EE 387, John Gill, Stanford University

Notes #6, November 5, Handout #23

Burst errors
Denition: A burst of length l is an n-tuple whose nonzero symbols are conned to a span of l symbols and no fewer. Denition: A wraparound burst of length l is any cyclic shift of a burst of length l. A burst is specied by location and burst pattern. Location is dened to be least signicant digit of burst. Burst pattern for a burst of length l is a polynomial b(x) of degree l 1. Burst: e(x) = xib(x), where i is location and b(x) is pattern (b0 = 0). Wraparound burst: e(x) = xib(x) mod (xn 1). Example: Consider the following 10-tuples: 0001011000 is a burst of length 4, location 3, pattern 1 + x2 + x3 . 1100000010 is a wraparound burst of length 4, location 8, pattern 1 + x2 + x3 . (It is a burst of length 9.)
EE 387 Notes #6, Page 1

Burst error detection

Cyclic codes are optimal for burst error detection. Theorem: Every (shortened) cyclic code with generator polynomial of degree r can detect all burst errors of length r. Proof : We must show that no burst of length r is a codeword. Such a burst is of the form e(x) = xib(x) where b(x) = 0 and deg b(x) < r. Constant coecient of g(x) is nonzero, so g(x) and xi are relative prime. Thus if g(x) | xib(x) then g(x) | b(x). Not possible since deg b(x) < deg g(x). The burst error detecting ability is exactly r because g(x) is a codeword that is a burst of length r + 1. Most burst errors of length > r can be detected. For binary alphabets: P(burst of length l is detected) = 1 2r+1 1 2r l =r+1 l >r+1

Exercise: The burst error detecting ability of any (n, k) block code is n k.
EE 387 Notes #6, Page 2

Characterizations of BEC codes

Lemma: A block code can correct all bursts of length l if and only if no two codewords dier by the sum of two bursts of length l.
0
111 000 ? 111 000 111 000 111 000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000

r(x)

c(x)

11 00 11 00 11 00 11111 00000 11111 00000 11111 00000 11111 00000

? 11 00

Corollary: A linear block code can correct all bursts of length l if and only if no codeword is the sum of two bursts of length l. Theorem: (Rieger Bound): The burst error correcting ability l of an (n, k) linear block code satises 2l n k. Proof : All Q2l polynomials of degree < 2l must have distinct syndromes. Otherwise the dierence of two such polynomials would be a codeword that is a sum of 2 bursts of length l.
EE 387 Notes #6, Page 3

Burst error correcting eciency

Denition: The burst error correcting eciency of an (n, k) linear block code with burst error correcting ability l is dened to be burst error correction eciency = By the Rieger bound, BEC eciency is 1. Reed-Solomon codes have 2t check symbols and can correct t random errors and therefore burst errors of length t. Reed-Solomon codes are nonbinary codes with BEC eciency 1. Fire codes are a class of cyclic codes with any desired burst error correcting ability and burst error correcting eciency approximately 2/3. Ecient burst-error correcting codes can be found by computer search.
Another lower bound (approximate) on number of checks needed to correct bursts of length l in blocklength n is n k l + logQ n. This bound is usually stronger than the Rieger bound. EE 387 Notes #6, Page 4

2l . nk

Cyclic decoding principle

Theorem: (Cyclic decoding principle) Let r(x) be a senseword for a cyclic code. If symbol j of the cyclic shift r (i)(x) can be corrected, then the same error magnitude can be used to correct symbol (j i) mod n of r(x).
0 r(x) ji

r (i)(x) i j

r (i)(x) mod g(x) = s[i](x) e(x) s(x) = r(x) mod g(x) e(i)(x) The syndromes s[1](x), . . . , s[n1](x) of cyclic shifts r (1)(x), . . . , r (n1)(x) can be computed by repeatedly shifting syndrome register with g(x) feedback.
EE 387 Notes #6, Page 5

Cyclic decoding
Lemma: The syndrome of r (1)(x) is s[1](x) = xs(x) mod g(x). Proof : Lets evaluate the syndrome of r (1)(x). r (1)(x) mod g(x) = (xr(x) rn1(xn 1)) mod g(x) = xr(x) mod g(x) (since g(x) | (xn 1)) = x(r(x) mod g(x)) mod g(x) = xs(x) mod g(x) = s[1](x) The cyclic decoding principle suggests the following decoding method: Calculate s(x) = r(x) mod g(x). Shift syndrome register with feedback until s[i](x) contains a syndrome that is known to correspond to error e(x). Decode r(x) using e(i)(x). This method works especially well for burst errors (see error trapping later).
EE 387 Notes #6, Page 6

Shift register decoder example

Example: Let g(x) = x4 + x + 1, a primitive polynomial over GF(2). This polynomial generates a (15, 11) binary cyclic Hamming code. The columns of the parity-check 1 0 0 0 0 1 0 0 H= 0 0 1 0 0 0 0 1 matrix are xi mod g(x) for i = 0, . . . , 14: 1 0 0 1 1 0 1 0 1 1 1 1 1 0 1 0 1 1 1 1 0 0 . 0 1 1 0 1 0 1 1 1 1 0 0 0 1 1 0 1 0 1 1 1 1

A single bit error in the msb of r(x) is e(x) = x14 .

The syndrome of e(x) = x14 is 1001 = 1 + x3, which is the last column of H. If we shorten the code to, say, (12, 8), the syndrome of an error in the msb would be x11 mod g(x) = 0111 = x + x2 + x3.
We can generalize this approach to correcting short burst errors. It can be shown that the generator polynomial (x + 1)(x4 + x + 1) = x5 + x4 + x2 + 1 can correct bursts of length 2. A decoder should correct the msb when the syndrome register contains the syndromes of either x14 or x13 + x14 . EE 387 Notes #6, Page 7

Shift register decoder for Hamming code

The decoder below corrects the msb when the shift register contains 1001.
syndrome computation error location

r(x) s(x)
parallel transfer

clear SR

c(x)

The decoder can be pipelined. In the rst phase, the syndrome of r(x) is computed using the rst LFSR. In the second phase, the buered codeword is corrected one bit at a time. If the syndrome register is nonzero at the end of the correction phase, an uncorrectable error has been detected.
EE 387 Notes #6, Page 8

Error trapping
replacements If error pattern e(x) is in low order n k symbols, then deg e(x) < n k.

r(x)

1111 0000 1111 0000 1111 0000 1111 0000 nk

In this case, s(x) = r(x) mod g(x) = e(x) mod g(x) = e(x) . The syndrome polynomial is the same as the error polynomial. In general, r(x) s(x) is a codeword obtained by correcting only check digits. If s(x) is a plausible i.e., correctable error pattern, we estimate e(x) = s(x). Since deg s(x) < n k, only error patterns that are conned to n k consecutive locations can be corrected by this method. By Rieger bound, correctable burst have length 1 (n k), so they can be rotated 2 into low order n k positions.

EE 387 Notes #6, Page 9

Error trapping (2)

To tell when to correct msb of r(x), compute syndrome of r (nk)(x). This rotates r(x) msb (position n 1) to check digits msb (position n k 1).
nk k

r(x)

r (nk)(x)

nk

Then we test syndrome of shifted senseword to see if it is a burst of length l located in high-order l check digits. When correctable burst is located in the high-order l check symbols, then the low-order n k l syndrome digits are 0.
0 0 ... 0 x x ... x l
EE 387 Notes #6, Page 10

nkl

Error trapping (3)

One way to compute syndrome of r (nk)(x) is to shift s(x) n k times in a LFSR with feedback polynomial g(x). The result is s[nk](x). Better method: inject received symbols into the syndrome LFSR at the high end: r (nk)(x) mod g(x) = xnk r(x) mod g(x) = xnk s(x) mod g(x) The corresponding circuit:
r(x) s(x)

c(x)
The syndrome circuit uses the same datapath as the systematic encoder.

EE 387 Notes #6, Page 11

Fire codes: denition

A Fire code is a cyclic code over GF(q) with generator polynomial g(x) = (x2t1 1)p(x) = x2t1 p(x) p(x) satisfying the following conditions: 1. p(x) is a prime polynomial over GF(q) of degree m and order e. 2. m t. 3. p(x) does not divide x2t1 1. 4. gcd(q, 2t 1) = 1. (This condition is always satised for q = 2m.) The blocklength n is the order of the generator polynomial g(x). Recall that the order is the smallest n > 0 such that g(x) | xn 1. Recall also that any larger n would result in minimum distance 2. In general, the order of a polynomial is the lcm of orders of its factors. In the case of Fire codes, n = lcm(e, 2t 1) .
Fire codes were discovered by Philip Fire in 1959 and were the basis for his Stanford University Engineers thesis. EE 387 Notes #6, Page 12

Fire codes: properties

Burst error correcting ability is t and m. Burst error correcting eciency is 2t . 2t 1 + m When m = t (most ecient), burst error correcting eciency is 2 2t . 3t 1 3 Error trapping decoder requires n steps. Chiens fast decoder uses partial syndromes s0(x) = r(x) mod (x2t1 1) s1(x) = r(x) mod p(x) The fast decoder corrects in (2t 1) + e n steps.
EE 387 Notes #6, Page 13

Error-trapping decoder for Fire code

Example: Generator polynomial for (35, 27) Fire code is g(x) = (x5 + 1)(x3 + x + 1) = x8 + x6 + x5 + x3 + x + 1 . This code corrects burst errors of length 3. BEC eciency: (2 3)/8 = 3/4.
r(x)

c(x)

Figure 1: Error-trapping decoder for (35, 27) Fire code

EE 387 Notes #6, Page 14

Fast decoding for Fire codes

Fire code with g(x) = (x7 + 1)(x4 + x + 1) can correct bursts of length 4. The blocklength is n = lcm(7, 15) = 105.

r(x) s0(x)

r(x) s1(x)

Syndrome computation for r = 011100100011010110111010:

0000000 1000000 0100000 1010000 1101000 1110100 0111010 1011101 0101110 0010111 0001011 1000101 0100010 1010001 1101000 0110100 0011010 1001101 1100110 0110011 0011001 0001100 1000110 0100011 0000 1000 0100 1010 1101 0010 0001 0100 1010 0101 0110 0011 0101 0110 0011 1101 1010 1101 1010 0101 0110 1011 0001 1100

EE 387 Notes #6, Page 15

Fast decoding for Fire codes (2)

The burst pattern can be identied by shifting the s0(x) syndrome register. [0] s0 (x) = 0100011 [1] b(x) = 1101 s0 (x) = 1010001 [2] s (x) = 1101000
0

Since 2 right shifts = 5 left shifts, error location satises i mod 7 = 5. s1 (x) = 1100 s1 (x) = 0110 s1 (x) = 0011
[2] [1] [0]

Determine error location by shifting s1(x) until burst b(x) is recognized.

s1 (x) = 1101 = b(x) Since 3 right shifts = 12 left shifts, error location satises i mod 15 = 12. Error location is unique solution modulo 105: i = 12.
EE 387 Notes #6, Page 16

[3]

Interleaved codes
Denition: The -way interleave of an (n, k) block code C is the (n, k) block code C {} in which each subsequence (cj , cj+, cj+2, . . . , cj+(n1) ) ,
c{3} c{1} c{0} c{2} c{4}

j = 0, 1, . . . , 1

of n codeword symbols spaced symbols apart is a codeword of C. For example,

Each row is a codeword of C. The symbols of c are transmitted by columns.

EE 387 Notes #6, Page 17

One way to represent a -way interleaved code c0 c c2 c c+1 c2+1 1 c = . . . . . . c1 c21 c31

is by a n matrix: c(n1) c(n1)+1 . ... . cn1

Interleaved codes: burst error protecting ability

Theorem: If the burst error correcting ability of C is l, then the burst error correcting ability of the -way interleave C {} is l. Proof : Consider a burst of length h in the interleaved codeword.
11 00 11 00 11 00 111 000 11 00 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 11 00 111 000 111 000 111 000 11 11 00 00 111 000 11 11 00 00 111 000 11 11 00 00 111 000 11 11 00 00 111 000

11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 11111 00000 checks

correctable burst

uncorrectable burst

5-way interleaved (24, 20) shortened Reed-Solomon code over GF(32)

Every row has h/ consecutive errors (usually at least h/ errors). A burst of length l causes a burst of length l in any row correctable. Conversely, an uncorrectable burst of length l + 1 in one row is not correctable. Its length in the serialized data is l + 1.
EE 387 Notes #6, Page 18

Interleaved codes: burst error protecting ability (2)

Burst error correcting eciency of an interleaved code is This is the same as the eciency of the base code C.
2l 2l = . (n k) nk

Interleaving is a simple, eective way to handle long bursts. Only costs: memory: the code array (except for last column) must be stored before any row decoding can be completed (n 1) symbols delay: the code array (except for last column) must be received before decoding the rst row (n 1) symbols in worst case. Storage cost can be reduced about half by using a convolutional interleaver.

The interleaver memory is split between transmitter and receiver.

EE 387 Notes #6, Page 19

Burst errors: summary

A burst error of length l is an n-tuple whose nonzero symbols are conned to a span of l symbols and no fewer. The burst error detecting ability of every (n, k) block code is n k. Every (n, k) cyclic code can detect all bursts of length n k. An (n, k) cyclic code can detect all but 2(nk) of bursts of length > n k + 1. Rieger bound: if l is the burst error correcting ability of an (n, k) linear block code, then 2l n k. Burst error correcting eciency:
2l . nk

Cyclic burst correcting codes can decode in n steps using error trapping. Fire code has generator polynomial g(x) = (x2t1 1)p(x) and can correct bursts of length m. The -way interleave of a code multiplies the burst error protection ability by .
The Rieger bound holds for all (n, k) block codes, not just linear. EE 387 Notes #6, Page 20

Subelds of nite elds

Suppose GF(q) GF(Q) have characteristic p. Then q = pm , Q = pM , mM

GF(Q) is a vector space over GF(q) of dimension n. Q = q n pM = (pm)n = pmn M = nm m | M . The exponent of the subeld divides the exponent of the extension eld. Example: Subelds of GF(235) are GF(27), GF(25), GF(2) . GF(219) is not contained in GF(235) since 19 is not a divisor of 35. Smallest subeld that contains both GF(219) and GF(235) is GF(2lcm(19,35)) = GF(21935) = GF(2665) .

GF(235 ) has additive subgroups of order 219 but no subeld of size 219 .

EE 387 Notes #6, Page 21

Examples of subelds: GF(28)

GF(28) GF(24) GF(22) GF(2). These are called tower elds GF(q 2 ).
GF(256) GF(16) GF(4) GF(2) [ 240 ] [ 12 ] [ 2] [ 2]
m

GF(4) GF(2) GF(16) GF(4) GF(256) GF(16)

two zeroes of x2 + x + 1. 12 zeroes of three prime polynomials of degree 4. x4 + x + 1, x4 + x3 + 1, x4 + x3 + x2 + x + 1 . 240 zeroes of 30 prime polynomials of degree 8. x8 + x4 + x3 + x2 + 1, . . . , x8 + x7 + x6 + x5 + x4 + x3 + 1
EE 387 Notes #6, Page 22

Examples of subelds: GF(212)

GF(4096) [4020]
2

12
3

GF(64)

[ 54 ]

GF(16)

[12]

4
3 2

GF(8) [ 6 ] GF(4) [ 2 ]
3

2
3 2

GF(2) [ 2 ]

GF(212) has 4096 64 16 + 4 = 4020 elements not in any proper subeld. Each maximally complex element of GF(212) is a zero of some prime polynomial over GF(2) of degree 12, so there are 4020 = 335 prime polynomials of degree 12. 12
6 There are (4095) = 2 4 7 12 4095 = 1728 primitive elements, so there are 3 5 13 1728 12 = 144 primitive polynomials over GF(2) of degree 12.
EE 387 Notes #6, Page 23

Conjugacy classes
GF(Q) can be partitioned into conjugacy classes for any subeld GF(q) GF(Q). Each conjugacy class consists of all the zeroes of a minimal polynomial over GF(q). Example: GF(16) GF(2). Conjugacy classes for 0 and 1 are {0} and {1}. element conjugacy class 3 5 7 {, 2, 4, 8} {5, 10} {7, 14, 13, 11} (16 = ) (20 = 5) (22 = 7) {3, 6, 12, 24 = 9} (18 = 3)

Every element of GF(Q) = GF(q m) is a power of a primitive element . Conjugacy classes can be represented by exponents (logs base ). The exponents of the members of the conjugacy class containing i are i, qi mod (Q1), q 2i mod (Q1), . . . , q r1i mod (Q1) for some r m. (In fact, r | m.)
EE 387 Notes #6, Page 24

Conjugacy classes: GF(64)

Example: GF(64) GF(2). Conjugacy classes, represented using exponents: {0} ( GF(2)) {1, 2, 4, 8, 16, 32} {3, 6, 12, 24, 48, 33} {5, 10, 20, 40, 17, 34} {7, 14, 28, 56, 49, 35} {9, 18, 36} ( GF(8)) {11, 22, 44, 25, 50, 37} {13, 26, 52, 41, 19, 38} {15, 30, 60, 57, 51, 39} {21, 42} ( GF(4)) {23, 46, 29, 58, 53, 43} {27, 54, 45} ( GF(8)) {31, 62, 61, 59, 55, 47}

Exponents in each conjugacy class are found by multiplying by 2 modulo 63. Elements with fewer than 6 conjugates belong to proper subelds. The exponents of the nonzero elements of proper subelds of GF(64). GF(2) = {0} GF(4) = {21, 42} GF(8) = {9, 18, 36}, {27, 54, 45}
EE 387 Notes #6, Page 25

Minimal polynomials for GF(64)

Exponential table for GF(64) dened by primitive polynomial x6 + x + 1:
0 8 16 24 32 40 48 56 0 100000 001100 110010 100010 100100 111101 101100 111110 1 010000 000110 011001 010001 010010 101110 010110 011111 2 001000 000011 111100 111000 001001 010111 001011 111111 3 000100 110001 011110 011100 110100 111011 110101 101111 4 000010 101000 001111 001110 011010 101101 101010 100111 5 000001 010100 110111 000111 001101 100110 010101 100011 6 110000 001010 101011 110011 110110 010011 111010 100001 7 011000 000101 100101 101001 011011 111001 011101 100000

Minimal polynomial of 9 is x3 + x2 + 1 because 9 = 000110 , 18 = 111100 , 27 = 011100 27 + 18 + 1 = 0 Minimal polynomial of 21 is x2 + x + 1 because 21 = 110111 , 42 = 010111 42 + 21 + 1 = 0 Minimal polynomial of is x6 + x + 1 .
EE 387 Notes #6, Page 26

GF(2m) arithmetic: summary

Addition/subtraction: bitwise XOR (m gates/ops) Multiplication: bit serial (shift and add) bit parallel (combinational) subeld representation log and anti-log tables software Division (reciprocal): Euclidean algorithm lookup tables sequential search time-memory tradeo exponentiation subeld representation log and anti-log tables software

Division is performed as multiplication by reciprocal: a/b = a b1 . Single-cycle division is not needed because decoders use few divides. Most multiplication and division methods take O(m2) bit operations.

EE 387 Notes #6, Page 27

Multiplication by constants
GF(2m) is a vector space over GF(2) of dimension m. We choose a basis {1, , 2, . . . , m1} for some usually a primitive element. Multiplication by constant b = b0 + b1 + + bm1m1 is a linear mapping. It can be described by an m m matrix B over GF(2). To derive the components of B, use the distributive law: a b = (a0 + a1 + + am1m1) b = a0b + a1(b) + + am1(m1b) . The products bi = ib for 0 i < m can be precomputed. The components of these vectors can be stored in a binary matrix b0 b0,0 b0,1 b0,m1 b1,1 b1,m1 b1 b1,0 B= . = . . . . ... . . . . bm1 bm1,0 bm1,1 bm1,m1

EE 387 Notes #6, Page 28

Multiplication by constants (2)

The product a b is the vector-matrix product b0,0 b0,1 b1,1 b y = a b = aB = [ a0 a1 am1 ] 1,0 . . . . bm1,0 bm1,1
m1

Each bit yj of product y is the inner product of row a with column j of B: yj =

i=0

b0,m1 b1,m1 . . ... . bm1,m1

aibi,j =

ai
i: bi,j =1

In the above formula sum is XOR, product is logical AND. Any GF(2m) scaler can be built using m(m 1) 2-input XOR gates. The typical scaler uses 1 m2 XOR gates. 2
These gate count estimates do not include the use of common subexpressions. Finding the minimum circuit is an NP-complete problem. EE 387 Notes #6, Page 29

Example: scaler in GF(26)

GF(26) = binary polynomials modulo x6 + x + 1 (a primitive polynomial). Multiplication by b = [ 1 1 0 0 0 1 ] is dened by the matrix B shown below. The rows of B are xib (i = 0, . . . , 5), msb on right. Successive rows of B are obtained by shifting previous row right using the feedback pattern [ 1 1 0 0 0 0 ] corresponding to 1 + x + x6. y0 = a0 a1 a5 1 1 0 0 0 1 1 0 1 0 0 0 y1 = a0 a2 a5 0 1 0 1 0 0 y2 = a1 a3 B = 0 0 1 0 1 0 y3 = a2 a4 0 0 0 1 0 1 y4 = a3 a5 y5 = a0 a4 1 1 0 0 1 0

The product y = a b = aB can be read from columns of B.

EE 387 Notes #6, Page 30

Matrix of multiplier matrices

The matrix Mb corresponding to multiplier b = xj mod p(x) consists of m consecutive rows xj mod p(x), . . . , xj+m1 mod p(x) from the matrix of powers of primitive element x. Since p(x) is primitive, the matrix of powers of x modulo p(x) is the same as the matrix of powers of primitive element . For GF(24), the (15 + 3) 4 matrix to the right (lsb rst) contains all multiplier matrices. For example, M7 consists of rows 1 1 1 0 M7 = 0 1 1 1 7 to 10 from this table. 0 1 1 0 0 1 1 0 i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 0 1 2 i 1000 0100 0010 0001 1100 0110 0011 1101 1010 0101 1110 0111 1111 1011 1001 1000 0100 0010

EE 387 Notes #6, Page 31

General multiplication
Let GF(2m) be polynomials over GF(2) modulo prime p(x) of degree m. For a(x), b(x) in GF(2m) let ti = a(x)b(x) = (t0 + t1x + + tm1xm1 + tmxm + + t2m2x2m2) mod p(x) = t0 + t1x + + tm1xm1 + tm(xm mod p(x)) + + t2m2(x2m2 mod p(x)) We can precompute the m 1 polynomials xm mod p(x), . . . , x2m2 mod p(x) and store them as rows of (m 1) m binary matrix: m m x mod p(x) xm+1 mod p(x) m+1 = . T = . . . x2m2 mod p(x) 2m2 Rows of T are obtained by shifts with feedback corresponding to p(x).
EE 387 Notes #6, Page 32

i j=0 aj bij

be the coecient of xi in a(x)b(x).

General multiplication (2)

The product y = a b can be expressed in matrix notation: y = (a0, . . . , am1 ) (b0, . . . , bm1) = [ t0, t1, . . . , tm1 ] + [ tm, . . . , t2m2 ] T = [ t0, t1, . . . , t2m2 ] I . T

where I is the m m identity matrix and T is (m 1) m. Low-level computational formula for product bits yj for j = 0, . . . , m 1:
m2 j m2 m1

yj = tj +
i=0

tm+iTij =
l=0

al bjl +
i=0

Tij
l=i+1

albm+il .

Each bit of the product vector is a sum of a subset of the produt terms aibj .

The product vector consists of m bilinear functions of a and b . EE 387 Notes #6, Page 33

General multiplication example

GF(24) can be dened by any of three prime polynomials over GF(2): p1(x) = x4 + x + 1 , p2(x) = x4 + x3 + 1 , p3(x) = x4 + x3 + x2 + x + 1 The respective T matrices are 1 0 0 1 1 1 0 0 T1 = 0 1 1 0 , T2 = 1 1 0 1 , 1 1 1 1 0 0 1 1 The equations for the product dened using T3: 1 1 1 1 [ y0, y1, y2 , y3 ] = [ t0, t1, t2, t3 ] + [ t4, t5, t6 ]1 0 0 0 0 1 0 0 1 1 1 1 T3 = 1 0 0 0 0 1 0 0

= [ t0 t4 t5, t1 t4 t6, t2 t4, t3 t4 ] .

Even though p3 (x) is not primitive, it is prime and can be used to dene GF(24). EE 387 Notes #6, Page 34

General multiplication example (2)

Expanding the matrix form yields these Boolean equations: t0 t1 t2 t3 t4 t5 t6 = a0 b 0 = a0 b 1 a1 b 0 = a0 b 2 a1 b 1 a2 b 0 = a0 b 3 a1 b 2 a2 b 1 a3 b 0 = a1 b 3 a2 b 2 a3 b 1 = a2 b 3 a3 b 2 = a3 b 3 y0 y1 y2 y3 = t0 t4 t5 = t1 t4 t6 = t2 t4 = t3 t4

For every GF(2m) every product aibj appears in at least one equation. Therefore m2 AND gates are needed by the obvious method. The number of XOR gates is (m 1)2 to compute {t0, t1, . . . , t2m2} plus the number of 1s in T to compute {y0 , y1, . . . , ym1 } from {t0, t1, . . . , t2m2}. Polynomials like x6 + x + 1 result in T matrices with few 1s.
We ignore common subexpression simplication. EE 387 Notes #6, Page 35

Multiplication using subeld representation

Galois elds can be represented using subelds larger than the eld integers. GF(22m) = pairs from GF(2m) mod degree 2 prime polynomial over GF(2m). Good choice: prime quadratic of the form x2 + x + 1, where is in GF(2m). a b = (a0 + a1x)(b0 + b1x) = a0b0 + (a0b1 + a1b0)x + a1b1x2 = a0b0 + (a0b1 + a1b0)x + a1b1(x + 1) = (a0b0 + a1b1) + (a0b1 + a1b0 + a1b1)x Final answer: components of (y0, y1) = (a0, a1) (b0, b1) are y0 = a0b0 + a1b1 y1 = a0b1 + a1b0 + a1b1 The only common subexpression is a1b1, which aects both y0 and y1.

EE 387 Notes #6, Page 36

Multiplication using subeld representation (2)

Multiplication in GF(22m) uses operations in the subeld GF(2m). In the circuit below, there are four multipliers, one scaler, and three adders. a0 a1 b0 b1 The multiplications could be performed in parallel, sequentially, or two at a time. We can trade o between time and gates. y1 y0

EE 387 Notes #6, Page 37

Reciprocals: Euclidean algorithm

Suppose GF(Q) is represented by polynomials modulo prime polynomial p(x). Extended Euclidean algorithm for gcd(r(x), p(x)) nds a(x), b(x) such that a(x)r(x) + b(x)p(x) = gcd(r(x), p(x)) = 1 If deg p(x) = m, algorithm takes O(m) operations on m-digit registers. Implementation is straightforward. Drawback: O(m) clocks. Remainders ri(x) and coecients ai(x) can share memory. p(x) r(x)

a(x) The nal remainder r is a constant, and the reciprocal is r 1a(x).

EE 387 Notes #6, Page 38

Reciprocals: table lookup

Store precomputed reciprocals in 2m m ROM. For current gate arrays, one bit of ROM costs about 1/8 of 2-input NAND gate. Reciprocal table for GF(28) costs 256 gates. Combinational multiplier for GF(28) uses 64 ANDs + 66 XORs 260 gates. However, lookup tables are not as feasible for larger elds. For example, the gate equivalent of a reciprocal table for GF(210) is about
1 210 10 = 1280 8

This is much larger than about 400 gates for a combinational multiplier.

The lookup table size can be reduced by using precomputation to transform the input to a value whose reciprocal is known, then postcomputation to adjust the inverse. For example, if the inverse of i is (obtained from a table) then the inverse of is i . EE 387 Notes #6, Page 39

Sequential search
The reciprocal of a can be found by testing a b = 1 for each element b of GF(2m). All nonzero values b can be generated using a maximum-length linear feedback shift register. For example, when eld is dened by p(x) = x5 + x2 + 1:

initial value: a nal value: 1

initial value: 1 nal value: a1

Shifting a register multiplies the contents by the primitive element . The left shift register is loaded with a while the right shift register is loaded with 1. The registers are shifted simultaneously until the left shift register reaches 1. After every shift, the ratio of the left register to the right register is a. If i is the number of shifts needed, then a i = 1, so the value i in the right shift register is the reciprocal of a.
EE 387 Notes #6, Page 40

Time-memory tradeo
An associative memory such as a hash table can be used to reduce the number of clocks needed to nd the reciprocal without using a complete lookup table. For example, suppose we store the reciprocals of 16i for i = 0, 1, . . . , (2m)/16, The following program fragment nds the reciprocal of a in at most 16 steps: for (i = 0; i < 16; i++) { if (a i is in reciprocal table) { return i reciprocal(a i) ; } } The search time can be decreased by using a larger associative memory.

The same approach can be used to reduce the storage needed for computing the discrete logarithm from 2m entries for a direct table lookup to (2m)/c entries if c lookups are used.

EE 387 Notes #6, Page 41

Reciprocals: exponentiation
If is any nonzero element of GF(q) then q1 = 1. Therefore 1 = q2 . Powers of can be computed eciently by squaring and multiplying by . Binary representation of 2m 2 contains m bits: 11 102 .

square initial value: 1

The successive values of the storage element are 1 , 2 , 6 , 14 , . . . , 2 We obtain 2

m m

= 1 in m 1 clocks, one multiply/squaring per clock.

In GF(2m) squaring is linear and can be represented by an m m binary matrix.

EE 387 Notes #6, Page 42

Reciprocals: subeld representation

Suppose GF(22m) = pairs from GF(2m) modulo prime x2 + x + 1 over GF(2m). Special case: x + b. Use Euclidean algorithm to compute (x + b)1 : x2 + x + 1 = (x + b)(x + ( + b)) + (b2 + b + 1) +b 1 x + ( + b) = 2 + 2 x b2 + b + 1 b + b + 1 b + b + 1 In general, the reciprocal of an arbitrary element ax + b (a = 0): (x + b)1 = (ax + b)1 = a1 (x + b/a)1 = = x + ( + b/a) a((b/a)2 + (b/a) + 1)

ax + (a + b) a + b a = 2 + 2 x b2 + ab + a2 b + ab + a2 b + ab + a2

Denominator = 0 because a = 0 and x2 + x + 1 is prime. Computation of (ax + b)1 uses operations from the subeld GF(2m): one inverse, one scaler, one squaring, and three multiplications.
EE 387 Notes #6, Page 43

Reciprocals: recursive combinational circuit

If is in GF(22m), then ( 2
m m

+1 2m 1

= (2

+1)(2m1)

= 2

2m

= 1.

Since order of 2 +1 divides 2m 1, it belongs to small subeld GF(2m). Its reciprocal can be computed using a small circuit. Example: Reciprocal circuit for GF(28) = GF((24)2):

16-th power

17
16

inverse in GF(16)

17

Circuit for 2 is linear, uses 1 m2 XOR gates. Multipliers use O(m2) gates. 2 Subeld reciprocal unit is small. Overall cost of circuit 3 general multipliers.

This method was discovered by Itoh and Tsujii in 1988. Hardware implementations of Galois eld arithmetic are presented in Christof Paars 1994 University of Essen doctoral thesis, Ecient VLSI Architectures for Bit-Parallel Computation in Galois Fields. EE 387 Notes #6, Page 44