An Introduction To Galois Fields and Reed-Solomon Coding: James Westall James Martin
An Introduction To Galois Fields and Reed-Solomon Coding: James Westall James Martin
James Westall
James Martin
School of Computing
Clemson University
Clemson, SC 29634-1906
October 4, 2010
1 Fields
A field also has additive and multiplicative identities (0 and 1) such that a + 0 = a
and 1a = a for any element in the field. Elements of a field must have additive and
multiplicative inverses. The additive inverse of a is an element b such that a+b = 0
and the multiplicative inverse of a is an element c such that ac = 1.
The existence of these inverses implicitly defines the operations of subtraction and
division. The value of a − c is a + (−c) where −c is the additive inverse of c.
Similarly, the value of a/c is a × c−1 where c−1 is the multiplicative inverse of c.
Division by 0, the additive identity, is not defined. This implies that the additive
and multiplicative identities are not the same (0 6= 1), and also that ab = 0 if and
only if either a = 0 or b = 0.
1
1.1 Finite fields
Well known fields having an infinite number of elements include the real numbers,
R C Q
, the complex numbers , and the rational numbers . However, the integers
Z
under the usual arithmetic, , do not constitute a field because only +1 and -1
have multiplicative inverses.
+ 0 1 2
0 0 1 2
1 1 2 0
2 2 0 1
× 0 1 2
0 0 0 0
1 0 1 2
2 0 2 1
Although the real, complex, and rational fields all have an infinite number of ele-
Z
ments finite fields also exist. The symbol p refers the integers {0, 1, .., p − 1} using
Z
modulo p arithmetic. p is a field if and only if p is a prime number.
Regardless of whether or not p is prime each element x has an additive inverse with
the value p − x. This follows from the fact that (x + p − x = p = 0 mod p). If p is
prime then each element x also has a multiplicative inverse y whose value is chosen
so that xy = 1 mod p. There is no simple formula for computing y. For small p,
a simple O(p) algorithm is to multiply a by 2, 3, ...p − 1 halting when the result
is modp is 1. For large values of p a variant of Euclid’s greatest common divisor
algorithm is more efficient.
2
+ 0 1 2 3 4 5 6
0 0 1 2 3 4 5 6
1 1 2 3 4 5 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
is a permutation of the values {0, 1, ..., p − 1} and each row of the multiplication
table except the first row will also be a permutation of the elements of the field.
As noted previously, a value of 1 in the multiplication table identifies a pair of
multiplicative inverses.
The fields, denoted GF (pm), are comprised of the polynomials of degree m − 1 over
Z
the field p . These polynomials are expressed as am−1 xm−1 + ... + a1 x1 + a0 x0 where
the coefficients ai take on values in the set {0, 1, ..., p − 1}.
3
1.2.1 Polynomial arithmetic in GF (2m )
These operations are used in manipulating the coefficients during multiplication and
addition of polynomials, but the basic algorithms used in adding and multiplying
polynomials over the integers remain applicable.
To add two or more polynomials, for each power of x present in the summands, just
add the corresponding coefficients modulo 2. If a particular power appears an odd
number of times in the summands it will have a coefficient of 1 in the sum. If it
appears an even number of times or does not appear at all, it will have a coefficient
of 0 in the sum. For example,
(x2 + 1) + (x + 1) + (x2 + x + 1) = 1.
Similarly,
(x2 + x + 1)(x + 1) = x3 + x2 + x + x2 + x + 1 = x3 + 1.
Note that the polynomials of degree m − 1 are closed under polynomial addition.
The sum is always a polynomial of degree no more than degree m−1. Furthermore,
because of the xor method of addition, each polynomial is its own additive inverse.
4
1.2.3 The generating polynomial of GF (2m )
The polynomials of degree m − 1 are not closed under multiplication. For example,
xm−1 times xm−1 is x2m−2. Thus for all m > 1, the degree of the product may
exceed than m − 1.
Note that the requirement that g(x) be irreducible is implicit in this definition of
multiplication. Suppose g(x) is not irreducible. Then there exist two polynmials
a(x) and b(x) such that g(x) = a(x)b(x). However, g(x) = 0modg(x). Hence a(x)
and b(x) are divisors of zero, and it has previously been shown that fields may not
contain zero divisors.
Z
It is the case that both x3 + x + 1 and x3 + x2 + 1 are irreducible over 2. Therefore,
either one can be used to generate a field of 8 elements representing polynomials
of degree 2. The mapping of coefficients to numbers for x3 + x + 1 is given in the
table 7.
5
Dec Bin Poly
0 000 0
1 001 1
2 010 x
3 011 x+1
4 100 x2
2
5 101 x +1
6 110 x2 + x
7 111 x2 + x + 1
Z
those we developed for the field 7 . Addition can be performed by inspection. For
example 3 + 5 represents (x + 1) + (x2 + 1) = x2 + x which is 6. So 3 + 5 = 6.
Z
An equivalent approach is to remember that polynomial addition over 2 is defined
by the xor operation. So 3 + 5 = 011 xor 101 = 110 = 6. Code to implement
addition over GF (2m ) for m less than or equal to the word size of the computer is
trival.
int gf_add(
int v1,
int v2)
{
return(v1 ^ v2);
}
The gf add() function was used to produce the following addition table.
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 0 3 2 5 4 7 6
2 2 3 0 1 6 7 4 5
3 3 2 1 0 7 6 5 4
4 4 5 6 7 0 1 2 3
5 5 4 7 6 1 0 3 2
6 6 7 4 5 2 3 0 1
7 7 6 5 4 3 2 1 0
6
1 1
_________________
1 0 1 1 | 1 1 1 1 0
1 0 1 1
-------
1 0 0 0
1 0 1 1
-------
0 1 1 <-- (x + 1)
1
_________________
1 0 1 1 | 1 0 0 0
1 0 1 1
-------
0 1 1 (x + 1)
Here we see that the remainder is (x + 1). In general the remainder when the
high order term of the generator is divided by the generator itself will always be
comprised of the generator absent its high order term.
This also follows from the fact that g(x) = q(x) + r(x). The quotient with the
high order term is divided by the generator is always the high order term, and the
remainder is thus necesssarily the remainder of the terms.
int gf_mult(
7
int m, // GF(2 ^ M)
int poly, // low order terms of g(x)
int v1,
int v2)
{
int prod = 0;
int k;
int mask;
/* Multiply phase */
/* Reduce phase */
mask = 1 << m;
mask <<= m - 2;
8
return(prod);
}
Any element of GF (2m ) may be used as a logarithmic base. We will use base 2 in
the following example in GF (23). As usual log2(k) = j if and only if 2j = k, and
then it is also true that log2−1 (j) = k. It is also the case that, as usual, log2 (0) is
undefined and for a more subtle reason so is log2−1 (2m − 1). The latter follows from
the fact that in GF (2m) j 2 −1 = 1 for any non-zero j and log2(1) has already been
m
defined to be 0.
The following simple algorithm can be used to construct the table of logarithms
shown below. As expected, the inverse logarithm table is simply a table of powers
of 2.
gf->ilog[0] = 1;
prod = 2;
for (i = 1; i < gf->size - 1; i++)
{
gf->ilog[i] = prod;
gf->log[prod] = i;
9
prod = gf_mult(gf, prod, 2);
}
i 0 1 2 3 4 5 6 7
log2 (i) - 0 1 3 2 6 4 5
log2−1 (i) 1 2 4 3 6 7 5 -
The following examples show how to use the tables to perform multiplication.
As usual ab = log2−1 (log2(a) + log2 (b)). Thus, to multiply 3 × 4, we first see that
log2(3) = 3 and log2 (4) = 2. To add the logarithms, we use normal integer addition
not xor because we are operating on exponents and not elements of the field, and
we find 2 + 3 = 5. Finally, we see log2−1(5) = 7. We can verify from table 9 that 7
is the correct answer.
Since we are using integer arithmetic to add the exponents, we can get a value
too large to use as an index into the inverse logarithm table. As previously noted
n2 −1 = 1 for all values, n, in the Galois field. Thus successive exponentiation
m
2 Reed-Solomon Codes
Reed-Solomon codes can be used to perform a form of forward error correction FEC
in computer networks. The specific type of correction is called erasure correction.
The objective of erasure correction is to recover from loss of entire packets. They
can be used in conjunction with traditional error detecting cyclic codes by simply
treating packets with errors as lost.
The encoding and decoding employs arithmetic in the domain GF (2m). We will
use m = 3 as an example. GF (23) consists of 8 elements. Each element is a
polynomial of degree 2 and is encoded in an 3 bit value. We will use the generator
g(x) = x3 + x + 1.
10
The value, m, is the word size of the encoding. Each packet is subdivided into words
of length m bits and check values must be computed for each word. Therefore, in
the real world word sizes of 8, 16, or 32 instead of 3 would normally be used.
The packet stream that is actually transmitted consists of FEC groups containing
both data packets and check packets used in reconstructing lost data packets. Data
packets are fixed size and check packets have the same length as data packets.
A FEC group consists of n data and k check packets where n +k <= 2m . Successful
receipt of any n packets from the combination data and check packets is sufficient
to permit reconstruction of the n data packets.
The required matrix is derived from Vandermonde matrix which is known to possess
property (2). For arbitrary, n and m this matrix has the following form. The fact
that the largest value in GF (2m) is 2m − 1 necessarily constrains the number of
rows and columns in the matrix (n + k) to be less than or equal to 2m .
00 01 02 0(n−1)
...
10 11 12 ... 1(n−1)
20 21 22 ... 2(n−1)
... ... ... ... ...
(2m − 1)0 (2m − 1)1 (2m − 1)2 ... (2m − 1)(n−1)
11
1 0 0
1 1 1
1 2 4
1 3 5
V =
1 4 6
1 5 7
1 6 2
1 7 3
This matrix is known to possess property(2) but clearly does not possess property
(1). Nevertheless, by a series of linear transformations in which a multiple of one
column is added to another, we can obtain property (1) while preserving property
(2). For example, if we add column 1 to column 0 and column 2, then row 1 is
transformed to have the desired values 0 1 0. To fix up row 2 of the matrix we
multiply column 2 by the multiplicative inverse of 4 and then add column 2 to 1
and 2× column 2 to column 1. This process can be continued until the first n rows
constitute an identity matrix. We will call this transformed matrix D.
1 0 0
0 1 0
0 0 1
1 1 6
D=
4 3 2
5 2 2
5 3 4
4 2 4
For simplicity we will assume that each data packet consists of only one 3 bit word.
If an actual packet consisted of 12,000 bits, the process described below would have
to be repeated 4,000 times, once for each data word in the packet.
12
The bottom k rows of the transformed Vandermonde matrix, D, constitute the
encoding matrix E that is used to create the k check packets.
1 1 6
4 3 2
E=
5 2 2
5 3 4
4 2 4
The matrix E has dimension k × n where k is the number of check packets and n
is the number of data packets. When the n × 1 vector of data words is multiplied
by E as shown an k × 1 vector of check values is produced. In this example we
assume that the 3 data words have the values {4, 5, 6}.
3
1 1 6
4 3
2
4 5
5 2 2 × 5 = 4
5 3 4 6 3
4 2 4 2
Each of the 8 “packets” must also carry an identifier that allows the recipient to
determine exactly which packets of a FEC group have been received. The values
contained in the 8 “packets” that are sent are thus:
{(0, 4), (1, 5), (2, 6), (3, 3), (4, 5), (5, 4), (6, 3), (7, 2)}.
13
Continuing with our numeric example, suppose only packets 3, 4, and 5 containing
the first three check values {3, 5, 4} are received. The receiver doesn’t know what
the data values are so we will call them d0, d1, and d2. Nevertheless the receiver
must know what values of m, n and k are in use. Thus, the receiver can construct a
matrix D′ consisting of rows of the modified Vandermonde matrix that correspond
to the packets that were received.
1 1 6
D′ =
4 3 2
5 2 2
Because the receiver also knows the algorithm by which the check packets were
constructed, the receiver knows that:
1 1 6 d0 3
4 3 2 × d1 = 5
5 2 2 d2 4
Multiplying the received check values by D′−1 recovers the original values.
5 6 2 3 4
5 7 3 × 5 = 5
3 3 3 4 6
Three parameters determine the cost of the FEC procedure. The value of m defines
the Galois field as GF (2m ) and also defines the word size of the encoding to be m.
14
For example, a packet having 210 bits, consists of 256 words over GF (24) but only
64 words of GF (216).
The size of a FEC group is n + k where n is the number of data packets in a group
and k is the number of check packets. The matrix D consists of n + k rows and
n columns. The encoding matrix E that is used to generate the checksums has
dimension k rows and n columns.
Note that doubling of both k and n which keeps the fraction of FEC packets con-
stant quadruples the cost of generating the checksums. This is a strong motivator
for the use of an FEC group interleaver as opposed to a large value of n for for
additional robustness against error bursts.
Error recovery begins with the inversion of the n × n matrix comprised of rows
from the D matrix corresponding to the n packets in the FEC group that were
actually received. In the worse case this inversion is O(n3 ). In practice the cost of
the inversion is proportional to the number of check rows that must replace identity
rows in the decode matrix. When the inversion has been completed, it is necessary
to multiply the received vector of n words by the n × n inverse matrix for each
word in the packet. As noted above this requires O(n2 ) multiplies and sums.
15
2.4 Example
16