Circuits and methods for performing exponentiation and inversion of finite field elements

Abstract

An exponentiation circuit for computing an exponential power of a finite field element includes combinatory logic circuits that map input digits of a multi-digit field element β to output digits of an output multi-digit field element β2m. The exponentiation circuit is capable of computing a power of a field element without performing any multiplication operations and requires only exclusive-OR logic operations to generate the output exponential field element. A circuit for generating a multiplicative inverse of a finite field element can be constructed from a set of parallel exponentiation circuits, with each of the parallel exponentiation circuits generating a different multi-digit field element β2m directly from the input field element β. Multiplier circuits multiply together the outputs of the parallel exponentiation circuits to generate the multiplicative inverse of the field element β.

Description

BACKGROUND

Communication systems, particularly wireless communications and high-speed transmissions, often require the use of forward error correction algorithms to identify bit errors in received signals. Finite field arithmetic is highly useful in such forward error correction algorithms. Encryption algorithms also commonly use finite field arithmetic.

A finite field, commonly called a Galois field, is a field that contains only a finite number of numerical elements. One example of a Galois field is a set of five-digit binary numbers. There are a total of 32 such numbers and, for example, 31 of those numbers could constitute a Galois field. An important characteristic of a Galois field is that the arithmetic operators (addition, subtraction, multiplication, and division) are defined such that any arithmetic operation performed on elements of the field will always yield one of the elements in the field. In the binary example given, the addition and subtraction operations can be carried out as exclusive-OR (XOR) logic operations, and multiplication can be carried out as logical shifts, AND, and XOR operations. Note that in some cases, such operations will yield results that are not within the set of five-digit numbers. However, as applied within the Galois field, these arithmetic operations are defined using an irreducible generator polynomial which creates a modulo operation on the result, whereby the result remains within the Galois field (i.e., the result is one of the finite number of elements).

In the discipline of Galois field mathematics, addition, subtraction, and multiplication of field elements are well understood, and these operations can be mapped efficiently into hardware or software domains. However, dividing one field element by another in a Galois field does not map very efficiently into either of the hardware or software domains. The most accepted way of performing division is to multiply the dividend by the multiplicative inverse of the divisor, as follows:β_i/β_j=β_i×β_j⁻¹  (1)where, β_i, and β_j are elements of the field. The multiplicative inverse of an element of a Galois field can be found either by using a ROM-based a look-up table (LUT) or by using a recursive circuit to implement Fermat's Little Theorem (Pierre de Fermat, first published in 1640). Using the look-up table approach, the function requires a fair amount of memory to implement, specifically 2^m×m, where 2^m=N+1, and N is the number of elements in the Galois field.

Fermat's Little Theorem states that, for any Galois field element β, the multiplicative inverse can be found by computing β⁻¹=β^N−2, where N is the total number of elements in the field. β^N−2 can be found recursively via two methods:β⁻¹=β^N−2=β²×β⁴×β⁸× . . . ×β^2m−1  (2)β⁻¹=β^N−2=(β× . . . (β×(β×β²)²)² . . . )²  (3)where 2^m=N+1. Using equation (2), the ability to efficiently raise a Galois field element to a power of 2^m, i.e., 2, 4, 8, etc., is of critical importance. In equation (3), it is the ability to efficiently square a Galois field element that is the most critical item. For either recursive approach, the β^m operation is performed via a recursive application of a squaring operation, which is accomplished by multiplying the field element by itself.

FIG. 1 illustrates a serial computation architecture 100 required to implement the approach of equation (2). In particular, a squaring operation 102 denoted by ( )² is performed on the element β to produce β². A second squaring operation 104 is performed on the output β² of the first squaring operation 102 to produce β⁴. A first multiplication operation 106 is then performed on the outputs of the first and second squaring operations 102 and 104 (β² and β⁴) to yield β⁶. A third squaring operation 108 is performed on the output β⁴ of the second squaring operation 104 to produce β⁸. A second multiplication operation 110 is then performed on the outputs of the first multiplication operation 106 (β⁶) and the third squaring operation 108 (β⁸) to yield β¹⁴. This process is repeated for m−2 stages until the output of the multiplier of the m−2^th stage yields β^N−2. For example, where m=5 and 2^m=N+1=32, the circuit in FIG. 1 would include one additional stage with squaring operation 112 and multiplication operation 114 to yield an output value β³⁰=β⁻¹. Each of the squaring operations and multiplication operations can be carried out by performing an actual multiplication operation in hardware or software or by using a look-up table.

FIG. 2 illustrates the serial computation architecture 200 required to implement the approach of equation (3). In particular, a squaring operation 202 denoted by ( )² is performed on the element β to produce β². A second squaring operation 204 is performed on the output β² of the first squaring operation 202 to produce β⁴. A first multiplication operation 206 is then performed on the outputs of the first and second squaring operations 202 and 204 (β² and β⁴) to yield β⁶. A third squaring operation 208 is performed on the output β⁶ of the first multiplication operation 206 to produce β¹². A second multiplication operation 210 is then performed on the output of the third squaring operation 208 (β¹²) and the output of the first squaring operation 202 (β²) to yield β¹⁴. This process is repeated for m−2 stages until the output of the m−2^th stage yields β^N−2. For example, where m=5 and 2^m=N+1=32, the circuit in FIG. 2 would include one additional stage with squaring operation 212 and multiplication operation 214 to yield an output value β³⁰=β⁻¹.

The types of serial architecture shown in FIGS. 1 and 2 have long computation delays, decreasing the data throughput. Accordingly, there remains a need for an efficient approach to computing the multiplicative inverse of elements in a Galois field.

SUMMARY

A technique is described herein for constructing a field exponentiation circuit to any power of 2^m based upon matrix algebra, which greatly reduces the amount of hardware required, reduces the processing delay through the circuit, and increases data throughput. The field exponentiation circuit is particularly useful for computing powers of an element of a Galois field having an exponent of 2^m (i.e., powers of 2, 4, 8, 16, etc.), which can be used to compute the multiplicative inverse of the element as necessary to carry out division.

In accordance with one embodiment, an exponentiation circuit for computing an exponential power of a finite field element includes combinatory logic circuits that map input digits (e.g., bits) of a multi-digit field element β to output digits (bits) of an output multi-digit field element β^2m. Certain output digits are generated by the combinatory logic circuits as logical combinations of certain input digits. In some instances, at least some of the output digits are generated by the combinatory logic circuits from only one of the input digits by directly mapping an input digit to an output digit.

An underlying exponentiation matrix determines the mapping of the input bits to the output bits and can be implemented in combinatory logic circuits requiring only exclusive-OR combinations. In this manner, the exponentiation circuit is capable of computing a power of a field element without performing any multiplication operations.

A circuit for generating a multiplicative inverse of a finite field element can be constructed from a plurality of parallel exponentiation circuits, with each of the parallel exponentiation circuits generating a different multi-digit field element β^2m directly from the input field element β. Multiplier circuits multiply together the outputs of the parallel exponentiation circuits to generate the multiplicative inverse of the field element β. The underlying matrix algebra concept can be further extended to construct circuits that multiply a finite field element by a constant using only combinatory logic circuits.

The above and still further features and advantages of the present invention will become apparent upon consideration of the following definitions, descriptions and descriptive figures of specific embodiments thereof wherein like reference numerals in the various figures are utilized to designate like components. While these descriptions go into specific details of the invention, it should be understood that variations may and do exist and would be apparent to those skilled in the art based on the descriptions herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a serial computation architecture for computing a multiplicative inverse of an element of a Galois field.

FIG. 2 is a block diagram illustrating another serial computation architecture for computing a multiplicative inverse of an element of a Galois field.

FIG. 3 is a block diagram illustrating a parallel computation architecture for computing a multiplicative inverse of an element of a Galois field in accordance with an embodiment of the invention.

FIGS. 4A-D are circuit diagrams illustrating logic circuits for generating powers of an element of a Galois field required to compute the multiplicative inverse of the element for a specific generator polynomial.

FIG. 5 is a flow diagram illustrating operations to perform exponentiation of an element of a Galois field and to generate a multiplicative inverse of an element of a Galois field in accordance with an embodiment of the invention.

FIG. 6 is a circuit diagram illustrating logic circuits for multiplying an element of a Galois field by a constant according to another embodiment of the invention.

DETAILED DESCRIPTION

The invention described herein presents a novel technique for constructing a field exponentiation circuit to any power of 2^m based upon matrix algebra, which greatly reduces the amount of hardware required, reduces the processing delay through the circuit, and increases the data throughput. The field exponentiation circuit is particularly useful for computing powers of an element of a Galois field having an exponent of 2^m (i.e., powers of 2, 4, 8, 16, etc.), which can be used to compute the multiplicative inverse of the element as necessary to carry out division in accordance with equation (1).

FIG. 3 is a block diagram illustrating the circuit topology for the approach described herein. The architecture depicted in FIG. 3 is a conceptual diagram illustrating major functional units, and does not necessarily illustrate physical relationships. Like the circuit topology shown in FIG. 1, powers of 2^m of an input element β are computed to support determination of the multiplicative inverse β⁻¹ according to equation (2) above. However, the circuit topology shown in FIG. 3 has the advantage of computing the several β^2m component values in parallel and computing products of these values in parallel, which decreases the data throughput delay. In particular, the input element β whose inverse is to be determined is supplied directly to each exponentiation circuit 302, 304, 306, and 308 in parallel. Exponentiation circuit 302 generates an output β². In parallel with circuit 302, exponentiation circuit 304 generates an output β⁴, exponentiation circuit 306 generates an output β⁸, exponentiation circuit 308 generates an output β¹⁶, and so on up to β^2m−1. Note that all of these circuits generate their respective power of β directly from the input of the element β itself. None of the outputs of any of the exponentiation circuits is used as an input to any other exponentiation circuits.

As shown in FIG. 3, the outputs of exponentiation circuits are multiplied together to generate the final output. In particular, a multiplication circuit 310 performs a multiplication operation on the output of exponentiation circuit 302 (β²) and the output of exponentiation circuit 304 (β⁴) to yield β⁶. Likewise, a multiplication circuit 312 performs a multiplication operation on the output of exponentiation circuit 306 (β⁸) and the output of exponentiation circuit 308 (β¹⁶) to yield β²⁴. Higher order exponential terms are multiplied in pairs in the same manner, as applicable, depending on the value of m, up to the power of 2^m−1 (i.e., up to β^2m−1). In the case of m=5 and 2^m=N+1=32, exponentiation circuit 308 is the highest order required. In this case, to compute the inverse of element β, a multiplication circuit 314 performs a multiplication operation on the output of multiplication operation 310 (β⁶) and the output of multiplication operation 312 (β²⁴) to yield β³⁰=β^N−2=β⁻¹. The multiplication circuits 310, 312, and 314 shown in FIG. 3 can be implemented in hardware and/or software and can carry out a multiplication operation or be implemented as a look-up table.

As explained below in greater detail, the technique described herein is capable of generating the β^2m elements in a manner that both requires less circuitry and that is considerably faster than traditional circuitry. Each of the parallel exponential stages requires only simple logic circuitry to generate the output exponential value from the input element value and completely avoids the need to perform multiplication operations in the exponential stages or the need for a serial arrangement of any exponential stages. As used herein and in the claims, the terms “circuit” and “circuitry” refer to any hardware, software, look-up table, or combinations thereof for performing logical or arithmetic operations. Thus, for example, any of the exponential operations, multiplication operations, and logical components thereof shown in the figures can be implemented in hardware, software, look-up tables, or combinations thereof, and the terms “circuit” and “circuitry” are to be understood to cover any of these implementations.

The derivation of the 2^m circuit elements 302, 304, 306, and 308 shown in FIG. 3 is as follows:

Given that β is an element of a Galois field of size 2ⁿ (βεGF(2ⁿ)), β may be represented as:

$\begin{array}{cc}\beta =\sum _{i=0}^{n-1}{\beta }_i{\alpha }^i,{\beta }_i\in \left\{0,1\right\}& \left(4\right)\end{array}$

Staying with the example described above, where m=5, each element β in the field would be a five-digit binary number. If each digit (bit) is assigned a subscript designating its order, the element β can be expressed as: β₄, β₃, β₂, β₁, β₀. For example, if β=11010, then β₄=1, β₃=1, β₂=0, β₁=1, and β₀=0.

Using the standard algebraic sum of partial sums method, β² is computed as follows:

$\frac{\begin{array}{c}{\beta }_4{\alpha }^4+{\beta }_3{\alpha }^3+{\beta }_2{\alpha }^2+{\beta }_1{\alpha }^1+{\beta }_0{\alpha }^0\times \\ \underset{\_}{{\beta }_4{\alpha }^4+{\beta }_3{\alpha }^3+{\beta }_2{\alpha }^2+{\beta }_1{\alpha }^1+{\beta }_0{\alpha }^0}\\ {\beta }_4{\beta }_0{\alpha }^4+{\beta }_3{\beta }_0{\alpha }^3+{\beta }_2{\beta }_0{\alpha }^2+{\beta }_1{\beta }_0{\alpha }^1+{\beta }_0^2{\alpha }^0\\ {\beta }_4{\beta }_1{\alpha }^5+{\beta }_3{\beta }_1{\alpha }^4+{\beta }_2{\beta }_1{\alpha }^3+{\beta }_1^2{\alpha }^2+{\beta }_1{\beta }_0{\alpha }^1\\ {\beta }_4{\beta }_2{\alpha }^6+{\beta }_3{\beta }_2{\alpha }^5+{\beta }_2^2{\alpha }^4+{\beta }_2{\beta }_1{\alpha }^3+{\beta }_2{\beta }_0{\alpha }^2\\ {\beta }_4{\beta }_3{\alpha }^7+{\beta }_3^2{\alpha }^6+{\beta }_3{\beta }_2{\alpha }^5+{\beta }_3{\beta }_1{\alpha }^4+{\beta }_3{\beta }_0{\alpha }^3\\ {\beta }_4^2{\alpha }^8+{\beta }_4{\beta }_3{\alpha }^7+{\beta }_4{\beta }_2{\alpha }^6+{\beta }_4{\beta }_1{\alpha }^5+{\beta }_4{\beta }_0{\alpha }^4\end{array}}{\begin{array}{ccccc}{\beta }_4^2{\alpha }^8+& {\beta }_3^2{\alpha }^6+& {\beta }_2^2{\alpha }^4+& {\beta }_1^2{\alpha }^2+& {\beta }_0^2{\alpha }^0\end{array}}$

Note that because polynomial arithmetic is being used (addition and subtraction are exclusive-OR operations), the sums of identical terms cancel, leaving only the β_i²α²ⁱ terms. In addition, note that from equation (4), β_iε{0,1}, thus β_i²=β_i.

Therefore

$\begin{array}{cc}{\beta }^2=\sum _{i=0}^{n-1}{\beta }_i{\alpha }^{\alpha i}& \left(5\right)\end{array}$

To compute β⁴, we note that

$\begin{array}{cc}{\beta }^4={\beta }^2\times {\beta }^2=\left(\sum _{i=0}^{n-1}{\beta }_i{\alpha }^{2i}\right)\times \left(\sum _{i=0}^{n-1}{\beta }_i{\alpha }^{2i}\right)& \left(6\right)\end{array}$

As was shown for β², the cross products of the two summations equal 0, leaving only the β_i²α⁴ⁱ terms, which reduces to

$\begin{array}{cc}{\beta }^4=\sum _{i=0}^{n-1}{\beta }_i{\alpha }^{4i}& \left(7\right)\end{array}$ since β_iε{0,1} and β_i⁴=β_i. By extension, it follows that this relationship holds for all non-negative powers of 2, i.e., β^2m:

$\begin{array}{cc}{\beta }^{2m}=\sum _{i=0}^{n-1}{\beta }_i{\alpha }^{2^{m}i},m\in \{0,1,2,\dots \}& \left(8\right)\end{array}$

In order to create an efficient method of computing β^2m, equation (8) is restated using the following matrix relationship:

$\begin{array}{cc}{\beta }^{2^m}={\theta }^{2^m}\times \beta \mathrm{where}{\theta }^{2^m}={\left[\begin{array}{c}{\left({\alpha }^{n-1}\right)}^{2^m}\\ {\left({\alpha }^{n-2}\right)}^{2^m}\\ \dots \\ {\left({\alpha }^1\right)}^{2^m}\\ {\left({\alpha }^0\right)}^{2^m}\end{array}\right]}^T\mathrm{and}\beta =\left[\begin{array}{c}{\beta }_{n-1}\\ {\beta }_{n-2}\\ \dots \\ {\beta }_1\\ {\beta }_0\end{array}\right]& \left(9\right)\end{array}$

η^2m is an exponentiation matrix and is equal to the transform of the first n elements of the field raised to the 2^m power. This matrix is multiplied by the vector form of the field value, using standard sum of product computations, to generate the result. Note that the transform matrix will contain only values of 0 and 1, thereby greatly simplifying the array computations. Also note that the transform matrix is a constant given a specific generator polynomial, and thus can be pre-computed. The result is a simple transformation of the input field value.

Briefly, a generator polynomial is an equation used to adapt the arithmetic operations in a Galois field in a modulo manner such that any arithmetic operation on elements of the field result in another element of the field. For example, suppose the digits of β in the foregoing example are coefficients of a polynomial:β₄α⁴+β₃α³+β₂α²+β₁α¹+β₀α⁰  (10)

If, for example, this expression is squared, there will be terms with exponents of a greater than α⁴ with non-zero coefficients, which would inherently be outside of the field. The polynomial generator in effect maps higher order terms back into the terms of the field in a deterministic manner when performing arithmetic operations. This will be demonstrated with an example below. While the technique described herein employs a particular Galois field and a particular generator polynomial, it will be appreciated that the invention is not limited to any particular Galois (finite) field or field size or any particular generator polynomial, and the concepts described herein can be applied to other finite fields and other generator polynomials.

Given a method for constructing a circuit to compute β^2m, an efficient multiplicative inversion technique can be constructed, using the equality from equation (2). Note that all the terms of equation (2) are of the form β^2m and are functions of the input field value β. Therefore, all the terms can be computed in parallel and the product can be computed using a balanced multiplication tree, as shown previously in FIG. 3. The circuit also uses the pre-computed exponentiation matrix that is both smaller and faster than traditional circuitry.

By way of example, given a field over GF(2⁵) with a generator polynomial of α⁵+α²+1 (00101₂), the β^2m operations are computed as follows:

$\begin{array}{cc}{\theta }^2={\left[\begin{array}{c}{\left({\alpha }^{n-1}\right)}^2\\ {\left({\alpha }^{n-2}\right)}^2\\ \dots \\ {\left({\alpha }^1\right)}^2\\ {\left({\alpha }^0\right)}^2\end{array}\right]}^T={\left[\begin{array}{c}{\left({\alpha }^4\right)}^2\\ {\left({\alpha }^3\right)}^2\\ {\left({\alpha }^2\right)}^2\\ {\left({\alpha }^1\right)}^2\\ {\left({\alpha }^0\right)}^2\end{array}\right]}^T={\left[\begin{array}{ccccc}0& 1& 1& 0& 1\\ 0& 1& 0& 1& 0\\ 1& 0& 0& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 1\end{array}\right]}^T=\left[\begin{array}{ccccc}0& 0& 1& 0& 0\\ 1& 1& 0& 0& 0\\ 1& 0& 0& 1& 0\\ 0& 1& 0& 0& 0\\ 1& 0& 0& 0& 1\end{array}\right]& \\ {\theta }^4={\left[\begin{array}{c}{\left({\alpha }^{n-1}\right)}^4\\ {\left({\alpha }^{n-2}\right)}^4\\ \dots \\ {\left({\alpha }^1\right)}^4\\ {\left({\alpha }^0\right)}^4\end{array}\right]}^T={\left[\begin{array}{c}{\left({\alpha }^4\right)}^4\\ {\left({\alpha }^3\right)}^4\\ {\left({\alpha }^2\right)}^4\\ {\left({\alpha }^1\right)}^4\\ {\left({\alpha }^0\right)}^4\end{array}\right]}^T={\left[\begin{array}{ccccc}1& 1& 0& 1& 1\\ 0& 1& 1& 1& 0\\ 0& 1& 1& 0& 1\\ 1& 0& 0& 0& 0\\ 0& 0& 0& 0& 1\end{array}\right]}^T=\left[\begin{array}{ccccc}1& 0& 0& 1& 0\\ 1& 1& 1& 0& 0\\ 0& 1& 1& 0& 0\\ 1& 1& 0& 0& 0\\ 1& 0& 1& 0& 1\end{array}\right]& \\ {\theta }^8={\left[\begin{array}{c}{\left({\alpha }^{n-1}\right)}^8\\ {\left({\alpha }^{n-2}\right)}^8\\ \dots \\ {\left({\alpha }^1\right)}^8\\ {\left({\alpha }^0\right)}^8\end{array}\right]}^T={\left[\begin{array}{c}{\left({\alpha }^4\right)}^8\\ {\left({\alpha }^3\right)}^8\\ {\left({\alpha }^2\right)}^8\\ {\left({\alpha }^1\right)}^8\\ {\left({\alpha }^0\right)}^8\end{array}\right]}^T={\left[\begin{array}{ccccc}0& 0& 0& 1& 0\\ 1& 1& 1& 1& 0\\ 1& 1& 0& 1& 1\\ 0& 1& 1& 0& 1\\ 0& 0& 0& 0& 1\end{array}\right]}^T=\left[\begin{array}{ccccc}0& 1& 1& 0& 0\\ 0& 1& 1& 1& 0\\ 0& 1& 0& 1& 0\\ 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1\end{array}\right]& \\ {\theta }^{16}={\left[\begin{array}{c}{\left({\alpha }^{n-1}\right)}^{16}\\ {\left({\alpha }^{n-2}\right)}^{16}\\ \dots \\ {\left({\alpha }^1\right)}^{16}\\ {\left({\alpha }^0\right)}^{16}\end{array}\right]}^T={\left[\begin{array}{c}{\left({\alpha }^4\right)}^{16}\\ {\left({\alpha }^3\right)}^{16}\\ {\left({\alpha }^2\right)}^{16}\\ {\left({\alpha }^1\right)}^{16}\\ {\left({\alpha }^0\right)}^{16}\end{array}\right]}^T={\left[\begin{array}{ccccc}0& 0& 1& 0& 0\\ 1& 0& 0& 1& 1\\ 0& 0& 0& 1& 0\\ 1& 1& 0& 1& 1\\ 0& 0& 0& 0& 1\end{array}\right]}^T=\left[\begin{array}{ccccc}0& 1& 0& 1& 0\\ 0& 0& 0& 1& 0\\ 1& 0& 0& 0& 0\\ 0& 1& 1& 1& 0\\ 0& 1& 0& 1& 1\end{array}\right]& \end{array}$

To assist with understanding, an explanation of how the elements of matrix θ² are generated is provided. The same methodology can be extended to matrices θ⁴, θ⁸, and θ¹⁶ in a straightforward manner. In the matrix representation, α⁰ is expressed as the row of values 00001, α¹ is expressed as the row of values 00010, α² is expressed as the row of values 00100, α³ is expressed as the row of values 01000, and α⁴ is expressed as the row of values 10000.

The bottom row of the transposed θ² matrix is (α⁰)²=α⁰=00001.

The second row from the bottom of the transposed θ² matrix is (α¹)²=α²=00100.

The middle row of the transposed θ² matrix is (α²)²=α⁴=10000.

The second row from the top of the transposed θ² matrix is (α³)²=α⁶. Representing α⁶ in the matrix requires consideration of the generator polynomial, α⁵+α²+1=0. Using polynomial algebra (addition and subtraction are the XOR operation), this polynomial can be rewritten as α⁵=α²+1, or α⁵=α²+α⁰. Consequently, α⁶ can be rewritten as α⁶=α¹α⁵. Substituting α²+α⁰ for α⁵ yields α⁶=α¹(α²+α⁰)=α³+α¹, which is expressed as 01010 in the matrix, since only α³ and α¹ have a coefficient of 1.

The top row of the transposed θ² matrix is (α⁴)²=α⁸. Repeatedly using the substitution α⁵=α²+α⁰ yields: α⁸=α³α⁵=α³(α²+α⁰)=α⁵+α³=(α²+α⁰)+α³=α³+α²+α⁰, which is expressed as 01101 in the matrix. By performing similar substitutions with higher order terms of α, the matrix elements of θ⁴, θ⁸, θ¹⁶ shown above can readily be determined.

To illustrate the application of the exponentiation matrix θ^2m, β² is found using the following equation (again noting that addition is carried out as a logical exclusive-OR operation):

${\beta }^2={\theta }^2\times \beta =\left[\begin{array}{ccccc}0& 0& 1& 0& 0\\ 1& 1& 0& 0& 0\\ 1& 0& 0& 1& 0\\ 0& 1& 0& 0& 0\\ 1& 0& 0& 0& 1\end{array}\right]\times \left[\begin{array}{c}{\beta }_4\\ {\beta }_3\\ {\beta }_2\\ {\beta }_1\\ {\beta }_0\end{array}\right]=\left[\begin{array}{c}{\beta }_2\\ {\beta }_4\oplus {\beta }_3\\ {\beta }_4\oplus {\beta }_1\\ {\beta }_3\\ {\beta }_4\oplus {\beta }_0\end{array}\right]$

This array maps into the digital logic circuit shown in FIG. 4A. In other words, for this particular generator polynomial, the exponentiation circuit 302 shown in FIG. 3 can be implemented with the logic circuit shown in FIG. 4A. In particular, the five bits β₄, β₃, β₂, β₁, and β₀ of an input element β are mapped into the five bits of the output β² as follows:β₄²=β₂,β₃²=β₄⊕β₃,β₂²=β₄⊕β₁,β₁²=β₃, andβ₀²=β₄⊕β₁,

Therefore, computing β² over GF(2⁵) with a generator polynomial of α⁵+α²+1 requires three 2-input Exclusive-OR functions. If implemented in a field programmable gate array (FPGA), a total of three logic elements (look up tables, or LUTS) would be required to perform the operation.

FIGS. 4B-4D show the logic diagrams for the remaining required β^2m operations, namely, the β⁴, β⁸, and β¹⁶ exponential generators 304, 306, and 308 of FIG. 3, respectively, for this polynomial generator example. More specifically, the β⁴ exponential generator 304 shown in FIG. 4B maps the input bits of an element β into the output bits of β⁴. In accordance with equation (9), β⁴=θ⁴×β. For the matrix θ⁴ given above for this generator polynomial, the bits of β⁴ are determined as:β₄⁴=β₄⊕β₁,β₃⁴=β₄⊕β₃⊕β₂,β₂⁴=β₃⊕β₂,β₁⁴=β₄⊕β₃, andβ₀⁴=β₄⊕β₂⊕β₀.

The β⁸ exponential generator 306 shown in FIG. 4C maps the input bits of an element β into the output bits of β⁸. In accordance with equation (9), β⁸=θ⁸×β. For the matrix θ⁸ given above for this generator polynomial, the bits of β⁸ are determined as:β₄⁸=β₃⊕β₂,β₃⁸=β₃⊕β₂⊕β₁,β₂⁸=β₃⊕β₁,β₁⁸=β₄⊕β₃⊕β₂, and

The β¹⁶ exponential generator 308 shown in FIG. 4D maps the input bits of an element β into the output bits of β¹⁶. In accordance with equation (9), β¹⁶=θ¹⁶×β. For the matrix θ¹⁶ given above for this generator polynomial, the bits of β¹⁶ are determined as:β₄¹⁶=β₃⊕β₁,β₃¹⁶=β₁,β₂¹⁶=β₄,β₁¹⁶=β₃⊕β₂⊕β₁, andβ₀¹⁶=β₃⊕β₁⊕β₀.

Examining the remaining β^2m operators, a total of 23 2-input exclusive-OR functions are required to perform all the field exponentiation operations β², β⁴, β⁸, and β¹⁶. Even fewer are required if certain redundancy is eliminated. For example, two of the two-input exclusive-OR functions of the β⁴ exponentiation circuit 304 shown in FIG. 4B have the same inputs β₃ and β₄. Instead, a single exclusive-OR function could be used whose output is used both as the output β₁⁴ and as an input to another two-input exclusive-OR function along with β₂ to produce β₃⁴. Ignoring the savings gained by eliminating such redundancy, the total number of exclusive-OR operations required to generate the exponential values in this example is broken down in Table 1.

TABLE 1
Galois field Exponentiation Function Requirements
		Exclusive-OR	FPGA
	Value	Functions	LUTs
	β2	3	3
	β4	7	5
	β8	8	5
	β16	5	3
	Total	23	16

By way of comparison, a full Galois multiplier requires 19 2-input Exclusive-OR functions and 16 2-input logical AND functions. Thus, all the exponentiation operations required to perform a multiplicative inversion occur in approximately one-third the size of a single Galois field multiplier.

The multi-stage serial squaring-and-multiplying techniques illustrated in FIGS. 1 and 2 are convenient from the standpoint that a standard multiplier circuit can be used to carry out both the squaring and multiplication operations (the squaring operation involves multiplying an input by itself), and the multiplicative inverse of a finite field element can be computed by stringing together a number of such multiplier circuits in a multi-stage configuration.

A unique aspect of the technique described herein is that the 2^m powers of a finite field element are computed in a more elegant and efficient manner without the use of multipliers or look-up tables that implement multiplication operations. Rather, the technique is based on the insight that there is actually a combinatorial way to represent the 2^m powers of a finite field element which is much simpler and can be implemented in parallel.

The expression in equation (8) is important in understanding how exponentiation circuits can be constructed with relatively few components and/or operations. In effect, as higher orders of β are computed, the cross-products keep disappearing (canceling out) such that the computations do not become more complex even at higher powers of β. This characteristic permits the relationships between β and the powers of β to be represented in a simple n×n exponentiation matrix which transforms the digits (in this case bits) β to digits (bits) of the output power of β (β^2m). The exponentiation matrix can be implemented using only combinatory logic, where each bit of the output exponential β^2m is either equal to the value of one of the input bits of β or an exclusive-OR combination of certain bits of β. This is because, by its nature, the exponentiation matrix yields summations of input bits, which are performed logically as an exclusive-OR operation. As used herein and in the claims the terms combinatory logic and combinatory logic circuits refer to circuitry (implemented in hardware, software, look-up tables, or combinations thereof) that maps input digits to output digits based on only logical relationships. These logical relationships include mapping logical combinations of certain input digits of an input field element to output digits of the output field element. These logical relationships may also include the direct mapping of an input digit to an output digit in some instances, as shown for example with the direct mapping of input bit β₂ to output bit β₄² in exponentiation circuit 302 in FIG. 4A. All of the logical combinations employed by the combinatory logic are exclusive-OR combinations of the input digits.

FIG. 5 is a flow diagram summarizing the operations performed to carry out exponentiation of a finite field element and computation of the multiplicative inverse of a field element in accordance with an embodiment of the invention. In operation 510, a multi-digit field element β of a finite field is supplied to each of a plurality of parallel exponentiation circuits. In operation 520, each of the exponentiation circuits essentially maps the digits of the input field element β to output digits of an output multi-digit field element β^2m, which is a 2^m power of the input field element β, where m is an integer greater than zero and where the value of m is different for each exponentiation circuit. This mapping is accomplished using combinatory logic circuits. In operation 530, the output multi-digit field elements β^2m from each of the parallel exponentiation circuits are multiplied together to generate the multiplicative inverse of the field element β.

Although not applicable to the subject of Galois field inversion, the matrix algebra approach used to derive the exponentiation matrices also applies to multiplying a Galois field value by a constant α^N:

$\begin{array}{cc}{\alpha }^N\times \beta ={\theta }_N\times \beta \mathrm{where}\text{}{\theta }_N={\left[\begin{array}{c}{\alpha }^{n-1}\times {\alpha }^N\\ {\alpha }^{n-2}\times {\alpha }^N\\ \dots \\ {\alpha }^1\times {\alpha }^N\\ {\alpha }^0\times {\alpha }^N\end{array}\right]}^T={\left[\begin{array}{c}{\alpha }^{N+n-1}\\ {\alpha }^{N+n-2}\\ \dots \\ {\alpha }^{N+1}\\ {\alpha }^N\end{array}\right]}^T\mathrm{and}\beta =\left[\begin{array}{c}{\beta }_{n-1}\\ {\beta }_{n-2}\\ \dots \\ {\beta }_1\\ {\beta }_0\end{array}\right]& \left(11\right)\end{array}$ Continuing with the example of a field over GF(2⁵) with a generator polynomial of α⁵+α²+1 (00101₂), multiplying a field value by α⁷ would be computed as follows:

$\begin{array}{cc}{\theta }_7={\left[\begin{array}{c}{\alpha }^{N+n-1}\\ {\alpha }^{N+n-2}\\ \dots \\ {\alpha }^{N+1}\\ {\alpha }^N\end{array}\right]}^T={\left[\begin{array}{c}{\alpha }^{11}\\ {\alpha }^{10}\\ {\alpha }^9\\ {\alpha }^8\\ {\alpha }^7\end{array}\right]}^T={\left[\begin{array}{ccccc}0& 0& 1& 1& 1\\ 1& 0& 0& 0& 1\\ 1& 1& 0& 1& 0\\ 0& 1& 1& 0& 1\\ 1& 0& 1& 0& 0\end{array}\right]}^T=\left[\begin{array}{ccccc}0& 1& 1& 0& 1\\ 0& 0& 1& 1& 0\\ 1& 0& 0& 1& 1\\ 1& 0& 1& 0& 0\\ 1& 1& 0& 1& 0\end{array}\right]& \\ {\alpha }^7\times \beta ={\theta }_7\times \beta =\left[\begin{array}{ccccc}0& 1& 1& 0& 1\\ 0& 0& 1& 1& 0\\ 1& 0& 0& 1& 1\\ 1& 0& 1& 0& 0\\ 1& 1& 0& 1& 0\end{array}\right]\times \left[\begin{array}{c}{\beta }_4\\ {\beta }_3\\ {\beta }_2\\ {\beta }_1\\ {\beta }_0\end{array}\right]=\left[\begin{array}{c}{\beta }_3\oplus {\beta }_2\oplus {\beta }_0\\ {\beta }_2\oplus {\beta }_1\\ {\beta }_4\oplus {\beta }_1\oplus {\beta }_0\\ {\beta }_4\oplus {\beta }_2\\ {\beta }_4\oplus {\beta }_3\oplus {\beta }_1\end{array}\right]& \end{array}$

Therefore, computing α⁷×β over GF(2⁵) with a generator polynomial of α⁵+α²+1 requires eight 2-input exclusive-OR functions. This array maps into the digital logic circuit shown in FIG. 6. If implemented in an FPGA, a total of five LUTs would be required to perform the operation.

Taking into consideration this extension of multiplying a finite field element by a constant, it will be appreciated that the invention encompasses the use of matrix algebra with finite field elements, resulting in arrays that are summations of input values that can be used to raise a field element to a power or to carry out multiplication by a constant.

The invention can be used in any hardware or software application that requires finite field arithmetic, such as encryption or forward error correction algorithms. As previously described, forward error correction codes are used extensively in communications to ensure the accuracy of data being received. Properly encoding data with finite field arithmetic allows a relatively small check word to be used to check the accuracy of a large amount of data and to determine which data is erroneous. Using the techniques of the present invention, the computations required to perform these types of operations can be carried out with less hardware and/or less and faster processing.

Having described preferred embodiments of circuits and methods for performing exponentiation and inversion of finite field elements, it is believed that other modifications, variations and changes will be suggested to those skilled in the art in view of the teachings set forth herein. It is therefore to be understood that all such variations, modifications and changes are believed to fall within the scope of the present invention as defined by the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

1. A circuit for generating a multiplicative inverse of a finite field element, comprising: a plurality of parallel exponentiation circuits, each of the parallel exponentiation circuits comprising combinatory logic circuits configured to receive input digits of a multi-digit field element β of a finite field, the combinatory logic circuits being further configured to map the input digits to output digits of an output multi-digit field element β2m, where m is an integer greater than zero and m has a different value for each of the parallel exponentiation circuits; anda plurality of multiplier circuits configured to multiply together outputs of the parallel exponentiation circuits to generate the multiplicative inverse of the field element β.

2. The circuit of claim 1, wherein at least some of the output digits are generated by the combinatory logic circuits as logical combinations of certain input digits and at least some of the output digits are generated by the combinatory logic circuits from only one of the input digits by directly mapping an input digit to an output digit.

3. The circuit of claim 1, wherein the parallel exponentiation circuits do not perform any multiplication operations.

4. The circuit of claim 1, wherein the parallel exponentiation circuits generate exponential powers of the field element β using only combinatory logic on the digits of the field element β.

5. The circuit of claim 4, wherein the combinatory logic includes only exclusive-OR combinations.

6. The circuit of claim 4, wherein the combinatory logic implements logical relationships between the field element β and the output field element β2m specified by an exponentiation matrix.

7. The circuit of claim 6, wherein the exponentiation matrix implemented by the combinatory logic circuits is an n×n matrix equal to the transform of the first n elements of the finite field raised to the 2m power, where n is the number of digits of the multi-digit field element β.

8. The circuit of claim 1, wherein the multi-digit field element β is a multi-bit binary field element.

9. The circuit of claim 1, wherein each of the exponentiation circuits is implemented with at least one of: a look-up table; a plurality of exclusive-OR gates; and software.

10. The circuit of claim 1, wherein each of the parallel exponentiation circuits is configured to generate the output multi-digit field element β2m directly from only the input digits of the multi-digit field element β, and none of the outputs of any of the parallel exponentiation circuits is an input to any of the parallel exponentiation circuits.

11. A method for generating a multiplicative inverse of a finite field element, comprising: receiving input digits of a multi-digit field element β of a finite field at a plurality of parallel exponentiation circuits, each of the parallel exponentiation circuits: generating an output multi-digit field element β2m for a different value of m, where m is a positive integer, by mapping via combinatory logic circuits the input digits to output digits of the output multi-digit field element β2m; andsupplying the output multi-digit field element β2m as an output of the exponentiation circuit; andmultiplying together outputs of the parallel exponentiation circuits to generate the multiplicative inverse of the field element β.

12. The method of claim 11, wherein at least some of the output digits are generated by the combinatory logic circuits as logical combinations of certain input digits and at least some of the output digits are generated by the combinatory logic circuits from only one of the input digits by directly mapping an input digit to an output digit.

13. The method of claim 11, wherein the parallel exponentiation circuits generate respective output multi-digit field elements β2m without performing any multiplication operations.

14. The method of claim 11, wherein the parallel exponentiation circuits generate exponential powers of the field element β using only combinatory logic on the digits of the field element β.

15. The method of claim 11, wherein the method implements, via the combinatory logic circuits in each of the parallel exponentiation circuits, logical relationships between the field element β and the output field element β2m specified by an exponentiation matrix.

16. The method of claim 11, wherein each of the output multi-digit field elements β2m is generated directly from only the input digits of the multi-digit field element β, and none of the output multi-digit field elements β2m is generated from outputs of any of the parallel exponentiation circuits.

17. The method of claim 11, wherein the multi-digit field element β is a multi-bit binary field element.

18. The method of claim 11, wherein generating the output multi-digit field elements β2m is performed via at least one of: a look-up table; a plurality of exclusive-OR gates; and software.

19. The method of claim 14, wherein the combinatory logic that generates the output multi-digit field elements β2m includes only exclusive-OR combinations.

20. The method of claim 15, wherein the exponentiation matrix implemented by the combinatory logic circuits is an n×n matrix equal to the transform of the first n elements of the finite field raised to the 2m power, where n is the number of digits of the multi-digit field element β.