U.S. patent application number 09/919664 was filed with the patent office on 2001-12-27 for efficient finite field basis conversion involving a dual basis.
Invention is credited to Kaliski, Burton S., Liskov, Moses.
Application Number | 20010056452 09/919664 |
Document ID | / |
Family ID | 26747317 |
Filed Date | 2001-12-27 |
United States Patent
Application |
20010056452 |
Kind Code |
A1 |
Kaliski, Burton S. ; et
al. |
December 27, 2001 |
Efficient finite field basis conversion involving a dual basis
Abstract
The invention provides apparatus and methods for use in basis
conversion involving a dual basis, such as a dual of a polynomial
basis or dual of a normal basis. The invention in an illustrative
embodiment includes basis generators for generating elements of a
dual of a polynomial or a normal basis of a finite field
GF(q.sup.m), where q is a prime number or power of a prime number
and m is an integer greater than or equal to 2. The basis
generators can be used in "import" basis conversion, such as
converting a representation in an external basis to a
representation in an internal dual of a polynomial basis or dual of
a normal basis, as part of a generate-accumulate algorithm, or in
"export" basis conversion, such as converting a representation in
an internal dual of a polynomial basis or dual of a normal basis to
a representation in an external basis, as part of a
generate-evaluate algorithm. The invention also includes basis
shifters which generate a shifted version of a representation in an
internal polynomial or normal basis. The basis shifters may be used
in import basis conversion as part of a shift-insert algorithm, or
in export basis conversion as part of a shift-extract algorithm.
The basis shifters may also be used to provide alternative
shift-based basis generators. The basis conversion techniques of
the invention significantly increase the storage and computational
efficiency of dual basis operations in cryptographic systems and
other applications.
Inventors: |
Kaliski, Burton S.;
(Wellesley, MA) ; Liskov, Moses; (Waltham,
MA) |
Correspondence
Address: |
TESTA, HURWITZ & THIBEAULT, LLP
HIGH STREET TOWER
125 HIGH STREET
BOSTON
MA
02110
US
|
Family ID: |
26747317 |
Appl. No.: |
09/919664 |
Filed: |
July 31, 2001 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
09919664 |
Jul 31, 2001 |
|
|
|
09195346 |
Nov 18, 1998 |
|
|
|
6286022 |
|
|
|
|
60066937 |
Nov 18, 1997 |
|
|
|
Current U.S.
Class: |
708/492 |
Current CPC
Class: |
G06F 7/724 20130101 |
Class at
Publication: |
708/492 |
International
Class: |
G06F 007/00 |
Claims
What is claimed is:
1. An apparatus for determining elements in a dual of a polynomial
basis for a finite field, the apparatus comprising: a coefficient
generator which generates a coefficient in the polynomial basis; a
multiplier for multiplying a first value by a function of a
generator of the polynomial basis; and a subtractor for subtracting
a function of the coefficient from one of an output of the
multiplier and an input value, such that an output of one of the
subtractor and the multiplier corresponds to a second value which
is used to provide a shifted version of the input value in the dual
of the polynomial basis.
2. The apparatus of claim 1 wherein the first value corresponds to
the input value, the output of the multiplier is applied to an
input of the subtractor and to an input of the coefficient
generator, such that the subtractor subtracts the function of the
coefficient from the output of the multiplier, the output of the
subtractor corresponds to the second value, and the coefficient
generator utilizes the output of the multiplier to generate the
coefficient.
3. The apparatus of claim 1 wherein the first value corresponds to
the input value, the output of the multiplier is applied to an
input of the subtractor, such that the subtractor subtracts the
function of the coefficient from the output of the multiplier, the
output of the subtractor corresponds to the second value, and the
coefficient generator utilizes the input value to generate the
coefficient.
4. The apparatus of claim 1 wherein the first value corresponds to
an output of the subtractor, the coefficient generator utilizes the
input value to generate the coefficient, the subtractor subtracts
the function of the coefficient from the input value, the output of
the subtractor is applied to an input of the multiplier, and the
output of the multiplier corresponds to the second value.
5. The apparatus of claim 1 wherein the operations of the
coefficient generator, multiplier and subtractor are repeated to
provide additional shifted versions of the input value in the dual
of the polynomial basis, and wherein the shifted versions of the
input value are used to generate elements of the dual of the
polynomial basis.
6. The apparatus of claim 1 further including a looping mechanism
operative to repeat the operations of the coefficient generator,
multiplier and subtractor so as to generate a plurality of shifted
versions of elements in the dual of the polynomial basis, wherein
each non-initial iteration of the loop starts with the input value
set to the second value generated in the previous iteration of the
loop.
7. The apparatus of claim 1 wherein the input value initially
corresponds to an identity element and the dual of the polynomial
basis is a canonical polynomial basis.
8. The apparatus of claim 1 further including an additional
multiplier for multiplying the second value by a scaling factor to
generate a shifted version of an element in the dual of the
polynomial basis.
9. The apparatus of claim 8 wherein the scaling factor corresponds
to a linear function.
10. The apparatus of claim 1 wherein the coefficient generator
generates the coefficient using a coefficient extractor which
determines a coefficient of a representation of an element in the
polynomial basis.
11. The apparatus of claim 1 wherein the coefficient generator
generates the coefficient using an additional multiplier in
conjunction with a coefficient selector.
12. The apparatus of claim 1 wherein the coefficient generated by
the coefficient generator is computed as a function of V.sub.0,
where V.sub.0 is an element such that (A.times.V.sub.0)
[0]=h.sub.0(A) in the polynomial basis, and where h.sub.0(A) is a
function whose output is a coefficient of A when A is represented
in the polynomial basis.
13. The apparatus of claim 12 wherein the coefficient generated by
the coefficient generator is of the form (W.times.V.sub.0)[0].
14. The apparatus of claim 1 wherein the multiplier multiplies the
first value by a function YH, where Y is the inverse of a scaling
factor and H is the inverse of the polynomial basis generator.
15. The apparatus of claim 1 wherein the multiplier multiplies the
first value by a function H, where H is the inverse of the
polynomial basis generator.
16. The apparatus of claim 12 wherein the coefficient generated by
the coefficient generator is computed as a function of V.sub.0YH,
where Y is the inverse of a scaling factor and H is the inverse of
the polynomial basis generator.
17. The apparatus of claim 1 wherein at least a subset of the
coefficient generator, multiplier and subtractor are implemented in
a processor which is operative to convert a representation in an
external dual of a polynomial basis to a representation in an
internal basis using a generate-accumulate algorithm.
18. The apparatus of claim 1 wherein at least a subset of the
coefficient generator, multiplier and subtractor are implemented in
a processor which is operative to convert a representation in an
internal basis to a representation in an external polynomial basis
using a generate-evaluate algorithm which generates a dual of the
polynomial basis.
19. The apparatus of claim 1 wherein at least a subset of the
coefficient generator, multiplier and subtractor are implemented in
a processor which is operative to convert a representation in an
external dual of a polynomial basis to a representation in an
internal basis using a shift-insert algorithm.
20. The apparatus of claim 1 wherein at least a subset of the
coefficient generator, multiplier and subtractor are implemented in
a processor which is operative to convert a representation in an
internal basis to a representation in an external dual of a
polynomial basis using a shift-extract algorithm.
21. An apparatus for determining elements in a dual of a normal
basis for a finite field, the apparatus comprising: an
exponentiator; and a multiplier which is operative to multiply one
of an input value and an output of the exponentiator by a function
of a generator of the dual basis, wherein the multiplier and
exponentiator are configured to operate such that one of the
multiplier and exponentiator generates an output value
corresponding to a shifted version of the input value in the dual
of the normal basis.
22. The apparatus of claim 21 wherein the function of a generator
of the dual basis is also a function of a scaling value.
23. The apparatus of claim 21 wherein the multiplier multiplies the
input value by a function of the generator of the dual basis, and
the exponentiator raises an output of the multiplier to a power to
generate the output value.
24. The apparatus of claim 21 wherein the exponentiator computes a
value representing the input value raised to a power, and the
multiplier generates the output value as a product of the value
computed by the exponentiator multiplied by a function of the
generator.
25. The apparatus of claim 21 wherein the operations of the
exponentiator and multiplier are repeated to provide additional
output values corresponding to shifted versions of the input value
in the dual of the normal basis, and wherein the output values are
used to generate elements of the dual of the normal basis.
26. The apparatus of claim 21 further including a looping mechanism
operative to repeat the operations of the exponentiator and
multiplier so as to generate a plurality of shifted versions of
elements in the dual of the normal basis, wherein each non-initial
iteration of the loop starts with the input value set to the output
value generated in the previous iteration of the loop.
27. The apparatus of claim 21 wherein the input value initially
corresponds to an identity element and the dual of the normal basis
is a canonical normal basis.
28. The apparatus of claim 21 an initial value of the input value
corresponds to a scaling factor.
29. The apparatus of claim 28 wherein the scaling factor
corresponds to a linear function.
30. The apparatus of claim 21 wherein the multiplier multiplies one
of the input value and the output value by a function SZ.sup.1-q
where S is a generator of the dual of the normal basis, Z is a
scaling factor and q is a prime or a power of a prime.
31. The apparatus of claim 21 wherein the multiplier multiplies one
of the input value and the output value by a function SZ, where S
is a generator of the dual of the normal basis, and Z is a scaling
factor.
32. The apparatus of claim 21 wherein the multiplier multiplies one
of the input value and the output value by a qth root of SZ.sup.1-q
where S is a generator of the dual of the normal basis, Z is a
scaling factor and q is a prime or a power of a prime.
33. The apparatus of claim 21 further including an additional
multiplier for multiplying one of the input value and the output
value by a function of a scaling factor.
34. The apparatus of claim 21 wherein at least one of the
exponentiator and multiplier are implemented in a processor which
is operative to convert a representation in an external dual of a
normal basis to a representation in an internal basis using a
generate-accumulate algorithm.
35. The apparatus of claim 21 wherein at least one of the
exponentiator and multiplier are implemented in a processor which
is operative to convert a representation in an internal basis to a
representation in an external normal basis using a
generate-evaluate algorithm which generates a dual of the normal
basis.
36. The apparatus of claim 21 wherein at least one of the
exponentiator and multiplier are implemented in a processor which
is operative to convert a representation in an external dual of a
normal basis to a representation in an internal basis using a
shift-insert algorithm.
37. The apparatus of claim 21 wherein at least one of the
exponentiator and multiplier are implemented in a processor which
is operative to convert a representation in an internal basis to a
representation in an external dual of a normal basis using a
shift-extract algorithm.
38. An apparatus for determining elements of a dual of a normal
basis for a finite field, the apparatus comprising: an
exponentiator which raises an input value to a power, wherein the
output of the exponentiator is applied to its input such that the
exponentiator repeats the raising to a power operation a designated
number of times; and a multiplier which is operative to multiply an
output of the exponentiator, generated after the designated number
of repetitions, by a scaling factor which is a function of a
(q-1).sup.st root of S, where S is a generator of the normal basis
and q is a prime or a power of a prime, such that an output of the
multiplier corresponds to an element of the dual of the normal
basis.
39. The apparatus of claim 38 wherein an initial value of the input
value corresponds to a (q-1).sup.st root of S.
40. The apparatus of claim 38 wherein the operations of the
exponentiator and multiplier are repeated to generate additional
elements of the dual of the normal basis.
41. An apparatus for determining elements of a dual of a normal
basis for a finite field, the apparatus comprising: an
exponentiator which raises an input value to a power, wherein the
output of the exponentiator is applied to its input such that the
exponentiator repeats the raising to a power operation a designated
number of times; and a multiplier which is operative to multiply an
output of the exponentiator, generated after the designated number
of repetitions, by one of an initial value and a
previously-generated output of the multiplier, such that a current
output of the multiplier corresponds to an element of the dual of
the normal basis.
42. The apparatus of claim 41 wherein the operations of the
exponentiator and multiplier are repeated to generate additional
elements of the dual of the normal basis.
43. The apparatus of claim 41 wherein the input value is initially
set to a function of a generator of the dual basis.
44. The apparatus of claim 41 wherein the input value initially
corresponds to an identity element.
45. The apparatus of claim 41 wherein the initial value corresponds
to a scaling factor.
46. The apparatus of claim 41 wherein the initial value corresponds
to an identity element.
47. A method of determining elements in a dual of a polynomial
basis for a finite field, the method comprising the steps of:
generating a signal corresponding to a coefficient in the
polynomial basis in a coefficient generator; multiplying a signal
corresponding to a first value by a function of a generator of the
polynomial basis in a multiplier; and subtracting a function of the
signal corresponding to the coefficient from one of an output of
the multiplier and an input value in a subtractor, such that an
output of one of the subtractor and the multiplier is used to
provide a shifted version of the input value in the dual of the
polynomial basis.
48. A method for determining elements in a dual of a normal basis
for a finite field, the method comprising: multiplying one of a
signal corresponding to an input value and an output of an
exponentiator by a function of a generator of the dual basis in a
multiplier, wherein the multiplier and exponentiator are configured
to operate such that one of the multiplier and exponentiator
generates an output value corresponding to a shifted version of the
input value in the dual of the normal basis.
49. A method for determining elements of a dual of a normal basis
for a finite field, the method comprising: raising a signal
corresponding to an input value to a power in an exponentiator,
wherein the output of the exponentiator is applied to its input
such that the exponentiator repeats the raising to a power
operation a designated number of times; and multiplying an output
of the exponentiator, generated after the designated number of
repetitions, in a multiplier by a scaling factor which is a
function of a (q-1).sup.st root of S, where S is a generator of the
normal basis and q is a prime or a power of a prime, such that an
output of the multiplier corresponds to an element of the dual of
the normal basis.
50. A method for determining elements of a dual of a normal basis
for a finite field, the method comprising: raising a signal
corresponding to an input value to a power in an exponentiator,
wherein the output of the exponentiator is applied to its input
such that the exponentiator repeats the raising to a power
operation a designated number of times; and multiplying an output
of the exponentiator, generated after the designated number of
repetitions, in a multiplier by one of an initial value and a
previously-generated output of the multiplier, such that a current
output of the multiplier corresponds to an element of the dual of
the normal basis.
Description
RELATED APPLICATION
[0001] The present application claims the benefit of U.S.
Provisional Application Serial No. 60/066,937 filed on Nov. 18,
1997.
FIELD OF THE INVENTION
[0002] The present invention relates generally to techniques for
converting signals of a finite field having one basis to signals of
a finite field having another basis, and more particularly to
finite field basis conversion techniques which involve a dual
basis.
BACKGROUND OF THE INVENTION
[0003] As described in U.S. application Ser. No. 08/851,045, filed
in the name of inventors Burton S. Kaliski Jr. and Yiqun Lisa Yin
on May 5, 1997 and entitled "Methods and Apparatus for Efficient
Finite Field Basis Conversion," and which is incorporated by
reference herein, conversion between different choices of basis for
a finite field is an important problem in today's computer systems,
particularly for cryptographic operations. While it is possible to
convert between two choices of basis by matrix multiplication, the
matrix may be too large for some applications, hence the motivation
for more storage-efficient techniques.
[0004] Elements of a finite field can be represented in a variety
of ways, depending on the choice of basis for the representation.
Let GF(q.sup.m) be the finite field, and let GF(q) be the ground
field over which it is defined, where q is a prime or a prime
power. The characteristic of the field is p where q=p.sup.r for
some r.gtoreq.1. For even-characteristic fields, p=2. The degree of
the field is m; its order is q.sup.m. A basis for the finite field
is a set of m elements .omega..sub.0, . . . ,
.omega..sub.m-1.epsilon.GF(q.sup.m) such that every element of the
finite field can be represented uniquely as a linear combination of
basis elements: 1 = i = 0 m - 1 B [ i ] i
[0005] where B[0], . . . , B[m-1].epsilon.GF(q) are the
coefficients. Two common types of basis are a polynomial basis and
a normal basis. In a polynomial basis, the basis elements are
successive powers of an element .gamma., called the generator:
.omega..sub.i=.gamma..sup.i.
[0006] A polynomial .function. of degree m, called the minimal
polynomial of .gamma., relates the successive powers:
.gamma..sup.m+.function..sub.m-1.gamma..sup.m-1+.function..sub.m-2.gamma..-
sup.m-2+ . . . +.function..sub.1.gamma.+.function..sub.0=0.
[0007] In a normal basis, the basis elements are successive
exponentiations of an element .gamma., again called the
generator:
.omega..sub.i=.gamma..sup.q.sup..sup.i.
[0008] Another common type of basis is a dual basis. Let
.omega..sub.0, . . . , .omega..sub.m-1 be a basis and let h be a
nonzero linear function from GF(q.sup.m) to GF(q), i.e., a function
such that for all .epsilon., .phi.,
h(.epsilon.+.phi.)=h(.epsilon.)+h(.phi.).
[0009] The dual basis of the basis .omega..sub.0, . . . ,
.omega..sub.m-1 with respect to h is the basis .xi..sub.0, . . . ,
.xi..sub.m-1 such that for all i, j, 2 h ( i j ) = { 1 if i = j ; 0
otherwise .
[0010] The dual basis is uniquely defined, and duality is
symmetric: the dual basis with respect to h of the basis
.xi..sub.0, . . . , .xi..sub.m-1 is the basis .omega..sub.0, . . .
, .omega..sub.m-1. A dual basis can be defined for a polynomial
basis, a normal basis, or any other choice of basis, and with
respect to a variety of functions (including, as an example, the
function that evaluates to a particular coefficient of the
representation of the field element in some basis).
[0011] The basis conversion or change-of-basis problem is to
compute the representation of an element of a finite field in one
basis, given its representation in another basis. The problem has
two forms, which distinguish between the internal basis in which
finite field operations are performed, and the external basis to
and from which one is converting:
[0012] Import problem. Given an internal basis and an external
basis for a finite field GF(q.sup.m) and the representation B of a
field element in the external basis (the "external
representation"), determine the corresponding representation A of
the same field element in the internal basis (the "internal
representation").
[0013] Export problem. Given an internal basis and an external
basis for a finite field GF(q.sup.m) and the internal
representation A of a field element, determine the corresponding
external representation B of the same field element.
[0014] A conventional solution to both problems is to apply a
change-of-basis matrix relating the two bases. However, as the
matrix is potentially quite large, and as the operations involved
are not necessarily implementable with operations in either basis,
the matrix-based conversion process may be inefficient in many
important applications.
[0015] Another approach to conversion is to compute with a dual
basis. Consider the problem of converting to the basis
.omega..sub.0, . . . , .omega..sub.m-1, and let .xi..sub.0, . . . ,
.xi..sub.m-1 be its dual basis with respect to some linear function
h. Then by the definition of the dual basis and the linearity of h,
it follows that for all i,
B[i]=h(.epsilon..xi..sub.i).
[0016] One can therefore convert by multiplying by elements of the
dual basis and evaluating the function h, another straightforward
and effective solution, which is efficient provided that the
elements of the dual basis .xi..sub.0, . . . , .xi..sub.m-1 can be
generated efficiently and that the function h can be computed
efficiently. But this approach is again limited by a number of
difficulties. First, the approach requires the elements of the dual
basis, which must either be stored in the form of m.sup.2
coefficients, or computed. Second, it requires the computation of
the function h, which may or may not be efficient. More practical
choices of h have been suggested, such as a particular coefficient
of the representation in some basis. See, for example, S. T. J.
Fenn, M. Benaissa, and D. Taylor, "Finite Field Inversion Over the
Dual Basis," IEEE Transactions on VLSI, 4(1):134-137, March 1996,
which is incorporated by reference herein. But even with a more
practical h, there still remains the problem of determining the
dual basis efficiently. Moreover, the Fenn et al. method is
efficient only when m is very small, and no general efficient
conversion algorithm is given.
[0017] A number of other references describe finite field basis
conversion operations involving dual basis. For example, U.S. Pat.
No. 4,994,995, issued Feb. 19, 1991 to R. W. Anderson, R. L. Gee,
T. L. Nguyen, and M. A. Hassner, entitled "Bit-Serial Division
Method and Apparatus," describes hardware for a converter which
converts an element in GF(2.sup.m) in a polynomial basis
representation to a scalar multiple of its dual basis
representation, where the scalar is an element of the field. The
scalar is chosen so that the scalar multiple of the dual has many
of the same elements as the polynomial basis. The hardware consists
of AND gates, XOR gates, and a table for computing the trace
function. Again, no general conversion algorithm is suggested. I.
S. Hsu, T. K. Truong, L. J. Deutsch, and I. S. Reed, "A Comparison
of VLSI Architecture of Finite Field Multipliers using Dual,
Normal, or Standard Bases," IEEE Transactions on Computers,
37(6):735-739, June 1988, discloses conventional techniques for
converting between polynomial and dual bases. D. R. Stinson, "On
Bit-Serial Multiplication and Dual Bases in GF(2.sup.m)," IEEE
Transactions on Information Theory, 37(6):1733-1737, November 1991,
describes change-of-basis matrices between polynomial and dual
bases. Given a polynomial basis such that the change-of-basis
matrix M from the dual basis to some scalar (c.epsilon.GF(2.sup.m))
times the polynomial basis has as few "1" entries as possible,
efficient bit-serial multiplication is possible. Given the minimal
polynomial of .alpha., a generator of the polynomial basis, the
Stinson reference gives simple formulae computing a scalar c and
the weight of the matrix M. Although the above-cited references
disclose numerous conventional techniques for converting between a
polynomial basis and its dual basis, these techniques are generally
inefficient in terms of memory, and may also be inefficient in
terms of computation time.
[0018] The above-cited U.S. application Ser. No. 08/851,045
introduced the "shift-extract" technique of basis conversion, and
also provided several storage-efficient and computation-efficient
algorithms based on that technique for converting to and from a
polynomial or normal basis. The conversion algorithms described
therein overcome many of the problems associated with the
previously-described conventional approaches. However, a need
remains for further improvements in finite field basis conversion,
particularly with regard to techniques involving dual basis.
[0019] It is therefore an object of the present invention to
provide efficient finite field basis conversion techniques
involving dual basis which do not require an excessively large
amount of storage or an excessively large number of operations, and
which take advantage of the built-in efficiency of finite field
operations in one basis, rather than implementing new operations
such as matrix multiplications.
SUMMARY OF THE INVENTION
[0020] The invention provides apparatus and methods for use in
basis conversion involving dual basis, such as a dual of a
polynomial basis or dual of a normal basis. For example, the
invention includes efficient basis generators for generating the
dual of a polynomial or normal basis. In accordance with the
invention, these generators are implemented in generate-accumulate
import basis converters and conversion algorithms, and
generate-evaluate export basis converters and conversion
algorithms. The invention also includes efficient basis shifters
for performing shifting operations in a dual of a polynomial basis
or normal basis. In accordance with the invention, these basis
shifters are implemented in shift-insert import basis converters
and conversion algorithms, and shift-extract export basis
converters and conversion algorithms. The basis shifters may also
be used to provide alternative shift-based basis generators.
[0021] The basis conversion techniques of the invention
significantly increase the storage and computational efficiency of
dual basis conversion operations in cryptographic systems and other
applications, relative to the conventional dual basis conversion
approaches described previously. The basis converters and
conversion algorithms in accordance with the invention are
computationally efficient in that they involve primarily or
exclusively finite-field operations, rather than more complex
operations such as matrix multiplications, and thus benefit from
available optimizations for finite-field operations. The invention
may be used, for example, to convert from a polynomial basis or a
normal basis to a corresponding dual basis, and vice versa, in
order to simplify cryptographic operations. These and other
features of the present invention will become more apparent from
the accompanying drawings and the following detailed
description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] FIG. 1 shows a basis converter which performs import
operations using a generate-accumulate method in accordance with
the present invention.
[0023] FIGS. 2A and 2B show basis converters which perform import
operations using a shift-insert method in accordance with the
present invention.
[0024] FIGS. 3A and 3B show basis converters which perform export
operations using a generate*-evaluate method in accordance with the
present invention.
[0025] FIGS. 4A and 4B show basis converters which perform export
operations using a shift-extract method in accordance with the
present invention.
[0026] FIG. 5 shows a polynomial* basis generator in accordance
with the present invention.
[0027] FIG. 6 shows a polynomial* basis external shifter in
accordance with the present invention.
[0028] FIG. 7 shows an alternative polynomial* basis generator in
accordance with the present invention.
[0029] FIG. 8 shows a normal* basis generator in accordance with
the present invention.
[0030] FIG. 9 shows a normal* basis external shifter in accordance
with the present invention.
[0031] FIGS. 10 and 11 show an alternative normal* basis generator
and an alternative normal* basis shifter, respectively, in
accordance with the present invention.
[0032] FIGS. 12A and 12B illustrate exemplary cryptographic systems
in which the basis conversion techniques of the present invention
may be implemented.
DETAILED DESCRIPTION OF THE INVENTION
[0033] The present invention will be described in several sections
below in accordance with the following outline.
[0034] 1.0 Overview of Basis Conversion Techniques
[0035] 1.1 Import Algorithms
[0036] 1.1.1 Generate-Accumulate Method
[0037] 1.1.2 Shift-Insert Method
[0038] 1.2 Export Algorithms
[0039] 1.2.1 Generate*-Evaluate Method
[0040] 1.2.2 Shift-Extract Method
[0041] 1.3 Summary Tables
[0042] 2.0 Techniques Involving the Dual of a Polynomial Basis
[0043] 2.1 Efficient Basis Generation
[0044] 2.1.1 Importing from a Polynomial* Basis by
Generate-Accumulate
[0045] 2.1.2 Exporting to a Polynomial Basis by
Generate*-Evaluate
[0046] 2.2 Efficient External Shifting
[0047] 2.2.1 Importing from a Polynomial* Basis by Shift-Insert
[0048] 2.2.2 Exporting to a Polynomial* Basis by Shift-Extract
[0049] 3.0 Techniques Involving the Dual of a Normal Basis
[0050] 3.1 Efficient Basis Generation
[0051] 3.1.1 Importing from a Normal* Basis by
Generate-Accumulate
[0052] 3.1.2 Exporting to a Normal Basis by Generate*-Evaluate
[0053] 3.2 Efficient External Shifting
[0054] 3.2.1 Importing from a Normal* Basis by Shift-Insert
[0055] 3.2.2 Exporting to a Normal* Basis by Shift-Extract
[0056] 4.0 Applications
[0057] As noted above, U.S. application Ser. No. 08/851,045
introduced the "shift-extract" technique of basis conversion, and
also provided several storage-efficient algorithms based on that
technique for converting to a polynomial or normal basis. The
present invention provides techniques involving the dual of a
polynomial or normal basis, including storage-efficient generation
of a dual basis and storage-efficient shifting in such a basis. The
present invention may be used in combination with the
"shift-extract" technique of U.S. application Ser. No. 08/851,045
as well as other basis conversion techniques, but also provides
several new storage-efficient and computation-efficient algorithms
for converting to and from the dual of a polynomial or normal
basis, as well as additional algorithms for converting to a
polynomial or normal basis. Like the invention described in U.S.
application Ser. No. 08/851,045, the present invention applies both
to even-characteristic and odd-characteristic finite fields of
degree greater than one, though even-characteristic processing is
the most likely application since it is generally more common in
practice. It should be noted that in certain special cases, a given
dual basis may be the same as the corresponding polynomial or
normal basis. These so-called "self-dual" bases can be generated
using conventional techniques, and thus do not require the dual
basis techniques described herein.
1.0 Overview of Basis Conversion Techniques
[0058] An overview of the basis conversion techniques of the
present invention will now be provided. Algorithms for particular
choices of basis will then be described in greater detail in
subsequent sections. In the following description, the dual of a
polynomial basis will be denoted as a polynomial* basis, and the
dual of a normal basis will be denoted as a normal* basis. Although
the problem of conversion between two choices of basis involving
different ground fields is not addressed in this description, it
will be apparent to those skilled in the art that the described
techniques can be readily applied to this problem in a
straightforward manner, as illustrated in U.S. application Ser. No.
08/851,045.
[0059] It should also be noted that for all the techniques
described, it may be possible to improve efficiency by working with
a scaled version of the intended basis, as the conversion process
may be simpler for certain scaling factors. During an export
operation, the element to be converted would be multiplied by the
scaling factor before conversion to the external basis, and during
an import operation, the element would be multiplied by the inverse
of the scaling factor after conversion. Since a scaled version of a
basis is also in general a basis, the general techniques described
herein apply, the multiplication by the scaling factor or its
inverse being considered simply as an additional processing
step.
[0060] 1.1 Import Algorithms
[0061] Given an internal basis and an external basis for a finite
field and the representation B of a field element in the external
basis, an import algorithm determines the corresponding
representation A of the same field element in the internal basis.
Two general methods for determining the internal representation A
are described below: the generate-accumulate method and the
shift-insert method.
[0062] 1.1.1 Generate-Accumulate Method
[0063] The Generate-Accumulate method computes the internal
representation A by accumulating the products of coefficients B[i]
with successive elements of the external basis, as in the equation
3 A = i = 0 m - 1 B [ i ] i
[0064] where W.sub.0, . . . , W.sub.m-1 are the internal-basis
representations of the elements of the external basis. The basic
form of algorithm for this method, which is well known in the prior
art, is as follows:
[0065] proc ImportByGenAccum
[0066] A.rarw.0
[0067] for i from 0 to m-1 do
[0068] A.rarw.A+B[i].times.W.sub.i
[0069] end for
[0070] end proc
[0071] As written, this conventional algorithm requires storage for
the m values W.sub.0, . . . , W.sub.m-1, and is therefore not
storage efficient. To reduce the storage requirement, it is
necessary to generate the values as part of the algorithm. This is
straightforward when the external basis is a polynomial basis or a
normal basis. The variant algorithm mentioned in the conjunction
with the algorithms ImportPoly and ImportNormal in U.S. application
Ser. No. 08/851,045 follows this method.
[0072] FIG. 1 shows a basis converter which implements the
Generate-Accumulate import algorithm. An external basis
representation (B) 1 is stored in an input register 2. At each step
of a looping mechanism 9, a coefficient selector 4 and a basis
generator 3 respectively select and generate the pair (B[i],
W.sub.i), which are multiplied in a multiplier 5, and accumulated
by an adder 6 into an output register 7. Unless otherwise stated,
all output registers shown herein are assumed to hold the value
zero initially, or to be initialized to zero before the start of
the conversion algorithm. Once the loop is finished, the content of
register 7 is output as an internal representation (A) 8. The basis
generator 3 could be, for example, a polynomial* basis generator
(see FIG. 5), a normal* basis generator (see FIG. 8), or a normal
or polynomial basis generator.
[0073] The present invention provides algorithms for generating the
values for a polynomial* or normal* basis, called GenPoly* and
GenNormal*, which lead to two new conversion algorithms for
polynomial* and normal* bases, ImportPoly*ByGenAccum and
ImportNormal*ByGenAccum.
[0074] 1.1.2 Shift-Insert Method
[0075] The Shift-Insert method computes the internal representation
A by "shifting" an intermediate variable in the external basis, and
inserting successive coefficients between the shifts. This follows
the same concept as the shift-extract method to be described below.
Let Shift be a function that shifts an element in the external
basis, i.e., a function such as one which given the internal
representation of an element with external representation
B[0] B[1] . . . B[m-2] B[m-1]
[0076] computes the internal representation of the element with
external representation
B[m-1] B[0] . . . B[m-3] B[m-2].
[0077] Other forms of shifting are possible, including shifting in
the reverse direction, or shifting where the value 0 rather than
B[m-1] is shifted in.
[0078] The basic form of algorithm for this method is as
follows:
[0079] proc ImportByShiftInsert
[0080] A.rarw.0
[0081] for i from m-1 downto 0 do
[0082] Shift(A)
[0083] A.rarw.A+B[i].times.W.sub.0
[0084] endfor
[0085] endproc
[0086] The direction of the for loop may vary depending on the
direction of the shift. The algorithm has the advantage over
ImportByGenAccum that more than one coefficient can readily be
processed per iteration, regardless of the basis. If one wishes to
reduce the number of shifts by a factor of k, k-fold insertion can
be performed at each iteration of the loop. If k does not divide m,
some of the insertions may have to be performed outside of the loop
(in ImportByGenAccum, a similar improvement can only be done for
certain choices of basis). However, an efficient Shift function is
required. The algorithms ImportPoly and ImportNormal in U.S.
application Ser. No. 08/851,045 follow this method.
[0087] FIG. 2A shows a basis converter which implements the
Shift-Insert import algorithm. The external basis representation 1
is stored in the input register 2. At each step of a looping
mechanism 16, a coefficient selector 10 selects one coefficient
B[i] of the external representation. This element is then
multiplied by a predetermined basis element 12, and added by an
adder 13 into a register 15. Then, the register 15 is shifted by an
external shifter 14. Once the loop is finished, the content of
register 15 is output as the internal basis representation 8.
[0088] FIG. 2B shows a basis converter which implements the
above-described k-fold optimization of the Shift-Insert import
algorithm. The external basis representation 1 is stored in an
input register 9. A multiple coefficient selector 10' selects k
elements of the array, each of which is multiplied by different
basis elements from a basis element source 12' via the multipliers
11-1, 11-2, . . . , 11-k, and accumulated by the adders 13-1, 13-2,
. . . , 13-k into the register 15. Alternatively, the multiple
coefficient selector 10' could be k separate coefficient selectors.
Note that the multiplications could be done in parallel. The
external shifter 14 in FIGS. 2A and 2B could be, for example, a
polynomial* basis external shifter (see FIG. 6), a normal* basis
external shifter (see FIG. 9), or a normal or polynomial basis
external shifter (see U.S. application Ser. No. 08/851,045).
[0089] The present invention provides algorithms for shifting in a
polynomial* or normal* basis, called ShiftPoly* and ShiftNormal*,
which lead to two new conversion algorithms for polynomial* and
normal* bases, ImportPoly*ByShiftInsert and
ImportNormal*ByShiftInsert. Alternative forms of GenPoly* and
GenNormal* and hence ImportPoly*ByGenAccum and
ImportNormal*ByGenAccum may also be obtained from the Shift
functions, as it is possible to generate the internal
representations of the elements of an external basis by repeated
application of Shift.
[0090] 1.2 Export Algorithms
[0091] Given an internal basis and an external basis for a finite
field and the representation A of a field element in the internal
basis, an export algorithm determines the corresponding
representation B of the same field element in the internal basis.
Two general methods for determining the external representation B
are described: the generate*-evaluate method and the shift-extract
method.
[0092] 1.2.1 Generate*-Evaluate Method
[0093] The Generate*-Evaluate method computes the external
representation B by evaluating products of A with successive
elements of a dual of the external basis, as in the equation
B[i]=h(AX.sub.i)
[0094] where h is a linear function and X.sub.0, . . . , X.sub.m-1
are the internal-basis representations of the elements of the dual
of the external basis with respect to the function h. (The
"Generate*" designation refers to the fact that the dual basis is
generated.) The basic form of algorithm for this method, which is
well known in the prior art, is as follows:
[0095] proc ExportByGen*Eval
[0096] for i from 0 to m-1 do
[0097] T.rarw.A.times.X.sub.i
[0098] B[i].rarw.h(T)
[0099] end for
[0100] end proc
[0101] A variation on this conventional algorithm is to generate
the values AX.sub.0, . . . , AX.sub.m-1 directly, which can save a
multiplication during each iteration. The algorithms GenPoly* and
GenNormal* are easily adapted to this approach. The choice of
function h and the consequent choice of dual basis is generally not
important as far as the correctness of the algorithm, though some
choices may lead to more efficient implementations than others. For
instance, the choice h(T)=T[0] is particularly efficient. The
conventional algorithm ExportByGen*Eval requires storage for m
values, and, as was the case for the conventional algorithm
ImportByGenAccum, to reduce the storage requirement, it is
necessary to generate the values as part of the algorithm.
[0102] FIG. 3A shows a basis converter implementing the
Generate*-Evaluate export algorithm. An internal basis
representation 17 is stored in a register 18. At each step of a
looping mechanism 25, a dual basis generator 19 outputs a dual
basis element X.sub.i, which is multiplied by the internal
representation in multiplier 20. An evaluator 21 then evaluates a
linear function h on X.sub.i.times.A, and the result is inserted by
a coefficient insertor 22 into an output register 23. Once the loop
is finished, the content of register 23 is output as an external
basis representation 24.
[0103] FIG. 3B shows an improvement in the basis converter of FIG.
3A which gives the dual basis generator 19 the value A.times.Z to
scale by instead of Z, which eliminates one multiplication per
iteration of the loop. The dual basis generator 19 in FIGS. 3A and
3B could be, for example, a polynomial* basis generator (see FIG.
5), a normal* basis generator (see FIG. 8), or a normal or
polynomial basis generator. The evaluator 21 in FIGS. 3A and 3B may
be, for example, a circuit which evaluates a linear function, or
another suitable evaluator.
[0104] As previously noted, the present invention provides
algorithms for generating the values for a polynomial* or normal*
basis, called GenPoly* and GenNormal*. This leads to two algorithms
for polynomial and normal bases, ExportPolyByGen*Eval and
ExportNormalByGen*Eval. The latter algorithm was first presented as
algorithm ExportNormal* in U.S. application Ser. No. 08/851,045,
and is presented again here for completeness.
[0105] It should be noted that it is straightforward to generate
the dual of the external basis when the external basis is a
polynomial* or normal* basis, since the dual is then a scaled
polynomial or scaled normal basis. The algorithms for these choices
of basis, which one might call ExportPoly*ByGen*Eval and
ExportNormal*ByGen*Eval, may thus be considered part of the prior
art.
[0106] 1.2.2 Shift-Extract Method
[0107] The Shift-Extract method computes the external
representation A by "shifting" an intermediate variable in the
external basis, and extracting successive coefficients between the
shifts. This follows the same concept as the shift-insert method
above, and may be based on the same Shift function and an Extract
function that obtains a selected coefficient of the external
representation. (The Extract function is similar to the h function
in the previous method.) The basic form of algorithm for this
method is as follows:
[0108] proc ExportByShiftExtract
[0109] for i from m-1 to 0 do
[0110] B[i].rarw.Extract (A)
[0111] Shift (A)
[0112] end for
[0113] end proc
[0114] Again, the direction of the for loop may vary depending on
the direction of the shift.
[0115] The algorithm has the advantage over ExportByGen*Eval that
more than one coefficient can readily be processed per iteration,
regardless of the basis. If one wishes to reduce the number of
shifts by a factor of k, k-fold extraction can be performed at each
iteration of the loop. If k does not evenly divide m, some of the
extractions may have to be done outside the loop. However, an
efficient Shift function is required. The shift-extract approach
was introduced in U.S. application Ser. No. 08/851,045, and related
Shift functions are described there for a polynomial and a normal
basis, leading to the algorithms ExportPoly and ExportNormal.
[0116] FIG. 4A shows a basis converter implementing the
Shift-Extract export algorithm. The internal representation 17 is
stored in a register 26. Then, at each step of a looping mechanism
31, an extractor 27 extracts the coefficient B[i], and passes the
result to a coefficient insertor 28 which inserts it into an output
register 29. Then, the register 26 is shifted by an external
shifter 30. Once the loop is finished, the content of register 29
is output as the external basis representation 24.
[0117] FIG. 4B shows the above-described k-fold optimization of the
Shift-Extract algorithm. A multiple extractor 27' extracts k
coefficients, which coefficient insertors 28-1, 28-2, . . . , 28-k
insert into the output register 29. The multiple extractor 27' may
simply be k extractors in parallel, or may have another
configuration. The external shifter 30 in FIGS. 4A and 4B could be,
for example, a polynomial* basis external shifter (see FIG. 6), a
normal* basis external shifter (see FIG. 9), or a normal or
polynomial basis external shifter (see U.S. application Ser. No.
08/851,045).
[0118] As previously noted, the present invention provides
algorithms for shifting in a polynomial* or normal* basis, called
ShiftPoly* and ShiftNormal*. This leads to two new conversion
algorithms, ExportPoly*ByShiftInsert and
ExportNormal*ByShiftInsert. Alternative forms of GenPoly* and
GenNormal* and hence ExportPolyByGen*Eval and
ExportNormalByGen*Eval may also be obtained from the Shift
functions, as it is possible to generate the internal
representations of the elements of an external basis by repeated
application of Shift.
[0119] 1.3 Summary Tables
[0120] The following Tables summarize the foregoing techniques and
where they are described.
1TABLE 1 Import Algorithms. Method Basis Shift-Insert
Generate-Accumulate POLY Ser. No. 08/851,045 Ser. No. 08/851,045
NORMAL Ser. No. 08/851,045 Ser. No. 08/851,045 POLY* present
invention present invention NORMAL* present invention present
invention
[0121]
2TABLE 2 Export Algorithms. Method Basis Shift-Extract
Generate*-Evaluate POLY Ser. No. 08/851,045 present invention
NORMAL Ser. No. 08/851,045 Ser. No. 08/851,045 POLY* present
invention prior art NORMAL* present invention prior art
2.0 Techniques Involving the Dual of a Polynomial Basis
[0122] Let 1, .gamma., . . . , .gamma..sup.m-1 be a polynomial
basis for GF(q.sup.m), and let h(x) be a linear function from
GF(q.sup.m) to GF(q). Let h.sub.0(x) be the linear function whose
output is the 1-coefficient of x when x is written in the
polynomial basis, where the term "1-coefficient" denotes the
coefficient of the first basis element. In general, let h.sub.i(x)
be the coefficient of the i.sup.th basis element of x written in
the internal basis. Furthermore, let .zeta. be the element of
GF(q.sup.m) such that h.sub.0(x.zeta.)=h(x). In the remainder of
the description, let .xi..sub.0, .xi..sub.1, . . . , .xi..sub.m-1
denote the canonical dual basis and .eta..sub.0, .eta..sub.1, . . .
, .eta..sub.m-1 a dual basis. A formula for the dual basis (i.e.,
the polynomial* basis) of the above-described polynomial basis with
respect to h is:
.eta..sub.0=.zeta..sup.1.xi..sub.0,
.eta..sub.1=.zeta..sup.-1.xi..sub.1, . . . ,
.eta..sub.m-1=.zeta..sup.-1.xi..sub.m-1
[0123] where .xi..sub.0=1 and
.xi..sub.i=.xi..sub.i-1.gamma..sup.-1-h.sub.-
0(.xi..sub.i-1.gamma..sup.-1). When h=h.sub.0, .zeta.=1, and
.eta..sub.0, .eta..sub.1, . . . , .eta..sub.m-1 equals .xi..sub.0,
.xi..sub.1, . . . , .xi..sub.m-1 and is called the canonical
polynomial* basis. To prove the correctness of the formula, one can
use the definition of the dual basis, and induction. First,
h(1.zeta..sup.1)=h.sub.0(1)=1, and
h(.gamma..sup.i.zeta..sup.1)=h.sub.0(.gamma..sup.i)=0 for
i>0.
[0124] Suppose it is known that the first i-1 elements are correct
elements of the dual basis. Then for the i.sup.th element:
h(.gamma..sup.i.zeta..sup.1.xi..sub.i)=h(.gamma..sup.i-1.zeta..sup.-1.xi..-
sub.i-1)-h(.gamma..sup.i.zeta..sup.-1h.sub.0(.xi..sub.i-1.gamma..sup.-1))=-
1-h.sub.0(.gamma..sup.ih.sub.0(.xi..sub.i-1.gamma..sup.-1))=1,
[0125] since h.sub.0(.gamma..sup.ic)=0, whenever c is an element of
GF(q) and i>0. Furthermore, if i.noteq.j and j.noteq.0,
h(.gamma..sup.i.zeta..sup.1.xi..sub.i)=h(.gamma..sup.j-1.zeta..sup.-1.xi..-
sub.i-1)-h(.gamma..sup.i.zeta..sup.-1h.sub.0(.xi..sub.i-1.gamma..sup.-1))=-
0-h.sub.0(.gamma..sup.ih.sub.0(.xi..sub.i-1.gamma..sup.-1))=0.
[0126] If j=0, h(.xi..sub.i.zeta..sup.1)=h.sub.0(.xi..sub.i)=0.
Thus, the formula for the dual basis is correct. In the following
algorithms, Z will generally be the internal representation of
.zeta..sup.-1, Y will be the internal representation of .zeta., G
will be the internal representation of .gamma., H will be the
internal representation of .gamma..sup.-1, and I will be the
internal representation of the identity element. The value Z
corresponds to the function h(.epsilon.)=h.sub.0(.ze-
ta..epsilon.), and contains the information specific to the choice
of dual basis in the following algorithms. Note that if Z is 0,
h(.epsilon.)=h.sub.0(0)=0, and therefore, h would not be a suitable
linear function for this purpose. However, it may be useful in some
applications to have Z=0. Z will also be referred to herein as the
scaling factor.
[0127] In general, the internal representations of constants such
as Z, Y, G and H utilized by the algorithms described herein can be
obtained by applying known techniques, such as the correspondence
between linear functions and multiplication by group elements, or
solution of polynomials. For example, the internal representation G
of the generator of an external basis can be computed using
information about the internal and external basis, as noted in U.S.
application Ser. No. 08/851,045. The general approach to computing
such a representation is to find a root, in the internal-basis
representation, of an appropriate polynomial corresponding to the
external basis. Such root-finding techniques are well known in the
prior art. As a further example, the value V.sub.0 used in certain
of the algorithms described herein, and other elements
corresponding to a linear function, can be computed by matrix
operations, as described in U.S. application Ser. No. 08/851,045.
All these values can be precomputed as part of the setup for the
algorithms. Their computation is not necessarily part of the
algorithms themselves.
[0128] 2.1 Efficient Basis Generation
[0129] The algorithm GenPoly* shown below generates the internal
representation of the dual basis elements of a polynomial basis, in
accordance with an illustrative embodiment of the invention.
GenPoly* is an iterator; it is meant to be called many times in
succession. The first time an iterator is called, it starts from
the "iter" line. When a yield statement is reached, the iterator
returns the value specified by the yield. The next time an iterator
is called, it starts immediately after the last yield executed; all
temporary variables are assumed to retain their values from one
call to the next. An iterator ends when the "enditer" line is
reached.
[0130] Input:
[0131] Z, a scaling factor.
[0132] Output:
[0133] W.sub.0, . . . , W.sub.m-1, the canonical polynomial* basis
scaled by Z.
[0134] Parameters:
[0135] m, the degree of the finite field.
[0136] Constants:
[0137] I, the internal representation of the identity element,
[0138] V.sub.0, the internal representation of the element such
that if T=A.times.V.sub.0, T[0]=h.sub.0(A),
[0139] H, the internal representation of the inverse of the
polynomial basis generator.
[0140] Algorithm:
[0141] iter GenPoly*
[0142] W.rarw.I
[0143] yield Z
[0144] for i from 1 to m-1 do
[0145] W.rarw.W.times.H
[0146] T.rarw.W.times.V.sub.0
[0147] W.rarw.W-T[0].times.I
[0148] yield W.times.Z
[0149] endfor
[0150] enditer
[0151] Typically, Z will be the internal representation of the
scaling factor. However, as noted above, sometimes one may wish to
use a value of 0 for Z, which does not correspond to any linear
function. If Z does correspond to a linear function, the output is
the polynomial* basis with respect to the linear function
corresponding to Z. In all cases, the output is the canonical
polynomial* basis scaled by Z, and in the case that Z=0, the output
will always be zero. At iteration i, the algorithm outputs W.sub.i.
To show that this is the correct result, note that W at the
beginning of the algorithm corresponds to .xi..sub.0=1. Proceeding
by induction, at each iteration, W is recalculated as
WH-h.sub.0(WH). So, .xi..sub.i becomes
.xi..sub.i.gamma..sup.-1-h.sub.0(.xi..sub.i.gamma..sup-
.-1)=.xi..sub.i+1, which is the correct term. The value
.eta..sub.i=.zeta..sup.1.xi..sub.i is then output. This version is
a preferred embodiment and generally the most efficient version,
but other versions are possible. For instance, one could set W to Z
instead of I, and then at each iteration multiply by Z.sup.-1
before applying the formula, then multiply by Z again afterwards.
This turns out to be equivalent to the generation method based on
the algorithm ShiftPoly* below.
[0152] FIG. 5 shows a polynomial* basis generator in accordance
with the invention, which implements the above-described iterator
GenPoly*. The value W.sub.0=Z is output first. A register 34 stores
the canonical poly* basis, initialized to the identity element I.
At each call, this is multiplied by H, then from this result, the
value (W.times.V.sub.0)[0].ti- mes.I is subtracted. The value
(W.times.V.sub.0)[0].times.I is computed using multipliers 35, 36
and a coefficient selector 37, where W is the value stored in
register 34. The subtraction is done by a scalar subtractor 39.
Once this subtraction is computed, the result is stored in the
register 34, and is multiplied in the multiplier 33 by the scaling
factor Z to obtain the output W.sub.i, a scaled polynomial* basis
element. As in the algorithm GenPoly*, the value V.sub.0 is the
element such that (A.times.V.sub.0)[0]=h.sub.0(A) in the internal
basis, H is the internal representation of .gamma..sup.-1, and I is
the internal representation of the identity element. Alternatively,
the multiplier 36 and the coefficient selector 37 may be replaced
by a coefficient extractor, i.e., a circuit that selects a
coefficient of an element in the external basis, given that
element's internal basis representation.
[0153] Other forms of GenPoly* may be readily constructed in
accordance with the invention. For example, it may be convenient to
perform the steps of the loop in a different order, perhaps
starting the value W at a different state, as in the following
alternate algorithm:
[0154] Algorithm:
[0155] iter GenPoly*
[0156] W.rarw.H
[0157] yield W.times.ZG
[0158] for i from 1 to m-1 do
[0159] T.rarw.W.times.V.sub.0
[0160] W.rarw.W-T[0].times.I
[0161] W.rarw.W.times.H
[0162] yield W.times.ZG
[0163] endfor
[0164] enditer
[0165] This alternate algorithm, which involves a slight rewriting
of the steps of the previous algorithm, has the property that it
involves the same sequence of steps in the loop (ignoring the
yield) as the exemplary polynomial-basis shifter described in U.S.
application Ser. No. 08/851,045, which may provide benefits in
terms of sharing of computational logic.
[0166] Another possible variant of the GenPoly* algorithm is the
following:
[0167] Algorithm:
[0168] iter GenPoly*
[0169] W.rarw.Z
[0170] yield W
[0171] for i from 1 to m-1 do
[0172] T.rarw.W.times.V.sub.0YH
[0173] W.rarw.W.times.H
[0174] W.rarw.W-T[0].times.Z
[0175] yield W
[0176] endfor
[0177] enditer
[0178] This variant avoids the multiplication in the yield, but it
presumes the availability of Y=Z.sup.-1, or at least V.sub.0YH. It
may be inconvenient or expensive to compute Z.sup.-1, as would be
the case if Z is a variable input value such as the value A to be
converted, as in the ExportPolyByGen*Eval algorithm to be described
in Section 2.1.2 below.
[0179] In the case that the linear function to which Z corresponds
is the coefficient at index 0 of the internal basis representation,
i.e., the linear function x.sub.0 in Section 2.1.2 below,
V.sub.0=Z, V.sub.0Y=I, and T[0]=W[0], and the first multiplication
in the loop in the above variant is not needed. This fact can be
exploited to obtain the following variant of the GenPoly* algorithm
that does not require the inverse computation:
[0180] Algorithm:
[0181] iter GenPoly*
[0182] W.rarw.V.sub.0
[0183] yield Z
[0184] for i from 1 to m-1 do
[0185] W.rarw.W.times.H
[0186] W.rarw.W-W[0].times.V.sub.0
[0187] yield W.times.Z V.sub.0.sup.-1
[0188] endfor
[0189] enditer
[0190] In general, the above and other forms of GenPoly* have the
following common characteristics: multiplication by a function of
the generator of the polynomial basis, e.g., H; generation of a
coefficient, e.g., T[0]; and subtraction of a function of the
coefficient from one of the loop variables. The ordering and
specifics of these steps may vary in accordance with implementation
preference, for instance to simplify one of the steps or to
introduce parallelism. Initial values of loop variables will vary
correspondingly. The examples of GenPoly* given above illustrate
some of the possible orderings and specifics.
[0191] 2.1.1 Importing from a Polynomial* Basis by
Generate-Accumulate
[0192] One application of the above-described GenPoly* algorithm is
in the Generate-Accumulate method for importing from a polynomial*
basis.
[0193] Input:
[0194] B[0], . . . , B[m-1], the external representation to be
converted.
[0195] Output:
[0196] A, the corresponding internal representation.
[0197] Parameters:
[0198] Any required for GenPoly*.
[0199] Constants:
[0200] Z, the internal representation of the scaling factor, and
any constants required for GenPoly*.
[0201] Algorithm:
[0202] proc ImportPoly*ByGenAccum
[0203] A.rarw.0
[0204] i.rarw.0
[0205] for W in GenPoly*(Z) do
[0206] A.rarw.A+B[i].times.W
[0207] i.rarw.i+1
[0208] endfor
[0209] endproc
[0210] The ImportPoly*ByGenAccum algorithm may be implemented using
the basis converter of FIG. 1.
[0211] 2.1.2 Exporting to a Polynomial Basis by
Generate*-Evaluate
[0212] The algorithm ExportPolyByGen*Eval converts from an internal
representation to an external representation in a polynomial basis
over the same ground field, primarily with internal-basis
operations, and using information largely about the dual of the
external basis rather than information about the external basis
itself.
[0213] Input:
[0214] A, the internal representation to be converted.
[0215] Output:
[0216] B[0], . . . , B[m-1], the corresponding external
representation.
[0217] Parameters:
[0218] Any required for GenPoly*.
[0219] Constants:
[0220] V.sub.0, the element such that if T=A.times.V.sub.0,
T[0]=B[0], and any constants required for GenPoly*.
[0221] Algorithm:
[0222] proc ExportPolyByGen*Eval
[0223] A.rarw.A.times.V.sub.0
[0224] i.rarw.0
[0225] for T in GenPoly*(A) do
[0226] B[i].rarw.T[0]
[0227] i.rarw.i+1
[0228] endfor
[0229] endproc
[0230] The above version of the ExportPolyByGen*Eval algorithm may
be implemented using the basis converter of FIG. 3B. This is
generally the most efficient version; it makes two shortcuts which
are not essential to the efficiency of the technique. First, it
uses the polynomial* basis corresponding to the linear function
x.sub.0, defined by x.sub.0(A)=A[0], where A is an internal basis
representation; this is easy to evaluate, and results in the Z
value being V.sub.0. Second, GenPoly* is passed the value A so that
it is not necessary to multiply the result of GenPoly* by A in an
extra step. The algorithm is still efficient without either of
these shortcuts. The following is a basic form of the
algorithm.
[0231] Algorithm:
[0232] proc ExportPolyByGen*Eval
[0233] i.rarw.0
[0234] for W in GenPoly*(Z) do
[0235] B[i].rarw.h(W.times.A)
[0236] i.rarw.i+1
[0237] endfor
[0238] endproc
[0239] This version of the ExportPolyByGen*Eval algorithm may be
implemented using the basis converter of FIG. 3A. Here, h is the
linear function corresponding to Z. It should be noted that in
practice, ExportPoly as described in U.S. application Ser. No.
08/851,045 is likely to be more efficient. However, if GenPoly* is
already available in an implementation, there may be an advantage
to choosing this approach.
[0240] 2.2 Efficient External Shifting
[0241] With knowledge of the formula for a polynomial* basis, a
method for shifting an element's representation in the polynomial*
basis can also be derived. The algorithm uses the recursive formula
for generating .xi..sub.i from .xi..sub.i-1. To prove that this is
correct, it is sufficient to show that applying the formula to
.xi..sub.m-1 yields 0. This shifting method works for basis
elements, since it simply applies the recursive formula
r(.epsilon.)=.epsilon..gamma..sup.-1-h.sub.0(.epsil-
on..gamma..sup.-1) to get all the successive elements.
[0242] To prove the above claim, repeated applications of the
formula to the identity element 1, and their representations in the
polynomial basis, will be considered. Recall that since .xi..sub.0
is 1, these various terms are the .xi..sub.i. Also recall that if
the 1-coefficient of .epsilon. written in the polynomial basis is
0, multiplying .epsilon. by .gamma..sup.-1 performs a shifting
operation. That is, if
.epsilon.=B[1].gamma.+B[2].gamma..sup.2+ . . .
+B[m-1].gamma..sup.m-1, then
.epsilon..gamma..sup.-1=B[1]+B[2].gamma..sup.1+ . . .
+B[m-1].gamma..sup.m-2.
[0243] First, .xi..sub.0 has a nonzero 1-coefficient, but none of
the other .xi..sub.i does. Second, notice that
.xi..sub.1=.gamma..sup.-1-h.su- b.0(.gamma..sup.-1), so .xi..sub.1
has a zero 1-coefficient. After .xi..sub.1, each application of the
recursive formula performs a shifting-like operation in the
polynomial basis, so one more of the coefficients is 0 after each
application. So, after m-1 more applications of the recursive
formula, the result is .xi..sub.m-1.gamma..sup.-1-h.sub.-
0(.xi..sub.m-1.gamma..sup.-1),which must be zero. But if the
recursive formula is applied to .xi..sub.m-1, the result is
.xi..sub.m-1.gamma..sup.-1-h.sub.0(.xi..sub.m-1.gamma..sup.-1)=0.
[0244] Now the technique for shifting in the polynomial* basis will
be demonstrated. Let .epsilon. be any element.
.epsilon.=B[0].eta..sub.0+B[1].eta..sub.1+ . . .
+B[m-1].eta..sub.m-1
.zeta..epsilon.=B[0].xi..sub.0+B[1].xi..sub.1+ . . .
+B[m-1].xi..sub.m-1
r(.zeta..epsilon.)=B[0].xi..sub.1+B[1].xi..sub.2+ . . .
+B[m-2].xi..sub.m-1+B[m-1]0
.zeta..sup.-1r(.zeta..epsilon.)=B[0].eta..sub.1+B[1].eta..sub.2+ .
. . +B[m-2].eta..sub.m-1
[0245] Thus, if .epsilon. is an element, then
.zeta..sup.-1r(.zeta..epsilo-
n.)=.epsilon..gamma..sup.-1-.zeta..sup.-1h.sub.0(.zeta..epsilon..gamma..su-
p.-1) is .epsilon. shifted in the polynomial* basis. It should be
noted that, in addition to shifting in one direction, it is also
possible to shift on the other direction, or to rotate. For
example, a formula implementing a right rotate operation for the
polynomial* basis is given by:
.epsilon..gamma..sup.-1-.zeta..sup.-1h.sub.0(.zeta..epsilon..gamma..sup.-1-
)+.zeta..sup.-1.xi..sub.0h.sub.0(.zeta..epsilon..gamma..sup.m-1).
[0246] The following is an algorithm for shifting in the
polynomial* basis, based on the above-described shifting
technique.
[0247] Input/Output:
[0248] A, the internal representation of the element to be
shifted.
[0249] Parameters:
[0250] m, the degree of the finite field.
[0251] Constants:
[0252] YH, the internal representation of .zeta..gamma..sup.-1,
[0253] I, the internal representation of the identity element,
[0254] V.sub.0, the internal representation of the element such
that if T=A.times.V.sub.0, T[0]=h.sub.0(A),
[0255] Z, the internal representation of the scaling factor.
[0256] Algorithm:
[0257] proc ShiftPoly*
[0258] A.rarw.A.times.YH
[0259] T.rarw.A.times.V.sub.0
[0260] A.rarw.A-T[0].times.I
[0261] A.rarw.A.times.Z
[0262] endproc
[0263] Another variation of this algorithm which does not require
the constant I is the following:
[0264] Algorithm:
[0265] proc ShiftPoly*
[0266] A.rarw.A.times.YH
[0267] T.rarw.A.times.V.sub.0
[0268] T.rarw.T[0].times.Z
[0269] A.rarw.A.times.Z
[0270] A.rarw.A-T
[0271] endproc
[0272] A further variation of the ShiftPoly* algorithm is as
follows:
[0273] Algorithm:
[0274] proc ShiftPoly*
[0275] A.rarw.A.times.YH
[0276] T.rarw.A.times.V.sub.0
[0277] A.rarw.A.times.Z
[0278] A.rarw.A-T[0].times.Z
[0279] endproc
[0280] Another variation of the ShiftPoly* algorithm which saves
one additional multiplication is the following:
[0281] Algorithm:
[0282] proc ShiftPoly*
[0283] T.rarw.A.times.V.sub.0YH
[0284] A.rarw.A.times.H
[0285] A.rarw.A-T[0].times.Z
[0286] endproc
[0287] FIG. 6 shows a polynomial* basis external shifter which
implements the above-described procedure ShiftPoly*. An internal
basis representation 42 is first multiplied in the multiplier 43
with the value YH. From this a scalar subtractor 47 subtracts a
value obtained by multiplying this value by V.sub.0 (in a
multiplier 44) and extracting the 1-coefficient (in a coefficient
selector 45). Finally, this value is multiplied in a multiplier 48
by Z. The output of multiplier 48 is a shifted internal basis
representation 49. As above, Z is the scaling factor, Y is the
inverse of the scaling factor, H is the internal representation of
.gamma..sup.-1, and V.sub.0 is the element such that
(A.times.V.sub.0)[0]=h.sub.0(A) in the internal basis, where A is
an internal representation and B is its corresponding external
representation. If this external shifter is to be implemented for
the canonical polynomial* basis, then Z=I and YH=H, and the
multiplication in multiplier 48 may be suppressed.
[0288] It should also be noted that ShiftPoly* can be used to make
a new version of GenPoly*:
[0289] Algorithm:
[0290] iter GenPoly*ByShift
[0291] T.rarw.Z
[0292] yield T
[0293] for i from 1 to m-1 do
[0294] ShiftPoly*(T)
[0295] yield T
[0296] endfor
[0297] enditer
[0298] The algorithms GenPoly* and GenPoly*ByShift are similar in
efficiency. Any of the algorithms using GenPoly* would also work
with GenPoly*ByShift instead. GenPoly*ByShift, as presented above,
assumes that the scaling factor is the same in the dual basis being
generated as in the shifter, but it is straightforward to adapt a
shifter for a different scaling factor by multiplying the outputs
of the shifter by a ratio of scaling factors.
[0299] FIG. 7 shows an alternative polynomial* basis generator
which implements the above-described GenPoly*ByShift algorithm. A
scaling factor 50 (Z, which is the same as the scaling factor Z
used in an external shifter 52) is stored in a register 51, whose
contents are yielded initially and for each iteration of a looping
mechanism 54. For each successive result, the contents of register
51 are shifted by the external shifter 52. The results are
polynomial* basis elements 53, which may be scaled by an additional
multiplication. The alternative basis generator of FIG. 7 could be
used in any basis conversion application in which the basis
generator shown in FIG. 5 could be used. The external shifter 52
could be, for example, the external shifter shown in FIG. 6.
[0300] It should be noted that in a case in which YH=I, the first
multiplication may be suppressed (and the last multiplication is by
H) and in a case in which Z=I, the last multiplication may be
suppressed. Various straightforward rearrangements of ShiftPoly*
can be made to accommodate these and other similar situations.
[0301] Similar to GenPoly*, the above and other forms of ShiftPoly*
have the common characteristics of multiplication by a function of
the generator of the polynomial basis, generation of a coefficient,
and subtraction of a function of the coefficient from one of the
loop variables. Additional scaling of a value may also be included.
Again, the ordering and specifics of these steps may vary in
accordance with implementation preference, and the examples of
ShiftPoly* given above illustrate some of the possible orderings
and specifics. It should be noted that many of the approaches given
for GenPoly* are also applicable to ShiftPoly*, and vice-versa.
[0302] 2.2.1 Importing from a Polynomial* Basis by Shift-Insert
[0303] The algorithm ImportPoly*ByShiftInsert converts from a
polynomial*-basis representation to an internal representation over
the same ground field, primarily with internal-basis
operations.
[0304] Input:
[0305] B[0], . . . , B[m-1], the external representation to be
converted.
[0306] Output:
[0307] A, the corresponding internal representation.
[0308] Parameters:
[0309] m, the degree of the finite field, and any required for
ShiftPoly*.
[0310] Constants:
[0311] Z, the internal representation of the scaling factor, and
any other constants required for ShiftPoly*.
[0312] Algorithm:
[0313] proc ImportPoly*ByShiftInsert
[0314] A.rarw.B[m-1].times.Z
[0315] for i from m-2 downto 0 do
[0316] ShiftPoly*(A)
[0317] A.rarw.A+B[i].times.Z
[0318] endfor
[0319] endproc
[0320] The algorithm ImportPoly*ByShiftInsert may be implemented
using the basis converter of FIG. 2A.
[0321] A possible improvement on this algorithm is to insert
multiple coefficients per iteration, as in the basis converter of
FIG. 2B. If the value V, the internal representation of
.eta..sub.m/2, were precomputed, assuming without loss of
generality that m is even, the algorithm could be run this way:
[0322] Algorithm:
[0323] proc ImportPoly*ByShiftInsert
[0324] A.rarw.B[m-1].times.Z
[0325] A.rarw.A+B[(m/2)-1].times.V
[0326] for i from m-2 downto (m/2) do
[0327] ShiftPoly*(A)
[0328] A.rarw.A+B[i].times.Z
[0329] A.rarw.A+B[i-(m/2)].times.V
[0330] endfor
[0331] endproc
[0332] This reduces the number of external shifts by a factor of 2.
A similar improvement can be made with a factor of k, as mentioned
previously, using the basis converter of FIG. 2B.
[0333] Another version of the ImportPoly*ByShiftInsert algorithm is
as follows:
[0334] Algorithm:
[0335] proc ImportPoly*ByShiftInsert
[0336] A.rarw.0
[0337] for i from m-1 downto (m/2) do
[0338] ShiftPoly*(A)
[0339] A.rarw.A+B[i].times.Z
[0340] A.rarw.A+B[i-(m/2)].times.V
[0341] endfor
[0342] endproc
[0343] In this version of the algorithm, the loop is started at m-1
in order to reduce the number of statements in the algorithm.
[0344] 2.2.2 Exporting to a Polynomial* Basis by Shift-Extract
[0345] The algorithm ExportPoly*ByShiftExtract converts from an
internal representation to an external representation in a dual
basis of a polynomial basis over the same ground field, primarily
with internal-basis operations.
[0346] Input:
[0347] A, the internal representation to be converted.
[0348] Output:
[0349] B[0], . . . , B[m-1], the corresponding external
representation.
[0350] Parameters:
[0351] m, the degree of the finite field, and any required for
ShiftPoly*.
[0352] Constants:
[0353] V.sub.m-1, an element such that if T=A.times.V.sub.m-1,
T[0]=B[m-1], and any constants required for ShiftPoly*.
[0354] Algorithm:
[0355] proc ExportPoly*ByShiftExtract
[0356] for i from m-1 downto 0 do
[0357] T.rarw.A.times.V.sub.m-1
[0358] B[i].rarw.T[0]
[0359] ShiftPoly*(A)
[0360] endfor
[0361] endproc
[0362] The algorithm ExportPoly*ByShiftExtract may be implemented
using the basis converter of FIG. 4A. This algorithm can be made
more efficient by computing multiple coefficients at once and
inserting them, as in the basis converter of FIG. 4B. That is,
suppose m is divisible by 2 and V.sub.m/2-1 is the element such
that if T=A.times.V.sub.m/2-1, T[0]=B[m/2-1], then the following
algorithm also works.
[0363] Algorithm:
[0364] proc ExportPoly*ByShiftExtract
[0365] for i from m-1 downto m/2 do
[0366] T.rarw.A.times.V.sub.m-1
[0367] B[i].rarw.T[0]
[0368] T.rarw.A.times.V.sub.m/2-1
[0369] B[i-m/2].rarw.T[0]
[0370] ShiftPoly*(A)
[0371] endfor
[0372] endproc
[0373] This is more efficient, since in the second version of the
algorithm, there are half as many shifts as in the first version. A
similar improvement can be made with a factor of k, as mentioned
previously, using the basis converter of FIG. 4B. Another version
of the algorithm may be implemented by excluding the shift the last
time through the loop.
3.0 Techniques Involving the Dual of a Normal Basis
[0374] Let .gamma., . . . , .gamma..sup.q.sup..sup.m-1 be a normal
basis for GF(q.sup.m), and let h(x) be a linear function from
GF(q.sup.m) to GF(q). Let h.sub.0(x) be the linear function whose
output is the .gamma.-coefficient of x when x is written in the
normal basis, where the term ".gamma.-coefficient" denotes the
coefficient of the first basis element. Furthermore, let .zeta. be
such that h.sub.0(x.zeta.)=h(x). Again, we let .xi..sub.0,
.xi..sub.1, . . . , .xi..sub.m-1 denote the canonical dual basis
and .eta..sub.0, .eta..sub.1, . . . , .eta..sub.m-1 denote a dual
basis. A formula for the dual basis (i.e., the normal* basis) of
the above-described normal basis with respect to h is:
.eta..sub.0=.zeta..sup.1.xi..sub.0,
.eta..sub.1=.zeta..sup.-1.xi..sub.1, . . . ,
.eta..sub.m-1=.zeta..sup.-1.xi..sub.m-1
[0375] where .xi..sub.0=1,
.xi..sub.1=.sigma..sup.(q.sup..sup.i.sup.-1)/(q- -1) and .sigma. is
an element such that h.sub.0(.sigma..gamma..sup.q)=1 and
h.sub.0(.sigma..gamma..sup.q.sup..sup.i)=0 for i.noteq.1. When
h=h.sub.0, .zeta.=1, and .eta..sub.0, .eta..sub.1, . . . ,
.eta..sub.m-1 equals .xi..sub.0, .xi..sub.1, . . . , .xi..sub.m-1
and is called the canonical normal* basis. The element .sigma. is
referred to below as the normal* basis generator. To prove that the
above dual basis formula is correct, one can use the dual basis
property and induction. First,
h(.zeta..sup.1.gamma.)=h.sub.0(.gamma.)=1, and
h(.zeta..sup.1.gamma..sup.q.sup..sup.i)=h.sub.0(.gamma..sup.q.sup..sup.i)=-
0 for j.noteq.0.
[0376] To establish the induction, one need only recall the simple
result that raising an element .epsilon. to the q.sup.th power
performs a shifting operation in the normal basis. Thus,
h.sub.0(.epsilon.)=h.sub.1(- .epsilon..sup.q) where
h.sub.1(.epsilon.) is the .gamma..sup.q-coefficient of .epsilon.
written in the normal basis. Now, suppose that each term up to the
term given by .zeta..sup.-1.xi..sub.i-1=.zeta..sup.-1.sigma..sup.(-
q.sup..sup.i-1.sup.-1)/(q-1) satisfies the appropriate dual basis
property. Then the same can be derived for i by the following:
.gamma..sup.q.sup..sup.i.zeta..sup.-1.xi..sub.i=.gamma..sup.q.sup..sup.i.z-
eta..sup.-1.sigma..sup.(q.sup..sup.i.sup.-1)/(q-1)=.zeta..sup.1.sigma.(.ga-
mma..sup.q.sup..sup.i-1.sigma..sup.(q.sup..sup.i-1.sup.-1)/(q-1)).sup.q=.z-
eta..sup.1.sigma.(.gamma..sup.q.sup..sup.i-1.xi..sub.i-1).sup.q.
[0377] Now, by the definition of .sigma.,
h(.zeta..sup.1.sigma..epsilon.)=-
h.sub.0(.sigma..epsilon.)=h.sub.1(.epsilon.), so
h(.zeta..sup.1.sigma.(.gamma..sup.q.sup..sup.i-1.xi..sub.i-1)=h.sub.1((.ga-
mma..sup.q.sup..sup.i-1.xi..sub.i-1).sup.q)=h.sub.0(.gamma..sup.q.sup..sup-
.i-1.xi..sub.i-1)=1.
[0378] With a similar derivation, it follows that
h(.zeta..sup.1.sigma.(.gamma..sup.q.sup..sup.i-1.xi..sub.i-1).sup.q)=h.sub-
.0(.gamma..sup.q.sup..sup.i-1.xi..sub.i-1)=0 for i.noteq.j.
[0379] This establishes the correctness of the formula for the dual
basis and also gives a recursion formula:
.xi..sub.i=.sigma.(.xi..sub.i-1).sup.- q, where .xi..sub.i is the
i.sup.th element of the canonical normal* basis. In the following
algorithms, G will be the internal representation of .gamma., S
will be the internal representation of .sigma., and Z will be the
internal representation of .zeta..sup.-1. The value Z corresponds
to the function h(.epsilon.)=h.sub.0(.zeta..epsilon.), and contains
the information specific to the choice of dual basis in the
following algorithms. Note that if Z is 0,
h(.epsilon.)=h.sub.0(0)=0, and therefore, h would not be a suitable
linear function. However, it may be useful in some applications to
have Z=0. As noted previously, Z is referred to herein as the
scaling factor.
[0380] 3.1 Efficient Basis Generation
[0381] The following algorithm illustrates a technique for
efficiently generating the dual of a normal basis in accordance
with the invention.
[0382] Input:
[0383] Z, a scaling factor.
[0384] Output:
[0385] W.sub.0, . . . , W.sub.m-1, the canonical normal* basis
multiplied by Z.
[0386] Parameters:
[0387] m, the degree of the finite field; q, the order of the
ground field GF(q).
[0388] Constants:
[0389] S, the internal representation of the normal* basis
generator.
[0390] Algorithm:
[0391] iter GenNormal*
[0392] T.rarw.Z
[0393] W.rarw.S
[0394] yield T
[0395] for i from 1 to m-1 do
[0396] T.rarw.T.times.W
[0397] W.rarw.W.sup.q
[0398] yield T
[0399] endfor
[0400] enditer
[0401] Typically, Z will be the internal representation of the
scaling factor. However, sometimes one may wish to use a value 0
for Z, which does not correspond to any linear function. If Z does
correspond to a linear function, the output is the normal* basis
with respect to the linear function corresponding to Z. In all
cases, the output is the canonical normal* basis scaled by Z, and
in the case that Z=0, the output will always be zero. Assuming Z is
nonzero, the following establishes the correctness of the
algorithm. After the first iteration, GenNormal* outputs the
internal representation of .zeta..sup.-1. At each successive step,
the basis is multiplied by successively higher powers of q of
.sigma., resulting in .zeta..sup.-1, .zeta..sup.-1.sigma.,
.zeta..sup.-1.sigma..sup.q+1,
.zeta..sup.-1.sigma..sup.q.sup..sup.2.sup.+- 1, and so on. By the
above-described formula, this is the correct list of normal* basis
elements.
[0402] FIG. 8 shows a normal* basis generator which implements the
above-described iterator GenNormal*. A register 57 stores one
temporary variable, W, initialized to S, the internal
representation of .sigma.. A register 56 stores another temporary
variable, T, initialized to Z, the scaling factor 55. At each
iteration of a looping mechanism 60, the product T.times.W
calculated by a multiplier 58 is output as a scaled normal* basis
element. Then, the product is stored as the new value of the
register 56, and the value of the register 57 is replaced by
W.sup.q, calculated by an exponentiator 59 (q is the order of the
ground field). The results are the scaled normal* basis elements
61.
[0403] Other forms of GenNormal* may be readily constructed in
accordance with the invention. For example, the following alternate
algorithm may be used:
[0404] Algorithm:
[0405] iter GenNormal*
[0406] W.rarw.U
[0407] yield W.times.ZU.sup.-1 (i.e., yield Z)
[0408] for i from 1 to m-1 do
[0409] W.rarw.W.sup.q
[0410] yield W.times.ZU.sup.-1
[0411] endfor
[0412] enditer
[0413] In this alternate algorithm, U is a (q-1).sup.st root of S,
and there are q-1 such roots. Such a root exists since
S.sup.(q.sup..sup.m.sup.-1)/(q-1)=I, and can be found by
conventional root-finding techniques. This alternate algorithm has
the property that it involves the same sequence of steps in the
loop (ignoring the yield) as the exemplary normal-basis shifter
described in U.S. application Ser. No. 08/851,045 (i.e., an
exponentiator), which may provide benefits in terms of sharing of
computational logic.
[0414] In general, the above and other forms of GenNormal* have the
following common characteristics: exponentiation of a loop
variable, and scaling of a value before it is yielded or
multiplication of a loop variable by a previously-yielded value
before a new one is needed. The ordering and specifics of these
steps may vary in accordance with implementation preference;
initial values of loop variables will vary correspondingly. The
examples of GenNormal* given above illustrate some of the possible
orderings and specifics.
[0415] 3.1.1 Importing from a Normal* Basis by
Generate-Accumulate
[0416] The algorithm ImportNormal*ByGenAccum converts from a
normal*-basis representation to an internal representation over the
same ground field, primarily with internal-basis operations.
[0417] Input:
[0418] B[0], . . . , B[m-1], the external representation to be
converted.
[0419] Output:
[0420] A, the corresponding internal representation.
[0421] Parameters:
[0422] Any required for GenNormal*.
[0423] Constants:
[0424] Z, the internal basis representation of the scaling factor,
and any other constants required for GenNormal*.
[0425] Algorithm:
[0426] proc ImportNormal*ByGenAccum
[0427] A.rarw.0
[0428] i.rarw.0
[0429] for W in GenNormal*(Z) do
[0430] A.rarw.A+B[i].times.W
[0431] i.rarw.i+1
[0432] endfor
[0433] endproc
[0434] The ImportNormal*ByGenAccum algorithm may be implemented
using the basis converter of FIG. 1.
[0435] 3.1.2 Exporting to a Normal Basis by Generate*-Evaluate
[0436] The algorithm ExportNormalByGen*Eval converts from an
internal representation to an external representation in a normal
basis over the same ground field, primarily with internal-basis
operations, and using information largely about the dual of the
external basis rather than information about the external basis
itself.
[0437] Input:
[0438] A, the internal representation to be converted.
[0439] Output:
[0440] B[0], . . . , B[m-1], the corresponding external
representation.
[0441] Parameters:
[0442] Any required for GenNormal*.
[0443] Constants:
[0444] V.sub.0, the internal representation of the element such
that if T=A.times.V.sub.0, T[0]=B[0], and any constants required
for GenNormal*.
[0445] Algorithm:
[0446] proc ExportNormalByGen*Eval
[0447] A.rarw.A.times.V.sub.0
[0448] i.rarw.0
[0449] for T in GenNormal*(A) do
[0450] B[i].rarw.T[0]
[0451] i.rarw.i+1
[0452] endfor
[0453] endproc
[0454] The above version of the ExportNormalByGen*Eval algorithm
may be implemented using the basis converter of FIG. 3B. This is
generally the most efficient version; it makes two shortcuts which
are not essential to the efficiency of the technique. First, it
uses the normal* basis corresponding to the linear function
x.sub.0, defined by x.sub.0(A)=A[0], where A is an internal basis
representation; this is easy to evaluate, and results in the Z
value being V.sub.0. Second, the value A is passed to GenNormal* so
as to avoid multiplying the result of GenNormal* by A in an extra
step. The algorithm is still efficient without either of these
shortcuts. The following is a basic form of the algorithm.
[0455] Algorithm:
[0456] proc ExportNormalByGen*Eval
[0457] i.rarw.0
[0458] for W in GenNormal*(Z) do
[0459] B[i].rarw.h(W.times.A)
[0460] i.rarw.i+1
[0461] endfor
[0462] endproc
[0463] This version of the ExportNormalByGen*Eval algorithm may be
implemented using the basis converter of FIG. 3A. Here, h is the
linear function corresponding to Z. It should be noted that in
practice, ExportNormal as described in the U.S. application Ser.
No. 08/851,045 is likely to be more efficient. However, if
GenNormal* is already available in an implementation, there may be
an advantage to choosing this approach. Furthermore, the algorithm
ExportNormal* as described in U.S. application Ser. No. 08/851,045
takes substantially the same approach as ExportNormalByGen*Eval,
but the latter is presented here for completeness.
[0464] 3.2 Efficient External Shifting
[0465] The present invention also provides an efficient method for
shifting (e.g., doing a rotation) of an element's representation in
the normal* basis. A claim that may be desirable to prove is that
.xi..sub.m=.sigma..sup.(q.sup..sup.m.sup.-1)/(q-1)=1. First,
applying analysis similar to that by which .xi..sub.0, .xi..sub.1,
. . . , .xi..sub.m-1 were shown to be correct normal* basis
elements,
.sigma.(.sigma..sup.(q.sup..sup.m-1.sup.-1)/(q-1)).sup.q=.sigma..sup.(q.s-
up..sup.m.sup.-1)/(q-1)=.xi..sub.m, and so 4 h 0 ( m q i ) = h 0 (
( q m - 1 ) / ( q - 1 ) q i ) = { 1 if i - 1 = m - 1 0 otherwise
.
[0466] By definition of the dual basis, the sequence of values
output by h.sub.0 as i varies forms the coefficients of
.xi..sub.m=.sigma..sup.(q.s- up..sup.m.sup.-1)/(q-1) in the
canonical normal* representation. The only nonzero output occurs
for i=m, so .xi..sub.m=.sigma..sup.(q.sup..sup.m.su-
p.-1)/(q-1)=1=.xi..sub.0. (The output is the same for i=m as i=0
since .gamma..sup.q.sup..sup.m=.gamma..)
[0467] The following demonstrates the technique for shifting in the
normal* basis.
.epsilon.=B[0].eta..sub.0+ . . .
+B[m-2].eta..sub.m-2+B[m-1].eta..sub.m-1
.zeta..epsilon.=B[0].xi..sub.0+ . . .
+B[m-2].xi..sub.m-2+B[m-1].xi..sub.m- -1
.sigma.(.zeta..epsilon.).sup.q=B[m-1].xi..sub.0+B[0].xi..sub.1+ . .
. +B[m-2].xi..sub.m-1
.zeta..sup.-1.sigma.(.zeta..epsilon.).sup.q=B[m-1].eta..sub.0+B[0].eta..su-
b.1+ . . . +B[m-2].eta..sub.m-1
[0468] Another way to compute
.zeta..sup.-1.sigma.(.zeta..epsilon.).sup.q is to compute
.zeta..sup.q-1.sigma..epsilon..sup.q. This provides a general
technique for shifting in a normal* basis. Based on this, the
algorithm ShiftNormal* is given as follows.
[0469] Input/Output:
[0470] A, the internal representation to be shifted.
[0471] Parameters:
[0472] m, the degree of the finite field; q, the order of the
ground field.
[0473] Constants:
[0474] SZ.sup.1-q where S is the internal representation of .sigma.
and Z is the internal representation of .zeta..sup.-1, i.e.,
SZ.sup.1-q is the internal representation of
.zeta..sup.q-1.sigma..
[0475] Algorithm:
[0476] proc ShiftNormal*
[0477] A.rarw.A.sup.q
[0478] A.rarw.A.times.SZ.sup.1-q
[0479] endproc
[0480] FIG. 9 shows a normal* basis external shifter which
implements the procedure ShiftNormal*. An internal basis
representation 61 is first raised to the power q (q, the order of
the finite field, is a parameter) in an exponentiator 62, and is
then multiplied by SZ.sup.1-q in a multiplier 63, where S is the
internal representation of .sigma., and Z is the scaling factor.
The result 64 is the shifted internal representation.
[0481] It should also be noted that ShiftNormal* can be used to
make a new version of GenNormal*.
[0482] Algorithm:
[0483] iter GenNormal*ByShift
[0484] T.rarw.Z
[0485] yield T
[0486] for i from 1 to m-1 do
[0487] ShiftNormal*(Y)
[0488] yield T
[0489] endfor
[0490] enditer
[0491] The algorithms GenNormal* and GenNormal*ByShift are similar
in efficiency, and selection of one or the other involves a
tradeoff between number of variables and parellelizability. Any of
the algorithms using GenNormal* would also work with
GenNormal*ByShift instead. GenNormal*ByShift, as presented above,
assumes that the scaling factor is the same in the dual basis being
generated as in the shifter, but it is straightforward to adapt a
shifter for a different scaling factor by multiplying the outputs
of the shifter by a ratio of scaling factors.
[0492] FIG. 10 shows an alternative normal* basis generator which
implements the iterator GenNormal*ByShift. Its structure is exactly
the analog of the structure of GenPoly*ByShift. A scaling factor 65
is stored in a register 66, whose contents are yielded initially
and for each iteration of a looping mechanism 68. For each
successive result, the contents of the register 66 are shifted by
an external shifter 67. The results are the normal* basis elements
69, and may be scaled by an additional multiplication. The basis
generator of FIG. 10 could be used in any basis conversion
application in which the basis converter of FIG. 8 could be used.
The external shifter 68 could be, for example, the external shifter
shown in FIG. 9.
[0493] FIG. 11 shows an alternative external basis shifter which
implements an alternative version of ShiftNormal*. This external
shifter computes A.sup.qSZ.sup.1-q by first multiplying A by
Z.sup.-1 using a multiplier 71, then raising the result to the
q.sup.th power using an exponentiator 72, and finally, multiplying
that result by SZ, using a multiplier 73.
[0494] It should be noted that in a case in which SZ.sup.1-q=I, the
multiplication in the original version of ShiftNormal* given above
may be suppressed, and if SZ=I, the multiplication may be
suppressed in the above-noted alternative version of ShiftNormal*.
In this case, Z.sup.-1=S, so the first multiplication is by S.
Moreover, the multiplication may be carried out in other ways in
any case. It may, for example, be performed only before the
exponentiation, e.g., by multiplying by a qth root of
SZ.sup.1-q.
[0495] In general, the above and other forms of ShiftNormal* have
the common characteristics of exponentiation and multiplication by
a function of the generator of the dual basis, e.g., S.
Multiplication by a function of a scaling factor may also be
included. The ordering and specifics of these steps may vary in
accordance with implementation preference, and the examples of
ShiftNormal* given above illustrate some of the possible orderings
and specifics. Inasmuch as a version of GenNormal* can be
constructed from ShiftNormal*, many of the approaches given above
for ShiftNormal* can be applied to GenNormal* as well.
[0496] 3.2.1 Importing from a Normal* Basis by Shift-Insert
[0497] The algorithm ImportNormal*ByShiftInsert converts from a
normal*-basis representation to an internal representation over the
same ground field, primarily with internal-basis operations.
[0498] Input:
[0499] B[0], . . . , B[m-1], the external representation to be
converted.
[0500] Output:
[0501] A, the corresponding internal representation
[0502] Parameters:
[0503] m, the degree of the finite field.
[0504] Constants:
[0505] Z, the internal representation of the scaling factor, and
any other constants required for ShiftNormal*.
[0506] Algorithm:
[0507] proc ImportNormal*ByShiftInsert
[0508] A.rarw.B[m-1].times.Z
[0509] for i from m-2 downto 0 do
[0510] ShiftNormal*(A)
[0511] A.rarw.A+B[i].times.Z
[0512] endfor
[0513] endproc
[0514] The algorithm ImportNormal*ByShiftInsert may be implemented
using the basis converter of FIG. 2A. The algorithm works by
inserting one coefficient into the internal representation,
externally rotating the internal representation to make space for
another coefficient, and repeating. An improvement on this
algorithm is to insert multiple coefficients per iteration, as in
the basis converter of FIG. 2B. If the value
V=ZS.sup.(q.sup..sup.m/2.sup.-1)/(q-1), the internal representation
of .eta..sub.m/2, were precomputed, assuming without loss of
generality that m is even, the algorithm could be run this way:
[0515] Algorithm:
[0516] proc ImportNormal*ByShiftInsert
[0517] A.rarw.B[m-1].times.Z
[0518] A.rarw.A+B[(m/2)-1].times.V
[0519] for i from m-2 downto m/2 do
[0520] ShiftNormal*(A)
[0521] A.rarw.A+B[i].times.Z
[0522] A.rarw.A+B[i-(m/2)].times.V
[0523] endfor
[0524] endproc
[0525] This second version reduces the number of external shifts by
a factor of 2. A similar improvement can be made with a factor of
k, as mentioned previously, using the basis converter of FIG.
2B.
[0526] Another version of the ImportNormal*ByShiftInsert algorithm
is as follows:
[0527] Algorithm:
[0528] proc ImportNormal*ByShiftInsert
[0529] A.rarw.0
[0530] for i from m-1 downto (m/2) do
[0531] ShiftNormal* (A)
[0532] A.rarw.A+B[i].times.Z
[0533] A.rarw.A+B[i-(m/2)].times.V
[0534] endfor
[0535] endproc
[0536] In this version of the algorithm, the loop is started at m-1
in order to reduce the number of statements in the algorithm.
[0537] 3.2.2 Exporting to a Normal* Basis by Shift-Extract
[0538] The algorithm ExportNormal*ByShiftExtract converts from an
internal representation to an external representation in a dual
basis of a normal basis over the same ground field, primarily with
internal-basis operations.
[0539] Input:
[0540] A, the internal representation to be converted.
[0541] Output:
[0542] B[0], . . . , B[m-1], the corresponding external
representation.
[0543] Parameters:
[0544] m, the degree of the finite field, and any parameters
required for ShiftNormal*.
[0545] Constants:
[0546] V.sub.m-1, an element such that if T=A.times.V.sub.m-1,
T[0]=B[m-1], and any constants required for ShiftNormal*.
[0547] Algorithm:
[0548] proc ExportNormal*ByShiftExtract
[0549] for i from m-1 downto 0 do
[0550] T.rarw.A.times.V.sub.m-1
[0551] B[i].rarw.T[0]
[0552] ShiftNormal*(A)
[0553] endfor
[0554] endproc
[0555] The algorithm ExportNormal*ByShiftExtract may be implemented
using the basis converter of FIG. 4A. The algorithm works by
successively extracting a coefficient from the external
representation and rotating the external representation. This
algorithm can be made more efficient by computing multiple
coefficients at once and inserting them, as in the basis converter
of FIG. 4B. That is, suppose m is divisible by 2, and V.sub.m/2-1
is the element such that if T=A.times.V.sub.m/2-1, T[0]=B[m/2-1],
then this algorithm also works:
[0556] Algorithm:
[0557] proc ExportNormal*ByShiftExtract
[0558] for i from m-1 downto m/2 do
[0559] T.rarw.A.times.V.sub.m-1
[0560] B[i].rarw.T[0]
[0561] T.rarw.A.times.V.sub.m/2-1
[0562] B[i-m/2].rarw.T[0]
[0563] ShiftNormal*(A)
[0564] endfor
[0565] endproc
[0566] This is more efficient, since in the second version of the
algorithm, there are half as many shifts as in the first version. A
similar improvement can be made with a factor of k, as mentioned
previously, using the basis converter of FIG. 4B. Another version
of the algorithm may be implemented by excluding the shift the last
time through the loop.
[0567] It should be noted that the algorithms described above may
be extended to the case in which the internal and external basis
have different ground fields, as described in U.S. application Ser.
No. 08/851,045. For example, if a ground field is represented in
terms of polynomial* or normal* basis, the techniques described in
U.S. application Ser. No. 08/851,045 can be applied to process
subcoefficients during import and/or export operations.
4.0 Applications
[0568] The basis converters described herein may be implemented in
the form of a processor which operates in conjunction with a memory
to control the processing operations of the basis converter. The
processor and memory may be part of a user terminal in a
cryptographic system such as those to be described in conjunction
with FIGS. 12A and 12B below. The processor and memory may be
implemented in a personal desktop or portable computer, a
microcomputer, a mainframe computer, a workstation, telephone,
facsimile machine, television set top box or any other type of
processing or communications terminal or device. The processor may
be a microprocessor, central processing unit (CPU),
application-specific integrated circuit (ASIC) or any other
suitable digital data processor. The basis converter and the
elements thereof may be configured as software modules executed by
the processor, as separate dedicated hardware modules, or as
various combinations of software and hardware.
[0569] The basis conversion techniques of the present invention can
be implemented in a wide variety of cryptographic applications such
as, for example, the applications described in U.S. application
Ser. No. 08/851,045. The techniques of the present invention are
particularly well suited for use in cryptographic applications
which make use of elliptic curve cryptosystems and/or finite field
arithmetic. Moreover, because the invention provides basis
conversion techniques which require relatively little storage
capacity as compared to conventional techniques, the invention is
also well suited for use in memory-limited cryptographic
applications.
[0570] FIG. 12A shows a communication system 100 in which user
identification or digital signature techniques utilizing basis
conversion in accordance with the invention may be implemented. The
system 100 is configured in the manner described in U.S. patent
application Ser. No. 08/954,712 filed Oct. 20, 1997 and entitled
"Secure User Identification Based on Constrained Polynomials,"
which is incorporated by reference herein. Although the
illustrative user identification and digital signature techniques
described in application Ser. No. 08/954,712 did not make use of
basis conversion, other similar techniques may be configured to
utilize basis conversion.
[0571] The system 100 includes a number of different users 112-i,
i=1, 2, . . . N, which communicate with each other via a
communication network 114. The users 112-i may represent personal
desktop or portable computers, microcomputers, mainframe computers,
workstations, telephones, facsimile machines, personal
communication devices, digital notepads, television set top boxes
or any other type of communication terminals in various
combinations. The communication network 114 may represent a global
computer network such as the Internet, a wide area network (WAN), a
local area network (LAN), a satellite network, a telephone or cable
network, or various combinations of these and other types of
networks. The network may operate using conventional data transfer
techniques including but not limited to asynchronous transfer mode
(ATM), synchronous optical network/synchronous digital hierarchy
(SONET/SDH) and/or transmission control protocol/Internet protocol
(TCP/IP).
[0572] A particular one of the users 112-i in the system 100 is
designated in this illustration as a prover 112-1. The prover 112-1
includes a processor 116 bidirectionally coupled to a memory 118.
Another of the users 112-i in system 110 is designated a verifier
112-2. The verifier 112-2 includes a processor 120 bidirectionally
coupled to a memory 122. The processors 116, 120 are used to
generate the information communicated between the prover 112-1 and
verifier 112-2 during identification and digital signature
techniques. The memories 118, 122 store intermediate results and
other information used in the identification and digital signature
techniques. It should be noted that in general any of the users
112-i of system 110 may be acting as either a prover or a verifier
or both at any given time. For example, the user 112-2 may be
verifying user 112-1 while also acting as a prover to another user
112-i and a verifier of yet another user 112-i. The processors 116,
120 in conjunction with their respective memories 118, 122 may be
used to implement any of the basis conversion operations
illustrated in FIGS. 1 through 11 and described in the previous
sections.
[0573] FIG. 12B shows another exemplary cryptographic system in
which the basis conversion techniques of the invention may be
implemented. In this embodiment, a prover 130 and verifier 132 are
configured to communicate as shown. The prover 130 includes a
processor 134 and a memory 136, and the verifier 132 includes a
processor 138 and a memory 140. The prover 130 may be implemented
as a smart card, while the verifier 132 is a processing terminal
with a card reader designed to receive the smart card. The
interconnection between the prover 130 and the verifier 132 in FIG.
12B may therefore represent a temporary interconnection which is
present when a smart card is inserted into a card reader. User
identification and digital signature techniques similar to those
described in U.S. application Ser. No. 08/954,712, as well as many
other types of cryptographic techniques, may utilize the basis
conversion operations of the present invention. The processors 134,
138 in conjunction with their respective memories 136, 140 may be
used to implement any of the basis conversion operations
illustrated in FIGS. 1 through 11 and described in the previous
sections.
[0574] It should be emphasized that the basis conversion techniques
described herein are exemplary and should not be construed as
limiting the present invention to any particular embodiment or
group of embodiments. Numerous alternative embodiments within the
scope of the appended claims will be readily apparent to those
skilled in the art.
* * * * *