
I am trying to implement Elliptic Curve Cryptography on software in GF(2^m). To do this, I need to be able to solve a quadratic equation, namely $x^2 + x = c$.

After a lot of research, I know the following:

  • To solve this equation, I need the Trace of c to be 0. Tr(c) = $\sum_{i=0}^{m-1}$ $c^{2^{i}}$
  • After ensuring that Tr(c) = 0, and if m is odd, then the solution to the quadratic equation is given by the half trace, H(c) = $\sum_{i=0}^{\frac{m-1}{2}}$ $c^{2^{2i}}$
  • The above representation of the half trace and trace are in normal basis (and not polynomial basis)

I am used to working with polynomial representation, i.e.: a polynomial in GF(2^5) is represented as a string of 1's and 0's. e.g.: 10101 = $x^4 + x^2 + 1$

I searched around a lot to try and find a definition of the trace and the half trace in polynomial representation, but with no luck. So my only solution was to transform my element from polynomial to normal representation, compute the trace and the half trace, and then transform back my element to polynomial representation.

After doing some research, I found algorithms that would do this transformation; however, they require having the generator of the GF in both representations. I understand that the generator in a polynomial representation is such that it satisfies the condition given by the irreducible polynomial. e.g.: GF(2^3) with irreducible polynomial $x^3 + x + 1 = 0$, then the generator must satisfy $g^3 = g + 1$.

This is what I have so far. The bottom line is, if anyone can answer one of the two questions below, then my problem would be one step closer to being solved and I would really, really appreciate it:

  • What is the definition of a generator in normal basis?
  • Is there any other (easier) way to solve a quadratic equation in GF(2^m)?

Thank you.

RB12
  • The above formula for the half-trace works in any representation of the field - not just normal basis. Admittedly it is particularly handy when you are using a normal basis representation because you are just adding some (the even) cyclic shifts of $c$. If you are using a polynomial basis, then here's how to efficiently calculate the half-trace. Your basis elements are just $1,g,g^2,\ldots,g^{m-1}$. The half-trace is linear, so for a general element of your field $x=\sum_{i=0}^{m-1}b_ig^i$ with $b_i\in\{0,1\}$ you have $$H(x)=\sum_{i=0}^{m-1}b_i H(g^i).$$ – Jyrki Lahtonen Dec 02 '15 at 21:28
  • (cont'd) A way to take advantage of this is to build, once and for all, a look-up-table of the elements $H(g^i),i=0,1,\ldots,m-1$. This table needs $m\times m$ bits, which is a tiny amount in comparison to $2^m$. Recall that addition is bitwise XORing no matter which basis you use, so with the LUT in place calculating $H(x)$ takes at most $m$ bitwise XORs on $m$-bit registers. – Jyrki Lahtonen Dec 02 '15 at 21:31
  • (cont'd) Oh, and do calculate that LUT using either square-and-multiply to produce the terms, or (maybe even better?) build first another LUT consisting of the squares $g^{2i}, i=0,1,\ldots,m-1$ and take advantage of the fact that squaring can also be done term-by-term (the Freshman's dream at work). – Jyrki Lahtonen Dec 02 '15 at 21:34
  • @JyrkiLahtonen Thank you so much for your reply! Yes, I will definitely be building a look-up-table to solve this. However, I'm still a bit confused on how to compute the trace. Let's say I have a polynomial in GF(2^3), namely $x^2+x+1$ and I want to get its half trace. So first I have to transform it to normal representation, compute the half trace, and then take it back to polynomial representation. How would I go about this? Thanks again for your help. – RB12 Dec 03 '15 at 15:14
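
The following is an added Python example (not code from the asker or the commenters) that carries out the approach described in the question and the comments entirely in the polynomial basis: elements are integers whose bits are polynomial coefficients, the trace $\mathrm{Tr}(c)=\sum c^{2^i}$ and half-trace $H(c)=\sum c^{2^{2i}}$ are computed by repeated squaring, and a look-up table of $H(g^i)$ turns the half-trace into at most $m$ XORs. No basis change is needed. The field GF(2^5) with reduction polynomial $x^5+x^2+1$ is an assumption chosen for the example; the functions take `m` and `poly` as parameters so they also run on the GF(2^3) field from the question.

```python
# Added example: solving x^2 + x = c in GF(2^m) using only the polynomial basis.
# An element is an int whose bits are coefficients, e.g. 0b10101 = x^4 + x^2 + 1.
# Assumed (constructed) field for the demo: GF(2^5) = GF(2)[x] / (x^5 + x^2 + 1).
M = 5
POLY = 0b100101  # x^5 + x^2 + 1, irreducible over GF(2)


def gf_mul(a, b, m=M, poly=POLY):
    """Carry-less multiplication of a and b, reduced modulo poly (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:  # degree reached m: subtract (XOR) the reduction polynomial
            a ^= poly
    return r


def gf_sq(a, m=M, poly=POLY):
    """Squaring is just multiplication by itself (Frobenius map)."""
    return gf_mul(a, a, m, poly)


def trace(c, m=M, poly=POLY):
    """Tr(c) = sum_{i=0}^{m-1} c^(2^i), computed by repeated squaring. Result is 0 or 1."""
    t, s = 0, c
    for _ in range(m):
        t ^= s
        s = gf_sq(s, m, poly)
    return t


def half_trace(c, m=M, poly=POLY):
    """H(c) = sum_{i=0}^{(m-1)/2} c^(2^(2i)); requires m odd."""
    assert m % 2 == 1, "half-trace root formula needs odd m"
    h, s = 0, c
    for _ in range((m - 1) // 2 + 1):
        h ^= s
        s = gf_sq(gf_sq(s, m, poly), m, poly)  # next term is the 4th power
    return h


def build_half_trace_lut(m=M, poly=POLY):
    """Precompute H(g^i) for the basis elements 1, g, ..., g^(m-1): m words of m bits."""
    return [half_trace(1 << i, m, poly) for i in range(m)]


def half_trace_lut(c, lut):
    """H is GF(2)-linear, so H(c) is the XOR of lut[i] over the set bits of c."""
    h, i = 0, 0
    while c:
        if c & 1:
            h ^= lut[i]
        c >>= 1
        i += 1
    return h


def solve_quadratic(c, m=M, poly=POLY, lut=None):
    """Return the two roots (x, x+1) of x^2 + x = c, or None when Tr(c) = 1."""
    if trace(c, m, poly) != 0:
        return None  # no solution exists in GF(2^m)
    if lut is None:
        lut = build_half_trace_lut(m, poly)
    x = half_trace_lut(c, lut)
    return (x, x ^ 1)  # if x is a root, so is x + 1


def check_solution(x, c, m=M, poly=POLY):
    """Verify x^2 + x == c directly with field arithmetic."""
    return gf_sq(x, m, poly) ^ x == c


if __name__ == "__main__":
    lut = build_half_trace_lut()
    for c in range(1 << M):
        roots = solve_quadratic(c, lut=lut)
        if roots is not None:
            assert all(check_solution(x, c) for x in roots)
            print(f"c={c:05b}: roots {roots[0]:05b}, {roots[1]:05b}")
        else:
            print(f"c={c:05b}: Tr(c)=1, no root")
```

Running the same functions on the element $x^2+x+1$ of GF(2^3) with reduction polynomial $x^3+x+1$ (`trace(0b111, m=3, poly=0b1011)`) gives $\mathrm{Tr}=1$, so that particular equation has no root; `half_trace` still evaluates the sum, but it is only a root when the trace is 0.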
