Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Itoh–Tsujii inversion algorithm
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
While the algorithm is often called the Itoh-Tsujii algorithm, it was first presented by Feng.<ref>{{cite journal |title=A VLSI architecture for fast inversion in {{math|GF(2<sup>''m''</sup>)}}|journal=[[IEEE Transactions on Computers]] |volume=38 |issue=10 |pages=1383–1386 |date=1989 |first=Gui-Liang |last=Feng}}</ref> Feng's paper was received on March 13, 1987 and published in October 1989. Itoh and Tsujii's paper was received on July 8, 1987 and published in 1988.<ref>{{cite journal |journal=[[Information and Computation]]|volume=78 |pages=171–177 |date=1988 |first1=Toshiya |last1=Itoh|first2=Shigeo |last2=Tsujii |title=A fast algorithm for computing multiplicative inverses in {{math|GF(2<sup>''m''</sup>)}} }}</ref> Feng and Itoh-Tsujii algorithm is first used to invert elements in [[finite field]] {{math|GF(2<sup>''m''</sup>)}} using the [[normal basis]] representation of elements, however, it is generic and can be used for other bases, such as the [[polynomial basis]]. It can also be used in any finite field {{math|GF(''p''<sup>''m''</sup>)}}. The algorithm is as follows: : '''Input''': ''A'' ∈ GF(''p''<sup>''m''</sup>) : '''Output''': ''A''<sup>−1</sup> :# ''r'' ← (''p''<sup>''m''</sup> − 1)/(''p'' − 1) :# compute ''A''<sup>''r''−1</sup> in GF(''p''<sup>''m''</sup>) :# compute ''A''<sup>''r''</sup> = ''A''<sup>''r''−1</sup> · ''A'' :# compute (''A''<sup>''r''</sup>)<sup>−1</sup> in GF(''p'') :# compute ''A''<sup>−1</sup> = (''A''<sup>''r''</sup>)<sup>−1</sup> · ''A''<sup>''r''−1</sup> :# return ''A''<sup>−1</sup> This algorithm is fast because steps 3 and 5 both involve operations in the subfield GF(''p''). Similarly, if a small value of ''p'' is used, a lookup table can be used for inversion in step 4. The majority of time spent in this algorithm is in step 2, the first exponentiation. This is one reason why this algorithm is well suited for the normal basis, since squaring and exponentiation are relatively easy in that basis. This algorithm is based on the fact that {{math|GF(''p''<sup>''m''</sup>)<sup>*</sup>}} is a cyclic group of order {{math|''p''<sup>''m''</sup>-1}}. Given a nonzero element {{math|''A''}} in [[finite field]] {{math|GF(2<sup>''m''</sup>)}}, we have <math display="block"> A^{-1}=A^{2^m-2}=A^{2^{m-1}} \cdot A^{2^{m-2}} \cdot A^{2^{m-3}} \cdots A^{2^{2}} \cdot A^{2^{1}}=\prod_{i=1}^{m-1}{A^{2^i}}. </math> The above {{math|''A''<sup>−1</sup>}} expression itself is close to that of the multiplicative Norm function in [[finite field]], which is defined as <math display="block"> Norm(A)=\prod_{i=0}^{m-1}{A^{2^i}}. </math> This viewpoint leads us to consider the additive absolute Trace function <ref>{{cite web |url=http://eprint.iacr.org/2020/482.pdf |title=A Trace Based {{math|GF(2<sup>''n''</sup>)}} Inversion Algorithm |access-date=Jan 10, 2025 |archive-url=http://eprint.iacr.org/2020/482 |first1=Haining|last1=Fan |archive-date=May 6, 2020 }}</ref> , which is defined as <math display="block"> Tr(A)=\sum_{i=0}^{m-1}{A^{2^i}}. </math> If {{math|''Tr''(''A'')}}=0, then we have <math display="block"> A=\sum_{i=1}^{m-1}{A^{2^i}} </math> and can express {{math|''A''<sup>−1</sup>}} as <math display="block"> A^{-1}=A^{-2}\sum_{i=1}^{m-1}{A^{2^i}}=\sum_{i=1}^{m-1}{A^{2^i-2}}=\sum_{j=0}^{m-2}{(A^2)^{2^{j}-1}}. </math> In some {{math|GF(2<sup>''m''</sup>)}}s, for example, {{math|GF(2<sup>8</sup>)}} used in [[Advanced Encryption Standard]] (AES), this formula needs 1 less multiplication operation than Feng and Itoh-Tsujii algorithm for elements with Trace value 0: because <math display="block"> 0=Tr(A)=A+A^2+A^4+A^8+A^{16}+A^{32}+A^{64}+A^{128}, </math> we have <math display="block"> A=A^2+A^4+A^8+A^{16}+A^{32}+A^{64}+A^{128} </math> and <math display="block"> A^{-1}=1+A^2+A^6+A^{14}+A^{30}+A^{62}+A^{126}=1+ \{(A+A^3+A^7)+[(A+A^{3}+A^{7})^8A^7] \}^2. </math> This additive formula needs 3 multiplications, 4 additions and 6 squarings. But the multiplicative formula <math display="block"> A^{-1}=A^{254}=A^2A^4A^8A^{16}A^{32}A^{64}A^{128}=\{ A(A \cdot A^2A^4)^2 (A \cdot A^2A^4)^{16} \}^2 </math> needs 4 multiplications and 7 squarings. == See also == * [[Finite field arithmetic]] ==References== {{reflist}} <!-- ==External links== * [http://www.win.tue.nl/~henkvt/ItohTsujiiEnciclopediaOfInfoSec-Submitted.pdf A thorough discussion of the Itoh-Tsujii algorithm by Guajardo] --> {{DEFAULTSORT:Itoh-Tsujii inversion algorithm}} [[Category:Finite fields]] [[Category:Computational number theory]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Cite journal
(
edit
)
Template:Cite web
(
edit
)
Template:Math
(
edit
)
Template:Reflist
(
edit
)