An Improvement of Cyclic Vector Multiplication Algorithm

This paper first introduces the cyclic vector multiplication algorithm (CVMA), a multiplication algorithm in extension fields, and shows that CVMA is useful under the tight parameter restrictions of pairing-based cryptography. It then points out a problem with the calculation cost of CVMA and proposes an improvement for it. Simulation results show that the improvement makes CVMA much more efficient.


Introduction
Pairing-based cryptographic applications such as ID-based cryptography (Boneh et al., 2001) and group signature authentication (Nakanishi & Funabiki, 2005) have received much attention. Such an application needs a pairing-friendly elliptic curve and arithmetic operations in a certain extension field. The extension degree is especially called the embedding degree. In general, corresponding to the pairing-friendly curve, the characteristic p is restricted so as to satisfy a certain condition and m is fixed to a certain positive integer. For example, the Barreto-Naehrig (BN) curve (Barreto & Naehrig, 2005) and the Freeman curve (Freeman, 2006) are well-known pairing-friendly curves. In the case of the BN curve, the characteristic p needs to be given with an integer χ as in (1) and m is fixed to 12. In the case of the Freeman curve, p is given by (2) and the embedding degree m is fixed to 10. In order to make those cryptographic applications practical, the definition field needs to have fast arithmetic operations, especially multiplication. However, some of these restrictions conflict with the conditions for fast arithmetic operations. Optimal extension field (OEF) (Bailey & Paar, 1998) has fast arithmetic operations and is widely used (Devegili et al., 2007). Since OEF uses Karatsuba-based polynomial multiplication and an irreducible binomial as the modular polynomial, a multiplication in OEF is efficiently carried out. However, in order to construct an OEF, each prime factor of m needs to divide p - 1. This is a critical condition for the Freeman curve, for example, because the characteristic p of the Freeman curve is given by Eq. (2) and thus can never satisfy it. On the other hand, a type-<k,m> Gauss period normal basis (GNB) can be easily prepared whenever 4p does not divide m(p - 1) (Kato et al., 2007). As previously introduced, m is much smaller than p; therefore this condition is always satisfied. In addition, the authors have proposed an efficient multiplication algorithm using GNB (Kato et al., 2007), called the cyclic vector multiplication algorithm (CVMA). In the previous work (Kato et al., 2007), CVMA is quite efficient when m is small, as in pairing-based cryptographic applications. However, the calculation cost of CVMA becomes worse as k becomes larger. As shown in (Kato et al., 2007), in most cases k is small, within 5, but it sometimes becomes large. In this paper, a symmetric feature that appears in the calculation of CVMA is first introduced. Then, based on this feature, an improvement of CVMA is proposed. Simulation results show that the improved CVMA efficiently carries out a multiplication in the extension field even if the parameter k is large.

Throughout this paper, p and m denote the characteristic and the extension degree, respectively, of the m-th extension field over F_p, where p is a prime number. Without any additional explanation, lower and upper case letters show elements in the prime field and the extension field, respectively, and a Greek letter shows a zero of the modular polynomial. In this paper, a subtraction in F_p is counted as an addition in F_p. M_1, A_1 and D_1 denote the calculation costs of a multiplication, an addition and a doubling in F_p, respectively.

Fundamentals
This section briefly reviews the Gauss period normal basis and the cyclic vector multiplication algorithm (CVMA), and then points out a problem with CVMA.

Gauss period normal basis
A type-<k,m> Gauss period normal basis is defined with an integer k as follows (Gao, 1993).

Definition 1. Let km + 1 be a prime number not equal to p and suppose that gcd(km/e, m) = 1, where e is the order of p modulo km + 1. Then, for any primitive k-th root θ of unity in F_{km+1}, (3) generates a normal basis of the m-th extension field over F_p, where β is a (km + 1)-st root of unity over F_p. This normal basis Eq. (3) is called a type-<k,m> Gauss period normal basis. ■

For an arbitrary extension degree m, there are infinitely many k's such that km + 1 is a prime number; this is well known as Dirichlet's theorem on arithmetic progressions (Apostol, 1976). Moreover, when p is odd and 4p does not divide m(p - 1), it is known that a type-<k,m> Gauss period normal basis with a certain integer k always exists for an arbitrary pair of p and m (Gao, 1993).

TypeI-X GNB and CVMA
The authors have shown a multiplication algorithm with typeI-X Gauss period normal basis called the cyclic vector multiplication algorithm (CVMA) (Kato et al., 2007). Fig. 1 shows CVMA with a typeI-X GNB in the m-th extension field over F_p. In the algorithm of Fig. 1, <x> denotes x mod (km + 1). The calculation cost of CVMA is given by (4), where M_1 and A_1 denote the calculation costs of a multiplication and an addition in F_p, respectively. Different from OEF (optimal extension field), which restricts the characteristic p and extension degree m (Bailey & Paar, 1998)¹, our proposed multiplication algorithm, CVMA, is widely applicable since it is based on the Gauss period normal basis (Kato et al., 2007). Especially, CVMA is efficient when the extension degree m is small.

Fig. 1. CVMA with typeI-X Gauss period normal basis in the m-th extension field over F_p

A problem in conventional CVMA
As shown in Eq. (4), the calculation cost of CVMA depends on the integer k. In general, A_1 is much smaller than M_1; however, if k is large, the addition cost is not negligible. As shown in our previous work (Kato et al., 2007), the minimal integer k that satisfies the conditions for a typeI-X Gauss period normal basis tends to be small, within 5, but sometimes becomes large. When we can freely set the parameters p and m such that the corresponding minimal integer k becomes small, this is not a critical problem. However, when these parameters are restricted as in pairing-based cryptography, CVMA no longer has this option. Thus, for such a case, this paper shows an improvement of CVMA.

Improvement of CVMA
This section shows an improvement of CVMA by which the number of F_p-additions needed for a multiplication in the extension field with CVMA is efficiently reduced.

Pre-Computation
According to the original CVMA in Fig. 1, the temporary data M_ij shown at Step 3 of the procedure is prepared corresponding to i and j. Then, at Step 5, it is added to k coefficients among q[l], 0 ≤ l ≤ m.

The k coefficients to which the temporary data M_ij is added are determined not only by i and j but also by p and m, so they can be computed in advance. In order to explain the basic idea, let us consider the following simple example. Let (p, m, k) be (41, 3, 6), and let X and Y be elements of the extension field represented in this basis. Suppose that not only x_0 y_0, x_1 y_1, x_2 y_2 but also M_01, M_02, M_12 have been calculated as the temporary values; then we need to calculate q[0], q[1], q[2], and q[3]. In this case, those temporary values are used as in Eqs. (6). Note that M_01, M_02, and M_12 are the temporary values defined at Step 3 of Fig. 1. In our previous work (Kato et al., 2007), it has been shown that q[0] becomes 0 when k is even. As shown in Eqs. (6), six M_01's in total are added to q[1], q[2], and q[3]. M_02's and M_12's are similarly added to q[1], q[2], and q[3]. Thus, the number of additions increases as k becomes larger. Based on Eqs. (6), consider the m × mC2 matrix of Eq. (8), with m rows and one column per pair (i, j), i < j, given from the coefficients related to k. As shown in Eq. (8), finite field theory often demonstrates such a symmetric feature. Such a matrix can be computed in advance because it only depends on p, m, and k. In what follows, we consider how to reduce the number of such additions.

Improvement with tree structure
Eq. (8) can be decomposed as Eq. (9). The decomposed equation also has the symmetric feature. Then, consider C_101, C_011, and C_110, whose lower suffixes correspond to the column vectors of the first matrix of the right-hand side of Eq. (9), and thus they are led from Eq. (9). Using C_101, C_011, and C_110, q[1], q[2], and q[3] are calculated by Eqs. (11). Though Eqs. (6) need 18 additions, Eqs. (11) need only 12 additions. This example is one of the most efficient cases. However, since the lower suffixes are efficiently controlled with a tree structure, this technique can be widely applied to more general cases. In other words, using the tree structure, q[0] to q[m] are systematically recomposed from temporarily calculated values such as C_110, C_101, and C_011.
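As an added worked example (not the paper's own code), the following Python recomputes, from Definition 1, the coefficient matrix described in the pre-computation section for (p, m, k) = (41, 3, 6), and counts F_p-additions with and without the shared partial sums C_101, C_011, C_110 of the tree-structure section. Since Eqs. (8), (9) and (11) are not reproduced here, the rebuild of the matrix from the cosets, the 0/1 suffix convention and the rows B_OVER_C are assumptions chosen to match the paper's stated counts of 18 and 12; the functions work for any (p, m, k) that gives a type-<k,m> GNB, not only this case.

```python
# Added example (not the paper's code): rebuild the m x mC2 matrix of cross-term
# coefficients from the Gauss-period definition and count additions as the paper does.
from itertools import combinations

def gnb_cosets(p, m, k):
    """Cosets p^i K (i = 0..m-1) of K, the order-k subgroup of Z_n^*, n = km+1.
    Basis element gamma_i of the type-<k,m> GNB is the sum of beta^a over a in p^i K."""
    n = k * m + 1
    K = [a for a in range(1, n) if pow(a, k, n) == 1]         # k-th roots of unity mod n
    cosets = [frozenset(pow(p, i, n) * a % n for a in K) for i in range(m)]
    assert len(K) == k and len(set().union(*cosets)) == n - 1, "not a type-<k,m> GNB"
    return n, cosets

def cross_term_matrix(p, m, k):
    """Entry [l][c]: how many times M_ij (column c = pair (i,j), i<j) is added into
    q[l+1]. It is the coefficient of gamma_l in gamma_i*gamma_j, i.e.
    #{(a,b) in p^i K x p^j K : a+b in p^l K} / k (uniform on the coset by K-invariance)."""
    n, cosets = gnb_cosets(p, m, k)
    coset_of = {a: l for l, cs in enumerate(cosets) for a in cs}
    pairs = list(combinations(range(m), 2))
    mat = [[0] * len(pairs) for _ in range(m)]
    for c, (i, j) in enumerate(pairs):
        for a in cosets[i]:
            for b in cosets[j]:
                s = (a + b) % n
                if s:                          # s == 0 would be a constant (q[0]) term
                    mat[coset_of[s]][c] += 1
        for l in range(m):
            assert mat[l][c] % k == 0
            mat[l][c] //= k
    return mat

def additions(coeff_rows, shared=()):
    """Paper's counting: a term with coefficient c costs c additions. Without sharing,
    coeff_rows is the matrix itself. With sharing, coeff_rows is over partial sums C_t
    whose 0/1 suffix vectors over the M_ij columns are given in 'shared'."""
    forming = sum(sum(v) - 1 for v in shared)  # additions spent building each C_t
    return forming + sum(map(sum, coeff_rows))

def recompose(coeff_rows, shared):
    """Expand q = B*(A*M) back to coefficients over the M_ij, to check a decomposition."""
    return [[sum(r[t] * v[c] for t, v in enumerate(shared)) for c in range(len(shared[0]))]
            for r in coeff_rows]

# Worked case from the paper; M-columns ordered (M_01, M_02, M_12). Expected matrix:
# [[1, 2, 3], [2, 3, 1], [3, 1, 2]] -- each column sums to k = 6, cyclically shifted.
MAT_41_3_6 = cross_term_matrix(41, 3, 6)
SHARED = [(1, 0, 1), (0, 1, 1), (1, 1, 0)]      # C_101 = M_01 + M_12, C_011, C_110 (assumed)
B_OVER_C = [[1, 2, 0], [0, 1, 2], [2, 0, 1]]    # q[1] = C_101 + 2*C_011, etc. (assumed)
```

The cyclic shift between columns is the Frobenius symmetry gamma_i^p = gamma_{i+1}; the count 18 = mC2 * k is what the paper attributes to the original Step 5, and 12 is the shared-sum count of Eqs. (11).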

Simulation
In order to show the efficiency of the improvement, this section simulates the improved CVMA with some practical parameter settings.

Parameter settings
This section considers a more practical case. Since pairing-based cryptography often uses a 158-bit characteristic p and extension degree m = 6, for the simulation we consider m = 6 and the p given in (12). In this case, the minimal k that satisfies the conditions for the existence of a typeI-X Gauss period normal basis in the extension field is 12. Noting that k is even as in the preceding example, consider q[1] to q[6] in this case. Then, the m × mC2 matrix becomes (13), and in this case it is decomposed as Eq. (14).

Simulation result
Let the characteristic p be a 158-bit prime. Table 1 shows the calculation costs and simulation results of the original CVMA for some pairs of extension degree m and k, and Table 2 shows those of the improved CVMA. The simulation results show that the improved CVMA is more efficient than the original.

Conclusion
This paper has first introduced the cyclic vector multiplication algorithm (CVMA), a multiplication algorithm in extension fields, and has shown that CVMA is useful under the tight parameter restrictions of pairing-based cryptography. It then pointed out a problem with the calculation cost of CVMA and proposed an improvement for it. Simulation results showed that the improvement makes CVMA much more efficient.

Table 2. Timing of a multiplication with CVMA

¹ Consider the class of Gauss period normal bases of which the order e shown in Def. 1 is km + 1. When k is equal to 1, it is the typeI optimal normal basis (Cohen & Frey, 2005); thus in what follows we call this class of Gauss period normal basis typeI-X (typeI eXtended) GNB.

Table 1. Calculation cost of CVMA