Galois Fields and Hardware Design

Transcription

1 Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah October 22-29, 2014

2 Agenda Introduction to Field Construction Constructing F 2 k and its elements Addition, multiplication and inverses over GFs Conjugates and their minimal polynomials GF containment and algebraic closure Hardware design over GFs Then we will verify hardware over GFs using Gröbner bases P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

3 Integral and Euclidean Domains Definition An integral domain R is a set with two operations (+, ) such that: 1 The elements of R form an abelian group under + with additive identity 0. 2 The multiplication is associative and commutative, with multiplicative identity 1. 3 The distributive law holds: a(b +c) = ab+ac. 4 The cancellation law holds: if ab = ac and a 0, then b = c. Examples: Z,R,Q,C,Z p,f[x],f[x,y]. Finite rings Z n,n p are not integral domains. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

4 Euclidean Domains Definition A Euclidean domain D is an integral domain where: 1 associated with each non-zero element a D is a non-negative integer f(a) s.t. f(a) f(ab) if b 0; and 2 a,b (b 0), (q,r) s.t. a = qb +r, where either r = 0 or f(r) < f(b). Can apply the Euclid s algorithm to compute g = GCD(g 1,...,g t ) Then g = i u ig i P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

5 Euclidean Domains D = Z,R,Q,C,Z p The ring F[x] is a Euclidean domain where F is any field The ring R = F[x,y] is NOT a Euclidean domain where F is any field For x,y R,GCD(x,y) = 1, but cannot write 1 = f 1 (x,y) x +f 2 (x,y)y Z 2 k is neither and integral domain not a Euclidean domain P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

6 Fields Definition Let D be a Euclidean domain, and p D be a prime element. Then D (mod p) is a field. That is why Z (mod p) is a field In R[x],x 2 +1 is a prime actually called an irreducible polynomial So R[x] (mod x 2 +1) is a field and is the field of complex numbers C R[x] (mod p) = {f(x) g(x) R[x],f(x) = g(x) (mod p)} P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

7 R[x] (mod x 2 +1) = C Let f,g R[x] (mod x 2 +1) f = remainder of division by x 2 +1, it is linear Let f = ax +b, g = cx +d f g = (ax +b)(cx +d) (mod x 2 +1) = acx 2 +(ad +bc)x +bd (mod x 2 +1) = (ad +bc)x +(bd ac) after reducing by x 2 = 1 Replace x with i = 1, and we get C C is a 2 (=degree(x 2 +1)) dimensional extension of R Intuitively, that is why C R (containment and closure) P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

8 Recall from my previous slides: From Rings to Fields Rings Integral Domains Unique Factorization Domains Euclidean Domains Fields Now you know the reason for this containment P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

9 Construct Galois Extension Fields F p [x] is a Euclidean domain, let P(x) be irreducible over F p, and let degree of P(x) = k F p [x] (mod P(x)) = F p k, a finite field of p k elements Denote GFs as F q, q = p k for prime p and k 1 F p k is a k-dimensional extension of F p, so F p F p k Our interest F 2 k = F 2 [x] (mod P(x)) where P(x) F 2 [x] is a degree-k irreducible polynomial P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

10 Study F 2 k Irreducible polynomials of any degree k always exist over F 2, so F 2 k can be constructed for arbitrary k 1 Table: Some irreducible polynomials in F 2 [x]. Degree Irreducible Polynomials 1 x;x +1 2 x 2 +x +1 3 x 3 +x +1;x 3 +x x 4 +x +1;x 4 +x 3 +1;x 4 +x 3 +x 2 +x +1 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

11 F 2 k = F 2 [x] (mod P(x)), let α be a root of P(x), i.e. P(α) = 0 P(x) has no roots in F 2 (irreducible); root lies in its algebraic extension F 2 k Any element A F 2 k: A = k 1 i=0 (a i α i ) = a 0 +a 1 α+ +a k 1 α k 1 where a i F 2 The degree of A < k Think of A = {a k 1,...,a 0 } as a bit-vector P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

12 Example of F 16 F 2 4 as F 2 [x] (mod P(x)), where P(x) = x 4 +x 3 +1, P(α) = 0 Any element A F 16 = a 3 α 3 +a 2 α 2 +a 1 α+a 0 (degree < 4) Table: Bit-vector, Exponential and Polynomial representation of elements in F 2 4 = F 2 [x] (mod x 4 +x 3 +1) a 3 a 2 a 1 a 0 Expo Poly a 3 a 2 a 1 a 0 Expo Poly α 3 α α 4 α α α 1010 α 10 α 3 +α 0011 α 12 α α 5 α 3 +α α 2 α α 14 α 3 +α α 9 α α 11 α 3 +α α 13 α 2 +α 1110 α 8 α 3 +α 2 +α 0111 α 7 α 2 +α α 6 α 3 +α 2 +α+1 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

13 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

14 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

15 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

16 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

17 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

18 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 α 5 +α 11 = α 3 +α+1+α 3 +α 2 +1 = 2 α 3 +α 2 +α+2 = α 2 +α (as characteristic of F 2 k = 2) = α 13 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

19 Add, Mult in F 2 k Definition The characteristic of a finite field F q with unity element 1 is the smallest integer n such that (n times) = 0. What is the characteristic of F 2 k? Of F p k? Characteristic = 2 and p, respectively, of course! In F 2 k coefficients reduced modulo 2 α 5 +α 11 = α 3 +α+1+α 3 +α 2 +1 = 2 α 3 +α 2 +α+2 = α 2 +α (as characteristic of F 2 k = 2) = α 13 Addition in F 2 k is Bit-vector XOR operation P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

20 Add, Mult in F 2 k α 4 α 10 = (α 3 +1)(α 3 +α) = α 6 +α 4 +α 3 +α = α 4 α 2 +(α 4 +α 3 )+α = (α 3 +1) α 2 +(1)+α (as α 4 = α 3 +1) = α 5 +α 2 +α+1 = α 4 α+α 2 +α+1 = (α 3 +1) α+α 2 +α+1 = α 4 +α 2 +1 = α 3 +α 2 Reduce everything (mod P(x) = x 4 +x 3 +1), and 1 = +1 in F 2 k P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

21 Every non-zero element has an inverse How to find the inverse of α? HW for you: think Euclidean algorithm! What is the inverse of α in our F 16 example? P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

22 Vanishing Polynomials of F q Lemma Let A be any non-zero element in F q, then A q 1 = 1. Theorem [Generalized Fermat s Little Theorem] Given a finite field F q, each element A F q satisfies: A q A or A q A 0 Example Given F 2 2 = {0,1,α,α +1} with P(x) = x 2 +x +1, where P(α) = = 0; 1 22 = 1; α 22 = α (mod α 2 +α+1) and (α+1) 22 = α+1 (mod α 2 +α+1) P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

23 Irreducible versus Primitive Polynomials An irreducible poly P(x) is primitive if its root α can generate all non-zero elements of the field. F q = {0,1 = α q 1,α,α 2,α 3,...,α q 2 } x 4 +x 3 +1 is primitive but x 4 +x 3 +x 2 +x +1 is not α 4 = α 3 +α 2 +α+1 α 5 = α 4 α = (α 3 +α 2 +α+1)(α) = (α 4 )+α 3 +α 2 +α = (α 3 +α 2 +α+1)+(α 3 +α 2 +α) = 1 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

24 Conjugates of α Theorem Let f(x) F 2 [x] be an arbitrary polynomial, and let β be an element in F 2 k for any k > 1. If β is a root of f(x), then for any l 0,β 2l is also a root of f(x). Elements β 2l are conjugates of each other. Example Let F 16 = F 2 [x] (mod P(x) = x 4 +x 3 +1). Let P(α) = 0. Let us find conjugates of α as α 2l. l = 1 : α 2 l = 2 : α 4 = α 3 +1 l = 3 : α 8 = α 3 +α 2 +α l = 4 : α 16 = α (conjugates start to repeat) So α,α 2,α 3 +1,α 3 +α 2 +α are conjugates of each other. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

25 Get the irreducible polynomial back from conjugates Example Over F 16 = F 2 [x] (mod x 4 +x 3 +1), conjugate elements: α,α 2,α 4,α 8 α 3,α 6,α 12,α 24 α 7,α 14,α 28,α 56 α 5,α 10 Minimal Polynomial of an element β Let e be the smallest integer such that β 2e = β. Construct the polynomial f(x) = e 1 i=0 (x +β2i ). Then f(x) is an irreducible polynomial, and it is also called the irreducible polynomial of β. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

26 Get the irreducible polynomial back from conjugates Minimal polynomial of any element β is: f(x) = e 1 i=0 (x +β2i ) Example Over F 16 = F 2 [x] (mod x 4 +x 3 +1), conjugate elements and their minimal polynomials are: α,α 2,α 4,α 8 : f 1 (x) = (x+α)(x +α 2 )(x +α 4 )(x +α 8 ) = x 4 +x 3 +1 α 3,α 6,α 12,α 24 : f 2 (x) = x 4 +x 3 +x 2 +1 α 7,α 14,α 28,α 56 : f 3 (x) = x 4 +x +1 α 5,α 10 : f 4 (x) = x 2 +x +1 Some observations... Note that f 4 = x 2 +x +1 is the polynomial used to construct F 4. Also notice that associated with every element in F 2 k is a minimal polynomial and its roots (conjugates), that demonstrate the containment of fields and also the uniqueness of the fields upto the labeling of the elements. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

27 Containment of fields and elements Figure: Containment of fields: F 2 F 4 F 16 Additive & Multiplicative closure: α 5 +α 10 = 1, α 5 α 10 = 1. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

28 Containment and Closure Theorem F 2 n F 2 m if n divides m. Example: F 2 F 2 2 F 2 4 F F 2 F 2 3 F F 2 F 2 5 F F 2 F 2 7 F and so on Algebraic Closure of F q The algebraic closure of F 2 k is the union of ALL such fields F 2 n where k n. P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

29 Hardware Applications over F 2 k Elliptic Curve Cryptography y 2 +xy = x 3 +ax 2 +b over GF(2 k ) R Compute Slope: y 2 y 1 x 2 x 1 P Q R = P + Q Computation of inverses over F 2 k is expensive R P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

30 Point addition using Projective Co-ordinates Curve: Y 2 +XYZ = X 3 Z +ax 2 Z 2 +bz 4 over F 2 k Let (X 3, Y 3, Z 3 ) = (X 1, Y 1, Z 1 ) + (X 2, Y 2, 1) A = Y 2 Z1 2 +Y 1 B = X 2 Z 1 +X 1 C = Z 1 B D = B 2 (C +az1) 2 Z 3 = C 2 E = A C X 3 = A 2 +D +E F = X 3 +X 2 Z 3 G = X 3 +Y 2 Z 3 Y 3 = E F +Z 3 G No inverses, just addition and multiplication P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

31 Multiplication in GF(2 4 ) Input: A = (a 3 a 2 a 1 a 0 ) B = (b 3 b 2 b 1 b 0 ) A = a 0 +a 1 α+a 2 α 2 +a 3 α 3 B = b 0 +b 1 α+b 2 α 2 +b 3 α 3 Irreducible Polynomial: P = (11001) P(x) = x 4 +x 3 +1, P(α) = 0 Result: Output G = A B (mod P(x)) P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

32 Multiplication over GF(2 4 ) a 3 a 2 a 1 a 0 b 3 b 2 b 1 b 0 a 3 b 0 a 2 b 0 a 1 b 0 a 0 b 0 a 3 b 1 a 2 b 1 a 1 b 1 a 0 b 1 a 3 b 2 a 2 b 2 a 1 b 2 a 0 b 2 a 3 b 3 a 2 b 3 a 1 b 3 a 0 b 3 s 6 s 5 s 4 s 3 s 2 s 1 s 0 In polynomial expression: S = s 0 +s 1 α+s 2 α 2 +s 3 α 3 +s 4 α 4 +s 5 α 5 +s 6 α 6 S should be further reduced (mod P(x)) P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

33 Multiplication over GF(2 4 ) s 6 s 5 s 4 s 3 s 2 s 1 s 0 s s 4 s 4 α 4 (mod P(α)) s 5 0 s 5 s 5 s 5 α 5 (mod P(α)) + s 6 s 6 s 6 s 6 s 6 α 6 (mod P(α)) g 3 g 2 g 1 g 0 s 4 α 4 (mod α 4 +α 3 +1) = s 4 (α 3 +1) = s 4 α 3 +s 4 s 5 α 5 (mod α 4 +α 3 +1) = s 5 (α 3 +α+1) = s 5 α 3 +s 5 α+s 5 s 6 α 6 (mod α 4 +α 3 +1) = s 6 (α 3 +α 2 +α+1) = s 6 α 3 +s 6 α 2 +s 6 α+s 6 G = g 0 +g 1 α+g 2 α 2 +g 3 α 3 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

34 Montgomery Architecture A B R 2 R 2 MM MM A R B R MM A B R MM "1" G = A B (mod P) Figure: Montgomery multiplier over GF(2 k ) Montgomery Multiply: F = A B R 1, R = α k Barrett architectures do not require precomputed R 1 We can verify 163-bit circuits, and also catch bugs! Conventional techniques fail beyond 16-bit circuits P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

35 Verification: The Mathematical Problem Let us take verification of GF multipliers as an example: Given specification polynomial: f : Z = A B (mod P(x)) over F 2 k, for given k, and given P(x), s.t. P(α) = 0 Given circuit implementation C Primary inputs: A = {a 0,...,a k 1 },B = {b 0,...,b k 1 } Primary Output Z = {z 0,...,z k 1 } A = a 0 +a 1 α+a 2 α 2 + +a k 1 α k 1 B = b 0 +b 1 α+ +b k 1 α k 1, Z = z 0 +z 1 α+ +z k 1 α k 1 Does the circuit C correctly compute specification f? Mathematically: Construct a miter between the spec f and implementation C Model the circuit (gates) as polynomials {f 1,...,f s } F 2 k[x 1,...,x d ] Apply Weak Nullstellensatz P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

36 Equivalence Checking over F 2 k Circuit1: Circuit Equations X A B X Y 1? Circuit2: Circuit Equations Y Figure: The equivalence checking setup: miter. Spec can be a polynomial f, or a circuit implementation C Model the miter gate as: t(x Y) = 1, where t is a free variable P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

37 Verify a polynomial spec against circuit C A Z1 = A B (mod P) Z1 B A Bit level Circuit t(z Z1) = 1 Miter feasible? B Z Figure: The equivalence checking setup: miter. When Z = Z 1, t(z Z 1 ) = 1 has no solution: infeasible miter When Z Z 1 : let t 1 = (Z Z 1 ). Then t (t 1 ) = 1 always has a solution! Apply Nullstellensatz over F 2 k P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

38 Example Implementation Circuit: Mastrovito Multiplier over F 4 Figure: A 2-bit Multiplier Write A = a 0 +a 1 α as a polynomial f A : A+a 0 +a 1 α Polynomials modeling the entire circuit: ideal J = f 1,...,f 10 f 1 : z 0 +z 1 α+z; f 2 : b 0 +b 1 α+b; f 3 : a 0 +a 1 α+a; f 4 : s 0 +a 0 b 0 ; f 5 : s 1 +a 0 b 1 ; f 6 : s 2 +a 1 b 0 ; f 7 : s 3 +a 1 b 1 ; f 8 : r 0 +s 1 +s 2 ; f 9 : z 0 +s 0 +s 3 ; f 10 : z 1 +r 0 +s 3 P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

39 Continue with multiplier verification So far, ideal J = f 1,...,f 10 models the implementation Let polynomial f : Z A B denote the spec Miter polynomial f m : t (Z Z 1 ) 1 Update the ideal representation of the miter: J = J + f,f m Finally: ideal J = f 1,...,f 10, f, f m represents the miter circuit J F 2 k[a,b,z,z 1,a 0,a 1,b 0,b 1,r 0,s 0,...,s 3,t] Verification problem: is the variety V F4 (J) =? How will we solve this problem? P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

40 Weak Nullstellensatz over F 2 k Theorem (Weak Nullstellensatz over F 2 k) Let ideal J = f 1,...,f s F 2 k[x 1,...,x n ] be an ideal. Let J 0 = x1 2k x 1,...,xn 2k x n be the ideal of all vanishing polynomials. Then: V (J) = V F2 k F (J +J 2 0) = reducedgb(j +J k 0 ) = {1} Proof: V (J) =V F2 k F (J) F 2 k 2 k =V (J) V F2 F (J k 2 k 0) = V (J) V F2 k F (J 2 0) k =V (J +J F2 0) k Remember: V Fq (J 0 ) = V Fq (J 0 ). The variety of J 0 does not change over the field or the closure! P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

41 Apply Weak Nullstellesatz to the Miter Note: Word-level polynomials f A : A+a 0 +a 1 α F 2 k Gate level polynomials f 4 : s 0 +a 0 b 0 F 2 Since F 2 F 2 k, we can treat ALL polynomials of the miter, collectively, over the larger field F 2 k, so J F 2 k[a,b,z,z 1,a 0,a 1,...,z 0,z 1 ] Consider word-level vanishing polynomials: A 22 A What about bit-level vanishing polynomials: a 2 0 a 0 So, J 0 = W 2k W,B 2 B, where W are all the word-level variables, and B are all the bit-level variables Now compute G = GB(J +J 0 ). If G = {1}, the circuit is correct. Otherwise there is definitely a BUG within the field F 2 k P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36

42 Polynomial Functions over F q Any combinational circuit with k-bit inputs and k-bit output Implements a function f : B k B k Can be viewed as a function f : F 2 k F 2 k or f : Z 2 k Z 2 k Need symbolic representations: view them as polynomial functions Treat the circuit f : B k B k as a polynomial function Please see the last section in my book chapter P. Kalla (Univ. of Utah) F k and Hardware Design October 22-29, / 36