Abstract
This paper presents several methods for reducing the number of bit operations for multiplication of polynomials over the binary field. First, a modified version of Bernstein's 3-way algorithm is introduced, followed by a new 5-way algorithm. Next, a new 3-way algorithm that improves the asymptotic arithmetic complexity compared to Bernstein's 3-way algorithm is introduced. This new algorithm uses three multiplications of one-third size polynomials over the binary field and one multiplication of one-third size polynomials over the finite field with four elements. Unlike Bernstein's algorithm, which has a linear delay complexity with respect to input size, the delay complexity of the new algorithm is logarithmic. The number of bit operations for the multiplication of polynomials over the finite field with four elements is also computed. Finally, all these new results are combined to obtain improved complexities.
References
Barbulescu, R., Detrey, J., Estibals, N., Zimmermann, P.: Finding optimal formulae for bilinear maps. In: WAIFI, pp. 168–186 (2012)
Bernstein, D.J.: Minimum number of bit operations for multiplication (2013). http://binary.cr.yp.to/m.html. Accessed 25 Jan 2013
Bernstein, D.J.: Batch binary edwards. In: Advances in Cryptology—CRYPTO 2009, LNCS, vol. 5677, pp. 317–336 (2009)
Bodrato, M.: Towards optimal toom-cook multiplication for univariate and multivariate polynomials in characteristic 2 and 0. In: WAIFI, pp. 116–133 (2007)
Bodrato, M., Zanoni, A.: Integer and polynomial multiplication: towards optimal toom-cook matrices. In: ISSAC, pp. 17–24 (2007)
Boyar, J., Dworkin, M., Fischer, M., Peralta, R., Visconti, A., Schiavo, C., Turan, M., Calik, C., Wood, C.: Past collaborators include: M. Bartock, B. Strackbein, C. Baker, J. Svensson, H. Gao, S. Zimmermann, and M. Bocchi. Circuit minimization work. A web page including explicit formulas for multiplication over the binary field by the Circuit Minimization Team at the Yale University (2013). http://www.cs.yale.edu/homes/peralta/CircuitStuff/CMT.html. Accessed 25 Nov 2013
Brent, R.P., Gaudry, P., Thomé, E., Zimmermann, P.: Faster multiplication in GF(2)\([x]\). In: ANTS, pp. 153–166 (2008)
Cenk, M., Koç, Ç.K., Özbudak, F.: Polynomial multiplication over finite fields using field extensions and interpolation. In: IEEE Symposium on Computer Arithmetic, pp. 84–91 (2009)
Cenk, M., Hasan, M.A., Negre, C.: Efficient subquadratic space complexity binary polynomial multipliers based on block recombination. IEEE Trans. Comput. 63(9), 2273–2287 (2014)
Cenk, M., Negre, C., Hasan, M.A.: Improved three-way split formulas for binary polynomial multiplication. In: Selected Areas in Cryptography, pp. 384–398 (2011)
Cenk, M., Negre, C., Hasan, M.A.: Improved three-way split formulas for binary polynomial and toeplitz matrix vector products. IEEE Trans. Comput. 62(7), 1345–1361 (2013)
Cenk, M., Özbudak, F.: Improved polynomial multiplication formulas over \({\mathbb{F}}_2\) using Chinese remainder theorem. IEEE Trans. Comput. 58(4), 572–576 (2009)
Dyka, Z., Langendoerfer, P., Vater, F.: Combining multiplication methods with optimized processing sequence for polynomial multiplier in GF\((2^k)\). In: WEWoRC, pp. 137–150 (2011)
Dyka, Z., Langendoerfer, P., Vater, F., Peter, S.: Towards strong security in embedded and pervasive systems: energy and area optimized serial polynomial multipliers in GF\((2^k)\). In: NTMS, pp. 1–6 (2012)
Erdem, S.S., Koç, Ç.K.: A less recursive variant of karatsuba-ofman algorithm for multiplying operands of size a power of two. In: IEEE Symposium on Computer Arithmetic, pp. 28–35 (2003)
Erdem, S.S., Yanik, T., Koç, Ç.K.: Polynomial basis multiplication over GF\((2^m)\). Acta Appl. Math. 93(1–3), 33–55 (2006)
Fan, H., Hasan, M.A.: Comments on “five, six, and seven-term Karatsuba-like formulae”. IEEE Trans. Comput. 56(5), 716–717 (2007)
Fan, H., Sun, J., Gu, M., Lam, K.-Y.: Overlap-free Karatsuba–Ofman polynomial multiplication algorithms. Inf. Secur. IET 4, 8–14 (2010)
Karatsuba, A.A., Ofman, Y.: Multiplication of multidigit numbers on automata. Sov. Phys. Dokl. 7, 595–596 (1963)
Montgomery, P.L.: Five, six, and seven-term Karatsuba-like formulae. IEEE Trans. Comput. 54(3), 362–369 (2005)
Negre, C.: Improved three-way split approach for binary polynomial multiplication based on optimized reconstruction. In: Technical Report hal-00788646, Team DALI/LIRMM, on Hyper Articles en Ligne (HAL) (2013)
Negre, C.: Efficient binary polynomial multiplication based on optimized Karatsuba reconstruction. J. Cryptogr. Eng. 4(2), 91–106 (2014)
Chang, N.S., Kim, C.H., Park, Y.-H., Lim, J.: A non-redundant and efficient architecture for Karatsuba–Ofman algorithm. In: ISC, pp. 288–299 (2005)
Sunar, B.: A generalized method for constructing subquadratic complexity GF(\(2^k\)) multipliers. IEEE Trans. Comput. 53, 1097–1105 (2004)
von zur Gathen, J., Shokrollahi, J.: Efficient fpga-based karatsuba multipliers for polynomials over \(\mathbb{F}_2\). In: Selected Areas in Cryptography, pp. 359–369 (2005)
Winograd, S.: Arithmetic Complexity of Computations. Society For Industrial and Applied Mathematics, Philadelphia (1980)
Zhou, G., Michalik, H.: Comments on “a new architecture for a parallel finite field multiplier with low complexity based on composite field”. IEEE Trans. Comput. 59(7), 1007–1008 (2010)
Zhou, G., Michalik, H., Hinsenkamp, L.: Complexity analysis and efficient implementations of bit parallel finite field multipliers based on karatsuba-ofman algorithm on fpgas. IEEE Trans. VLSI Syst. 18(7), 1057–1066 (2010)
Acknowledgments
The authors would like to thank undergraduate research assistant Ryan Young, who wrote C code for them to automate the generation of a part of the data included in Table 2 in Appendix A. The authors would also like to thank Dr. Rene Peralta for commenting on the explicit formulas presented in the paper. This work was supported in part by an NSERC grant awarded to Dr. M. Anwar Hasan. Part of this paper was written while Dr. Murat Cenk was a postdoctoral fellow in the Department of Electrical and Computer Engineering at the University of Waterloo. Dr. Murat Cenk was partially supported by TUBITAK under Grant No. BIDEB—114C052.
Appendices
Appendix A: New bounds for multiplication over \(\mathbb {F}_2\)
We give the new bounds for certain values of \(n\) that are of interest for cryptographic applications. Note that the improvements can be further enhanced by obtaining the explicit algorithm and eliminating common operations as in [2, 3]. The results are shown in Table 2.
Appendix B: Algorithms for \(n=9\) and \(n=15\)
For \(n=9,\, A=\sum _{i=0}^{8}a[i]X^i,\, B=\sum _{i=0}^{8}b[i]X^i\) and \( C=AB=\sum _{i=0}^{16}c[i]X^i\). The coefficients of \(C\) are computed using the following algorithm, in which the input bits \(a[i]\) and \(b[i]\) are written \(a0,\ldots,a8\) and \(b0,\ldots,b8\); \(*\) is multiplication (AND) and \(+\) is addition (XOR) in \(\mathbb{F}_2\):
Algorithm for \(n=9\) | ||||||
---|---|---|---|---|---|---|
\( t1=a0*b0 \) | \( t22=t20+t21 \) | \( t43=b3+b6 \) | \( t64=b2+b5 \) | \( t85=t78*t82 \) | \( t106=t26+t30 \) | \( c0=t1 \) |
\( t2=a0*b1 \) | \( t23=a4*b5 \) | \( t44=b4+b7 \) | \( t65=t59*t62 \) | \( t86=t79*t81 \) | \( t107=t99+t105 \) | \( c1=t4 \) |
\( t3=a1*b0 \) | \( t24=a5*b4 \) | \( t45=b5+b8 \) | \( t66=t59*t63 \) | \( t87=t85+t86 \) | \( t108=t100+t106 \) | \( c2=t9 \) |
\( t4=t2+t3 \) | \( t25=t23+t24 \) | \( t46=t40*t43 \) | \( t67=t60*t62 \) | \( t88=t78*t83 \) | \( t109=t101+t35 \) | \( c3=t102 \) |
\( t5=a0*b2 \) | \( t26=a5*b5 \) | \( t47=t40*t44 \) | \( t68=t66+t67 \) | \( t89=t79*t82 \) | \( t110=t76+t84 \) | \( c4=t103 \) |
\( t6=a1*b1 \) | \( t27=a6*b6 \) | \( t48=t41*t43 \) | \( t69=t59*t64 \) | \( t90=t80*t81 \) | \( t111=t77+t87 \) | \( c5= t104 \) |
\( t7=a2*b0 \) | \( t28=a6*b7 \) | \( t49=t47+t48 \) | \( t70=t60*t63 \) | \( t91=t88+t89 \) | \( t112=t107+t110 \) | \( c6=t112 \) |
\( t8=t5+t6 \) | \( t29=a7*b6 \) | \( t50=t40*t45 \) | \( t71=t61*t62 \) | \( t92=t90+t91 \) | \( t113=t108+t111 \) | \( c7= t113 \) |
\( t9=t7+t8 \) | \( t30=t28+t29 \) | \( t51=t41*t44 \) | \( t72=t69+t70 \) | \( t93=t79*t83 \) | \( t114=t109+t92 \) | \( c8= t114 \) |
\( t10=a1*b2 \) | \( t31=a6*b8 \) | \( t52=t42*t43 \) | \( t73=t71+t72 \) | \( t94=t80*t82 \) | \( t115=t105+t38 \) | \( c9= t123 \) |
\( t11=a2*b1 \) | \( t32=a7*b7 \) | \( t53=t50+t51 \) | \( t74=t60*t64 \) | \( t95=t93+t94 \) | \( t116=t106+t39 \) | \( c10= t124 \) |
\( t12=t10+t11 \) | \( t33=a8*b6 \) | \( t54=t52+t53 \) | \( t75=t61*t63 \) | \( t96=t80*t83 \) | \( t117=t115+t97 \) | \( c11= t122 \) |
\( t13=a2*b2 \) | \( t34=t31+t32 \) | \( t55=t41*t45 \) | \( t76=t74+t75 \) | \( t97=t12+t14 \) | \( t118=t116+t98 \) | \( c12= t125 \) |
\( t14=a3*b3 \) | \( t35=t33+t34 \) | \( t56=t42*t44 \) | \( t77=t61*t64 \) | \( t98=t13+t17 \) | \( t119=t35+t22 \) | \( c13= t126 \) |
\( t15=a3*b4 \) | \( t36=a7*b8 \) | \( t57=t55+t56 \) | \( t78=a0+a6 \) | \( t99=t97+t1 \) | \( t120=t46+t117 \) | \( c14= t35 \) |
\( t16=a4*b3 \) | \( t37=a8*b7 \) | \( t58=t42*t45 \) | \( t79=a1+a7 \) | \( t100=t98+t4 \) | \( t121=t49+t118 \) | \( c15= t38 \) |
\( t17=t15+t16 \) | \( t38=t36+t37 \) | \( t59=a0+a3 \) | \( t80=a2+a8 \) | \( t101=t22+t9 \) | \( t122=t54+t119 \) | \( c16= t39 \) |
\( t18=a3*b5 \) | \( t39=a8*b8 \) | \( t60=a1+a4 \) | \( t81=b0+b6 \) | \( t102=t99+t65 \) | \( t123=t95+t120 \) | |
\( t19=a4*b4 \) | \( t40=a3+a6 \) | \( t61=a2+a5 \) | \( t82=b1+b7 \) | \( t103=t100+t68 \) | \( t124=t96+t121 \) | |
\( t20=a5*b3 \) | \( t41=a4+a7 \) | \( t62=b0+b3 \) | \( t83=b2+b8 \) | \( t104=t101+t73 \) | \( t125=t57+t115 \) | |
\( t21=t18+t19 \) | \( t42=a5+a8 \) | \( t63=b1+b4 \) | \( t84=t78*t81 \) | \( t105=t25+t27 \) | \( t126=t58+t116 \) |
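The \(n=9\) table above can be checked mechanically. The Python below is added here and is not code from the paper: it transcribes the table as a straight-line program, evaluates it bit by bit with AND and XOR over \(\mathbb{F}_2\), compares the result with schoolbook multiplication on random operands, and counts the AND and XOR gates, i.e. the bit-operation cost the paper measures.

```python
import random
import re
# Appendix B's n=9 table transcribed as text: on bits '*' is AND, '+' is XOR; 'ci=tj' names outputs.
N9 = """
t1=a0*b0 t2=a0*b1 t3=a1*b0 t4=t2+t3 t5=a0*b2 t6=a1*b1 t7=a2*b0 t8=t5+t6 t9=t7+t8 t10=a1*b2
t11=a2*b1 t12=t10+t11 t13=a2*b2 t14=a3*b3 t15=a3*b4 t16=a4*b3 t17=t15+t16 t18=a3*b5 t19=a4*b4
t20=a5*b3 t21=t18+t19 t22=t20+t21 t23=a4*b5 t24=a5*b4 t25=t23+t24 t26=a5*b5 t27=a6*b6 t28=a6*b7
t29=a7*b6 t30=t28+t29 t31=a6*b8 t32=a7*b7 t33=a8*b6 t34=t31+t32 t35=t33+t34 t36=a7*b8 t37=a8*b7
t38=t36+t37 t39=a8*b8 t40=a3+a6 t41=a4+a7 t42=a5+a8 t43=b3+b6 t44=b4+b7 t45=b5+b8 t46=t40*t43
t47=t40*t44 t48=t41*t43 t49=t47+t48 t50=t40*t45 t51=t41*t44 t52=t42*t43 t53=t50+t51 t54=t52+t53
t55=t41*t45 t56=t42*t44 t57=t55+t56 t58=t42*t45 t59=a0+a3 t60=a1+a4 t61=a2+a5 t62=b0+b3 t63=b1+b4
t64=b2+b5 t65=t59*t62 t66=t59*t63 t67=t60*t62 t68=t66+t67 t69=t59*t64 t70=t60*t63 t71=t61*t62
t72=t69+t70 t73=t71+t72 t74=t60*t64 t75=t61*t63 t76=t74+t75 t77=t61*t64 t78=a0+a6 t79=a1+a7
t80=a2+a8 t81=b0+b6 t82=b1+b7 t83=b2+b8 t84=t78*t81 t85=t78*t82 t86=t79*t81 t87=t85+t86 t88=t78*t83
t89=t79*t82 t90=t80*t81 t91=t88+t89 t92=t90+t91 t93=t79*t83 t94=t80*t82 t95=t93+t94 t96=t80*t83
t97=t12+t14 t98=t13+t17 t99=t97+t1 t100=t98+t4 t101=t22+t9 t102=t99+t65 t103=t100+t68 t104=t101+t73
t105=t25+t27 t106=t26+t30 t107=t99+t105 t108=t100+t106 t109=t101+t35 t110=t76+t84 t111=t77+t87
t112=t107+t110 t113=t108+t111 t114=t109+t92 t115=t105+t38 t116=t106+t39 t117=t115+t97 t118=t116+t98
t119=t35+t22 t120=t46+t117 t121=t49+t118 t122=t54+t119 t123=t95+t120 t124=t96+t121 t125=t57+t115
t126=t58+t116 c0=t1 c1=t4 c2=t9 c3=t102 c4=t103 c5=t104 c6=t112 c7=t113 c8=t114 c9=t123 c10=t124
c11=t122 c12=t125 c13=t126 c14=t35 c15=t38 c16=t39
"""

def parse(text):
    """Turn 'dst=x*y', 'dst=x+y' or 'dst=x' tokens into (dst, op, x, y) steps."""
    steps = []
    for tok in text.split():
        dst, expr = tok.split("=")
        m = re.fullmatch(r"(\w+)([*+])(\w+)", expr)
        steps.append((dst, m[2], m[1], m[3]) if m else (dst, "=", expr, None))
    return steps
def run(steps, a, b):
    """Evaluate the program on bit lists a, b; return the 2n-1 output bits c0, c1, ..."""
    env = {**{f"a{i}": v for i, v in enumerate(a)}, **{f"b{i}": v for i, v in enumerate(b)}}
    for dst, op, x, y in steps:
        env[dst] = env[x] & env[y] if op == "*" else env[x] ^ env[y] if op == "+" else env[x]
    return [env[f"c{i}"] for i in range(len(a) + len(b) - 1)]
def schoolbook(a, b):  # reference product over F_2: c[i+j] ^= a[i] & b[j]
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] ^= ai & bj
    return c
def gate_counts(steps):  # (ANDs, XORs): the bit-operation cost of the formula
    return sum(op == "*" for _, op, _, _ in steps), sum(op == "+" for _, op, _, _ in steps)
def check_n9(trials=3000, seed=7):  # True iff the table matches schoolbook on random inputs
    steps, rng = parse(N9), random.Random(seed)
    pairs = [(rng.choices([0, 1], k=9), rng.choices([0, 1], k=9)) for _ in range(trials)]
    return all(run(steps, a, b) == schoolbook(a, b) for a, b in pairs)
```

The \(n=15\) table can be fed to the same checker after renaming its bracketed inputs (a[i], b[i]) to the ai, bi form used here.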
For \(n=15,\, A=\sum _{i=0}^{14}a[i]X^i,\, B=\sum _{i=0}^{14}b[i]X^i\) and \( C=AB=\sum _{i=0}^{28}c[i]X^i\). The coefficients of \(C\) are computed using the following algorithm:
Algorithm for \(n=15\) | |||||
---|---|---|---|---|---|
\(t1=a[0]*b[0]\) | \(t59=a[14]*b[12]\) | \(t117=t114+t115\) | \(t175=t174+t173\) | \(t233=t230+t220\) | \(t291=t276+t288\) |
\(t2=a[0]*b[1]\) | \(t60=t57+t58\) | \(t118=t117+t116\) | \(t176=t162*t166\) | \(t234=t231+t221\) | \(t292=t277+t289\) |
\(t3=a[1]*b[0]\) | \(t61=t60+t59\) | \(t119=t105*t109\) | \(t177=t163*t165\) | \(t235=t232+t222\) | \(t293=t233+t265\) |
\(t4=t2+t3\) | \(t62=a[13]*b[14]\) | \(t120=t106*t108\) | \(t178=t176+t177\) | \(t236=t226+t218\) | \(t294=t234+t266\) |
\(t5=a[0]*b[2]\) | \(t63=a[14]*b[13]\) | \(t121=t119+t120\) | \(t179=t163*t166\) | \(t237=t227+t219\) | \(t295=t235+t61\) |
\(t6=a[1]*b[1]\) | \(t64=t62+t63\) | \(t122=t106*t109\) | \(t180=t123+t66\) | \(t238=t35+t9\) | \(t296=t284+t293\) |
\(t7=a[2]*b[0]\) | \(t65=a[14]*b[14]\) | \(t123=a[12]+a[9]\) | \(t181=t124+t67\) | \(t239=t40+t38\) | \(t297=t285+t294\) |
\(t8=t5+t6\) | \(t66=a[3]+a[0]\) | \(t124=a[13]+a[10]\) | \(t182=t125+t68\) | \(t240=t43+t39\) | \(t298=t286+t295\) |
\(t9=t8+t7\) | \(t67=a[4]+a[1]\) | \(t125=a[14]+a[11]\) | \(t183=t126+t69\) | \(t241=t239+t236\) | \(t299=t178+t186\) |
\(t10=a[1]*b[2]\) | \(t68=a[5]+a[2]\) | \(t126=b[12]+b[9]\) | \(t184=t127+t70\) | \(t242=t240+t237\) | \(t300=t179+t189\) |
\(t11=a[2]*b[1]\) | \(t69=b[3]+b[0]\) | \(t127=b[13]+b[10]\) | \(t185=t128+t71\) | \(t243=t48+t238\) | \(t301=t296+t299\) |
\(t12=t10+t11\) | \(t70=b[4]+b[1]\) | \(t128=b[14]+b[11]\) | \(t186=t180*t183\) | \(t244=t53+t241\) | \(t302=t297+t300\) |
\(t13=a[2]*b[2]\) | \(t71=b[5]+b[2]\) | \(t129=t123*t126\) | \(t187=t180*t184\) | \(t245=t56+t242\) | \(t303=t298+t194\) |
\(t14=a[3]*b[3]\) | \(t72=t66*t69\) | \(t130=t123*t127\) | \(t188=t181*t183\) | \(t246=t61+t243\) | \(t304=t1+t244\) |
\(t15=a[3]*b[4]\) | \(t73=t66*t70\) | \(t131=t124*t126\) | \(t189=t187+t188\) | \(t247=t110+t102\) | \(t305=t4+t245\) |
\(t16=a[4]*b[3]\) | \(t74=t67*t69\) | \(t132=t130+t131\) | \(t190=t180*t185\) | \(t248=t113+t103\) | \(t306=t9+t246\) |
\(t17=t15+t16\) | \(t75=t73+t74\) | \(t133=t123*t128\) | \(t191=t181*t184\) | \(t249=t247+t244\) | \(t307=t64+t304\) |
\(t18=a[3]*b[5]\) | \(t76=t66*t71\) | \(t134=t124*t127\) | \(t192=t182*t183\) | \(t250=t248+t245\) | \(t308=t65+t305\) |
\(t19=a[4]*b[4]\) | \(t77=t67*t70\) | \(t135=t125*t126\) | \(t193=t190+t191\) | \(t251=t118+t246\) | \(t309=t247+t307\) |
\(t20=a[5]*b[3]\) | \(t78=t68*t69\) | \(t136=t133+t134\) | \(t194=t193+t192\) | \(t252=t186+t148\) | \(t310=t248+t308\) |
\(t21=t18+t19\) | \(t79=t76+t77\) | \(t137=t136+t135\) | \(t195=t181*t185\) | \(t253=t189+t151\) | \(t311=t118+t306\) |
\(t22=t21+t20\) | \(t80=t79+t78\) | \(t138=t124*t128\) | \(t196=t182*t184\) | \(t254=t194+t156\) | \(t312=t178+t309\) |
\(t23=a[4]*b[5]\) | \(t81=t67*t71\) | \(t139=t125*t127\) | \(t197=t195+t196\) | \(t255=t252+t205\) | \(t313=t179+t310\) |
\(t24=a[5]*b[4]\) | \(t82=t68*t70\) | \(t140=t125*t128\) | \(t198=t182*t185\) | \(t256=t253+t208\) | \(t314=t197+t312\) |
\(t25=t23+t24\) | \(t83=t81+t82\) | \(t141=t138+t139\) | \(t199=t180+a[6]\) | \(t257=t254+t213\) | \(t315=t198+t313\) |
\(t26=a[5]*b[5]\) | \(t84=t68*t71\) | \(t142=a[9]+t85\) | \(t200=t181+a[7]\) | \(t258=t249+t255\) | \(t316=t216+t314\) |
\(t27=a[6]*b[6]\) | \(t85=a[6]+a[0]\) | \(t143=a[10]+t86\) | \(t201=t182+a[8]\) | \(t259=t250+t256\) | \(t317=t217+t315\) |
\(t28=a[6]*b[7]\) | \(t86=a[7]+a[1]\) | \(t144=a[11]+t87\) | \(t202=t183+b[6]\) | \(t260=t251+t257\) | \(c0=t1\) |
\(t29=a[7]*b[6]\) | \(t87=a[8]+a[2]\) | \(t145=b[9]+t88\) | \(t203=t184+b[7]\) | \(t261=t53+t51\) | \(c1=t4\) |
\(t30=t28+t29\) | \(t88=b[6]+b[0]\) | \(t146=b[10]+t89\) | \(t204=t185+b[8]\) | \(t262=t56+t52\) | \(c2=t9\) |
\(t31=a[6]*b[8]\) | \(t89=b[7]+b[1]\) | \(t147=b[11]+t90\) | \(t205=t199*t202\) | \(t263=t261+t64\) | \(c3=t223\) |
\(t32=a[7]*b[7]\) | \(t90=b[8]+b[2]\) | \(t148=t142*t145\) | \(t206=t199*t203\) | \(t264=t262+t65\) | \(c4=t224\) |
\(t33=a[8]*b[6]\) | \(t91=t85*t88\) | \(t149=t142*t146\) | \(t207=t200*t202\) | \(t265=t263+t141\) | \(c5=t225\) |
\(t34=t31+t32\) | \(t92=t85*t89\) | \(t150=t143*t145\) | \(t208=t206+t207\) | \(t266=t264+t140\) | \(c6=t233\) |
\(t35=t34+t33\) | \(t93=t86*t88\) | \(t151=t149+t150\) | \(t209=t199*t204\) | \(t267=t263+t239\) | \(c7=t234\) |
\(t36=a[7]*b[8]\) | \(t94=t92+t93\) | \(t152=t142*t147\) | \(t210=t200*t203\) | \(t268=t264+t240\) | \(c8=t235\) |
\(t37=a[8]*b[7]\) | \(t95=t85*t90\) | \(t153=t143*t146\) | \(t211=t201*t202\) | \(t269=t61+t48\) | \(c9=t258\) |
\(t38=t36+t37\) | \(t96=t86*t89\) | \(t154=t144*t145\) | \(t212=t209+t210\) | \(t270=t121+t129\) | \(c10=t259\) |
\(t39=a[8]*b[8]\) | \(t97=t87*t88\) | \(t155=t152+t153\) | \(t213=t212+t211\) | \(t271=t122+t132\) | \(c11=t260\) |
\(t40=a[9]*b[9]\) | \(t98=t95+t96\) | \(t156=t155+t154\) | \(t214=t200*t204\) | \(t272=t267+t270\) | \(c12=t290\) |
\(t41=a[9]*b[10]\) | \(t99=t98+t97\) | \(t157=t143*t147\) | \(t215=t201*t203\) | \(t273=t268+t271\) | \(c13=t291\) |
\(t42=a[10]*b[9]\) | \(t100=t86*t90\) | \(t158=t144*t146\) | \(t216=t214+t215\) | \(t274=t269+t137\) | \(c14=t292\) |
\(t43=t41+t42\) | \(t101=t87*t89\) | \(t159=t157+t158\) | \(t217=t201*t204\) | \(t275=t272+t223\) | \(c15=t301\) |
\(t44=a[9]*b[11]\) | \(t102=t100+t101\) | \(t160=t144*t147\) | \(t218=t12+t1\) | \(t276=t273+t224\) | \(c16=t302\) |
\(t45=a[10]*b[10]\) | \(t103=t87*t90\) | \(t161=t104+a[3]\) | \(t219=t13+t4\) | \(t277=t274+t225\) | \(c17=t303\) |
\(t46=a[11]*b[9]\) | \(t104=a[12]+a[6]\) | \(t162=t105+a[4]\) | \(t220=t14+t218\) | \(t278=t159+t167\) | \(c18=t316\) |
\(t47=t44+t45\) | \(t105=a[13]+a[7]\) | \(t163=t106+a[5]\) | \(t221=t17+t219\) | \(t279=t160+t170\) | \(c19=t317\) |
\(t48=t47+t46\) | \(t106=a[14]+a[8]\) | \(t164=t107+b[3]\) | \(t222=t22+t9\) | \(t280=t205+t216\) | \(c20=t311\) |
\(t49=a[10]*b[11]\) | \(t107=b[12]+b[6]\) | \(t165=t108+b[4]\) | \(t223=t72+t220\) | \(t281=t208+t217\) | \(c21=t272\) |
\(t50=a[11]*b[10]\) | \(t108=b[13]+b[7]\) | \(t166=t109+b[5]\) | \(t224=t75+t221\) | \(t282=t148+t197\) | \(c22=t273\) |
\(t51=t49+t50\) | \(t109=b[14]+b[8]\) | \(t167=t161*t164\) | \(t225=t80+t222\) | \(t283=t151+t198\) | \(c23=t274\) |
\(t52=a[11]*b[11]\) | \(t110=t104*t107\) | \(t168=t161*t165\) | \(t226=t27+t25\) | \(t284=t278+t280\) | \(c24=t265\) |
\(t53=a[12]*b[12]\) | \(t111=t104*t108\) | \(t169=t162*t164\) | \(t227=t30+t26\) | \(t285=t279+t281\) | \(c25=t266\) |
\(t54=a[12]*b[13]\) | \(t112=t105*t107\) | \(t170=t168+t169\) | \(t228=t91+t83\) | \(t286=t175+t213\) | \(c26=t61\) |
\(t55=a[13]*b[12]\) | \(t113=t111+t112\) | \(t171=t161*t166\) | \(t229=t94+t84\) | \(t287=t282+t284\) | \(c27=t64\) |
\(t56=t54+t55\) | \(t114=t104*t109\) | \(t172=t162*t165\) | \(t230=t228+t226\) | \(t288=t283+t285\) | \(c28=t65\) |
\(t57=a[12]*b[14]\) | \(t115=t105*t108\) | \(t173=t163*t164\) | \(t231=t229+t227\) | \(t289=t156+t286\) | |
\(t58=a[13]*b[13]\) | \(t116=t106*t107\) | \(t174=t171+t172\) | \(t232=t99+t35\) | \(t290=t275+t287\) |
Cite this article
Cenk, M., Hasan, M.A. Some new results on binary polynomial multiplication. J Cryptogr Eng 5, 289–303 (2015). https://doi.org/10.1007/s13389-015-0101-6