1

I have been reading the paper on SNEIKEN and SNEIKHA authenticated encryption and cryptographic hashing when I came upon some interesting optimization that was used to perform field multiplcation in order to create 32-bit permutations.

As part of the encryption phase, the author uses two field multiplications to implement two separate 32-bit permutations.

For the decryption phase, the permutations are reversed by two field multiplications using inverse polynomials.

The field is defined over $F(x) = 2^{32} + 1$.

For encryption :

$permutation (word) = word * (x^{25} + x^{24} + 1)$

$permutation (word) = word * (x^{17} + x^{9} + 1)$

For decryption :

$permutation (word) = word * (x^{28} + x^{21} + x^{20} + x^{14} + x^{12} + x^{7} + x^{6} + x^{5} + x^{4})$

$permutation (word) = word * (x^{27} + x^{19} + x^{18} + x^{17} + x^{11} + x^{9} + x^{3} + x^{2} + 1)$

All seems pretty straight forward and until I reach the part of implementation.

The field multiplies are implemented as a series of rotations and xors :

Encryption :

$permutation (word) = rotl (word , 25) \oplus rotl (word , 24) \oplus rotl (word , 0)$

. . .

Each of the four multiplications are implemented as above where the terms of each field polynomial represent the number of bits to rotate the word from right to left.

I am unable to see how one goes from field multiplication of polynomials to rotation and xor.

Is there something specific about the field chracteristic $F(x) = 2^{32} + 1$ that enables this or is this a more general thing related to field multiplcation?

What is the reasoning/math behind this implementation?

Note : The section in the specification link where this is discussed is on 11.

hardyrama
  • 2,288
  • 1
  • 17
  • 41
cookiecipher
  • 359
  • 1
  • 8

1 Answers1

4

This is arithmetic in the finite ring of polynomials with binary coefficients reduced modulo the polynomial $x^{32}+1$. It's not a field, because the polynomial $x^{32}+1$ is not irreducible#.

This ring has $2^{32}$ elements, which we can consider either as polynomials of degree less than 32 with binary coefficients, or as 32-bit bitstrings, or as integers in $[0,2^{32}-1)$ per the convention that we replace $x$ with the integer 2 to obtain the integer corresponding to a polynomial, e.g. $x^6+1$ is the integer 65 or 41h.

With this representation, ring addition is simply bitwise XOR of bitstrings, or operator ^ in languages like C with support of bitwise arithmetic.

Mutiplication is per polynomial arithmetic with binary coefficients, followed by polynomial reduction modulo the polynomial $x^{32}+1$. To perform that reduction, we can simply take the exponents modulo $32$ (then simplify terms of the same order). Using the representation as bitstrings or integers, multiplying by $x^k$ is thus left rotation of a 32-bit word by $k$ bits.

Thus multiplication by $P_{252400}(x)=(x^{25}+x^{24}+1)$ can be coded in C as:

#include <stdint.h> // brings portable unsigned 32-bit type uint32_t

// 32-bit left rotation
inline uint32_t rotl32(uint32_t p, int k) { return p<<k | p>>(32-k); }


// multiplication by x^25 + x^24 + 1 modulo x^32 + 1 
inline uint32_t mul252400(uint32_t p) { return rotl32(p,25) ^ rotl32(p,24) ^ p; }

# Notice that $x^{32}+1=(x+1)^{32}$ in the (infinite) ring of polynomials with binary coefficients.

fgrieu
  • 149,326
  • 13
  • 324
  • 622