My 2 hours today: 1. Efficient arithmetic in finite fields minute break 3. Elliptic curves. My 2 hours tomorrow:

Transcription

1 My 2 hours today: 1. Efficient arithmetic in finite fields minute break 3. Elliptic curves My 2 hours tomorrow: 4. Efficient arithmetic on elliptic curves minute break 6. Choosing curves

2 Efficient arithmetic in finite fields D. J. Bernstein University of Illinois at Chicago

3 Some examples of finite fields: Z ( ). (Z (2 61 1))[Ø] (Ø 5 3). (Z 223))[Ø] (Ø 37 2). (Z 2)[Ø] (Ø 283 Ø 12 Ø 7 Ø 5 1). How quickly can we add, subtract, multiply in these fields? Answer will depend on platform: AMD Athlon, Sun UltraSPARC IV, Intel 8051, Xilinx Spartan-3, etc. Warning: different platforms often favor different fields!

4 The first question How to multiply big integers? Child s answer: Use polynomial with coefficients in to represent integer in radix 10. With this representation, multiply integers in two steps: 1. Multiply polynomials. 2. Carry extra digits. Polynomial multiplication involves small integers. Have split one big multiplication into many small operations.

5 Example of representation: 839 = = value (at Ø = 10) of polynomial 8Ø 2 + 3Ø 1 + 9Ø 0. Squaring: (8Ø 2 + 3Ø 1 + 9Ø 0 ) 2 = 64Ø Ø Ø Ø Ø 0. Carrying: 64Ø Ø Ø Ø Ø 0 ; 64Ø Ø Ø Ø 1 + 1Ø 0 ; 64Ø Ø Ø 2 + 2Ø 1 + 1Ø 0 ; 64Ø Ø 3 + 9Ø 2 + 2Ø 1 + 1Ø 0 ; 70Ø 4 + 3Ø 3 + 9Ø 2 + 2Ø 1 + 1Ø 0 ; 7Ø 5 + 0Ø 4 + 3Ø 3 + 9Ø 2 + 2Ø 1 + 1Ø 0. In other words, =

6 What operations were used here? multiply add divide by 10 add 159 mod

7 Scaled variation: 839 = = value (at Ø = 1) of polynomial 800Ø Ø 1 + 9Ø 0. Squaring: (800Ø Ø 1 + 9Ø 0 ) 2 = Ø Ø Ø Ø Ø 0. Carrying: Ø Ø Ø Ø Ø 0 ; Ø Ø Ø Ø 1 + 1Ø 0 ; Ø 5 + 0Ø Ø Ø Ø 1 + 1Ø 0.

8 What operations were used here? multiply add add subtract mod

9 Speedup: double inside squaring Squaring + 2Ø 2 + 1Ø 1 + 0Ø 0 produces coefficients such as Compute more efficiently as Or, slightly faster, 2( ) Or, slightly faster, (2 4) 0 + (2 3) after precomputing Have eliminated 1 2 of the work if there are many coefficients.

10 Speedup: allow negative coeffs Recall Scaled: Alternative: Scaled: Use digits instead of Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit.

11 Speedup: delay carries Computing (e.g.) big + 2 : multiply polynomials, carry, square poly, carry, add, carry. e.g. = 314, = 271, = 839: (3Ø 2 +1Ø 1 +4Ø 0 )(2Ø 2 +7Ø 1 +1Ø 0 ) = 6Ø Ø Ø Ø 1 + 4Ø 0 ; carry: 8Ø 4 + 5Ø 3 + 0Ø 2 + 9Ø 1 + 4Ø 0. As before (8Ø 2 + 3Ø 1 + 9Ø 0 ) 2 = 64Ø Ø Ø Ø Ø 0 ; 7Ø 5 + 0Ø 4 + 3Ø 3 + 9Ø 2 + 2Ø 1 + 1Ø 0. +: 7Ø 5 +8Ø 4 +8Ø 3 +9Ø 2 +11Ø 1 +5Ø 0 ; 7Ø 5 + 8Ø 4 + 9Ø 3 + 0Ø 2 + 1Ø 1 + 5Ø 0.

12 Faster: multiply polynomials, square polynomial, add, carry. (6Ø Ø Ø Ø 1 + 4Ø 0 ) + (64Ø 4 +48Ø Ø 2 +54Ø 1 +81Ø 0 ) = 70Ø Ø Ø Ø Ø 0 ; 7Ø 5 + 8Ø 4 + 9Ø 3 + 0Ø 2 + 1Ø 1 + 5Ø 0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea for additions, subtractions, etc.

13 Speedup: polynomial Karatsuba Computing product of polys with (e.g.) deg 20, deg 20: 400 coefficient mults, 361 coefficient adds. Faster: Write as 0 + 1Ø 10 with deg 0 10, deg Similarly write as 0 + 1Ø 10. Then = ( 0 + 1)( 0 + 1)Ø 10 + ( Ø 10 )(1 Ø 10 ).

14 20 adds for 0 + 1, mults for three products 0 0, 1 1, ( 0 + 1)( 0 + 1). 243 adds for those products. 9 adds for Ø 10 with subs counted as adds and with delayed negations. 19 adds for (1 Ø 10 ). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows.

15 Many other algebraic speedups in polynomial multiplication: Toom, FFT, etc. Increasingly important as polynomial degree grows. Ç(Ò lg Ò lg lg Ò) coeff operations to compute Ò-coeff product. Useful for sizes of Ò that occur in cryptography? Maybe; active research area.

16 Using CPU s integer instructions Replace radix 10 with, e.g., Power of 2 simplifies carries. Adapt radix to platform. e.g. Every 2 cycles, Athlon 64 can compute a 128-bit product of two 64-bit integers. (5-cycle latency; parallelize!) Also low cost for 128-bit add. Reasonable to use radix Sum of many products of digits fits comfortably below Be careful: analyze largest sum.

17 e.g. In 4 cycles, Intel 8051 can compute a 16-bit product of two 8-bit integers. Could use radix 2 6. Could use radix 2 8, with 24-bit sums. e.g. Every 2 cycles, Pentium 4 F3 can compute a 64-bit product of two 32-bit integers. (11-cycle latency; yikes!) Reasonable to use radix Warning: Multiply instructions are very slow on some CPUs. e.g. Pentium 4 F2: 10 cycles!

18 Using floating-point instructions Big CPUs have separate floating-point instructions, aimed at numerical simulation but useful for cryptography. In my experience, floating-point instructions support faster multiplication (often much, much faster) than integer instructions, except on the Athlon 64. Other advantages: portability; easily scaled coefficients.

19 e.g. Every 2 cycles, Pentium III can compute a 64-bit product of two floating-point numbers, and an independent 64-bit sum. e.g. Every cycle, Athlon can compute a 64-bit product and an independent 64-bit sum. e.g. Every cycle, UltraSPARC III can compute a 53-bit product and an independent 53-bit sum. Reasonable to use radix e.g. Pentium 4 can do the same using SSE2 instructions.

20 How to do carries in floating-point registers? (No CPU carry instruction: not useful for simulations.) Exploit floating-point rounding: add big constant, subtract same constant. e.g. Given «with «2 75 : compute 53-bit floating-point sum of «and constant , obtaining a multiple of 2 24 ; subtract from result, obtaining multiple of 2 24 nearest «; subtract from «.

21 Reducing modulo a prime Fix a prime Ô. The prime field Z Ô is the set Ô 1 with defined as mod Ô, + defined as + mod Ô, defined as mod Ô. e.g. Ô = : = 47 in Z Ô; 1 = in Z Ô; = 1 in Z Ô.

22 How to multiply in Z Ô? Can use definition: mod Ô = Ô Ô. Can multiply by a precomputed 1 Ô approximation; easily adjust to obtain Ô. Slight speedup: 2-adic inverse ; Montgomery reduction. We can do better: normally Ô is chosen with a special form (or dividing a special form; see redundant representations ) to make mod Ô much faster.

23 e.g. In Z : = = ( 3) = = Easily adjust to range 0 1 Ô 1 by adding/subtracting a few Ô s. (Beware timing attacks!) Speedup: Delay the adjustment; extra Ô s won t damage subsequent field operations.

24 Can delay carries until after multiplication by 3. e.g. To square in Z : Square poly 3Ø 5 + 1Ø 4 + 4Ø 3 + 1Ø 2 + 5Ø 1 + 9Ø 0, obtaining 9Ø Ø Ø Ø Ø Ø Ø Ø Ø Ø Ø 0. Reduce: replace ( )Ø 6+ by ( 3 )Ø, obtaining 72Ø Ø Ø 3 32Ø Ø 1 63Ø 0. Carry: 8Ø 6 4Ø 5 2Ø 4 + 1Ø 3 + 2Ø 2 + 2Ø 1 3Ø 0.

25 To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9Ø Ø Ø Ø Ø Ø Ø Ø Ø Ø Ø 0. Reduce Ø 10 Ø 4 and carry Ø 4 Ø 5 Ø 6 : 6Ø 9 +25Ø 8 +14Ø 7 +56Ø 6 5Ø 5 +2Ø 4 +82Ø 3 +43Ø 2 +90Ø 1 +81Ø 0. Finish reduction: 5Ø 5 + 2Ø Ø 3 32Ø Ø 1 87Ø 0. Carry Ø 0 Ø 1 Ø 2 Ø 3 Ø 4 Ø 5 : 4Ø 5 2Ø 4 + 1Ø 3 + 2Ø 2 1Ø 1 + 3Ø 0.

26 Speedup: non-integer radix Consider Z (2 61 1). Five coeffs in radix 2 13? 4Ø 4 + 3Ø 3 + 2Ø 2 + 1Ø 1 + 0Ø 0. Most coeffs could be Square +2( )Ø 5 +. Coeff of Ø 5 could be Reduce: 2 65 = 2 4 in Z (2 61 1); + (2 5 ( ) + 0 2)Ø0. Coeff could be Very little room for additions, delayed carries, etc. on 32-bit platforms.

27 Scaled: Evaluate at Ø = 1. 4 is multiple of 2 52 ; 3 is multiple of 2 39 ; 2 is multiple of 2 26 ; 1 is multiple of 2 13 ; 0 is multiple of 2 0. Reduce: + (2 60 ( ) + 0 2)Ø0. Better: Non-integer radix is multiple of 2 49 ; 3 is multiple of 2 37 ; 2 is multiple of 2 25 ; 1 is multiple of 2 13 ; 0 is multiple of 2 0. Saves a few bits in coeffs.

28 More finite fields Fix a prime Ô. Fix a poly ³ in one variable Ø with ³ irreducible mod Ô. The finite field (Z Ô)[Ø] ³ is the set of polynomials deg ³ 1 Ødeg ³ Ø 1 + 0Ø 0 with each ¾ Z Ô and with + defined modulo Ô and modulo ³. (Z Ô)[Ø] ³ is an extension of the prime field Z Ô; it has characteristic Ô.

29 e.g. 223 is prime, and poly Ø 6 3 is irreducible mod 223, so (Z 223)[Ø] (Ø 6 3) is a field elements of field, namely polynomials 5Ø 5 + 4Ø 4 + 3Ø 3 + 2Ø 2 + 1Ø 1 + 0Ø 0 with each ¾ After adding, subtracting, multiplying: replace Ø 6 by 3, replace Ø 7 by 3Ø, etc.; and reduce coefficients modulo 223. e.g. (9Ø 4 + 1) 2 = 81Ø Ø = 243Ø 2 +18Ø 4 +1 = 18Ø 4 +20Ø 2 +1.

30 Have two levels of polynomials when Ô is large: element of (Z Ô)[Ø] ³ is poly mod ³; each poly coefficient is integer represented as poly in some radix. e.g. 4Ø 4 + 3Ø 3 + 2Ø 2 + 1Ø 1 + 0Ø 0 in (Z (2 61 1))[Ø] (Ø 5 3) could have each coefficient represented as poly of degree 3 in radix When Ô is small, especially Ô = 2, many speedups beyond this talk: batching coefficients, using fast Frobenius, et al.