7.4 Algorithms: obtaining expressions for finite field arithmetic
7.4.2 The matrix U methods in the FFCSA package
The expressions for the product C can then be obtained by multiplying the r.h.s. of equation (7.4):
$$c_i = \sum_{j=0}^{m-1} u_{i,j}\, b_j, \qquad 0 \le i \le m-1 \qquad (7.5)$$
The expressions obtained in this manner are used for the implementation of a multiplier circuit.
7.4.2 The matrix U methods in the FFCSA package
The FFCSA package implements several arithmetic operations (Table 7.5) using the matrix U obtained by equation (7.3). Multiplication, squaring, and exponentiation using matrix U are implemented as follows:
1. ChooseFieldElms( F ) prepares GAP variables a_i and b_i for the vectors avec = [A]_{B_{F/K}} and bvec = [B]_{B_{F/K}}, to allow symbolic computation.
2. MatrixU( B ) computes the matrix U with the elements based on u'_{i,j} = [α^{(i)} α^{(j)}], that is, the product of two basis elements represented w.r.t. the basis B = B_{F/K}.
3. MatrixUExpression( B, avec ) computes the matrix U with elements obtained based on equation (7.3). It requires the inputs B = B_{F/K} and the vector of symbols avec = [A].
4. FFA_mult_matrixU( B, avec, bvec ) first computes the matrix U with the symbols a_i as Uexpr = MatrixUExpression( B, avec ), and then returns the product of the obtained matrix and the second vector: Uexpr * bvec.
5. FFA_sq_matrixU( B, avec ) first computes the matrix U expressions for avec, i.e., Uexpr = MatrixUExpression( B, avec ), and then uses the same vector again to obtain Uexpr * avec. Finally, the exponents of all m expressions are reduced modulo |K| − 1.
6. FFA_exp_matrixU( B, avec, e ) computes the expressions for the exponentiation A^e using the classic square-and-multiply method. Both squaring and multiplication use matrix U, and the exponents are reduced modulo |K| − 1 at each step.
7. FFA_inv_matrixU( B, avec ) computes the inverse expressions as exponentiation with e set to |F| − 2 (Remark 2.1.17, page 14 in [15]): FFA_exp_matrixU( B, avec, e ).
All reductions modulo |K| − 1 use ReduceMonomialsOverField (Table 6.5).
Example 7.4.1 shows the multiplication expressions obtained for F_{2^4} using a polynomial basis. Example C.3.3 in Appendix C.3 shows the squaring expressions for the same field and basis. Example
Example 7.4.1 Multiplication expressions for F_{2^4}
The following simple example shows how to compute the matrix U for a polynomial basis. The irreducible polynomial used in this example is $f(x) = x^4 + x + 1$ with root $\alpha$, yielding PB = $\{1, \alpha, \alpha^2, \alpha^3\}$. The expressions used for the reduction are $\alpha^4 = \alpha + 1$, $\alpha^5 = \alpha^2 + \alpha$ and $\alpha^6 = \alpha^3 + \alpha^2$.
$$\begin{aligned}
A &= a_0 + a_1\alpha + a_2\alpha^2 + a_3\alpha^3 \\
\alpha A &= a_0\alpha + a_1\alpha^2 + a_2\alpha^3 + a_3\alpha^4 = a_3 + (a_0 + a_3)\alpha + a_1\alpha^2 + a_2\alpha^3 \\
\alpha^2 A &= a_0\alpha^2 + a_1\alpha^3 + a_2\alpha^4 + a_3\alpha^5 = a_2 + (a_2 + a_3)\alpha + (a_0 + a_3)\alpha^2 + a_1\alpha^3 \\
\alpha^3 A &= a_0\alpha^3 + a_1\alpha^4 + a_2\alpha^5 + a_3\alpha^6 = a_1 + (a_1 + a_2)\alpha + (a_2 + a_3)\alpha^2 + (a_0 + a_3)\alpha^3
\end{aligned}$$
The obtained matrix U, with the column vectors annotated on top (columns $[A]$, $[\alpha A]$, $[\alpha^2 A]$, $[\alpha^3 A]$ from left to right):
$$U = \begin{pmatrix}
a_0 & a_3 & a_2 & a_1 \\
a_1 & a_0 + a_3 & a_2 + a_3 & a_1 + a_2 \\
a_2 & a_1 & a_0 + a_3 & a_2 + a_3 \\
a_3 & a_2 & a_1 & a_0 + a_3
\end{pmatrix}$$
GAP Example 7.4.1(a) shows the setup and the matrix U obtained by the method MatrixUExpression. At the end of the example, the output of FFA_mult_matrixU( B, avec, bvec ) is shown: these are the expressions used for the hardware implementation. For example, to drive the multiplier output c_0, the expression a_0 b_0 + a_1 b_3 + a_2 b_2 + a_3 b_1 must be implemented in hardware. The subexpressions seen in matrix U, e.g., (a_0 + a_3), are not preserved in the list mult obtained by FFA_mult_matrixU: they are expanded into algebraic normal form (ANF). Subexpression elimination can in part be performed by the hardware synthesis tools.
Example 7.4.1(a)
gap> K := GF(2);; x := X(K, "x");; f := x^4+x+1;; F := FieldExtension(K, f);;
gap> PB := GeneratePB(F, RootOfDefiningPolynomial(F));; ChooseFieldElms(F);
variables
[ "a_0", "a_1", "a_2", "a_3" ] [ "b_0", "b_1", "b_2", "b_3" ]
[ "d_0", "d_1", "d_2", "d_3", "d_4", "d_5", "d_6" ]
gap> U := MatrixUExpression(PB, avec);;
gap> for i in U do Display(i); od;
[ a_0, a_3, a_2, a_1 ]
[ a_1, a_0+a_3, a_2+a_3, a_1+a_2 ]
[ a_2, a_1, a_0+a_3, a_2+a_3 ]
[ a_3, a_2, a_1, a_0+a_3 ]
gap> mult := FFA_mult_matrixU(PB, avec, bvec);;
gap> for i in mult do Display(i); od;
a_0*b_0+a_1*b_3+a_2*b_2+a_3*b_1
a_0*b_1+a_1*b_0+a_1*b_3+a_2*b_2+a_2*b_3+a_3*b_1+a_3*b_2
a_0*b_2+a_1*b_1+a_2*b_0+a_2*b_3+a_3*b_2+a_3*b_3
a_0*b_3+a_1*b_2+a_2*b_1+a_3*b_0+a_3*b_3
The exact same expressions for the multiplication can be obtained with the school-book two-step classic method, shown in Example 7.4.1(b). FFA_mult_2stepClassic( f, avec, bvec, "to" ) calls the method FFA_mult_convolution( vec1, vec2 ), followed by ReductionMatrixExpressionM( f, dexpr ). The latter two are shown in detail in Example C.3.2 in Appendix C.3.
Example 7.4.1(b)
gap> mult2sc := FFA_mult_2stepClassic(f, avec, bvec, "to");;
gap> for i in mult2sc do Display(i); od;
a_0*b_0+a_1*b_3+a_2*b_2+a_3*b_1
a_0*b_1+a_1*b_0+a_1*b_3+a_2*b_2+a_2*b_3+a_3*b_1+a_3*b_2
a_0*b_2+a_1*b_1+a_2*b_0+a_2*b_3+a_3*b_2+a_3*b_3
a_0*b_3+a_1*b_2+a_2*b_1+a_3*b_0+a_3*b_3
gap> mult = mult2sc;
true
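The matrix U procedure of steps 1 to 7 above, worked through for the field and polynomial basis of Example 7.4.1, as an added Python example. This is not FFCSA or GAP code: the function names, the monomial-set representation of expressions over GF(2), and the numeric spot checks are this example's own, and it is restricted to K = GF(2) with the basis {1, α, ..., α^{m-1}} (the tower-field bases of Example 7.4.2 are not covered). It builds U column by column as the coordinates of α^j A, derives the product expressions via equation (7.5), confirms they equal the two-step classic (convolution plus reduction) result as in Example 7.4.1(b), and obtains squaring, exponentiation and inversion (A^{|F|-2}) from the same matrix U products.

```python
"""Symbolic matrix-U arithmetic for GF(2^m) over a polynomial basis.

Added example (not FFCSA/GAP code): the function names, the monomial-set
representation and the numeric checks are this example's own.  It mirrors
MatrixUExpression, FFA_mult_matrixU, FFA_sq_matrixU, FFA_exp_matrixU and
FFA_inv_matrixU for K = GF(2) and the basis {1, alpha, ..., alpha^(m-1)}.
"""
from functools import reduce

# An expression over GF(2) is a frozenset of monomials; a monomial is a frozenset
# of variable names.  Because every a_i, b_i lies in GF(2), a_i^2 = a_i, so a
# monomial needs no exponents: the "reduce exponents modulo |K|-1" step of the
# text is built into the representation.
ZERO = frozenset()                  # the expression 0 (no monomials)
ONE = frozenset({frozenset()})      # the expression 1 (the empty monomial)

def var(name):
    return frozenset({frozenset({name})})

def add(p, q):
    return p ^ q                    # XOR of monomial sets: duplicate terms cancel

def mul(p, q):
    return reduce(add, (frozenset({m1 | m2}) for m1 in p for m2 in q), ZERO)

def sum_(terms):
    return reduce(add, terms, ZERO)

def to_str(expr):
    """Algebraic normal form in GAP's print order, e.g. a_0*b_0+a_1*b_3."""
    return "+".join(sorted("*".join(sorted(m)) or "1" for m in expr)) or "0"

def choose_field_elms(m, names=("a", "b")):
    """Symbolic coordinate vectors, like ChooseFieldElms: [a_0..a_{m-1}], [b_0..]."""
    return [[var(f"{n}_{i}") for i in range(m)] for n in names]

def times_alpha(vec, f):
    """Multiply coordinates w.r.t. {1, alpha, ..., alpha^(m-1)} by alpha and reduce
    alpha^m = sum_{k<m} f_k alpha^k.  f lists the defining polynomial's
    coefficients, lowest degree first, with f[m] == 1."""
    m = len(vec)
    out = [ZERO] + vec[:-1]                       # shift every coordinate up by one
    for k in range(m):
        if f[k]:
            out[k] = add(out[k], vec[-1])         # fold the alpha^m term back in
    return out

def matrix_u(f, avec):
    """U[i][j] = coordinate i of alpha^j * A, i.e. the columns [A], [alpha A], ...
    (the MatrixUExpression construction, equation (7.3) of the text)."""
    m = len(avec)
    cols = [avec]
    for _ in range(m - 1):
        cols.append(times_alpha(cols[-1], f))
    return [[cols[j][i] for j in range(m)] for i in range(m)]

def mult_matrix_u(f, avec, bvec):
    """c_i = sum_j U[i][j] * b_j, equation (7.5): the FFA_mult_matrixU expressions."""
    U = matrix_u(f, avec)
    m = len(avec)
    return [sum_(mul(U[i][j], bvec[j]) for j in range(m)) for i in range(m)]

def mult_2step_classic(f, avec, bvec):
    """School-book check: polynomial convolution, then reduce degrees >= m by f."""
    m = len(avec)
    d = [ZERO] * (2 * m - 1)
    for i in range(m):
        for j in range(m):
            d[i + j] = add(d[i + j], mul(avec[i], bvec[j]))
    for k in range(2 * m - 2, m - 1, -1):         # alpha^k = alpha^(k-m) * alpha^m
        for t in range(m):
            if f[t]:
                d[k - m + t] = add(d[k - m + t], d[k])
    return d[:m]

def exp_matrix_u(f, avec, e):
    """A^e by square-and-multiply; every step is a matrix-U product."""
    m = len(avec)
    result, base = [ONE] + [ZERO] * (m - 1), avec     # start from the element 1
    while e:
        if e & 1:
            result = mult_matrix_u(f, base, result)
        base = mult_matrix_u(f, base, base)          # squaring, as FFA_sq_matrixU
        e >>= 1
    return result

def inv_matrix_u(f, avec):
    """A^(-1) = A^(|F|-2) for A != 0 (the FFA_inv_matrixU approach)."""
    return exp_matrix_u(f, avec, 2 ** len(avec) - 2)

def eval_vec(exprs, **bits):
    """Evaluate expressions at concrete coordinates, e.g. eval_vec(c, a=[0,1,0,0], b=...)."""
    env = {f"{p}_{i}": v for p, vec in bits.items() for i, v in enumerate(vec)}
    return [sum(all(env[x] for x in mono) for mono in expr) % 2 for expr in exprs]

F16 = [1, 1, 0, 0, 1]   # f(x) = x^4 + x + 1 of Example 7.4.1, lowest degree first

if __name__ == "__main__":
    avec, bvec = choose_field_elms(4)
    for row in matrix_u(F16, avec):
        print([to_str(u) for u in row])
    mult = mult_matrix_u(F16, avec, bvec)
    for c in mult:
        print(to_str(c))
    print("matrix U == two-step classic:", mult == mult_2step_classic(F16, avec, bvec))
    print("inverse of alpha:", eval_vec(inv_matrix_u(F16, avec), a=[0, 1, 0, 0]))
```

Running the script reproduces the four rows of U and the four product expressions of Example 7.4.1(a) in the same ANF order GAP prints them; the numeric spot check evaluates the inversion expressions at A = α and returns the coordinates of α^3 + 1, which is α^{-1} since α(α^3 + 1) = α^4 + α = 1 under this f. Because a_i^2 = a_i is encoded in the monomial sets, the squaring expressions come out already reduced modulo |K| − 1 = 1, which is what ReduceMonomialsOverField does in the package.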
Example 7.4.2 Multiplication expressions for F_{((2^2)^2)^2}/F_{(2^2)^2} and F_{2^8}
This example is a continuation of Example 7.3.1. The input to the FFA_mult_matrixU method is the "per-level" polynomial basis B3, obtained for F_{((2^2)^2)^2}/F_{(2^2)^2}. It produces the expressions for the multiplication on the top level of the tower field F_{((2^2)^2)^2}/F_{(2^2)^2}. Note that ChooseFieldElms in the GAP code of Example 7.4.2(a,b) returns vectors of length 2, not 8. The multiplications in the expressions for the product need a multiplier from the lower level F_{(2^2)^2}/F_{2^2}. Just as in Example 7.4.1 above, the generalized algorithm (matrix U) produces the same expressions (Example 7.4.2(a)) as the two-step classic multiplication (Example 7.4.2(b)).
The matrix U methods are independent of the type of basis used. The examples so far have shown only polynomial bases (at different levels of the tower field). Example 7.4.2(c) shows the multiplication expressions obtained by using the tower-field basis TFB1 from Example 7.3.1. The same expressions would be obtained by first expressing the top-level multiplier expressions (Example 7.4.2(a)), then replacing every multiplication with the expressions obtained for the lower-level multiplier, being careful with the variables used, as shown in the decomposition in Figure 7.2. Note that new variables for the lower levels would have to be created manually.
Example 7.4.2(a)
gap> B3 := GeneratePB(F3, nu); ChooseFieldElms(F3);
Basis( AsField( AsField( GF(2^2), GF(2^4) ), GF(2^8) ), [ Z(2)^0, Z(2^8)^76 ] )
variables
[ "a_0", "a_1" ] [ "b_0", "b_1" ]
[ "d_0", "d_1", "d_2" ]
gap> multB3 := FFA_mult_matrixU(B3, avec, bvec);;
gap> for i in multB3 do Display(i); od;
a_0*b_0+Z(2^4)*a_1*b_1
a_0*b_1+a_1*b_0+Z(2^2)*a_1*b_1
gap> lambda^2*mu; lambda;
Z(2^4)
Z(2^2)
Example 7.4.2(b)
gap> mult2scB3 := FFA_mult_2stepClassic(f3, avec, bvec, "to");;
gap> for i in mult2scB3 do Display(i); od;
a_0*b_0+Z(2^4)*a_1*b_1
a_0*b_1+a_1*b_0+Z(2^2)*a_1*b_1
gap> multB3 = mult2scB3;
true
gap> IR := ReductionMatrixIR(f3);;
gap> for i in IR do Display((i)); od;
[ Z(2)^0, 0*Z(2), Z(2^4) ]
[ 0*Z(2), Z(2)^0, Z(2^2) ]
Example 7.4.2(c)
gap> ChooseFieldElms(GF(2^8));
variables
[ "a_0", "a_1", "a_2", "a_3", "a_4", "a_5", "a_6", "a_7" ]
[ "b_0", "b_1", "b_2", "b_3", "b_4", "b_5", "b_6", "b_7" ]
[ "d_0", "d_1", "d_2", "d_3", "d_4", "d_5", "d_6", "d_7", "d_8", "d_9", "d_10", "d_11", "d_12", "d_13", "d_14" ]
gap> TFB1 := GenerateTFBfromEDPLwithPB(edpl);
Basis( GF(2^8), [ Z(2)^0, Z(2^2), Z(2^4)^6, Z(2^4)^11, Z(2^8)^76, Z(2^8)^161, Z(2^8)^178, Z(2^8)^8 ] )
gap> multTFB := FFA_mult_matrixU(TFB1, avec, bvec);;
gap> for i in multTFB do Print(i,"\n"); od;
a_0*b_0+a_1*b_1+a_2*b_2+a_3*b_3+a_4*b_6+a_4*b_7+a_5*b_6+a_6*b_4+a_6*b_5+a_6*b_6+a_7*b_4+a_7*b_7
a_0*b_1+a_1*b_0+a_1*b_1+a_2*b_3+a_3*b_2+a_3*b_3+a_4*b_6+a_5*b_7+a_6*b_4+a_6*b_7+a_7*b_5+a_7*b_6+a_7*b_7
a_0*b_2+a_1*b_3+a_2*b_0+a_2*b_3+a_3*b_1+a_3*b_2+a_3*b_3+a_4*b_4+a_4*b_5+a_4*b_6+a_5*b_4+a_5*b_7+a_6*b_4+a_6*b_6+a_7*b_5+a_7*b_7
a_0*b_3+a_1*b_2+a_1*b_3+a_2*b_1+a_2*b_2+a_2*b_3+a_3*b_0+a_3*b_1+a_3*b_2+a_4*b_4+a_4*b_7+a_5*b_5+a_5*b_6+a_5*b_7+a_6*b_5+a_6*b_7+a_7*b_4+a_7*b_5+a_7*b_6+a_7*b_7
a_0*b_4+a_1*b_5+a_2*b_6+a_3*b_7+a_4*b_0+a_4*b_5+a_5*b_1+a_5*b_4+a_5*b_5+a_6*b_2+a_6*b_7+a_7*b_3+a_7*b_6+a_7*b_7
a_0*b_5+a_1*b_4+a_1*b_5+a_2*b_7+a_3*b_6+a_3*b_7+a_4*b_1+a_4*b_4+a_4*b_5+a_5*b_0+a_5*b_1+a_5*b_4+a_6*b_3+a_6*b_6+a_6*b_7+a_7*b_2+a_7*b_3+a_7*b_6
a_0*b_6+a_1*b_7+a_2*b_4+a_2*b_7+a_3*b_5+a_3*b_6+a_3*b_7+a_4*b_2+a_4*b_7+a_5*b_3+a_5*b_6+a_5*b_7+a_6*b_0+a_6*b_3+a_6*b_5+a_6*b_6+a_6*b_7+a_7*b_1+a_7*b_2+a_7*b_3+a_7*b_4+a_7*b_5+a_7*b_6
a_0*b_7+a_1*b_6+a_1*b_7+a_2*b_5+a_2*b_6+a_2*b_7+a_3*b_4+a_3*b_5+a_3*b_6+a_4*b_3+a_4*b_6+a_4*b_7+a_5*b_2+a_5*b_3+a_5*b_6+a_6*b_1+a_6*b_2+a_6*b_3+a_6*b_4+a_6*b_5+a_6*b_6+a_7*b_0+a_7*b_1+a_7*b_2+a_7*b_4+a_7*b_7
7.5 Summary of key insights
This brief passage is a recap and extension of Key 7.1 (the only key in Chapter 7). Since the FFCSA package falls into a very broad research area, the status of this package will remain X, i.e., partially solved.
The Finite Field Constructions, Search and Algorithms package (FFCSA) deals with field-defining polynomials, bases, transition matrices, multiplication matrices, and Hamming weights (complexities). It includes various primitives for exhaustive search. Examples include the search for normal elements, for optimal normal bases, and for primitive polynomials for LFSRs with a specified degree, number of taps, and coefficients. There is a variety of well-studied algorithms for implementing finite field arithmetic, and it is important to make good decisions early on, as this saves a lot of time and effort. Hence, the FFCSA package is very important in the early design stages of any hardware implementation involving finite field arithmetic. As this is a very broad research area, the package provides only basic functionality but will gradually be extended with more sophisticated algorithms. In terms of subexpression elimination, this package is not intended to compete with or replace synthesis tools.
Chapter 8
Case study: WG and WAGE
8.1 Case study: the WGcipher package . . . 112
8.2 Case study: the WAGE package . . . 116