## [Binary Towers](https://eprint.iacr.org/2023/1784.pdf#page=7.48)
In this subsection, we review towers of field extensions. The following explicit construction is due to Wiedemann [Wie88], and appears also in Cohen [Coh92] and Fan and Paar [FP97], for example; we refer to Blake et al. [Bla+93, § 3.4] for further historical remarks. We define a sequence of rings inductively, by setting $\mathcal{T}_0:=\mathbb{F}_2, \mathcal{T}_1:=\mathbb{F}_2\left[X_0\right] /\left(X_0^2+X_0+1\right)$, and, for each $\iota>1, \mathcal{T}_\iota:=\mathcal{T}_{\iota-1}\left[X_{\iota-1}\right] /\left(X_{\iota-1}^2+X_{\iota-2} \cdot X_{\iota-1}+1\right)$. It is shown in [Wie88, Thm. 1] that, for each $\iota>1$, the polynomial $X_{\iota-1}^2+X_{\iota-2} \cdot X_{\iota-1}+1$ is irreducible in $\mathcal{T}_{\iota-1}\left[X_{\iota-1}\right]$. We conclude by induction that, for each $\iota \geq 0$, the ring $\mathcal{T}_\iota$ is a field, isomorphic precisely to $\mathbb{F}_{2^{2^\iota}}$.

For each $\iota>0$, we naturally realize $\mathcal{T}_{\iota-1}$ as a subfield of $\mathcal{T}_\iota$, corresponding to (the equivalence classes of) the constant polynomials. Applying induction, we obtain a natural tower construction $\mathcal{T}_0 \subset \mathcal{T}_1 \subset \cdots \subset \mathcal{T}_\iota$. Moreover, for each $\iota \geq 0$, we have a straightforward identification of rings:
$$
\mathcal{T}_\iota=\mathbb{F}_2\left[X_0, \ldots, X_{\iota-1}\right] /\left(X_0^2+X_0+1, \ldots, X_{\iota-1}^2+X_{\iota-2} \cdot X_{\iota-1}+1\right)
$$

This identification respects the tower structure in the obvious way; indeed, $\mathcal{T}_{\iota-1} \subset \mathcal{T}_\iota$ is precisely the subring consisting of the equivalence classes of those polynomials in which only the variables $X_0, \ldots, X_{\iota-2}$ appear.

It holds-say, by Gröbner basis considerations-that, for each $\iota \geq 0$, each equivalence class in $\mathcal{T}_\iota$ has a unique multilinear representative. We conclude that the set of monomials $1, X_0, X_1, X_0 \cdot X_1, \ldots, X_0 \cdots X_{\iota-1}$ gives a basis of $\mathcal{T}_\iota$ as an $\mathbb{F}_2$-vector space; we call this basis the multilinear basis. For each $v \in \mathcal{B}_\iota$, with boolean components $\left(v_0, \ldots, v_{\iota-1}\right)$, say, we write $\beta_v:=\prod_{i=0}^{\iota-1}\left(v_i \cdot X_i+\left(1-v_i\right)\right)$; that is, $\beta_v$ is that basis vector corresponding to the product of precisely those indeterminates among the list $X_0, \ldots, X_{\iota-1}$ indexed by $v$ 's components. Slightly abusing notation, we occasionally write $\beta_0, \ldots, \beta_{2^\iota-1}$ for this latter basis; in other words, we define $\beta_{\{v\}}:=\beta_v$, where we again identify $\{v\}=\sum_{i=0}^{\iota-1} 2^i \cdot v_i$. More generally, for each pair of integers $\iota \geq 0$ and $\kappa \geq 0$, the set $1, X_\iota, X_{\iota+1}, X_\iota \cdot X_{\iota+1}, \ldots, X_\iota \cdots \cdots X_{\iota+\kappa-1}$ likewise gives a $\mathcal{T}_\iota$-basis of $\mathcal{T}_{\iota+\kappa}$; we again write $\left(\beta_v\right)_{v \in \mathcal{B}_\kappa}$ for this basis. That is, for each $v \in \mathcal{B}_\kappa$, we write $\beta_v:=\prod_{i=0}^{\kappa-1}\left(v_i \cdot X_{\iota+i}+\left(1-v_i\right)\right)$.

We briefly survey the efficiency of tower-field arithmetic. In practice, we represent all $\mathcal{T}_\iota$-elements in coordinates with respect to the multilinear $\mathbb{F}_2$-basis, which we moreover sort in lexicographic order. In particular, each $\mathcal{T}_\iota$-element $\alpha$ admits a length- $2^\iota$ coordinate vector $\left(a_0, \ldots, a_{2^\iota-1}\right)$, with components in $\mathbb{F}_2$; we note, in light of our lexicographic basis-ordering, that this vector's $0^{\text {th }}$ and $1^{\text {st }}$ halves respectively define $\mathcal{T}_{\iota-1}$-elements $\alpha_0$ and $\alpha_1$ for which $\alpha=\alpha_1 \cdot X_{\iota-1}+\alpha_0$ in fact holds.

Throughout, addition amounts to bitwise XOR. We multiply $\mathcal{T}_\iota$-elements in the following way. To multiply the elements $\alpha_1 \cdot X_{\iota-1}+\alpha_0$ and $\alpha_1^{\prime} \cdot X_{\iota-1}+\alpha_0^{\prime}$ of $\mathcal{T}_\iota$, say, we first use the Karatsuba technique - that is, we use three recursive multiplications in $\mathcal{T}_{\iota-1}$-to obtain the expression $\alpha_1 \cdot \alpha_1^{\prime} \cdot X_{\iota-1}^2+\left(\alpha_0 \cdot \alpha_1^{\prime}+\alpha_1 \cdot \alpha_0^{\prime}\right) \cdot X_{\iota-1}+\alpha_0 \cdot \alpha_0^{\prime}$. We then reduce this latter polynomial by subtracting $\alpha_1 \cdot \alpha_1^{\prime} \cdot\left(X_{\iota-1}^2+X_{\iota-2} \cdot X_{\iota-1}+1\right)$ from it; this step itself entails computing the product $\alpha_1 \cdot \alpha_1^{\prime} \cdot X_{\iota-2}$ in $\mathcal{T}_{\iota-1}$.

It is shown by Fan and Paar [FP97, § III] that, in the Wiedemann tower, each such "constant multiplication"-that is, each multiplication of a $\mathcal{T}_\iota$-element by the constant $X_{\iota-1}$-can be carried out in linear time $\Theta\left(2^\iota\right)$. In light of this fact, and using the "master theorem" for recurrence relations (see e.g. Cormen, Leiserson, Rivest, and Stein [CLRS22, Thm. 4.1]), we conclude that this recursive, Karatsuba-based approach features complexity $\Theta\left(2^{\log 3 \cdot \iota}\right)$ (we refer also to [FP97, § IV] for a thorough analysis).

We finally record a further key property, whereby field-elements may be multiplied by subfield-elements especially efficiently. In slightly more detail, the complexity of multiplying a $\mathcal{T}_\iota$-element by a $\mathcal{T}_{\iota+\kappa}$-element grows just linearly in the extension degree of $\mathcal{T}_{\iota+\kappa}$ over $\mathcal{T}_\iota$. We express this precisely as follows. For each element $\alpha \in \mathcal{T}_{\iota+\kappa}$, with coordinate representation $\left(a_v\right)_{v \in \mathcal{B}_\kappa}$ with respect to the multilinear $\mathcal{T}_\iota$-basis of $\mathcal{T}_{\iota+\kappa}$, say, and each scalar $b \in \mathcal{T}_\iota$, the representation of $b \cdot \alpha$ with respect to this basis is $\left(b \cdot a_v\right)_{v \in \mathcal{B}_\kappa}$. We conclude that the multiplication of a $\mathcal{T}_{\iota+\kappa}$-element by a $\mathcal{T}_\iota$-element can be carried out in $2^\kappa \cdot \Theta\left(2^{\log 3 \cdot \iota}\right)$ time. This property-that is, that whereby elements of differently-sized fields can be efficiently multiplied-has been noted by previous authors; we refer for example to Bernstein and Chou [BC14, § 2.4].


In [1]:
# Multiply v1 * v2 in the binary tower field
# See https://blog.lambdaclass.com/snarks-on-binary-fields-binius/
# for introduction to how binary tower fields work
#
# The general rule is that if i = b0b1...bk in binary, then the
# index-i bit is the product of all x_i where b_i=1, eg. the
# index-5 bit (32) is x_2 * x_0
#
# Multiplication involves multiplying these multivariate polynomials
# as usual, but with the reduction rule that:
# (x_0)^2 = x_0 + 1
# (x_{i+1})^2 = x_{i+1} * x_i + 1

def binmul(v1, v2, length=None):
    if v1 < 256 and v2 < 256 and rawmulcache[v1][v2] is not None:
        return rawmulcache[v1][v2]
    if v1 < 2 or v2 < 2:
        return v1 * v2
    if length is None:
        length = 1 << (max(v1, v2).bit_length() - 1).bit_length()
    halflen = length//2
    quarterlen = length//4
    halfmask = (1 << halflen)-1

    L1, R1 = v1 & halfmask, v1 >> halflen
    L2, R2 = v2 & halfmask, v2 >> halflen

    # Optimized special case (used to compute R1R2_high), sec III of
    # https://ieeexplore.ieee.org/document/612935
    if (L1, R1) == (0, 1):
        outR = binmul(1 << quarterlen, R2, halflen) ^ L2
        return R2 ^ (outR << halflen)

    # x_{i+1}^2 reduces to 1 + x_{i+1} * x_i
    # Uses Karatsuba to only require three sub-multiplications for each input
    # halving (R1R2_high doesn't count because of the above optimization)
    L1L2 = binmul(L1, L2, halflen)
    R1R2 = binmul(R1, R2, halflen)
    R1R2_high = binmul(1 << quarterlen, R1R2, halflen)
    Z3 = binmul(L1 ^ R1, L2 ^ R2, halflen)
    return (
        L1L2 ^
        R1R2 ^
        ((Z3 ^ L1L2 ^ R1R2 ^ R1R2_high) << halflen)
    )

# A wrapper object that makes it easy to work with binary fields
class BinaryFieldElement():

    def __init__(self, value):
        if isinstance(value, BinaryFieldElement):
            value = value.value
        self.value = value

    def __add__(self, other):
        othervalue = other if isinstance(other, int) else other.value
        if self.value < 256 and othervalue < 256:
            return addcache[self.value][othervalue]
        return BinaryFieldElement(self.value ^ othervalue)
    
    __sub__ = __add__

    def __neg__(self):
        return self

    def __mul__(self, other):
        othervalue = other if isinstance(other, int) else other.value
        if self.value < 256 and othervalue < 256:
            return mulcache[self.value][othervalue]
        return BinaryFieldElement(binmul(self.value, othervalue))

    def __pow__(self, other):
        if other == 0:
            return BinaryFieldElement(1)
        elif other == 1:
            return self
        elif other == 2:
            return self * self
        else:
            return self.__pow__(other % 2) * self.__pow__(other // 2) ** 2

    def inv(self):
        L = 1 << (self.value.bit_length() - 1).bit_length()
        return self ** (2**L - 2)

    def __truediv__(self, other):
        if isinstance(other, int):
            other = BinaryFieldElement(other)
        return BinaryFieldElement(binmul(self.value, other.inv().value))

    def __eq__(self, other):
        othervalue = other if isinstance(other, int) else other.value
        return self.value == othervalue

    def __repr__(self):
        return '<'+str(self.value)+'>'

    def bit_length(self):
        return 1 << (self.value.bit_length() - 1).bit_length()

    def to_bytes(self, length, byteorder):
        assert length >= (self.bit_length() + 7) // 8
        return self.value.to_bytes(length, byteorder)

    @classmethod
    def from_bytes(cls, b, byteorder):
        return cls(int.from_bytes(b, byteorder))

rawmulcache = [[None for _ in range(256)] for _ in range(256)]
addcache = [[None for _ in range(256)] for _ in range(256)]
mulcache = [[None for _ in range(256)] for _ in range(256)]

for i in range(256):
    for j in range(256):
        rawmulcache[i][j] = binmul(i, j)
        addcache[i][j] = BinaryFieldElement(i ^ j)
        mulcache[i][j] = BinaryFieldElement(binmul(i, j))
