 3 ) space complexities.

35. Aritmética Computacional Francisco Rodríguez Henríquez 2 k n-bit Karatsuba Multipliers

36. Aritmética Computacional Francisco Rodríguez Henríquez 2kn-bit Karatsuba Multipliers There are some asymptotically faster methods for polynomial multiplications, such as the Karatsuba-Ofman algorithm. Discovered in 1962, it was the first algorithm able to accomplish polynomial multiplication under O(m 2 ) operations. Karatsuba's algorithm is based on the idea that the polynomial product C=AB can be written as,

37. Aritmética Computacional Francisco Rodríguez Henríquez 2kn-bit Karatsuba Multipliers last equation can be carried out at the cost of only 3 polynomial multiplications and four polynomial additions. Of course, Karatsuba strategy can be applied recursively to the three polynomial multiplications of last equation. By applying this strategy recursively, it is possible to achieve a polynomial complexity of Best results can be obtained by combining classical method with Karatsuba strategy.

38. February 2000 Francisco Rodríguez Henríquez Procedure Kmul2 k (C, A, B) Input: Two elements A,B ЄGF(2 m ) with m=rn=2 k n, and where A, B can be expressed as, Output: A polynomial C=AB with up to 2m-1 coordinates, where C=x m C H +C L..

39. Aritmética Computacional Francisco Rodríguez Henríquez 2kn-bit Karatsuba Multipliers It can be shown that the space and time complexities of a m=2 k n-bit Karatsuba multiplier combined with a classical method are given as,

40. Aritmética Computacional Francisco Rodríguez Henríquez Space and Time complexities mrnAND gatesXOR gatesTime Delay Area (NAND units) 11110TATA 1.26 21241T X +T A 7.2 4141692T X +T A 40.0 82448556T X +T A 181.5 164414422510T X +T A 676.4 328443279914T X +T A 2302.1 641641296264918T X +T A 7460.8 1283243888845522T X +T A 23499.9 256644116642638526T X +T A 72743.6 5121284349928119930T X +T A 222727.7

41. Aritmética Computacional Francisco Rodríguez Henríquez Space complexity of hybrid Karatsuba multipliers for arbitrary m using n=1, 2, 3

42. Aritmética Computacional Francisco Rodríguez Henríquez Binary Karatsuba Multipliers

43. Aritmética Computacional Francisco Rodríguez Henríquez Binary Karatsuba Multipliers Problem: Find an efficient Karatsuba strategy for the multiplication of two polynomials A, B  GF(2 m ), such that m = 2 k + d, d  0. Basic Idea: Pretend that both operands are polynomials with degree m’ = 2 (k+1), and use normal Karatsuba approach for two of the three required polynomial multiplications, i.e., given

44. Aritmética Computacional Francisco Rodríguez Henríquez Binary Karatsuba Multipliers Compute the two 2 k -bit polynomial multiplications: While the remaining d-bit polynomial multiplication A H B H can be computed using a -bit Karatsuba multiplier in a recursive manner (since the leftover d bits can be expressed as, d = 2 k1 +d 1 ).

45. Aritmética Computacional Francisco Rodríguez Henríquez Binary Karatsuba Multipliers The above outlined strategy yields a Binary Karatsuba scheme where the hamming weight of the original m will determine the number of recursive iterations to be used by the algorithm.

46. Aritmética Computacional Francisco Rodríguez Henríquez An Example

47. Aritmética Computacional Francisco Rodríguez Henríquez An Example As a design example, let us consider the polynomial multiplication of the elements A and B  GF(2193). Since (193) 2 = 11000001, the Hamming weight of m is h = 3. This will imply that we need a total of three iterations in order to compute the multiplication using the generalized m-bit binary Karatsuba multiplier. Additionally we notice that for this case, m = 193 =2 7 +65.

48. Aritmética Computacional Francisco Rodríguez Henríquez 193-bit binary Karatsuba Multiplier XOR gates = 20524 AND gates = 9201 Time delay = 13.5 nS

49. Aritmética Computacional Francisco Rodríguez Henríquez An Example Where we have assumed that the above circuit has been implemented using a 1.2  CMOS technology, where we have that the time delays associated to the AND, XOR logic gates are given as: TA  Tx=0.5 nS. Next slide shows a comparison between the proposed binary Karatsuba approach and the more traditional hybrid approach discussed previously.

50. Aritmética Computacional Francisco Rodríguez Henríquez Field Multiplication Preliminary results yield a time delay of 50-70  Sec and  9K Slices of hardware resources utilization.

51. Aritmética Computacional Francisco Rodríguez Henríquez Binary and hybrid Karatsuba multipliers’ area complexity

52. Aritmética Computacional Francisco Rodríguez Henríquez Second step: reduction Problem: Given the polynomial product C(x) with at most, 2m-1, obtain the modular product C' with m coordinates, using the generating irreducible polynomial P(x). The computational complexity of the reduction operation is linearly proportional to the Hamming weight (the number of nonzero terms) of the generating irreducible polynomial.

53. Aritmética Computacional Francisco Rodríguez Henríquez Field multipliers using special irreducible polynomials Field multipliers Equally-spaced polynomialstrinomialspentanomials There exist for only 468 degrees m, less than 1024 ( 45%) There exist for only 468 degrees m, less than 1024 ( 45%) There exist for only 81 degrees m, less than 1024 ( 8%) There exist for only 81 degrees m, less than 1024 ( 8%) There exists at least one for any degree m>3 There exists at least one for any degree m>3

54. Aritmética Computacional Francisco Rodríguez Henríquez Performance criteria and element representation the amount of memory required for the algorithm (memory requirements) the total time required for execution (speed) and; The most important measures of the performance for software implementations of the arithmetic operations in the Galois field GF(2 m ) are,

55. Aritmética Computacional Francisco Rodríguez Henríquez Second step: reduction Problem: Given the polynomial product C(x) with at most, 2m-1, obtain the modular product C' with m coordinates, using the generating irreducible polynomial P(x). Notice that since we are interested in the polynomial reminder of the above equation, we can safely add any multiple of P(x) to C(x) without altering the desired result. This simple observation suggest the following algorithm that can reduce k bits of the polynomial product C at once.

56. Aritmética Computacional Francisco Rodríguez Henríquez Second step: reduction Let us assume that the m+1 and 2m-1 coordinates of P(x) and C(x), respectively, are distributed as follows: Then, there always exists a k-bit constant scalar S, such that where 0 < k <m. Notice that all the k MSB of SP become identical to the corresponding ones of the number C. By left shifting the number SP exactly Shift = 2m-2-k-1 positions, we effectively reduce the number in C by k bit.

57. Aritmética Computacional Francisco Rodríguez Henríquez Standard reduction for trinomials and pentanomials Addition operations < 4wlen; SHIFT operations < 4wlen; Comparisons = 2wlen. 2m-1 coordinates

58. Aritmética Computacional Francisco Rodríguez Henríquez Exercises 0)Consider the polynomial Find if F=GF(5 5 ) constructed using f as a generating polynomial, is a field or not. 1)Consider the polynomial a)Show that P(x) forms a field in GF(2 m ). b)Find whether P(  ) is a primitive root or not. c)Find a primitive element in the field.

59. Aritmética Computacional Francisco Rodríguez Henríquez Exercises 2) Consider the polynomial a)Show that P(x) forms a field in GF(2 m ). b)Is P(x) a primitive polynomial? c)Find  47 as a polynomial of degree less or equal to 5. d)Find the positive number k that satisfies: