Table of Low-Weight Binary Irreducible Polynomials Gadiel Seroussi Computer Systems Laboratory HPL-98-135 August, 1998 finite fields, A table of low-weight irreducible polynomials over the irreducible finite field F2 is presented. For each integer n in the polynomials range 2 = n = 10,000, a binary irreducible polynomial f(x) of degree n and minimum posible weight is listed. Among those of minimum weight, the polynomial listed is such that the degree of f(x) – xn is lowest (similarly, subsequent lower degrees are minimized in case of ties). All the polynomials listed are either trinomials or pentanomials. The general question of whether an irreducible polynomial of weight at most 5 (or any other fixed odd weight w = 5) exists for every value of n is an open one. Low-weight irreducibles are useful when implementing the arithmetic of the finite n field F2 ), as the number of operations in the reduction of the product of two polynomials of degree n – 1 modulo an irreducible of degree n and weight w is proportional to (w – 1)n. Internal Accession Date Only Ó Copyright Hewlett-Packard Company 1998 1 Background Large nite elds are useful in the implementation of cryptographic proto cols, and in par- ticular in elliptic curve cryptography. Typical choices of elds include F , realized as the p n integers mo dulo a prime p, and F , often realized as the set of p olynomials of degree at 2 most n 1 in F [x], mo dulo an irreducible p olynomial f x 2 F [x] of degree n. It is the 2 2 latter case that motivates this note. n , all choices of From an algebraic point of view, for the purp ose of implementing F 2 irreducible f for a given n are equivalent. However, cho osing f of low weight number of n nonzero co ecients can lead to more ecient implementation of the arithmetic of F ,asthe 2 complexityof reducing a p olynomial of degree 2n 2 mo dulo f is prop ortional to w 1n, where w denotes the weightoff . For n>1, the lowest p ossible weightisw =3,i.e., f b eing a trinomial. The existence, distribution and other prop erties of irreducible trinomials over F have b een extensively studied in the literature. In particular, it follows from a theorem 2 of Swan [5] that irreducible trinomials do not exist for n 0 mo d 8, and that they are rather scarce when n 3 or 5 mo d 8; see also [1],[3], and references therein. The tables in [2] show that up to n =5; 000, irreducible trinomials exist for slightly over one half of the values of n. When an irreducible trinomial of degree n do es not exist, the next best choice is a pentanomial, e.g., w =5. In the app endix, we present a table of low-weight binary irreducible p olynomials of degree n in the range 2 n 10; 000. For each degree n in that range, an irreducible trinomial is listed if one exists; otherwise an irreducible p entanomial was always found and is listed. The table contains 5; 148 trinomials and 4; 851 p entanomials. In fact, there is no known value of n for which an irreducible p olynomial of weight w 5 do es not exist. The general question, however, is op en for any xed odd weight w>3. The following heuristic argument would seem to reinforce the exp ectation that values of n for which irreducible p entanomials do not exist, if any,must b e rare. The probability of a random p olynomial of degree n being irreducible is roughly 1=n [3]. The number of pentanomials 3 of degree n with constant co ecient equal to one is of the order of n . Therefore, if the density of irreducibles among p entanomials is anywhere near their density among arbitrary p olynomials of degree n, then the likeliho o d of nding an irreducible p entanomial of degree n should be very high. A similar argument for trinomials pits a probability of 1=n against anumber of trinomials of the order of n. n j The table in the app endix is organized a follows: A trinomial x + x +1, n>j > 0, is n j j j 1 2 3 represented by the pair n; j . Apentanomial x + x + x + x +1, with n> j >j >j > 0, 1 2 3 is represented by the quadruple n; j ;j ;j . Polynomials are listed in increasing order of n, 1 2 3 going in each page from left to right rst and top to b ottom next. When a trinomial is listed, it has the lowest value j among all irreducible trinomials of the same degree. For pentanomials, the rst irreducible in alphab etical order of j ;j ;j is listed i.e., lowest j , 1 2 3 1 then lowest j , then lowest j . 2 3 1 It should b e noted that for all p entanomials listed, the value of j is quite low, whichhas 1 some other implementation advantages. The maximum value of j for pentanomials in the 1 table is j =56 for n = 9760. In fact, the value of j for most pentanomials in the table is 1 1 quite close to and below the real solution t to the equation n = tt 1t2=6, consistent with the heuristic argument ab ove. For n =10; 000, we have t 40. The p olynomials in the table were generated with a C++ program based on V. Shoup's NTL library [4], using a deterministic irreducibility test. The rst 2048 entries were indep en- dently veri ed with the Maple symbolic package. The table is available in machine-readable form from the author. The choice of n = 10; 000 as the stopping point for the table is quite arbitrary, and n only intended to amply cover all presently envisioned cryptographic applications where F 2 n is used. It follows from the table that in implementing F for those applications, one can 2 safely assume that an irreducible of weight w 5 is available. Since binary irreducibility testing can b e implemented quite eciently, it should not b e particularly dicult to extend the table to larger values of n. References [1] E.R. Berlekamp. Algebraic Coding Theory. Aegean Park Press, Laguna Hills, 1984. [2] I.F. Blake, S. Gao and R.J. Lamb ert. Construction and distribution problems for irre- ducible trinomials over nite elds, in Applications of Finite Fields, D. Gollman, editor, Oxford: Oxford University Press, 1996. [3] R. Lidl and H. Niederreiter. Finite Fields, in Encyclopedia of Mathematics and its Applications, G.-C. Rota, editor, Addison-Wesley, 1983. [4] V. Shoup. NTL: A library for doing number theory, on the World Wide Web at http://www.cs.wisc.edu/~sh oup/ ntl/ . [5] R.G. Swan. Factorization of p olynomials over nite elds. Paci c J. Math., 12, pp. 1099{1106, 1962. App endix: Table of Low-Weight Binary Irreducible Poly- nomials for 2 n 10; 000.