Misplaced Pages

Carry-less product

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
(Redirected from Carry-less multiplication)
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "Carry-less product" – news · newspapers · books · scholar · JSTOR (April 2017) (Learn how and when to remove this message)
Computing the carry-less product.

The carry-less product of two binary numbers is the result of carry-less multiplication of these numbers. This operation conceptually works like long multiplication except for the fact that the carry is discarded instead of applied to the more significant position. It can be used to model operations over finite fields, in particular multiplication of polynomials from GF(2), the polynomial ring over GF(2).

The operation is also known as an XOR multiplication, as carry-discarding addition is equivalent to an exclusive or.

Definition

Given two numbers a = i a i 2 i {\displaystyle \textstyle a=\sum _{i}a_{i}2^{i}} and b = i b i 2 i {\displaystyle \textstyle b=\sum _{i}b_{i}2^{i}} , with a i , b i { 0 , 1 } {\displaystyle a_{i},b_{i}\in \{0,1\}} denoting the bits of these numbers, the carry-less product of these two numbers is defined to be c = i c i 2 i {\displaystyle \textstyle c=\sum _{i}c_{i}2^{i}} , with each bit c i {\displaystyle c_{i}} computed as the exclusive or of products of bits from the input numbers as follows:

c i = j = 0 i a j b i j {\displaystyle c_{i}=\bigoplus _{j=0}^{i}a_{j}b_{i-j}}

Example

Consider a = 101000102 and b = 100101102, with all numbers given in binary. Then the carry-less multiplication of these is essentially what one would get from performing a long multiplication but ignoring the carries.

                  1 0 1 0 0 0 1 0 = a
   ---------------|---|-------|--
   1 0 0 1 0 1 1 0|0 0 0 0 0 0 0
       1 0 0 1 0 1 1 0|0 0 0 0 0
               1 0 0 1 0 1 1 0|0
   ------------------------------
   1 0 1 1 0 0 0 1 1 1 0 1 1 0 0
             ^ ^

So the carry-less product of a and b would be c = 1011000111011002. For every bit set in the number a, the number b is shifted to the left as many bits as indicated by the position of the bit in a. All these shifted versions are then combined using an exclusive or, instead of the regular addition which would be used for regular long multiplication. This can be seen in the columns indicated by ^, where regular addition would cause a carry to the column to the left, which does not happen here.

Multiplication of polynomials

The carry-less product can also be seen as a multiplication of polynomials over the field GF(2). This is because the exclusive or corresponds to the addition in this field.

In the example above, the numbers a and b correspond to polynomials

A = i a i X i = X 7 + X 5 + X 1 B = i b i X i = X 7 + X 4 + X 2 + X 1 {\displaystyle A=\sum _{i}a_{i}X^{i}=X^{7}+X^{5}+X^{1}\qquad B=\sum _{i}b_{i}X^{i}=X^{7}+X^{4}+X^{2}+X^{1}}

and the product of these is

C = A B = i c i X i = X 14 + X 12 + X 11 + X 7 + X 6 + X 5 + X 3 + X 2 {\displaystyle C=A\cdot B=\sum _{i}c_{i}X^{i}=X^{14}+X^{12}+X^{11}+X^{7}+X^{6}+X^{5}+X^{3}+X^{2}}

which is what the number c computed above encodes. Notice how ( X 7 X 1 ) + ( X 1 X 7 ) 0 {\displaystyle (X^{7}\cdot X^{1})+(X^{1}\cdot X^{7})\equiv 0} and ( X 7 X 2 ) + ( X 5 X 4 ) 0 {\displaystyle (X^{7}\cdot X^{2})+(X^{5}\cdot X^{4})\equiv 0} thanks to the arithmetic in GF(2). This corresponds to the columns marked ^ in the example.

Applications

The elements of GF(2), i.e. a finite field whose order is a power of two, are usually represented as polynomials in GF(2). Multiplication of two such field elements consists of multiplication of the corresponding polynomials, followed by a reduction with respect to some irreducible polynomial which is taken from the construction of the field. If the polynomials are encoded as binary numbers, carry-less multiplication can be used to perform the first step of this computation.

Such fields have applications in cryptography and for some checksum algorithms.

Implementations

Recent x86 processors support the CLMUL instruction set and thus provide a hardware instruction to perform this operation.

It's also part of RISC-V Bit-Manipulation ISA-extensions Zbc: Carry-less multiplication.

For other targets it is possible to implement the computation above as a software algorithm, and many cryptography libraries will contain an implementation as part of their finite field arithmetic operations.

Other bases

The definition of a carry-less product as the result of a long multiplication discarding carry would readily apply to bases other than 2. But the result depends on the basis, which is therefore an essential part of the operation. As this operation is typically being used on computers operating in binary, the binary form discussed above is the one employed in practice.

Polynomials over other finite fields of prime order do have applications, but treating the coefficients of such a polynomial as the digits of a single number is rather uncommon, so the multiplication of such polynomials would not be seen as a carry-less multiplication of numbers.

See also

References

  1. Shay Gueron (2011-04-13). "Intel Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode - Rev 2". Intel.
Categories: