A Residue Approach of the Finite Field Arithmetics

A Residue Approach of the Finite Field Arithmetics 1/20

A Residue Approach of the Finite FieldArithmetics

JC Bajard

LIRMM, CNRS UM2161 rue Ada, 34392 Montpellier cedex 5, France


Contents

Introduction to Residue Systems

Modular reduction in Residue Systems

Applications to Cryptography

Conclusion







I In some applications, like cryptography, we use finite fieldarithmetics on huge numbers or large polynomials.

I Residue systems are a way to distribute the calculus on smallcells.

I Are these systems available for finite fields?



Residue Number Systems in GF (p), p prime

I Modular arithmetic mod p, elements are considered asintegers.

I Residue Number SystemI RNS base: a set of coprime numbers (m1, ...,mk)I RNS representation: (a1, ..., ak) with ai = |A|mi

I Full parallel operations modM with M =∏k

i=1 mi

(|a1 ⊗ b1|m1, . . . , |an ⊗ bn|mn

)→ A⊗ B (mod M)

I Very fast product, but an extension of the base could benecessary and a reduction modulo p is needed.



Lagrange representations in GF (pk) with p > 2k

I Arithmetic modulo I (X ), an irreducible GF (p) polynomial ofdegree k. Elements of GF (pk) are considered as GF (p)polynomials of degree lower than k .

I Lagrange representationI is defined by k different points e1, ...ek in GF (p). (k ≤ p.)I A polynomial A(X ) = α0 + α1X + ...+ αk−1X

k−1 over GF (p)is given in Lagrange representation by:

(a1 = A(e1), ..., ak = A(ek)).

I Remark: ai = A(ei ) = A(X ) mod (X − ei ). If we notemi (X ) = (X − ei ), we obtain a similar representation as RNS.

I Operations are made independently on each A(ei ) (like in FFTor Tom-Cook approaches). We need to extend to 2k pointsfor the product.



Trinomial residue in GF (2n)

I Arithmetic modulo I (X ), an irreducible GF (2) polynomial ofdegree n. Elements of GF (2n) are considered as GF (2)polynomials of degree lower than n.

I Trinomial representationI is defined by a set of k coprime trinomials

mi (X ) = X d + X ti + 1, with k × d ≥ n,I an element A(X ) is represented by (a1(X ), ...ak(X )) with

ai (X ) = A(X ) mod mi (X ).I This representation is equivalent to RNS.

I Operations are made independently on each ai (X )



Residue Systems

I Residue systems could be an issue for computing efficientlythe product.

I The main operation is now the modular reduction forconstructing the finite field elements.

I The choice of the residue system base is important, it givesthe complexity of the basic operations.






Reduction of Montgomery

I The most used reduction algorithm is due to Montgomery(1985)[9]

I For reducing A modulo p, it evaluates q = −(Ap−1) mod 2s ,then it constructs R = (A + qp)/2s . The obtained valuesatisfies: R ≡ A× 2−s (mod p) and R < 2p if A < p2s .We note Montg(A, 2s , p) = R.

I Montgomery notation: A′ = A× 2s mod pMontg(A′ × B ′, 2s , p) ≡ (A× B)× 2s (mod p)



Residue version of Montgomery Reduction

I The residue base is such that p < M(or deg M(X ) ≥ deg I (X ))

I We use an auxiliary base such that p < M ′

(or deg M ′(X ) ≥ deg I (X )), M ′ and M coprime.(Exact product, and existence of M−1)

I Steps of the algorithm

1. q = −(Ap−1) mod M (calculus in base M)2. Extension of the representation of q to the base M ′

3. R = (A + qp)×M−1 (calculus in base M ′)4. Extension of the representation of R to the base M

I The values are represented in the two bases.



Extension of Residue System Bases (from M to M ′)

The extension comes from the Lagrange interpolation.If (a1, ..., ak) is the residue representation in the base M, then

A =k∑

i=1

∣∣∣∣∣ai ×[

M

mi

]−1

mi

∣∣∣∣∣mi

× M

mi− αM

The factor α can be in certain cases, neglected or computed.[1]Another approach consists in the Newton interpolation where A iscorrectly reconstructed. [4]



Extension of Residue System Bases (from M to M ′)

We first translate in an intermediate representation (MRS):

ζ1 = a1

ζ2 = (a2 − ζ1) m−11 mod m2

ζ3 =((a3 − ζ1) m−1

1 − ζ2)

m−12 mod m3

...

ζn =(. . .((an − ζ1) m−1

1 − ζ2)

m−12 − · · · − ζn−1

)m−1

n−1 mod mn.

We evaluate A, with Horner’s rule, as

A = (. . . ((ζn mn−1 + ζn−1) mn−2 + · · ·+ ζ3) m2 + ζ2) m1 + ζ1.



Features of the residue system

I Efficient multiplication, the cost being the cost of onemultiplication on one residue.

I Costly reduction: O(k1.6) for trinomials [4], 2k2 + 3k for RNS[1], O(k2) for Lagrange representation [5].

I If we take into account that most of the operations aremultiplications by a constant, the cost can be considerablysmaller.






Elliptic curve cryptography

I The main idea comes from the efficiency of the product andthe cost of the reduction in Residue Systems.

I We try to minimize the number of reductions. A reduction isnot necessary after each operation. Clearly, for a formula likeA× B + C × D, only one reduction is needed.

I Elliptic Curve Cryptography is based on points addition. Weuse appropriate forms (Hessian, Jacobi, MontgomeryLadder...) and coordinates: projective, Jacobian orChudnowski.

I For 512 bits values, Residues Systems, for curves defined overa prime field, are more efficient than classicalrepresentations.[2]



Pairings

I Summarizing, we define a pairing as following: G1 and G2 twoadditive abelean groups of cardinal n and G3 a cyclic(multiplicative) group of cardinal n.

I A pairing is a function e : G1 × G2 → G3 which verifies thefollowing properties: Bilinearity, Non-degeneracy.

I For pairings defined on an elliptic curve E over a finite fieldGF (p), we have G1 ⊂ E (GF (p)), G2 ⊂ E (GF (pk)) andG3 ⊂ GF (pk), where k is the smallest integer such that ndivides pk − 1, k is called the embedded degree of the curve.



Pairings

I The construction of the pairing implies values over GF (p) andGF (pk) into the formulas. An approach with Residue Systems,similar to the one made on ECC could be interesting.[3]

I k is most of the time chosen as a small power of 2 and 3 foralgorithmic reasons. Residue arithmetics allow to pass overthis restriction.

I With pairings, we can also imagine two levels of ResidueSystems: one over GF (p) and one over GF (pk).


Conclusion

Conclusion on Residue Systems


Conclusion

Conclusions

I We have seen that Residue Systems give some good resultsfor ECC over GF (p).

I We will extend these studies for ECC over GF (pk) andGF (2k).

I Residue Systems offer to pairings an opening to a large varietyof embedded degrees and finite fields. We remind that thesecurity is given by the one of ECC over GF (p) and by thediscrete logarithm over GF (pk).


Conclusion

Bajard, J.C., Didier, L.S., Kornerup, P.: Modularmultiplication and base extension in residue number systems.15th IEEE Symposium on Computer Arithmetic, 2001 VailColorado USA pp. 59–65

Bajard, J.C., Duquesne, S., Ercegovac M. and Meloni N.:Residue systems efficiency for modular products summation:Application to Elliptic Curves Cryptography, in AdvancedSignal Processing Algorithms, Architectures, andImplementations XVI, SPIE 2006, San Diego, USA.

Bajard, J.C. and ElMrabet N.: Pairing in cryptography: anarithmetic point of view, Advanced Signal ProcessingAlgorithms, Architectures, and Implementations XVII, part ofthe SPIE Optics & Photonics 2007 Symposium. August 2007San Diego, USA.


Conclusion

J.C. Bajard, L. Imbert, and G. A. Jullien: Parallel MontgomeryMultiplication in GF (2k) using Trinomial Residue Arithmetic,17th IEEE symposium on Computer Arithmetic, 2005, CapeCod, MA, USA.pp. 164-171

J.C. Bajard, L. Imbert et Ch. Negre, Arithmetic Operations inFinite Fields of Medium Prime Characteristic Using theLagrange Representation, journal IEEE Transactions onComputers, September 2006 (Vol. 55, No. 9) p p. 1167-1177

Bajard, J.C., Meloni, N., Plantard, T.: Efficient RNS bases forCryptography IMACS’05, Applied Mathematics andSimulation, (2005)

Garner, H.L.: The residue number system. IRE Transactionson Electronic Computers, EL 8:6 (1959) 140–147

Knuth, D.: Seminumerical Algorithms. The Art of ComputerProgramming, vol. 2. Addison-Wesley (1981)


Conclusion

Montgomery, P.L.: Modular multiplication without trialdivision. Math. Comp. 44:170 (1985) 519–521

Svoboda, A. and Valach, M.: Operational Circuits. Stroje naZpracovani Informaci, Sbornik III, Nakl. CSAV, Prague, 1955,pp.247-295.

Szabo, N.S., Tanaka, R.I.: Residue Arithmetic and itsApplications to Computer Technology. McGraw-Hill (1967)

A Residue Approach of the Finite Field Arithmetics

Documents