Optimal Normal Basis Representation

Optimal Normal Basis Representation

For many values of m, the finite field F₂^m has an optimal basis representation as well as the polynomial representation described above. An optimal basis gives an alternative way of defining multiplication on the elements of a field. While optimal normal basis multiplication is less insightful than polynomial multiplication, it is in practice much more efficient.
Setup for Multiplication

Optimal normal basis representations are classified as either Type I or Type II. The value of m determines which type shall be used.

If F₂^m only has a type I ONB then let f(x) = x^m + x^m^-1 + ... + x² + x + 1. Otherwise, if F₂^m has a type II ONB then compute f(x) = f_m(x) using the following recursive formulae:
f₀(x) = 1,
f₁(x) = x + 1,
f_i+1(x) = xf_i(x) + f_i_-1(x), i = 1, ..., m.
At each stage, the coefficients of the polynomials f_i(x) are reduced modulo 2; hence f(x) is a polynomial of degree m with coefficients in F₂. The set of polynomials {x, x², x²², ..., x^2m-1} forms a basis of F₂^m over F₂, called a normal basis.
Construct the m by m matrix A whose i^th row, i = 0 ... m - 1, is the bit string corresponding to the polynomial x²ⁱ mod f(x). (The rows and columns of A are indexed by the integers from 0 to m - 1.) The entries of A are elements of F₂.
Determine the inverse matrix A^-1 of A over F₂.
Construct the m by m matrix T ' whose i^th row, i = 0 ... m - 1, is x x²ⁱ mod f(x). Then compute the matrix T = T ' A^-1 over F₂.
Determine the product terms l_ij, for i, j = 0 ... m - 1, as l_ij = T(j-i,-i). (T(g,h) denotes (g,h)-entry of T with indices reduced modulo m.) Each product term l_ij is an element of F₂. It should also be the case that l_0j = 1 for precisely one j, 0 <= j <= m - 1, and that for each i, 0 <= i <= m - 1, l_ij = 1 for precisely two distinct j, 0 <= j <= m - 1. Hence only 2m-1 of the m² entries of the matrix T are 1, the rest being 0. This scarcity of 1's is the reason that the normal basis is called an optimal normal basis.

Certicom is a trademark of the Certicom Corp. Copyright Certicom Corp. 1997. All rights reserved.

Comments or Questions about this site? Please contact info@certicom.ca

	Optimal Normal Basis Representation For many values of m, the finite field F₂^m has an optimal basis representation as well as the polynomial representation described above. An optimal basis gives an alternative way of defining multiplication on the elements of a field. While optimal normal basis multiplication is less insightful than polynomial multiplication, it is in practice much more efficient. Setup for Multiplication Optimal normal basis representations are classified as either Type I or Type II. The value of m determines which type shall be used. If F₂^m only has a type I ONB then let f(x) = x^m + x^m^-1 + ... + x² + x + 1. Otherwise, if F₂^m has a type II ONB then compute f(x) = f_m(x) using the following recursive formulae: f₀(x) = 1, f₁(x) = x + 1, f_i+1(x) = xf_i(x) + f_i_-1(x), i = 1, ..., m. At each stage, the coefficients of the polynomials f_i(x) are reduced modulo 2; hence f(x) is a polynomial of degree m with coefficients in F₂. The set of polynomials {x, x², x²², ..., x^2m-1} forms a basis of F₂^m over F₂, called a normal basis. Construct the m by m matrix A whose i^th row, i = 0 ... m - 1, is the bit string corresponding to the polynomial x²ⁱ mod f(x). (The rows and columns of A are indexed by the integers from 0 to m - 1.) The entries of A are elements of F₂. Determine the inverse matrix A^-1 of A over F₂. Construct the m by m matrix T ' whose i^th row, i = 0 ... m - 1, is x x²ⁱ mod f(x). Then compute the matrix T = T ' A^-1 over F₂. Determine the product terms l_ij, for i, j = 0 ... m - 1, as l_ij = T(j-i,-i). (T(g,h) denotes (g,h)-entry of T with indices reduced modulo m.) Each product term l_ij is an element of F₂. It should also be the case that l_0j = 1 for precisely one j, 0 <= j <= m - 1, and that for each i, 0 <= i <= m - 1, l_ij = 1 for precisely two distinct j, 0 <= j <= m - 1. Hence only 2m-1 of the m² entries of the matrix T are 1, the rest being 0. This scarcity of 1's is the reason that the normal basis is called an optimal normal basis.

	Certicom is a trademark of the Certicom Corp. Copyright Certicom Corp. 1997. All rights reserved.
		Comments or Questions about this site? Please contact info@certicom.ca