Title:

Kind
Code:

A1

Abstract:

The invention provides apparatus and methods for use in basis conversion involving a dual basis, such as a dual of a polynomial basis or dual of a normal basis. The invention in an illustrative embodiment includes basis generators for generating elements of a dual of a polynomial or a normal basis of a finite field GF(q^{m} ), where q is a prime number or power of a prime number and m is an integer greater than or equal to 2. The basis generators can be used in “import” basis conversion, such as converting a representation in an external basis to a representation in an internal dual of a polynomial basis or dual of a normal basis, as part of a generate-accumulate algorithm, or in “export” basis conversion, such as converting a representation in an internal dual of a polynomial basis or dual of a normal basis to a representation in an external basis, as part of a generate-evaluate algorithm. The invention also includes basis shifters which generate a shifted version of a representation in an internal polynomial or normal basis. The basis shifters may be used in import basis conversion as part of a shift-insert algorithm, or in export basis conversion as part of a shift-extract algorithm. The basis shifters may also be used to provide alternative shift-based basis generators. The basis conversion techniques of the invention significantly increase the storage and computational efficiency of dual basis operations in cryptographic systems and other applications.

Inventors:

Kaliski, Burton S. (Wellesley, MA, US)

Liskov, Moses (Waltham, MA, US)

Liskov, Moses (Waltham, MA, US)

Application Number:

09/919664

Publication Date:

12/27/2001

Filing Date:

07/31/2001

Export Citation:

Assignee:

KALISKI BURTON S.

LISKOV MOSES

LISKOV MOSES

Primary Class:

International Classes:

View Patent Images:

Related US Applications:

Primary Examiner:

MAI, TAN V

Attorney, Agent or Firm:

TESTA, HURWITZ & THIBEAULT, LLP (HIGH STREET TOWER, BOSTON, MA, 02110, US)

Claims:

1. An apparatus for determining elements in a dual of a polynomial basis for a finite field, the apparatus comprising: a coefficient generator which generates a coefficient in the polynomial basis; a multiplier for multiplying a first value by a function of a generator of the polynomial basis; and a subtractor for subtracting a function of the coefficient from one of an output of the multiplier and an input value, such that an output of one of the subtractor and the multiplier corresponds to a second value which is used to provide a shifted version of the input value in the dual of the polynomial basis.

2. The apparatus of claim 1 wherein the first value corresponds to the input value, the output of the multiplier is applied to an input of the subtractor and to an input of the coefficient generator, such that the subtractor subtracts the function of the coefficient from the output of the multiplier, the output of the subtractor corresponds to the second value, and the coefficient generator utilizes the output of the multiplier to generate the coefficient.

3. The apparatus of claim 1 wherein the first value corresponds to the input value, the output of the multiplier is applied to an input of the subtractor, such that the subtractor subtracts the function of the coefficient from the output of the multiplier, the output of the subtractor corresponds to the second value, and the coefficient generator utilizes the input value to generate the coefficient.

4. The apparatus of claim 1 wherein the first value corresponds to an output of the subtractor, the coefficient generator utilizes the input value to generate the coefficient, the subtractor subtracts the function of the coefficient from the input value, the output of the subtractor is applied to an input of the multiplier, and the output of the multiplier corresponds to the second value.

5. The apparatus of claim 1 wherein the operations of the coefficient generator, multiplier and subtractor are repeated to provide additional shifted versions of the input value in the dual of the polynomial basis, and wherein the shifted versions of the input value are used to generate elements of the dual of the polynomial basis.

6. The apparatus of claim 1 further including a looping mechanism operative to repeat the operations of the coefficient generator, multiplier and subtractor so as to generate a plurality of shifted versions of elements in the dual of the polynomial basis, wherein each non-initial iteration of the loop starts with the input value set to the second value generated in the previous iteration of the loop.

7. The apparatus of claim 1 wherein the input value initially corresponds to an identity element and the dual of the polynomial basis is a canonical polynomial basis.

8. The apparatus of claim 1 further including an additional multiplier for multiplying the second value by a scaling factor to generate a shifted version of an element in the dual of the polynomial basis.

9. The apparatus of claim 8 wherein the scaling factor corresponds to a linear function.

10. The apparatus of claim 1 wherein the coefficient generator generates the coefficient using a coefficient extractor which determines a coefficient of a representation of an element in the polynomial basis.

11. The apparatus of claim 1 wherein the coefficient generator generates the coefficient using an additional multiplier in conjunction with a coefficient selector.

12. The apparatus of claim 1 wherein the coefficient generated by the coefficient generator is computed as a function of V

13. The apparatus of claim 12 wherein the coefficient generated by the coefficient generator is of the form (W×V

14. The apparatus of claim 1 wherein the multiplier multiplies the first value by a function YH, where Y is the inverse of a scaling factor and H is the inverse of the polynomial basis generator.

15. The apparatus of claim 1 wherein the multiplier multiplies the first value by a function H, where H is the inverse of the polynomial basis generator.

16. The apparatus of claim 12 wherein the coefficient generated by the coefficient generator is computed as a function of V

17. The apparatus of claim 1 wherein at least a subset of the coefficient generator, multiplier and subtractor are implemented in a processor which is operative to convert a representation in an external dual of a polynomial basis to a representation in an internal basis using a generate-accumulate algorithm.

18. The apparatus of claim 1 wherein at least a subset of the coefficient generator, multiplier and subtractor are implemented in a processor which is operative to convert a representation in an internal basis to a representation in an external polynomial basis using a generate-evaluate algorithm which generates a dual of the polynomial basis.

19. The apparatus of claim 1 wherein at least a subset of the coefficient generator, multiplier and subtractor are implemented in a processor which is operative to convert a representation in an external dual of a polynomial basis to a representation in an internal basis using a shift-insert algorithm.

20. The apparatus of claim 1 wherein at least a subset of the coefficient generator, multiplier and subtractor are implemented in a processor which is operative to convert a representation in an internal basis to a representation in an external dual of a polynomial basis using a shift-extract algorithm.

21. An apparatus for determining elements in a dual of a normal basis for a finite field, the apparatus comprising: an exponentiator; and a multiplier which is operative to multiply one of an input value and an output of the exponentiator by a function of a generator of the dual basis, wherein the multiplier and exponentiator are configured to operate such that one of the multiplier and exponentiator generates an output value corresponding to a shifted version of the input value in the dual of the normal basis.

22. The apparatus of claim 21 wherein the function of a generator of the dual basis is also a function of a scaling value.

23. The apparatus of claim 21 wherein the multiplier multiplies the input value by a function of the generator of the dual basis, and the exponentiator raises an output of the multiplier to a power to generate the output value.

24. The apparatus of claim 21 wherein the exponentiator computes a value representing the input value raised to a power, and the multiplier generates the output value as a product of the value computed by the exponentiator multiplied by a function of the generator.

25. The apparatus of claim 21 wherein the operations of the exponentiator and multiplier are repeated to provide additional output values corresponding to shifted versions of the input value in the dual of the normal basis, and wherein the output values are used to generate elements of the dual of the normal basis.

26. The apparatus of claim 21 further including a looping mechanism operative to repeat the operations of the exponentiator and multiplier so as to generate a plurality of shifted versions of elements in the dual of the normal basis, wherein each non-initial iteration of the loop starts with the input value set to the output value generated in the previous iteration of the loop.

27. The apparatus of claim 21 wherein the input value initially corresponds to an identity element and the dual of the normal basis is a canonical normal basis.

28. The apparatus of claim 21 an initial value of the input value corresponds to a scaling factor.

29. The apparatus of claim 28 wherein the scaling factor corresponds to a linear function.

30. The apparatus of claim 21 wherein the multiplier multiplies one of the input value and the output value by a function SZ

31. The apparatus of claim 21 wherein the multiplier multiplies one of the input value and the output value by a function SZ, where S is a generator of the dual of the normal basis, and Z is a scaling factor.

32. The apparatus of claim 21 wherein the multiplier multiplies one of the input value and the output value by a qth root of SZ

33. The apparatus of claim 21 further including an additional multiplier for multiplying one of the input value and the output value by a function of a scaling factor.

34. The apparatus of claim 21 wherein at least one of the exponentiator and multiplier are implemented in a processor which is operative to convert a representation in an external dual of a normal basis to a representation in an internal basis using a generate-accumulate algorithm.

35. The apparatus of claim 21 wherein at least one of the exponentiator and multiplier are implemented in a processor which is operative to convert a representation in an internal basis to a representation in an external normal basis using a generate-evaluate algorithm which generates a dual of the normal basis.

36. The apparatus of claim 21 wherein at least one of the exponentiator and multiplier are implemented in a processor which is operative to convert a representation in an external dual of a normal basis to a representation in an internal basis using a shift-insert algorithm.

37. The apparatus of claim 21 wherein at least one of the exponentiator and multiplier are implemented in a processor which is operative to convert a representation in an internal basis to a representation in an external dual of a normal basis using a shift-extract algorithm.

38. An apparatus for determining elements of a dual of a normal basis for a finite field, the apparatus comprising: an exponentiator which raises an input value to a power, wherein the output of the exponentiator is applied to its input such that the exponentiator repeats the raising to a power operation a designated number of times; and a multiplier which is operative to multiply an output of the exponentiator, generated after the designated number of repetitions, by a scaling factor which is a function of a (q−1)

39. The apparatus of claim 38 wherein an initial value of the input value corresponds to a (q−1)

40. The apparatus of claim 38 wherein the operations of the exponentiator and multiplier are repeated to generate additional elements of the dual of the normal basis.

41. An apparatus for determining elements of a dual of a normal basis for a finite field, the apparatus comprising: an exponentiator which raises an input value to a power, wherein the output of the exponentiator is applied to its input such that the exponentiator repeats the raising to a power operation a designated number of times; and a multiplier which is operative to multiply an output of the exponentiator, generated after the designated number of repetitions, by one of an initial value and a previously-generated output of the multiplier, such that a current output of the multiplier corresponds to an element of the dual of the normal basis.

42. The apparatus of claim 41 wherein the operations of the exponentiator and multiplier are repeated to generate additional elements of the dual of the normal basis.

43. The apparatus of claim 41 wherein the input value is initially set to a function of a generator of the dual basis.

44. The apparatus of claim 41 wherein the input value initially corresponds to an identity element.

45. The apparatus of claim 41 wherein the initial value corresponds to a scaling factor.

46. The apparatus of claim 41 wherein the initial value corresponds to an identity element.

47. A method of determining elements in a dual of a polynomial basis for a finite field, the method comprising the steps of: generating a signal corresponding to a coefficient in the polynomial basis in a coefficient generator; multiplying a signal corresponding to a first value by a function of a generator of the polynomial basis in a multiplier; and subtracting a function of the signal corresponding to the coefficient from one of an output of the multiplier and an input value in a subtractor, such that an output of one of the subtractor and the multiplier is used to provide a shifted version of the input value in the dual of the polynomial basis.

48. A method for determining elements in a dual of a normal basis for a finite field, the method comprising: multiplying one of a signal corresponding to an input value and an output of an exponentiator by a function of a generator of the dual basis in a multiplier, wherein the multiplier and exponentiator are configured to operate such that one of the multiplier and exponentiator generates an output value corresponding to a shifted version of the input value in the dual of the normal basis.

49. A method for determining elements of a dual of a normal basis for a finite field, the method comprising: raising a signal corresponding to an input value to a power in an exponentiator, wherein the output of the exponentiator is applied to its input such that the exponentiator repeats the raising to a power operation a designated number of times; and multiplying an output of the exponentiator, generated after the designated number of repetitions, in a multiplier by a scaling factor which is a function of a (q−1)

50. A method for determining elements of a dual of a normal basis for a finite field, the method comprising: raising a signal corresponding to an input value to a power in an exponentiator, wherein the output of the exponentiator is applied to its input such that the exponentiator repeats the raising to a power operation a designated number of times; and multiplying an output of the exponentiator, generated after the designated number of repetitions, in a multiplier by one of an initial value and a previously-generated output of the multiplier, such that a current output of the multiplier corresponds to an element of the dual of the normal basis.

Description:

[0001] The present application claims the benefit of U.S. Provisional Application Serial No. 60/066,937 filed on Nov. 18, 1997.

[0002] The present invention relates generally to techniques for converting signals of a finite field having one basis to signals of a finite field having another basis, and more particularly to finite field basis conversion techniques which involve a dual basis.

[0003] As described in U.S. application Ser. No. 08/851,045, filed in the name of inventors Burton S. Kaliski Jr. and Yiqun Lisa Yin on May 5, 1997 and entitled “Methods and Apparatus for Efficient Finite Field Basis Conversion,” and which is incorporated by reference herein, conversion between different choices of basis for a finite field is an important problem in today's computer systems, particularly for cryptographic operations. While it is possible to convert between two choices of basis by matrix multiplication, the matrix may be too large for some applications, hence the motivation for more storage-efficient techniques.

[0004] Elements of a finite field can be represented in a variety of ways, depending on the choice of basis for the representation. Let GF(q^{m}^{r }^{m}_{0}_{m−1}^{m}

[0005] where B[0], . . . , B[m−1]εGF(q) are the coefficients. Two common types of basis are a polynomial basis and a normal basis. In a polynomial basis, the basis elements are successive powers of an element γ, called the generator:

_{i}^{i}

[0006] A polynomial ƒ of degree m, called the minimal polynomial of γ, relates the successive powers:

^{m}_{m−1}^{m−1}_{m−2}^{m−2}_{1}_{0}

[0007] In a normal basis, the basis elements are successive exponentiations of an element γ, again called the generator:

_{i}^{q}^{i}

[0008] Another common type of basis is a dual basis. Let ω_{0}_{m−1 }^{m}

[0009] The dual basis of the basis ω_{0}_{m−1 }_{0}_{m−1 }

[0010] The dual basis is uniquely defined, and duality is symmetric: the dual basis with respect to h of the basis ξ_{0}_{m−1 }_{0}_{m−1}

[0011] The basis conversion or change-of-basis problem is to compute the representation of an element of a finite field in one basis, given its representation in another basis. The problem has two forms, which distinguish between the internal basis in which finite field operations are performed, and the external basis to and from which one is converting:

[0012] Import problem. Given an internal basis and an external basis for a finite field GF(q^{m}

[0013] Export problem. Given an internal basis and an external basis for a finite field GF(q^{m}

[0014] A conventional solution to both problems is to apply a change-of-basis matrix relating the two bases. However, as the matrix is potentially quite large, and as the operations involved are not necessarily implementable with operations in either basis, the matrix-based conversion process may be inefficient in many important applications.

[0015] Another approach to conversion is to compute with a dual basis. Consider the problem of converting to the basis ω_{0}_{m−1}_{0}_{m−1 }

_{i}

[0016] One can therefore convert by multiplying by elements of the dual basis and evaluating the function h, another straightforward and effective solution, which is efficient provided that the elements of the dual basis ξ_{0}_{m−1 }^{2 }

[0017] A number of other references describe finite field basis conversion operations involving dual basis. For example, U.S. Pat. No. 4,994,995, issued Feb. 19, 1991 to R. W. Anderson, R. L. Gee, T. L. Nguyen, and M. A. Hassner, entitled “Bit-Serial Division Method and Apparatus,” describes hardware for a converter which converts an element in GF(2^{m}^{m}^{m}

[0018] The above-cited U.S. application Ser. No. 08/851,045 introduced the “shift-extract” technique of basis conversion, and also provided several storage-efficient and computation-efficient algorithms based on that technique for converting to and from a polynomial or normal basis. The conversion algorithms described therein overcome many of the problems associated with the previously-described conventional approaches. However, a need remains for further improvements in finite field basis conversion, particularly with regard to techniques involving dual basis.

[0019] It is therefore an object of the present invention to provide efficient finite field basis conversion techniques involving dual basis which do not require an excessively large amount of storage or an excessively large number of operations, and which take advantage of the built-in efficiency of finite field operations in one basis, rather than implementing new operations such as matrix multiplications.

[0020] The invention provides apparatus and methods for use in basis conversion involving dual basis, such as a dual of a polynomial basis or dual of a normal basis. For example, the invention includes efficient basis generators for generating the dual of a polynomial or normal basis. In accordance with the invention, these generators are implemented in generate-accumulate import basis converters and conversion algorithms, and generate-evaluate export basis converters and conversion algorithms. The invention also includes efficient basis shifters for performing shifting operations in a dual of a polynomial basis or normal basis. In accordance with the invention, these basis shifters are implemented in shift-insert import basis converters and conversion algorithms, and shift-extract export basis converters and conversion algorithms. The basis shifters may also be used to provide alternative shift-based basis generators.

[0021] The basis conversion techniques of the invention significantly increase the storage and computational efficiency of dual basis conversion operations in cryptographic systems and other applications, relative to the conventional dual basis conversion approaches described previously. The basis converters and conversion algorithms in accordance with the invention are computationally efficient in that they involve primarily or exclusively finite-field operations, rather than more complex operations such as matrix multiplications, and thus benefit from available optimizations for finite-field operations. The invention may be used, for example, to convert from a polynomial basis or a normal basis to a corresponding dual basis, and vice versa, in order to simplify cryptographic operations. These and other features of the present invention will become more apparent from the accompanying drawings and the following detailed description.

[0022]

[0023]

[0024]

[0025]

[0026]

[0027]

[0028]

[0029]

[0030]

[0031]

[0032]

[0033] The present invention will be described in several sections below in accordance with the following outline.

[0034] 1.0 Overview of Basis Conversion Techniques

[0035] 1.1 Import Algorithms

[0036] 1.1.1 Generate-Accumulate Method

[0037] 1.1.2 Shift-Insert Method

[0038] 1.2 Export Algorithms

[0039] 1.2.1 Generate*-Evaluate Method

[0040] 1.2.2 Shift-Extract Method

[0041] 1.3 Summary Tables

[0042] 2.0 Techniques Involving the Dual of a Polynomial Basis

[0043] 2.1 Efficient Basis Generation

[0044] 2.1.1 Importing from a Polynomial* Basis by Generate-Accumulate

[0045] 2.1.2 Exporting to a Polynomial Basis by Generate*-Evaluate

[0046] 2.2 Efficient External Shifting

[0047] 2.2.1 Importing from a Polynomial* Basis by Shift-Insert

[0048] 2.2.2 Exporting to a Polynomial* Basis by Shift-Extract

[0049] 3.0 Techniques Involving the Dual of a Normal Basis

[0050] 3.1 Efficient Basis Generation

[0051] 3.1.1 Importing from a Normal* Basis by Generate-Accumulate

[0052] 3.1.2 Exporting to a Normal Basis by Generate*-Evaluate

[0053] 3.2 Efficient External Shifting

[0054] 3.2.1 Importing from a Normal* Basis by Shift-Insert

[0055] 3.2.2 Exporting to a Normal* Basis by Shift-Extract

[0056] 4.0 Applications

[0057] As noted above, U.S. application Ser. No. 08/851,045 introduced the “shift-extract” technique of basis conversion, and also provided several storage-efficient algorithms based on that technique for converting to a polynomial or normal basis. The present invention provides techniques involving the dual of a polynomial or normal basis, including storage-efficient generation of a dual basis and storage-efficient shifting in such a basis. The present invention may be used in combination with the “shift-extract” technique of U.S. application Ser. No. 08/851,045 as well as other basis conversion techniques, but also provides several new storage-efficient and computation-efficient algorithms for converting to and from the dual of a polynomial or normal basis, as well as additional algorithms for converting to a polynomial or normal basis. Like the invention described in U.S. application Ser. No. 08/851,045, the present invention applies both to even-characteristic and odd-characteristic finite fields of degree greater than one, though even-characteristic processing is the most likely application since it is generally more common in practice. It should be noted that in certain special cases, a given dual basis may be the same as the corresponding polynomial or normal basis. These so-called “self-dual” bases can be generated using conventional techniques, and thus do not require the dual basis techniques described herein.

[0058] An overview of the basis conversion techniques of the present invention will now be provided. Algorithms for particular choices of basis will then be described in greater detail in subsequent sections. In the following description, the dual of a polynomial basis will be denoted as a polynomial* basis, and the dual of a normal basis will be denoted as a normal* basis. Although the problem of conversion between two choices of basis involving different ground fields is not addressed in this description, it will be apparent to those skilled in the art that the described techniques can be readily applied to this problem in a straightforward manner, as illustrated in U.S. application Ser. No. 08/851,045.

[0059] It should also be noted that for all the techniques described, it may be possible to improve efficiency by working with a scaled version of the intended basis, as the conversion process may be simpler for certain scaling factors. During an export operation, the element to be converted would be multiplied by the scaling factor before conversion to the external basis, and during an import operation, the element would be multiplied by the inverse of the scaling factor after conversion. Since a scaled version of a basis is also in general a basis, the general techniques described herein apply, the multiplication by the scaling factor or its inverse being considered simply as an additional processing step.

[0060] 1.1 Import Algorithms

[0061] Given an internal basis and an external basis for a finite field and the representation B of a field element in the external basis, an import algorithm determines the corresponding representation A of the same field element in the internal basis. Two general methods for determining the internal representation A are described below: the generate-accumulate method and the shift-insert method.

[0062] 1.1.1 Generate-Accumulate Method

[0063] The Generate-Accumulate method computes the internal representation A by accumulating the products of coefficients B[i] with successive elements of the external basis, as in the equation

[0064] where W_{0}_{m−1 }

[0065] proc I

[0066] A←0

[0067] for i from 0 to m−1 do

[0068] A←A+B[i]×W_{i }

[0069] end for

[0070] end proc

[0071] As written, this conventional algorithm requires storage for the m values W_{0}_{m−1}

[0072] _{i}

[0073] The present invention provides algorithms for generating the values for a polynomial* or normal* basis, called G

[0074] 1.1.2 Shift-Insert Method

[0075] The Shift-Insert method computes the internal representation A by “shifting” an intermediate variable in the external basis, and inserting successive coefficients between the shifts. This follows the same concept as the shift-extract method to be described below. Let S

[0076] computes the internal representation of the element with external representation

[0077] Other forms of shifting are possible, including shifting in the reverse direction, or shifting where the value 0 rather than B[m−1] is shifted in.

[0078] The basic form of algorithm for this method is as follows:

[0079] proc I

[0080] A←0

[0081] for i from m−1 downto 0 do

[0082] S

[0083] A←A+B[i]×W_{0 }

[0084] endfor

[0085] endproc

[0086] The direction of the for loop may vary depending on the direction of the shift. The algorithm has the advantage over I

[0087]

[0088]

[0089] The present invention provides algorithms for shifting in a polynomial* or normal* basis, called S

[0090] 1.2 Export Algorithms

[0091] Given an internal basis and an external basis for a finite field and the representation A of a field element in the internal basis, an export algorithm determines the corresponding representation B of the same field element in the internal basis. Two general methods for determining the external representation B are described: the generate*-evaluate method and the shift-extract method.

[0092] 1.2.1 Generate*-Evaluate Method

[0093] The Generate*-Evaluate method computes the external representation B by evaluating products of A with successive elements of a dual of the external basis, as in the equation

_{i}

[0094] where h is a linear function and X_{0}_{m−1 }

[0095] proc E

[0096] for i from 0 to m−1 do

[0097] T←A×X_{i }

[0098] B[i]←h(T)

[0099] end for

[0100] end proc

[0101] A variation on this conventional algorithm is to generate the values AX_{0}_{m−1 }

[0102] _{i}_{i}

[0103]

[0104] As previously noted, the present invention provides algorithms for generating the values for a polynomial* or normal* basis, called G

[0105] It should be noted that it is straightforward to generate the dual of the external basis when the external basis is a polynomial* or normal* basis, since the dual is then a scaled polynomial or scaled normal basis. The algorithms for these choices of basis, which one might call E

[0106] 1.2.2 Shift-Extract Method

[0107] The Shift-Extract method computes the external representation A by “shifting” an intermediate variable in the external basis, and extracting successive coefficients between the shifts. This follows the same concept as the shift-insert method above, and may be based on the same S

[0108] proc E

[0109] for i from m−1 to 0 do

[0110] B[i]←E

[0111] S

[0112] end for

[0113] end proc

[0114] Again, the direction of the for loop may vary depending on the direction of the shift.

[0115] The algorithm has the advantage over E

[0116]

[0117]

[0118] As previously noted, the present invention provides algorithms for shifting in a polynomial* or normal* basis, called S

[0119] 1.3 Summary Tables

[0120] The following Tables summarize the foregoing techniques and where they are described.

TABLE 1 | |||

Import Algorithms. | |||

Method | |||

Basis | Shift-Insert | Generate-Accumulate | |

POLY | Ser. No. 08/851,045 | Ser. No. 08/851,045 | |

NORMAL | Ser. No. 08/851,045 | Ser. No. 08/851,045 | |

POLY* | present invention | present invention | |

NORMAL* | present invention | present invention | |

[0121]

TABLE 2 | |||

Export Algorithms. | |||

Method | |||

Basis | Shift-Extract | Generate*-Evaluate | |

POLY | Ser. No. 08/851,045 | present invention | |

NORMAL | Ser. No. 08/851,045 | Ser. No. 08/851,045 | |

POLY* | present invention | prior art | |

NORMAL* | present invention | prior art | |

[0122] Let 1, γ, . . . , γ^{m−1 }^{m}^{m}_{0}_{i}^{th }^{m}_{0}_{0}_{1}_{m−1 }_{0}_{1}_{m−1 }

_{0}^{1}_{0}_{1}^{−1}_{1}_{m−1}^{−1}_{m−1 }

[0123] where ξ_{0}_{i}_{i−1}^{−1}_{0}_{i−1}^{−1}_{0}_{0}_{1}_{m−1 }_{0}_{1}_{m−1 }

^{1}_{0}

^{i}^{1}_{0}^{i}

[0124] Suppose it is known that the first i−1 elements are correct elements of the dual basis. Then for the i^{th }

^{i}^{1}_{i}^{i−1}^{−1}_{i−1}^{i}^{−1}_{0}_{i−1}^{−1}_{0}^{i}_{0}_{i−1}^{−1}

[0125] since h_{0}^{i}

^{i}^{1}_{i}^{j−1}^{−1}_{i−1}^{i}^{−1}_{0}_{i−1}^{−1}_{0}^{i}_{0}_{i−1}^{−1}

[0126] If j=0, h(ξ_{i}^{1}_{0}_{i}^{−1}^{−1}_{0}_{0}

[0127] In general, the internal representations of constants such as Z, Y, G and H utilized by the algorithms described herein can be obtained by applying known techniques, such as the correspondence between linear functions and multiplication by group elements, or solution of polynomials. For example, the internal representation G of the generator of an external basis can be computed using information about the internal and external basis, as noted in U.S. application Ser. No. 08/851,045. The general approach to computing such a representation is to find a root, in the internal-basis representation, of an appropriate polynomial corresponding to the external basis. Such root-finding techniques are well known in the prior art. As a further example, the value V_{0 }

[0128] 2.1 Efficient Basis Generation

[0129] The algorithm G

[0130] Input:

[0131] Z, a scaling factor.

[0132] Output:

[0133] W_{0}_{m−1}

[0134] Parameters:

[0135] m, the degree of the finite field.

[0136] Constants:

[0137] I, the internal representation of the identity element,

[0138] V_{0}_{0}_{0}

[0139] H, the internal representation of the inverse of the polynomial basis generator.

[0140] Algorithm:

[0141] iter G

[0142] W←I

[0143] yield Z

[0144] for i from 1 to m−1 do

[0145] W←W×H

[0146] T←W×V_{0 }

[0147] W←W−T[0]×I

[0148] yield W×Z

[0149] endfor

[0150] enditer

[0151] Typically, Z will be the internal representation of the scaling factor. However, as noted above, sometimes one may wish to use a value of 0 for Z, which does not correspond to any linear function. If Z does correspond to a linear function, the output is the polynomial* basis with respect to the linear function corresponding to Z. In all cases, the output is the canonical polynomial* basis scaled by Z, and in the case that Z=0, the output will always be zero. At iteration i, the algorithm outputs W_{i}_{0}_{0}_{i }_{i}^{−1}_{0}_{i}^{−1}_{i+1}_{i}^{1}_{i }^{−1 }

[0152] _{0}_{0}_{0}_{i}_{0 }_{0}_{0}^{−1}

[0153] Other forms of G

[0154] Algorithm:

[0155] iter G

[0156] W←H

[0157] yield W×ZG

[0158] for i from 1 to m−1 do

[0159] T←W×V_{0 }

[0160] W←W−T[0]×I

[0161] W←W×H

[0162] yield W×ZG

[0163] endfor

[0164] enditer

[0165] This alternate algorithm, which involves a slight rewriting of the steps of the previous algorithm, has the property that it involves the same sequence of steps in the loop (ignoring the yield) as the exemplary polynomial-basis shifter described in U.S. application Ser. No. 08/851,045, which may provide benefits in terms of sharing of computational logic.

[0166] Another possible variant of the G

[0167] Algorithm:

[0168] iter G

[0169] W←Z

[0170] yield W

[0171] for i from 1 to m−1 do

[0172] T←W×V_{0}

[0173] W←W×H

[0174] W←W−T[0]×Z

[0175] yield W

[0176] endfor

[0177] enditer

[0178] This variant avoids the multiplication in the yield, but it presumes the availability of Y=Z^{−1}_{0}^{−1}

[0179] In the case that the linear function to which Z corresponds is the coefficient at index 0 of the internal basis representation, i.e., the linear function x_{0 }_{0}_{0}

[0180] Algorithm:

[0181] iter G

[0182] W←V_{0 }

[0183] yield Z

[0184] for i from 1 to m−1 do

[0185] W←W×H

[0186] W←W−W[0]×V_{0 }

[0187] yield W×Z V_{0}^{−1 }

[0188] endfor

[0189] enditer

[0190] In general, the above and other forms of G

[0191] 2.1.1 Importing from a Polynomial* Basis by Generate-Accumulate

[0192] One application of the above-described G

[0193] Input:

[0194] B[0], . . . , B[m−1], the external representation to be converted.

[0195] Output:

[0196] A, the corresponding internal representation.

[0197] Parameters:

[0198] Any required for G

[0199] Constants:

[0200] Z, the internal representation of the scaling factor, and any constants required for G

[0201] Algorithm:

[0202] proc I

[0203] A←0

[0204] i←0

[0205] for W in G

[0206] A←A+B[i]×W

[0207] i←i+1

[0208] endfor

[0209] endproc

[0210] The I

[0211] 2.1.2 Exporting to a Polynomial Basis by Generate*-Evaluate

[0212] The algorithm E

[0213] Input:

[0214] A, the internal representation to be converted.

[0215] Output:

[0216] B[0], . . . , B[m−1], the corresponding external representation.

[0217] Parameters:

[0218] Any required for G

[0219] Constants:

[0220] V_{0}_{0}

[0221] Algorithm:

[0222] proc E

[0223] A←A×V_{0 }

[0224] i←0

[0225] for T in G

[0226] B[i]←T[0]

[0227] i←i+1

[0228] endfor

[0229] endproc

[0230] The above version of the E_{0}_{0}_{0}

[0231] Algorithm:

[0232] proc E

[0233] i←0

[0234] for W in G

[0235] B[i]←h(W×A)

[0236] i←i+1

[0237] endfor

[0238] endproc

[0239] This version of the E

[0240] 2.2 Efficient External Shifting

[0241] With knowledge of the formula for a polynomial* basis, a method for shifting an element's representation in the polynomial* basis can also be derived. The algorithm uses the recursive formula for generating ξ_{i }_{i−1}_{m−1 }^{−1}_{0}^{−1}

[0242] To prove the above claim, repeated applications of the formula to the identity element _{0 }_{i}^{−1 }

^{2}^{m−1}^{−1}^{1}^{m−2}

[0243] First, ξ_{0 }_{i }_{1}^{−1}_{0}^{−1}_{1 }_{1}_{m−1}^{−1}_{0}_{m−1}^{−1}_{m−1}

_{m−1}^{−1}_{0}_{m−1}^{−1}

[0244] Now the technique for shifting in the polynomial* basis will be demonstrated. Let ε be any element.

_{0}_{1}_{m−1 }

_{0}_{1}_{m−1 }

_{1}_{2}_{m−1}

^{−1}_{1}_{2}_{m−1 }

[0245] Thus, if ε is an element, then ζ^{−1}^{−1}^{−1}_{0}^{−1}

^{−1}^{−1}_{0}^{−1}^{−1}_{0}_{0}^{m−1}

[0246] The following is an algorithm for shifting in the polynomial* basis, based on the above-described shifting technique.

[0247] Input/Output:

[0248] A, the internal representation of the element to be shifted.

[0249] Parameters:

[0250] m, the degree of the finite field.

[0251] Constants:

[0252] YH, the internal representation of ζγ^{−1}

[0253] I, the internal representation of the identity element,

[0254] V_{0}_{0}_{0}

[0255] Z, the internal representation of the scaling factor.

[0256] Algorithm:

[0257] proc S

[0258] A←A×YH

[0259] T←A×V_{0 }

[0260] A←A−T[0]×I

[0261] A←A×Z

[0262] endproc

[0263] Another variation of this algorithm which does not require the constant I is the following:

[0264] Algorithm:

[0265] proc S

[0266] A←A×YH

[0267] T←A×V_{0 }

[0268] T←T[0]×Z

[0269] A←A×Z

[0270] A←A−T

[0271] endproc

[0272] A further variation of the S

[0273] Algorithm:

[0274] proc S

[0275] A←A×YH

[0276] T←A×V_{0 }

[0277] A←A×Z

[0278] A←A−T[0]×Z

[0279] endproc

[0280] Another variation of the S

[0281] Algorithm:

[0282] proc S

[0283] T←A×V_{0}

[0284] A←A×H

[0285] A←A−T[0]×Z

[0286] endproc

[0287] _{0 }^{−1}_{0 }_{0}_{0}

[0288] It should also be noted that S

[0289] Algorithm:

[0290] iter G

[0291] T←Z

[0292] yield T

[0293] for i from 1 to m−1 do

[0294] S

[0295] yield T

[0296] endfor

[0297] enditer

[0298] The algorithms G

[0299]

[0300] It should be noted that in a case in which YH=I, the first multiplication may be suppressed (and the last multiplication is by H) and in a case in which Z=I, the last multiplication may be suppressed. Various straightforward rearrangements of S

[0301] Similar to G

[0302] 2.2.1 Importing from a Polynomial* Basis by Shift-Insert

[0303] The algorithm I

[0304] Input:

[0305] B[0], . . . , B[m−1], the external representation to be converted.

[0306] Output:

[0307] A, the corresponding internal representation.

[0308] Parameters:

[0309] m, the degree of the finite field, and any required for S

[0310] Constants:

[0311] Z, the internal representation of the scaling factor, and any other constants required for S

[0312] Algorithm:

[0313] proc I

[0314] A←B[m−1]×Z

[0315] for i from m−2 downto 0 do

[0316] S

[0317] A←A+B[i]×Z

[0318] endfor

[0319] endproc

[0320] The algorithm I

[0321] A possible improvement on this algorithm is to insert multiple coefficients per iteration, as in the basis converter of _{m/2}

[0322] Algorithm:

[0323] proc I

[0324] A←B[m−1]×Z

[0325] A←A+B[(m/2)−1]×V

[0326] for i from m−2 downto (m/2) do

[0327] S

[0328] A←A+B[i]×Z

[0329] A←A+B[i−(m/2)]×V

[0330] endfor

[0331] endproc

[0332] This reduces the number of external shifts by a factor of 2. A similar improvement can be made with a factor of k, as mentioned previously, using the basis converter of

[0333] Another version of the I

[0334] Algorithm:

[0335] proc I

[0336] A←0

[0337] for i from m−1 downto (m/2) do

[0338] S

[0339] A←A+B[i]×Z

[0340] A←A+B[i−(m/2)]×V

[0341] endfor

[0342] endproc

[0343] In this version of the algorithm, the loop is started at m−1 in order to reduce the number of statements in the algorithm.

[0344] 2.2.2 Exporting to a Polynomial* Basis by Shift-Extract

[0345] The algorithm E

[0346] Input:

[0347] A, the internal representation to be converted.

[0348] Output:

[0349] B[0], . . . , B[m−1], the corresponding external representation.

[0350] Parameters:

[0351] m, the degree of the finite field, and any required for S

[0352] Constants:

[0353] V_{m−1}_{m−1}

[0354] Algorithm:

[0355] proc E

[0356] for i from m−1 downto 0 do

[0357] T←A×V_{m−1 }

[0358] B[i]←T[0]

[0359] S

[0360] endfor

[0361] endproc

[0362] The algorithm E_{m/2−1 }_{m/2−1}

[0363] Algorithm:

[0364] proc E

[0365] for i from m−1 downto m/2 do

[0366] T←A×V_{m−1 }

[0367] B[i]←T[0]

[0368] T←A×V_{m/2−1 }

[0369] B[i−m/2]←T[0]

[0370] S

[0371] endfor

[0372] endproc

[0373] This is more efficient, since in the second version of the algorithm, there are half as many shifts as in the first version. A similar improvement can be made with a factor of k, as mentioned previously, using the basis converter of

[0374] Let γ, . . . , γ^{q}^{m−1 }^{m}^{m}_{0}_{0}_{0}_{1}_{m−1 }_{0}_{1}_{m−1 }

_{0}^{1}_{0}_{1}^{−1}_{1}_{m−1}^{−1}_{m−1 }

[0375] where ξ_{0}_{1}^{(q}^{i}^{−1)/(q−1) }_{0}^{q}_{0}^{q}^{i}_{0}_{0}_{1}_{m−1 }_{0}_{1}_{m−1 }

^{1}_{0}

^{1}^{q}^{i}_{0}^{q}^{i}

[0376] To establish the induction, one need only recall the simple result that raising an element ε to the q^{th }_{0}_{1}^{q}_{1}^{q}^{−1}_{i−1}^{−1}^{(q}^{i−1}^{−1)/(q−1) }

^{q}^{i}^{−1}_{i}^{q}^{i}^{−1}^{(q}^{i}^{−1)/(q−1)}^{1}^{q}^{i−1}^{(q}^{i−1}^{−1)/(q−1)}^{q}^{1}^{q}^{i−1}_{i−1}^{q}

[0377] Now, by the definition of σ, h(ζ^{1}_{0}_{1}

^{1}^{q}^{i−1}_{i−1}_{1}^{q}^{i−1}_{i−1}^{q}_{0}^{q}^{i−1}_{i−1}

[0378] With a similar derivation, it follows that

^{1}^{q}^{i−1}_{i−1}^{q}_{0}^{q}^{i−1}_{i−1}

[0379] This establishes the correctness of the formula for the dual basis and also gives a recursion formula: ξ_{i}_{i−1}^{q}_{i }^{th }^{−1}_{0}_{0}

[0380] 3.1 Efficient Basis Generation

[0381] The following algorithm illustrates a technique for efficiently generating the dual of a normal basis in accordance with the invention.

[0382] Input:

[0383] Z, a scaling factor.

[0384] Output:

[0385] W_{0}_{m−1}

[0386] Parameters:

[0387] m, the degree of the finite field; q, the order of the ground field GF(q).

[0388] Constants:

[0389] S, the internal representation of the normal* basis generator.

[0390] Algorithm:

[0391] iter G

[0392] T←Z

[0393] W←S

[0394] yield T

[0395] for i from 1 to m−1 do

[0396] T←T×W

[0397] W←W^{q }

[0398] yield T

[0399] endfor

[0400] enditer

[0401] Typically, Z will be the internal representation of the scaling factor. However, sometimes one may wish to use a value 0 for Z, which does not correspond to any linear function. If Z does correspond to a linear function, the output is the normal* basis with respect to the linear function corresponding to Z. In all cases, the output is the canonical normal* basis scaled by Z, and in the case that Z=0, the output will always be zero. Assuming Z is nonzero, the following establishes the correctness of the algorithm. After the first iteration, G^{−1}^{−1}^{−1}^{−1}^{q+1}^{−1}^{q}^{2}^{+1}

[0402] ^{q}

[0403] Other forms of G

[0404] Algorithm:

[0405] iter G

[0406] W←U

[0407] yield W×ZU^{−1 }

[0408] for i from 1 to m−1 do

[0409] W←W^{q }

[0410] yield W×ZU^{−1 }

[0411] endfor

[0412] enditer

[0413] In this alternate algorithm, U is a (q−1)^{st }^{(q}^{m}^{−1)/(q−1)}

[0414] In general, the above and other forms of G

[0415] 3.1.1 Importing from a Normal* Basis by Generate-Accumulate

[0416] The algorithm I

[0417] Input:

[0418] B[0], . . . , B[m−1], the external representation to be converted.

[0419] Output:

[0420] A, the corresponding internal representation.

[0421] Parameters:

[0422] Any required for G

[0423] Constants:

[0424] Z, the internal basis representation of the scaling factor, and any other constants required for G

[0425] Algorithm:

[0426] proc I

[0427] A←0

[0428] i←0

[0429] for W in G

[0430] A←A+B[i]×W

[0431] i←i+1

[0432] endfor

[0433] endproc

[0434] The I

[0435] 3.1.2 Exporting to a Normal Basis by Generate*-Evaluate

[0436] The algorithm E

[0437] Input:

[0438] A, the internal representation to be converted.

[0439] Output:

[0440] B[0], . . . , B[m−1], the corresponding external representation.

[0441] Parameters:

[0442] Any required for G

[0443] Constants:

[0444] V_{0}_{0}

[0445] Algorithm:

[0446] proc E

[0447] A←A×V_{0 }

[0448] i←0

[0449] for T in G

[0450] B[i]←T[0]

[0451] i←i+1

[0452] endfor

[0453] endproc

[0454] The above version of the E_{0}_{0}_{0}

[0455] Algorithm:

[0456] proc E

[0457] i←0

[0458] for W in G

[0459] B[i]←h(W×A)

[0460] i←i+1

[0461] endfor

[0462] endproc

[0463] This version of the E

[0464] 3.2 Efficient External Shifting

[0465] The present invention also provides an efficient method for shifting (e.g., doing a rotation) of an element's representation in the normal* basis. A claim that may be desirable to prove is that ξ_{m}^{(q}^{m}^{−1)/(q−1)}_{0}_{1}_{m−1 }^{(q}^{m−1}^{−1)/(q−1)}^{q}^{(q}^{m}^{−1)/(q−1)}_{m}

[0466] By definition of the dual basis, the sequence of values output by h_{0 }_{m}^{(q}^{m}^{−1)/(q−1) }_{m}^{(q}^{m}^{−1)/(q−1)}_{0}^{q}^{m}

[0467] The following demonstrates the technique for shifting in the normal* basis.

_{0}_{m−2}_{m−1 }

_{0}_{m−2}_{m−1 }

^{q}_{0}_{1}_{m−1 }

^{−1}^{q}_{0}_{1}_{m−1 }

[0468] Another way to compute ζ^{−1}^{q }^{q−1}^{q}

[0469] Input/Output:

[0470] A, the internal representation to be shifted.

[0471] Parameters:

[0472] m, the degree of the finite field; q, the order of the ground field.

[0473] Constants:

[0474] SZ^{1−q }^{−1}^{1−q }^{q−1}

[0475] Algorithm:

[0476] proc S

[0477] A←A^{q }

[0478] A←A×SZ^{1−q }

[0479] endproc

[0480] ^{1−q }

[0481] It should also be noted that S

[0482] Algorithm:

[0483] iter G

[0484] T←Z

[0485] yield T

[0486] for i from 1 to m−1 do

[0487] S

[0488] yield T

[0489] endfor

[0490] enditer

[0491] The algorithms G

[0492]

[0493] ^{q}^{1−q }^{−1 }^{th }

[0494] It should be noted that in a case in which SZ^{1−q}^{−1}^{1−q}

[0495] In general, the above and other forms of S

[0496] 3.2.1 Importing from a Normal* Basis by Shift-Insert

[0497] The algorithm I

[0498] Input:

[0499] B[0], . . . , B[m−1], the external representation to be converted.

[0500] Output:

[0501] A, the corresponding internal representation

[0502] Parameters:

[0503] m, the degree of the finite field.

[0504] Constants:

[0505] Z, the internal representation of the scaling factor, and any other constants required for S

[0506] Algorithm:

[0507] proc I

[0508] A←B[m−1]×Z

[0509] for i from m−2 downto 0 do

[0510] S

[0511] A←A+B[i]×Z

[0512] endfor

[0513] endproc

[0514] The algorithm I^{(q}^{m/2}^{−1)/(q−1)}_{m/2}

[0515] Algorithm:

[0516] proc I

[0517] A←B[m−1]×Z

[0518] A←A+B[(m/2)−1]×V

[0519] for i from m−2 downto m/2 do

[0520] S

[0521] A←A+B[i]×Z

[0522] A←A+B[i−(m/2)]×V

[0523] endfor

[0524] endproc

[0525] This second version reduces the number of external shifts by a factor of 2. A similar improvement can be made with a factor of k, as mentioned previously, using the basis converter of

[0526] Another version of the I

[0527] Algorithm:

[0528] proc I

[0529] A←0

[0530] for i from m−1 downto (m/2) do

[0531] S

[0532] A←A+B[i]×Z

[0533] A←A+B[i−(m/2)]×V

[0534] endfor

[0535] endproc

[0536] In this version of the algorithm, the loop is started at m−1 in order to reduce the number of statements in the algorithm.

[0537] 3.2.2 Exporting to a Normal* Basis by Shift-Extract

[0538] The algorithm E

[0539] Input:

[0540] A, the internal representation to be converted.

[0541] Output:

[0542] B[0], . . . , B[m−1], the corresponding external representation.

[0543] Parameters:

[0544] m, the degree of the finite field, and any parameters required for S

[0545] Constants:

[0546] V_{m−1}_{m−1}

[0547] Algorithm:

[0548] proc E

[0549] for i from m−1 downto 0 do

[0550] T←A×V_{m−1 }

[0551] B[i]←T[0]

[0552] S

[0553] endfor

[0554] endproc

[0555] The algorithm E_{m/2−1 }_{m/2−1}

[0556] Algorithm:

[0557] proc E

[0558] for i from m−1 downto m/2 do

[0559] T←A×V_{m−1 }

[0560] B[i]←T[0]

[0561] T←A×V_{m/2−1 }

[0562] B[i−m/2]←T[0]

[0563] S

[0564] endfor

[0565] endproc

[0566] This is more efficient, since in the second version of the algorithm, there are half as many shifts as in the first version. A similar improvement can be made with a factor of k, as mentioned previously, using the basis converter of

[0567] It should be noted that the algorithms described above may be extended to the case in which the internal and external basis have different ground fields, as described in U.S. application Ser. No. 08/851,045. For example, if a ground field is represented in terms of polynomial* or normal* basis, the techniques described in U.S. application Ser. No. 08/851,045 can be applied to process subcoefficients during import and/or export operations.

[0568] The basis converters described herein may be implemented in the form of a processor which operates in conjunction with a memory to control the processing operations of the basis converter. The processor and memory may be part of a user terminal in a cryptographic system such as those to be described in conjunction with

[0569] The basis conversion techniques of the present invention can be implemented in a wide variety of cryptographic applications such as, for example, the applications described in U.S. application Ser. No. 08/851,045. The techniques of the present invention are particularly well suited for use in cryptographic applications which make use of elliptic curve cryptosystems and/or finite field arithmetic. Moreover, because the invention provides basis conversion techniques which require relatively little storage capacity as compared to conventional techniques, the invention is also well suited for use in memory-limited cryptographic applications.

[0570]

[0571] The system

[0572] A particular one of the users

[0573]

[0574] It should be emphasized that the basis conversion techniques described herein are exemplary and should not be construed as limiting the present invention to any particular embodiment or group of embodiments. Numerous alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.