Galois Fields, Linear Feedback Shift Registers and their Applications

Transcription

1 Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): ISBN (E-Book): For further information and order see htt:// Carl Hanser Verlag, München

2 Acknowledgements First of all, I would like to thank all the students I have been working with. All their questions, comments and remarks during my various lectures showed an intense interest in Galois Fields, Linear Feedback Shift Registers and their alications. This was a strong motivation moment to write this book. Furthermore, I am grateful for the cooeration I had with the editor of Hanser Fachbuchverlag, Mrs. Mirja Werner. From the very beginning she had trust in my idea about this book and always suorted me in writing this book. We had several fruitful discussions regarding structure, content and details of this book. I would also like to thank the editor, Mrs. Natalia Silakova, who accomanied me in the finalization hase of this book. Many other eole contributed to this book. Therefore, I would also like to thank all those eole who are not mentioned exlicitly in this section. Finally, my thanks go to my family my wife Carola and my children Julia, Franziska and Christian. They always showed lots of understanding while I was writing this book. And they had lots of atience when I (unfortunately) had no time to share and enjoy together with them. Remark: The author of this book has written and described the entire content of this book to his best knowledge. However, the author does not take any resonsibility for any develoments and/or roducts which may have been develoed based on the content of this book. The book is intended as a textbook to get acquainted with Galois Fields, Linear Feedback Shift Registers and their alications. Therefore, the reader is required to make sure by himself whether any software or hardware imlementation or any roduct derived from the content of this book works as wanted.

3 Contents 1 Introduction Finite Grous and Fields Modular Arithmetic Grous,Rings andfields Galois Fields PrimeFields ExistenceofPrimeFields Generators ofprimefields Multilicative Inverses inprimefields Cyclic StructureofPrimeFields ExtensionFields ExistenceofExtension Fields Irreducible Polynomials Modular Arithmeticover Polynomials Primitive or Generator Polynomials Lessonslearned Exercises Working with Extension Fields Primitive Polynomial Reresentations Addition over Extension Fields Multilication over Extension Fields Multilication inolynomial form Multilication by meansofstringreresentation Multilication using therimitive olynomial Multilicative Inversewithin ExtensionFields Lessonslearned Exercises... 55

4 10 Contents 4 Linear Feedback Shift Registers Ring Counters Johnson Counters Design of Linear Feedback Shift Registers Based on Galois Field Theory Design of linear feedback shift register circuits basedon rimitiveolynomials LFSRs basedonirreducible (non-rimitive) olynomials LFSRs basedonreducible olynomials Furthertoics relatedto linear feedbackshiftregisters Checking if a secific olynomial is rimitive, irreducible or reducible A systematic way of how to determine rimitive olynomials LessonsLearned Exercises Correlation Functions and Pseudo-random Sequences Correlation Functions MaximumLengthSequences(m-Sequences) Real random sequencesandtheir roerties Proerties ofm-sequences Lessonslearned Exercises Alications of Galois Fields and Linear Feedback Shift Registers LFSRs withintheglobal Positioning System(GPS) The Positioning Princile ofgps GPS codes C/A-code generation within the Global Positioning System (GPS) P-code Generation withintheglobal Positioning System DataTransmissionin GPS The sreading rincile

5 Contents LFSRs ingalileo Motivation behind GALILEO HistoryofGALILEO GALILEOServices GALILEOandGPS comarison GALILEOoen-service (OS) systemcodes LFSRAlications incrytograhy A5/1 astream ciherusedin GSM Trivium Cyclic Redundancy Checks (CRC) Using LFSRs Thecoreidea ofcrc Themathematicaldescritionof CRC Imlementation asectsofcrc Otimizing CRC-calculation Lessonslearned Exercises Aendix Problem Solutions Solutions to roblems in Chater Solutions to roblems in Chater Solutions to roblems in Chater Solutions to roblems in Chater Solutions to roblems in Chater Listofrimitiveandirreducible olynomials Index

6 2.3 Galois Fields Isolation: a) a,b F it holds that a + b = c F b) a,b F it holds that a b = d F 2. Associativity: a) a,b,c F it holds that (a + b) + c = a + (b + c) b) a,b,c F it holds that (a b) c = a (b c) 3. Neutral element: a) Regarding addition, there exists an element 0 F, so that a + 0 = a F a F b) Regarding multilication, there exists an element 1 F,so that a 1 = a F a F 4. Inverse element: a) For each element a F there exists an additive inverse element ( a), so that a + ( a) = 0 (neutral element of addition). b) For all elements a F \0 there exists a multilicative inverse element a 1 F so that a a 1 = 1 F. 5. Distributivity law: a field F obeys the distributivity law, i.e. a,b,c F :(a + b) c = (a c) + (b c) Examles The set of real numbers R and the set of comlex numbers C each form a field. Both fields have an infinite number of elements. 2.3 Galois Fields In the last section we defined the algebraic structures of grous, rings and fields. These definitions are valid for element sets with an infinite number as well as for those with a finite number. Fields based uonafinitenumberofelementsareof articular interest when it comes to technical alications in crytograhy, channel coding, mobile communication or navigation systems. Therefore, in the following sections we will focus on such finite fields, which are called Galois Fields. For that urose, we will now have a closer look at element sets of the form Z m = {0,1,2,3,...,m 1}. If we aly modulo-m-addition and modulo-m-multilication, such a set will always obey the isolation roerty, i.e. the result of any oeration will always be within the given set of elements. In addition, it is obvious

7 24 2 Finite Grous and Fields that such sets contain the neutral element of addition, namely 0, as well as the neutral element of multilication, namely 1. Without roof it shall be stated that associativity, commutativity as well as the distributivity law are fulfilled. However, one question remains: For which elements of Z m does a multilicative inverse exist? In order to answer this question, let us first consider the case in which m is a comosite number, i.e. m is the roduct of at least two rimes 1 and 2. m = 1 2 (2.1) Since the condition 2 1, 2 m 1holds, 1 and 2 themselves are elements of Z m. Suose we want to check if 1 has a multilicative inverse w.r.t. modulus m. According to the definition of the multilicative inverse, the following condition must hold: mod m 1 (2.2) Looking for the multilicative inverse of 1 means looking for some element 1 1 Z m so that the Equation (2.2) is fulfilled. Therefore, if we check the multiles of 1,i.e. 1,2 1,3 1,..., thesewill be greater than 1 itself as long as the roduct is smaller than m. Ifwemultily 1 by 2 or calculate 1 2,theresultmodular m is identical to 0. However, if we multily 1 by ( 2 + 1) or calculate 1 ( 1 + 1) and assume that 1 = 2or 2 = 2, i.e. the smallest rime, then the roduct modular m will be at least 2. Hence, no multilicative inverse exists in this case. Therefore, it is imossible to build a field on any comosite integer m. A finite set of elements Z m = {0,1,2,3,...,m 1}, where m is comosite, will always form a ring together with the two oerations addition and multilication. An element a has a multilicative inverse a 1 mod m if and only if the greatest common divisor (gcd) of m and a is equal to one, i.e. if m and a are said to be relatively rime, gcd(m, a) = 1. Let us look at an examle. Examle: Suose m = 6. Z 6 = {0,1,2,3,4,5} The multilication table for this Z 6 is given by:

8 2.3 Galois Fields 25 Withresecttothegivenexamle,itisobviousthatform = 6 = 2 3, the elements 2 and 3 are not relatively rime with resect to m = 6 and therefore do NOT have a multilicative inverse. (Neither does the element 4 have a multilicative inverse, since the gcd (m = 6,4) = 2 is also greater than one Prime Fields In order to better understand the structure and handling of rime fields, we need to answer a few questions. For which rimes does a finite field exist? What is a generator of a field? The answers are rovided in the following sections Existence of Prime Fields An essential message about the existence of Prime Fields is stated within the following theorem, namely, that we can generate a Prime Field over any rime integer. Theorem: Existence of Prime Fields The set of elements GF() = {0,1,2,3,..., 1}, where is a rime, forms afield. GF() is named Galois Field or Prime Field with characteristic. Hence, the smallest field that exists is GF(2) = {0,1}. Table 2.1 Addition and Multilication Table of GF(2) Addition mod 2 Multilication mod If we want to imlement modular-2-arithmetic in a digital circuit, it is interesting to see that modular-2-addition directly corresonds to an exclusive-or, XOR-oeration, while modular-2-multilication directly corresonds to an ANDoeration. Let us look at another examle: GF(7) = {0,1,2,3,4,5,6},where = 7isarime

9 26 2 Finite Grous and Fields Examle: GF(7) = {0,1,2,3,4,5,6},where = 7isarime Table 2.2 Addition Table of GF(7) One asect which can be directly derived from Table 2.2 is that the additive inverse ( a) of any element a is not a negative integer, but rather the element which adds u to zero modulus 7. If a = 2, then ( a) = 2 mod7 5, since 2 + 5mod7 0. Table 2.3 Multilication Table of GF(7) Since each row of the multilication table contains a 1 as a result, each element of the given set has a multilicative inverse. Choose an element a by selecting a secific row, then find the 1 -entry of multilication. The corresonding column contains the multilicative inverse a 1 mod 7. Forlargervaluesofrimes it may, of course, not be so convenient to write down the multilication table. Therefore, in general, the multilicative inverse a 1 mod can be calculated by means of the so-called Extended Euclidean Algorithm (EEA). For a detailed descrition of the EEA the interested reader is referred to e.g. [1]

10 2.3 Galois Fields Generators of Prime Fields Within this section we will see that there exists a second method to determine the multilicative inverse of any element a of GF(). The idea of this method is to make use of a generator or a rimitive element of GF(). Suose we calculate the different owers of an element of the rime field GF(): y = i mod with i = 1,2,3,..., 1 (2.3) Since multilication is done with modulus, we can be sure that y will be an integer of GF()foreachi. Definition: Generator or rimitive element of GF() An element for which all owers i mod with i = 1,2,3,..., 1yield all elements of GF() excet 0, is called a generator or a rimitive element of GF(). According to [2] the following statement alies. Theorem: Existence of generators for Prime Fields GF() Every rime field or Galois Field GF() = {0,1,2,3,..., 1} contains at least one generator or rimitive element. At the same time, it needs to be noted that not all elements of GF()aregenerators of the field. Since a 0 mod 1, there must exist an integer i 0 0, so that a i 0 mod 1. The smallest ositive integer i 0 for which the given condition is fulfilled is called the order of the element a,ord(a). Therefore, if and only if an element a has the order 1, this element is a generator of GF(). Table 2.4 showstheowersofallelementsofgf(17). The first column shows the increasing exonent while the first row lists all elements of GF(17). In a secific column the various owers of the element a shown in the to row, i.e. a i mod 17, are resented in the table. The bottom row shows the order for each element a. One imortant observation is that the element orders are different from the elements of GF(17). Another oint to note is that in total 8 elements (3,5,6,7,10,11, 12,14) with the element order equal to 16 exist. Each of these elements is a generator of GF(17).

11 28 2 Finite Grous and Fields Examle: Galois Field GF(17) Table 2.4 Element orders of GF(17) a = i a i mod ord(a) = Therefore, if we identify a generator of GF(), we may create a looku table containing all owers of, i.e. all elements of GF() Multilicative Inverses in Prime Fields In order to find the multilicative inverse for a secific element a we can make use of the ower laws of modulus. For any multilicative inverse the following condition must hold: a a 1 mod 1 i j mod 1 (2.4) Since is a generator, 1 mod 1. Therefore, if we want to identify the multilicative inverse for any element a i mod, the exonent of the mulitlicative inverse a 1 mod j mod can easily be calculated by using the condition

12 2.3 Galois Fields 29 that i + j 1 and therefore j = ( 1) i (2.5) Examle Suose we want to determine the multilicative inverse of a = 13 in GF(17). Case 1: As a generator we will use the element = 3. a = mod 17 According to Equation (2.5) the generator exonent j of the multilicative inverse is equal to: j = (17 1) 4 = 12. Therefore, the multilicative inverse can be found in the looku table as: 12 mod mod 17 4 Case 2: As a generator we will use the element = 10 a = mod 17 According to Equation (2.5) the generator exonent j of the multilicative inverse is equal to: j = (17 1) 12 = 4. Therefore, the multilicative inverse can be found in the looku table as: 4 mod mod 17 4 Therefore, if it is ossible to generate a looku table, as shown for the owers of all elements of GF(17) in Table 2.4, it is easyto findthe multilicative inverse for any element a of GF(). It should, however, be noted that, for examle in crytograhic alications, rime fields with a large characteristic are needed. Large in this case means rimes consisting of 300 or more decimals. In such cases it will, of course, not be ossible to create a looku table. However, a different way of finding the multilicative inverse for an element a in GF() is to use the Extended Euclidean Algorithm. For a detailed descrition regarding this algorithm, the reader is referred to [1] Cyclic Structure of Prime Fields It is imortant to note that with resect to a generator of a Prime Field GF(), a cyclic structure is created in the following way:

13 30 2 Finite Grous and Fields mod mod mod mod mod mod mod mod mod Figure 2.3 Exonents of the rimitive element A grahical reresentation of this cyclic structure is shown in Figure 2.4 for the Prime Field GF(17) using the generator = 3. Within the figure each arrow denotes the following: take the element at the beginning of the arrow, multily this element with the generator modulus (in the given examle: 3 mod 17.).The result yields the end of the arrow Figure 2.4 Cyclic structure of Prime Field GF(17), generator: = 3

14 2.3 Galois Fields 31 One imortant roerty of this cyclic structure is the fact that the element 0 is never art of the described cyclic structure Extension Fields In Section we introduced the smallest Prime Field, namely GF(2) containing only the elements {0,1}. Although digital systems are based on the mentioned element set {0,1}, we usually work with larger numbers reresented in binary format. Therefore, two questions arise. Is it advantageous to work with Prime Fields in technical systems? Which disadvantages do we need to take into account? Letushavealookatasimleexamle.SuoseweworkwiththePrimeField GF(67).Since =67 is arimenumber,the setofelements {0,1,2,3,...,65,66}definitely forms a field, i.e. we can erform addition and multilication within the field. While the modular oeration is erformed, the field is closed, i.e. the result of any addition or multilication will result in an element of the Prime Field GF(67). Associativity and commutativity are fulfilled, and finally each element a contains an additive inverse a ( a + ) mod and a multilicative inverse a 1 mod. However, if we reresent each element of this rime field in binary format, e.g. in order to imlement our Galois Fields oerations in software or hardware, we need tonote the following (seefigure 2.5): 0 = = = = = = = = = = = = = elements of GF(67) Overhead (61 numbers) Figure Bit reresentation needed for GF(67) Since = 67 is larger than 64 = 2 6, we need 7 bits to reresent all elements of GF(67). However, in the case of 7-bit reresentation it is ossible to handle 128

15 32 2 Finite Grous and Fields different numbers, hence 61 numbers are not used, and we need to accet a large overhead. If we look at technical systems, in articular comuter systems, data is most often arranged in bytes whereas 8 bits form a single byte or in multile bytes, e.g. 16 or 32 bits. Therefore, the question is whether it is ossible to generate fields which do not have a rime number of elements, but rather a ower of 2 elements, i.e. 2 m elements Existence of Extension Fields It is ossible to generate such fields, these are called extension fields and the following theorem holds. Theorem: Existence of Extension Fields For any rime and any ositive integer m it is ossible to generate a Galois Field GF( m ). We call this field an Extension Field with a characteristic and an extension m. The Extension Field GF( m )containsn = m elements. It should be noted that the above theorem is the generalization of the corresonding theorem stating the existence of Prime Fields (comare Section 2.3.1). In Section we saw that eachelement of a rime field GF()isasingleinteger within the range 0,1,2,..., 1. Since we extended the Pime Field GF() bythe exonent m, each element of an extension field is an m-elementary vector of the following format: (a m 1 a m 2 a m 3...a 1 a 0 ) with a i 0,1,2,..., 1fori = 0,1,2,...,m 1 A second interretation of the field elements is to consider each element to be a olynomial of degree m 1. ( am 1 x m 1 + a m 2 x m 2 + a m 3 x m 3 + +a 1 x 1 + a 0 x 0) with a i 0,1,2,..., 1fori = 0,1,2,...,m 1 Although the above theorem states that we may generate an extension field with the hel of any rime, in the following sections we will focus on extension fields with the characteristic = 2, i.e. we will articularly look at the extension fields of the form GF(2 m ). The reason for this restriction is simle, namely that most alications of extension fields are imlemented in digital systems and therefore we need to work with binary vectors of various lengths.

16 2.3 Galois Fields 33 In the revious aragrah, we introduced two different reresentations of extension field elements. It is imortant to see that even a single integer like 0 or 1 needs to be seen as a olynomial of degree m 1 if it is an element of an extension field. The same alies to terms like x or x 2. Examle Let us have a look at the elements of the Extension Field GF(2 4 ). Vector reresentation Polynomial reresentation x 3 + 0x 2 + 0x 1 + 0x x 3 + 0x 2 + 0x 1 + 1x x 3 + 0x 2 + 1x 1 + 0x x 3 + 0x 2 + 1x 1 + 1x x 3 + 1x 2 + 0x 1 + 0x x 3 + 1x 2 + 1x 1 + 1x 0 We can see that in total 2 4 = 16 elements exist in GF(2 4 ) Irreducible Polynomials In order to work with the extension field elements, we need to understand how modular oerations are erformed within extension fields. In Section we demonstrated that addition and multilication in a rime field GF()isdonewith modulus, where is, of course, a rime. Since the field elements of extension fields are olynomials, multilication within an extension field GF( m )isdone modularly with a certain olynomial (x). The largest field element of a rime field GF() alwaysis 1, and the alied modulus must be larger than the greatest field element. Hence, we erform additions and multilications in GF() with modulus. The analog regarding extension fields is that all elements of the extension field GF( m )areolynomials of degree m 1. Hence the olynomial used for modular oerations must be of a higher degree, namely of degree m. The second asect concerns the roerties of the modulus. In a rime field GF() the modulus is a rime and is therefore only divisible by itself and by one. Let us recall why it is of significance that is rime. Within a rime field it is ossible to erform addition and multilication and also to erform the inverse functions,

17 34 2 Finite Grous and Fields i.e. subtraction and inverse multilication.esecially the latter oeration requires that all elements of the rime field excet 0 have a multilicative inverse. This is the case only if all elements (excet 0) are relatively rime w.r.t.,i.e.thegreatest common divisor for and any rime field element a must be equal to one, i.e. the gcd(, a) = 1. The analog w.r.t. extension fields means that we need a modular olynomial (x), for which the following condition must hold. If and only if the olynomial (x) is relatively rime in regard to all extension field elements a(x) excet the 0-olynomial, then for any extension field element a(x) excet the 0-olynomial a multilicative inverse will exist. Definition: Irreducible olynomial i (x) A olynomial i(x)ofdegreem is said to be irreducible if it cannot be exressed as the roduct of at least two olynomials of lower degree k < m. Definition: Reducible olynomial r (x) A olynomial r (x) ofdegreem is said to reducible if it can be exressed as the roduct of at least two olynomials of lower degree k < m. In order to continue with our analogies, we can state that an irreducible olynomial i(x) in the world of extension fields is the analog of a rime in the world of rime fields, and that a reducible olynomial r (x)in the world of extension fields is the analog of a comosite number in the world of rime fields. Let us have a look at an examle for the extension field GF(2 4 ). Examle r (x) = x 4 + x 2 + x = x (x 3 + x + 1) r (x) isreducible (x) = x 4 + x 3 + x 2 + x + 1 (x) isirreducible For r (x) it is obvious that a olynomial of degree one, namely x, is contained in each summand of the olynomial r (x). Therefore x can be extracted, and we can rewrite r (x)asaroductoftwoolynomialsoflowerdegree.itisthereforeobvious that r (x)isreducible. Without roof, we can state that the olynomial (x) in the above examle is irreducible. If we look at r (x) in the above examle, we can directly conclude that it is a necessary condition that (x) does not contain any zeroes within GF(). This means that if we calculate the value of (x)forallossiblevalues 0,1,2,..., 1andtake

18 2.3 Galois Fields 35 the result modulus, the result will never be equal to zero. The question, however, remains if this condition is not only necessary, but also sufficient for a olynomial to be irreducible. Let us have a look at an examle. Examle r (x) = x 4 + x For: x = 0: r (0) = = 1mod21 x = 1: r (1) = = 3mod21 We have thus roven that r (x) does not contain any zeroes within GF(2). Hence, we might assumer (x) to be irreducible. However, we can write r (x) as: r (x) = (x 2 + x + 1) (x 2 + x + 1) = x 4 + x 3 + x 2 + x 3 + x 2 + x + x 2 + x + 1 = x 4 + 2x 3 + 3x 2 + 2x + 1 x 4 + x The above equation shows the result if we square the term (x 2 + x + 1). The second line shows all summands of the roduct. As we stated at the beginning of Section , the elements of an extension field, in our case GF(2 4 ), are olynomials with coefficients of GF(), in our case coefficients of GF(2) = {0,1}. Hence, for all resulting summands of our roducts, the coefficients are calculated with the hel of modulus, in our case, modulus 2. Therefore, 2x 3 mod 2 0, and 2x mod 2 0. And finally, 3x 2 mod 2 1x 2. The above examle roves that the condition that (x) does not contain any zeroes within GF()isNOTsufficienttobesurethat(x)isirreducible. To summarize this section, we need to state the following oints. For an irreducible olynomial i(x) it is a necessary, but not a sufficient condition that it does not contain any zeroes within GF(), i.e. it cannot be exressed as the roduct of at least two olynomials of lower degree. An irreducible olynomial i(x) ofdegreem over GF() sans an extension field GF( m )with m elements, where each element is a olynomial of degree m 1.

19 Index A A5/1 14 autocorrelation function 86 eriodic86 B balance roerty 92 C CDMA 99 sreading112 cihers symmetric 133 Code Division Multile Access (CDMA) 155 correlation function 84 correlation receiver 113 counter 60 Johnson counter 62 ringcounter60 CRC 141 imlementation asects 148 mathematical descrition 142 cross-correlation 102 crytograhy LFSR alications in 132 cyclic redundancy check (CRC) 14, 141 cyclic shift 85 E Extended Euclidean Algorithm 29 extension field 31 addition 47 existenceof32 multilication 49 multilicative inverse 52 F field, definition 22 G Galois Field 23 Galois, Evariste 18 generator 27 Global Positioning System 99 Global System for Mobile Communication (GSM) 137 Gold sequence 102 GPS 14 data transmission in 110 received signal level 118 GPS codes C/A-code99, 100 P-code99 grou, definition 20 GSM 137 D Digital Communication System 17 H Hamming distance 84

20 180 Index L linear feedback shift register 60 based on irreducible olynomial 67 based on rimitive olynomial 64 M Maximum Length Sequence (m-sequence) 89 modular arithmetic 18 modular arithmetic over olynomials 36 modulo oeration definition18 m-sequence 63, 78, 89 lengthof71, 91 roertiesof92 multilicative inverse 23 P olynomial generator 37 irreducible34 rimitive37 reducible34 rime field 25 multilicative inverse 28 rimitive element 27 rimitive olynomial systematic search for 76 rimitive olynomial reresentation 45 coefficient reresentation 46 olynomial form 45 string reresentation 46 seudo random sequence 81 R random sequence, roerties of 91 ring, definition 21 run-length roerty 92 S satellite navigation 97, 155 signal narrow band 115 wideband115 state diagram Johnson counter 62 ringcounter61 state sequence LFSR based on irreducible olynomial 69 LFSR based on rimitive olynomial of degree 4 66 LFSR based on rimitive olynomial of degree 5 68 LFSR based on reducible olynomial 71 stream ciher 133 A5/1137 Trivium140