1 of 56

Finite Field Implementations

A Study Club Talk

Algorithms for Fast Multiplication and Modular Reduction

2 of 56

If something isn’t clear, ask.

You can use the “raise hand” button or the chat window, but feel free to interrupt

3 of 56

Flashback… Intro to Finite Fields

4 of 56

Motivation

5 of 56

Why Finite Fields?

  • Finite fields are the basis for (almost) all math we do in cryptography
  • All operations in zero-knowledge proof systems are in finite fields
    • Digital circuits use boolean operations (AND, OR, NOT)
    • Arithmetic circuits use finite field operations (addition, multiplication, negation)

6 of 56

Implementations for Real Computers

  • Real computers don’t have finite field circuitry
    • ADD rax, rbx
    • MUL rax
    • SHR rax, CL
  • We need to build finite fields from these operations

7 of 56

Why is Speed Important?

  • Proving cost is one of the largest barriers to ZKP availability
  • Almost all of the proving time is spent on finite field operations
    • Reduce the number of field operations (e.g. more efficient NTT or MSM algorithms).
    • Make the field operations more efficient (e.g. by using optimized field representations).

8 of 56

Overview

In this study club we are going to talk about:

  • BigInts
  • Addition of BigInts
  • Multiplication of BigInts
  • Modular reduction (Barrett method)
  • Montgomery form
  • Multiplication and reduction (Montgomery method)
  • Additional methods for multiplication

9 of 56

Big Integers

A.k.a BigInt or Multiprecision Integers

10 of 56

BigInt

  • Real computers operator over words
    • Almost all modern computers use 64-bit words
    • 32-bit words are not completely gone
    • You never know what you will find in the IoT world…
  • Representing larger fields (e.g. 256 bits) is done by breaking it into words

11 of 56

BigInt

  • Commonly you might have a 256-bit number in 4x 64-bit words.
  • Let’s work with 8 (base-10) digit number and 4x 2-digit words.

12 of 56

BigInt

  • Commonly you might have a 256-bit number in 4x 64-bit words.
  • Let’s work with 8 (base-10) digit number and 4x 2-digit words.

13 of 56

BigInt Addition

14 of 56

BigInt Addition

15 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

16 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

17 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

18 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

19 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

20 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

21 of 56

BigInt Multiplication

22 of 56

BigInt Multiplication

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

23 of 56

BigInt Multiplication

24 of 56

Modular Reduction

  • Both addition and multiplication result in larger values
  • We want to reduce values back to their canonical representation

25 of 56

Modular Reduction

  • We will talk about two methods:
    • Barrett reduction
    • Montgomery multiplication and reduction
  • Montgomery multiplication and reduction is the most widely used
  • Barrett reduction is useful when you can’t change representations

26 of 56

Barrett Reduction

  • An obvious method for reduction is to use division
  • However, division is expensive and may not be constant time

From the Wikipedia (Barrett Reduction)

def reduce(u uint) uint {

q := u / N # Division implicitly returns the floor of the result.

return u - q * N # N is the modulus

}

27 of 56

Barrett Reduction

  • We can approximate division by the modulus (1/n) by (R/b^2n)
  • We can calculate the R value to be be used as b^2n/N

From the Wikipedia (Barrett Reduction)

def mostly_reduce(a uint) uint {

q := (u * R) >> 2*n # ">> 2*n" denotes bitshift by 2*n.

return u - q * N

}

28 of 56

Barrett Reduction

  • The result will be in the range [0, 3N)
  • In order to get the fully reduced result in [0, N), we may need to subtract n.

From the Wikipedia (Barrett Reduction)

def reduce(a uint) uint {

q := (u * R) >> 2*n

u -= q * N # Reduce to an approximate answer.

while u >= N { # Final few additions to get fully-reduced answer.

u -= N

}

return u

}

29 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

30 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

31 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

32 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

33 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

34 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

35 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

36 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

37 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

38 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

39 of 56

Montgomery Form

  • Montgomery Form is an alternative finite field representation.
  • It enables a fast combined multiplication and reduction algorithm.

40 of 56

Montgomery Form

  • So far we have represented finite field elements as:

  • Montgomery representation is defined as:

41 of 56

Montgomery Reduction

  • We’ll now define the Montgomery Reduction algorithm
  • Note that it does not calculate the same reduction as before

42 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

43 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

44 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

45 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

46 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

47 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

48 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

49 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

50 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

51 of 56

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

52 of 56

Montgomery Reduction

  • REDC is a very versatile formula
  • Converting from Classical to Montgomery:

  • Converting from Montgomery to Classical:

  • Multiplication

53 of 56

Montgomery Multiplication and Reduction

From the Handbook of Elliptic and Hyperelliptic Curve Cryptography

54 of 56

A Quick Comparison of Finite Field Multiplication

55 of 56

Additional Multiplication Methods

  • Multiplication was believed to have an asymptotic runtime of O(n^2)
  • Karatsuba discovered a divide-and-conquer method with runtime O(n^1.58)
  • Toom–Cook multiplication is similar and achieve slightly better results.
  • Schönhage–Strassen later discovered an NTT method with
  • Concretely slower until we get to large integers (e.g. in 4096-bit RSA keys)

56 of 56

Thanks for coming!

Feel free to ask any more questions!