## Efficient multiplication using type 2 optimal normal bases

Citations: | 5 - 0 self |

### BibTeX

@MISC{Gathen_efficientmultiplication,

author = {Joachim Von Zur Gathen and Amin Shokrollahi and Jamshid Shokrollahi},

title = {Efficient multiplication using type 2 optimal normal bases},

year = {}

}

### Abstract

In this paper we propose a new structure for multiplication using optimal normal bases of type 2. The multiplier uses an efficient linear transformation to convert the normal basis representations of elements of $\mathbb{F}_{q^n}$ to suitable polynomials of degree at most $n$ over $\mathbb{F}_q$. These polynomials are multiplied using any method which is suitable for the implementation platform, then the product is converted back to the normal basis using the inverse of the above transformation. The efficiency of the transformation arises from a special factorization of its matrix into sparse matrices. This factorization — which resembles the FFT factorization of the DFT matrix — allows the transformation and its inverse to be computed using $O(n \log n)$ operations in $\mathbb{F}_q$, rather than the $O(n^2)$ operations needed for a general change of basis. Using this technique we can reduce the asymptotic cost of multiplication in optimal normal bases of type 2 from $2M(n) + O(n)$ reported by Gao et al. (2000) to $M(n) + O(n \log n)$ operations in $\mathbb{F}_q$, where $M(n)$ is the number of $\mathbb{F}_q$-operations to multiply two polynomials of degree $n - 1$ over $\mathbb{F}_q$. We show that this cost is also smaller than other proposed multipliers for $n > 160$, values which are used in elliptic curve cryptography.

### Citations

337 | C.: Computational Framework of the Fast Fourier Transform - Loan - 1992

Citation Context ...e isomorphism $\nu_n$ can be computed using $O(n \log n)$ operations as will be shown later in Section 6. (7) (9) Theorem 3. For $r \ge 1$, we have $L_{p^r} = (I_1 \otimes B_r)(I_p \otimes B_{r-1}) \cdots (I_{p^{r-2}} \otimes B_2)(I_{p^{r-1}} \otimes B_1)$. (11) In order to multiply $L_{p^r}$ by a vector, we successively multiply the matrices in the factorization (11) by that vector. In the next section we count the number of operations required for the computatio... |

58 | Computational Method and Apparatus for Finite Field Arithmetic, US patent application - Massey, Omura - 1984 |

27 | An Efficient Optimal Normal Basis Type II Multiplier - Sunar, Koç - 2001 |

23 | Optimal normal bases - Gao, Lenstra - 1992

Citation Context ...even, and $\binom{j_1}{(j_1-i_1-1)/2}\,\Theta_{p^{r-1}}$ otherwise. Lemma 1. For $r \ge 1$, we have $L_{p^r} = B_r (I_p \otimes L_{p^{r-1}})$. (4) Proof. For $0 \le i, j < p^r$ we compute $(L_{p^r})_{i,j}$ by writing $i = i_1 p^{r-1} + i_0$, $j = j_1 p^{r-1} + j_0$, (5) with $0 \le i_1, j_1 < p$ and $0 \le i_0, j_0 < p^{r-1}$. Since $p \cdot x = 0$, we have $(x + x^{-1})^j = (x + x^{-1})^{j_1 p^{r-1}} (x + x^{-1})^{j_0} = (x^{p^{r-1}} + x^{-p^{r-1}})^{j_1} (x + x^{-1})^{j_0} = (\sum_{k_1 \in \mathbb{Z}} l_{k_1,j_1} x^{k_1 p^{r-1}})(\sum_{k_0 \in \mathbb{Z}} l_{k_0}$... |

22 | A New Construction of Massey-Omura Parallel Multiplier over GF($2^m$) - Reyhani-Masoleh, Hasan - 2002 |

20 | Hardware and software normal basis arithmetic for pairing-based cryptography in characteristic three - Granger, Page, et al. - 2005

Citation Context ... matrix factorization for $L_{p^r}$ in Theorem 3. Using this factorization the map of a vector under the isomorphism $\nu_n$ can be computed using $O(n \log n)$ operations as will be shown later in Section 6. (7) (9) Theorem 3. For $r \ge 1$, we have $L_{p^r} = (I_1 \otimes B_r)(I_p \otimes B_{r-1}) \cdots (I_{p^{r-2}} \otimes B_2)(I_{p^{r-1}} \otimes B_1)$. (11) In order to multiply $L_{p^r}$ by a vector, we successively multiply the matrices in the factorization (11... |

15 | Algorithms for Exponentiation in Finite Fields - Gao, Gathen, et al. - 2000

Citation Context ...ifting matrices $\Theta_n = (\theta_{i,j})_{0 \le i,j < n} \in \mathbb{F}_p^{n \times n}$ and $\Psi_n = (\psi_{i,j})_{0 \le i,j < n} \in \mathbb{F}_p^{n \times n}$, respectively, are defined by the relations: $\theta_{i,j} = \begin{cases} 1 & \text{if } i + j = n, \\ 0 & \text{otherwise,} \end{cases}$ $\psi_{i,j} = \begin{cases} 1 & \text{if } j - i = 1, \\ 0 & \text{otherwise.} \end{cases}$ (3) [Fig. 2. (a) The matrix $\Theta_5$ and (b) the matrix $\Psi_5$.] As an example, $\Theta_5$ and $\Psi_5$ are shown in Figure 2, where the coefficients equal to 0 and 1 are represented by empty and filled boxes, respectively. L... |

7 | Efficient implementation of elliptic curve cryptography on FPGAs. 2007. Dissertation. http://hss.ulb.uni-bonn.de/diss online/math nat fak/2007 - Shokrollahi |

7 | Konstruktion von Normalbasen - Wassermann - 1990 |

6 | Efficient finite field basis conversion involving dual bases - Liskov - 1999

Citation Context ... Substituting all of these into (8) we have $(L_{p^r})_{i,j} = (L_p)_{i_1,j_1}(L_{p^{r-1}})_{i_0,j_0} + (\Psi_p L_p)_{i_1,j_1}(\Theta_{p^{r-1}} L_{p^{r-1}})_{i_0,j_0}$ which together with (5) shows that: $L_{p^r} = L_p \otimes L_{p^{r-1}} + (\Psi_p L_p) \otimes (\Theta_{p^{r-1}} L_{p^{r-1}})$. (10) It is straightforward, using Definition 4, to show that (10) is equivalent to (4). $\square$ This recursive relation resembles that for the DFT matrix in Chapter 1 of van Loan (1992) and enables us to find ... |

6 | Data Structures for Parallel Exponentiation in Finite Fields - Nöcker - 2001 |

5 | Gauss periods and fast exponentiation in finite fields - Gao, Gathen, et al. - 1995

Citation Context ... and $B^{(i_1,j_1)} = \begin{cases} \text{the zero block} & \text{if } i_1 > j_1, \\ \binom{j_1}{(j_1-i_1)/2}\, I_{p^{r-1}} & \text{if } i_1 \le j_1 \text{ and } j_1 - i_1 \text{ is even, and} \\ \binom{j_1}{(j_1-i_1-1)/2}\, \Theta_{p^{r-1}} & \text{otherwise.} \end{cases}$ Lemma 1. For $r \ge 1$, we have $L_{p^r} = B_r (I_p \otimes L_{p^{r-1}})$. (4) Proof. For $0 \le i, j < p^r$ we compute $(L_{p^r})_{i,j}$ by writing $i = i_1 p^{r-1} + i_0$, $j = j_1 p^{r-1} + j_0$, (5) with $0 \le i_1, j_1 < p$ and $0 \le i_0, j_0 < p^{r-1}$. Since $p \cdot x = 0$, we have $(x + x^{-1})^j = (x + x^{-1})^{j_1 p}$... |

5 | Constructing normal bases in finite fields - Gathen, G - 1989

Citation Context ...ce $p \cdot x = 0$, we have $(x + x^{-1})^j = (x + x^{-1})^{j_1 p^{r-1}} (x + x^{-1})^{j_0} = (x^{p^{r-1}} + x^{-p^{r-1}})^{j_1} (x + x^{-1})^{j_0} = (\sum_{k_1 \in \mathbb{Z}} l_{k_1,j_1} x^{k_1 p^{r-1}})(\sum_{k_0 \in \mathbb{Z}} l_{k_0,j_0} x^{k_0}) = \sum_{k_0,k_1 \in \mathbb{Z}} l_{k_1,j_1} l_{k_0,j_0} x^{k_1 p^{r-1} + k_0}$ (6) [Fig. 3. (a) the matrix $B_3$ and (b) the matrix $L_{27}$ for $p = 3$] where $l_{k,j}$ is as Definition 1 and is zero for $|k| > |j|$. For the coefficient of $x^i = x^{i_1 p^{r-1} + i_0}$, which is $(L_{p^r})_{i,j}$, we have:... |

5 | zur Gathen, “ FPGA Designs of parallel high performance - Grabbe, Bednara, et al. - 2003

Citation Context ... − t for some $t \in \mathbb{Z}$. In the above equation except for $t = -1, 0$ we have $|i_0 + t p^{r-1}| \ge |p^{r-1}| > |j_0|$ which means $l_{i_0 + t p^{r-1},\, j_0} = 0$, and hence $(L_{p^r})_{i,j} = l_{i_1,j_1} l_{i_0,j_0} + l_{i_1+1,j_1} l_{i_0 - p^{r-1},\, j_0}$, (8) in which $l_{i_1,j_1} = (L_p)_{i_1,j_1}$, $l_{i_0,j_0} = (L_{p^{r-1}})_{i_0,j_0}$, and $l_{i_1+1,j_1} = (\Psi_p L_p)_{i_1,j_1}$ according to the definition of $\Psi_p$. The value of $l_{i_0 - p^{r-1},\, j_0}$ can be replaced by $l_{p^{r-1} - i_0,\, j_0}$ because of the symmet... |

1 | Subquadratic multiplication using optimal normal bases - Fan, Hasan - 2006

Citation Context ...we call the permuted normal basis, is a permutation of $N$. Hence the normal basis representation of an element $a = \sum_{k=0}^{n-1} a_k^{(N)} (\beta^{q^k} + \beta^{-q^k}) \in \mathbb{F}_{q^n}$ can be written as $a = \sum_{l=1}^{n} a_l^{(N')} (\beta^l + \beta^{-l})$, (2) where $(a_l^{(N')})_{1 \le l \le n}$ is a permutation of $(a_k^{(N)})_{0 \le k < n}$, called the permuted normal representation of $a$. The $a_k^{(N)}$ and $a_l^{(N')}$ are elements of $\mathbb{F}_q$. 3 Multiplier Structure The structure o... |