1. Finite Field Basis Conversion Methods
Burt Kaliski, Yiqun Lisa Yin, and Moses Liskov
RSA Laboratories, RSA Data Security, Inc.
Public Key Solutions 99, April 12-14, 1999
2. RSA 1999 Outline
Background
General solution
More efficient algorithms
Conclusions
3. Background
A finite field is a finite set closed under addition and multiplication, in which every element has an additive inverse and every element except 0 has a multiplicative inverse
q elements, for a prime or prime power q
notation: GF(q) = Galois Field
Typical fields in cryptography:
GF(p), where p is a large prime
GF(2^m)
Extension field: GF(q^m)
4. Finite Field Representation
A basis for the finite field GF(q^m) over GF(q) is a set of elements $\beta_0, \ldots, \beta_{m-1}$ such that every element $A$ can be expressed uniquely as
$A = \sum_{i=0}^{m-1} B[i]\,\beta_i$
where $B[i] \in GF(q)$
5. Common Representations
Polynomial basis:
$1, \gamma, \gamma^2, \ldots, \gamma^{m-1}$
for some field element $\gamma$
Normal basis:
$\gamma, \gamma^q, \gamma^{q^2}, \ldots, \gamma^{q^{m-1}}$
Many special cases
e.g., trinomial (polynomial basis with a trinomial modulus), ONB (optimal normal basis)
6. Dual Bases
The dual basis of $\beta_0, \ldots, \beta_{m-1}$ with respect to a linear function h is the basis $\delta_0, \ldots, \delta_{m-1}$ such that
7. Basis Conversion Problem
Convert between two representations of a field element:
A[0], ..., A[m-1]: internal representation
B[0], ..., B[m-1]: external representation
$\sum_{i=0}^{m-1} A[i]\,\alpha_i = \sum_{i=0}^{m-1} B[i]\,\beta_i$
for bases $\alpha_0, \ldots, \alpha_{m-1}$ (internal) and $\beta_0, \ldots, \beta_{m-1}$ (external)
8. Why Does It Matter?
For interoperability, parties must have a common representation
e.g., public keys in certificates
intermediate values in cryptographic primitives, such as DSA, DH
But parties may choose different representations when implementing finite field arithmetic
9. Import vs. Export
Import: convert the external representation to the internal one; export: convert the internal representation to the external one
In both cases, ideally with field operations in the internal representation
take advantage of field arithmetic acceleration
10. General Solution
Let M be the $m \times m$ matrix whose columns are the internal representations of the external basis elements
Then
$A^T = M\,B^T$
$B^T = M^{-1} A^T$
where $A^T$, $B^T$ are column vectors containing the coefficients A[i], B[i]
11. Disadvantages
Matrix method requires storage for O(m^2) coefficients, which may be too large in some environments
e.g., m = 160 over GF(2) requires 160^2 bits = 3.2K bytes
Method involves coefficient operations, not primarily internal field operations
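The matrix method of slide 10, as an added example that is not code from the paper. The setting is an assumption chosen for illustration: GF(2^4) with internal polynomial basis 1, x, x^2, x^3 modulo x^4 + x + 1, and external polynomial basis 1, G, G^2, G^3 with G = x + 1. The internal representations of the four external basis elements (1, x+1, x^2+1, x^3+x^2+x+1) were worked out by hand and embedded as the constant W; everything else is GF(2) coefficient arithmetic only, which is exactly the slide's point about the method not using field operations.

```python
# Added example (not from the slides): the matrix method over GF(2).
# Assumed setting: GF(2^4), internal basis 1, x, x^2, x^3 mod x^4 + x + 1,
# external basis 1, G, G^2, G^3 with G = x + 1. Coefficient vectors are
# lists [c0, c1, c2, c3] where c_i multiplies basis element i.
# Internal representations of the external basis elements, computed by hand:
#   1 = 1,  G = x + 1,  G^2 = x^2 + 1,  G^3 = x^3 + x^2 + x + 1
W = [[1, 0, 0, 0], [1, 1, 0, 0], [1, 0, 1, 0], [1, 1, 1, 1]]


def conversion_matrix(W):
    """M whose column j is the internal representation of external basis element j."""
    m = len(W)
    return [[W[j][i] for j in range(m)] for i in range(m)]


def gf2_matvec(M, v):
    """Matrix-vector product over GF(2): coefficient operations, no field arithmetic."""
    return [sum(mij & vj for mij, vj in zip(row, v)) & 1 for row in M]


def gf2_inverse(M):
    """Gauss-Jordan elimination over GF(2); raises if M is singular (W is not a basis)."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular matrix: the external elements are not a basis")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


M = conversion_matrix(W)        # m x m coefficients of storage
M_INV = gf2_inverse(M)          # and another m x m for export


def import_matrix(B):
    """External coefficients B -> internal coefficients A:  A^T = M B^T."""
    return gf2_matvec(M, B)


def export_matrix(A):
    """Internal coefficients A -> external coefficients B:  B^T = M^-1 A^T."""
    return gf2_matvec(M_INV, A)


def matrix_storage_bytes(m, q_bits=1):
    """Storage for the m x m coefficient matrix, q_bits bits per coefficient."""
    return m * m * q_bits // 8


if __name__ == "__main__":
    print("x^3 in basis 1,G,G^2,G^3:", export_matrix([0, 0, 0, 1]))   # [1, 1, 1, 1]
    print("1 + G in basis 1,x,x^2,x^3:", import_matrix([1, 1, 0, 0]))  # [0, 1, 0, 0]
    print("m = 160 needs", matrix_storage_bytes(160), "bytes")          # 3200
```

Exporting x^3 yields [1, 1, 1, 1] because x^3 = 1 + G + G^2 + G^3 in this field (1 + (x+1) + (x^2+1) + (x^3+x^2+x+1) = x^3); importing [1, 1, 0, 0] gives the element x, since 1 + G = x. The two stored matrices are the O(m^2) cost the slide refers to.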
12. More Efficient Algorithms
Import and export algorithms
polynomial, normal, or dual of polynomial or normal external basis
any internal basis over GF(q)
Storage for O(m) coefficients
Primarily internal field operations
13. Internal Operations
Add, subtract: $A \pm T$
Multiply: $A \times T$
Exponentiate: $A^i$
Scalar multiply: $s \cdot T$, where $s \in GF(q)$
Coefficient select: A[i]
14. Four Approaches
Import algorithms
Generate-Accumulate
Shift-Insert
Export algorithms
Generate*-Evaluate
Shift-Extract
15. Import Algorithms
Input: B[0], ..., B[m-1], coefficients of external representation
Output: A, internal representation
where
$A = \sum_{i=0}^{m-1} B[i]\,W_i$
and $W_0, \ldots, W_{m-1}$ are the internal representations of the external basis elements
16. Generate-Accumulate Method
Generate $W_0, \ldots, W_{m-1}$
Accumulate the $B[i]\,W_i$ terms into A:
A ← 0
for i ← 0 to m-1
    A ← A + B[i] · W_i
endfor
17. Shift-Insert Method
Insert B[m-1] into A as the $W_0$ coefficient
Shift A up by one coefficient of the external representation
alternatively, rotate or shift down
Repeat for B[m-2], and so on, down to B[0]
See Kaliski-Yin, SAC 98
18-26. Shift-Insert Method / Shift-Insert Process (animated figure slides; no text recovered)
27. Import Requirements
Efficient generation of external basis or
Efficient external shifting
28. Export Algorithms
Input: A, internal representation
Output: B[0], ..., B[m-1], coefficients of external representation
where
$A = \sum_{i=0}^{m-1} B[i]\,W_i$
29. Generate*-Evaluate Method
Select a linear function h
Generate $X_0, \ldots, X_{m-1}$, the internal representations of the dual of the external basis $W_0, \ldots, W_{m-1}$ with respect to h
Evaluate h at $A X_i$ to get B[i] for each i
See e.g. Lidl-Niederreiter
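Why evaluating h at $A X_i$ returns exactly B[i] (added derivation, not on the slide; it uses the defining property of the dual basis as given in Lidl-Niederreiter, namely $h(W_j X_i) = 1$ if $i = j$ and $0$ otherwise):

$h(A X_i) = h\Big(\sum_{j=0}^{m-1} B[j]\, W_j X_i\Big) = \sum_{j=0}^{m-1} B[j]\, h(W_j X_i) = B[i]$

The second equality is linearity of h over GF(q), and the last is the dual-basis condition. The same identity with $V = X_0$ is what lets the Shift-Extract method read off the $W_0$ coefficient as $h(A V)$ at each step.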
30. Generate*-Evaluate Method (figure slide; no text recovered)
31. Shift-Extract Method
Extract the $W_0$ coefficient from A as B[0]
Shift A down by one coefficient of the external representation
alternatively, rotate or shift up
Repeat for B[1], and so on, up to B[m-1]
32-39. Shift-Extract Method / Shift-Extract Process (animated figure slides; no text recovered)
40. Export Requirements
Efficient generation of dual of external basis and evaluation or
Efficient external shifting and coefficient extraction
41. Some Tools
External shifting
External basis generation
Coefficient extraction and evaluation
42. External Shifting
Given the internal representation corresponding to
B[0], B[1], B[2], ..., B[m-1],
compute the internal representation of some shifted version:
0, B[0], B[1], ..., B[m-2] (shift up)
or B[1], B[2], ..., B[m-1], 0 (shift down)
or B[m-1], B[0], B[1], ..., B[m-2] (rotate up)
43. Polynomial Basis
Polynomial basis: $I, G, G^2, \ldots, G^{m-1}$ (I is the multiplicative identity)
$A = \sum_{i=0}^{m-1} B[i]\,G^i$
Shift up:
$A \leftarrow A \times G$
assuming B[m-1] = 0
Shift down:
$A \leftarrow (A - B[0] \cdot I) \times G^{-1}$
Rotation also possible
44. Normal Basis
Normal basis: $G, G^q, \ldots, G^{q^{m-1}}$
$A = \sum_{i=0}^{m-1} B[i]\,G^{q^i}$
Rotate up:
$A \leftarrow A^q$
Rotate down and shifting also possible
45. Dual of Polynomial Basis
Shift up, when h is $h_0$, the I-coefficient of the polynomial-basis representation:
$A \leftarrow A G^{-1} - h_0(A G^{-1}) \cdot I$
For other h, involves scaling
Rotation and shift down also possible
46. Dual of Normal Basis
Rotate up, when h is the G-coefficient of the normal-basis representation:
$A \leftarrow A^q \times X_1$, where $X_1$ is from the dual basis
For other h, involves scaling
Rotate down and shifting also possible
47. Generation by Shifting
An application of shifting: given $W_0$,
for i ← 1 to m-1
    $W_i$ ← shift($W_{i-1}$)
endfor
Sometimes basis generation is easier than shifting
48. External Basis Generation
For polynomial and normal bases, generation is straightforward
For dual of polynomial and dual of normal bases, generation can be done more efficiently
49. Coefficient Extraction & Evaluation
h is a linear function:
$h(A) = \sum_{i=0}^{m-1} s_i\, A[i]$
for some coefficients $s_0, \ldots, s_{m-1}$
Equivalently,
$h(A) = (A \times V)[0]$
for some field element V
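The four O(m)-storage methods of slides 15-31, together with the polynomial-basis shifting tool of slide 43 and coefficient extraction via a linear function h (slide 49), as one added example; this is illustrative code, not the paper's. Assumptions: GF(2^4) with internal polynomial basis 1, x, x^2, x^3 modulo x^4 + x + 1, elements held as 4-bit integers; external polynomial basis 1, G, G^2, G^3 with G = x + 1; and h chosen to be the trace, computed with field exponentiation rather than as a coefficient select. The dual basis is found here by exhaustive search over the 16 field elements, a demo-only setup step that stands in for the more efficient generation the slides mention; everything after that uses only the internal operations of slide 13 and holds O(m) field elements.

```python
# Added example, not the paper's code: O(m)-storage import/export for a
# polynomial external basis in GF(2^4). Assumptions: internal basis
# 1, x, x^2, x^3 mod f(x) = x^4 + x + 1, elements as 4-bit ints (bit i is the
# coefficient of x^i); external basis 1, G, G^2, G^3 with G = x + 1; h = trace.
M_DEG = 4
MODULUS = 0b10011   # f(x) = x^4 + x + 1
G = 0b0011          # x + 1, generator of the external polynomial basis


def gf_mul(a, b):
    """Internal field multiplication: shift-and-add, reducing by f(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M_DEG:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a):
    return gf_pow(a, (1 << M_DEG) - 2)     # a^(2^m - 2) = a^-1 for a != 0


def trace(a):
    """h(A) = Tr(A) = A + A^2 + A^4 + A^8: GF(2)-linear, value 0 or 1."""
    t, p = 0, a
    for _ in range(M_DEG):
        t, p = t ^ p, gf_mul(p, p)
    return t


def poly_basis(g):
    """Generate W_i = G^i, the internal representations of the external basis."""
    return [gf_pow(g, i) for i in range(M_DEG)]


def dual_basis(W, h=trace):
    """X_i with h(W_j X_i) = 1 if i == j else 0 (demo-only exhaustive search)."""
    X = []
    for i in range(M_DEG):
        for cand in range(1, 1 << M_DEG):
            if all(h(gf_mul(w, cand)) == int(i == j) for j, w in enumerate(W)):
                X.append(cand)
                break
        else:
            raise ValueError("h must be a nonzero linear function")
    return X


def import_generate_accumulate(B, W):
    a = 0
    for b, w in zip(B, W):
        if b:                       # scalar multiply by B[i] in GF(2), accumulate
            a ^= w
    return a


def import_shift_insert(B, g):
    """Insert B[m-1] as the W_0 = 1 coefficient, shift up (A <- A*G), repeat."""
    a = 0
    for b in reversed(B):
        a = gf_mul(a, g) ^ b
    return a


def export_generate_evaluate(a, X, h=trace):
    return [h(gf_mul(a, x)) for x in X]                # B[i] = h(A X_i)


def export_shift_extract(a, g, v, h=trace):
    """V = X_0, so h(A V) is the W_0 coefficient; shift down A <- (A - B[0]) G^-1."""
    g_inv, B = gf_inv(g), []
    for _ in range(M_DEG):
        b = h(gf_mul(a, v))
        B.append(b)
        a = gf_mul(a ^ b, g_inv)
    return B


def convert_both_ways(a):
    """Export A with both methods, import the result back with both; return B."""
    W = poly_basis(G)
    X = dual_basis(W)               # generated once: O(m) field elements of storage
    B = export_generate_evaluate(a, X)
    if B != export_shift_extract(a, G, X[0]):
        raise AssertionError("export methods disagree")
    if not a == import_generate_accumulate(B, W) == import_shift_insert(B, G):
        raise AssertionError("import does not invert export")
    return B


if __name__ == "__main__":
    print("x^3 in basis 1,G,G^2,G^3:", convert_both_ways(0b1000))   # [1, 1, 1, 1]
```

The Shift-Insert loop is Horner's rule in the field: each iteration costs one multiplication by G and one addition, matching the 2-4 field operations per iteration quoted later, and the only constants kept across iterations are G, G^-1 and V = X_0. Changing M_DEG, MODULUS and G is enough to run the same code over a larger GF(2^m), though the exhaustive dual-basis search would then have to be replaced.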
50. Summary
Four conversion approaches
each built on iterations of shifting or generation, and possibly extraction or evaluation
Efficient tools
shift, generate, extract/evaluate
internal field operations
low storage
polynomial, normal, and dual bases
51. Running Time
O(m) or O(m log q) field operations:
m iterations
2-4 field operations per iteration, plus exponentiation (for some bases)
10-20% overhead in elliptic curve cryptosystems
If field arithmetic is accelerated, may be faster than matrix method
52. Storage
O(m) coefficients:
1-2 constants, 2-3 variables, plus exponentiation storage (for some bases)
Substantial improvement over matrix method in some environments
53. Extensions
Multiple coefficients per iteration for shift methods
Other bases
Different ground-field representations
54. Conclusion
Storage-efficient and practical basis conversion
algorithms for polynomial and normal bases
extensions to other bases
Modest overhead for ECC operations
Result: interoperability in memory-constrained environments