Galois Field Elements

The Galois field section of the library is initialized by parsing a given primitive poly- nomial P (x) of degree k, which constructs F2k. Any element C ∈ F₂k can be represented

in the form

C = ck−1· αk−1+ ck−2· αk−2+ · · · + c2· α2+ c1· α + c0 (8.1)

where {c0, . . . , ck−1} ∈ F2 and α is the primitive element. This structure is stored as an

unsigned byte array containing {c0, . . . , ck−1}, as shown in Fig. 8.1. Thus, each element

usesk−1₈  + 1 bytes of memory. Any leading bits after ck−1in the last byte are set to 0.

c0 c1 c2 c3 c4 c5 c6 c7

Byte 0

Byte

Additionbetween two elements

C = ck−1· αk−1+ · · · + c2· α2+ c1· α + c0 (8.2)

D = dk−1· αk−1+ · · · + d2· α2+ d1· α + d0 (8.3)

is simply a combination of like terms

C + D = (ck−1+ dk−1) · αk−1+ · · · + (c2+ d2) · α2+ (c1+ d1) · α + (c0+ d0) (8.4)

Since addition over F2 is computed as a bit-wise XOR, the library’s Galois field element

structure allows addition to be trivially performed as a byte-wise XOR operation. Further- more, this structure makes it easy to check if a given element is equal to 0 or 1, which is used in deciding when a term is to be removed (0) and when a division can be ignored (1). During library initialization, the elements αk_{, α}k+1_{, . . . , α}2k−2 _{are precomputed and}

cached. First, αkis derived directly from the given primitive polynomial,

P (x) = xk+ ck−1· xk−1+ · · · + c1· x + 1 (8.5)

for {c1, . . . , ck−1} ∈ F2. Since P (α) = 0,

αk = ck−1· αk−1+ · · · + c1· α + 1 (8.6)

To compute αk+1_{, first compute a 1-bit left shift of α}k_.

αk+1 = ck−1· αk+ ck−2· αk−1+ · · · + c1· α2+ α (8.7)

This element can contain the term αk, which must be minimized by the primitive polyno- mial. Thus, if ck−1is 1, the ck−1αkterm is removed and the minimized form of αkis added.

This derives the minimized form for αk+1_{. Computation continues in this fashion (shift by}

1, minimize if needed) until all αk, αk+1_{, . . . , α}2k−2_{have been derived. These elements are}

later used during the multiplication procedure.

Example 8.1 Given the primitive polynomial P (x) = x4+ x3+ 1, initialize the library by computingα4_{, α}5_{, and α}6_{. Here,k = 4, and each element of F}

c3· α3+ c2· α2+ c1· α + c0 (8.8)

which is stored as one byte in the following form.

0 0 0 0 c3 c2 c1 c0 (8.9)

Notice that there are4 leading bits that are unused; these are always set to 0. P (α) = α4+ α3+ 1 = 0. Hence, α4 = α3+ 1, which is stored as

c3 c2 c1 c0

α4 _{= 0 0 0 0 1 0 0 1} (8.10)

To compute α5, take the α4 element and shift the result left 1 bit. Thec3 term is dropped

since the leading4 bits are always 0.

0 0 0 0 0 0 1 0 (8.11)

Then, sincec3 was1, add α4.

0 0 0 0 0 0 1 0

+ 0 0 0 0 1 0 0 1

0 0 0 0 1 0 1 1

(8.12)

This givesα5 _{= α}3_{+ α + 1. Similarly, α}6 _{is derived as}

0 0 0 0 0 1 1 0

+ 0 0 0 0 1 0 0 1

0 0 0 0 1 1 1 1

(8.13)

Multiplication requires temporarily increasing the size of the byte-array to store the intermediate result, which can have values up to α2(k−1)_.

This result needs to be divided by the given minimum polynomial. Each α term with an exponent of k or larger is replaced by its minimized equivalent, which was computed during initialization. That is, for i ≥ k, each term for which ci = 1 is removed and the minimized

form of αi is added in.

Example 8.2 Consider again the setup for F24 from Example 8.1. Compute the product of

the following two elements:

α3+ α2+ 1 (8.15)

α2 + α (8.16)

These elements are stored, respectively, as

0 0 0 0 1 1 0 1 (8.17)

0 0 0 0 0 1 1 0 (8.18)

The intermediate result is computed using the basic shift-and-add procedure.

1 1 0 1 x 0 1 1 0 0 0 0 0 1 1 0 1 1 1 0 1 + 0 0 0 0 0 0 1 0 1 1 1 0 (8.19)

The intermediate result of the multiplication isα5_{+ α}3_{+ α}2_{+ α, which needs to be further}

minimized. The value ofα5 was determined during initialization to beα3 + α + 1. The α5 term from the intermediate result is removed and the minimized form is added.

0 0 0 0 1 1 1 0

+ 0 0 0 0 1 0 1 1

0 0 0 0 0 1 0 1

(8.20)

So the minimized result of the product isα2_{+ 1.}

Division of two Galois field elements, C = B_A, requires finding the multiplicative inverse of the divisor: C = B·A−1. To find the inverse, the library implements the extended Euclidean algorithm over F2k, depicted in Algorithm 5. The algorithm requires a nonmin-

imized representation of the element P (α), so the size of object is temporarily increased to allow the storage of the αk bit. The function DIV returns the quotient and remainder of a Euclidean division; that is, DIV (A, B) returns {Q, R}, where A = B · Q + R. This procedure is described in Algorithm 6; here, DEG returns the highest degree of a given element in F2k, i.e., DEG(α4+ α3+ 1) would return 4.

Example 8.3 Given P (x) = x8+ x4 + x3_{+ x + 1, which generates F}28, find A−1 where

A = α6 _{+ α}4 _{+ α + 1. Table 8.1 shows the steps Algorithm 6 goes through to find the}

inverse.

Algorithm 5: Inverse of an Element Over F2k

Input: M := P (α) where P (x) was used to generate F2k, A ∈ F₂k

Output: A−1over F2k {Q0, Q1} := {0, 0}; {R0, R1} := {M, A}; {U0, U1} := {0, 1}; i := 1; while Ri 6= 1 do if Ri == 0 then

ERROR: No inverse exists end

{Qi+1, Ri+1} := DIV (Ri−1, Ri);

Ui+1:= (Qi+1· Ui) + Ui−1;

i := i + 1; end

Table 8.1: Steps to derive the inverse of α6_{+ α}4_{+ α + 1} i Qi Ri Ui 0 0 α8_{+ α}4_{+ α}3_{+ α + 1 0} 1 0 α6_{+ α}4_{+ α + 1 1} 2 α2_{+ 1 α}2 _α2_{+ 1} 3 α4+ α2 α + 1 α6+ α2+ 1 4 α 1 α7_{+ α}6_{+ α}3_{+ α}

Algorithm 6: DIV (Euclidean Division Over F2k)

Input: A, B ∈ F2k

Output: {Q, R} such that A = B · Q + R {Q, R} := {0, A};

while DEG(R) ≥ DEG(B) do S := αDEG(R)−DEG(B); Q := Q + S;

R := R + S · B; end

return {Q, R};

The derived inverse is A−1 = α7 _{+ α}6 _{+ α}3 _{+ α. Correctness can be checked by}

computingA · A−1 and verifying that the result is1 (mod P (x)).