Example 5.17 Integer Representation of Finite Field Element

• Table of Contents

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

Many cryptographic schemes and protocols, especially those based on public-keycryptography, have basic or so-called "textbook crypto" versions, as these versionsare usually the subjects for many textbooks on cryptography. This book takes adifferent approach to introducing

cryptography: it pays much more attention tofit-for-application aspects of cryptography. It explains why "textbook crypto" isonly good in an ideal world where data are random and bad guys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world by demonstratingnumerous attacks on such schemes, protocols and systems under variousreal- world application scenarios. This book chooses to introduce a set of practicalcryptographic schemes, protocols and systems, many of them standards or de factoones, studies them closely, explains their working principles, discusses their practicalusages, and examines their strong (i.e., fit-for-application) security properties, oftenwith security evidence formally established. The book also includes self-containedtheoretical background material that is the foundation for modern cryptography.

Polynomial f(x) = x8₊_x4₊_x3₊_x_{+ 1 is irreducible over} _{. The set of all polynomials modulo} f(x) over forms a field of 28_{elements; they are all polynomials over} _{of degree less than 8.} So any element in field is

where b7, b6, b5, b4, b3, b2, b1, b0, . Thus, any element in this field can be represented as an integer of 8 binary bits b7b6bb5b4b3b2b1b0, or a byte. In the hexadecimal encoding, we can use a letter to encode an integer value represented by 4 bits:

Since a byte has eight bits, the hexadecimal encoding of a byte can use two quoted characters 'XY' such that '0' 'X' 'F' and '0' 'Y' 'F'. That is, any element in field can be viewed as a byte in the interval ['00', 'FF'].

Conversely, any byte in the interval ['00', 'FF'] can be viewed as an element in field . For example, the byte 01010111 (or the hexadecimal value '57') corresponds to the element

(polynomial)

From Corollary 5.4 and Example 5.17, we can view field as the field of all non-negative integers up to deg(f) binary bits. Clearly, this field has 2deg(f)_{elements. Therefore, for any}

natural number n > 0, the set {0, 1}n_{forms a field of 2}n_{elements. Let us use "}_n_{-bit binary field"}

to name this field. Operations in this field follows the operations between polynomials of degrees less than n over . Addition is very simple as shown in Example 5.18.

Example 5.18.

Let f be a degree-8 irreducible polynomial over . In the 8-bit binary field, addition follows polynomial addition by adding coefficients modulo 2 (so 1 + 1 = 0). For example (in

hexadecimal) '57' + '83' = 'D4':

So, addition in this field is independent from the definition polynomial f.

• Table of Contents

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

two polynomials modulo f. The modulo operation can be done by applying the extended Euclid algorithm for polynomials. Later (in Example 5.19) we shall show another method for achieving field multiplication which is based on a different way for the field representation.

The n-bit binary field is a useful field because of its natural interpretation of integers. It has many applications in coding and cryptography. A new encryption standard, the Advanced

Encryption Standard (AES), works in the 8-bit binary field. We will introduce the AES in Chapter 7.

Finally we notice that in Theorem 5.6 we have never assumed p as prime. In fact, in Theorem 5.5, F can be any field, and F[x]f is called an extended field from the underlying subfieldF

via field extension. Since F can be any field, it can of course be an extended field from another underlying subfield. In many applications of finite fields, we need to know more information about the relation between extended fields and underlying subfields (for example, we will need to know this relation when we study the AES later). Also, a different way for finite fields

representation may also ease computation (e.g., the multiplication in Example 5.18 can be eased without using the Euclid algorithm if we use a different field representation). The next section serves the purpose for a better understanding of the structure of finite fields.

5.4.3 Finite Fields Constructed Using Polynomial Basis

This section is intended to provide the knowledge for helping a better understanding of some cryptosystems based on a general form of finite fields. We present it by assuming that the reader is familiar with the knowledge of vector space in linear algebra. However, this section may be skipped without causing difficulty for reading most parts of the rest of this book.

In §5.4.2 we have shown that under isomorphism, field is the finite field of order pdeg₍_f_). However, often it may not be very convenient for us to use fields modulo an irreducible

polynomial. In this final part of our course in algebraic foundations, let us construct finite fields using the roots of an irreducible polynomial over a finite field F. Fields constructed this way are more frequently used in applications.

Let F be a finite field and n be any positive integer. Let f(x) be an irreducible polynomial over F of degree n. We know that f(x) has exactly n roots in somewhere since f(x) can be factored into n linear polynomials there. We shall see in a moment that "somewhere" or "there" is exactly the space we are constructing.

Denote these n roots of f(x) = 0 by

Equation 5.4.6

Since f(x) is irreducible over F, none of these roots can be in F.

. Theorem 5.7

Let F be any finite field and let f(x) F[x] be an irreducible polynomial of degree n over F. Then for q being any root of f(x) = 0, elements

• Table of Contents

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

are linearly independent over F, that is, for ri F with i = 0, 1, 2, …, n –1:

Equation 5.4.7

Proof Let q be any root of f(x) = 0. We know q 1 since f(x) is irreducible over field F which contains 1. Suppose that the elements 1, q, q2_{, …,}_qn–1_{were not linearly independent over}_F_. That is, the linear combination (5.4.7) is possible for some ri F which are not all zero (i = 0, 1,

2, …, n–1). This is equivalent to q being a root of

With ri F (i = 0, 1, …, n–1), by Definition 5.21, r(x) is an element in the field F[x] f and

therefore r(x) = 0 means r(x) = 0 (mod f(x)). Let an be the leading coefficient of f(x). Then an

F, a n 0 and an–1 f(x)|r(x). But this is impossible since an–1 f(x) is of degree n while r(x) is of

degree less than n, unless r(x) is the zero polynomial. This contradicts the supposed condition that ri F are not all zero (i = 0, 1, …, n–1).

Definition 5.22: Polynomial BasisLet F be a finite field and f(x) be a degree-n irreducible polynomial over F. Then for any root q of f(x) = 0, elements 1, q, q2_{, …,}_qn–1_{are called a}

(polynomial) basis (of a finite vector space) over F.

We know from a fact in linear algebra that a basis of n elements spans an n-dimension vector space. The spanning uses the scalars in F, that is, the space so spanned has the following structure

Equation 5.4.8

. Theorem 5.8

Let F be a finite field and f(x) be a degree-n irreducible polynomial over F. Then for any root q of f(x) = 0, the vector space in (5.4.8) is a finite field of (#F)n_elements.

Proof First, we show that the space in (5.4.8) is a ring. The only non-trivial part is to show that Closure Axiom holds for multiplication. To do so, we note that from

• Table of Contents

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

Equation 5.4.9

with an F and an 0, we have

and so qn_{is a linear combination of the basis 1,}_q_,_q 2_{, …,}_qn–1_{. Multiplying}_q_{to (}_5.4.9_{), we can} further derive that for any positive integer m n, q m_{can be expressed as a linear combination}

of the same basis. Therefore, for any u, v in the space in (5.4.8), uv, as a linear combination of 1, q, …, qm_for_m ₂₍_n_{–1), must be a linear combination of the basis 1,}_q_{, …,}_qn–1_{, and hence is} in the space in (5.4.8). So we have shown Closure Axiom.

Secondly, to show that the space in (5.4.8) is a field, we only need to show that the space does not contain zero-divisors. To do so, we can use the linear independence relation in (5.4.7) and check that for uv = 0, either the scalars of u, or those of v, must all be zero, and hence either u = 0 or v = 0.

Finally, notice that since the spanning process uses #F elements of F as scalars and the basis of n elements, the space spanned has exactly (#F)n_elements.

Definition 5.23: Finite Field Let q be the number of elements in a finite field F. The finite field spanned by a basis of n elements over F is denoted by .

. Theorem 5.9

Let F be a finite field of q elements and let be a finite field spanned over F. Then

the characteristic of is that of F; i.

F is a subfield of ;

ii.

any element satisfying aq_{if and only if a F}_.

iii.

Proof Let 1, q, q2_{, …}_qn–1_{be a basis of} _over_F_.

Let char(F) denote the characteristic of F. Then adding any element in to itself char(F) times we obtain

• Table of Contents

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

Thus char( ) = char(F).

Since the basis contain 1, using scalars in F, any element in F is a linear combination of 1 and hence is a linear combination of the basis.

ii.

( ) Consider the subfield F = {0} F* where F* is a multiplicative group of the non- zero elements. So for any a F, either a = 0 or a F*. The former case satisfies aq₌_a

trivially. For the latter case, by Lagrange's Theorem (Corollary 5.2), ord(a)|#F* = q–1 and therefore aq–1_{= 1. So}_aq₌_a_{is also satisfied.}

iii.

( ) Any satisfying aq₌_a_{must be root of polynomial}_xq_{– x}_{= 0. This polynomial}

has degree q and therefore has at most q roots in including 0. By (ii), F is a subfield of , which already contains all the roots of xq_{– x}_{= 0. No other elements of} _{, can be a root of}_xq

– x.

In our course of spanning the field over a field F of q elements, we have never assumed or required that q be a prime number, that is, we have not assumed or required that F be a prime field. The following theorem provides the relationship between F and field spanned over F and stipulates the nature of q.

In document Modern Cryptography Theory & Practice pdf (Page 187-192)