Misplaced Pages

Itoh–Tsujii inversion algorithm

Article snapshot taken from[REDACTED] with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.

While the algorithm is often called the Itoh-Tsujii algorithm, it was first presented by Feng. Feng's paper was received on March 13, 1987 and published in October 1989. Itoh and Tsujii's paper was received on July 8, 1987 and published in 1988.

Feng and Itoh-Tsujii algorithm is first used to invert elements in finite field GF(2) using the normal basis representation of elements, however, it is generic and can be used for other bases, such as the polynomial basis. It can also be used in any finite field GF(p).

The algorithm is as follows:

Input: A ∈ GF(p)
Output: A
  1. r ← (p − 1)/(p − 1)
  2. compute A in GF(p)
  3. compute A = A · A
  4. compute (A) in GF(p)
  5. compute A = (A) · A
  6. return A

This algorithm is fast because steps 3 and 5 both involve operations in the subfield GF(p). Similarly, if a small value of p is used, a lookup table can be used for inversion in step 4. The majority of time spent in this algorithm is in step 2, the first exponentiation. This is one reason why this algorithm is well suited for the normal basis, since squaring and exponentiation are relatively easy in that basis.

This algorithm is based on the fact that GF(p) is a cyclic group of order p-1. Given a nonzero element A in finite field GF(2), we have A 1 = A 2 m 2 = A 2 m 1 A 2 m 2 A 2 m 3 A 2 2 A 2 1 = i = 1 m 1 A 2 i . {\displaystyle A^{-1}=A^{2^{m}-2}=A^{2^{m-1}}\cdot A^{2^{m-2}}\cdot A^{2^{m-3}}\cdots A^{2^{2}}\cdot A^{2^{1}}=\prod _{i=1}^{m-1}{A^{2^{i}}}.}

The above A expression itself is close to that of the multiplicative Norm function in finite field, which is defined as N o r m ( A ) = i = 0 m 1 A 2 i . {\displaystyle Norm(A)=\prod _{i=0}^{m-1}{A^{2^{i}}}.}

This viewpoint leads us to consider the additive absolute Trace function , which is defined as T r ( A ) = i = 0 m 1 A 2 i . {\displaystyle Tr(A)=\sum _{i=0}^{m-1}{A^{2^{i}}}.}

If Tr(A)=0, then we have A = i = 1 m 1 A 2 i {\displaystyle A=\sum _{i=1}^{m-1}{A^{2^{i}}}} and can express A as A 1 = A 2 i = 1 m 1 A 2 i = i = 1 m 1 A 2 i 2 = j = 0 m 2 ( A 2 ) 2 j 1 . {\displaystyle A^{-1}=A^{-2}\sum _{i=1}^{m-1}{A^{2^{i}}}=\sum _{i=1}^{m-1}{A^{2^{i}-2}}=\sum _{j=0}^{m-2}{(A^{2})^{2^{j}-1}}.}

In some GF(2)s, for example, GF(2) used in Advanced Encryption Standard (AES), this formula needs 1 less multiplication operation than Feng and Itoh-Tsujii algorithm for elements with Trace value 0: because 0 = T r ( A ) = A + A 2 + A 4 + A 8 + A 16 + A 32 + A 64 + A 128 , {\displaystyle 0=Tr(A)=A+A^{2}+A^{4}+A^{8}+A^{16}+A^{32}+A^{64}+A^{128},} we have A = A 2 + A 4 + A 8 + A 16 + A 32 + A 64 + A 128 {\displaystyle A=A^{2}+A^{4}+A^{8}+A^{16}+A^{32}+A^{64}+A^{128}} and A 1 = 1 + A 2 + A 6 + A 14 + A 30 + A 62 + A 126 = 1 + { ( A + A 3 + A 7 ) + [ ( A + A 3 + A 7 ) 8 A 7 ] } 2 . {\displaystyle A^{-1}=1+A^{2}+A^{6}+A^{14}+A^{30}+A^{62}+A^{126}=1+\{(A+A^{3}+A^{7})+\}^{2}.}

This additive formula needs 3 multiplications, 4 additions and 6 squarings.

But the multiplicative formula A 1 = A 254 = A 2 A 4 A 8 A 16 A 32 A 64 A 128 = { A ( A A 2 A 4 ) 2 ( A A 2 A 4 ) 16 } 2 {\displaystyle A^{-1}=A^{254}=A^{2}A^{4}A^{8}A^{16}A^{32}A^{64}A^{128}=\{A(A\cdot A^{2}A^{4})^{2}(A\cdot A^{2}A^{4})^{16}\}^{2}} needs 4 multiplications and 7 squarings.

See also

References

  1. Feng, Gui-Liang (1989). "A VLSI architecture for fast inversion in GF(2)". IEEE Transactions on Computers. 38 (10): 1383–1386.
  2. Itoh, Toshiya; Tsujii, Shigeo (1988). "A fast algorithm for computing multiplicative inverses in GF(2)". Information and Computation. 78: 171–177.
  3. Fan, Haining. "A Trace Based GF(2) Inversion Algorithm". Archived from the original (PDF) on May 6, 2020. Retrieved Jan 10, 2025.
Categories:
Itoh–Tsujii inversion algorithm Add topic