
While studying GF multiplication in the AES algorithm, I came across the following paper:

A new architecture for a parallel finite field multiplier with low complexity based on composite fields

Section 4.2 of this paper deals with the multiplication of two field elements in $GF((2^n)^2)$ and uses the following expression: $$C(x)=A(x)B(x) \bmod P(x)=[a_0b_0+p_0a_1b_1]+x[(a_0+a_1)(b_0+b_1)+a_0b_0]$$ For $n=2$, $p={10}_2$

The problem here is that when I calculate $2\otimes2$ in $GF((2^2)^2)$, I get $3$ using the above expression. As far as I know, $2\otimes2$ is $4$, but I don't know if this expression is wrong or if my knowledge is wrong, hence my question.

My calculation based on the equation:

For $A=\{a_1,a_0\}=\{0010\}$ and $B=\{b_1,b_0\}=\{0010\}$, $$a_0b_0=\{11\}$$ $$a_1b_1=\{00\}$$ $$a_0+a_1=\{10\},~b_0+b_1=\{10\}$$

Thus,

$$a_0b_0+p_0a_1b_1=\{11\}+\{10\}\otimes\{00\}=\{11\}$$ $$(a_0+a_1)(b_0+b_1)+a_0b_0=\{10\}\otimes\{10\}+\{11\}=\{11\}+\{11\}=\{00\}$$

Therefore, $$C(x)=\{11\}+x\{00\}$$

  • @xxxxxxxxx Actually, I'm trying to build a circuit that calculates multiplications based on the equation, and it seems that this equation gives me weird answers for many cases, including inputs of 2 and 2 – lemoncake May 29 '24 at 08:56
  • 2
    It is difficult to say anything helpful (when I'm unwilling to invest the time to study your link). Probably you have misunderstood the identity of elements of finite fields, maybe the fact that the meaning of a basis representation (=a sequence of 4 bits) depends on the choice of a basis. Also the fact that you didn't explain that for you $2\neq1+1$ will confuse all the readers who have only seen finite fields in books on algebra. Anyway $2\otimes2$ is meaningless unless you explain what $2$ means. – Jyrki Lahtonen May 29 '24 at 09:59
  • 3
    (cont'd) If $GF(4)=\{0,1,2,3\}$, then (in the usual computer implementation) we have, indeed $2\cdot2=3$ (what's denoted $2$ is a root of the polynomial $x^2+x+1$, and in that case $2+1=3=2\cdot2$ is the other root). Whereas in the usual computer implementation of $GF(16)$ we have, indeed $2\cdot2=4$. That is simply because in that representation of elements of a finite field $2$ from $GF(4)$ is not the same element as the $2$ from $GF(16)$. – Jyrki Lahtonen May 29 '24 at 10:02
  • 2
    Anyway, maybe you can start from here. I'm afraid I won't be able to comment on the details, because they depend heavily on the chosen representation, and a big part of the game is to design circuitry efficiently converting one representation to another. The details of those processes are (if memory serves) straightforward. But studying the details would qualify as work, and you cannot afford my rates. – Jyrki Lahtonen May 29 '24 at 10:05
  • 1
    @xxxxxxxxx A very common trick in computer implementations of finite fields of characteristic two is to denote an element $$z=b_0+b_1\alpha+b_2\alpha^2+\cdots+b_{n-1}\alpha^{n-1}$$ by the bitstring $$z=b_{n-1}\ldots b_1b_0.$$ And then write this bitstring as if it were an integer. Here all the coefficients $b_i\in\{0,1\}$ and $\alpha$ is a root of prescribed irreducible polynomial $f(x)\in GF(2)[x]$. – Jyrki Lahtonen May 29 '24 at 10:11
  • 1
    (cont'd) So if we construct the field of four elements $$GF(4)=\{0,1,\alpha,\alpha+1\},$$ where $\alpha^2+\alpha+1=0$, then in the implementation $0=00_2$, $1=01_2$, $\alpha=10_2=2$ and $\alpha^2=\alpha+1=11_2=3$ (hence $2\cdot2=3$). The advantages are: A) very efficient use of memory, B) addition becomes bitwise XOR, something supported by the simplest CPUs. The disadvantages emanate chiefly from the fact that there are tons of programmers who think that $GF(2^n)$ consists of a range of integers, and hence fail in the algebra. – Jyrki Lahtonen May 29 '24 at 10:14
  • 1
    @JyrkiLahtonen - in the case of normal basis as used by Canright for GF(2^2), 3 is the multiplicative identity. GF(2^2) = {0, 3, α, α ⊕ 3}. Multiplication table: 0 ⊗ z = 0 ; 1 ⊗ 1 = 2 ; 1 ⊗ 2 = 3 ; 1 ⊗ 3 = 1 ; 2 ⊗ 2 = 1 ; 2 ⊗ 3 = 2 ; 3 ⊗ 3 = 3. Powers of 1: 1^0 = 3 ; 1^1 = 1 ; 1^2 = 2 . Powers of 2: 2^0 = 3 ; 2^1 = 2 ; 2^2 = 1. – rcgldr Jun 01 '24 at 15:29
  • Thanks @rcgldr. Relieved to see you here. I really didn't want to check that article :-) – Jyrki Lahtonen Jun 01 '24 at 17:36
  • @JyrkiLahtonen - the article linked to in OP's question is dated 1993, and is a generic method for composite field multiply, with the goal of reducing propagation delay time using parallel operations. Canright's article is dated 2005, and uses normal basis mapping with the goal of reducing gate count and area on chips, versus trying to minimize propagation delay time. Still the methods from the 1993 article could be used to parallelize a multiply, but since Canright's article is about mapping to compute 1/z, there is no GF(((2^2)^2)^2) multiply, only GF((2^2)^2) and GF(2^2). – rcgldr Jun 01 '24 at 22:49
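
The representation issue discussed in the comments, as an added example that is not part of the original thread: the same 4-bit string `0010` is multiplied once with the question's composite-field expression and once in a polynomial-basis GF(16). Assumptions: $P(x)=x^2+x+p_0$ (inferred from the expression), the GF(16) reduction polynomial $x^4+x+1$, and all function names are chosen for this illustration.

```python
def gf4_mul(a, b):
    """GF(4) = GF(2)[alpha]/(alpha^2+alpha+1); elements are 2-bit ints, alpha = 0b10."""
    r = a if b & 1 else 0
    if b & 2:
        # a*alpha with alpha^2 = alpha + 1: (a1, a0) -> (a0 ^ a1, a1)
        r ^= ((a << 1) & 0b11) ^ (0b11 if a & 2 else 0)
    return r

P0 = 0b10  # p_0 = 10_2 from the question (n = 2)

def composite_mul(A, B, p0=P0):
    """The question's expression in GF((2^2)^2); A = {a1, a0} as a 4-bit int."""
    a1, a0 = A >> 2, A & 0b11
    b1, b0 = B >> 2, B & 0b11
    a0b0 = gf4_mul(a0, b0)
    c0 = a0b0 ^ gf4_mul(p0, gf4_mul(a1, b1))   # a0b0 + p0*a1b1
    c1 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0      # (a0+a1)(b0+b1) + a0b0
    return (c1 << 2) | c0

def gf16_mul(a, b, poly=0b10011):
    """Polynomial-basis GF(2^4); x^4+x+1 is an assumed reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= poly
    return r

def has_inverses(mul):
    """True if every non-zero 4-bit element has a multiplicative inverse under mul."""
    return all(any(mul(a, b) == 1 for b in range(1, 16)) for a in range(1, 16))

def order(mul, a):
    """Multiplicative order of a non-zero element a under mul."""
    n, acc = 1, a
    while acc != 1:
        acc = mul(acc, a)
        n += 1
    return n

if __name__ == "__main__":
    print("composite 2*2 =", composite_mul(2, 2))   # element alpha of the GF(4) subfield
    print("GF(16)    2*2 =", gf16_mul(2, 2))        # element x of the polynomial basis
    print("orders of '2':", order(composite_mul, 2), order(gf16_mul, 2))
```

Both multiplications define a 16-element field, but the bit pattern `0010` names an element of order 3 in one encoding and of order 15 in the other, so a circuit built on the composite expression needs a basis conversion before its outputs can be compared with polynomial-basis GF(16) values.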

0 Answers