WO1991020028A1

WO1991020028A1 - Universal galois field multiplier

Info

Publication number: WO1991020028A1
Application number: PCT/SE1991/000384
Authority: WO
Inventors: Edoardo Mastrovito
Original assignee: Edoardo Mastrovito
Priority date: 1990-06-15
Filing date: 1991-05-31
Publication date: 1991-12-26
Also published as: SE9002124D0; AU8076591A; SE466822B; SE9002124L

Abstract

The present invention provides a novel apparatus for computing products in Galois fields GF(pm) with emphasis on the case p = 2. The elements of the field are represented in polynomial basis and no basis conversion is required. The apparatus consists of two distinct subunits. The first subunit simultaneously produces the first m α-multiples of one of the two elements to be multiplied. The second subunit simultaneously produces the m inner products of the second element and the m vectors consisting of suitable components of the above mentioned α-multiples. Both subunits are capable of operating over any Galois field GF(pm) where m is an integer in the range [2, M]. Consequently, the apparatus is programmable for operation over any of the above mentioned Galois fields.

Description

Universal galois field multiplier

The invention is concerned with the multiplication of two arbitrary elements belonging to a Galois field, especially an apparatus for performing such multiplication.

Galois fields are finite fields consisting of p^m elements, where p is a prime number and m a positive integer. The field GF(2^m) is of particular importance in practice because its elements can be represented by binary polynomials of degree at most m-1 in a particular primitive element. This primitive element is a root of the irreducible primitive polynomial of degree m that generates the Galois field.

Galois fields are of fundamental importance in the construction, encoding and decoding of several classes of powerful error-control codes (here abbreviated ECC) like Bose-Chaudury-Hocqenhem codes (called BCH codes), Reed-Solomon codes (called RS codes) and Goppa codes. The reader is referred to F.J. MacWilliams, N.J.A. Sloane "The Theory of Error- Correcting Codes", Amsterdam: North-Holland 1977, for details on the theory of ECC and an introduction to the theory of finite fields. The book by R.E. Blahut, "Theory and practice of Error Control Codes", Cambridge, MA: Addison-Wesley, 1984, gives another treatment of the same theories with emphasis on the practical aspects.

The main parameters of an ECC are the block length n, the number of information symbols k (also called the dimension) and the minimum (Hamming) distance d between two any codewords of the code. A code with minimum distance d is capable of correcting t errors and s erasures as long as 2t + s≤ d-1. ECCs are very useful in practice for improving the reliability of a noisy communication channel. However, different applications require different codes with different parameters n, k, d. These parameters are all directly or indirectly related to the number (=2^m) of elements of the Galois field GF(2^m). For example the maximum block length n of an RS code is 2^m + 1. This means that, if we are constrained to use one single Galois field we are also limited in our selection of ECC.

Building a dedicated hardware for every code of practical interest is obviously unreasonable. Sometimes dedicated hardware can though be motivated by standardization and/or by extreme speed requirements. In many other situations a flexible, programmable device capable of implementing different codes over different Galois fields would be the most appropriate choice. The most crucial and important single unit in a device capable of providing the aforementioned flexibility, is a fast universal Galois field multiplier (here abbreviated UGM) capable of operating over a number of different Galois fields. Actually, multiplication is by far the most common operation occurring in the encoding/decoding procedures of, for example, BCH and RS codes. Successive multiplications can also be used to compute the inverse of a field element. Inversion is required in the decoding of, for example, BCH and RS codes.

A prior art UGM has resulted in a cellular-array multiplier which is too slow to be really practical. The poor performance of the prior art UGM is due to a worst signal path of about 6m levels of logic when the UGM is operated over GF(2^m). Details on the prior art UGM are found in B.A. Laws, C.K. Rushforth, "A Cellular-Array Multiplier for GF(2^m)", IEEE Trans. Comput., Vol. C-20, pp. 1573-1578, December 1971.

The principal object of the invention is to provide a novel apparatus for computing products of elements belonging to a Galois field GF(p^m ) with emphasis on the case p =2. The new apparatus has fewer components and higher speed than previous art apparatus.

It is a feature of this invention to be programmable for operation over any Galois field GF(p^m ) with 2≤ m≤ M where M is an arbitrary positive integer greater than one.

The invention, as well as the embodiments thereof, is defined in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of apparatus according to a preferred organization.

FIG. 2 is a more detailed block diagram of a sub-unit of apparatus used to compute α-A over different fields of characteristic two.

FIG. 3 is yet a more detailed block diagram of a sub-unit of apparatus used to compute the inner product of two binary vectors.

FIG. 4 is an example of apparatus for the fields GF(2 ^m), 2≤ m≤ 4.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT The discussion of apparatus requires a review of some basic properties of a Galois field. A Galois field GF(p^m) is an algebraic finite field consisting of p^m elements, where p is a prime and m a positive integer. Among the field elements are included the null element, 0, and the unit element, 1. Upon the elements in the field are defined the operations of addition, subtraction, multiplication and division. Addition, subtraction and multiplication are associative and commutative and multiplication is distributive with respect to addition and subtraction. Further, any of the four aforementioned operations results always in an element of the field.

The present invention is primarily concerned with, but not limited to fields of characteristic two (i.e. p = 2) which are denoted by GF(2^m). The smallest of these fields ( m=1) consists actually only of a null element 0 and a unit element 1 and it is called the binary field GF(2). Addition and multiplication in GF(2) are performed modulo 2, i.e. 0+0=1+1=0, 0+1=1+0=1, 0.0=0-1 =1 .=0, 1.1=1 and -1=1. Addition is thus the same as exclusive-or (XOR) whereas multiplication is the same as logical AND.

In GF(2^m), m > 1, each element can be represented by a polynomial of degree m-1 or less with binary coefficients. Each element is a residue modulo an irreducible polynomial of degree m over GF(2), and all arithmetic operations on the coefficients are performed modulo 2. Alternatively, the field GF(2^m) can be seen as a linear vector space over

GF(2) of dimension m (in which case it should be denoted GF(2)^m).

For each integer m there exists only one finite field with 2^m elements (this is true in general for fields of any characteristic). In general, however, there exist several different representations of the elements of a finite field. The particular representation is given by the particular irreducible polynomial chosen to generate the finite field.

Representing an element A as a polynomial α₀ + α₁x + ... + α_{m- 2}x^m-2 + α_m-1x^m _-1 corresponds to choosing the set of field elements {1, α, ..., α^m-2, α^m-1} as a basis of GF(2^m). Every element can thus be expressed as a linear combination of the basis elements. In particular, the elements αⁱ, i = 0,

1 , ..., m—1 are represented in this basis by the polynomials xⁱ, i=0, 1, ..., m— 1 and the expression α₀ + a₁x + ... + a_{m- 2}x^{m- 2} + a_m-1x^m-1 is equivalent to α₀ + α₁ α + ... + α_m_₂α + α _m-1α ^{m- 1}. The type of basis discussed above is naturally called the polynomial basis.

In the following we call P(x) the irreducible polynomial generating the field and which has the field element a as a root, i.e. P(α) = 0. A(x) is the polynomial associated with the field element A, B(x) the polynomial associated with the field element B and C(x) the polynomial associated with the product of A and B . Then the product is given by the following expression

C(x) = A(x)-B(x) mod P(x) =

= [b₀A(x) + b₁ xA(x) + ... + b_m-1x ^m-1A(x)] mod P(x) = 1 = [b₀A(x) mod P(x)] + [b₁xAix) mod P(x)] + ... + [ .

b_{m - 1}x^m-lA(x) mod P(*x)]. (1)

We define now the polynomials Z_t _(x) as follows:

where z_i,_j∈ GF(2). Then

C(x) = b ₀Z_0,(x) + b₁Z_1r{x) + ... + b_m-1Z_m-1, (x). (3)

- And in matrix notation

where Z is the m by m binary matrix in equation (4). We see that the product C can be obtained by computing the m inner products Z_-,jB,j = 0,1..., m-1, where Z_{- j} denotes theJ:th row of Z. First, though, the entries of Z have to be generated and this can be done as follows. We generate the m columns of Z simultaneously by cascading m-l identical cells where each cell implements the operation xA(x) mod P(x) (the first column Z₀, _ is the element A itself, see equation (2)). We call such a cell the α-cell and the cascaded structure the α-array.

The polynomial P(x) used to generate the field is of the form x^m + x^m'1p_mΛ + ... + xp_± + 1 (the first and last coefficient must necessarily be ones if P(x) is to be irreducible). Then the expression xA(x) mod P(x) can be written as follows:

In equation (5) we have utilized the fact that α^m = α^m-1 p. _{m- 1}+ .•• + αφ₁ + 1 (or equivalently x^m = x^m' p_mΛ+ ... + x_p1 + 1). Equation (5) describes the function of the α-cell for fixed m: for each p_t≠ 0, i = 1, 2, ..., m-1, one sum αm-1 ^{+ α}i-1 has to be computed whereas the coefficient of x⁰ is A's most significant coefficient a_m-1. We call α_m-1 the feedback (FB) signal.

Having described the mathematical preliminaries, a preferred embodiment of the novel UGM will now follow.

A. Hardware

Fig. 1 shows the general structure of the novel TJGM. The notation is consistent with the previous section. Unit 1 is the α-array that generates the entries of the matrix Z as defined in equation (4). Unit 2 computes the m inner products c_j = Z _,j.B,j = 0,1..., m-1 and is here called the IP network. The IP network consists in turn of m identical cells, where each cell, here called the IP-cell, computes one inner product. The UGM requires the input field elements to have zeros in the unused high-order positions, i.e. α_i = b_i= 0, i > m-1.

Fig. 2 shows a preferred implementation of the α-cell 11 for performing the operation xA(x) mod P(x) (or, equivalently, αA). The α-cell can be programmed to operate over any of the fields GF(2^m), 2≤ m≤ M by means of the binary vectors P = (p₁,p₂,p₃, ...,p_M-1) and S = (s₁, s₂, s₃, s_M-1) shown in Fig. 2.

Suppose we want to program the UGM for operation over GF(2^m) where m is a particular value in the usable range. Then the components of the vector S are set as follows:

The vector S determines the feedback signal FB of Fig. 2. The first m-1 components of the vector P are the m-l middle coefficients of the irreducible polynomial P(x) chosen to generate the field. The remaining coefficients p_m through p_M-1 are, for example, set to zero.

We see in Fig. 2 that the α-cell has a regular bit-slice structure consisting of m-l identical subcells (unit 111 in Fig. 2). In each subcell there is one binary adder (XOR), one switch SW and one multiplexer MX.

The switch SW in subcell #i is controlled by the signal s_i in the following way: SW is closed if s_i = 1 , SW is open if s_i = 0. The multiplexer MX is controlled by the signal p_i in the following way: if p_i = 1 then MX passes the signal coming from the binary adder (= α_m-1 + α_i-1), if p_i = 0 then MX passes the other input (= α_i-1). Fig. 3 shows a preferred implementation of the IP-cell 21 based on twoinput gates. M AND gates and M-1 XOR gates are required. The multiplexer MX appended to the output of the IP-cell is required to zero the product coefficients c_i for i > m -1 since these are not used. In this case the signal v_i is the i:th component of a vector V = (v₀, v₁, ..., v_M-1) that could be set as follows

The multiplexer MX would then zero the output if v_i = 1. If v_i = 0 the output of the XOR-tree is selected. Fig. 4 shows the complete UGM for the case M = 4 together with a table of values for the vectors S and V for 2≤ m≤ 4. Notice that m≥ 2 implies that the first two components s₀ and s₁ of S are always zero and need not be generated (the multiplexer could be skipped in those IP-cells). The field generator P(x) is not indicated but can be chosen as follows: P(x) = x⁴ + x + 1 for m = 4, P(x) = x³ + x + 1 for m = 3 and P(x) = x² + x + 1 for m = 2.

The extension to a new value of M is straightforward.

Operating the UGM for m < M means that only a part of α-array is used. This fact can be easily illustrated by help of equation (4). First we define the vectors C_L, C_U} _B_L and B_υ as follows

where the superscript T indicates transposition. Then we have

where Z₁, Z₂ and Z₃ are submatrices of Z defined according to the subdivision of Z indicated in equation (8). The product of interest for us is Z₁. B_L and we want it to appear on the lines of C_L. To have this product correctly computed we must ensure that the product Z₃.B_U is always zero.

But this is the case since B_U is required to be zero. What remains to take care of is the product Z₂.B _L since this is normally non-zero and it would appear on the lines of C_U (the unused lines that we wish to be zero). The zeroing of these lines is done through the multiplexer MX and the control signal v_i mentioned above and shown in Fig. 3.

B. Complexity

The α-array consists of m - 1 α-cells where each cell contains m - 1 XOR gates, m -1 switches and m -1 multiplexers. Since switches and multiplexers are much simpler than XOR gates we approximate the complexity of a switch-multiplexer pair by that of one XOR gate. Then the complexity of the α-array can be estimated to 2(m-1)² gates. The IP-network consists of m IP-cells where each cell contains 2m -1 gates. Totally 2m²-m gates for the IP-network. Finally we need 3m register to store the vectors P, S and V needed to program the UGM (these registers are loaded from an external unit). The complexity N_UGM for the whole UGM can therefore be estimated by

N_UGM≈ 2(m - 1)² + 2m²-m + 3m.

Compared to a prior art UGM with complexity ~ 7m² +3m the present UGM requires about 50% less components.

C. Performance

The performance of the UGM is directly related to the worst signal path (WSP) between any input and any output of the UGM. We will give an upper bound on the length L_wsp (in gates) of the WSP. In doing this we approximate the delay of a switch-multiplexer pair by that of one XOR gate.

The WSP through the UGM must go through m-l α-cells and one IP-cell. The length of the WSP through the IP-cell is fixed and it is easily found to be 1 + [log₂M] gates.

The WSP through the α-array depends on the choice of P(x). It consists however of three parts: switches, XOR gates and multiplexers. The number of XOR gates along the WSP can be much less than m - 1 by smart choice of P(x). The following is a table over the number of XOR gates along the WSP through the α-array for some good P(x) and m≤ 16:

In the table we indicate only the powers of x in P(x) whose coefficients are non-zero . We see that the number of XOR gates is at least one and at most for m≤ 8. For m > 8 a better upper bound seems to be We use as an

upper bound for all m.

The number of switches and multiplexers along the WSP is not easily determined exactly. We assume worst case and say therefore that the WSP goes through m-1 switches and m - 1 multiplexers. According to the approximation above this corresponds to about m - 1 XOR gates.

The total length L_WSP of the WSP can now be upper bounded by L_WSP≤ (m-1) + m/2 + 1 + [log₂M] = 1.5m + [log₂M ] [Gates] which is considerably better than the ~ 6m gates of a prior art UGM.

D. Comments

One skilled in the art will immediately recognize that several changes could be made in the above design without departing form the basic structure. For example, instead of storing the three vectors P, S and V in registers one could design some simple logic that generates both S and V from P (in this case also the highest coefficient p_m of P(x) must be entered into the UGM). The programming of the UGM would thus be simplified to one single operation instead of three. The UGM is also easily modified to perform the operation A.B + D by adding one input and one XOR gate to each IP-cell. Further, the design of the sub-cell 111 can alternatively be done by using an AND gate instead of the multiplexer MX. The AND gate computes the product am -1pi. This product enters then the XOR gate (instead of the feedback signal a_m-1) to produce the sum a_m-1p_i + a_i-1.

The same general structure of Fig. 1 can be utilized for UGMs operating over fields of characteristic other than 'two. Only the details get slightly more complicated since all coefficient operations must be performed modulo the prime p, p > 2, that is the XOR gate becomes a mod p-adder and the AND gate a mod p-multiplier. Further, for prime p > 2 we have -1≠1 mod p which means that signs must be considered. For example, suppose P(x) is a monic (i.e. with the highest coefficient pM = 1) irreducible polynomial of degree M over GF(p) that has α as a root, i.e. P(α) = 0. Then

where pi' is the additive inverse of p_i in GF(p). Now equation (5) becomes

The design of the α-cell follows directly from equation (10). The α-cell consists of M-1 identical sub-cells where each sub-cell performs the operation plus one cell for computing where

juxtaposition means modulo p-multiplication and "+" modulo p-addition. Since P is known in advance the additive inverses

can be precomputed and input to the multiplier instead of the original coefficients pt. The α-cell is made programmable for operation over different fields GF(p^m), 2≤ m≤ M just the same way as for p = 2 by means of switches and the control vector S. The new α-array is obtained simply by cascading M-1 α-cells just as before. The α-array is connected to the IP network as before to compute the necessary inner products. The IP cell is modified to compute the inner product of two p-ary vectors of length M. The control vector V is used as for p = 2. The vectors & and V can either be stored in registers which are loaded from outside or they can be derived from the coefficients of P (in fact only the position of the highest coefficient p is relevant to this purpose) by some simple logic. We notice finally that the binary representation of each coefficient will require [log₂p] bits. For example the three elements of GF(3) require two bits. Accordingly, it is intended that all matter contained in the above descriptions and the following drawings shall be interpreted as illustrative and not in a limiting sense.

Claims

CLAIMS 1. A multiplier for performing multiplication of two elements in the finite field GF(p^m) with p^m elements, and obtaining a product vector of m p- ary components, where m is an integer equal to or greater than 2 or equal to or less than M, where M is an integer equal to or greater than 2, each of said p^m elements of GF(p^m) represented by a vector of m p-ary coefficients according to a polynomial basis representation, c h a r a c t e r i z e d b y a) first logic means (1) including a cascade of at least one α-cell (11) for developing for the first of said two elements the first m αmultiples, each α-multiple being the product of α^l and said element for i = 0, 1, 2 , ..., m-1, where α is an element of the field GF(p^m) satisfying the equation P(x) = 0 for x = α, where P(x) is a polynomial of degree m which is irreducible over the field GF(p); and b) second logic means (2) including at least two IP cells (21), where each IP cell will simultaneously develop the inner product of the second element and every p-ary vector whose components are the j:th components of all said α-multiples for j = 0, 1, 2, ..., m-1, each of said m inner products being one component of said product vector.

2. The multiplier recited in claim 1 w h e r e i n: a) said first logic means (1) comprise means for changing of said irreducible polynomial, whereby said first logic means are programmable for operation over any of said finite fields GF(p^m ), 2≤ m≤M, including all possible representations of said finite fields; and b) means for selectively connecting the output of said second logic means (2) to a logical zero.

3. The multiplier recited in claim 1 or 2 w h e r e i n each of the p^m elements of GF(p^m) is represented by a vector of m p-ary components according to a polynomial basis representation of the form A = α₀ + α₁α + ... + α_m-2α^m-2 + α_m-1α^m-1, where A is an element of GF(p^m ), α₀, α₁, ..., α_m-2, α_{m- 1} are the p-ary components of A , and α is an element of GF(p ^m) satisfying the equation P(x) = 0 for x = α, where P(x) is a polynomial of degree m which is irreducible over the field GF(p).

4. The multiplier recited in claim 2 or 3 wherein: a) the unused inputs of said first logic means (1) are set to logical zero; and b) the unused inputs and outputs of said second logic means (2) are set to logical zero.

5. The multiplier recited in claim 1,2, 3 or 4 wherein p = 2.