Finite Field Basis Conversion Methods

1. RSA Data Security, Inc. Finite Field Basis Conversion Methods Burt Kaliski, Yiqun Lisa Yin, and Moses Liskov RSA Laboratories Public Key Solutions �99April 12-14, 1999

2. � RSA 1999 Outline Background General solution More efficient algorithms Conclusions

3. � RSA 1999 Background A finite field is a finite set closed under addition and multiplication, where inverses exist except for 0 q elements, for a prime or prime power q notation: GF(q) = Galois Field Typical fields in cryptography: GF(p), where p is a large prime GF(2m) Extension field: GF(qm)

4. � RSA 1999 Finite Field Representation A basis for the finite field GF(qm) over GF(q) is a set of elements ?0, �, ?m-1 such that every element ? can be expressed uniquely as ? = ? B[i] ?i where B[i] ? GF(q)

5. � RSA 1999 Common Representations Polynomial basis: 1, ?, ?2, �, ?m-1 for some field element ? Normal basis: ?, ?q, ?q2, �, ?qm-1 Many special cases e.g., trinomial, ONB

6. � RSA 1999 Dual Bases The dual basis of ?0, �, ?m-1 with respect to a linear function h is the basis ?0, �, ?m-1 such that

7. � RSA 1999 Basis Conversion Problem Convert between two representations of a field element: A[0], �, A[m-1]: internal representation B[0], �, B[m-1]: external representation ? A[i] ?i = ? B[i] ?i for bases ?0, �, ?m-1 and ?0, �, ?m-1

8. � RSA 1999 Why Does It Matter? For interoperability, parties must have a common representation e.g., public keys in certificates intermediate values in cryptographic primitives, such as DSA, DH But parties may choose different representations when implementing finite field arithmetic

9. � RSA 1999 Import vs. Export In both cases, ideally with field operations in the internal representation take advantage of field arithmetic acceleration

10. � RSA 1999 General Solution Let M be the m ? m matrix whose columns are the internal representations of the external basis elements Then AT = M BT BT = M-1AT where AT, BT are column vectors containing the coefficients A[i], B[i]

11. � RSA 1999 Disadvantages Matrix method requires storage for O(m2) coefficients, which may be too large in some environments e.g., m = 160 requires 3.2K bytes Method involves coefficient operations, not primarily internal field operations

12. � RSA 1999 More Efficient Algorithms Import and export algorithms polynomial, normal, or dual of polynomial or normal external basis any internal basis over GF(q) Storage for O(m) coefficients Primarily internal field operations

13. � RSA 1999 Internal Operations Add, subtract: A ? T Multiply: A ? T Exponentiate: Ai Scalar multiply: s ? T, where s ? GF(q) Coefficient select: A[i]

14. � RSA 1999 Four Approaches Import algorithms Generate-Accumulate Shift-Insert Export algorithms Generate*-Evaluate Shift-Extract

15. � RSA 1999 Import Algorithms Input: B[0], �, B[m-1], coefficients of external representation Output: A, internal representation where A = ? B[i] Wi and W0, ..., Wm-1 is the internal representation of the external basis

16. � RSA 1999 Generate-Accumulate Method Generate W0, �, Wm-1 Accumulate B[i] Wi terms into A A ? 0 for i ? 0 to m-1 A ? A + B[i] ? Wi endfor

17. � RSA 1999 Shift-Insert Method Insert B[m-1] into A as W0-coefficient Shift A up by one coefficient of external representation alternatively, rotate or shift down Repeat for B[m-2], and so on See Kaliski-Yin, SAC �98

18. � RSA 1999 Shift-Insert Method

19. � RSA 1999 Shift-Insert Process








27. � RSA 1999 Import Requirements Efficient generation of external basis or Efficient external shifting

28. � RSA 1999 Export Algorithms Input: A, internal representation Output: B[0], �, B[m-1], coefficients of external representation where A = ? B[i] Wi

29. � RSA 1999 Generate*-Evaluate Method Select a linear function h Generate X0, ..., Xm-1, the internal representation of the dual of the external basis W0, ..., Wm-1 with respect to h Evaluate h at AXi to get B[i] for each i See e.g. Lidl-Niederreiter

30. � RSA 1999 Generate*-Evaluate Method

31. � RSA 1999 Shift-Extract Method Extract W0 coefficient from A as B[0] Shift A down by one digit of external representation alternatively, rotate or shift up Repeat for B[1], and so on

32. � RSA 1999 Shift-Extract Method

33. � RSA 1999 Shift-Extract Process







40. � RSA 1999 Export Requirements Efficient generation of dual of external basis and evaluation or Efficient external shifting and coefficient extraction

41. � RSA 1999 Some Tools External shifting External basis generation Coefficient extraction and evaluation

42. � RSA 1999 External Shifting Given the internal representation corresponding to B[0], B[1], B[2], �, B[m-1], compute the internal representation of some shifted version: 0, B[0], B[1], �, B[m-2] or B[1], B[2], �, B[m-1], 0 or B[m-1], B[0], B[1], �, B[m-2]

43. � RSA 1999 Polynomial Basis Polynomial basis: I, G, G2, ... , Gm-1 A = ? B[i]Gi Shift up: A ? A ? G assuming B[m-1] = 0 Shift down: A ? (A ? B[0] ? I) ? G-1 Rotation also possible

44. � RSA 1999 Normal Basis Normal basis: G, Gq, ..., Gqm-1 A = ? B[i]Gqi Rotate up: A ? Aq Rotate down and shifting also possible

45. � RSA 1999 Dual of Polynomial Basis Shift up, when h is h0, the I-coefficient of polynomial-basis representation: A ? AG-1 ? h0(AG-1) For other h, involves scaling Rotation and shift down also possible

46. � RSA 1999 Dual of Normal Basis Rotate up, when h is the G-coefficient of normal-basis representation A ? Aq ? X1where X1 is from the dual basis For other h, involves scaling Rotate down and shifting also possible

47. � RSA 1999 Generation by Shifting An application of shifting: Given W0, for i ? 1 to m-1 Wi ? shift(Wi-1) endfor Sometimes basis generation is easier than shifting

48. � RSA 1999 External Basis Generation For polynomial and normal bases, generation is straightforward For dual of polynomial and dual of normal bases, generation can be done more efficiently

49. � RSA 1999 Coefficient Extraction & Evaluation h is a linear function: h(A) = ? si A[i] for some coefficients s0, �, sm-1 Equivalently, h(A) = (A ? V)[0] for some field element V

50. � RSA 1999 Summary Four conversion approaches each on iterations of shifting or generation, and possibly extraction or evaluation Efficient tools shift, generate, extract/evaluate internal field operations low storage polynomial, normal, and dual bases

51. � RSA 1999 Running Time O(m) or O(m log q) field operations: m iterations 2-4 field operations per iteration, plus exponentiation (for some bases) 10-20% overhead in elliptic curve cryptosystems If field arithmetic is accelerated, may be faster than matrix method

52. � RSA 1999 Storage O(m) coefficients: 1-2 constants, 2-3 variables, plus exponentiation storage (for some bases) Substantial improvement over matrix method in some environments

53. � RSA 1999 Extensions Multiple coefficients per iteration for shift methods Other bases Different ground-field representations

54. � RSA 1999 Conclusion Storage-efficient and practical basis conversion algorithms for polynomial, normal basis extensions to other bases Modest overhead for ECC operations Result: interoperability in memory-constrained environments

Finite Field Basis Conversion Methods

Finite Field Basis Conversion Methods

Presentation Transcript

MECH3300 Finite element methods

MECH3300 Finite element Methods

Finite Elements: Basis functions

Introduction to Finite Field

Finite Difference Methods (FDM)

Field Methods

MECH3300 Finite Element Methods

Finite Field Restriction Estimates

Data Conversion Methods

Finite-State Methods

Finite-State Methods

Finite Difference Methods

Finite element methods

The Finite-Field FFT

Generalized Finite Element Methods

Finite-State Methods

( FINITE DIFFERENCE METHODS (FDM

I. Finite Field Algebra

Introduction to Finite Field

Finite-State Methods

Generalized Finite Element Methods

Generalized Finite Element Methods