Introdction Finite elds play an increasingly important role in modern digital commnication systems. Typical areas of applications are cryptographic sc

Transcription

1 A New Architectre for a Parallel Finite Field Mltiplier with Low Complexity Based on Composite Fields Christof Paar y IEEE Transactions on Compters, Jly 996, vol 45, no 7, pp Abstract In this paper a new bit-parallel strctre for a mltiplier with low complexity in Galois elds is introdced. The mltiplier operates over composite elds GF ((2 n ) m ), with = nm. The Karatsba-Ofman algorithm is investigated and applied to the mltiplication of polynomials over GF (2 n ). It is shown that this operation has a complexity of order O( log 2 3 ) nder certain constraints regarding. A complete set of primitive eld polynomials for composite elds is provided which perform modlo redction with low complexity. As a reslt, mltipliers for elds GF (2 ) p to = 32 with low gate conts and low delays are listed. The architectres are highly modlar and ths well sited for VLSI implementation. This paper was presented in part at the Swedish-Rssian Worshop on Information Theory, Agst 22-27, 993, Molle, Sweden y The athor is with the Electrical and Compter Engineering Department, Worcester Polytechnic Institte, Worcester, MA christof@ece.wpi.ed 0

2 Introdction Finite elds play an increasingly important role in modern digital commnication systems. Typical areas of applications are cryptographic schemes [] or error correction codes sch as Reed-Solomon codes [2]. For ecient VLSI implementation of sch systems ecient hardware strctres for the two fndamental eld operations, addition and mltiplication, mst be provided. Whereas addition can be implemented with a very low space and time complexity for elds in standard representation, fast mltipliers sally possess a mch higher complexity. Dring the last decade varios bit-parallel mltipliers over Galois elds GF (2 ) have been developed, see e.g. [3] [4] [5] [6]. All these mltipliers show a space complexity measred in the nmber of two inpt mod-2 adders (logical XOR) and nmber of two inpt mod-2 mltipliers (logical AND) of O( 2 ). This paper presents a new architectre of a bit parallel, i.e. fast, mltiplier for extension elds of GF (2) with a signicantly improved space complexity. The application of (mltiple) eld extensions to mltipliers has been proposed before in [7], [8] by Afanasyev and in [9] by Pincin. The reslts there show also a low space complexity althogh the internal strctre of the mltiplier is dierent. We consider nite elds GF (2 n ) with n >. The elements of an extension eld GF ((2 n ) m ) may be represented in the standard (or canonical) base as polynomials with a maximm degree of m? over GF (2 n ): A(x) = a m? x m? + + a 0, where a i 2 GF (2 n ) and A = A(x) mod P (x) 2 GF ((2 n ) m ). The eld polynomial of the extension eld is an irredcible (or even primitive) polynomial P (x) of degree m over GF (2 n ). Fields of the form GF ((2 n ) m ) are sometimes referred to as composite elds [0] and have frther applications, for instance in the generation of m-seqences []. Composite elds GF ((2 n ) m ) are isomorphic to elds GF (2 ) i = nm. Mltiplication of two elements A and B of a composite eld can be performed in the standard representation as: A(x) B(x) mod P (x): () The eld mltiplication in () may be performed in two steps:. Ordinary polynomial mltiplication (); 2. Redction modlo the eld polynomial (mod). We will treat both steps separately. The basic arithmetic operations, addition and mltiplication, which are reqired for both steps are performed in the grond eld GF (2 n ). The ey idea of the mltiplier introdced here is the application of the Karatsba-Ofman algorithm (KOA) [2] [3] for ecient polynomial mltiplication to Step. Ecient refers to the fact that the algorithm saves mltiplications at the cost of extra additions. Hence, if the algorithm is expected to improve the complexity, mltiplication in the eld mst be more \costly" than addition. This condition is natrally fllled for polynomials over elds GF (2 n ): Addition can be realized with n XOR gates, mltiplication reqires n 2 AND gates and at least n 2? XOR gates sing traditional approaches.

3 In the seqel the following notations will be sed for the eld polynomials: Q(y) = y n + q n? y n? + + q 0, with q i 2 GF (2) denotes an irredcible polynomial of the grond eld GF (2 n ), and P (x) = x m + p n? x n? + + p 0, with p i 2 GF (2 n ) denotes an irredcible polynomial of the composite eld GF ((2 n ) m ). All irredcible polynomials Q(y) and P (x) sed in this paper are (monic) primitive polynomials. By (;!;! 2 ; : : : ;! n? ) we denote a base for GF (2 n ) over GF (2), where Q(!) = 0. 2 Preliminaries 2. General Mltiplication in GF (2 n ) Review of the Mastrovito Mltiplier The mltiplier proposed in this paper ses the architectre of Mastrovito [5], [4] to perform mltiplication in the grond eld GF (2 n ). First, we will introdce a matrix notation for the mltiplication A(y)B(y) = C(y) mod Q(y) in the eld GF (2 n ). All elements are binary polynomials of degree less than n: c n? y n? + : : : + c 0 = (a n? y n? + : : : + a 0 )(b n? y n? + : : : + b 0 ) mod Q(y): Alternatively, the elements B(y) and C(y) can be represented as colmn vectors containing the polynomial coecients. By introdcing the matrix Z = f(a(y); Q(y)) the mltiplication can be described as: C = 0 B@ c 0 c. c n? 0 f 0;0 f 0;n? 0 B@ CA = ZB =..... CA f n?;0 f n?;n? B@ b 0 b. b n? CA : (2) The matrix Z is named \prodct matrix". Its coecients f ij 2 GF (2) depend recrsively on the coecients a i and on the coecients q i of the Q matrix which will be introdced below in Eqation (4): f ij = ( ai ; j = 0 ; i = 0; : : : ; n? (i? j)a i?j + P j? t=0 q j??t;ia n??t ; j = ; : : : ; n? ; i = 0; : : : ; n? where the step fnction is dened as (3) () = ( 0 0 < 0: The matrix-vector prodct in Eqation (2) describes the entire eld mltiplication. The Q matrix which is reqired to bild Z is a fnction of the binary eld polynomial Q(y) of 2

4 degree n. Its binary entries q i;j are dened sch that: 0 B@ y n y n+. y 2n?2 0 q 0;0 q 0;n? 0 B@ CA..... CA q n?2;0 q n?2;n? B@ ỵ. y n? CA mod Q(y): (4) The Q matrix describes the representation of the polynomials y n ; y n+ ; : : : ; y 2n?2 in the eqivalence classes mod Q(y), i.e. after the redction modlo Q(y). The implementational complexity of the matrix-vector prodct (3) depends solely on the primitive polynomial Q(y). In [5] primitive polynomials are given for elds GF (2 n ), n = 2; 3; : : : ; 6. The polynomials are optimm with respect to the nmber of gates reqired to mltiply in the eld. For the elds in this range in which primitive trinomials of the form: Q(y) = y n + y + (5) exist, the space complexity is given by: #AND + #XOR = 2n 2? : Sch trinomials were fond for n = 2; 3; 4; 6; 7; 9; 0; ; 5. For the case n = 5 the trinomial Q(y) = y 5 + y 2 + exists. By exploiting the specic redndancies of the corresponding prodct matrix (2) the same complexity cold be realized. For other vales of n the complexity is higher as shown in [4, Table 4.5]. The delay (or time complexity) of the mltiplier is pper bonded by: T = T AND + T XOR + 2dlog 2 ne, measred in gate delays. Some Comments on the Mastrovito Mltiplier Next, we will state some additional facts abot the Mastrovito mltiplier. First we will give a formla for compting the matrix Q. The binary entries q i;j of Q in Eqation (4) can be compted recrsively after the rst row is lled with the coecients of Q(y) = y n + q n? y n? + : : : + q y +, i.e. q 0;j = q j where q 0 =, throgh: q i;j = ( q i?;n? ; i = ; : : : ; n? 2 ; j = 0; q i?;j? + q i?;n? q 0;j ; i = ; : : : ; n? 2 ; j = ; : : : ; n? : The recrsion follows immediately from [6, Lemma ] throgh the sbstittions f j! q 0;j and p [i] j! q i;j. Since the matrix-vector operation in Eqation (2) reqires exactly n 2 mod 2 mltiplications, the space complexity can be frther specied as: #AND = n 2 (6) #XOR = n 2? (7) 3

5 where Eqation (7) is only valid for elds with irredcible polynomials which possess property (5). The time complexity can be frther specied into mltiples of XOR and AND gate delays. The delays will be denoted as T xor and T and, respectively. If it is taen into consideration that each path throgh the mltiplier contains only one mod 2 mltiplier, it follows directly that the overall delay can be pper bonded by: T T and + 2T xor dlog 2 ne: (8) 2.2 Mltiplication with a constant in GF (2 n ) In Section 4 it will be shown that for the achievement of a low complexity for the operation \modp (x)" which is the second step in the eld mltiplication () it is crcial to have an ecient scheme for the mltiplication of an arbitrary element with a constant in GF (2 n ). The reslts from Section 2. for mltiplication of two arbitrary elements can be applied directly to constant mltiplication as well. If Eqation (3) is applied to a xed element A(y) = a n? y n? + + a 0, it yields a xed binary prodct matrix Z. Example: Let Q(y) = y 7 + y + the primitive eld polynomial of GF (2 7 ). primitive element of the eld is denoted!, where Q(!) = 0. The mltiplication with the eld element A(y) =! 47 = y 4 + y 3 + y 2 + y + is described by: C =! 47 B = ZB = 0 B@ b 0 + b 3 + b 4 + b 5 + b 6 b 0 + b + b 3 b 0 + b + b 2 + b 4 b 0 + b + b 2 + b 3 + b 5 b 0 + b + b 2 + b 3 + b 4 + b 6 b + b 2 + b 3 + b 4 + b 5 b 2 + b 3 + b 4 + b 5 + b 6 Each operation \+" in (9) denotes a mod 2 addition. The : (9) CA Considering (9) it is obvios that constant mltiplication in GF (2 n ) does not reqire any mltiplication bt only mod 2 additions. The average complexity for constant mltiplication in GF (2 n ) is given by [4, Section 5..2] #XOR = n2 2? n: (0) However, to realize constant mltiplication with low complexity it is necessary to solve the optimization problem on Boolean eqations of form (9). The cost fnction of the optimization problem is the nmber of mod 2 additions reqired to realize a set of n eqations in n variables b i, where each eqation is a sm over certain b i. We applied a greedy algorithm to the problem which yields sboptimm soltions. In every step of the iterative algorithm the occrrence of all possible pairs b i + b j is determined. The most often occrring pair 4

6 b + b l is precompted. Ths, a locally optimm soltion is fond. The pair is considered a new element b = b + b l. In the next iteration step again all possible pairs b i + b j are investigated, inclding the new element b. The algorithm eventally terminates when all possible pairs occr only once. E.g., application of the algorithm to Eqation (9) reslts in optimized sms which can be realized with 4 XOR gates whereas a direct implementation reqires 26 XOR gates. 3 Ecient Polynomial Mltiplication 3. The Karatsba-Ofman Algorithm In this section an ecient scheme for mltiplying two polynomials will be derived. This is the rst and, with respect to the complexities, major step for performing the entire eld mltiplication (). We apply a \divide-and-conqer" algorithm which was rst described by Karatsba and Ofman in 962 in the \Dolady Aademii Na SSSR," the English translation of which followed in 963 [2]. A more compact version is described in [3, Section 4.3.3]. A detailed description of the algorithm's comptational complexity is given in [5, Section 3], where the KOA is referred to as \Split." However, this reference contains an error in the derivation of the additive complexity, leading to a somewhat incorrect complexity formla. The KOA provides a recrsive algorithm which redces the mltiplicative complexity of m 2 and for large enogh m the additive complexity of (m? ) 2 reqired by the \school boo method." We consider the mltiplication of two polynomials A(x) and B(x) with a maximm degree of m? over a eld F, i.e. each polynomial possesses at most m coecients from F. We are interested in nding the prodct C 0 (x) = A(x)B(x) with deg(c 0 (x)) 2m? 2. The consideration here is restricted to polynomials where m is a power of two: m = 2 t, t integer. To apply the algorithm, both polynomials are split into a lower and an pper half: A = x m m 2 (x 2? a m? + + am ) + (xm 2? am ? a 0 ) = x m 2 A h + A l B = x m m 2 (x 2? b m? + + bm ) + (xm 2? bm ? b 0 ) = x m 2 B h + B l : () Using (), a set of axiliary polynomials D(x) is dened: D 0 (x) = A l (x)b l (x) D (x) = [A l (x) + A h (x)][b l (x) + B h (x)] (2) D 2 (x) = A h (x)b h (x): The prodct polynomial C 0 (x) = A(x)B(x) is achieved by: the error will be otlined later C 0 (x) = D 0 (x) + x m 2 [D (x)? D 0 (x)? D 2 (x)] + x m D 2 (x): (3) 5

7 Ths far the procedre has redced the nmber of coecient mltiplications to 3=4m 2. However, the algorithm can be applied recrsively to the three polynomial mltiplications in (2). The next iteration step splits the polynomials A l ; A h ; and(a l + A h ) and their B conterparts again in half. The algorithm eventally terminates after t steps. In the nal step the polynomials D (t) i (x) are degenerated into single coecients, i.e. deg(d (t) (x)) = 0. Since every step exactly halves the nmber of coecients, the algorithm terminates after t = log 2 m steps. The following two theorems provide expressions for the comptational and the time complexity of the KOA for polynomials over elds of characteristic 2 with respect to a parallel hardware implementation. Theorem Consider two arbitrary polynomials in one variable of degree less or eqal m?, where m is a power of two, with coecients in a eld F of characteristic 2. By sing the Karatsba-Ofman algorithm the polynomials can be mltiplied with: mltiplications and additions, respectively, in F. # = m log 2 3 ; (4) # 6m log 2 3? 8m + 2; (5) Theorem 2 Consider two arbitrary polynomials in one variable of degree less or eqal m?, where m is a power of two, with coecients in a eld F of characteristic 2. A parallel realization of the Karatsba-Ofman algorithm for the mltiplication of the two polynomials can be implemented with a time complexity (or delay) of: T = T + 3 (log 2 m) T ; (6) where \ T " and \ T "denote the delay of one mltiplier and one adder, respectively, in F. It shold be noted that the sbtractions in (3) are additions if F has characteristic 2. For the proof of the theorems three stages of the algorithm will be distingished: Proof.. In the rst stage the mere splitting of the polynomials is considered. Since splitting itself taes no comptation, only the two smmations in Eqation (2) are of interest. Taing into accont that the nmber of polynomials triples in each iteration step, whereas the length of the polynomials is redced by half, one obtains: # = X log 2 m i= 3 i? 2 m 2 i = 2mlog 2 3? 2m: Since all additions of one iteration can be performed in parallel in a hardware realization, the delay eqals: T = T log 2 m; where \T " denotes the delay for one adder in F. 6

8 2. In the second stage the achieved 3 log 2 m = m log 2 3 polynomials (each consisting of one coecient) are actally mltiplied. This reqires: # 2 = m log 2 3 mltiplications. The delay of a parallel implementation is: T 2 = T ; where \T " denotes the delay cased by one mltiplier in F. 3. The third stage merges the polynomials according to Eqation (3). There are two inds of additions (or sbtractions) involved: Sbtracting three polynomials with 2 i? coecients and 2 i? 2 additions de to the overlapping 2 of three terms: # 3 = X log 2 m i= 3 log 2 m?i [2(2 i? ) + (2 i? 2)] = 4m log 2 3? 6m + 2: The delay eqals: T 3 = 2 (log 2 m) T : The overall complexities in the Theorems and 2 are now obtained by smmation of the partial complexities. 2 However, the right hand side of the additive complexity (5) is an pper bond becase the recrsive algorithm bears redndancies which can be eliminated in a parallel realization. For instance, for the vale m = 4 the pper bond in (5) can be redced from 24 to Karatsba-Ofman Algorithm for Polynomials over GF (2 n ) If the Karatsba-Ofman algorithm is applied to mltiplication in composite elds, the polynomials A(x); B(x) are elements of the eld GF ((2 n ) m ). The operations described above refer to arithmetic with the coecients a i ; b j which are elements of GF (2 n ). As a conseqence, we can now bild a mltiplier in the eld GF ((2 n ) m ) by sing identical modles providing GF (2 n ) arithmetic. Its modlarity maes the mltiplier especially sited for VLSI implementations. The modle \GF (2 n ) adder" simply consists of n parallel mod 2 adders. For the modle \GF (2 n ) mltiplier" the parallel strctres described in Section 2. were sed. Assming condition (5) for all eld polynomials Q(y) of the grond eld, the overall complexity for polynomial mltiplication (in AND and XOR gates) follows from the Eqations (4) and (5): #AND = n 2?log 2 3 log 2 3 (7) #XOR n! log2 3 (n 2 + 6n? )? 8 + 2n ; certain n (8) 2 Reference [5] is here wrong by claiming that only 2 i? 4 coecients overlap. 7

9 where = nm and m = 2 t. Both formlas (7), (8) imply that the order of elementary gates increases only proportional to log 2 3 as increases if n can be ept nder a certain limit. This is in particlar possible for all applications where is a power of two which are of great technical interest. To achieve an expression for the time complexity, Eqation (6) with appropriate expressions for T and T can be applied. Addition in GF (2 n ) has a delay of one XOR gate, i.e. T = T xor. The delay for mltiplication, T, in the grond eld GF (2 n ) is pper bonded by (8). Hence, the overall delay for parallel mltiplication of polynomials of degree m?, m = 2 t, over GF (2 n ) can be pper bonded by: T T xor (2dlog 2 ne + 3 log 2 m) + T and : (9) 4 Redction Modlo the Primitive Polynomial This section describes the second step of the eld mltiplication, the operation \ mod P (x)". The pre polynomial mltiplication of two polynomials A(x)B(x) reslts in a prodct polynomial C 0 (x) over GF (2 n ) with deg(c 0 (x)) 2m? 2. In order to perform a mltiplication in GF ((2 n ) m ), C 0 (x) mst be redced modlo the eld polynomial P (x). The General Case GF ((2 n ) m ) First, general composite elds GF ((2 n ) m ) with arbitrary vales for n and m will be considered. The modlo operation reslts in a polynomial C(x) with deg(c(x)) m? which represents the desired eld element: C(x) = c m? x m? + + c 0 C 0 (x) mod P (x), where C(x) 2 GF ((2 n ) m ). The redction modlo P (x) can be viewed as a linear mapping of the 2m? coecients of C 0 (x) into the m coecients of C(x). This mapping can be represented in a matrix notation as follows: 0 B@ c 0 c. c m? CA = 0 0 r0;0 r0;m?2 0 0 r ;0 r ;m? r m?;0 r m?;m?2 0 CA B@ c 0 0. c 0 m? c 0 m. c 0 2m?2 The matrix on the right hand side of (20) consists of a (m; m) identity matrix and a (m; m?) matrix R which we may name the redction matrix. R is solely a fnction of the chosen eld polynomial P (x) = x m + p m? x m? + + p 0, i.e. to every P (x) a redction matrix is niqely assigned. R's recrsive dependency on P (x) is the following: r ij = ( p j ; i = 0; : : : ; m? ; j = 0 r i?;j? + r m?;j? r i0 ; i = 0; : : : ; m? ; j = ; : : : ; m? 2 8 CA (20) (2)

10 where r i?;j? = 0 if j = 0. From Eqation (2) it follows directly that r ij 2 GF (2 n ) since p i 2 GF (2 n ). It shold be emphasized that (20) does not reqire any general mltiplication bt only additions and mltiplications with a constant from GF (2 n ). Both operations reqire only mod 2 adders. First, a general expression for the average complexity will be derived. In general the matrix-vector prodct in Eqation (20) reqires m(m? ) constant mltiplications and m(m? ) additions. On average one constant mltiplication has the complexity given by Eqation (0). Ths the average implementational complexity of (20) is: #XOR = m(m? ) +m(m? ) cnst = 2 (( + )? n? ); where = nm: (22) n However certain eld polynomials yield matrices with a complexity considerably smaller than the average complexity in (22). In order to obtain sch low complexity polynomials an exhastive compter based search throgh all primitives polynomials P (x) was performed for each pair of parameters (n; m). The nmber of primitive polynomials I p of degree m over GF (2 n ) is given by [0]: I p = m (2mn? ); where () denotes the Eler fnction. The complexity of mltiplication with each of the I p redction matrices was evalated as follows. For every matrix the nmber of additions and constant mltiplications was compted. Redndancies within the rows of R, i.e. at least two elements are eqal: r ij = r i, were taen into accont, ths redcing the nmber of constant mltiplications. However, we did not consider all possible redndancies and the best polynomials P opt fond dring the search can ths be considered sboptimm. The Special Case GF ((2 n ) 2 ) For the special case m = 2 we can perform the two operations polynomial mltiplication and modlo redction in jst one single step de to its simplicity. This method was rst described in [8]. In this case we now that there exist primitive polynomials of the form P (x) = x 2 + x + p 0 [6, Theorem ]. Hence the mltiplication of two eld elements in GF ((2 n ) m ) is the following: C(x) = A(x)B(x) mod P (x) = [a 0 b 0 + p 0 a b ] + x[(a 0 + a )(b 0 + b ) + a 0 b 0 ]: (23) Eqation (23) reqires only 3 mltiplications, 4 additions and one constant mltiplication with p 0. Hence, the exhastive search determined in the cases m = 2 those primitive polynomials P (x) which have a constant p 0 with a minimm complexity with respect to constant mltiplication. The maximm delay in Eqation (23) is cased by the comptation of the coecient c 0 = a 0 b 0 + p 0 a b. It is composed of the delays for one general mltiplication a 0 b 0 and a b, one mltiplication with p 0 and one addition. 9

11 mod A B mod P A B mod P n m P (x) XOR AND XOR 2 T and T xor ; ;! ; ;! ; ;! ; ;! ; ;! ; 0; 0; ;! ; ;! ; ; ; 0;! ; ;! ; 0; 0;!;! ; ;! ;! 62 ;! 6 ;! 3! ; ;! ; 0; 0;! 26! ; ;! ; 0; 0; ; 0; 0; ; 0;! Table : Composite elds GF ((2 n ) m ) p to nm = 32, primitive eld polynomials, and the space complexities and theoretical delays of parallel mltipliers 5 Reslts Table gives insight in the complexities and architectres of parallel mltipliers in composite elds GF (2 ) = 2; 4; : : : ; 32. For each eld an optimized eld polynomial P (x) and a mltiplier with a minimm complexity is given. A description of the table's contents is given below. All colmns are explained from left to right, where each colmn is named after its heading symbol. ; n; m: denotes the eld order 2, where the parameters n and m determine the composition GF ((2 n ) m ) of the eld. The binary eld polynomials Q(y) of the grond elds GF (2 n ) are given in [4, Table 4.5]. P(x): Primitive polynomials over GF (2 n ) are given which possess minimm complexity with respect to the operation \modp (x)". The character! denotes a primitive element of the eld GF (2 n ), sch that Q(!) = 0. Each row contains the m coecients of a polynomial, highest coecient leftmost (e.g. for n = m = 2, P (x) = x 2 + x +! 2.) mod: In the cases m = 4; 8 the space complexity for the operation modp (x) is given. For the case m = 2 the complexity for mltiplying with the coecient p 0 of P (x) is given. 0

12 AB mod P: The overall space complexity for a parallel mltiplier in GF ((2 n ) m ) is given in bold face letters. 2 : The space complexity of many previosly sggested architectres is lower bonded by 2? XOR gates and 2 AND gates, where = nm. In order to allow comparison with those mltipliers, we provide the vales 2. A B mod P: The theoretical delay of the entire mltiplier is shown in bold face letters. However, delays cased by roting or high fanots which may occr in an actal VLSI implementation are not considered. As an example, the mltiplier over GF (2 6 ) is explained below. Example. The eld considered is GF ((2 4 ) 4 ). The eld polynomial of the grond eld GF (2 4 ) is Q(y) = y 4 +y+. The primitive polynomial of the composite eld is P (x) = x 4 +x 3 +x 2 +!, where Q(!) = 0. The operation modlo P (x) reqires 35 mod 2 adders. The overall complexity for a parallel mltiplier in the composite eld reslts in 44 mod 2 mltipliers and 258 mod 2 adders. The theoretical delay, i.e. the critical path throgh the mltiplier, consists of 2 T xor (XOR gate delays) and T and (AND gate delay). Figre provides a bloc diagram of the mltiplier's architectre. The inpt variables are a 0 ; : : : ; a 3 and b 0 ; : : : ; b 3, the otpt variables are c 0 ; : : : ; c 3. Each set of variables represents a polynomial, which is an element in GF ((2 4 ) 4 ) in standard representation. Each variable is actally a for bit wide bs, representing an element in the grond eld. blocs having an \!" attached are mltipliers with the constant element!. The The mltiplier was also implemented on an FPGA, serving as a coprocessor for Reed-Solomon decoder with 6 bit symbols realized on a digital signal processor [7]. 6 Conclsions It is shown that the introdction of composite elds GF ((2 n ) m ) leads to a signicantly improved parallel mltiplier with respect to the nmber of mod 2 adders and mltipliers if compared to traditional architectres over GF (2 ) with = nm. The mltiplication of two polynomials, which is the most costly step in standard based Galois eld mltiplication, can be performed with an asymptotical complexity of O( log 2 3 ) nder the condition that = n2 t and that n can be ept nder a certain limit. It is fond that the nmber of gates for modlo redction taes less than 0% of the overall gate cont for the entire eld mltiplication for the cases considered. An improved mltiplier is given for every eld GF (2 ), = 2; 4; : : : ; 32, if compared to the 2 2? complexity bond of many traditional architectres. To the athors nowledge the gate cont of 48 AND/62 XOR is the lowest one reported in technical literatre for bit parallel mltiplication in GF (2 8 ). Considering the wide range of application of this eld, e.g. in space commnication or in optical storage systems sch as CDs, this architectre is certainly of technical interest.

13 a 0 b 0 a 0 a b 0 b a b a 0 a 2 b 0 c 0 0 c 0 c 0 2 c 0 3?@! c 2 c 3 a a 3 b b 3 a 2 b c 0 4?@! c 0 a 2 a 3 b 2 b 3 a 3 c 0 5 c 0 c Figre : Bloc diagram of a parallel mltiplier in GF ((2 4 ) 4 ) 2

14 A frther advantage for a VLSI implementation is the high natral modlarity of the architectre. A mltiplier can be bild by sing a relatively small nmber of the two modles GF (2 n ) adder and mltiplier. References [] A. Odlyzo, \Discrete logarithms in nite elds and their cryptographic signicance," in Lectre Notes in Compter Science 209, pp. 224{36, Springer-Verlag, Berlin, 984. [2] R. Blaht, Theory and Practice of Error Control Codes. Reading, Massachsetts: Addison-Wesley, 983. [3] C. Wang, T. Trong, H. Shao, L. Detsch, J. Omra, and I. Reed, \VLSI architectres for compting mltiplications and inverses in GF (2 m )," IEEE Trans. Comp., vol. C-34, pp. 709{77, Agst 985. [4] T. Itoh and S. Tsjii, \Strctre of parallel mltipliers for a class of elds GF (2 )," Inform. and Comp., vol. 83, pp. 2{40, 989. [5] E. Mastrovito, \VLSI design for mltiplication over nite elds GF (2 m )," in Lectre Notes in Compter Science 357, pp. 297{309, Springer-Verlag, Berlin, March 989. [6] M. Hasan, M. Wang, and V. Bhargava, \Modlar constrction of low complexity parallel mltipliers for a class of nite elds GF (2 m )," IEEE Trans. Comp., vol. 4, pp. 962{97, Agst 992. [7] V. Afanasyev, \Complexity of VLSI implementation of nite eld arithmetic," in II. Intern. Worshop on Algebraic and Combinatorial Coding Theory, (Leningrad, USSR), pp. 6{7, September 990. [8] V. Afanasyev, \On the complexity of nite eld arithmetic," in 5th Joint Soviet-Swedish Intern. Worshop on Information Theory, (Moscow, USSR), pp. 9{2, Janary 99. [9] A. Pincin, \A new algorithm for mltiplication in nite elds," IEEE Trans. Comp., vol. 38, pp. 045{049, Jly 989. [0] D. Green and I. Taylor, \Irredcible polynomials over composite Galois elds and their applications in coding techniqes," Proc. IEE, vol. 2, pp. 935{939, September 974. [] J. Komo and M. Lam, \Primitive polynomials and m-seqences over GF (q m )," IEEE Trans. Inform. Theory, vol. 39, pp. 643{647, March 993. [2] A. Karatsba and Y. Ofman, \Mltiplication of mltidigit nmbers on atomata," Sov. Phys.-Dol. (Engl. transl.), vol. 7, no. 7, pp. 595{596,

15 [3] D. Knth, The Art of Compter Programming. Volme 2: Seminmerical Algorithms. Reading, Massachsetts: Addison-Wesley, 2nd ed., 98. [4] E. Mastrovito, VLSI Architectres for Comptation in Galois Fields. PhD thesis, Linoping University, Dept. Electr. Eng., Linoping, Sweden, 99. [5] R. Fateman, \Polynomial mltiplication, powers and asymptotic analysis: Some comments," SIAM J. Compt., vol. 7, pp. 96{2, September 974. [6] C. Paar, Ecient VLSI Architectres for Bit-Parallel Comptation in Galois Fields. PhD thesis, (Engl. transl.), Institte for Experimental Mathematics, University of Essen, Essen, Germany, Jne 994. ISBN 3{8{33280{0. [7] C. Paar and O. Hooijen, \Implementation of a reprogrammable Reed-Solomon decoder over GF (2 6 ) on a digital signal processor with external arithmetic nit," in Forth International ESA Worshop on Digital Signal Processing Techniqes Applied to Space Commnications, (King's College, London), September 26{