Multiplication in Cyclotomic Rings and its Application to Finite Fields

A representation of finite fields that has proved useful when implementing finite field arithmetic in hardware is based on an isomorphism between subrings and fields. In this paper, we present a unified formulation for multiplication in cyclotomic r…

Authors: Francisco Argüello (Universidad de Santiago de Compostela, Spain)

Multiplication in Cyclotomic Rings and its Application to Finite Fields

Francisco Argüello
Dept. Electrónica y Computación, Universidad de Santiago de Compostela, 15782 Santiago de Compostela, Spain.
francisco.arguello@usc.es
August 17, 2018

Mailing address: Francisco Argüello, Dept. Electrónica y Computación, Universidad de Santiago de Compostela, 15782 Santiago de Compostela, Spain. Phone: +34 981 594488 ext. 13556. Fax: +34 981 528012.

Abstract

A representation of finite fields that has proved useful when implementing finite field arithmetic in hardware is based on an isomorphism between subrings and fields. In this paper, we present a unified formulation for multiplication in cyclotomic rings and cyclotomic fields in which most arithmetic operations are done on vectors. From this formulation we can generate optimized algorithms for multiplication. For example, one of the proposed algorithms requires approximately half the number of coordinate-level multiplications at the expense of extra coordinate-level additions. Our method is then applied to the finite fields GF(q^m) to further reduce the number of operations. We then present optimized algorithms for multiplication in finite fields with type-I and type-II optimal normal bases.

Keywords: Cyclotomic ring, Finite field, Galois field, Normal basis, Redundant basis, Multiplier.

1 Introduction

Recently, there has been a good deal of interest in developing hardware and software methods for implementing the finite field GF(q^m) arithmetic operations, particularly for cryptographic applications [1], [2], [3]. Multiplication in finite fields is a complicated and time-consuming operation that very much depends on how the field elements are represented.
A representation of finite fields that has proved useful when implementing finite field arithmetic in hardware is based on an isomorphism between subrings and fields. The main idea is to embed a field in a larger ring, perform multiplication there, and then convert the result back to the field. The ring used is referred to as cyclotomic, because it has an extremely simple basis whose elements form a cyclic group. Because the dimension of the ring is higher than that of the field, this representation is referred to as redundant. With the design of efficient arithmetic circuits in mind, it is desirable to find the ring of lowest dimension with the property that the finite field is contained in the ring. This way of representing finite fields has been explored by various authors [4], [5], [6], [7], [8], [9], [10]. Drolet [5] represents the finite field GF(2^m) as a subring of the cyclotomic ring GF(2)[x]/(x^n + 1), with the integer n chosen in such a way that x^n + 1 ∈ GF(2)[x] contains an irreducible factor of degree m. He shows that this ring representation of the elements of the finite field satisfies a generalized Massey-Omura condition and that the square of an element can be obtained by applying a specific permutation to the bits of the word representing it. In this line, Geiselmann et al. [6] characterize the smallest n such that GF(2)[x]/(x^n + 1) contains an isomorphic copy of GF(2^m). Some redundant bases can be easily introduced by the normal bases generated with the help of a Gauss period [11], [12]. Gao et al. [7], [8] use Gauss periods for embedding the elements of the finite field in a cyclotomic field and, by doing so, they can find the relation/conversion between the redundant basis and the normal basis. This conversion can be done in hardware at almost no cost.

There are two types of normal bases generated by Gauss periods with minimal complexity, usually called optimal normal bases (ONBs) of type-I and type-II, respectively. When an ONB exists, a very simple and highly regular multiplier architecture can be obtained using the redundant representation. Recently, Wu et al. [10] have made this idea more explicit and presented architectures that are suitable for hardware implementation. The basic idea is to embed the finite field GF(2^m) in the smallest splitting field of x^n + 1 over GF(2) and do the arithmetic in this cyclotomic field.

In this paper, we first present a unified formulation for multiplication in cyclotomic rings and cyclotomic fields in which most arithmetic operations are done on vectors. The method is quite generic in the sense that it is not restricted to any special type of ground field. Our algorithms are then applied to the finite fields GF(q^m) with q prime to further reduce the number of operations.

The rest of this paper is organized as follows. In the next section, we briefly review cyclotomic rings and fields. In Section 3, we derive a formulation for multiplication in generic cyclotomic rings/fields. We also give the computational complexity of the algorithms in terms of the coordinate-level operations needed. In Section 4, we apply the method to finite fields and then adapt it to two special classes of bases, namely the type-I and type-II ONBs. Finally, we make a few concluding remarks in Section 5.

2 Cyclotomic Rings and Fields

2.1 Cyclotomic rings

Let F be a field. The set of polynomials with coefficients in the field, F[x], with the usual operations of addition and multiplication of polynomials forms a ring. We can also consider the ring of the polynomials modulo a polynomial p(x).
If we let β be the residue class of x, then the elements of F[x]/p(x) can be represented in the form

$$A = a_0 + a_1\beta + a_2\beta^2 + \cdots + a_{n-1}\beta^{n-1}, \qquad a_i \in F, \tag{1}$$

where n is the degree of p(x). That is, the elements $1, \beta, \beta^2, \ldots, \beta^{n-1}$ form a true basis for F[x]/p(x). If the arithmetic is done modulo the polynomial $x^n - 1$ then one obtains the n-th cyclotomic ring $F[x]/(x^n - 1)$. Since a cyclotomic ring satisfies $\beta^n = 1$, the elements $1, \beta, \beta^2, \ldots, \beta^{n-1}$ form a cyclic group of order n with the following multiplication table:

$$\beta \cdot \beta^i = \begin{cases} \beta^{i+1} & \text{if } 0 \le i < n-1 \\ 1 & \text{if } i = n-1. \end{cases} \tag{2}$$

As mentioned in the introduction, the key idea of the representation of GF(q^m) considered in [5], [6] is to represent the field GF(q^m) as a subring of $GF(q)[x]/(x^n - 1)$ with $n \ge m$ and do the arithmetic operations over the ring.

Example 1. With the usual addition and multiplication in $GF(2)[x]/(x^3 + 1)$, the residue classes $0$, $\beta + 1$, $\beta^2 + 1$ and $\beta^2 + \beta$ form a subring of $GF(2)[x]/(x^3 + 1)$ that is isomorphic to GF(2^2). The residue class $\beta^2 + \beta$ serves as the multiplicative identity in the subring.

2.2 Cyclotomic fields

On the other hand, the n-th cyclotomic field [10] over the field F, denoted $F^{(n)}$, is defined to be the splitting field of $x^n - 1$ over F. Let β be a primitive n-th root of unity in some extension of F. Then the elements $1, \beta, \beta^2, \ldots, \beta^{n-1}$ form a cyclic group of order n with the multiplication table (2). $F^{(n)}$ is obtained by adjoining the elements generated by β to F. We may consider the basis $[1, \beta, \beta^2, \ldots, \beta^{n-1}]$ and write elements of $F^{(n)}$ in the form (1). Since a cyclotomic field satisfies the equation

$$1 + \beta + \beta^2 + \cdots + \beta^{n-1} = 0, \tag{3}$$

the representation is not unique, that is, each n-tuple $(a_0, a_1, \ldots, a_{n-1})$, $a_i \in F$, gives an element of $F^{(n)}$, but different tuples may give the same element. For example, by (3) the two n-tuples $(a_0, a_1, \ldots, a_{n-1})$ and $(a_0 + k, a_1 + k, \ldots, a_{n-1} + k)$, $k \in F$, both represent the same element.

Example 2. If Q is the field of rational numbers and n = 3, then the cyclotomic field $Q^{(3)}$ can be obtained by adjoining a primitive cube root of unity β, say $\beta = (-1 + i\sqrt{3})/2$, to the rational numbers Q, and the elements of $Q^{(3)}$ can be written as $A = a_0 + a_1\beta + a_2\beta^2$. Note that equation (3) is satisfied, so this representation is redundant: we can also write $A = b_0 + b_1 i\sqrt{3}$.

As mentioned in the introduction, the basic idea in [10] is to embed the finite field GF(q^m) in the smallest splitting field of $x^n - 1$ over GF(q) and do the arithmetic in this cyclotomic field. Some examples are the redundant bases which can be generated with the help of Gauss periods [12]. If there exists a normal basis $[\gamma^{q^0}, \gamma^{q^1}, \ldots, \gamma^{q^{m-1}}]$ generated by a Gauss period of type (m, k), then this normal basis can be expressed in terms of the redundant basis $[\beta^0, \beta^1, \ldots, \beta^{n-1}]$ as

$$[\gamma^{q^0}, \gamma^{q^1}, \ldots, \gamma^{q^{m-1}}] = \left[\sum_{i=0}^{k-1} \beta^{q^0\alpha^i},\ \sum_{i=0}^{k-1} \beta^{q^1\alpha^i},\ \ldots,\ \sum_{i=0}^{k-1} \beta^{q^{m-1}\alpha^i}\right], \tag{4}$$

where $n = mk + 1$, α is an element of order k of $\mathbb{Z}_n^{\times}$, and β satisfies, by construction, equations (2) and (3).

2.3 Multiplication

Let any two elements A, B be represented in the form (1), i.e., $A = \sum_{i=0}^{n-1} a_i\beta^i$ and $B = \sum_{i=0}^{n-1} b_i\beta^i$. Since $\beta^n = 1$ (which holds in both cyclotomic rings and cyclotomic fields), the product C = AB can be written as

$$C = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1} a_i b_j \beta^{i+j} = \sum_{j=0}^{n-1}\left(\sum_{i=0}^{n-1} a_i b_{j-i}\right)\beta^j, \tag{5}$$

where the subscript $j - i$ must be read modulo n (i.e., $a_{n+k} \to a_k$ and $a_{-k} \to a_{n-k}$).
Then the coordinates of C can be calculated by

$$c_j = \sum_{i=0}^{n-1} a_i b_{j-i}, \qquad 0 \le j < n. \tag{6}$$

The resulting algorithm is suitable for a bit-level hardware implementation [10].

3 Algorithm for Multiplication

In this section, we introduce a vector-level algorithm which essentially eliminates the bit-wide inner products needed by a direct implementation of equation (6). We start from equation (5) and, using a technique similar to that of [15], write a separate sum with the terms which have equal coordinate indexes,

$$C = \sum_{i=0}^{n-1}\sum_{j=0}^{n-1} a_i b_j \beta^{i+j} = \sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{\substack{j=0 \\ j \ne i}}^{n-1} a_i b_j \beta^{i+j} \tag{7}$$

$$= \sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{k=1}^{n-1} a_i b_{i+k} \beta^{2i+k}. \tag{8}$$

In the last expression we have used that $\beta^{2i+k} = \beta^{2i+k-n}$ for $2i + k \ge n$, and the subscripts must be read modulo n. Denoting $v = \lfloor (n-1)/2 \rfloor$ and since the multiplication matrix is symmetric, we can write

$$C = \sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{j=1}^{v} (a_i b_{i+j} + a_{i+j} b_i)\beta^{2i+j} + V, \tag{9}$$

where

$$V = \begin{cases} \displaystyle\sum_{i=0}^{n-1} a_i b_{i+n/2}\,\beta^{2i+n/2} = \sum_{i=0}^{v}(a_i b_{i+n/2} + a_{i+n/2} b_i)\,\beta^{2i+n/2} & \text{if } n \text{ even} \\[1.2em] 0 & \text{if } n \text{ odd.}\end{cases} \tag{10}$$

This equation can be rewritten if we add and subtract the term (for n odd)

$$\sum_{i=0}^{n-1}\sum_{j=1}^{v} a_i b_i\,\beta^{2i+j} + \sum_{i=0}^{n-1}\sum_{j=1}^{v} a_{i+j} b_{i+j}\,\beta^{2i+j}. \tag{11}$$

The last sum can be re-indexed ($i \to i - j$ turns it into $\sum_i\sum_j a_i b_i\,\beta^{2i-j}$, so that (11) equals $W\sum_i a_i b_i\beta^{2i}$ with W as defined below), and then one can verify that

$$C = (1 - W)\sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{j=1}^{v}(a_i + a_{i+j})(b_i + b_{i+j})\,\beta^{2i+j} + Z, \tag{12}$$

where

$$W = \begin{cases}\displaystyle\sum_{j=1}^{v}\left(\beta^j + \beta^{-j}\right) + \beta^{n/2} & \text{if } n \text{ even} \\[1.2em] \displaystyle\sum_{j=1}^{v}\left(\beta^j + \beta^{-j}\right) & \text{if } n \text{ odd,}\end{cases} \tag{13}$$

and

$$Z = \begin{cases}\displaystyle\sum_{i=0}^{v}(a_i + a_{i+n/2})(b_i + b_{i+n/2})\,\beta^{2i+n/2} & \text{if } n \text{ even} \\[1.2em] 0 & \text{if } n \text{ odd.}\end{cases} \tag{14}$$

We can also write $W = \sum_{j=1}^{n-1}\beta^j$. Let $A = \sum_{i=0}^{n-1} a_i\beta^i$ be any ring element. Then one can verify (the coefficient of $\beta^k$ in AW is $\sum_{i \ne k} a_i = p - a_k$) that

$$A(1 - W) = \sum_{i=0}^{n-1}(2a_i - p)\,\beta^i, \qquad \text{with } p = \sum_{j=0}^{n-1} a_j. \tag{15}$$

Applying this expression to (12) and using a bit of algebra, we obtain

$$C = x\sum_{i=0}^{n-1}\beta^i + 2\sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{j=1}^{v}(a_i + a_{i+j})(b_i + b_{i+j})\,\beta^{2i+j} + Z, \tag{16}$$

with $x = -\sum_{j=0}^{n-1} a_j b_j$. This equation applies to both cyclotomic fields and cyclotomic rings and to any ground field F. In the case of cyclotomic fields, we can apply the supplementary relation (3). So, in this case, we obtain the equation

$$C = 2\sum_{i=0}^{n-1} a_i b_i \beta^{2i} + \sum_{i=0}^{n-1}\sum_{j=1}^{v}(a_i + a_{i+j})(b_i + b_{i+j})\,\beta^{2i+j} + Z. \tag{17}$$

Equations (9), (16) and (17) are the final results. In the next section, we will see how to obtain a vector-level algorithm from these equations.

| Multiplier | #Mult | #Doub | #Add | Total |
|---|---|---|---|---|
| Eqs. (9), (18), rings and fields | $n^2$ | 0 | $(n-1)n$ | $2n^2 - n$ |
| Eqs. (16), (19), rings (general) | $(n+1)n/2$ | $n$ | $(3n+1)n/2 - 1$ | $2n^2 + 2n - 1$ |
| Eqs. (16), (19), rings (GF(2)) | $(n+1)n/2$ | 0 | $(3n-1)n/2 - 1$ | $2n^2 - 1$ |
| Eqs. (17), (20), fields (general) | $(n+1)n/2$ | $n$ | $3(n-1)n/2$ | $2n^2$ |
| Eqs. (17), (20), fields (GF(2)) | $(n-1)n/2$ | 0 | $(3n-5)n/2$ | $2n^2 - 3n$ |
| Direct [5], [6] | $n^2$ | 0 | $(n-1)n$ | $2n^2 - n$ |

Table 1: Comparison of cyclotomic ring/field multipliers (coordinate-level multiplications, doublings and additions).

Table 1 compares the number of coordinate-level operations of the obtained equations with that of a direct implementation of equation (6) (for example, figures 1.a and 1.b of [5], [6], [10]). Equation (9) requires the same number of multiplications and additions as the direct implementation. On the other hand, equations (16) and (17) require approximately half the number of coordinate-level multiplications. Although this is achieved at the expense of extra coordinate-level additions, the total number of operations is only slightly higher than that of the direct implementation.
Hence, these equations are advantageous for ground fields in which multiplication is more costly than addition. In the particular case where the ground field is GF(2), the number of operations is slightly lower because $2a_i b_i = 0$. In this case, equation (17) requires the lowest number of operations.

4 Application to finite fields

Finally, we restrict ourselves to the particular case of n odd (for example, for finite fields GF(q) with q prime or a power of a prime). In this case, and for both cyclotomic rings and cyclotomic fields, equation (9) can be written as

$$C = \sum_{i=0}^{n-1}\left\{a_i b_i + \sum_{j=1}^{v}\left(a_{i+j} b_{i-j} + b_{i+j} a_{i-j}\right)\right\}\beta^{2i}, \tag{18}$$

where we have made the change of variables $i \to i + j$, $j \to -2j$. Moreover, for cyclotomic rings, equation (16) simplifies to

$$C = \sum_{i=0}^{n-1}\left\{x + 2a_i b_i + \sum_{j=1}^{v}\left(a_{i+j} + a_{i-j}\right)\left(b_{i+j} + b_{i-j}\right)\right\}\beta^{2i}, \tag{19}$$

with $x = -\sum_{j=0}^{n-1} a_j b_j$ and $v = (n-1)/2$. Lastly, for cyclotomic fields, equation (17) simplifies to

$$C = \sum_{i=0}^{n-1}\left\{2a_i b_i + \sum_{j=1}^{v}\left(a_{i+j} + a_{i-j}\right)\left(b_{i+j} + b_{i-j}\right)\right\}\beta^{2i}, \tag{20}$$

where, in the particular case of modulo 2 arithmetic, for example GF(2), $2a_i b_i = 0$. From these equations we can develop algorithms in which most arithmetic operations are done on vectors instead of bits. We can make the following observations:

- The index i runs over all coordinates of the operands, and consequently the operations of multiplication and addition can be done on vectors.
- The subscript $i + k$ represents a cyclic shift of k positions with respect to the reference index i. It is found in the coordinates $a_{i+j}$ and $a_{i-j}$.
- The square of the basis ($\beta^{2i}$) can simply be performed with a permutation, since for n odd we can write

$$\beta^{2i}\Big|_{i=0}^{n-1} = \left[1, \beta^2, \beta^4, \ldots, \beta^{2(n-2)}, \beta^{2(n-1)}\right] = \left[1, \beta^2, \beta^4, \ldots, \beta^{n-1}, \beta, \beta^3, \ldots, \beta^{n-2}\right]. \tag{21}$$

In this last expression, since $\beta^n = 1$, we have applied $\beta^{2j} = \beta^{2j-n}$ if $2j \ge n$. Besides, the inverse permutation represents the realization of a square root operation.

Table 2 shows the data-flow of the coordinates of the variable A during the computation of equation (20). In this table, we can see the cyclic shifts which have to be done in each cycle and the final permutation for obtaining C = AB. If this final permutation is not done, we obtain $D = \sqrt{AB}$. Thus, from equation (18) we have the following algorithm, in which $S_A^{+}$ and $S_A^{-}$ hold the copies of A shifted by $+j$ and $-j$ positions (coordinates $a_{i+j}$ and $a_{i-j}$), and likewise $S_B^{+}$ and $S_B^{-}$ for B.

Algorithm 1. Multiplication over cyclotomic rings and fields with n odd (equation (18)).
Input: A, B
Output: $D = \sqrt{AB}$, C = AB

1. Initialize $S_A^{+} = S_A^{-} = A$, $S_B^{+} = S_B^{-} = B$, $v = (n-1)/2$
2. $D = A \odot B$
3. For j = 1 to v {
4. $S_A^{+} \ll 1$, $S_A^{-} \gg 1$, $S_B^{+} \ll 1$, $S_B^{-} \gg 1$
5. $R = (S_A^{+} \odot S_B^{-}) \oplus (S_B^{+} \odot S_A^{-})$
6. $D = D \oplus R$ }
7. $C = \mathrm{sqrt\_perm}(D)$.

| | i=0 | i=1 | i=2 | i=3 | i=4 | i=5 | i=6 |
|---|---|---|---|---|---|---|---|
| j=1, $A \ll 1$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_0$ |
| j=1, $A \gg 1$ (added) | $a_6$ | $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ |
| j=2, $A \ll 2$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_0$ | $a_1$ |
| j=2, $A \gg 2$ (added) | $a_5$ | $a_6$ | $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ |
| j=3, $A \ll 3$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_0$ | $a_1$ | $a_2$ |
| j=3, $A \gg 3$ (added) | $a_4$ | $a_5$ | $a_6$ | $a_0$ | $a_1$ | $a_2$ | $a_3$ |
| $D = \sqrt{AB}$ | $d_0$ | $d_1$ | $d_2$ | $d_3$ | $d_4$ | $d_5$ | $d_6$ |
| C = AB | $c_0$ | $c_2$ | $c_4$ | $c_6$ | $c_1$ | $c_3$ | $c_5$ |

Table 2: Data-flow of the coordinates of A during the computation of equation (20) for C = AB and $D = \sqrt{AB}$ with n = 7.

From equations (19) and (20) we obtain the following algorithm.

Algorithm 2. Multiplication over cyclotomic rings (equation (19)) and cyclotomic fields (equation (20)) with n odd.
Input: A, B
Output: $D = \sqrt{AB}$, C = AB

1. Initialize $S_A^{+} = S_A^{-} = A$, $S_B^{+} = S_B^{-} = B$, $v = (n-1)/2$
2. $D = A \odot B$
// Lines 3 and 5 apply only to cyclotomic rings
3. $x = -\sum_{i=0}^{n-1} d_i$
4. $D = 2D$
5. $D = D \oplus (x, \ldots, x)$
6. For j = 1 to v {
7. $S_A^{+} \ll 1$, $S_A^{-} \gg 1$, $S_B^{+} \ll 1$, $S_B^{-} \gg 1$
8. $R = (S_A^{+} \oplus S_A^{-}) \odot (S_B^{+} \oplus S_B^{-})$
9. $D = D \oplus R$ }
10. $C = \mathrm{sqrt\_perm}(D)$.
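The two algorithms above, as an added example (this is not code from the paper): a vector-level implementation of equation (6) as the reference, of Algorithm 1 (equation (18)) and of Algorithm 2 (equation (19) for the ring and (20) for the cyclotomic field), over a ground field GF(p) with p prime. Coordinates are Python integers reduced modulo p, the four shifted registers are realised with cyclic rotations, `sqrt_perm` is the permutation (21), and the function names are this example's own. The ring variant must agree with (6) exactly; the field variant of Algorithm 2 drops the constant term $x\sum_i\beta^i$, so its result may differ from (6) by a constant vector, which relation (3) makes the same field element. That is the identity $\sum_{j=1}^{v}(a_{i+j}b_{i+j} + a_{i-j}b_{i-j}) = \sum_k a_k b_k - a_i b_i$ at work, and the randomized check at the end exercises it for n = 5, 7, 9 and p = 2, 3, 5.

```python
"""Vector-level multiplication in F[x]/(x^n - 1), n odd, F = GF(p).

Added example, not code from the paper. An element A = sum_i a_i beta^i is
the list [a_0, ..., a_{n-1}] of integers mod p.
"""
from random import Random


def mul_direct(a, b, p):
    """Eq. (6): c_j = sum_i a_i b_{j-i} (indices mod n), the cyclic convolution."""
    n = len(a)
    return [sum(a[i] * b[(j - i) % n] for i in range(n)) % p for j in range(n)]


def rot(x, k):
    """Cyclic shift by k positions: result[i] = x[(i + k) mod n] (k may be negative)."""
    n = len(x)
    return [x[(i + k) % n] for i in range(n)]


def sqrt_perm(d, p):
    """Permutation (21): c_{2i mod n} = d_i.  D is the 'square root' of C."""
    n = len(d)
    c = [0] * n
    for i in range(n):
        c[(2 * i) % n] = d[i] % p
    return c


def mul_alg1(a, b, p):
    """Algorithm 1 / eq. (18): n^2 coordinate products, all on whole vectors."""
    n = len(a)
    assert n % 2 == 1, "the n-odd formulation of Section 4 is used"
    v = (n - 1) // 2
    d = [(x * y) % p for x, y in zip(a, b)]                  # a_i b_i
    for j in range(1, v + 1):
        a_plus, a_minus = rot(a, j), rot(a, -j)              # a_{i+j}, a_{i-j}
        b_plus, b_minus = rot(b, j), rot(b, -j)              # b_{i+j}, b_{i-j}
        for i in range(n):
            d[i] = (d[i] + a_plus[i] * b_minus[i] + b_plus[i] * a_minus[i]) % p
    return sqrt_perm(d, p)


def mul_alg2(a, b, p, field=False):
    """Algorithm 2: eq. (19) in the ring (field=False) or eq. (20) in the
    cyclotomic field (field=True); about n^2/2 coordinate products."""
    n = len(a)
    assert n % 2 == 1
    v = (n - 1) // 2
    d = [(x * y) % p for x, y in zip(a, b)]                  # a_i b_i
    x = (-sum(d)) % p                                        # x = -sum_j a_j b_j
    d = [(2 * t) % p for t in d]                             # 2 a_i b_i
    if not field:
        d = [(t + x) % p for t in d]                         # ring only: add (x, ..., x)
    for j in range(1, v + 1):
        sa = [(u + w) % p for u, w in zip(rot(a, j), rot(a, -j))]   # a_{i+j} + a_{i-j}
        sb = [(u + w) % p for u, w in zip(rot(b, j), rot(b, -j))]   # b_{i+j} + b_{i-j}
        d = [(t + u * w) % p for t, u, w in zip(d, sa, sb)]
    return sqrt_perm(d, p)


def same_field_element(c1, c2, p):
    """Relation (3) identifies (a_i) with (a_i + k): two coordinate vectors
    denote the same element of the cyclotomic field iff they differ by a constant."""
    return len({(u - w) % p for u, w in zip(c1, c2)}) == 1


def check(n, p, trials=200, seed=1):
    """Compare both algorithms against eq. (6) on random operands over GF(p)."""
    rng = Random(seed)
    for _ in range(trials):
        a = [rng.randrange(p) for _ in range(n)]
        b = [rng.randrange(p) for _ in range(n)]
        ref = mul_direct(a, b, p)
        if mul_alg1(a, b, p) != ref or mul_alg2(a, b, p) != ref:
            return False                                     # ring: exact equality
        if not same_field_element(mul_alg2(a, b, p, field=True), ref, p):
            return False                                     # field: equal mod (3)
    return True


if __name__ == "__main__":
    for n, p in ((5, 2), (7, 2), (5, 3), (9, 5)):
        print(n, p, check(n, p))
```

For n = 3 over GF(2) the call `mul_alg2([1, 1, 0], [1, 0, 1], 2)` reproduces column by column the data-flow of Table 3(b) (the ring case of Example 3); with `field=True` the result is the same element of GF(2)^(3) written in different coordinates.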
(a) Algorithm 1

| | i=0 | i=1 | i=2 |
|---|---|---|---|
| | $a_0 b_0$ | $a_1 b_1$ | $a_2 b_2$ |
| j=1 | $+(a_1 b_2 + b_1 a_2)$ | $+(a_2 b_0 + b_2 a_0)$ | $+(a_0 b_1 + b_0 a_1)$ |
| C = AB | $= c_0$ | $= c_2$ | $= c_1$ |

(b) Algorithm 2, with $x = a_0 b_0 + a_1 b_1 + a_2 b_2$ (over GF(2), $-x = x$)

| | i=0 | i=1 | i=2 |
|---|---|---|---|
| | $x$ | $x$ | $x$ |
| j=1 | $+(a_1 + a_2)(b_1 + b_2)$ | $+(a_2 + a_0)(b_2 + b_0)$ | $+(a_0 + a_1)(b_0 + b_1)$ |
| C = AB | $= c_0$ | $= c_2$ | $= c_1$ |

Table 3: Multiplication in a cyclotomic ring (Example 3). (a) Algorithm 1. (b) Algorithm 2.

In the above algorithms, $\odot$ and $\oplus$ denote coordinate-wise operations, for example $A \odot B = (a_0 b_0, a_1 b_1, \ldots, a_{n-1} b_{n-1})$; the symbols $\ll$ and $\gg$ denote cyclic shifts, and $C = \mathrm{sqrt\_perm}(D)$ denotes the permutation of coordinates given by $c_{2i \bmod n} = d_i$, $0 \le i < n$.

Next, we apply the above algorithms to multiplication in the finite field GF(q^m). Three cases are considered: the general case (cyclotomic rings), and the two particular cases of finite fields with type-I and type-II ONBs.

A) Cyclotomic rings

This is the more general case (fields are rings with multiplicative inverses) and so we must use Algorithm 1 or Algorithm 2 in full.

Example 3. GF(2^2) is isomorphic to a subring of $GF(2)[x]/(x^3 + 1)$ and so a finite field element can be written in the redundant representation as $A = a_0 + a_1\beta + a_2\beta^2$. An isomorphism is given by the embedding $0 \to 0$, $1 \to \beta + \beta^2$, $\alpha \to 1 + \beta$ and $1 + \alpha \to 1 + \beta^2$, where the former is an element of GF(2^2) in polynomial representation and the latter a ring element. Table 3 shows the operations that must be done in a multiplication when using this redundant representation.

B) ONB-I

Some cyclotomic fields can be easily introduced by the normal bases generated by Gauss periods and, by doing so, one can find the relation/conversion between the redundant basis and the normal basis. In these cases, we can use Algorithms 1 and 2 (the latter without lines 3 and 5).
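Before the ONB cases, the cyclotomic-ring case A) above, i.e. Example 1 and Example 3, as an added example (not code from the paper): the four residue classes $0$, $\beta+1$, $\beta^2+1$, $\beta^2+\beta$ of $GF(2)[x]/(x^3+1)$ are shown to be closed under ring addition and multiplication, $\beta^2+\beta$ is shown to act as the identity on them, and the embedding of Example 3 is checked to be a ring isomorphism from GF(2^2), modelled as $GF(2)[\alpha]/(\alpha^2+\alpha+1)$, onto that subring. The ring product is the cyclic convolution (6) reduced modulo 2; the tuple layout and function names are assumptions of this example.

```python
"""GF(2^2) as a subring of GF(2)[x]/(x^3 + 1) (Examples 1 and 3).
Added example, not code from the paper."""

N = 3                                        # the ring is GF(2)[x]/(x^3 + 1)


def ring_mul(a, b):
    """Product in GF(2)[x]/(x^3 + 1): cyclic convolution mod 2, eq. (6)."""
    return tuple(sum(a[i] * b[(j - i) % N] for i in range(N)) % 2 for j in range(N))


def ring_add(a, b):
    """Coordinate-wise addition mod 2."""
    return tuple((u + w) % 2 for u, w in zip(a, b))


# GF(4) = GF(2)[alpha]/(alpha^2 + alpha + 1); element e0 + e1*alpha is (e0, e1).
def gf4_mul(u, w):
    c0 = u[0] * w[0]                          # constant term
    c1 = u[0] * w[1] + u[1] * w[0]            # alpha term
    c2 = u[1] * w[1]                          # alpha^2 = alpha + 1, folded below
    return ((c0 + c2) % 2, (c1 + c2) % 2)


def gf4_add(u, w):
    return ((u[0] + w[0]) % 2, (u[1] + w[1]) % 2)


# Embedding of Example 3: value is (a_0, a_1, a_2) for a_0 + a_1*beta + a_2*beta^2.
EMBED = {
    (0, 0): (0, 0, 0),   # 0         -> 0
    (1, 0): (0, 1, 1),   # 1         -> beta + beta^2   (the subring's identity)
    (0, 1): (1, 1, 0),   # alpha     -> 1 + beta
    (1, 1): (1, 0, 1),   # 1 + alpha -> 1 + beta^2
}


def subring_closed():
    """The four images form a subring of the cyclotomic ring, and beta + beta^2
    is its multiplicative identity (Example 1)."""
    S = set(EMBED.values())
    one = EMBED[(1, 0)]
    closed = all(ring_mul(a, b) in S and ring_add(a, b) in S for a in S for b in S)
    return closed and all(ring_mul(one, a) == a for a in S)


def embedding_is_isomorphism():
    """phi(u*w) == phi(u)*phi(w) and phi(u+w) == phi(u)+phi(w) on all of GF(4)."""
    return all(
        EMBED[gf4_mul(u, w)] == ring_mul(EMBED[u], EMBED[w])
        and EMBED[gf4_add(u, w)] == ring_add(EMBED[u], EMBED[w])
        for u in EMBED for w in EMBED
    )


def mul_in_redundant_rep(u, w):
    """Multiply two GF(4) elements by embedding, multiplying in the ring, and
    mapping back (the 'embed, multiply, convert back' idea of the introduction)."""
    back = {v: k for k, v in EMBED.items()}
    return back[ring_mul(EMBED[u], EMBED[w])]
```

Note that the ring itself is not a field: $1 + \beta$ times $1 + \beta + \beta^2$ is $1 + \beta^3 = 0$ in $GF(2)[x]/(x^3+1)$, which is why only the subring, not the whole ring, carries the field structure.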
(a) Algorithm 1

| | i=0 | i=1 | i=2 | i=3 | i=4 |
|---|---|---|---|---|---|
| | $a_0 b_0$ | $a_1 b_1$ | $a_2 b_2$ | $a_3 b_3$ | $a_4 b_4$ |
| j=1 | $+(a_1 b_4 + b_1 a_4)$ | $+(a_2 b_0 + b_2 a_0)$ | $+(a_3 b_1 + b_3 a_1)$ | $+(a_4 b_2 + b_4 a_2)$ | $+(a_0 b_3 + b_0 a_3)$ |
| j=2 | $+(a_2 b_3 + b_2 a_3)$ | $+(a_3 b_4 + b_3 a_4)$ | $+(a_4 b_0 + b_4 a_0)$ | $+(a_0 b_1 + b_0 a_1)$ | $+(a_1 b_2 + b_1 a_2)$ |
| C = AB | $= c_0$ | $= c_2$ | $= c_4$ | $= c_1$ | $= c_3$ |

(b) Algorithm 2

| | i=0 | i=1 | i=2 | i=3 | i=4 |
|---|---|---|---|---|---|
| j=1 | $(a_1 + a_4)(b_1 + b_4)$ | $(a_2 + a_0)(b_2 + b_0)$ | $(a_3 + a_1)(b_3 + b_1)$ | $(a_4 + a_2)(b_4 + b_2)$ | $(a_0 + a_3)(b_0 + b_3)$ |
| j=2 | $+(a_2 + a_3)(b_2 + b_3)$ | $+(a_3 + a_4)(b_3 + b_4)$ | $+(a_4 + a_0)(b_4 + b_0)$ | $+(a_0 + a_1)(b_0 + b_1)$ | $+(a_1 + a_2)(b_1 + b_2)$ |
| C = AB | $= c_0$ | $= c_2$ | $= c_4$ | $= c_1$ | $= c_3$ |

Table 4: Multiplication in a type-I ONB (Example 4). (a) Algorithm 1. (b) Algorithm 2.

A type-I ONB can always be generated by a Gauss period of type (m, 1). This case is considered in [7], [8], [9], [10], [13], [14], [15], [16], [18]. Here $n = m + 1$, and a basis for GF(q^m) is $[\beta, \beta^2, \ldots, \beta^m]$ (which is a permutation of the normal basis $[\beta^{q^0}, \beta^{q^1}, \ldots, \beta^{q^{m-1}}]$). The correspondence between finite field elements and cyclotomic field elements is given by

$$a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m \ \longrightarrow\ 0 \cdot 1 + a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m,$$
$$(a_1 - a_0)\beta + (a_2 - a_0)\beta^2 + \cdots + (a_m - a_0)\beta^m \ \longleftarrow\ a_0 \cdot 1 + a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m. \tag{22}$$

Example 4. The Gauss period (4, 1) generates an embedding of GF(2^4) in the cyclotomic field $GF(2)^{(5)}$. Table 4 shows the operations that must be done in a multiplication using Algorithms 1 and 2.

Equations (18) and (20) can be simplified in this case since $a_0 = b_0 = 0$. We can also subtract $c_0$ from $c_1, c_2, \ldots, c_m$ in accordance with the mapping (22). So equation (18) simplifies to

$$C' = \sum_{i=1}^{m}\left\{r + a_i b_i + \sum_{\substack{j=1 \\ j \ne i,\ j \ne m+1-i}}^{v}\left(a_{i+j} b_{i-j} + b_{i+j} a_{i-j}\right)\right\}\beta^{2i}, \tag{23}$$

where $r = -\sum_{j=1}^{v}\left(a_j b_{m+1-j} + b_j a_{m+1-j}\right)$ and $C' = \sum_{i=1}^{m}(c_i - c_0)\beta^i$. Also, equation (20) simplifies to

$$C' = \sum_{i=1}^{m}\left\{t + 2a_i b_i + a_{2i} b_{2i} + \sum_{\substack{j=1 \\ j \ne i,\ j \ne m+1-i}}^{v}\left(a_{i+j} + a_{i-j}\right)\left(b_{i+j} + b_{i-j}\right)\right\}\beta^{2i}, \tag{24}$$

where $t = -\sum_{j=1}^{v}\left(a_j + a_{m+1-j}\right)\left(b_j + b_{m+1-j}\right)$.

C) ONB-II

A Gauss period of type (m, 2) with $n = 2m + 1$ generates a type-II ONB. This case is considered in [10], [13], [14], [18], [19], [20]. From equation (4), $\gamma^{q^i} = \beta^{q^i} + \beta^{2m+1-q^i}$, and so a mapping between finite field elements and cyclotomic field elements can be written as

$$a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m \ \longrightarrow\ 0 \cdot 1 + a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m + a_m\beta^{m+1} + a_{m-1}\beta^{m+2} + \cdots + a_1\beta^{2m},$$
$$(a_1 - a_0)\beta + (a_2 - a_0)\beta^2 + \cdots + (a_m - a_0)\beta^m \ \longleftarrow\ a_0 + a_1\beta + a_2\beta^2 + \cdots + a_m\beta^m + a_m\beta^{m+1} + a_{m-1}\beta^{m+2} + \cdots + a_1\beta^{2m}. \tag{25}$$

Again, $[\beta^1, \beta^2, \ldots, \beta^m]$ is a permutation of the coefficients of the normal basis. In the particular case of GF(2^m), coordinate $a_0$ in (25) is always zero.

Example 5. The Gauss period (3, 2) generates an isomorphism between GF(2^3) and $GF(2)^{(7)}$. The data-flow of the multiplication is shown in Table 5. In this table, we show the pairs of coordinates over which arithmetic operations are to be performed. The representation given by (25) has some redundancies which can be eliminated. First, coordinates $c_1, c_2, \ldots, c_m$ are obtained twice, but this can easily be avoided.
Applying this simplification to equation (18), we obtain

$$C'' = \sum_{i=0}^{m}\left\{a_{s(i)} b_{s(i)} + \sum_{j=1}^{m}\left(a_{s(i+j)} b_{s(i-j)} + b_{s(i+j)} a_{s(i-j)}\right)\right\}\beta^{s(2i)}, \tag{26}$$

where the indexes must be read modulo $2m + 1$, and

$$s(i) = \begin{cases} i & \text{if } 0 \le i \le m \\ 2m + 1 - i & \text{if } m + 1 \le i \le 2m. \end{cases} \tag{27}$$

We can also subtract $c_0$ from $c_1, c_2, \ldots, c_m$ in accordance with the mapping (25). Also, since $a_0 = b_0 = 0$, equation (26) can be simplified to

$$C' = \sum_{i=1}^{m}\left\{2y + a_{s(i)} b_{s(i)} + \sum_{\substack{j=1 \\ j \ne i}}^{m}\left(a_{s(i+j)} b_{s(i-j)} + b_{s(i+j)} a_{s(i-j)}\right)\right\}\beta^{s(2i)}, \tag{28}$$

where $y = -\sum_{j=1}^{m} a_j b_j$ and $C' = \sum_{i=1}^{m}(c_i - c_0)\beta^i$. Second, since the data-flow matrix of equation (28) is symmetric, it is only necessary to compute the diagonal and the upper triangular submatrix. In a similar way, equation (20) can be written as

$$C' = \sum_{i=1}^{m}\left\{4y + 2a_i b_i + a_{s(2i)} b_{s(2i)} + \sum_{\substack{j=1 \\ j \ne i}}^{m}\left(a_{s(i+j)} + a_{s(i-j)}\right)\left(b_{s(i+j)} + b_{s(i-j)}\right)\right\}\beta^{s(2i)}. \tag{29}$$

(a) Original. Each entry is the pair of coordinate indexes $(s(i+j), s(i-j))$ of A and B combined at step j, column i.

| | i=0 | i=1 | i=2 | i=3 | i=4 | i=5 | i=6 |
|---|---|---|---|---|---|---|---|
| j=1 | (1,1) | (2,0) | (3,1) | (3,2) | (2,3) | (1,3) | (0,2) |
| j=2 | (2,2) | (3,1) | (3,0) | (2,1) | (1,2) | (0,3) | (1,3) |
| j=3 | (3,3) | (3,2) | (2,1) | (1,0) | (0,1) | (1,2) | (2,3) |
| C = AB | $c_0$ | $c_2$ | $c_3$ | $c_1$ | $c_1$ | $c_3$ | $c_2$ |

(b) Simplified.

| | i=1 | i=2 | i=3 |
|---|---|---|---|
| j=1 | (2,0) | (3,1) | (3,2) |
| j=2 | (3,1) | (3,0) | (2,1) |
| j=3 | (3,2) | (2,1) | (1,0) |
| C = AB | $c_2$ | $c_3$ | $c_1$ |

Table 5: Data-flow of multiplication in a type-II ONB (Example 5). (a) Original. (b) Simplified.

Equations (23), (24), (28) and (29) can be applied to GF(q^m) with q prime. For comparison, we consider the particular case of GF(2^m) and other multipliers, as shown in Table 6. This table shows the number of bit operations of these multipliers and the time complexity of the multipliers in a bit-parallel implementation.
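The two conversions (22) and (25) and the index folding (27), as an added example before the comparison (this is not code from the paper): normal-basis coordinates are embedded in the cyclotomic field, multiplied there, and mapped back by subtracting $c_0$, for Example 4 (GF(2^4) in $GF(2)^{(5)}$, type-I) and Example 5 (GF(2^3) in $GF(2)^{(7)}$, type-II). To keep the embedding itself in focus the cyclotomic-field product is the plain cyclic convolution (6) rather than equations (24) or (29). The check is exhaustive and independent of the redundant representation: every result is re-expressed in a polynomial basis, GF(16) as $GF(2)[x]/(x^4+x^3+x^2+x+1)$ with $\beta = x$ (this polynomial is the 5th cyclotomic polynomial and is irreducible over GF(2)) and GF(8) as $GF(2)[x]/(x^3+x+1)$ with $\beta = x$ (of order 7), and compared with ordinary polynomial-basis multiplication. Those two moduli, the bit-integer encoding of polynomials and the function names are assumptions of this example.

```python
"""ONB-I (eq. 22) and ONB-II (eq. 25, 27) embeddings into a cyclotomic field.
Added example, not code from the paper. Vectors are lists of bits (GF(2))."""
from itertools import product

# Type-I (Example 4):  n = m + 1 = 5, GF(16) = GF(2)[x]/(x^4+x^3+x^2+x+1), beta = x.
N1, M1, PHI5 = 5, 4, 0b11111
# Type-II (Example 5): n = 2m + 1 = 7, GF(8) = GF(2)[x]/(x^3+x+1), beta = x has order 7.
N2, M2, P7 = 7, 3, 0b1011


def cyc_mul(a, b):
    """Product in GF(2)[x]/(x^n - 1): cyclic convolution mod 2, eq. (6)."""
    n = len(a)
    return [sum(a[i] * b[(j - i) % n] for i in range(n)) % 2 for j in range(n)]


def embed_onb1(a):
    """(22), left to right: (a_1..a_m) -> (0, a_1, ..., a_m)."""
    return [0] + list(a)


def fold_onb1(c):
    """(22), right to left: c_i - c_0 for i = 1..m (subtraction is XOR over GF(2))."""
    return [(ci - c[0]) % 2 for ci in c[1:]]


def embed_onb2(a):
    """(25), left to right: palindromic (0, a_1..a_m, a_m..a_1), since gamma^(q^i) is
    beta^(q^i) + beta^(2m+1-q^i)."""
    return [0] + list(a) + list(a)[::-1]


def s(i, m):
    """Index folding (27) for n = 2m + 1; i is read modulo 2m + 1."""
    i %= 2 * m + 1
    return i if i <= m else 2 * m + 1 - i


def fold_onb2(c):
    """(25), right to left: c_{s(i)} - c_0 for i = 1..m."""
    m = (len(c) - 1) // 2
    return [(c[s(i, m)] - c[0]) % 2 for i in range(1, m + 1)]


def mul_onb1(a, b):
    """Multiply two GF(2^4) elements given in the type-I ONB coordinates of (22)."""
    return fold_onb1(cyc_mul(embed_onb1(a), embed_onb1(b)))


def mul_onb2(a, b):
    """Multiply two GF(2^3) elements given in the type-II ONB coordinates of (25)."""
    return fold_onb2(cyc_mul(embed_onb2(a), embed_onb2(b)))


# --- independent reference: polynomial-basis arithmetic, polynomials as bit-integers
def gf2_mulmod(u, v, mod):
    """u * v in GF(2)[x]/(mod), shift-and-add with reduction."""
    deg = mod.bit_length() - 1
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> deg) & 1:
            u ^= mod
    return r


def coords_to_poly(coords, mod):
    """Evaluate sum_i a_i beta^i with beta = x in GF(2)[x]/(mod)."""
    r, xi = 0, 1                         # xi holds x^i reduced mod `mod`
    for a in coords:
        if a:
            r ^= xi
        xi = gf2_mulmod(xi, 0b10, mod)   # multiply by x
    return r


def _check(m, embed, mul, mod):
    """Exhaustive: redundant-representation product == polynomial-basis product."""
    for a in product((0, 1), repeat=m):
        for b in product((0, 1), repeat=m):
            lhs = coords_to_poly(embed(mul(a, b)), mod)
            rhs = gf2_mulmod(coords_to_poly(embed(a), mod),
                             coords_to_poly(embed(b), mod), mod)
            if lhs != rhs:
                return False
    return True


def check_onb1():
    return _check(M1, embed_onb1, mul_onb1, PHI5)


def check_onb2():
    return _check(M2, embed_onb2, mul_onb2, P7)
```

The subtraction of $c_0$ is what makes the result a genuine normal-basis vector: in Example 4, $\beta \cdot \beta^4 = \beta^5 = 1$, and the ring product lands entirely on the coordinate of $1$, which (22) spreads over all four basis elements, giving $(1,1,1,1)$, the well-known representation of the identity in an optimal normal basis. In Example 5 the product of two palindromic vectors is again palindromic and, over GF(2), has $c_0 = 0$, exactly as the text states for (25).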
The multiplier of [13] is considered to be the first such work published in the open literature, the multipliers of [5], [6], [10] use a redundant representation, and those of [14], [17], [18], [20] are more recent work and have the best results among the known existing ones. For multiplication in finite fields using cyclotomic rings, Algorithm 1 requires the same number of arithmetic operations as previously published multipliers, while Algorithm 2 requires approximately half the number of AND operations at the expense of extra XOR operations. For multiplication in finite fields with type-I and type-II ONBs, equations (23), (24), (28) and (29) require a total number of operations equal to that of the best known multipliers.

| Multiplier | #AND | #XOR | Total | Critical path |
|---|---|---|---|---|
| Rings, Alg. 1 | $n^2$ | $n^2 - n$ | $2n^2 - n$ | $T_A + \lceil \log_2 n \rceil T_X$ |
| Rings, Alg. 2 | $(n^2 + n)/2$ | $(3n^2 - n)/2 - 1$ | $2n^2 - 1$ | $T_A + (1 + \lceil \log_2 n \rceil) T_X$ |
| Rings, redundant [5], [6] | $n^2$ | $n^2 - n$ | $2n^2 - n$ | $T_A + \lceil \log_2 n \rceil T_X$ |
| ONB-I, Alg. 1 | $m^2 + 2m + 1$ | $m^2 + m$ | $2m^2 + 3m + 1$ | $T_A + \lceil \log_2 (m+1) \rceil T_X$ |
| ONB-I, Alg. 2 | $(m^2 + m)/2$ | $(3m^2 + m - 2)/2$ | $2m^2 + m - 1$ | $T_A + \lceil \log_2 (m-1) \rceil T_X$ |
| ONB-I, Eq. (23) | $m^2$ | $m^2 - 1$ | $2m^2 - 1$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-I, Eq. (24) | $(m^2 + m)/2$ | $(3m^2 - m)/2 - 1$ | $2m^2 - 1$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-I, redundant [10] | $m^2 + m$ | $m^2 + m$ | $2m^2 + 2m$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-I, [13] | $m^2$ | $2m^2 - 2m$ | $3m^2 - 2m$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-I, [17], [18] | $m^2$ | $m^2 - 1$ | $2m^2 - 1$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-I, [14] | $(m^2 + m)/2$ | $(3m^2 - m)/2 - 1$ | $2m^2 - 1$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-II, Alg. 1 | $2m^2 + m$ | $2m^2$ | $4m^2 + m$ | $T_A + \lceil \log_2 (2m+1) \rceil T_X$ |
| ONB-II, Alg. 2, Eq. (26) | $m^2$ | $3m^2 - m$ | $4m^2 - m$ | $T_A + (1 + \lceil \log_2 m \rceil) T_X$ |
| ONB-II, Eq. (28) | $m^2$ | $(3m^2 - 3m)/2$ | $(5m^2 - 3m)/2$ | $T_A + \lceil \log_2 (2m-1) \rceil T_X$ |
| ONB-II, Eq. (29) | $(m^2 + m)/2$ | $2m^2 - 2m$ | $(5m^2 - 3m)/2$ | $T_A + \lceil \log_2 (2m-1) \rceil T_X$ |
| ONB-II, redundant [10] | $m^2$ | $2m^2 - m$ | $3m^2 - m$ | $T_A + (1 + \lceil \log_2 m \rceil) T_X$ |
| ONB-II, [13] | $m^2$ | $2m^2 - 2m$ | $3m^2 - 2m$ | $T_A + (1 + \lceil \log_2 (m-1) \rceil) T_X$ |
| ONB-II, [18], [20] | $m^2$ | $(3m^2 - 3m)/2$ | $(5m^2 - 3m)/2$ | $T_A + (1 + \lceil \log_2 m \rceil) T_X$ |
| ONB-II, [14] | $(m^2 + m)/2$ | $2m^2 - 2m$ | $(5m^2 - 3m)/2$ | $T_A + \lceil \log_2 (2m-1) \rceil T_X$ |

Table 6: Comparison of GF(2^m) multipliers ($T_A$ and $T_X$ denote the delay of a two-input AND and XOR gate, respectively).

5 Conclusions

In this paper we have presented a unified formulation for multiplication in cyclotomic rings and fields. From this formulation we can generate optimized algorithms for multiplication. The algorithms are quite generic in the sense that they are not restricted to any special type of ground field. Moreover, in our algorithms most arithmetic operations are done on vectors. One of the proposed algorithms requires approximately half the number of coordinate-level multiplications compared to the conventional algorithm for multiplication in cyclotomic rings/fields. Although this is achieved at the expense of extra coordinate-level additions, the total number of operations is only slightly higher than that of the conventional algorithm. Hence, the proposed algorithm is advantageous for ground fields in which multiplication is more costly than addition. Our method has been applied to the finite fields GF(q^m) to further reduce the number of operations. We then presented optimized algorithms for multiplication in finite fields with ONBs of type-I and type-II. In the particular case of GF(2^m), and compared to the best known multipliers in GF(2^m), the proposed ones require the same number of arithmetic operations.

Acknowledgments

This work was supported in part by the Xunta de Galicia under contract PGIDIT03TIC10502PR and by MCYT under contract TIN2007-67537-C03.

References

[1] M.A. Hasan and A.G. Wassal, "VLSI Algorithms, Architectures, and Implementation of a Versatile GF(2^m) Processor", IEEE Trans. on Computers, Vol. 49, No. 10, pp. 1065–1073, Oct. 2000.
[2] S. Moon, J. Park, and Y. Lee, "Fast VLSI Arithmetic Algorithms for High-Security Elliptic Curve Cryptographic Applications", IEEE Trans. on Consumer Electronics, Vol. 47, No. 3, pp. 700–708, Aug. 2001.
[3] P.H.W. Leong and I.K.H. Leung, "A Microcoded Elliptic Curve Processor Using FPGA Technology", IEEE Trans. on Very Large Scale Integration Systems, Vol. 10, No. 5, pp. 550–559, Oct. 2002.
[4] T. Itoh and S. Tsujii, "Structure of Parallel Multipliers for a Class of Fields GF(2^m)", Information and Computation, Vol. 83, No. 1, pp. 21–40, 1989.
[5] G. Drolet, "A New Representation of Elements of Finite Fields GF(2^m) Yielding Small Complexity Arithmetic Circuits", IEEE Trans. on Computers, Vol. 47, No. 9, pp. 938–946, Sept. 1998.
[6] W. Geiselmann, J. Müller-Quade, and R. Steinwandt, "On 'A New Representation of Elements of Finite Fields GF(2^m) Yielding Small Complexity Arithmetic Circuits'", IEEE Trans. on Computers, Vol. 51, No. 12, pp. 1460–1461, Dec. 2002.
[7] S. Gao, J. von zur Gathen, D. Panario, and V. Shoup, "Gauss Periods and Fast Exponentiation in Finite Fields", Lecture Notes in Computer Science, Vol. 911, pp. 311–322, 1995.
[8] S. Gao, J. von zur Gathen, D. Panario, and V. Shoup, "Algorithms for Exponentiation in Finite Fields", J. Symbolic Computation, Vol. 29, pp. 879–899, 2000.
[9] J.H. Silverman, "Low Complexity Multiplication in Rings", Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES'99), pp. 122–134, 1999.
[10] H. Wu, M.A. Hasan, I.F. Blake, and S. Gao, "Finite Field Multiplier Using Redundant Representation", IEEE Trans. on Computers, Vol. 51, No. 11, pp. 1306–1315, Nov. 2002.
[11] R. Mullin, I. Onyszchuk, S.A. Vanstone, and R. Wilson, "Optimal Normal Bases in GF(p^n)", Discrete Applied Math., Vol. 22, pp. 149–161, 1988.
[12] A.J. Menezes, Applications of Finite Fields, Kluwer Academic Publishers, 1993.
[13] C.C. Wang, T.K. Truong, H.M. Shao, L.J. Deutsch, J.K. Omura, and I.S. Reed, "VLSI Architectures for Computing Multiplications and Inverses in GF(2^m)", IEEE Trans. on Computers, Vol. 34, No. 8, pp. 709–717, Aug. 1985.
[14] A. Reyhani-Masoleh and M.A. Hasan, "Efficient Multiplication Beyond Optimal Normal Bases", IEEE Trans. on Computers, Vol. 52, No. 4, pp. 428–439, Apr. 2003.
[15] A. Reyhani-Masoleh and M.A. Hasan, "Fast Normal Basis Multiplication Using General Purpose Processors", IEEE Trans. on Computers, Vol. 52, No. 11, pp. 1379–1390, Nov. 2003.
[16] Ç.K. Koç and B. Sunar, "Low-Complexity Bit-Parallel Canonical and Normal Basis Multipliers for a Class of Finite Fields", IEEE Trans. on Computers, Vol. 47, No. 3, pp. 353–356, March 1998.
[17] M.A. Hasan, M.Z. Wang, and V.K. Bhargava, "A Modified Massey-Omura Parallel Multiplier for a Class of Finite Fields", IEEE Trans. on Computers, Vol. 42, No. 10, pp. 1278–1280, Oct. 1993.
[18] A. Reyhani-Masoleh and M.A. Hasan, "A New Construction of Massey-Omura Parallel Multiplier over GF(2^m)", IEEE Trans. on Computers, Vol. 51, No. 5, pp. 511–520, May 2002.
[19] I.F. Blake, R.M. Roth, and G. Seroussi, "Efficient Arithmetic in GF(2^n) through Palindromic Representation", Hewlett-Packard, HPL-98-134, Aug. 1998.
[20] B. Sunar and Ç.K. Koç, "An Efficient Optimal Normal Basis Type II Multiplier", IEEE Trans. on Computers, Vol. 50, No. 1, pp. 83–87, Jan. 2001.
