Multiplication in Galois fields with the xtimes function

In my previous post, I wrote about finite fields (Galois fields) of order 2ⁿ, abbreviated GF(2ⁿ). Their elements are congruence classes of polynomials over the field Z₂ = { 0, 1 }. Each congruence class consists of all polynomials that leave the same remainder when divided by some fixed polynomial m.

To multiply two elements B and C from GF(2ⁿ), you choose a polynomial b from B and a polynomial c from C, and then calculate d = (b ⋅ c) mod m. The result d is a polynomial, which belongs to some congruence class D in GF(2ⁿ). D is the product of B and C.

In section 4.2 of the AES spec, you can find a different algorithm for multiplication in GF(2⁸), which is conceptually simpler than the algorithm above, because it doesn't need polynomial multiplication and modulo division, but only addition and shifting of coefficients. However, I myself needed some time to understand how exactly the algorithm works and why exactly it is correct. So I decided to write about it and share my understanding of it. That's the first section of this post.

The AES spec states this algorithm only for GF(2⁸) but it can easily be generalized to GF(2ⁿ) for arbitrary n. And in fact, it is just the algorithm presented in the GCM spec for multiplication in GF(2¹²⁸), although the spec doesn't say this. So in the second section of this post, I will explain the connection between the algorithms in both specs in more detail. So read until the end if you are - like I was - struggling to understand section 6.3 of the GCM spec on multiplication of blocks. (Why is this pseudo-code correct? What's the magic bit string R?)

In case you're curious to see the algorithm I'm talking about in code, take a look at my Ruby implementation of it.

Multiplication in GF(2⁸) following the AES spec

The goal of the algorithm in the AES spec is to calculate (b ⋅ c) mod m for polynomials b, c of degree < 8 and the fixed polynomial m = x⁸+x⁴+x³+x+1. I'll break down the algorithm into three steps:

1. Calculate p ⋅ x for some polynomial p of degree < 8,
2. calculate (p ⋅ x) mod m for some polynomial p of degree < 8 (this is called the xtimes function),
3. reduce the calculation of (b ⋅ c) mod m to repeated applications of the function from step 2.

Calculation of p ⋅ x

Let's give the coefficients of p names: Let p = p₇x⁷ + p₆x⁶ + p₅x⁵ + p₄x⁴ + p₃x³ + p₂x² + p₁x + p₀. Of course, p doesn't have to have degree 7; p₇ can be zero, just as any other coefficient.

If you multiply p with x, you'll get p ⋅ x = p₇x⁸ + p₆x⁷ + p₅x⁶ + p₄x⁵ + p₃x⁴ + p₂x³ + p₁x² + p₀x.

If you model polynomials as finite sequences of their coefficients, p is (p₇, p₆, p₅, p₄, p₃, p₂, p₁, p₀) and p ⋅ x is (p₇, p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0). So multiplication of polynomials with x is extremely simple: you just have to add a zero to the sequence of coefficients.

Calculation of (p ⋅ x) mod m

Now we're going to define the so-called xtimes function. It should satisfy the condition xtimes(p) = (p ⋅ x) mod m. But we don't want to use this equation as definition, as we are searching for something simpler.

If p ⋅ x has degree < 8 (i.e. if p₇ is zero), then (p ⋅ x) mod m is just p ⋅ x. So we can define:

xtimes(p) = (p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0) if p₇ = 0.

(Note that we choose to omit the leading zero coefficient p₇. If you actually define polynomials as finite sequences, this omission has to be justified. After all, the sequence (0, p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0) is different from the sequence (p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0). However, the omission is certainly justified here because in the end, we are interested in finding a representative of a congruence class. And leading zero coefficients surely don't change the congruence class of the polynomial.)

If, on the other hand, p₇ is not zero, we have to calculate the reduction modulo m. In the case of AES, m is fixed, but let's do the reduction for an arbitrary polynomial of degree 8, m = m₈x⁸ + m₇x⁷ + m₆x⁶ + m₅x⁵ + m₄x⁴ + m₃x³ + m₂x² + m₁x + m₀. Remember that the coefficients are members of the field Z₂ = { 0, 1 }. Addition and subtraction in Z₂ are both the XOR operation.

Since p₇ is not zero, it must be 1. And since m has degree 8, we have m₈ = 1 as well. So the polynomial long division of p ⋅ x by m looks like this:

(x⁸ + p₆x⁷ + ... + p₀x) / (x⁸ + m₇x⁷ + ... m₁x + m₀) = 1
- (x⁸ + m₇x⁷ + ... m₁x + m₀)
-------------------------------
(1 - 1)x⁸ + (p₆ - m₇)x⁷ + ... + (p₀ - m₁)x + (0 - m₀)

So written as a sequence, the remainder polynomial is (1 - 1, p₆ - m₇, ..., p₀ - m₁, 0 - m₀) = (0, p₆ - m₇, ..., p₀ - m₁, m₀).

With the same justification as above, we skip the leading zero. Since subtraction in Z₂ is the XOR operation, we can calculate the remainder like this: (p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0) XOR (m₇, m₆, m₅, m₄, m₃, m₂, m₁, m₀).

Now, back to the spec. Here, m is the fixed polynomial x⁸+x⁴+x³+x+1, so the second part of the xtimes definition looks like this:

xtimes(p) = (p₆, p₅, p₄, p₃, p₂, p₁, p₀, 0) XOR (0, 0, 0, 1, 1, 0, 1, 1) if p₇ = 1.

Note that the the algorithm works just as well for other Galois fields GF(2ⁿ): For n=8, we only used the fact that m has degree 8. However, the modulus polynomial for GF(2ⁿ) has always degree n. Meaning: So far, the algorithm works for every n.

Reduction of multiplication to xtimes

We can use the xtimes function to calculate (b ⋅ c) mod m for arbitrary polynomials over Z₂ of degree < 8. For example, let c be x²+x:

b ⋅ (x²+x) mod m
= (bx² + bx) mod m
= (bx² mod m) + (bx mod m)

Okay, (bx mod m) is just xtimes(b), that's good. The first summand can also be expressed in terms of xtimes:

bx² mod m
= (bx ⋅ x) mod m
= ((bx mod m) ⋅ x) mod m
= (xtimes(b) ⋅ x) mod m
= xtimes(xtimes(b))

So we have:

b ⋅ (x²+x) mod m = xtimes(xtimes(b)) + xtimes(b)

In general, the algorithm for calculating (b ⋅ c) mod m works like this: Apply the xtimes function k times to b if c_k is one. Then add all the results.

All of this works just the same for other Galois fields, even of different orders. So it's no surprise that we find the same algorithm in the GCM spec, where it is used to multiply 128-bit blocks instead of bytes.

Multiplication in GF(2¹²⁸) following the GCM spec

To spare you the hassle to look it up, here is a screenshot of the multiplication algorithm in the GCM spec:

Just like above, one factor is fixed (Y) and the coefficients of the other (X) are inspected.

The blocks V_i are the results of repeated applications of xtimes to Y. The blocks Z_i are the result of adding all V_is that correspond to a coefficient 1.

The V_i+1 is analogous to the xtimes definition, but there is a little gotcha: In GCM, the order of the coefficient is reversed, so the bit sequence x₀x₁...x₁₂₇ represents the polynomial x₀ + x₁ ⋅ x + ... + x₁₂₇ ⋅ x¹²⁷.

When I explained above how to calculate p ⋅ x, I represented polynomials by bit sequences and assumed a different ordering, so that the x₀x₁...x₁₂₇ would represent the polynomial x₀ ⋅ x¹²⁷ + ... + x₁₂₆ ⋅ x + x₁₂₇.

That's why multiplying a polynomial with x is not achieved by shifting the coefficients not to the left but to the right, and that's the explanation for the ">> 1" in the definition of V_i+1.

It also explains why the distinction between cases in the definition of V_i+1 works by looking at the least significant (right-most) bit, while the distinction in my xtimes definition worked by looking at the first/left-most/most significant bit.

And the unusual ordering of coefficients is the reason that the loop in step 3 ranges from 0 to 127, instead of the other way around.

Finally, the bit string R = 11100001 || 0¹²⁰ is a shifted representation of the modulus polynomial. In the case of GCM, this polynomial is m = x¹²⁸+x⁷+x²+x+1. To define xtimes, we discarded the highest order coefficient and wrote the other ones in a bit sequence. This gives us the bit sequence 0¹²⁰ || 10000111. But again, GCM reverses the coefficients, so you end up with R.