Another Look at Inversions over Binary Fields, Vassil Dimitrov and Kimmo Järvinen (PowerPoint presentation)

SLIDE 1

Another Look at Inversions over Binary Fields

Vassil Dimitrov (1), Kimmo Järvinen (2)

(1) Department of Electrical and Computer Engineering, University of Calgary, Canada

(2) Department of Information and Computer Science, Aalto University, School of Science, Finland

SLIDE 2

Vassil Dimitrov and Kimmo Järvinen Another Look at Inversions over Binary Fields 2/23

Inversion with Fermat's Little Theorem

◮ Multiplicative inverse: given $A \neq 0 \in GF(2^m)$, find $A^{-1}$ such that $A^{-1} \cdot A = 1$

◮ $A^{2^m - 1} = 1$ for all $A \neq 0 \in GF(2^m)$ ⇒ $A^{-1} = A^{2^m - 2}$

◮ $A^{2^m - 2} = A^{2(2^{m-1} - 1)} = A^{2(1 + 2 + 2^2 + \dots + 2^{m-2})}$

Standard exponentiation

$A^{2(1 + 2 + 2^2 + \dots + 2^{m-2})} = B \cdot B^2 \cdot B^{2^2} \cdots B^{2^{m-2}}$ where $B = A^2$

◮ $m - 2$ multiplications ◮ $m - 1$ squarings

SLIDE 3

Itoh-Tsujii

Introduced by Itoh and Tsujii in 1988

$1 + 2 + \dots + 2^{m-2} = (1 + 2)(1 + 2^2 + \dots + 2^{m-3})$ if $m - 1$ is even,
$1 + 2 + \dots + 2^{m-2} = 1 + 2(1 + 2)(1 + 2^2 + \dots + 2^{m-4})$ if $m - 1$ is odd.

Example

$GF(2^{31})$: $1 + 2 + \dots + 2^{29} = (1 + 2)(1 + 2^2(1 + 2^2)(1 + 2^4(1 + 2^4)(1 + 2^8(1 + 2^8))))$ ⇒ 7 multiplications, 30 squarings

In general

◮ $\lfloor \log(m - 1) \rfloor + H(m - 1) - 1$ multiplications, where $H$ is the Hamming weight ◮ $m - 1$ squarings
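The two exponentiation strategies of slides 2 and 3, as an added example that is not the authors' code: a small polynomial-basis GF(2^m) class with operation counters, the straightforward Fermat product B · B^2 · ... · B^(2^(m-2)), and the Itoh-Tsujii chain (in its classic form, which splits 1 + ... + 2^(k-1) as (1 + 2^(k/2))(1 + ... + 2^(k/2-1)) for even k; it has the same multiplication and squaring counts as the slide's variant). It assumes the irreducible trinomial x^31 + x^3 + 1 for GF(2^31) and the NIST B-163 polynomial x^163 + x^7 + x^6 + x^3 + 1; the element values used for checking are constructed samples.

```python
# Added example (not the authors' code): Fermat and Itoh-Tsujii inversion over GF(2^m) in
# polynomial basis, with operation counters to confirm the counts on slides 2 and 3.
# Elements are Python ints: bit i holds the coefficient of x^i.

POLY_31 = (1 << 31) | (1 << 3) | 1                          # x^31 + x^3 + 1 (irreducible trinomial)
POLY_163 = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # NIST B-163: x^163 + x^7 + x^6 + x^3 + 1


class BinaryField:
    """GF(2^m) = GF(2)[x] / (p(x)) with multiplication and squaring counters."""

    def __init__(self, m, poly):
        self.m, self.poly = m, poly
        self.muls = self.sqrs = 0

    def reset(self):
        self.muls = self.sqrs = 0

    def reduce(self, c):
        # c has degree < 2m; clear the high bits from the top down with shifted copies of p(x)
        for i in range(2 * self.m - 2, self.m - 1, -1):
            if c >> i & 1:
                c ^= self.poly << (i - self.m)
        return c

    def mul(self, a, b):
        self.muls += 1
        c = 0
        while b:                      # carry-less (GF(2)) schoolbook product
            if b & 1:
                c ^= a
            a <<= 1
            b >>= 1
        return self.reduce(c)

    def sqr(self, a):
        self.sqrs += 1
        c = 0
        for i in range(self.m):       # (sum a_i x^i)^2 = sum a_i x^(2i) over GF(2)
            if a >> i & 1:
                c |= 1 << (2 * i)
        return self.reduce(c)

    def sqr_n(self, a, n):
        for _ in range(n):
            a = self.sqr(a)
        return a


def fermat_inverse(F, a):
    """A^-1 = A^(2^m - 2) = B * B^2 * ... * B^(2^(m-2)) with B = A^2 (slide 2)."""
    b = F.sqr(a)
    acc = power = b
    for _ in range(F.m - 2):
        power = F.sqr(power)          # B^(2^j)
        acc = F.mul(acc, power)
    return acc


def itoh_tsujii_inverse(F, a):
    """A^-1 = (A^(2^(m-1) - 1))^2, the exponent 1 + ... + 2^(m-2) split recursively (slide 3)."""
    def power_2k_minus_1(k):          # returns A^(2^k - 1)
        if k == 1:
            return a
        if k % 2 == 0:                # 1 + ... + 2^(k-1) = (1 + 2^(k/2)) (1 + ... + 2^(k/2 - 1))
            t = power_2k_minus_1(k // 2)
            return F.mul(t, F.sqr_n(t, k // 2))
        t = power_2k_minus_1(k - 1)   # 1 + ... + 2^(k-1) = 1 + 2 (1 + ... + 2^(k-2))
        return F.mul(a, F.sqr(t))
    return F.sqr(power_2k_minus_1(F.m - 1))


def it_multiplications(m):
    """Closed form from slide 3: floor(log2(m-1)) + H(m-1) - 1, H = Hamming weight."""
    k = m - 1
    return (k.bit_length() - 1) + bin(k).count("1") - 1


def inverse_with_counts(F, method, a):
    """Run an inversion method from a clean counter state; returns (A^-1, #mul, #sqr)."""
    F.reset()
    inv = method(F, a)
    return inv, F.muls, F.sqrs


if __name__ == "__main__":
    F = BinaryField(31, POLY_31)
    a = 0x1234567                     # constructed sample element
    for method in (fermat_inverse, itoh_tsujii_inverse):
        inv, muls, sqrs = inverse_with_counts(F, method, a)
        print(f"{method.__name__}: {muls} multiplications, {sqrs} squarings, "
              f"A * A^-1 = {F.mul(a, inv)}")
```

For GF(2^31) the counters give 29 multiplications and 30 squarings for the Fermat product against 7 and 30 for Itoh-Tsujii; for GF(2^163) Itoh-Tsujii needs 9 multiplications and 162 squarings, matching the slide's formula and the figures quoted later for the NIST field.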

SLIDE 4

Matrix Polynomial $I + A + A^2 + \dots + A^{N-1}$

◮ A problem that has significance in graph theory and signal processing

◮ Minimize the number of matrix multiplications in computing $G(N, A) = I + A + A^2 + \dots + A^{N-1}$

Dimitrov and Cooklev (1995):

$G(N, A) = (I + A + A^2) \cdot G(\lfloor N/3 \rfloor, A^3)$ if $N \equiv 0$ or $3 \pmod 6$
$G(N, A) = I + (A + A^2 + A^3) \cdot G(\lfloor N/3 \rfloor, A^3)$ if $N \equiv 1$ or $4 \pmod 6$
$G(N, A) = (I + A) \cdot G(\lfloor N/2 \rfloor, A^2)$ if $N \equiv 2 \pmod 6$
$G(N, A) = I + (A + A^2) \cdot G(\lfloor N/2 \rfloor, A^2)$ if $N \equiv 5 \pmod 6$

SLIDE 5

The New Algorithm

Idea

Use the same approach for $1 + 2 + 2^2 + \dots + 2^{m-2}$, but try to minimize the number of additions (which imply multiplications in an inversion).

Double-base with bases {2, 3}:

$1 + 2 + \dots + 2^{m-2} = (1 + 2 + 2^2) \cdot (1 + 2^3 + 2^6 + \dots + 2^{m-4})$ if $m - 1 \equiv 0, 3 \pmod 6$
$1 + 2 + \dots + 2^{m-2} = (1 + 2) \cdot (1 + 2^2 + 2^4 + \dots + 2^{m-3})$ if $m - 1 \equiv 2, 4 \pmod 6$
$1 + 2 + \dots + 2^{m-2} = 1 + (2 + 2^2) \cdot (1 + 2^2 + 2^4 + \dots + 2^{m-4})$ if $m - 1 \equiv 1, 5 \pmod 6$

For the triple-base version with bases {2, 3, 5}, we extend this with:

$1 + 2 + \dots + 2^{m-2} = ((1 + 2)(1 + 2^2) + 2^4)(1 + 2^5 + \dots + 2^{m-6})$ if $m - 1 \equiv 0 \pmod 5$

SLIDE 6

The New Algorithm vs. Itoh-Tsujii

Average number of multiplications:

◮ $1.5 \log(m - 1)$ for IT
◮ $1.42 \log(m - 1)$ for {2, 3}
◮ $1.39 \log(m - 1)$ for {2, 3, 5}

For fields $GF(2^m)$, $1 \le m \le 1023$:

◮ 18 (1.8 %): {2, 3} is the best
◮ 109 (10.7 %): {2, 3, 5} is the best
◮ 387 (37.8 %): {2, 3} and {2, 3, 5} are the best
◮ 79 (7.7 %): IT is the best
◮ 430 (42.0 %): all are equally good

⇒ We are better for 50.2 % and worse for 7.7 % of the cases

SLIDE 7

The NIST Fields

Number of multiplications per inversion:

Field                                 GF(2^163)  GF(2^233)  GF(2^283)  GF(2^409)  GF(2^571)
Itoh-Tsujii                               9         10         11         11         13
The best from both {2, 3} and {2, 3, 5}   9         10         12         10         12

SLIDE 8

Some Other Practical Implications

Fewer multiplications (even by one) make a large difference and, therefore, practically all work so far has concentrated on them. Although multiplications usually dominate the cost of an inversion, other aspects should not be overlooked:

◮ Temporary variables
◮ Squarings

SLIDE 9

Temporary Variables

SLIDE 10

How Are Inversions Computed?

$GF(2^{31})$: $A^{-1} = A^{2^{31} - 2} = A^{2(2^{30} - 1)} = A^{2(1 + 2 + \dots + 2^{29})}$

$1 + 2 + \dots + 2^{29} = (1 + 2 + 2^2)(1 + 2^3)(1 + 2^6(1 + 2^6)(1 + 2^{12}))$

(The slide builds the inversion up step by step; $B \ll s$ denotes the $s$-fold squaring of $B$, which in normal basis is a cyclic shift by $s$, see slide 21.)

1: B ← A ≪ 1
2: C ← B ≪ 1
3: B ← B × C
4: B ← B × (C ≪ 1)
5: B ← B × (B ≪ 3)
6: C ← B
7: B ← B × (B ≪ 6)
8: B ← B × (B ≪ 12)
9: B ← C × (B ≪ 6)
10: return B = $A^{-1}$

SLIDE 15

Number of Variables

Term                                         Variables needed
$(1 + 2^k)$                                  no additional variables
$(1 + 2^k + 2^{2k})$                         one short-time variable
$((1 + 2^k)(1 + 2^{2k}) + 2^{4k})$           one short-time variable
$1 + 2^k(1 + 2^k)$                           one long-time variable

⇒ For IT, the number of variables $V$ is the number of $1 + 2^k(1 + 2^k)$ terms, i.e. $V = H(m - 1) - 1$.

⇒ For us, $V$ is the number of $1 + 2^k(1 + 2^k)$ terms in the decomposition, plus one if there is at least one $(1 + 2^k + 2^{2k})$ or $((1 + 2^k)(1 + 2^{2k}) + 2^{4k})$ term after the last $1 + 2^k(1 + 2^k)$ term.

⇒ The average number of long-time variables is $0.5 \log(m - 1)$ for IT and about $0.339 \log(m - 1)$ for us.
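The exponent decompositions behind slides 3, 5, 10 and 15 in one place, as an added example that is not the authors' code. A decomposition is a list of factors, outermost first, and from it the code derives the multiplication count, the long-time variable count $V$ as defined on slide 15, the step sequence of slide 10 in the slides' own notation, and the repeated-squaring exponent sequence $E$ that slide 24 tabulates. The rules are those printed on slides 3 and 5; where the {2, 3, 5} version can apply both the $k \equiv 0 \pmod 5$ rule and a mod-6 rule, this code keeps whichever needs fewer multiplications, which is my tie-break, not something the slides state. The squaring schedule assumed for the five-term factor is likewise mine.

```python
# Added example (not the authors' code): exponent decompositions of 1 + 2 + ... + 2^(m-2)
# for Itoh-Tsujii (slide 3) and the double-/triple-base algorithm (slide 5), with the
# multiplication count, the long-time variable count of slide 15 and the exponent sequence E
# of slide 24. A decomposition is a list of factors, outermost first; b is the shift in 2^b:
#   ('P', b): (1 + 2^b)                          1 multiplication, no extra variable
#   ('T', b): (1 + 2^b + 2^(2b))                 2 multiplications, one short-time variable
#   ('F', b): ((1 + 2^b)(1 + 2^(2b)) + 2^(4b))   3 multiplications, one short-time variable
#   ('L', b): 1 + 2^b (1 + 2^b) * [rest]         2 multiplications, one long-time variable

MULS = {'P': 1, 'T': 2, 'F': 3, 'L': 2}


def itoh_tsujii(k, b=1):
    """Split 1 + x + ... + x^(k-1), x = 2^b, with the two Itoh-Tsujii rules of slide 3."""
    if k == 1:
        return []
    if k % 2 == 0:
        return [('P', b)] + itoh_tsujii(k // 2, 2 * b)
    return [('L', b)] + itoh_tsujii((k - 1) // 2, 2 * b)


def multiplications(f):
    return sum(MULS[kind] for kind, _ in f)


def double_base(k, b=1, bases=(2, 3)):
    """Split with the {2,3} rules of slide 5, keyed on k mod 6. With bases (2,3,5) the
    five-term rule is also tried when 5 | k and the variant with fewer multiplications is
    kept (my tie-break; the slides do not say how the rules are prioritised)."""
    if k == 1:
        return []
    r = k % 6
    if r in (0, 3):
        best = [('T', b)] + double_base(k // 3, 3 * b, bases)
    elif r in (2, 4):
        best = [('P', b)] + double_base(k // 2, 2 * b, bases)
    else:
        best = [('L', b)] + double_base((k - 1) // 2, 2 * b, bases)
    if 5 in bases and k % 5 == 0:
        alt = [('F', b)] + double_base(k // 5, 5 * b, bases)
        if multiplications(alt) < multiplications(best):
            best = alt
    return best


def value(f):
    """Integer value of the decomposed exponent; must equal 2^(m-1) - 1."""
    if not f:
        return 1
    (kind, b), rest = f[0], value(f[1:])
    x = 1 << b
    if kind == 'P':
        return (1 + x) * rest
    if kind == 'T':
        return (1 + x + x * x) * rest
    if kind == 'F':
        return ((1 + x) * (1 + x * x) + x ** 4) * rest
    return 1 + x * (1 + x) * rest


def render(f):
    """The factorisation written in the notation of the slides."""
    if not f:
        return ''
    (kind, b), inner = f[0], render(f[1:])
    p = lambda e: '2' if e == 1 else f'2^{e}'
    if kind == 'P':
        return f'(1+{p(b)}){inner}'
    if kind == 'T':
        return f'(1+{p(b)}+{p(2 * b)}){inner}'
    if kind == 'F':
        return f'((1+{p(b)})(1+{p(2 * b)})+{p(4 * b)}){inner}'
    return f'(1+{p(b)}(1+{p(b)}){inner})'


def long_time_variables(f):
    """Slide 15: one per L term, plus one if a short-time factor (T or F) sits inside the last L term."""
    kinds = [kind for kind, _ in f]
    last_l = max((i for i, kind in enumerate(kinds) if kind == 'L'), default=-1)
    extra = any(kind in ('T', 'F') for kind in kinds[last_l + 1:])
    return kinds.count('L') + (1 if extra else 0)


def exponents(f):
    """Sequence E of repeated-squaring exponents, outermost factor first, with the leading
    A^2 of A^(2(2^(m-1)-1)) performed first. The schedule b, 2b, 4b for F is my assumption."""
    def walk(g):
        if not g:
            return []
        (kind, b), rest = g[0], g[1:]
        if kind == 'P':
            return [b] + walk(rest)
        if kind == 'T':
            return [b, b] + walk(rest)
        if kind == 'F':
            return [b, 2 * b, 4 * b] + walk(rest)
        return [b] + walk(rest) + [b]    # L: inner (1 + 2^b), nested part, closing shift
    return [1] + walk(f)


def nist_best(m):
    """Multiplication count 'best from both {2,3} and {2,3,5}' as tabulated on slide 7."""
    return min(multiplications(double_base(m - 1)),
               multiplications(double_base(m - 1, bases=(2, 3, 5))))


if __name__ == "__main__":
    for m in (31, 163, 233, 283, 409, 571):
        it, ours = itoh_tsujii(m - 1), double_base(m - 1, bases=(2, 3, 5))
        print(f"GF(2^{m}): IT {multiplications(it)} mul, V={long_time_variables(it)}; "
              f"ours {nist_best(m)} mul, V={long_time_variables(ours)}")
    print(render(double_base(30)), exponents(double_base(30)))
```

For GF(2^31) `render(double_base(30))` reproduces the factorisation of slide 10 and `exponents` gives the shifts 1, 1, 1, 3, 6, 12, 6 used in its ten steps, with one long-time variable against three for Itoh-Tsujii; for the five NIST fields the counts agree with the table on slide 7.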

SLIDE 16

Results

[plot: number of temporary variables (1 to 9) against m (100 to 1000) for IT and for our algorithm]

SLIDE 17

Results (cont.)

[plot: difference in the number of variables (−6 to 6) against m (100 to 1000), with the regions labelled "Our is better" and "IT is better"]

SLIDE 18

Summary

◮ We save on average one variable for $GF(2^m)$, $1 \le m \le 1023$

◮ For some fields we save 5 variables and for some we lose by 2

◮ The fields for which we are losing are always those for which we need more multiplications

SLIDE 19

Squarings

SLIDE 20

Motivation

Example

An inversion over $GF(2^{163})$ requires:

◮ 9 multiplications and
◮ 162 squarings.

Modern HW implementations of ECC use fast multipliers, and squarings start to dominate:

◮ M = 163 ⇒ squarings take 10% of the time (162 vs. 1467)
◮ M = 15 ⇒ squarings take 55% of the time (162 vs. 135)
◮ M = 4 ⇒ squarings take 82% of the time (162 vs. 36)
◮ M = 1 ⇒ squarings take 95% of the time (162 vs. 9)

OK, but the number of squarings is $m - 1 = 162$ for both IT and the new algorithm.

SLIDE 21

Squarings

Normal Basis

An element $A \in GF(2^m)$ is given by $A = \sum_{i=0}^{m-1} a_i \beta^{2^i}$. Then $A^{2^s} = A \ll s$ (cyclic shift).

Polynomial Basis

An element $A \in GF(2^m)$ is given by $A = \sum_{i=0}^{m-1} a_i x^i$. Then $A^2 = \sum_{i=0}^{m-1} a_i x^{2i} \bmod p(x)$ and

$A^{2^s} = \begin{pmatrix} 1 & q^{(s)}_{0,1} & \dots & q^{(s)}_{0,m-1} \\ 0 & q^{(s)}_{1,1} & \dots & q^{(s)}_{1,m-1} \\ \vdots & \vdots & \ddots & \vdots \\ 0 & q^{(s)}_{m-1,1} & \dots & q^{(s)}_{m-1,m-1} \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{m-1} \end{pmatrix}$
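The two squaring forms on this slide, as an added example that is not the authors' code: in normal basis $A^{2^s}$ is a cyclic shift of the coefficient word, and in polynomial basis it is the GF(2)-linear map $a \mapsto Q^{(s)} a$, whose columns are the images $(x^i)^{2^s} \bmod p(x)$ of the basis elements (so column 0 is always $(1, 0, \dots, 0)^T$). It assumes the NIST B-163 polynomial $x^{163} + x^7 + x^6 + x^3 + 1$; the element value is a constructed sample. Precomputing $Q^{(s)}$ for each $s$ in the repeated-squarer set is the "precomputed matrices" route that slide 26 mentions.

```python
# Added example (not the authors' code): squaring maps of GF(2^m) for slide 21.
# Elements are ints whose bit i is coefficient a_i. Field: NIST B-163.
M = 163
P = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # p(x) = x^163 + x^7 + x^6 + x^3 + 1


def normal_basis_power(a, s, m=M):
    """A^(2^s) in a normal basis: rotate the m-bit coefficient word left by s positions."""
    s %= m
    return ((a << s) | (a >> (m - s))) & ((1 << m) - 1)


def poly_square(a, m=M, p=P):
    """A^2 in polynomial basis: a_i x^i -> a_i x^(2i), then reduce modulo p(x)."""
    c = 0
    for i in range(m):
        if a >> i & 1:
            c |= 1 << (2 * i)
    for i in range(2 * m - 2, m - 1, -1):      # clear degrees >= m from the top down
        if c >> i & 1:
            c ^= p << (i - m)
    return c


def poly_power_2s(a, s, m=M, p=P):
    """A^(2^s) by s successive squarings (the slow path the matrix replaces)."""
    for _ in range(s):
        a = poly_square(a, m, p)
    return a


def squaring_matrix(s, m=M, p=P):
    """Q^(s) as a list of m column words: column i holds (x^i)^(2^s) mod p(x)."""
    return [poly_power_2s(1 << i, s, m, p) for i in range(m)]


def apply_matrix(cols, a):
    """Q a over GF(2): XOR together the columns selected by the set bits of a."""
    r = 0
    for i, col in enumerate(cols):
        if a >> i & 1:
            r ^= col
    return r


if __name__ == "__main__":
    a = (1 << 150) | (1 << 77) | 0xB5               # constructed sample element
    Q3 = squaring_matrix(3)
    print("matrix == 3 squarings:", apply_matrix(Q3, a) == poly_power_2s(a, 3))
    print("normal basis, shift by m is the identity:", normal_basis_power(a, M) == a)
```

Building $Q^{(s)}$ costs $m \cdot s$ squarings once; afterwards each $A^{2^s}$ is $m$ conditional XORs regardless of $s$, which is exactly what makes a fixed set $S$ of precomputed matrices attractive for the exponent sequences discussed on the following slides.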

SLIDE 22

Repeated Squarer (Normal Basis / HW)

A repeated squarer is a component that can compute $A^{2^s}$ for all $s \in S$ with the same latency (one clock cycle).

◮ In normal basis, repeated squarers are simply $m$-bit $C$-to-1 multiplexers, where $C$ is the cardinality of $S$

Example

A repeated squarer with $S = \{1, 2, 3\}$ is a 3-to-1 multiplexer:

[diagram: the inputs $A \ll 1$, $A \ll 2$ and $A \ll 3$ feed a multiplexer selected by $s$; the output is $A^{2^s}$]

SLIDE 23

The Problem

◮ Let $E = (e_1, e_2, \dots, e_N)$ be the sequence of exponents required for repeated squarings during an inversion.

◮ One needs a set $S = \{s_1, s_2, \dots, s_C\}$ with cardinality $C$ such that all exponents $e_i$ in $E$ can be represented as a sum $e_i = s_{j^{(i)}_1} + s_{j^{(i)}_2} + \dots + s_{j^{(i)}_{k_i}}$ in order to compute the inversion.

The problem

The task is to find $S_{opt}$ that minimizes the sum $L = \sum_{i=1}^{N} k_i$ among all $S$ with cardinality $C$ satisfying the above condition.

⇒ Exhaustive search, because the search space is small(ish)

SLIDE 24

Example: The NIST Field $GF(2^{163})$

Itoh-Tsujii

$1 + 2 + \dots + 2^{161} = (1 + 2)(1 + 2^2(1 + 2^2)(1 + 2^4)(1 + 2^8)(1 + 2^{16})(1 + 2^{32}(1 + 2^{32})(1 + 2^{64})))$ ⇒ $E = (1, 1, 2, 4, 8, 16, 32, 64, 32, 2)$

Our algorithm

$1 + 2 + \dots + 2^{161} = (1 + 2 + 2^2)(1 + 2^3 + 2^6)(1 + 2^9 + 2^{18})(1 + 2^{27} + 2^{54})(1 + 2^{81})$ ⇒ $E = (1, 1, 1, 3, 3, 9, 9, 27, 27, 81)$

SLIDE 25

Example: The NIST Field $GF(2^{163})$ (cont.)

With different $C$, $S_{opt}$ and $L$ are as follows:

        IT                            Our
E       (1, 1, 2, 4, 8, 16, 32, 64, 32, 2)   (1, 1, 1, 3, 3, 9, 9, 27, 27, 81)
C = 1   {1}, 162                      {1}, 162
C = 2   {1, 16}, 27                   {1, 9}, 26
C = 3   {1, 4, 32}, 17                {1, 3, 27}, 16
C = 4   {1, 2, 8, 32}, 13             {1, 3, 9, 27}, 12
C = 5   {1, 2, 4, 8, 32}, 12          {1, 3, 9, 27, 81}, 10
C = 6   {1, 2, 4, 8, 16, 32}, 11      —
C = 7   {1, 2, 4, 8, 16, 32, 64}, 10  —

◮ We have a smaller latency when $C > 1$
◮ We can use smaller repeated squarers (multiplexers) to get the same latency
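The exhaustive search of slide 23 over the two exponent sequences of slide 24, as an added example that is not the authors' code. For each candidate set $S$ a small dynamic programme finds the fewest elements of $S$ (with repetition) summing to each $e_i$, and $L$ is the total; the search keeps the set with the smallest $L$. Two safe prunings keep it cheap: no element above $\max E$ can ever be used, and $1$ must belong to $S$ whenever $1$ occurs in $E$. Beyond that the space grows as $\binom{\max E}{C-1}$, which is the "small(ish)" of the slide; the rows for $C \le 3$ run in well under a second here, larger $C$ takes correspondingly longer.

```python
# Added example (not the authors' code): the exhaustive search for S_opt of slide 23,
# run on the exponent sequences E given on slide 24 for GF(2^163).
from itertools import combinations

E_IT = (1, 1, 2, 4, 8, 16, 32, 64, 32, 2)
E_OURS = (1, 1, 1, 3, 3, 9, 9, 27, 27, 81)


def min_terms_table(S, top):
    """table[e] = fewest elements of S (with repetition) summing to e, or None if impossible."""
    table = [0] + [None] * top
    for e in range(1, top + 1):
        options = [table[e - s] for s in S if s <= e and table[e - s] is not None]
        table[e] = min(options) + 1 if options else None
    return table


def latency(S, E):
    """L = sum_i k_i, the clock cycles spent in the repeated squarer; None if some e_i is unreachable."""
    table = min_terms_table(S, max(E))
    if any(table[e] is None for e in E):
        return None
    return sum(table[e] for e in E)


def best_squarer_set(E, C):
    """Exhaustive search over all S of cardinality C: returns (L_min, S_opt).
    Elements above max(E) are useless, and 1 must be in S whenever 1 is in E,
    so the search runs over the remaining C-1 elements of {2, ..., max(E)}.
    Among equally good sets the first in lexicographic order is returned."""
    top = max(E)
    fixed = (1,) if 1 in E else ()
    pool = range(2 if fixed else 1, top + 1)
    best = (None, None)
    for extra in combinations(pool, C - len(fixed)):
        S = fixed + extra
        L = latency(S, E)
        if L is not None and (best[0] is None or L < best[0]):
            best = (L, S)
    return best


if __name__ == "__main__":
    for C in (1, 2, 3):
        print(f"C = {C}: IT {best_squarer_set(E_IT, C)}   ours {best_squarer_set(E_OURS, C)}")
```

The output reproduces the first three rows of the table above; note that for $C = 3$ the Itoh-Tsujii sequence has more than one set reaching $L = 17$ ({1, 8, 32} also does), so only $L$ is uniquely determined there.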

SLIDE 26

Summary

◮ If repeated squarings in polynomial basis are computed with precomputed matrices, then the same technique applies: we need fewer precomputed matrices and/or use them fewer times during an inversion

◮ Similar behavior can be seen for the other NIST fields, too (except for $GF(2^{233})$, where IT and our algorithm give the same decompositions)

◮ More general cases are still to be investigated

SLIDE 27

Conclusions

A new algorithm for inversion in $GF(2^m)$ that has a provably lower number of multiplications compared to the popular IT and

  • outperforms it in about half of the cases for $1 \le m \le 1023$

The algorithm has some nice by-products that may be important in some implementations

Thank you! Questions?