Another Look at Inversions over Binary Fields, Vassil Dimitrov and Kimmo Järvinen - PowerPoint PPT Presentation


  1. Another Look at Inversions over Binary Fields
     Vassil Dimitrov [1], Kimmo Järvinen [2]
     [1] Department of Electrical and Computer Engineering, University of Calgary, Canada
     [2] Department of Information and Computer Science, Aalto University, School of Science, Finland

  2. Inversion with Fermat's Little Theorem
     ◮ Multiplicative inverse: given $A \neq 0 \in GF(2^m)$, find $A^{-1}$ such that $A^{-1} \cdot A = 1$
     ◮ $A^{2^m - 1} = 1$ for all $A \neq 0 \in GF(2^m)$ $\Rightarrow$ $A^{-1} = A^{2^m - 2}$
     ◮ $A^{2(2^{m-1} - 1)} = A^{2(1 + 2 + 2^2 + \ldots + 2^{m-2})}$
     Standard exponentiation: $A^{2(1 + 2 + 2^2 + \ldots + 2^{m-2})} = B \cdot B^2 \cdot B^{2^2} \cdots B^{2^{m-2}}$ where $B = A^2$
     ◮ $m - 2$ multiplications
     ◮ $m - 1$ squarings
     Vassil Dimitrov and Kimmo Järvinen, Another Look at Inversions over Binary Fields, 2/23

  3. Itoh-Tsujii
     Introduced by Itoh and Tsujii in 1988:
     $$1 + 2 + \ldots + 2^{m-2} = \begin{cases} (1 + 2)(1 + 2^2 + \ldots + 2^{m-3}), & \text{if } m - 1 \text{ is even} \\ 1 + 2(1 + 2)(1 + 2^2 + \ldots + 2^{m-4}), & \text{if } m - 1 \text{ is odd} \end{cases}$$
     Example, $GF(2^{31})$: $1 + 2 + \ldots + 2^{29} = (1 + 2)(1 + 2^2(1 + 2^2)(1 + 2^4(1 + 2^4)(1 + 2^8(1 + 2^8))))$ $\Rightarrow$ 7 multiplications, 30 squarings
     In general:
     ◮ $\lfloor \log(m - 1) \rfloor + H(m - 1) - 1$ multiplications, where $H(\cdot)$ is the Hamming weight
     ◮ $m - 1$ squarings

  4. Matrix Polynomial $I + A + A^2 + \ldots + A^{N-1}$
     ◮ A problem that has significance in graph theory and signal processing
     ◮ Minimize the number of matrix multiplications in computing $G(N, A) = I + A + A^2 + \ldots + A^{N-1}$
     Dimitrov and Cooklev (1995):
     $$G(N, A) = \begin{cases} (I + A + A^2) \cdot G(\lfloor N/3 \rfloor, A^3) & \text{if } N \equiv 0 \text{ or } 3 \pmod 6 \\ I + (A + A^2 + A^3) \cdot G(\lfloor N/3 \rfloor, A^3) & \text{if } N \equiv 1 \text{ or } 4 \pmod 6 \\ (I + A) \cdot G(\lfloor N/2 \rfloor, A^2) & \text{if } N \equiv 2 \pmod 6 \\ I + (A + A^2) \cdot G(\lfloor N/2 \rfloor, A^2) & \text{if } N \equiv 5 \pmod 6 \end{cases}$$

  5. The New Algorithm
     Idea: use the same approach for $1 + 2 + 2^2 + \ldots + 2^{m-2}$, but try to minimize the number of additions (which imply multiplications in an inversion).
     Double-base with bases $\{2, 3\}$:
     $$1 + 2 + \ldots + 2^{m-2} = \begin{cases} (1 + 2 + 2^2) \cdot (1 + 2^3 + 2^6 + \ldots + 2^{m-4}) & \text{if } m - 1 \equiv 0, 3 \pmod 6 \\ (1 + 2) \cdot (1 + 2^2 + 2^4 + \ldots + 2^{m-3}) & \text{if } m - 1 \equiv 2, 4 \pmod 6 \\ 1 + (2 + 2^2) \cdot (1 + 2^2 + 2^4 + \ldots + 2^{m-4}) & \text{if } m - 1 \equiv 1, 5 \pmod 6 \end{cases}$$
     For the triple-base version with bases $\{2, 3, 5\}$, we extend this with:
     $$((1 + 2)(1 + 2^2) + 2^4)(1 + 2^5 + \ldots + 2^{m-6}) \quad \text{if } m - 1 \equiv 0 \pmod 5$$

  6. The New Algorithm vs. Itoh-Tsujii
     Average number of multiplications:
     ◮ $1.5 \log(m - 1)$ for IT
     ◮ $1.42 \log(m - 1)$ for $\{2, 3\}$
     ◮ $1.39 \log(m - 1)$ for $\{2, 3, 5\}$
     For fields $GF(2^m)$, $1 \le m \le 1023$:
     ◮ 18 (1.8 %): $\{2, 3\}$ is the best
     ◮ 109 (10.7 %): $\{2, 3, 5\}$ is the best
     ◮ 387 (37.8 %): $\{2, 3\}$ and $\{2, 3, 5\}$ are the best
     ◮ 79 (7.7 %): IT is the best
     ◮ 430 (42.0 %): all are equally good
     $\Rightarrow$ We are better for 50.2 % and worse for 7.7 % of the cases

  7. The NIST Fields
     Number of multiplications per inversion:

     Method                              GF(2^163)  GF(2^233)  GF(2^283)  GF(2^409)  GF(2^571)
     Itoh-Tsujii                             9         10         11         11         13
     Best of {2,3} and {2,3,5}               9         10         12         10         12
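As an added example (not the authors' code), the multiplication counts of slides 3, 5 and 7 computed in Python by recursing on the number of terms n = m - 1 with the slide-5 rules. Which rule is tried first when several apply to the same n is an assumption, since the slides do not say.

```python
def it_mults(m):
    """Itoh-Tsujii (slide 3): floor(log2(m-1)) + H(m-1) - 1 multiplications."""
    n = m - 1
    return (n.bit_length() - 1) + bin(n).count("1") - 1

def db_mults(n):
    """Double-base {2,3} rules of slide 5 for the n-term sum 1 + 2^k + ... + 2^(k(n-1)).
    A factor (1+2^k) costs one multiplication, (1+2^k+2^(2k)) two, the outer '1 + ...' one."""
    if n == 1:
        return 0
    if n % 3 == 0:                        # n = 0, 3 (mod 6): (1+2+2^2) * G(n/3, 2^3)
        return 2 + db_mults(n // 3)
    if n % 2 == 0:                        # n = 2, 4 (mod 6): (1+2) * G(n/2, 2^2)
        return 1 + db_mults(n // 2)
    return 2 + db_mults((n - 1) // 2)     # n = 1, 5 (mod 6): 1 + (2+2^2) * G((n-1)/2, 2^2)

def tb_mults(n):
    """Triple-base {2,3,5}: adds ((1+2)(1+2^2) + 2^4) * G(n/5, 2^5), three multiplications,
    when 5 divides n. Trying the base-5 rule first is an assumption, not the slides' rule."""
    if n == 1:
        return 0
    if n % 5 == 0:
        return 3 + tb_mults(n // 5)
    if n % 3 == 0:
        return 2 + tb_mults(n // 3)
    if n % 2 == 0:
        return 1 + tb_mults(n // 2)
    return 2 + tb_mults((n - 1) // 2)

def best_mults(m):
    """Best of the two new decompositions for GF(2^m) (second row of slide 7)."""
    return min(db_mults(m - 1), tb_mults(m - 1))

def nist_table():
    """(m, Itoh-Tsujii, best new) for the five NIST binary fields of slide 7."""
    return [(m, it_mults(m), best_mults(m)) for m in (163, 233, 283, 409, 571)]

def tally(max_m=1023):
    """Over GF(2^m), 2 <= m <= max_m: how often the new decompositions need fewer,
    more, or the same number of multiplications as IT (the comparison of slide 6)."""
    fewer = more = same = 0
    for m in range(2, max_m + 1):
        d = best_mults(m) - it_mults(m)
        fewer, more, same = fewer + (d < 0), more + (d > 0), same + (d == 0)
    return fewer, more, same
```

Because the rule precedence is assumed, tally() need not reproduce the exact percentages of slide 6, but nist_table() returns the two rows of the table above.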

  8. Some Other Practical Implications
     Fewer (even by one) multiplications make a large difference and, therefore, practically all work so far has concentrated on them.
     Although multiplications usually dominate the costs of inversions, other aspects should not be overlooked:
     ◮ Temporary variables
     ◮ Squarings

  9. Temporary Variables

  10. How Are Inversions Computed?
     $GF(2^{31})$: $A^{-1} = A^{2^{31} - 2} = A^{2(2^{30} - 1)} = A^{2(1 + 2 + \ldots + 2^{29})}$
     $1 + 2 + \ldots + 2^{29} = (1 + 2 + 2^2)(1 + 2^3)(1 + 2^6(1 + 2^6)(1 + 2^{12}))$


  14. How Are Inversions Computed?
     $GF(2^{31})$: $A^{-1} = A^{2^{31} - 2} = A^{2(2^{30} - 1)} = A^{2(1 + 2 + \ldots + 2^{29})}$
     $1 + 2 + \ldots + 2^{29} = (1 + 2 + 2^2)(1 + 2^3)(1 + 2^6(1 + 2^6)(1 + 2^{12}))$
     Here $A \ll s$ denotes $A^{2^s}$ (a cyclic shift in normal basis, i.e. $s$ squarings):
     1. $B \leftarrow A \ll 1$
     2. $C \leftarrow B \ll 1$
     3. $B \leftarrow B \times C$
     4. $B \leftarrow B \times (C \ll 1)$
     5. $B \leftarrow B \times (B \ll 3)$
     6. $C \leftarrow B$
     7. $B \leftarrow B \times (B \ll 6)$
     8. $B \leftarrow B \times (B \ll 12)$
     9. $B \leftarrow C \times (B \ll 6)$
     10. return $B = A^{-1}$
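The chain above run in Python as an added example (not the authors' code): it uses a polynomial basis with the assumed modulus p(x) = x^31 + x^3 + 1, so A ≪ k becomes k modular squarings rather than a cyclic shift, and it counts the 6 multiplications and 30 squarings; C at step 6 is the single long-time variable of this decomposition.

```python
M = 31
POLY = (1 << 31) | (1 << 3) | 1        # p(x) = x^31 + x^3 + 1 (assumed irreducible)
STATS = {"mul": 0, "sqr": 0}           # operation counters for the chain

def _clmul_reduce(a, b):
    """Carry-less product of a and b reduced modulo POLY (bit i = coefficient a_i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:                     # degree reached M: subtract (xor) p(x)
            a ^= POLY
    return r

def gf_mul(a, b):
    STATS["mul"] += 1
    return _clmul_reduce(a, b)

def gf_shift(a, k):
    """A << k in the slides' notation: A^(2^k). In normal basis this is a cyclic
    shift; in polynomial basis it is k modular squarings."""
    for _ in range(k):
        STATS["sqr"] += 1
        a = _clmul_reduce(a, a)
    return a

def gf_inv_db(a):
    """Steps 1-10 of slide 14 for 2(1+2+2^2)(1+2^3)(1+2^6(1+2^6)(1+2^12)) = 2^31 - 2.
    Returns (A^-1, multiplications used, squarings used)."""
    STATS["mul"] = STATS["sqr"] = 0
    b = gf_shift(a, 1)                 # 1: B = A^2
    c = gf_shift(b, 1)                 # 2: C = A^4
    b = gf_mul(b, c)                   # 3: A^(2(1+2))
    b = gf_mul(b, gf_shift(c, 1))      # 4: A^(2(1+2+2^2))
    b = gf_mul(b, gf_shift(b, 3))      # 5: times (1+2^3): A^(2(1+...+2^5))
    c = b                              # 6: the one long-time variable (slide 15)
    b = gf_mul(b, gf_shift(b, 6))      # 7: times (1+2^6)
    b = gf_mul(b, gf_shift(b, 12))     # 8: times (1+2^12)
    b = gf_mul(c, gf_shift(b, 6))      # 9: 1 + 2^6(1+2^6)(1+2^12)
    return b, STATS["mul"], STATS["sqr"]   # 10: B = A^-1

if __name__ == "__main__":
    a = 0x5A5A5A5                      # constructed sample element
    inv, muls, sqrs = gf_inv_db(a)
    print(hex(inv), muls, sqrs, gf_mul(inv, a) == 1)
```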

  15. Number of Variables
     $(1 + 2^k)$: no additional variables
     $(1 + 2^k + 2^{2k})$: one short-time variable
     $((1 + 2^k)(1 + 2^{2k}) + 2^{4k})$: one short-time variable
     $1 + 2^k(1 + 2^k)$: one long-time variable
     $\Rightarrow$ For IT, the number of variables $V$ is the number of $1 + 2^k(1 + 2^k)$ terms, i.e. $V = H(m - 1) - 1$
     $\Rightarrow$ For us, $V$ is the number of $1 + 2^k(1 + 2^k)$ terms in the decomposition, plus one if we have at least one $(1 + 2^k + 2^{2k})$ or $((1 + 2^k)(1 + 2^{2k}) + 2^{4k})$ after the last $1 + 2^k(1 + 2^k)$ term.
     $\Rightarrow$ The average number of long-time variables is $0.5 \log(m - 1)$ for IT and about $0.339 \log(m - 1)$ for us

  16. Results
     [Figure: number of temporary variables (0 to 9) as a function of $m$ (up to 1000) for IT and for our algorithm]

  17. Results (cont.)
     [Figure: difference in the number of variables (−6 to 6) as a function of $m$ (100 to 1000); positive values mean IT is better, negative values mean ours is better]

  18. Summary
     ◮ We save on average one variable for $GF(2^m)$, $1 \le m \le 1023$
     ◮ For some fields we save 5 variables, and for some we lose by 2
     ◮ The fields for which we are losing are always those for which we need more multiplications

  19. Squarings

  20. Motivation
     Example: an inversion over $GF(2^{163})$ requires
     ◮ 9 multiplications and
     ◮ 162 squarings.
     Modern HW implementations of ECC use fast multipliers, and squarings start to dominate:
     ◮ $M = 163$ $\Rightarrow$ squarings take 10 % of the time (162 vs. 1467)
     ◮ $M = 15$ $\Rightarrow$ squarings take 55 % of the time (162 vs. 135)
     ◮ $M = 4$ $\Rightarrow$ squarings take 82 % of the time (162 vs. 36)
     ◮ $M = 1$ $\Rightarrow$ squarings take 95 % of the time (162 vs. 9)
     OK, but the number of squarings is $m - 1 = 162$ for both IT and the new algorithm.

  21. Squarings
     Normal basis: an element $A \in GF(2^m)$ is given by $A = \sum_{i=0}^{m-1} a_i \beta^{2^i}$. Then $A^{2^s} = A \ll s$ (cyclic shift).
     Polynomial basis: an element $A \in GF(2^m)$ is given by $A = \sum_{i=0}^{m-1} a_i x^i$. Then $A^2 = \sum_{i=0}^{m-1} a_i x^{2i} \bmod p(x)$ and
     $$A^{2^s} = \begin{pmatrix} 1 & q^{(s)}_{0,1} & \cdots & q^{(s)}_{0,m-1} \\ 0 & q^{(s)}_{1,1} & \cdots & q^{(s)}_{1,m-1} \\ \vdots & \vdots & \ddots & \vdots \\ 0 & q^{(s)}_{m-1,1} & \cdots & q^{(s)}_{m-1,m-1} \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{m-1} \end{pmatrix}$$

  22. Repeated Squarer (Normal Basis / HW)
     A repeated squarer is a component that can compute $A^{2^s}$ for all $s \in S$ with the same latency (one clock cycle).
     ◮ In normal basis, repeated squarers are simply $m$-bit $C$-to-1 multiplexers, where $C$ is the cardinality of $S$
     Example: a repeated squarer with $S = \{1, 2, 3\}$ is a 3-to-1 multiplexer.
     [Figure: $A$ feeds three cyclic shifters ($\ll 1$, $\ll 2$, $\ll 3$); the select input $s$ chooses which of them drives the output $A^{2^s}$]
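An added example (not the authors' code) for slides 21 and 22: building the polynomial-basis squaring matrix Q^(s) for a constructed small field GF(2^7) with p(x) = x^7 + x + 1, checking it against direct squarings, and keeping one matrix per s in S = {1, 2, 3} as the polynomial-basis counterpart of the multiplexer.

```python
M = 7
POLY = (1 << 7) | (1 << 1) | 1        # p(x) = x^7 + x + 1, a constructed small example

def reduce_mod(v):
    """Reduce a polynomial of any degree modulo p(x) (bit i = coefficient of x^i)."""
    while v.bit_length() > M:
        v ^= POLY << (v.bit_length() - 1 - M)
    return v

def square(a):
    """A^2 = sum a_i x^(2i) mod p(x): spread the bits apart, then reduce."""
    spread = 0
    for i in range(M):
        if a >> i & 1:
            spread |= 1 << (2 * i)
    return reduce_mod(spread)

def squaring_matrix(s):
    """Q^(s) of slide 21 as M rows; bit j of row i is q^(s)_{i,j}. Column j is the
    coordinate vector of (x^j)^(2^s), so column 0 is (1, 0, ..., 0)^T as on the slide."""
    rows = [0] * M
    for j in range(M):
        col = 1 << j
        for _ in range(s):
            col = square(col)
        for i in range(M):
            if col >> i & 1:
                rows[i] |= 1 << j
    return rows

def apply_matrix(rows, a):
    """Matrix-vector product over GF(2): output bit i is the parity of (row_i AND a)."""
    out = 0
    for i, row in enumerate(rows):
        if bin(row & a).count("1") & 1:
            out |= 1 << i
    return out

def matches_direct(a, s):
    """True if the matrix form of A^(2^s) agrees with s plain squarings."""
    direct = a
    for _ in range(s):
        direct = square(direct)
    return apply_matrix(squaring_matrix(s), a) == direct

# Repeated squarer for S = {1, 2, 3} (slide 22): one constant matrix per s, and
# selecting TABLES[s] plays the role of the multiplexer, so each A^(2^s) costs
# one matrix-vector step regardless of s.
TABLES = {s: squaring_matrix(s) for s in (1, 2, 3)}
```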
