Effective arithmetic in finite fields based on Chudnovsky's multiplication algorithm

HAL Id: hal-01260806

https://hal.archives-ouvertes.fr/hal-01260806

Submitted on 1 Feb 2016

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Effective arithmetic in finite fields based on Chudnovsky’s multiplication algorithm

Kévin Atighehchi, Stéphane Ballet, Alexis Bonnecaze, Robert Rolland

To cite this version:

Kévin Atighehchi, Stéphane Ballet, Alexis Bonnecaze, Robert Rolland. Effective arithmetic in finite fields based on Chudnovsky’s multiplication algorithm. Comptes rendus de l’Académie des sciences.

Série I, Mathématique, Elsevier, 2016, 354, pp.137-141. �10.1016/j.crma.2015.12.001�. �hal-01260806�

Contents lists available atScienceDirect

C. R. Acad. Sci. Paris, Ser. I

www.sciencedirect.com

Number theory/Computer science

Effective arithmetic in finite fields based on Chudnovsky’s multiplication algorithm

Arithmétique effective dans les corps finis basée sur l’algorithme de multiplication de Chudnovsky

Kévin Atighehchi^a,Stéphane Ballet^b,Alexis Bonnecaze^b,Robert Rolland^b

aAix-MarseilleUniversité,Laboratoired’informatiquefondamentaledeMarseille,case901,13288Marseillecedex9,France bAix-MarseilleUniversité,InstitutdemathématiquesdeMarseille,case930,13288Marseillecedex9,France

a r t i c l e i n f o a b s t r a c t

Articlehistory:

Received22September2015

Acceptedafterrevision1December2015 Availableonlinexxxx

PresentedbytheEditorialBoard

ThankstoanewconstructionoftheChudnovskyandChudnovskymultiplicationalgorithm, wedesignefficientalgorithmsforboththeexponentiationandthemultiplicationinfinite fields.Theyare tailoredtohardwareimplementationandtheyallowcomputationstobe parallelized,whilemaintainingalownumberofbilinearmultiplications.

©^{2015Académiedessciences.PublishedbyElsevierMassonSAS.}All rights reserved.

r é s um é

À partir d’une nouvelle construction de l’algorithme de multiplication de Chudnovsky et Chudnovsky, nous concevons des algorithmes efficaces pour la multiplication et l’exponentiation dans lescorps finis. Ils sont adaptés àune implémentation matérielle etsontparallélisables,toutengardantunnombredemultiplicationsbilinéairestrèsbas.

©^{2015Académiedessciences.PublishedbyElsevierMassonSAS.}All rights reserved.

1. Introduction

Multiplication infinitefieldsisa fundamentaloperation inarithmetic andfindingefficientmultiplication methodsre- mainsatopicalissue.Letq beaprimepower,Fqthefinitefieldwithq elementsandFqⁿ thedegreenextensionofFq.If B= {^e1,. . . ,en}^isabasisofFqⁿ overFqthenforx=n

i=¹xieiand y=n

i=¹yiei,wehavetheproduct z=^xy=

n

h=¹ z_he_h=

n

h=¹

n i,j=¹

t_{i jh}x_ix_j

e_h, (1)

whereeiej=n

h=¹ti jheh,ti jh∈Fq beingsomeconstants. Thecomplexity ofamultiplicationalgorithm inFqⁿ dependson thenumberofmultiplications andadditionsinFq.Thereexisttwotypesofmultiplications inFq:thescalarmultiplication

E-mailaddresses:[email protected](K. Atighehchi),[email protected](S. Ballet),[email protected](A. Bonnecaze), [email protected](R. Rolland).

http://dx.doi.org/10.1016/j.crma.2015.12.001

1631-073X/©^{2015Académiedessciences.PublishedbyElsevierMassonSAS.}All rights reserved.

JID:CRASS1 AID:5641 /FLA Doctopic: Number theory [m3G; v1.172; Prn:15/01/2016; 16:07] P.2 (1-5) 2 K. Atighehchi et al. / C. R. Acad. Sci. Paris, Ser. I•••(••••)•••–•••

andthebilinear multiplication.The scalarmultiplicationisthemultiplication bya constant(in Fq) thatdoesnot depend on the elements of Fqⁿ that are multiplied. The bilinear multiplication is a multiplication of elements that depend on the elementsofFqⁿ that aremultiplied. Thebilinearcomplexity isindependentofthechosen representationofthefinite field. Forexample,thedirectcalculationof z=(z1,. . . ,zn)using(1) requiresn² non-scalarmultiplications xixj,n³ scalar multiplications,andn³−^nadditions.

Moreprecisely,themultiplicationoftwoelementsofFqⁿ isanFq-bilinearapplicationfromFqⁿ×Fqⁿ ontoFqⁿ.Then,it can be consideredasan Fq-linearapplicationfromthetensorproduct Fqⁿ⊗FqFqⁿ ontoFqⁿ.Consequently,it canalsobe consideredasanelementT ofFqⁿ⊗FqFqⁿ⊗FqFqⁿ,wheredenotesthedual.Set

T= r

i=¹

x_i⊗^y_i⊗^ci, (2)

wherether elementsx_i aswell astherelements y_i areinthedualFqⁿ ofFqⁿ,whiletherelementsc_i areinFqⁿ.The followingholdsforanyx,y∈Fqⁿ:x·^y=r

i=1x_i(x)y_i(y)ci.Thedecomposition(2)isnotunique.

Definition1.1.AbilinearmultiplicationalgorithmU^{isanexpression}

x·^y= r

i=1

x_i(x)y_i(y)ci.

ThenumberrofsummandsinthisexpressioniscalledthebilinearcomplexityofthealgorithmU ^{andisdenotedby} μ(U)^. Definition1.2.The minimal numberofsummands ina decompositionof thetensor T ofthe multiplicationis calledthe bilinearcomplexityofthemultiplicationandisdenotedby μq(n):

μ_q(n)=^min

U μ(U),

whereU ^{isrunningoverallbilinear}multiplicationalgorithmsinFqⁿ overFq.

Thebilinearcomplexity ofthemultiplicationinFqⁿ overFq hasbeenwidelystudied.Inparticular,itwasprovedin[2]

thatitisuniformlylinearwithrespecttothedegreenoftheextension.ThisfollowsfromtheChudnovskyandChudnovsky multiplication algorithm (CCMA). This clever construction was originally introduced in 1987 in [3] and is based on the interpolationonalgebraiccurves.

Thereisbenefithavingalowbilinearcomplexitywhenconsideringhardwareimplementationsmainlybecauseitreduces thenumberofgatesinthecircuit.Inthisnote,weconsiderthreemodels.

– Thenon-scalarmodel(denotedNS),inwhichonlythebilinearcomplexityistakenintoaccountanditisassumedthat all scalaroperationsare free.Indeed,thismodeldoesnot reflectthereality and, sincethe bilinearcomplexity isnot the whole complexity ofthe algorithm,the complexity ofthelinear partofthe algorithm shouldalso be takeninto account.

– ThemodelS1,whichtakesintoaccountthenumberofmultiplicationswithoutdistinguishingbetweenthebilinearones andthescalarones.

– ThemodelS2,whichtakesintoaccountalloperations(multiplicationsandadditions)inFq.

Notice that so far, practical implementations of multiplication algorithms over finite fieldshave failed to simultaneously optimizethenumberofscalarmultiplications,additions,andbilinearmultiplications.

Regarding exponentiationalgorithms, theuse ofa normalbasis isofinterest becausethe qth powerofan element is justa cyclicshiftofits coordinates.Aremaining question ishowtoimplementmultiplication efficientlyinordertohave simultaneouslyfastmultiplicationandfastexponentiation.In2000,Gao etal.[6]showedthatfastmultiplicationmethods canbeadaptedtonormalbasesconstructedwithGaussperiods.TheyshowthatifFqⁿ isrepresentedbyanormalbasisover Fq generatedby aGauss periodof type (n,k),themultiplication inFqⁿ canbe computedwithO

nklognklog lognk and theexponentiationwithO

n²klogklog lognk

operationsinFq (q beingsmall).Thisresultisvaluablewhenkisbounded.

However,inthegeneralcase,kisupper-boundedbyO

n³log²nq .

In2009, CouveignesandLercierconstructedin[5,Theorem4]twofamilies ofbasis (calledellipticandnormalelliptic) forfinitefieldextensions,fromwhichtheyobtainedamodeldefinedasfollows.Witheverycouple(q,n),theyassociated a model,(q,n),ofthedegree-nextension ofFq,such thatthefollowingholds: thereisapositive constant K suchthat thefollowingaretrue:

– elements in Fqⁿ are represented by vectors for which the number of components in Fq is upper bounded by Kn(logn)²log(logn)²;

– thereexistsanalgorithmthatmultipliestwoelementsattheexpenseofKn(logn)⁴|^log(logn)|³ multiplicationsinFq; – exponentiationbyqconsistsofacircularshiftofthecoordinates.

Therefore,foreachextensionoffinitefield,theyshowthatthereexistsamodelthatallowsbothfastmultiplicationand fastapplicationoftheFrobeniusautomorphism.Theirmodelhastheadvantageofexistingforallextensions.However,the bilinear complexity of their algorithm is not competitive comparedwith thebest known methods, aspointedout in [5, Section4.3.4].Indeed,itisclearthatsuchamodelrequiresatleastKn(logn)²(log(logn))² bilinearmultiplications.

Notethathere,theefficiencyofthealgorithmsisdescribedintermsofparalleltime(depthofthecircuit,innumberof multiplications),numberofprocessors(width),andtotalnumberofmultiplications(size).

Thisarticledescribesthemaintheoretical resultsofamoredetailedforthcomingarticle,whereaneffectiveimplemen- tationforthecaseF16¹³ ispresented(forapreliminaryversion,see[1]).

2. Newresults

Weproposeanothermodelwiththefollowingcharacteristics:

– ourmodelisbasedonCCMA,thusthemultiplicationalgorithmhasabilinearcomplexityinO(n),whichisoptimal;

– ourmodel istailored toparallel computation. Hence, the computation time usedto perform amultiplication or any exponentiationcan easilybe reducedwithan adequatenumber ofprocessors.Since ourmethodhasa bilinear com- plexityofmultiplicationinO(n),itcanbeparallelizedtoobtainaconstanttimecomplexityusingO

n

processors.The previousaforementionedworks([6]and[5]) donotgive anyparallelalgorithm(suchanalgorithmismoredifficultto conceivethanaserialone);

– exponentiationby qisacircularshiftofthecoordinatesandcanbeconsideredfree.Thus,efficientparallelizationcan bedonewhendoingexponentiation;

– the scalar complexity of our exponentiation algorithm is reduced, compare to a basic exponentiation using CCMA, thankstoa suitablebasis representationoftheRiemann–RochspaceL(2D) inthesecondevaluationmap.Morepre- cisely,thenormalbasisrepresentationoftheresidueclassfieldiscarriedintheassociatedRiemann–RochspaceL(^D), andtheexponentiationbyq consistsofacircularshiftofthenfirstcoordinatesofthevectorslying intheRiemann–

RochspaceL(2D);

– ourmodelusestheCoppersmith–Winograd[4]method(denotedCW)oranyvariantsthereoftoimprovematrixprod- uctsandtodiminishthenumberofscalaroperations.Thisimprovementisparticularlyefficientforexponentiation.

Theorem2.1.Inthenon-scalarmodelNS,thereexistmultiplicationandexponentiationalgorithmsinFqⁿsuchthat:

– themultiplicationisdoneinparalleltimeinO 1

multiplicationsinFqwithO n

processors,foratotalinO n

multiplications;

– exponentiationisdoneinparalleltimeinO logn

multiplicationsinFqwithO

n²/log²n

processors,foratotalinO

n²/logn multiplications.

When considering models S1 andS2,two cases can be distinguished forthe multiplication complexity.We might be interested either in thecomplexity ofone multiplication or inthe average (amortized) complexity of one multiplication whenmanymultiplicationsaredonesimultaneously.Regardingexponentiation,awiseuseofCWmethodallowscomplexity tobeimproved.

Theorem2.2.InthemodelS1,thereexistmultiplicationandexponentiationalgorithmsinFqⁿsuchthat:

– multiplication:

a) onemultiplicationisdoneinparalleltimeinO 1

multiplicationsinFqwithO n²

processors,foratotalinO n²

multiplica- tions;

b) intheamortizedsense,theparalleltimeisinO 1

multiplicationsinFq withO n¹⁺

processors,foratotalinO n¹⁺ multiplicationswherethevalueof isapproximately0.38forthebestknownmatrixproductmethods;

– exponentiation isdonein a parallel timeofO logn

multiplications in Fq with O

n²⁺/log²n

processors, fora totalin O

n²⁺log¹⁻²n

multiplications.

Theorem2.3.InthemodelS2,thereexistmultiplicationandexponentiationalgorithmsinFqⁿsuchthat:

– multiplication:

a) onemultiplicationisdoneinparalleltimeinO logn

operationsinFqwithO

n²/logn

processors,foratotalinO n² operations;

b) intheamortizedsense,theparalleltimeisinO logn

operationsinFqwithO

n¹⁺/logn

processors,foratotalinO n¹⁺ operations;recallthatthevalueof isapproximately0.38forthebestmatrixproductmethods;

JID:CRASS1 AID:5641 /FLA Doctopic: Number theory [m3G; v1.172; Prn:15/01/2016; 16:07] P.4 (1-5) 4 K. Atighehchi et al. / C. R. Acad. Sci. Paris, Ser. I•••(••••)•••–•••

– exponentiation is done in a parallel timeof O log²n

operations in Fq with O

n²⁺/log¹⁺²n

processors, fora total in O

n²⁺log¹⁻²n

operations.

2.1. Multiplicationandexponentiationalgorithms

Let F/Fq be an algebraic functionfield overthefinitefield Fq ofgenus g(F).Wedenote by N₁(F/Fq) thenumberof places ofdegreeone ofF overFq.IfD isadivisor,L(^D)denotes theRiemann–Rochspaceassociatedwith D.Wedenote by FQ theresidueclass fieldoftheplace Q whichisisomorphic toFq^deg(Q),wheredeg(Q) isthedegreeoftheplace Q. Thefollowingtheoremthatmakeseffectivetheoriginalalgorithmgroupssomeresultsof[2].

Theorem2.4.LetF/Fqbeanalgebraicfunctionfieldofgenusg(F)definedoverFqandn aninteger.Letussupposethatthereexists aplaceQ ofdegreen.

Then,ifN1(F/Fq)>2n+^2g−^{2thereisaneffectivedivisorD ofdegreen}+^g−^1suchthat:

(i) Q isnotinthesupportofD, (ii) theevaluationmapE definedby

E: L(D) → FQ

f → ^f(Q)

isanisomorphismofvectorspacesoverFq,

(iii) thereexist2n+^g−^{1placesofdegreeoneP}iwhicharenotinthesupportofD suchthatthemulti-evaluationmapT definedby T:L(2D) →

Fq

2n+g−1

f →

f(P1) , . . . ,f

P2n+^g−¹

isanisomorphism.

2.1.1. Strategyofimplementation

The constructionofthealgorithmisbasedon thechoiceoftheplace Q ofdegreen,theeffectivedivisorD ofdegree n+^g−^{1,thebasesofspaces}L(D)andL(2D),andthebasisoftheresidueclassfield FQ oftheplace Q.TheplaceQ of degreenislyingaboveanormalprimitivepolynomialinFq[^X]^{,whichistotallydecomposedinthealgebraicfunctionfield} F/Fq.

Astheresidueclassfield FQ oftheplaceQ isisomorphictothefinitefieldFqⁿ,weidentifyFqⁿ toFQ.Indeed,deg(D)= n+^g−^1,dim(D−^Q)=^{0 yet}L(D−^Q)=^Ker(E).Inparticular,we chooseforbasisofL(D),thereciprocalimage BD of thebasisBQ =(φ1,. . . ,φn)of FQ bytheevaluationmapE,namelyBD=(E⁻¹(φ1),. . . ,E⁻¹(φn)).

NotethatasthedivisorDisaneffectivedivisor,wehaveL(^D)⊂L(^2D).LetP bethemapfromL(^2D)toL(^2D)defined in thefollowing way:if f∈L(^2D) then f(Q) isin theresiduefield FQ ofthe place Q; define P(f)= ^J◦^E−1

f(Q) , where JistheinjectionmapfromL(D)intoL(2D).Then P isalinearmapfromL(2D)intoL(2D)whoseimageisL(D). Moreprecisely, P isaprojectionfromL(2D)ontoL(D).LetM^{bethekernelof P.Then}L(2D)=L(D)⊕M^.

2.1.2. ProductoftwoelementsinFqⁿ

Let x=(x1,. . . ,xn) and y=(y1,. . . ,yn) be two elements of Fqⁿ given by their components over Fq relative to the chosenbasisBQ.Accordingtothepreviousnotation,wecanconsiderthatxandy areidentifiedtothefollowingelements ofL(D):

fx= n

i=1

xifi and fy= n

i=1

yifi.

Wewillconsiderthatxandyarerespectivelytheelements f_xand f_yofL(^2D)wherethen+^g−^{1 lastcomponentsare 0.}

Nowitisclearthatknowingxor fx bytheircoordinatesisthesamething.

DenotetheHadamardproductin Fq

2n+^g−¹ by:

(u₁, . . . ,u_2n+g−1) (v₁, . . . ,v_2n+g−1)=(u₁v₁, . . . ,u_2n+g−1v_2n+g−1).

Theorem2.5.Theproductofx byy issuchthat f_xy=^P

T⁻¹

T(f_x) T(f_y) .