On the arithmetic operations over finite fields of characteristic three with low complexity

On the arithmetic operations over finite fields of characteristic three with low complexity

Journal of Computational and Applied Mathematics 259 (2014) 546–554 Contents lists available at ScienceDirect Journal of Computational and Applied M...
Download PDF
381KB Sizes 0 Downloads 121 Views
Report

Journal of Computational and Applied Mathematics 259 (2014) 546–554

Contents lists available at ScienceDirect

Journal of Computational and Applied Mathematics journal homepage: www.elsevier.com/locate/cam

On the arithmetic operations over finite fields of characteristic three with low complexity S. Akleylek a,c , F. Özbudak b,c , C. Özel c,d,∗ a

Department of Computer Engineering, Ondokuz Mayıs University, Samsun, Turkey

b

Department of Mathematics, METU, 06800 Ankara, Turkey

c

Institute of Applied Mathematics, METU, 06800 Ankara, Turkey

d

The Scientific and Technological Research Council of Turkey, TUBITAK, 06100 Ankara, Turkey

article

info

Article history: Received 15 February 2013 Received in revised form 17 July 2013 Keywords: Finite field representation Hermite polynomials Modular multiplication Matrix vector product method

abstract In this paper, the Hermite polynomial representation is adapted as a new way to represent certain finite fields of characteristic three. We give the multiplication method to multiply two elements of F3n in the Hermite polynomial representation with subquadratic computational complexity by using a divide-and-conquer idea. We show that in some cases there is a set of irreducible binomials in the Hermite polynomial representation to obtain modular reduction with a lower addition complexity than the standard polynomial representation. We also investigate the matrix vector product method for the multiplication of the field elements represented by Hermite polynomials. © 2013 Elsevier B.V. All rights reserved.

1. Introduction An efficient implementation of arithmetic operations in finite fields has a significant role in cryptography, coding theory and digital signal processing [1,2]. In recent years, arithmetic of odd characteristic finite fields has been widely studied in elliptic curve cryptography and pairing-based cryptography [3]. For instance, supersingular elliptic curves over F3n are used for the efficient implementations of the algorithms in pairing-based cryptography [4]. The algorithms require the basic arithmetic operations such as field addition, subtraction, multiplication and cubing. As a result of these, the studies have been increased in the area of hardware and software implementations of arithmetic operations in characteristic three finite fields F3n [5,6]. The multiplication of the finite field elements is the most important arithmetic operation. It can be performed in two steps: polynomial multiplication and modular reduction. Since the complexity of the multiplication depends on the number of nonzero terms in the reduction polynomial, it is desirable to use low weight irreducible polynomials as reduction polynomials. The selection of the representation of finite field elements and the irreducible polynomial has a crucial role on the efficiency of the arithmetic implementations. In F3n , there is no irreducible binomial except for x2 − 2 [7]. Therefore, irreducible trinomials, when trinomials do not exist, quadrinomials or pentanomials are preferred to construct F3n [8]. A polynomial basis or a normal basis is used to represent the elements of F3n . There is also an alternative basis which is called elliptic basis which allows fast implementations of some operations [9]. The studies on implementations of the polynomial basis multiplication in binary extension fields appear intensively in the literature. However, there is no similar interest for the polynomial basis multiplication in general extension fields. In [10], the Charlier polynomial representation for characteristic three finite fields is given and in some cases better results in reduction complexity according to the



Corresponding author at: The Scientific and Technological Research Council of Turkey, TUBITAK, 06100 Ankara, Turkey. Tel.: +90 3124685300/1901. E-mail addresses: [email protected] (S. Akleylek), [email protected] (F. Özbudak), [email protected] (C. Özel).

0377-0427/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.cam.2013.08.011

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

547

standard polynomial representation are obtained. In [11], Hermite polynomials are proposed to represent binary finite fields and in [12] the Hermite polynomial representation for finite fields of characteristic three is studied. In this work, we modify the Hermite polynomial representation to be used in F3n and we show that multiplication in F3n in the Hermite polynomial representation can be achieved with subquadratic multiplication complexity. We also give the multiplication of two elements in F3n by using the matrix vector multiplication design and we construct reduction matrix. All computations are done by using MAGMA [13] and Maple [14]. There are also different multiplication algorithms used in any extension of finite fields like the Karatsuba algorithm [15], Chudnovsky–Chudnovsky type algorithm [16] and a unified method using the bilinear rank problem [17]. This paper is organized as follows: in Section 2, we recall the Hermite polynomial representation and give some results on these polynomials in F3 [x]. We also give the multiplication complexity. In Section 3 we define the reduction operation for the corresponding irreducible Hermite polynomial. We compare the proposed representation with the standard polynomial representation in view of the required number of multiplications and additions. In Section 4, we present the matrix vector multiplication method to multiply the field elements in the Hermite representation and we construct the reduction matrix. We conclude the paper in Section 5. 2. Multiplication of polynomials in the Hermite polynomial representation In this section, we give some preliminaries and the Hermite polynomial representation of characteristic three finite fields. Then, we describe the multiplication of field elements represented by Hermite polynomials and explore arithmetic complexity of multiplication. 2.1. Preliminaries Recall that in [18] Hermite polynomials are defined recursively for given H0 (x) = 1, H1 (x) = x and n ≥ 2 as Hn (x) = x · Hn−1 (x) − (n − 1) · Hn−2 (x). Remark 1. We note that deg(Hn (x)) = n. For notational simplicity, let βn = Hn (x) be the n-th Hermite polynomial in F3 [x]. Since Hermite polynomials have a recursive structure, it is easy to show that all Hermite polynomials in F3 have the forms

β3k (x) = x3k β3k+1 (x) = x3k+1 β3k+2 (x) = x3k+2 + 2x3k for k ∈ N. Any finite field F3n is isomorphic to F3 [x]/f (x) where f (x) is an irreducible polynomial of degree n. The standard  representation of elements of F3 [x]/f (x) is done by using the polynomial basis 1, x, x2 , . . . , xn−1 . F3n is an extension field of F3 and also considered as a vector space over F3 ; therefore, it should contain n basis elements. Remark 2. In [12], the Hermite polynomial representation is done by using {β0 , β1 , . . . , βn−1 } where βi denotes the i-th Hermite polynomial in F3n . It is obvious that this set is linearly independent. We can write each element of F3n uniquely as a linear combination of {β0 , β1 , . . . , βn−1 }. Let f = fn βn + · · · + f0 β0 be an irreducible polynomial of degree n where each fi ∈ F3 . The set {β0 , β1 , . . . , βn−1 } constitutes a basis of F3n ∼ = F3 [x]/f (x). Note that β0 is the identity element, i.e., β0 = 1. 2.2. Multiplication in the Hermite polynomial representation In [12], the multiplication operation of Hermite polynomials is defined by the following theorem. Theorem 1. For all i, j ≥ 0 the Hermite polynomials {β0 , β1 , . . . , βn−1 , . . .} satisfy the following equation:

  βi · βj = βi+j + l · k · βi+j−2 + 2 · m · βi+j−4 where l, k, m ∈ F3 is defined as



if i or j ≡ 0 mod 3 otherwise.

0 1

l=

 k=

1 2

 m=

1 0

if i ≡ j mod 3 otherwise. if i, j ≡ 2 mod 3 otherwise.

(1)

548

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

If we multiply each two cases given in Remark 1 with respect to the indices i and j(mod 3) respectively, then we get Eq. (1). One can notice that the multiplication of Hermite polynomials βi and βj changes with respect to the indices i, j(mod 3). Note that in F3 multiplication by 2 is equal to multiplication by −1. We explain the multiplication method in Examples 1–3. The idea is based on divide-and-conquer. One can also consider this Karatsuba-like algorithm. We start with 2-term (Example 1) polynomials multiplication. Then, we continue with 3-term (Example 2) and 4-term (Example 3) polynomials multiplication. Example 1. Let a = a1 β1 + a0 β0 and b = b1 β1 + b0 β0 be 2-term polynomials in the Hermite polynomial representation over F3 . Let c = a · b = c2 β2 + c1 β 1 + c0 β0 . Then, c0 = a0 b0 + a1 b1 = m0 + m1 c1 = a0 b1 + a1 b0 = m2 − (m0 + m1 ) c2 = a1 b1 = m1 , where m0 = a0 b0 ,

m1 = a1 b1 ,

m2 = (a0 + a1 )(b0 + b1 ).

We need 3 multiplications and 4 additions to compute c, the same multiplication complexity in standard polynomial representation. Example 2. Let a = a2 β2 + a1 β1 + a0 β0 and b = b2 β2 + b1 β1 + b0 β0 be 3-term polynomials in the Hermite polynomial representation over F3 . Let c = a · b = c4 β4 + c3 β3 + c2 β2 + c1 β1 + c0 β0 . Then, c0 = a0 b0 + a1 b1 − a2 b2 = m0 + m1 − m2 c1 = a0 b1 + a1 b0 − a2 b1 − a1 b2 = (−m5 + m4 ) − m3 + (m0 − m1 ) c2 = a2 b2 + a2 b0 + a0 b2 + a1 b1 = m4 − (m0 − m1 ) c3 = a2 b1 + a1 b2 = (m5 − m4 ) − m3 + m0 c4 = a2 b2 = m2 , where m0 = a0 b0 ,

m1 = a1 b1 ,

m4 = (a0 + a2 )(b0 + b2 ),

m 2 = a2 b 2 ,

m3 = (a0 + a1 )(b0 + b1 ),

m5 = (a0 + a1 + a2 )(b0 + b1 + b2 ).

We need 6 multiplications and 14 additions to compute c. Recall that by using the Karatsuba method in standard polynomial representation, we need 6 multiplications and 13 additions. Now, we give divide-and-conquer idea used to multiply two elements in the Hermite polynomial representation. Example 3. Let a = a3 β3 + a2 β2 + a1 β1 + a0 β0 and b = b3 β3 + b2 β2 + b1 β1 + b0 β0 be 4-term polynomials in the Hermite polynomial representation over F3 . Let c = a · b = c6 β6 + c5 β5 + c4 β4 + c3 β3 + c2 β2 + c1 β1 + c0 β0 . Then, a and b can be written as a = (A1 β2 + A0 ) b = (B1 β2 + B0 ) with A0 = (a1 + a3 )β1 + a0 β0 A1 = a3 β1 + a2 β0 B0 = (b1 + b3 )β1 + b0 β0 B1 = b3 β1 + b2 β0 . Note that the coefficients a3 in A0 and b3 in B0 come from the multiplication rule in the Hermite polynomial representation. Now we can write c = a · b as follows: c = (A1 β2 + A0 )(B1 β2 + B0 ) c = A1 B1 β4 + (A0 B1 + A1 B0 + A1 B1 )β2 + (A0 B0 − A1 B1 )β0 c = A1 B1 β4 + ((A0 + A1 )(B0 + B1 ) − A0 B0 )β2 + (A0 B0 − A1 B1 )β0 .

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

549

Note that A0 , A1 , B0 and B1 are 2-term polynomials. Therefore, the complexity cost of each multiplication A0 B0 , A1 B1 and (A0 + A1 )(B0 + B1 ) is the same as Example 1. That is to say each of these multiplications requires 3 multiplications in F3 . The required multiplications are

(for A0 B0 ) (for A1 B1 ) = a3 b3 (for A1 B1 ) = (a0 + a2 )(b0 + b2 ) (for (A0 + A1 )(B0 + B1 )) = (a1 + a3 )(b1 + b3 ) (for A0 B0 ) = (a1 − a3 )(b1 − b3 ) (for (A0 + A1 )(B0 + B1 )) = (a2 + a3 )(b2 + b3 ) (for A1 B1 ) = (a0 + a1 + a3 )(b0 + b1 + b3 ) (for A0 B0 ) = (a0 + a1 + a2 − a3 )(b0 + b1 + b2 − b3 ) (for (A0 + A1 )(B0 + B1 )).

m 0 = a0 b 0

m 1 = a2 b 2 m2 m3 m4 m5 m6 m7 m8

Now we can write the coefficients of c by using mi ’s as follows: c0 = a0 b0 + a1 b1 − a2 b2 = m0 − (m2 + m4 + m5 ) − m1 c1 = a0 b1 + a1 b0 − a2 b1 − a1 b2 = −((m8 + m6 − m5 − m3 − m2 − m1 ) − (m0 + m4 − m7 )) c2 = a0 b2 + a2 b0 + a1 b1 + a2 b2 = m3 − m0 − (m2 + m4 + m5 ) c3 = a0 b3 + a3 b0 + a1 b2 + a2 b1 = (m8 + m6 − m5 − m3 − (m1 + m2 )) + (m0 + m4 − m7 ) c4 = a1 b3 + a3 b1 + a2 b2 = m5 − m4 + m1 c5 = a2 b3 + a3 b2 = m6 − (m1 + m2 ) c6 = a3 b3 = m2 . We need 9 multiplications and 26 additions to compute c. Recall that by using the Karatsuba method in standard polynomial representation, we need 9 multiplications and 23 additions. Remark 3. Bernstein’s optimization of the Karatsuba reconstruction in [19] (and independently proposed by Zhou and Michalik in [20]) is also working on this idea. By this optimization, we save n/2 − 1 additions from the original construction. The modified reconstruction is as follows: R0 = −P0 + P1 βn/2 R1 = R0 (−1 + βn/2 ) c = R1 + P2 βn/2 where P0 = A0 B0 ,

P1 = A1 B1 ,

P2 = (A0 + A1 )(B0 + B1 ).

Consequently, by using the divide-and-conquer idea, the required number of multiplications is the same with the Karatsuba algorithm in a standard polynomial representation while the required number of additions is more than the one computed with the Karatsuba algorithm in a standard polynomial representation. It is well-known that the multiplication of finite field elements can be performed in two steps: first multiplication of polynomials and then modular reduction with respect to the irreducible polynomial that is chosen before [2]. We give the multiplication and the reduction operations respectively. Now, in Theorem 2 we give the general multiplication and addition complexity in the Hermite polynomial representation by using the divide-and-conquer idea explained above. One can also find new complexity results and explicit formulas using different techniques such as [16]. Theorem 2 shows that the divide-and-conquer idea can be efficiently used to multiply two elements in the Hermite polynomial representation. Theorem 2. Let a = an−1 βn−1 + · · · + a0 β0 and b = bn−1 βn−1 + · · · + b0 β0 be n-term polynomials over F3 and a · b = c = c2n−2 β2n−2 +· · ·+ c0 β0 . By using the divide-and-conquer idea, the coefficients of the polynomial c are computed with at most M (n) multiplications and A(n) + n − 2 additions, where M (n) and A(n) are the required number of multiplications and additions for the Karatsuba algorithm for the desired extensions, respectively. For example, the required number of multiplications is nlog2 3 and the required number of additions is 6nlog2 3 − 7n for n = 2j , where j is a positive integer. Since the complexity of the divide-and-conquer idea is very similar to the Karatsuba multiplication method and has been well studied in the Karatsuba multiplication method (for example see [15]), we omit the proof. The reason of increasing of the required number of additions is due to the extra terms coming from the multiplication rule.

550

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554 Table 1 Irreducible Hermite binomials.

β3 + β2 β12 + β2 β15 + β2 β60 + β2 β111 + β2 β183 + β2

β4 + β2 β7 + β2 β19 + β2 β28 + β2 β67 + β2 β151 + β2

β11 + β0 β26 + β0 β35 + β0 β119 + β0 β146 + β0 β242 + β0

Table 2 Reduction complexity of βi . Form

# Constant multiplications

# Additions

βn + β2 (n ≡ 0 mod 3) βn + β2 (n ≡ 1 mod 3) βn + β0 (n ≡ 2 mod 3)

4 6∗ 4∗

2 3∗ 2∗

3. Irreducible Hermite binomials and reduction In this section, we compare the reduction complexities of the standard polynomial representation and Hermite polynomial representation in view of the required number of additions and scalar multiplications. We explore the low weight irreducible Hermite polynomials for the performance of the reduction operation, so we look for the Hermite binomials. The Hermite polynomials including constant terms are only β0 and β1 . Therefore, irreducible Hermite binomials are of two forms βn + β0 and βn + β2 . In [12], selected irreducible Hermite binomials are given as in Table 1. The reduction operations are different due to the chosen binomials from each column of the Table 1, since the multiplication of Hermite polynomials differs with respect to the values of the indices in mod 3, as given in Theorem 1. In [12], the reduction operation of a given single term βi , where n ≤ i ≤ 2n − 2 is performed by using each form of the irreducible Hermite binomials and the comparison of the reduction complexities is given as in Table 2. Remark 4. The signed numbers in Table 2 are the numbers of constant multiplications and additions for one step of the reduction. The total number of multiplications and additions for these binomials are computed with multiplying these numbers by the number of reduction steps. Consequently, between these binomials βn + β2 , where n ≡ 0(mod 3) has the least number of constant multiplications and the least number of additions. Now, we give the total reduction complexity of the binomial βn +β2 , where n ≡ 0(mod 3). In the rest of the study, we use this binomial and the corresponding polynomial of this binomial in the standard polynomial representation which is f (x) = xn + x2 + 2, where n ≡ 0(mod 3). ′ ′ ′ ′ Theorem 3. Let f = βn + β2 , where n ≡ 0(mod 3) and a · b = c2n −2 β2n−2 + c2n−3 β2n−3 + · · · + c0 β0 where ci ∈ F3 be the 4 ′ product of a and b in F3n . Then the reduction of c = c (mod f ) requires 2n − 3 additions and 3 n − 3 scalar multiplications.

Proof. The reduction operation is performed due to the terms of c ′ with indices n ≤ i ≤ 2n − 2. We compute the reduced forms of βi ’s for n ≤ i ≤ 2n − 2 by using the reduction formula that is given in [12]

βn = 2β2 βn+1 2β3 + β1 βn+2 2β4 + 2β2 + β0 βn+3 2β5 βn+4 2β6 + β4 βn+5 2β7 + 2β5 + β3 .. . β2n−3 2βn−1 β2n−2 βn−2 + β2 . The coefficients ci′ of each βi on the left of the equations are added to the coefficients cj′ of each βj ’s on the right, where 0 ≤ j ≤ n − 1. So the number of additions is equal to the total number of βi ’s on the right side of the equations. Starting from the first equation, for each three equations there are 6 βj ’s on the right side except the last two equations. The number (n−3)

of these three iterative equations is 3 , then the number of terms on the right hand side is 6 terms in the last two equations. So the total number is equal to 2n − 3.

(n−3) 3

. Also there are 3 more

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

551

Table 3 Reduction complexity. Form

# Additions

# Constant multiplications

Hermite binomial, βn + β2 (n ≡ 0 mod ) Polynomial basis, xn + x2 + 2 (n ≡ 0 mod )

2n − 3 2n − 1

4 n−3 3 n−1

In each three iterative equations there are 4 scalar multiplications, so from all of three iterative equations, we have (n−3) 4 3 scalar multiplications. Also we have one multiplication in the last two equations. Totally, we have 43 n − 3 scalar multiplications.  Remark 5. The standard polynomial representation of βn + β2 is the trinomial xn + x2 + 2. The reduction by using this trinomial is performed as xn 2x2 + 1 xn+1 2x3 + x xn+2 2x4 + x2 xn+3 2x5 + x3 xn+4 2x6 + x4 xn+5 2x7 + x5

.. . x2n−2 xn−2 + x2 + 2. After the reduction operation, the coefficients of c in F3 are given in both the Hermite polynomial representation and standard polynomial representation as Coefficients in Hermite polynomial representation c0 = c0′ + cn′ +2 c1 = c1′ + cn′ +1 ′ c2 = c2′ + 2cn′ + 2cn′ +2 + c2n −2 ′ ′ ′ c3 = c3 + 2cn+1 + cn+5 c4 = c4′ + 2cn′ +2 + cn′ +4 c5 = c5′ + 2cn′ +3 + 2cn′ +5 c6 = c6′ + 2cn′ +4 + cn′ +8

Coefficients in standard polynomial representation ′ c0 = c0′ + cn′ + 2c2n −2 ′ ′ c1 = c1 + cn+1 ′ ′ ′ ′ c2 = c2 + 2cn + cn+2 + c2n −2 ′ ′ ′ c3 = c3 + 2cn+1 + cn+3 c4 = c4′ + 2cn′ +2 + cn′ +4 c5 = c5′ + 2cn′ +3 + cn′ +5 c6 = c6′ + 2cn′ +4 + cn′ +6

′ cn−1 = cn′ −1 + 2c2n −3

′ cn−1 = cn′ −1 + 2c2n −3

.. .

.. .

Now, we compute the reduction complexity in standard polynomial representation by using xn + x2 + 2 as the irreducible polynomial. The reduction complexity in standard polynomial representation is given for binary extension fields in [21] and for general extension fields in [22]. The following theorem gives the reduction complexity in the standard polynomial representation for Fqn . Theorem 4. Let f (x) be a degree n irreducible polynomial with r nonzero terms in Fq [x]. Let nk for k = 1, 2, . . . , r − 1 denote the degrees of the nonzero terms except the term xn . Then if (n+1)/2 ≥ nk , the reduction with respect to f (x) requires (r −1)(n−1)+1 additions and at most (r − 1)(n − 1) coefficient multiplications. Remark 6. In our case, we use the trinomial xn + x2 + 2 in F3 [x]. Since (n + 1)/2 ≥ 2 then the polynomial modular reduction can be done with 2(n − 1) + 1 = 2n − 1 additions and at most 2(n − 1) multiplications. From Remark 5, we can see that there are 2(n − 1) + 1 terms on the right sides of the equations and in each equation there is one scalar multiplication, so there are n − 1 scalar multiplications. By Theorem 3, in the Hermite polynomial representation the reduction with respect to the binomial βn + β2 requires 2n − 3 additions and 43 n − 3 multiplications. In Table 3, we give the comparison of the reduction complexities in the Hermite polynomial representation and standard polynomial representation. 4. Matrix vector product for Hermite basis In this part, we express the product of two elements in F3n as a matrix vector product. Let u(x) = un−1 xn−1 +· · ·+ u1 x + u0 be a polynomial representing an element in F3n . The coefficient vector of u(x) is given by u = [u0 , u1 , . . . , un−1 ]T . Let a, b

552

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

and c be vectors including the coefficients of a(x), b(x) and c (x) in F3n and let f (x) be an irreducible polynomial with degree n. We now compute a(x) · b(x) = c (x) mod f (x) by using the matrix vector product method. First we construct a (2n − 1) × n matrix including the coefficients of a(x) and denote it by M ′

 a 0  a1  .  ..   a  n−2  an−1 ′ M =  0   0   ..  . 

0 a0

0 0

... ...

0 0

0 0

an−3 an−2 an−1 0

an − 4 an − 3 an − 2 an − 1

... ... ... ...

a0 a1 a2 a3

0 a0 a1 a2

0 0

0 0

... ...

an − 1 0

an − 2 an − 1

.. .

.. .

0 0

.. .

.. .

.. .

.. .

        .       

Let us call the upper part of the matrix M ′ as L which is an n × n matrix and the lower part of the matrix M ′ as U which is an (n − 1) × n matrix,





M =

L U



.

The reduction operation is performed by using an n ×(n − 1) reduction matrix which is defined in terms of the irreducible polynomial f (x) and called as Q . After the reduction, one can get an n × n matrix denoted by M. This matrix is called the Mastrovito matrix in binary fields M = L + Q · U. Then, the multiplication a(x) · b(x) = c (x) mod f (x) can be done by the product of matrix M and vector b c = M · b. Remark 7. In the reduction part, the rows n, (n + 1), . . . , (2n − 1) of the matrix M ′ are added to the first n rows with respect to the reduction modulo f (x). The reduction complexity is determined by using the reduction matrix Q such that the number of nonzero entries in Q is equal to the number of additions and the number of nonzero entries different than one (i.e. the number of 2’s in F3 ) is equal to the number of scalar multiplications. In [21], they survey the matrix vector product techniques for binary fields. There are two different approaches to apply the matrix vector product. One is that the polynomial multiplication part is done by any multiplication method and then the reduction part is performed by the matrix vector product. The other approach is that the two steps of multiplication are performed by the matrix vector product by using the Mastrovito matrix. In Table 3, we show that in the reduction part of the polynomial multiplication, in some cases the Hermite polynomial representation is better than the standard polynomial representation in the case of the number of additions. Therefore in this section, we use the matrix vector product method only in the reduction part and we explain how the reduction operation in the Hermite polynomial representation can be computed by using matrix vector operations. The reduction matrix is constructed by using the irreducible reduction polynomial f (x). Let the jth column of reduction matrix Q be denoted by qj = [q0,j , q1,j , . . . , qn−1,j ]T where the entries of this column vector correspond to the coefficients of qj (x) = q0,j + q1,j x + · · · + qn−1,j xn−1 . In [21], this qj (x) is defined by qj (x) =



xn mod f (x), xqj−1 (x) mod f (x),

j=0 j = 1, . . . , n − 2.

(2)

In the Hermite polynomial representation, let the entries of the column vector qj correspond to the coefficients of qj = q0,j β0 + q1,j β1 + · · · + qn−1,j βn−1 . As in Eq. (2), we compute each column vector qj by multiplying β1 · qj−1 . Since the multiplication of Hermite polynomials differs with respect to the indices, the multiplication of β1 · qj−1 differs with respect to j. Therefore, we define qj by

 qj =

βn mod f , β1 qj−1 + l · qj−2 mod f ,

j=0 j = 1, . . . , n − 2,

(3)

where

 l=

1 0 2

if j ≡ 0 mod 3 if j ≡ 1 mod 3 if j ≡ 2 mod 3.

Now, we give an example to show the difference between the reduction matrices in the standard polynomial representation and Hermite polynomial representation.

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

553

Example 4. We choose an irreducible Hermite binomial βn + β2 where n ≡ 0 mod 3. Let us take β12 + β2 from Table 1. It is equal to x12 + x2 + 2 in the standard polynomial representation. We compute the reduction matrices by using Eqs. (2) and (3). The dimensions of the matrices are 12 × 11. We denote the reduction matrix of x12 + x2 + 2 by QS and the reduction matrix of βn + β2 by QH :

 1  0  2   0   0   0 QS =   0  0   0   0 

0 1 0 2 0 0 0 0 0 0 0 0

0 0 1 0 2 0 0 0 0 0 0 0

0 0 0 1 0 2 0 0 0 0 0 0

0 0 0 0 1 0 2 0 0 0 0 0

0 0 0 0 0 1 0 2 0 0 0 0

0 0 0 0 0 0 1 0 2 0 0 0

0 0 0 0 0 0 0 1 0 2 0 0

0 0 0 0 0 0 0 0 1 0 2 0

0 0 0 0 0 0 0 0 0 1 0 2

2 0 1 0 0 0 0 0 0 0 1 0



 0  0  2   0   0   0 QH =   0  0   0   0 

0 1 0 2 0 0 0 0 0 0 0 0

1 0 2 0 2 0 0 0 0 0 0 0

0 0 0 0 0 2 0 0 0 0 0 0

0 0 0 0 1 0 2 0 0 0 0 0

0 0 0 1 0 2 0 2 0 0 0 0

0 0 0 0 0 0 0 0 2 0 0 0

0 0 0 0 0 0 0 1 0 2 0 0

0 0 0 0 0 0 1 0 2 0 2 0

0 0 0 0 0 0 0 0 0 0 0 2

0 0 1 0 0 0 0 0 0 0 1 0



0 0

0 0

               

        .       

We count the nonzero entries of each matrices. The matrix QS has 23 nonzero entries which is also equal to the number of additions in reduction complexity and the number of 2’s in the matrix is 11 which is equal to the number of scalar multiplications. The matrix QH has 21 nonzero entries and the number of 2’s in the matrix is 13. By using Theorem 3, the reduction complexity of β12 + β2 contains 2.12 − 3 = 21 additions and 34 n − 3 = 13 scalar multiplications. In the standard polynomial representation, by using Theorem 4 we can compute the reduction complexity of x12 + x2 + 2 as (3 − 1)(12 − 1) + 1 = 23 additions and 12 − 1 = 11 scalar multiplications. In Example 4, we divide the matrices into 3 × 3 block matrices to simplify the observation. As n increases the entries of the matrices do not change; only they expand diagonally. Both matrices have a recursive structure. The 3 × 3 block matrices repeat down the diagonals of the matrix. Therefore, we can compute the general reduction complexity for any n, where n ≡ 0 mod 3 by using the matrices in Example 4. In each reduction matrix, there are two different 3 × 3 nonzero block matrices and they appear in each three columns. (n−3) The number of 3 × 3 block matrices in each reduction matrix is 3 . First, we compute the reduction complexity for QS . These two block matrices in QS contain 6 nonzero terms and 3 scalar multiplications and in the last two columns there are (n−3) (n−3) 5 nonzero terms and 2 scalar multiplications. Totally, QS has 6 3 + 5 = 2n − 1 nonzero terms and 3 3 + 2 = n − 1 scalar multiplications. For QH , these two block matrices contain 6 nonzero terms and 4 scalar multiplications and in the last (n−3) two columns there are 3 nonzero terms and 1 scalar multiplication. Totally, QS has 6 3 + 3 = 2n − 3 nonzero terms and (n−3)

4 3 + 1 = 43 n − 3 scalar multiplications. These results are the same with the reduction complexities given in Table 3. By this way, we give the matrix vector product method for the reduction part of the polynomial multiplication in the Hermite polynomial representation of F3n . 5. Conclusion In this paper, we modify the Hermite polynomial representation given in [11] for characteristic three finite fields. We give the multiplication method in the Hermite polynomial representation with subquadratic space complexity by using the divide-and-conquer idea. In this representation, one can obtain an irreducible binomial βn +β2 , where n ≡ 0(mod 3), which allows a modular reduction operation more efficient than the standard polynomial representation. We also give the matrix vector product method and we construct the reduction matrix for the binomial βn + β2 . Furthermore, this proposed method brings a new approach to the representation of characteristic three finite fields.

554

S. Akleylek et al. / Journal of Computational and Applied Mathematics 259 (2014) 546–554

Acknowledgments A preliminary version of this paper was presented at the International Conference on Applied and Computational Mathematics (ICACM), Ankara, Turkey, October 3–6, 2012. Sedat Akleylek and Ferruh Özbudak are partially supported by TUBITAK under the Grant No. TBAG-109T672. The authors thank the anonymous referees for their detailed and very helpful comments. References [1] I.F. Blake, G. Seroussi, N.P. Smart, Elliptic Curves in Cryptography, in: London Mathematical Society Lecture Note Series, vol. 265, Cambridge Univ. Press, 1999. [2] R. Lidl, H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University, 1997. [3] H. Cohen, G. Frey, Handbook of Elliptic and Hyperelliptic Curve Cryptography, in: Discrete Math. Appl., Chapman Hall/CRC, 2006. [4] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in: Advances in Cryptology, CRYPTO’02, in: LNCS, vol. 2442, Springer-Verlag, 2002, pp. 354–368. [5] K. Harrison, D. Page, N. Smart, Software implementation of finite fields of characteristic three, for use in pairing-based cryptosystems, LMS J. Comput. Math. 5 (2002) 181–193. [6] D. Page, N. Smart, Hardware implementation of finite fields of characteristic three, in: Cryptographic Hardware and Embedded Systems, CHES 2002, in: LNCS, vol. 2523, 2003, pp. 529–539. [7] D. Panario, D. Thompson, Efficient pth root computations in finite fields of characteristic p, Des. Codes Cryptogr. 50 (2009) 351–358. [8] O. Ahmadi, F. Rodriguez-Henriquez, Low complexity cubing and cube root computation over F3m in polynomial basis, IEEE Trans. Comput. 59 (10) (2010) 1297–1308. [9] J.M. Couveignes, R. Lercier, Elliptic periods for finite fields, Finite Fields Appl. (15) (2009) 122. [10] S. Akleylek, F. Özbudak, C. Özel, Charlier polynomial representation for finite fields of characteristic three, in: 18th International Conference on Applications of Computer Algebra, ACA 2012, Sofia, Bulgaria, 2012. [11] S. Akleylek, M. Cenk, F. Özbudak, A new representation of elements of binary fields with subquadratic space complexity multiplication of polynomials, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E96-A (10) (2013) http://dx.doi.org/10.1587/transfun. E96.A.1. [12] S. Akleylek, F. Özbudak, C. Özel, Hermite polynomial representation for finite fields of characteristic three, in: 5th International Information Security and Cryptology Conference, ISCTURKEY 2012, Vol. 5, Ankara, 2012 pp. 155–159. [13] W. Bosma, J. Cannon, C. Playoust, The MAGMA algebra system I: the user language, J. Symbolic. Comput. 24 (1997) 235–265 (Also see the Magma home page at http://www.maths.usyd.edu.au:8000/u/magma/). [14] www.maplesoft.com. [15] A. Weimerskirch, C. Paar, Generalizations of the Karatsuba algorithm for efficient implementations, http://eprint.iacr.org/2006/224, 2006. [16] S. Ballet, A. Bonnecaze, M. Tukumuli, On the construction of elliptic Chudnovsky-type algorithms for multiplication in large extensions of finite fields, 2013. ArXiv preprint arXiv:1303.7082. [17] R. Barbulescu, J. Detrey, N. Estibals, P. Zimmermann, Finding optimal formulae for bilinear maps, in: Arithmetic of Finite Fields—4th International Workshop, WAIFI 2012, in: LNCS, vol. 7369, Springer-Verlag, 2012, pp. 168–186. [18] D. Drake, The combinatorics of associated Hermite polynomials, European J. Combin. 30 (4) (2009) 1005–1021. [19] D.J. Bernstein, Batch binary edwards, in: Advances in Cryptology, CRYPTO’09, in: LNCS, vol. 5677, Springer-Verlag, 2010, pp. 317–336. [20] G. Zhou, H. Michalik, Comments on ‘‘a new architecture for a parallel finite field multiplier with low complexity based on composite field’’, IEEE Trans. Comput. 59 (7) (2010) 1007–1008. [21] S.S. Erdem, T. Yanik, C.K. Koc, Polynomial basis multiplication over GF (2m ), Acta Appl. Math. 93 (1–3) (2006) 33–55. [22] H. Wu, Bit-parallel finite field multiplier and squarer using polynomial basis, IEEE Trans. Comput. 51 (7) (2002) 750–758.