Modern Cryptography and its applications: An Introduction

innocentsickAI and Robotics

Nov 21, 2013


Aritmética Computacional
Francisco Rodríguez Henríquez

An Introduction to Binary Finite Fields GF(2^m)

By Francisco Rodríguez Henríquez.



What is a Field?

A field is a set of elements with two custom-defined arithmetic operations: most commonly, addition and multiplication. The elements of the field are an additive abelian group, and the non-zero elements of the field are a multiplicative abelian group. This means that all elements of the field have an additive inverse, and all non-zero elements have a multiplicative inverse.

A field is called finite if it has a finite number of elements. The most commonly used finite fields in cryptography are the field F_p (where p is a prime number) and the field F_{2^m}.



Finite Fields

A finite field or Galois field, denoted by GF(q = p^n), is a field with characteristic p and a number q of elements. As we have seen, such a finite field exists for every prime p and positive integer n, and contains a subfield having p elements. This subfield is called the ground field of the original field.

For the rest of this class, we will consider only the two most used cases in cryptography: q = p, with p a prime, and q = 2^m. The former case, GF(p), is denoted as the prime field, whereas the latter, GF(2^m), is known as the finite field of characteristic two or simply binary field.


Finite Fields

A finite field is a field with a finite number of elements. The number of elements in a finite field is called the order of the field. Fields of the same order are isomorphic: they display exactly the same algebraic structure, differing only in the representation of the elements.


The field F_{2^m}

"Coding theorist's prayer: I swear by Galois that I will be loyal to the noble traditions of coding theory; that I will speak of it in the secret language known only to the few initiated; and that I will jealously guard the sacred theory from those who would profane it by using it in mundane applications."

J. L. Massey

Although the description of the field F_{2^m} is complicated, this field is extremely beautiful and also quite useful, because its computations can be done efficiently when implemented in hardware. There are several ways to describe arithmetic in F_{2^m}; the most common one is the so-called polynomial representation.



Some definitions

Here, we restrict our discussion to the numbers that belong to the finite field F = GF(2^m) over K = GF(2). K is also known as the characteristic field. The elements of F are polynomials of degree less than m, with coefficients in K; that is,

  {a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_2 x^2 + a_1 x + a_0 | a_i = 0 or 1}.

These elements are frequently written in vector form as (a_{m-1} ... a_1 a_0).

F has exactly 2^m - 1 nonzero elements plus the zero element.


The Binary Field F_{2^m}

A polynomial p in GF(2^m) is irreducible if p is not a unit element and, whenever p = fg, then f or g must be a unit, that is, a constant polynomial.

Let us consider a finite field F = GF(2^m) over K = GF(2).

Elements of F: polynomials of degree less than m, with coefficients in K, such that

  {a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_2 x^2 + a_1 x + a_0 | a_i = 0 or 1}.

Fact: the field F has exactly q - 1 = 2^m - 1 nonzero elements plus the zero element.



Generating polynomial

The finite field F = GF(2^m) is completely described by a monic irreducible polynomial, often called generating polynomial, of the form

  f(x) = x^m + k_{m-1} x^{m-1} + k_{m-2} x^{m-2} + ... + k_2 x^2 + k_1 x + k_0,      (0)

where k_i ∈ GF(2) for i = 0, 1, ..., m-1. Let α be a root of the monic irreducible polynomial in (0), i.e., f(α) = 0. Then

  f(α) = α^m + k_{m-1} α^{m-1} + k_{m-2} α^{m-2} + ... + k_2 α^2 + k_1 α + k_0 = 0.

Then, taking advantage of the fact that over GF(2) addition is equivalent to subtraction, we get the important relation

  α^m = k_{m-1} α^{m-1} + k_{m-2} α^{m-2} + ... + k_1 α + k_0 = Σ_{i=0}^{m-1} k_i α^i.


Generating polynomial and polynomial basis

Then, we define the polynomial or canonical basis of GF(2^m) over GF(2) using the primitive element α and its m first powers

  {1, α, α^2, ..., α^{m-1}},

which happen to be linearly independent over GF(2).




Polynomial representation

Using the canonical basis we can uniquely represent any number A ∈ F = GF(2^m) as

  A = Σ_{i=0}^{m-1} a_i α^i = a_{m-1} α^{m-1} + a_{m-2} α^{m-2} + ... + a_1 α + a_0      (polynomial representation).

Sometimes, it is more convenient to represent a field element using the so-called coordinate representation,

  A = (a_{m-1}, a_{m-2}, ..., a_1, a_0)      (coordinate representation).



Element's Representation

By using the polynomial basis given in the last equation, we can represent any number A ∈ F = GF(2^m) uniquely by

  A = Σ_{i=0}^{m-1} a_i α^i,

where all the coefficients a_i belong to the characteristic field GF(2). Elements of the field are m-bit strings. The rules for arithmetic in F can be defined by polynomial representation. Since F operates on bit strings, computers can perform arithmetic in this field very efficiently.


Order definition

The order of an element α in F is defined as the smallest positive integer k such that α^k = 1. Any finite field always contains at least one element, called a primitive element, which has order q - 1. We say that f(x) is a primitive polynomial if any one of its roots, say α, is a primitive element in F. If f(x) is primitive, then all the q elements of F can be expressed as the union of the zero element and the set of the first q - 1 powers of α,

  F = {0} ∪ {1, α, α^2, α^3, ..., α^{q-2}}.

In fact, this is always the case for any finite field F = GF(2^m), where we can always define the so-called polynomial basis of GF(2^m) over GF(2) as the linearly independent set of the first m powers of α, {1, α, α^2, ..., α^{m-1}}.



An example

Example. Let K = GF(2^4), F = GF(2), with defining primitive polynomial f(x) given by

  f(x) = x^4 + x + 1.

Then, if α is a root of f(x), we have f(α) = 0, which implies that

  f(α) = α^4 + α + 1 = 0.

This equation over GF(2) means that α satisfies the following equation

  α^4 = α + 1.

Using the above equation, one can now express each one of the 15 nonzero elements of K over F as is shown in the next table.


Discrete log table

  i     α^i                          Coordinates
  0     1                            (0 0 0 1)
  1     α                            (0 0 1 0)
  2     α^2                          (0 1 0 0)
  3     α^3                          (1 0 0 0)
  4     α^4  = α + 1                 (0 0 1 1)
  5     α^5  = α^2 + α               (0 1 1 0)
  6     α^6  = α^3 + α^2             (1 1 0 0)
  7     α^7  = α^3 + α + 1           (1 0 1 1)
  8     α^8  = α^2 + 1               (0 1 0 1)
  9     α^9  = α^3 + α               (1 0 1 0)
  10    α^10 = α^2 + α + 1           (0 1 1 1)
  11    α^11 = α^3 + α^2 + α         (1 1 1 0)
  12    α^12 = α^3 + α^2 + α + 1     (1 1 1 1)
  13    α^13 = α^3 + α^2 + 1         (1 1 0 1)
  14    α^14 = α^3 + 1               (1 0 0 1)

Finite fields: definitions and operations

F_{2^m} finite field operations: addition, squaring, multiplication and inversion.


Arithmetic in the field F_{2^m}

The irreducible generating polynomial used for these sample calculations is again f(x) = x^4 + x + 1.

Notice that all the coefficients are reduced modulo 2!!

Addition

  (0110) + (0101) = (0011).

Multiplication

  (1101) · (1001) = (x^3 + x^2 + 1) · (x^3 + 1) mod f(x)
                  = x^6 + x^5 + 2x^3 + x^2 + 1 mod f(x)
                  = x^6 + x^5 + x^2 + 1 mod f(x)
                  = (x^4 + x + 1)(x^2 + x) + (x^3 + x^2 + x + 1) mod f(x)
                  = x^3 + x^2 + x + 1
                  = (1111).



Arithmetic in the field F_{2^m}

Exponentiation

To compute (0010)^4, first find

  (0010)^2 = (0010) · (0010)
           = x · x mod f(x)
           = x^2
           = (0100).

Then

  (0010)^4 = (0010)^2 · (0010)^2
           = (0100) · (0100)
           = x^2 · x^2 mod f(x)
           = (x^4 + x + 1)(1) + (x + 1) mod f(x)
           = x + 1
           = (0011).


Arithmetic in the field F_{2^m}

Multiplicative Inversion

The multiplicative identity for the field is α^0 = (0001). The multiplicative inverse of α^7 = (1011) is α^(-7 mod 15) = α^(8 mod 15) = (0101).

To verify this, see that

  (1011) · (0101) = (x^3 + x + 1)(x^2 + 1) mod f(x)
                  = x^5 + x^2 + x + 1 mod f(x)
                  = (x^4 + x + 1)(x) + (1) mod f(x)
                  = 1
                  = (0001),

which is the multiplicative identity.
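The arithmetic of the preceding slides (polynomial representation, the discrete log table, multiplication, exponentiation and inversion modulo f(x) = x^4 + x + 1), as an added Python example that is not part of the original slides. Field elements are Python ints whose bit i is the coefficient of α^i, so (1011) is 0b1011; the function names (gf_mul, discrete_log_table, element_order, ...) are my own, while the field polynomial and the values checked are the slides'.

```python
# Added example (not from the slides): GF(2^m) arithmetic in polynomial
# representation.  An element is an int, bit i = coefficient of alpha^i.
# Defaults are the slides' GF(2^4) with f(x) = x^4 + x + 1.

M = 4                  # field degree m
F_POLY = 0b10011       # f(x) = x^4 + x + 1, the slides' generating polynomial

def gf_add(a, b):
    """Addition: coefficient-wise XOR (coefficients reduced modulo 2)."""
    return a ^ b

def gf_mul(a, b, m=M, f=F_POLY):
    """Shift-and-add multiplication; whenever a reaches degree m, x^m is
    replaced by the lower terms of f(x) (the relation alpha^m = sum k_i alpha^i)."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:             # degree m reached: subtract (XOR) f(x)
            a ^= f
    return r

def gf_pow(a, e, m=M, f=F_POLY):
    """Square-and-multiply exponentiation."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m, f)
        a = gf_mul(a, a, m, f)
        e >>= 1
    return r

def gf_inv(a, m=M, f=F_POLY):
    """a^-1 = a^(q-2): every nonzero a satisfies a^(q-1) = 1, q = 2^m."""
    if a == 0:
        raise ZeroDivisionError("zero has no multiplicative inverse")
    return gf_pow(a, (1 << m) - 2, m, f)

def discrete_log_table(m=M, f=F_POLY):
    """table[i] = alpha^i for i = 0..q-2, alpha = x a root of f (the slides' table)."""
    alpha = 0b10
    table, cur = [], 1
    for _ in range((1 << m) - 1):
        table.append(cur)
        cur = gf_mul(cur, alpha, m, f)
    return table

def is_primitive(m=M, f=F_POLY):
    """f is primitive iff the powers of alpha run through all q-1 nonzero elements."""
    return len(set(discrete_log_table(m, f))) == (1 << m) - 1

def element_order(a, m=M, f=F_POLY):
    """Smallest positive k with a^k = 1 (the order of a)."""
    if a == 0:
        raise ValueError("zero has no multiplicative order")
    k, cur = 1, a
    while cur != 1:
        cur = gf_mul(cur, a, m, f)
        k += 1
    return k

def gf_inv_by_log(a, m=M, f=F_POLY):
    """Inverse via the log table: alpha^i has inverse alpha^(-i mod q-1)."""
    table = discrete_log_table(m, f)
    i = table.index(a)
    return table[(-i) % ((1 << m) - 1)]
```

With f(x) = x^4 + x^3 + x^2 + x + 1 instead (irreducible but not primitive), is_primitive(4, 0b11111) returns False because α then has order 5, which is why the slides insist on a primitive polynomial before building the log table.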




Field multipliers


Two-step Multipliers

In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x), B(x) and C'(x) ∈ GF(2^m), and let P(x) be the irreducible field generator polynomial.

In order to compute the modular product we first obtain the product polynomial C(x), of degree at most 2m - 2, as

  C(x) = A(x) B(x) = (Σ_{i=0}^{m-1} a_i x^i) (Σ_{i=0}^{m-1} b_i x^i)      [polynomial product: 2m - 1 coordinates]

Then, in the second step, a reduction operation is performed in order to obtain the degree m - 1 polynomial C'(x), defined as

  C'(x) = C(x) mod P(x)      [reduction step: m coordinates]


Squaring over GF(2^m)


GF(2^m) Squarer

In most algorithms the modular product is computed in two steps: polynomial multiplication followed by modular reduction. Let A(x) ∈ GF(2^m) be an arbitrary element in the field and P(x) be the irreducible field generator polynomial.

In order to compute the modular square of the element A(x) we first obtain the polynomial product C(x), of degree at most 2m - 2, as

  C(x) = A(x) A(x) = (Σ_{i=0}^{m-1} a_i x^i) (Σ_{i=0}^{m-1} a_i x^i)      [polynomial product: 2m - 1 coordinates]

Then, in a second step, a reduction operation is performed in order to obtain the degree m - 1 polynomial C'(x), defined as

  C'(x) = C(x) mod P(x)      [reduction step: m coordinates]


Squaring: Example

Let A be an element of the finite field F = GF(2^5). Then, the square of A is given as,

  A   = a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0,
  A^2 = a_4 x^8 + a_3 x^6 + a_2 x^4 + a_1 x^2 + a_0 = (a_4 0 a_3 0 a_2 0 a_1 0 a_0).

Writing out the schoolbook product (a_4 a_3 a_2 a_1 a_0) * (a_4 a_3 a_2 a_1 a_0), every cross term a_i a_j with i ≠ j appears twice (once in row i, once in row j) and cancels modulo 2; only the diagonal terms a_i a_i = a_i survive, in the even positions x^{2i}.

In general, for an arbitrary element A in the field F = GF(2^5), we have,

  C(x) = A(x) A(x) = (Σ_{i=0}^{m-1} a_i x^i)(Σ_{i=0}^{m-1} a_i x^i) = Σ_{i=0}^{m-1} a_i x^{2i}.

Squaring: Software Solution

Each entry of the table is its index with a zero bit interleaved after every bit, i.e. the square of the 8-bit polynomial over GF(2):

rct_word sqr_table_low[256] = {
  0, 1, 4, 5, 16, 17, 20, 21, 64, 65, 68, 69, 80, 81, 84, 85,
  256, 257, 260, 261, 272, 273, 276, 277, 320, 321, 324, 325, 336, 337, 340, 341,
  1024, 1025, 1028, 1029, 1040, 1041, 1044, 1045, 1088, 1089, 1092, 1093, 1104, 1105, 1108, 1109,
  1280, 1281, 1284, 1285, 1296, 1297, 1300, 1301, 1344, 1345, 1348, 1349, 1360, 1361, 1364, 1365,
  4096, 4097, 4100, 4101, 4112, 4113, 4116, 4117, 4160, 4161, 4164, 4165, 4176, 4177, 4180, 4181,
  4352, 4353, 4356, 4357, 4368, 4369, 4372, 4373, 4416, 4417, 4420, 4421, 4432, 4433, 4436, 4437,
  5120, 5121, 5124, 5125, 5136, 5137, 5140, 5141, 5184, 5185, 5188, 5189, 5200, 5201, 5204, 5205,
  5376, 5377, 5380, 5381, 5392, 5393, 5396, 5397, 5440, 5441, 5444, 5445, 5456, 5457, 5460, 5461,
  16384, 16385, 16388, 16389, 16400, 16401, 16404, 16405, 16448, 16449, 16452, 16453, 16464, 16465, 16468, 16469,
  16640, 16641, 16644, 16645, 16656, 16657, 16660, 16661, 16704, 16705, 16708, 16709, 16720, 16721, 16724, 16725,
  17408, 17409, 17412, 17413, 17424, 17425, 17428, 17429, 17472, 17473, 17476, 17477, 17488, 17489, 17492, 17493,
  17664, 17665, 17668, 17669, 17680, 17681, 17684, 17685, 17728, 17729, 17732, 17733, 17744, 17745, 17748, 17749,
  20480, 20481, 20484, 20485, 20496, 20497, 20500, 20501, 20544, 20545, 20548, 20549, 20560, 20561, 20564, 20565,
  20736, 20737, 20740, 20741, 20752, 20753, 20756, 20757, 20800, 20801, 20804, 20805, 20816, 20817, 20820, 20821,
  21504, 21505, 21508, 21509, 21520, 21521, 21524, 21525, 21568, 21569, 21572, 21573, 21584, 21585, 21588, 21589,
  21760, 21761, 21764, 21765, 21776, 21777, 21780, 21781, 21824, 21825, 21828, 21829, 21840, 21841, 21844, 21845
};


Squaring: Software Implementation

void rce_FieldSqr2k_Random(rct_word *ax, rct_word *tx, rce_context *cntxt,
                           rct_octet *offsetptr)
{
    rct_index i;
    rct_word C, S;
    rct_index wlen, blen_p;
    rct_word *tmp;

    wlen = cntxt->ecp->wlen;        /* number of 32-bit words per field element */
    blen_p = cntxt->ecp->blen_p;    /* bit length of the generating polynomial */

    tmp = (rct_word *) offsetptr;   /* scratch buffer for the 2*wlen-word product */
    tmp[0] = 0; tmp[1] = 0;

    /* Step 1: square each 32-bit word one byte at a time using the table.
       The two low bytes produce the low result word S, the two high bytes
       the high result word C (each byte squares to 16 bits). */
    for (i = 0; i < wlen; i++) {
        S = sqr_table_low[(ax[i] & 0xff)];
        S ^= (sqr_table_low[(ax[i] >> 8) & 0xff] << 16);
        C = sqr_table_low[(ax[i] >> 16) & 0xff];
        C ^= (sqr_table_low[(ax[i] >> 24) & 0xff] << 16);
        tmp[i*2] = S; tmp[i*2+1] = C;
    }

    /* Step 2: reduce the 2*wlen-word product modulo the field polynomial. */
    RCE_FIELD_REDUC2K(cntxt) (tmp, blen_p, cntxt->ecp->poly);
    //rce_residue2k(tmp, blen_p, cntxt->ecp->poly);

    for (i = 0; i < wlen; i++) tx[i] = tmp[i];
}
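The table-driven squarer of the last two slides, re-created in Python as an added example (this is my code, not the rce_* library's): the table is regenerated by interleaving a zero after every bit of the index, 32-bit words are squared a byte at a time exactly as in the C loop, and the unreduced product is then reduced bit-serially (a plain stand-in for RCE_FIELD_REDUC2K). Names such as spread_bits, square_words and gf_square are mine; the word size, the byte-wise table and the checked values (A = 1111, A^2 = 1010101) come from the slides.

```python
# Added example (not the slides' code): squaring over GF(2^m) with the
# sqr_table_low table and the word-wise loop of rce_FieldSqr2k_Random.

def spread_bits(b):
    """Interleave a zero after every bit of the byte b: bit i -> bit 2i.
    This is b(x)^2 over GF(2), since cross terms cancel in characteristic 2."""
    r = 0
    for i in range(8):
        if (b >> i) & 1:
            r |= 1 << (2 * i)
    return r

SQR_TABLE_LOW = [spread_bits(b) for b in range(256)]   # equals the slides' table

def square_words(ax, wlen):
    """Square a polynomial held as wlen little-endian 32-bit words; returns the
    2*wlen-word unreduced product, mirroring the C loop (S = low word, C = high)."""
    tmp = [0] * (2 * wlen)
    for i in range(wlen):
        w = ax[i]
        S = SQR_TABLE_LOW[w & 0xff] ^ (SQR_TABLE_LOW[(w >> 8) & 0xff] << 16)
        C = SQR_TABLE_LOW[(w >> 16) & 0xff] ^ (SQR_TABLE_LOW[(w >> 24) & 0xff] << 16)
        tmp[2 * i], tmp[2 * i + 1] = S, C
    return tmp

def words_to_int(words):
    """Little-endian 32-bit words -> one int (bit i = coefficient of x^i)."""
    return sum(w << (32 * i) for i, w in enumerate(words))

def int_to_words(n, wlen):
    """Inverse of words_to_int, padded/truncated to wlen words."""
    return [(n >> (32 * i)) & 0xffffffff for i in range(wlen)]

def reduce_mod(c, p, m):
    """Bit-serial reduction of c(x) modulo the degree-m polynomial p(x):
    cancel the leading term with a shifted copy of p until deg c < m."""
    while c.bit_length() > m:
        c ^= p << (c.bit_length() - 1 - m)
    return c

def gf_square(a, p, m, wlen):
    """Modular square: table squaring (step 1) then reduction (step 2)."""
    c = words_to_int(square_words(int_to_words(a, wlen), wlen))
    return reduce_mod(c, p, m)
```

For the slides' GF(2^4), gf_square(0b1111, 0b10011, 4, 1) gives 0b1010, which agrees with the discrete log table: (1111) = α^12, and α^24 = α^9 = (1010).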


Second step: reduction

Problem: Given the polynomial product C(x) with at most 2m - 1 coordinates, obtain the modular product C' with m coordinates, using the generating irreducible polynomial P(x):

  C'(x) = C(x) mod P(x).

Notice that since we are interested in the polynomial remainder of the above equation, we can safely add any multiple of P(x) to C(x) without altering the desired result. This simple observation suggests the following algorithm that can reduce k bits of the polynomial product C at once.


Second step: reduction

Let us assume that the m + 1 and 2m - 1 coordinates of P(x) and C(x), respectively, are distributed as follows:

  P = (p_m p_{m-1} ... p_1 p_0),
  C = (c_{2m-2} c_{2m-3} ... c_{2m-k-1} c_{2m-k-2} ... c_1 c_0).

Then, there always exists a k-bit constant scalar S, such that

  S · P = (c_{2m-2} c_{2m-3} ... c_{2m-k-1} p'_{m-1} ... p'_1 p'_0),

where 0 < k < m. Notice that all the k MSB of SP become identical to the corresponding ones of the number C. By left shifting the number SP exactly Shift = 2m - 2 - k - 1 positions, we effectively reduce the number in C by k bits.

Software reduction implementation

[Figure: word-level layout of the reduction. The 2m - 1 coordinates of C are held in pwlen 32-bit words C[0] ... C[pwlen-1]; the m modular coordinates occupy the low wlen words (wlen = ⌈m/w⌉, w = 32), and each n-bit chunk C[pwlen-i] above them is folded into C[pwlen-wlen+shiftn]. Operation counts from the figure: addition operations < 4 wlen; SHIFT operations < 4 wlen; comparisons = 2 wlen.]
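The two-step modular product of the "Two-step Multipliers" slide together with the k-bit reduction idea of the last slides, as an added Python example that is not part of the original slides. Step 1 is the schoolbook product with 2m - 1 coordinates; step 2 uses the observation that any multiple S(x)P(x) can be added to C(x): a small table, indexed by the k most significant bits of C, returns the k-bit scalar S whose multiple cancels them in one step. Polynomials are Python ints (bit i = coefficient of x^i); the function names, the choice of k and the extra polynomials used in the checks are mine.

```python
# Added example (not from the slides): modular product in two steps,
# polynomial product then reduction, reducing k bits of C(x) at a time.

def poly_mul(a, b):
    """Step 1: carry-less schoolbook product in GF(2)[x], degree <= 2m-2."""
    c = 0
    while b:
        if b & 1:
            c ^= a
        a <<= 1
        b >>= 1
    return c

def reduce_bitwise(c, p, m):
    """Step 2, one bit at a time: cancel the leading term with a shifted P(x)."""
    while c.bit_length() > m:
        c ^= p << (c.bit_length() - 1 - m)
    return c

def scalar_table(p, m, k):
    """For every k-bit scalar S, take the k most significant coefficients of
    S(x)P(x) (degrees m .. m+k-1) and invert that map: given the top k bits
    of C, table[...] is the S whose multiple cancels exactly those bits.
    The map is triangular with a unit diagonal (P is monic), so it is 1-to-1."""
    mask = (1 << k) - 1
    table = [0] * (1 << k)
    for s in range(1 << k):
        top = (poly_mul(s, p) >> m) & mask
        table[top] = s
    return table

def reduce_k_bits(c, p, m, k):
    """Step 2, k bits at a time.  While C still has a full k-bit chunk above
    degree m-1, one lookup and one XOR of the shifted S(x)P(x) removes it;
    whatever is left (fewer than k bits) is finished bit-serially."""
    table = scalar_table(p, m, k)
    mask = (1 << k) - 1
    while c.bit_length() - 1 >= m + k - 1:
        d = c.bit_length() - 1            # current degree of C
        shift = d - (m + k - 1)           # align the top of S(x)P(x) with c_d
        chunk = (c >> (d - k + 1)) & mask # the k MSB of C
        c ^= poly_mul(table[chunk], p) << shift
    return reduce_bitwise(c, p, m)

def gf_mulmod(a, b, p, m, k=4):
    """Modular product C'(x) = A(x)B(x) mod P(x) via both steps."""
    return reduce_k_bits(poly_mul(a, b), p, m, k)
```

For the slides' example, poly_mul(0b1101, 0b1001) is x^6 + x^5 + x^2 + 1 and reduce_k_bits with k = 2 cancels x^6 + x^5 with a single multiple of f(x) = x^4 + x + 1, leaving (1111). The reduction does not require P(x) to be irreducible, so the checks below also compare both reducers on an 8-bit polynomial whose coefficient p_{m-1} is 1, where the table is no longer the identity.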

Squaring: Polynomial Multiplication Step, FPGA Implementation [by Nazar Saqib]

[Figure: for A = a_3 x^3 + a_2 x^2 + a_1 x + a_0 the squarer outputs A^2 = a_3 x^6 + a_2 x^4 + a_1 x^2 + a_0 by wiring each input bit to the even output position; e.g. A = 1111 gives A^2 = 1010101.]


Squaring: Reduction Step, FPGA Implementation [by Nazar Saqib]


Full Parallel Multipliers over GF(2^m)


Modular multiplication for software applications

1. Polynomial multiplication:
   - Look-up tables
   - Karatsuba
   - Karatsuba/Look-up tables

2. Reduction step:
   - Standard reduction
     - trinomials & pentanomials
     - General irreducible polynomials
   - Montgomery reduction
     - trinomials & pentanomials
     - General irreducible polynomials

[Figure: tree of software modular multiplication methods with the branches listed above.]


Polynomial multiplication: classical algorithm

[Figure: schoolbook multiplication array for A = Σ a_i x^i and B = Σ b_j x^j. Row j holds b_j · A shifted j positions; the columns are summed modulo 2 to give the product coordinates]

  c_k = Σ_{i+j=k} a_i b_j (mod 2),   k = 0, 1, ..., 2m - 2,

so that C = A · B = c_{2m-2} x^{2m-2} + ... + c_1 x + c_0.

  AND gates  = m^2
  XOR gates  = (m - 1)^2
  Time delay = T_A + ⌈log_2 m⌉ T_X

Polynomial multiplication: Karatsuba Multipliers

Karatsuba's algorithm is based on the idea that the polynomial product C = AB can be written as,

  C = x^m C_H + C_L
    = x^m A_H B_H + (A_H B_L + A_L B_H) x^{m/2} + A_L B_L
    = x^m A_H B_H + [(A_H + A_L)(B_H + B_L) + A_H B_H + A_L B_L] x^{m/2} + A_L B_L.

It can be computed with 3 poly mults and 4 poly additions.

Best results obtained by using a combination of classic and Karatsuba strategies.

By using this idea recursively, one can obtain O(m^{log_2 3}) space complexities.


2^k n-bit Karatsuba Multipliers


2^k n-bit Karatsuba Multipliers

There are some asymptotically faster methods for polynomial multiplications, such as the Karatsuba-Ofman algorithm. Discovered in 1962, it was the first algorithm able to accomplish polynomial multiplication under O(m^2) operations.

Karatsuba's algorithm is based on the idea that, writing

  A = x^{m/2} A_H + A_L;   B = x^{m/2} B_H + B_L;

the polynomial product C = AB can be written as,

  C = x^m C_H + C_L
    = x^m A_H B_H + (A_H B_L + A_L B_H) x^{m/2} + A_L B_L
    = x^m A_H B_H + [(A_H + A_L)(B_H + B_L) + A_H B_H + A_L B_L] x^{m/2} + A_L B_L.




2^k n-bit Karatsuba Multipliers

The last equation can be carried out at the cost of only 3 polynomial multiplications and four polynomial additions.

Of course, the Karatsuba strategy can be applied recursively to the three polynomial multiplications of the last equation.

By applying this strategy recursively, it is possible to achieve a polynomial complexity of O(m^{log_2 3}).

Best results can be obtained by combining the classical method with the Karatsuba strategy.

February 2000

Francisco Rodríguez Henríquez

Procedure Kmul2^k(C, A, B)

Input: Two elements A, B ∈ GF(2^m) with m = rn = 2^k n, and where A, B can be expressed as,

  A = x^{m/2} A_H + A_L,   B = x^{m/2} B_H + B_L.

Output: A polynomial C = AB with up to 2m - 1 coordinates, where C = x^m C_H + C_L.

  0.  begin
  1.    if (r == 1) then
  2.      C = mul_n(A, B);
  3.      return;
  4.    for i from 0 to r/2 - 1 do
  5.      M_{A_i} = A_{L_i} + A_{H_i};
  6.      M_{B_i} = B_{L_i} + B_{H_i};
  7.    end
  8.    mul2^{k-1}(C_L, A_L, B_L);
  9.    mul2^{k-1}(M, M_A, M_B);
  10.   mul2^{k-1}(C_H, A_H, B_H);
  11.   for i from 0 to r - 1 do
  12.     M_i = M_i + C_{L_i} + C_{H_i};
  13.   end
  14.   for i from 0 to r - 1 do
  15.     C_{r/2 + i} = C_{r/2 + i} + M_i;
  16.   end
  17. end

Here the indices run over n-bit words: A_L, A_H, B_L, B_H and M have r/2 words each, C has 2r words (C_L in words 0 .. r-1, C_H in words r .. 2r-1), and mul_n is the classical n-bit multiplier.
2^k n-bit Karatsuba Multipliers

It can be shown that the space and time complexities of an m = 2^k n-bit Karatsuba multiplier combined with a classical method are given as,

  AND gates  = (m/n)^{log_2 3} n^2;
  XOR gates  = (m/n)^{log_2 3} (n^2 + 6n - 1) - 8m + 2;
  Time delay = T_A + (⌈log_2 n⌉ + 4k) T_X.

Space and Time complexities

  m     r     n    AND gates   XOR gates   Time delay      Area (NAND units)
  1     1     1    1           0           T_A             1.26
  2     1     2    4           1           T_X + T_A       7.2
  4     1     4    16          9           2T_X + T_A      40.0
  8     2     4    48          55          6T_X + T_A      181.5
  16    4     4    144         225         10T_X + T_A     676.4
  32    8     4    432         799         14T_X + T_A     2302.1
  64    16    4    1296        2649        18T_X + T_A     7460.8
  128   32    4    3888        8455        22T_X + T_A     23499.9
  256   64    4    11664       26385       26T_X + T_A     72743.6
  512   128   4    34992       81199       30T_X + T_A     222727.7


Space complexity of hybrid Karatsuba multipliers for arbitrary m using n = 1, 2, 3

[Figure: two plots of gate count against m (m up to 500): number of XOR gates (scale x 10^4) and number of AND gates (scale x 10^4), each with one curve for n = 1, n = 2 and n = 3.]

Binary Karatsuba Multipliers

Binary Karatsuba Multipliers

Problem: Find an efficient Karatsuba strategy for the multiplication of two polynomials A, B ∈ GF(2^m), such that m = 2^k + d, d ≥ 0.

Basic Idea: Pretend that both operands are polynomials with degree m' = 2^(k+1), and use the normal Karatsuba approach for two of the three required polynomial multiplications, i.e., given

  A = x^{2^k} A_H + A_L;   B = x^{2^k} B_H + B_L;   (m'/2 = 2^k)

  C = x^{m'} C_H + C_L
    = x^{m'} A_H B_H + (A_H B_L + A_L B_H) x^{2^k} + A_L B_L
    = x^{m'} A_H B_H + [(A_H + A_L)(B_H + B_L) + A_H B_H + A_L B_L] x^{2^k} + A_L B_L.

Binary Karatsuba Multipliers

Compute the two 2^k-bit polynomial multiplications:

  M_L = A_L B_L   and   M = (A_L + A_H)(B_L + B_H);

while the remaining d-bit polynomial multiplication A_H B_H can be computed using a d-bit binary Karatsuba multiplier in a recursive manner (since the leftover d bits can be expressed as d = 2^{k_1} + d_1, with k' = ⌊log_2 d⌋).

Binary Karatsuba Multipliers

The above outlined strategy yields a Binary Karatsuba scheme where the Hamming weight of the original m will determine the number of recursive iterations to be used by the algorithm.



An Example

An Example

As a design example, let us consider the polynomial multiplication of the elements A and B ∈ GF(2^193). Since (193)_2 = 11000001, the Hamming weight of m is h = 3.

This will imply that we need a total of three iterations in order to compute the multiplication using the generalized m-bit binary Karatsuba multiplier. Additionally we notice that for this case, m = 193 = 2^7 + 65.
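Both Karatsuba schemes of the preceding slides, the 2^k n-bit hybrid procedure Kmul2^k (classical multiplication once the pieces are n bits) and the binary Karatsuba scheme for m = 2^k + d, as an added Python example that is not part of the original slides. Polynomials are Python ints (bit i = coefficient of x^i); the threshold n = 8, the function names and the seeded sample operands are my choices, and the example checks the slides' claim that the recursion depth for m = 193 equals the Hamming weight 3.

```python
# Added example (not from the slides): hybrid 2^k n-bit Karatsuba and binary
# Karatsuba polynomial multiplication over GF(2)[x].
import random

def classical_mul(a, b):
    """Schoolbook (classical) product: XOR of a shifted by every set bit of b."""
    c = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            c ^= a << i
    return c

def karatsuba_pow2(a, b, size, n=8):
    """Kmul2^k: operands of size = 2^k n bits are halved until n bits remain,
    then multiplied classically.  Three half-size products, four additions."""
    if size <= n:
        return classical_mul(a, b)
    half = size // 2
    mask = (1 << half) - 1
    a_l, a_h = a & mask, a >> half          # A = x^half A_H + A_L
    b_l, b_h = b & mask, b >> half
    ll = karatsuba_pow2(a_l, b_l, half, n)                # A_L B_L
    hh = karatsuba_pow2(a_h, b_h, half, n)                # A_H B_H
    mid = karatsuba_pow2(a_l ^ a_h, b_l ^ b_h, half, n)   # (A_L+A_H)(B_L+B_H)
    # C = x^size A_H B_H + [mid + A_H B_H + A_L B_L] x^half + A_L B_L
    return (hh << size) ^ ((mid ^ hh ^ ll) << half) ^ ll

def binary_karatsuba(a, b, m, n=8, levels=None):
    """Binary Karatsuba for m = 2^k + d: A_L, B_L hold the low 2^k bits and
    A_H, B_H the remaining d bits.  The two 2^k-bit products use
    karatsuba_pow2; the d-bit product A_H B_H recurses with d = 2^k1 + d1."""
    if levels is not None:
        levels.append(m)                    # record one recursion level
    if m & (m - 1) == 0:                    # m already a power of two
        return karatsuba_pow2(a, b, m, n)
    k = m.bit_length() - 1
    half = 1 << k                           # largest power of two below m
    d = m - half                            # 0 < d < 2^k
    mask = (1 << half) - 1
    a_l, a_h = a & mask, a >> half
    b_l, b_h = b & mask, b >> half
    ll = karatsuba_pow2(a_l, b_l, half, n)
    mid = karatsuba_pow2(a_l ^ a_h, b_l ^ b_h, half, n)   # sums fit in 2^k bits
    hh = binary_karatsuba(a_h, b_h, d, n, levels)
    return (hh << (2 * half)) ^ ((mid ^ hh ^ ll) << half) ^ ll

def iteration_count(m):
    """Recursion levels used for m-bit operands: equals the Hamming weight of
    m, as the slides observe (193 = 11000001b -> 3 levels: 193, 65, 1)."""
    levels = []
    binary_karatsuba(0, 0, m, levels=levels)
    return len(levels)

def sample_operands(m, seed=1):
    """Constructed (seeded) m-bit operands with the top bit set, for checks."""
    rng = random.Random(seed)
    return (rng.getrandbits(m) | (1 << (m - 1)),
            rng.getrandbits(m) | (1 << (m - 1)))
```

Every result is checked against classical_mul, which is the ground truth for the polynomial product; the gate counts and delays tabulated on the slides are properties of the hardware circuit and are not reproduced by this software model.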


193-bit binary Karatsuba Multiplier

  XOR gates  = 20524
  AND gates  = 9201
  Time delay = 13.5 ns

An Example

Where we have assumed that the above circuit has been implemented using a 1.2 µm CMOS technology, where the time delays associated to the AND and XOR logic gates are given as T_A ≈ T_X = 0.5 ns.

Next slide shows a comparison between the proposed binary Karatsuba approach and the more traditional hybrid approach discussed previously.


Field Multiplication

Preliminary results yield a time delay of 50-70 µs and roughly 9K slices of hardware resources utilization.


Binary and hybrid Karatsuba multipliers' area complexity

[Figure: combined space complexity (scale x 10^5) against m, from 50 to 500, with one curve for the hybrid Karatsuba multiplier and one for the binary Karatsuba multiplier.]

Second step: reduction

Problem: Given the polynomial product C(x) with at most 2m - 1 coordinates, obtain the modular product C' with m coordinates, using the generating irreducible polynomial P(x):

  C'(x) = C(x) mod P(x).

The computational complexity of the reduction operation is linearly proportional to the Hamming weight (the number of nonzero terms) of the generating irreducible polynomial.


Field multipliers using special irreducible polynomials

Field multipliers:
  Equally-spaced polynomials: they exist for only 81 degrees m less than 1024 (about 8%).
  Trinomials: they exist for only 468 degrees m less than 1024 (about 45%).
  Pentanomials: there exists at least one for any degree m > 3.

Performance criteria and element representation

The most important measures of the performance for software implementations of the arithmetic operations in the Galois field GF(2^m) are:

  the total time required for execution (speed), and
  the amount of memory required for the algorithm (memory requirements).

Standard reduction for trinomials and pentanomials

[Figure: the same word-level reduction layout as on the software reduction implementation slide. C is held in pwlen 32-bit words; the m modular coordinates occupy the low wlen words (wlen = ⌈m/w⌉, w = 32), and each chunk C[pwlen-i] above them is folded into C[pwlen-wlen+shiftn]. Addition operations < 4 wlen; SHIFT operations < 4 wlen; comparisons = 2 wlen.]

Exercises

0) Consider the polynomial f(x) [its expression did not survive extraction]. Find if F = GF(5^5), constructed using f as a generating polynomial, is a field or not.

1) Consider the polynomial

  P(x) = x^6 + x^5 + x^4 + x^2 + 1.

  a) Show that P(x) forms a field in GF(2^m).
  b) Find whether α, a root of P(x), is a primitive root or not.
  c) Find a primitive element in the field.

Exercises

2) Consider the polynomial

  P(x) = x^6 + x^5 + x^4 + x + 1.

  a) Show that P(x) forms a field in GF(2^m).
  b) Is P(x) a primitive polynomial?
  c) Find α^47 as a polynomial of degree less than or equal to 5.
  d) Find the positive number k that satisfies:

    α^k = α^4 + α^3 + 1.