Galois Fields and Hardware Design

Transcription

1 Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah

2 Agenda Introduction to Field Construction Constructing F 2 k and its elements Addition, multiplication and inverses over GFs Conjugates and their minimal polynomials GF containment and algebraic closure Hardware design over GFs

3 Integral and Euclidean Domains Definition An integral domain R is a set with two operations (+, ) such that: 1 The elements of R form an abelian group under + with additive identity 0. 2 The multiplication is associative and commutative, with multiplicative identity 1. 3 The distributive law holds: a(b +c) = ab+ac. 4 The cancellation law holds: if ab = ac and a 0, then b = c. Examples: Z,R,Q,C,Z p,f[x],f[x,y]. Finite rings Z n,n p are not integral domains.

4 Euclidean Domains Definition A Euclidean domain D is an integral domain where: 1 associated with each non-zero element a D is a non-negative integer f(a) s.t. f(a) f(ab) if b 0; and 2 a,b (b 0), (q,r) s.t. a = qb +r, where either r = 0 or f(r) < f(b). Can apply the Euclid s algorithm to compute g = GCD(g 1,...,g t ) GCD(a,b,c) = GCD(GCD(a,b),c) Then g = i u ig i, i.e. GCD can be represented as a linear combination of the elements

5 Euclid s Algorithm Inputs: Elements a, b D, a Euclidean domain Outputs: g = GCD(a, b) 1: Assume a > b, otherwise swap a,b {/* GCD(a, 0) = a */} 2: while b 0 do 3: t := b 4: b := a (mod b) 5: a := t 6: end while 7: return g := a Algorithm 1: Euclid s Algorithm

6 GCD(84, 54) = 6 84 = = = = Lemma If g = gcd(a,b) then s,t such that s a+t b = g. Unroll Euclid s algorithm to find s, t. A HW assignment!

7 Euclidean Domains D = Z,R,Q,C,Z p The ring F[x] is a Euclidean domain where F is any field The ring R = F[x,y] is NOT a Euclidean domain where F is any field For x,y R,GCD(x,y) = 1, but cannot write 1 = f 1 (x,y) x +f 2 (x,y)y Z 2 k is neither and integral domain not a Euclidean domain

8 Fields Definition Let D be a Euclidean domain, and p D be a prime element. Then D (mod p) is a field. That is why Z (mod p) is a field In R[x],x 2 +1 is a prime actually called an irreducible polynomial So R[x] (mod x 2 +1) is a field and is the field of complex numbers C R[x] (mod p) = {f(x) g(x) R[x],f(x) = g(x) (mod p)}

9 R[x] (mod x 2 +1) = C Let f,g R[x] (mod x 2 +1) f = remainder of division by x 2 +1, it is linear Let f = ax +b, g = cx +d f g = (ax +b)(cx +d) (mod x 2 +1) = acx 2 +(ad +bc)x +bd (mod x 2 +1) = (ad +bc)x +(bd ac) after reducing by x 2 = 1 Replace x with i = 1, and we get C C is a 2 (=degree(x 2 +1)) dimensional extension of R Intuitively, that is why C R (containment and closure)

10 Recall from my previous slides: From Rings to Fields Rings Integral Domains Unique Factorization Domains Euclidean Domains Fields Now you know the reason for this containment

11 Construct Galois Extension Fields F p [x] is a Euclidean domain, let P(x) be irreducible over F p, and let degree of P(x) = k F p [x] (mod P(x)) = F p k, a finite field of p k elements Denote GFs as F q, q = p k for prime p and k 1 F p k is a k-dimensional extension of F p, so F p F p k Our interest F 2 k = F 2 [x] (mod P(x)) where P(x) F 2 [x] is a degree-k irreducible polynomial

12 Study F 2 k Irreducible polynomials of any degree k always exist over F 2, so F 2 k can be constructed for arbitrary k 1 Table: Some irreducible polynomials in F 2 [x]. Degree Irreducible Polynomials 1 x;x +1 2 x 2 +x +1 3 x 3 +x +1;x 3 +x x 4 +x +1;x 4 +x 3 +1;x 4 +x 3 +x 2 +x +1

13 F 2 k = F 2 [x] (mod P(x)), let α be a root of P(x), i.e. P(α) = 0 P(x) has no roots in F 2 (irreducible); root lies in its algebraic extension F 2 k Any element A F 2 k: A = k 1 i=0 (a i α i ) = a 0 +a 1 α+ +a k 1 α k 1 where a i F 2 The degree of A < k Think of A = {a k 1,...,a 0 } as a bit-vector

14 Example of F 16 F 2 4 as F 2 [x] (mod P(x)), where P(x) = x 4 +x 3 +1, P(α) = 0 Any element A F 16 = a 3 α 3 +a 2 α 2 +a 1 α+a 0 (degree < 4) Table: Bit-vector, Exponential and Polynomial representation of elements in F 2 4 = F 2 [x] (mod x 4 +x 3 +1) a 3 a 2 a 1 a 0 Expo Poly a 3 a 2 a 1 a 0 Expo Poly α 3 α α 4 α α α 1010 α 10 α 3 +α 0011 α 12 α α 5 α 3 +α α 2 α α 14 α 3 +α α 9 α α 11 α 3 +α α 13 α 2 +α 1110 α 8 α 3 +α 2 +α 0111 α 7 α 2 +α α 6 α 3 +α 2 +α+1

15 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0.

16 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k?

17 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course!

18 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2

19 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2

20 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 α 5 +α 11 = α 3 +α+1+α 3 +α 2 +1 = 2 α 3 +α 2 +α+2 = α 2 +α (as characteristic of F 2 k = 2) = α 13

21 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 α 5 +α 11 = α 3 +α+1+α 3 +α 2 +1 = 2 α 3 +α 2 +α+2 = α 2 +α (as characteristic of F 2 k = 2) = α 13 Addition in F 2 k is Bit-vector XOR operation

22 Add, Mult in F 2 k α 4 α 10 = (α 3 +1)(α 3 +α) = α 6 +α 4 +α 3 +α = α 4 α 2 +(α 4 +α 3 )+α = (α 3 +1) α 2 +(1)+α (as α 4 = α 3 +1) = α 5 +α 2 +α+1 = α 4 α+α 2 +α+1 = (α 3 +1) α+α 2 +α+1 = α 4 +α 2 +1 = α 3 +α 2 Reduce everything (mod P(x) = x 4 +x 3 +1), and 1 = +1 in F 2 k

23 Every non-zero element has an inverse How to find the inverse of α? HW for you: think Euclidean algorithm! What is the inverse of α in our F 16 example?

24 Vanishing Polynomials of F q Lemma Let A be any non-zero element in F q, then A q 1 = 1. Theorem [Generalized Fermat s Little Theorem] Given a finite field F q, each element A F q satisfies: A q A or A q A 0 Example Given F 2 2 = {0,1,α,α +1} with P(x) = x 2 +x +1, where P(α) = = 0; 1 22 = 1; α 22 = α (mod α 2 +α+1) and (α+1) 22 = α+1 (mod α 2 +α+1)

25 Irreducible versus Primitive Polynomials An irreducible poly P(x) is primitive if its root α can generate all non-zero elements of the field. F q = {0,1 = α q 1,α,α 2,α 3,...,α q 2 } x 4 +x 3 +1 is primitive but x 4 +x 3 +x 2 +x +1 is not α 4 = α 3 +α 2 +α+1 α 5 = α 4 α = (α 3 +α 2 +α+1)(α) = (α 4 )+α 3 +α 2 +α = (α 3 +α 2 +α+1)+(α 3 +α 2 +α) = 1

26 Conjugates of α Theorem Let f(x) F 2 [x] be an arbitrary polynomial, and let β be an element in F 2 k for any k > 1. If β is a root of f(x), then for any l 0,β 2l is also a root of f(x). Elements β 2l are conjugates of each other. Example Let F 16 = F 2 [x] (mod P(x) = x 4 +x 3 +1). Let P(α) = 0. Let us find conjugates of α as α 2l. l = 1 : α 2 l = 2 : α 4 = α 3 +1 l = 3 : α 8 = α 3 +α 2 +α l = 4 : α 16 = α (conjugates start to repeat) So α,α 2,α 3 +1,α 3 +α 2 +α are conjugates of each other.

27 Get the irreducible polynomial back from conjugates Example Over F 16 = F 2 [x] (mod x 4 +x 3 +1), conjugate elements: α,α 2,α 4,α 8 α 3,α 6,α 12,α 24 α 7,α 14,α 28,α 56 α 5,α 10 Minimal Polynomial of an element β Let e be the smallest integer such that β 2e = β. Construct the polynomial f(x) = e 1 i=0 (x +β2i ). Then f(x) is an irreducible polynomial, and it is also called the irreducible polynomial of β.

28 Get the irreducible polynomial back from conjugates Minimal polynomial of any element β is: f(x) = e 1 i=0 (x +β2i ) Example Over F 16 = F 2 [x] (mod x 4 +x 3 +1), conjugate elements and their minimal polynomials are: α,α 2,α 4,α 8 : f 1 (x) = (x+α)(x +α 2 )(x +α 4 )(x +α 8 ) = x 4 +x 3 +1 α 3,α 6,α 12,α 24 : f 2 (x) = x 4 +x 3 +x 2 +1 α 7,α 14,α 28,α 56 : f 3 (x) = x 4 +x +1 α 5,α 10 : f 4 (x) = x 2 +x +1 Some observations... Note that f 4 = x 2 +x +1 is the polynomial used to construct F 4. Also notice that associated with every element in F 2 k is a minimal polynomial and its roots (conjugates), that demonstrate the containment of fields and also the uniqueness of the fields upto the labeling of the elements.

29 Containment of fields and elements Figure: Containment of fields: F 2 F 4 F 16 Additive & Multiplicative closure: α 5 +α 10 = 1, α 5 α 10 = 1.

30 Containment and Closure Theorem F 2 n F 2 m if n divides m. Example: F 2 F 2 2 F 2 4 F F 2 F 2 3 F F 2 F 2 5 F F 2 F 2 7 F and so on Algebraic Closure of F q The algebraic closure of F 2 k is the union of ALL such fields F 2 n where k n.

31 Polynomial Functions over F q Any combinational circuit with k-bit inputs and k-bit output Implements a function f : B k B k Can be viewed as a function f : F 2 k F 2 k or f : Z 2 k Z 2 k Need symbolic representations: view them as polynomial functions Treat the circuit f : B k B k as a polynomial function Please see the last section in my book chapter

32 Polynomial Functions f : F q F q Every function is a polynomial function over F q Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 {a 2 a 1 a 0 } A {z 2 z 1 z 0 } Z α α α α 101 α α 110 α 2 +α 011 α α 2 +α α+1

33 Polynomial Functions f : F q F q Every function is a polynomial function over F q Consider 1-bit right-shift operation Z[2 : 0] = A[2 : 0] >> 1 {a 2 a 1 a 0 } A {z 2 z 1 z 0 } Z α α α α 101 α α 110 α 2 +α 011 α α 2 +α α+1 Z = (α 2 +1)A 4 +(α 2 +1)A 2 over F 2 3 where α 3 +α+1 = 0

34 Polynomial Functions f : F q F q Theorem (From [1]) Any function f : F q F q is a polynomial function over F q, that is there exists a polynomial F F q [x] such that f(a) = F(a), for all a F q. Analyze f over each of the q points, apply Lagrange s interpolation formula q i n F(x) = (x x i) i n (x n x i ) f(x n), (1) n=1

35 Hardware Applications over F 2 k Elliptic Curve Cryptography y 2 +xy = x 3 +ax 2 +b over GF(2 k ) R Compute Slope: y 2 y 1 x 2 x 1 P Q R = P + Q Computation of inverses over F 2 k is expensive R

36 Point addition using Projective Co-ordinates Curve: Y 2 +XYZ = X 3 Z +ax 2 Z 2 +bz 4 over F 2 k Let (X 3, Y 3, Z 3 ) = (X 1, Y 1, Z 1 ) + (X 2, Y 2, 1) A = Y 2 Z1 2 +Y 1 B = X 2 Z 1 +X 1 C = Z 1 B D = B 2 (C +az1) 2 Z 3 = C 2 E = A C X 3 = A 2 +D +E F = X 3 +X 2 Z 3 G = X 3 +Y 2 Z 3 Y 3 = E F +Z 3 G No inverses, just addition and multiplication

37 Multiplication in GF(2 4 ) Input: A = (a 3 a 2 a 1 a 0 ) B = (b 3 b 2 b 1 b 0 ) A = a 0 +a 1 α+a 2 α 2 +a 3 α 3 B = b 0 +b 1 α+b 2 α 2 +b 3 α 3 Irreducible Polynomial: P = (11001) P(x) = x 4 +x 3 +1, P(α) = 0 Result: Output G = A B (mod P(x))

38 Multiplication over GF(2 4 ) a 3 a 2 a 1 a 0 b 3 b 2 b 1 b 0 a 3 b 0 a 2 b 0 a 1 b 0 a 0 b 0 a 3 b 1 a 2 b 1 a 1 b 1 a 0 b 1 a 3 b 2 a 2 b 2 a 1 b 2 a 0 b 2 a 3 b 3 a 2 b 3 a 1 b 3 a 0 b 3 s 6 s 5 s 4 s 3 s 2 s 1 s 0 In polynomial expression: S = s 0 +s 1 α+s 2 α 2 +s 3 α 3 +s 4 α 4 +s 5 α 5 +s 6 α 6 S should be further reduced (mod P(x))

39 Multiplication over GF(2 4 ) s 6 s 5 s 4 s 3 s 2 s 1 s 0 s s 4 s 4 α 4 (mod P(α)) s 5 0 s 5 s 5 s 5 α 5 (mod P(α)) + s 6 s 6 s 6 s 6 s 6 α 6 (mod P(α)) g 3 g 2 g 1 g 0 s 4 α 4 (mod α 4 +α 3 +1) = s 4 (α 3 +1) = s 4 α 3 +s 4 s 5 α 5 (mod α 4 +α 3 +1) = s 5 (α 3 +α+1) = s 5 α 3 +s 5 α+s 5 s 6 α 6 (mod α 4 +α 3 +1) = s 6 (α 3 +α 2 +α+1) = s 6 α 3 +s 6 α 2 +s 6 α+s 6 G = g 0 +g 1 α+g 2 α 2 +g 3 α 3

40 Montgomery Architecture A B R 2 R 2 MM MM A R B R MM A B R MM "1" G = A B (mod P) Figure: Montgomery multiplier over GF(2 k ) Montgomery Multiply: F = A B R 1, R = α k Barrett architectures do not require precomputed R 1 We can verify 163-bit circuits, and also catch bugs! Conventional techniques fail beyond 16-bit circuits

41 Verification: The Mathematical Problem Let us take verification of GF multipliers as an example: Given specification polynomial: f : Z = A B (mod P(x)) over F 2 k, for given k, and given P(x), s.t. P(α) = 0 Given circuit implementation C Primary inputs: A = {a 0,...,a k 1 },B = {b 0,...,b k 1 } Primary Output Z = {z 0,...,z k 1 } A = a 0 +a 1 α+a 2 α 2 + +a k 1 α k 1 B = b 0 +b 1 α+ +b k 1 α k 1, Z = z 0 +z 1 α+ +z k 1 α k 1 Does the circuit C correctly compute specification f? Mathematically: Construct a miter between the spec f and implementation C Model the circuit (gates) as polynomials {f 1,...,f s } F 2 k[x 1,...,x d ] Apply Weak Nullstellensatz

42 Equivalence Checking over F 2 k Circuit1: Circuit Equations X A B X Y 1? Circuit2: Circuit Equations Y Figure: The equivalence checking setup: miter. Spec can be a polynomial f, or a circuit implementation C Model the miter gate as: t(x Y) = 1, where t is a free variable

43 Verify a polynomial spec against circuit C A Z1 = A B (mod P) Z1 B A Bit level Circuit t(z Z1) = 1 Miter feasible? B Z Figure: The equivalence checking setup: miter. When Z = Z 1, t(z Z 1 ) = 1 has no solution: infeasible miter When Z Z 1 : let t 1 = (Z Z 1 ). Then t (t 1 ) = 1 always has a solution! Apply Nullstellensatz over F 2 k

44 Example Implementation Circuit: Mastrovito Multiplier over F 4 Figure: A 2-bit Multiplier Write A = a 0 +a 1 α as a polynomial f A : A+a 0 +a 1 α Polynomials modeling the entire circuit: ideal J = f 1,...,f 10 f 1 : z 0 +z 1 α+z; f 2 : b 0 +b 1 α+b; f 3 : a 0 +a 1 α+a; f 4 : s 0 +a 0 b 0 ; f 5 : s 1 +a 0 b 1 ; f 6 : s 2 +a 1 b 0 ; f 7 : s 3 +a 1 b 1 ; f 8 : r 0 +s 1 +s 2 ; f 9 : z 0 +s 0 +s 3 ; f 10 : z 1 +r 0 +s 3 x

45 Continue with multiplier verification So far, ideal J = f 1,...,f 10 models the implementation Let polynomial f : Z A B denote the spec Miter polynomial f m : t (Z Z 1 ) 1 Update the ideal representation of the miter: J = J + f,f m Finally: ideal J = f 1,...,f 10, f, f m represents the miter circuit J F 2 k[a,b,z,z 1,a 0,a 1,b 0,b 1,r 0,s 0,...,s 3,t] Verification problem: is the variety V F4 (J) =? How will we solve this problem?

46 Weak Nullstellensatz over F 2 k Theorem (Weak Nullstellensatz over F 2 k) Let ideal J = f 1,...,f s F 2 k[x 1,...,x n ] be an ideal. Let J 0 = x1 2k x 1,...,xn 2k x n be the ideal of all vanishing polynomials. Then: V (J) = V F2 k F (J +J 2 0) = reducedgb(j +J k 0 ) = {1} Proof: V (J) =V F2 k F (J) F 2 k 2 k =V (J) V F2 F (J k 2 k 0) = V (J) V F2 k F (J 2 0) k =V (J +J F2 0) k Remember: V Fq (J 0 ) = V Fq (J 0 ). The variety of J 0 does not change over the field or the closure!

47 Apply Weak Nullstellesatz to the Miter Note: Word-level polynomials f A : A+a 0 +a 1 α F 2 k Gate level polynomials f 4 : s 0 +a 0 b 0 F 2 Since F 2 F 2 k, we can treat ALL polynomials of the miter, collectively, over the larger field F 2 k, so J F 2 k[a,b,z,z 1,a 0,a 1,...,z 0,z 1 ] Consider word-level vanishing polynomials: A 22 A What about bit-level vanishing polynomials: a 2 0 a 0 So, J 0 = W 2k W,B 2 B, where W are all the word-level variables, and B are all the bit-level variables Now compute G = GB(J +J 0 ). If G = {1}, the circuit is correct. Otherwise there is definitely a BUG within the field F 2 k

48 [1] R. Lidl and H. Niederreiter, Finite Fields. Cambridge University Press, 1997.