Finite Fields

(1)

Applied Cryptography

(Finite Fields)

Too much math - See Too much math - See

(2)

Finite Fields

The next morning at daybreak, Star flew indoors, The next morning at daybreak, Star flew indoors,

seemingly keen for a lesson. I said, "Tap eight." She did seemingly keen for a lesson. I said, "Tap eight." She did a brilliant exhibition, first tapping it in 4, 4, then giving me a brilliant exhibition, first tapping it in 4, 4, then giving me

a hasty glance and doing it in 2, 2, 2, 2, before coming a hasty glance and doing it in 2, 2, 2, 2, before coming

for her nut. It is astonishing that Star learned to count up for her nut. It is astonishing that Star learned to count up

to 8 with no difficulty, and of her own accord discovered to 8 with no difficulty, and of her own accord discovered

that each number could be given with various different that each number could be given with various different

divisions, this leaving no doubt that she was consciously divisions, this leaving no doubt that she was consciously thinking each number. In fact, she did mental arithmetic, thinking each number. In fact, she did mental arithmetic, although unable, like humans, to name the numbers. But although unable, like humans, to name the numbers. But

she learned to recognize their spoken names almost she learned to recognize their spoken names almost

immediately and was able to remember the sounds of immediately and was able to remember the sounds of

the names. Star is unique as a wild bird, who of her own the names. Star is unique as a wild bird, who of her own

free will pursued the science of numbers with keen free will pursued the science of numbers with keen

interest and astonishing intelligence. interest and astonishing intelligence.

—

(3)

Introduction

 will now introduce finite fields_{will now introduce finite fields}

 of increasing importance in cryptography_{of increasing importance in cryptography}

 AES, Elliptic Curve, IDEA, Public KeyAES, Elliptic Curve, IDEA, Public Key

 concern operations on “numbers”_{concern operations on “numbers”}

 where what constitutes a “number” and the where what constitutes a “number” and the

type of operations varies considerably

 start with concepts of _{start with concepts of}groups, rings, fields_{groups, rings, fields} from abstract algebra

(4)

Group

 a set of elements or “numbers”_{a set of elements or “numbers”}

 with some operation whose result is also in _{with some operation whose result is also in} the set (

the set (closure)closure)  obeys:_obeys:

 associative law:associative law: (a.b).c = a.(b.c)(a.b).c = a.(b.c)  has identity has identity ee:: e.a = a.e = ae.a = a.e = a

 has has inversesinverses aa-1-1:: a.aa.a-1-1 = e = e

 if _ifcommutative _commutative_{a.b = b.a}_{a.b = b.a}

(5)

Cyclic Group

 define _defineexponentiation_{exponentiation} as repeated _{as repeated} application of operator

application of operator

 example:example: aa-3-3 = a.a.a = a.a.a

 and let identity be:_{and let identity be:} _e=_e=_a_a00

 a group is cyclic _{a group is cyclic}if every element is a _{if every element is a} power of some fixed element

power of some fixed element

 i.e. i.e. b =b = aakk for some for some aa and every and every bb in group in group

(6)

Ring

 _{a set of “numbers”}_{a set of “numbers”}

 with two operations (_{with two operations (}addition and multiplication_{addition and multiplication}) ₎

which form: which form:

 _{an abelian group with addition operation}_{an abelian group with addition operation}  _{and multiplication:}_{and multiplication:}

 has closurehas closure  is associativeis associative

 distributive over addition:distributive over addition: a(b+c) = ab + aca(b+c) = ab + ac

 _{if multiplication operation is commutative, it forms a}_{if multiplication operation is commutative, it forms a}

commutative ring commutative ring

 _if_if_{multiplication operation has an identity and no}_{multiplication operation has an identity and no}

zero divisors, it forms an

(7)

Field

 a set of numbers _{a set of numbers}

 with two operations which form:_{with two operations which form:}

 abelian group for addition abelian group for addition

 abelian group for multiplication (ignoring 0) abelian group for multiplication (ignoring 0)

 ringring

 have hierarchy with more axioms/laws_{have hierarchy with more axioms/laws}

(8)

Modular Arithmetic

 define _definemodulo operator_{modulo operator} “_“_{a mod n”}_{a mod n”} to be _{to be}

remainder when a is divided by n

 use the term _{use the term}congruence_congruence for: _for:_{a = b mod n}_{a = b mod n}  when divided by when divided by n,n, a & b have same remainder a & b have same remainder  eg. 100 = 34 mod 11 eg. 100 = 34 mod 11

 b is called a _{b is called a}residue_residue of a mod n_{of a mod n}

 since with integers can always write: since with integers can always write: a = qn + ba = qn + b  usually chose usually chose smallestsmallest positivepositive remainder as residue remainder as residue

• ie. ie. 0 <= b <= n-1_{0 <= b <= n-1}

 process is known as process is known as modulo reductionmodulo reduction

(9)

Divisors

 say a non-zero number _{say a non-zero number}_b_b divides_divides _a_a if for _{if for} some

some _m_m have have _a=mb_a=mb ( (_a,b,m_a,b,m all integers) all integers)  that is _{that is}_b_b divides into _{divides into}_a_a with no remainder _{with no remainder}

 denote this _{denote this}_b|a_b|a

 and say that _{and say that}_b_b is a _{is a}divisor_divisor of _of_a_a

(10)

Modular Arithmetic Operations

 is 'clock arithmetic'_{is 'clock arithmetic'}

 uses a finite number of values, and loops _{uses a finite number of values, and loops} back from either end

back from either end

 modular arithmetic is when do addition & _{modular arithmetic is when do addition &} multiplication and modulo reduce answer multiplication and modulo reduce answer  can do reduction at any point, ie_{can do reduction at any point, ie}

(11)

Modular Arithmetic

 can do modular arithmetic with any group of _{can do modular arithmetic with any group of}

integers:

integers: _Z_Z_n_n_{= {0, 1, … , n-1}}_{= {0, 1, … , n-1}}

 form a commutative _{form a commutative}ring_ring for addition_{for addition}

 with a multiplicative identity_{with a multiplicative identity}  _{note some peculiarities}_{note some peculiarities}

 if if (a+b)(a+b)=(a+c) mod n =(a+c) mod n

then

then_{b=c mod n}_{b=c mod n}

 but if but if (a.b)(a.b)=(a.c) mod n =(a.c) mod n

then

(12)

Modulo 8 Addition Example

(13)

Greatest Common Divisor (GCD)

 a common problem in number theory_{a common problem in number theory}

 GCD (a,b) of a and b is the largest number _{GCD (a,b) of a and b is the largest number} that divides evenly into both a and b

that divides evenly into both a and b

 eg GCD(60,24) = 12eg GCD(60,24) = 12

 often want _{often want}no common factors_{no common factors} (except 1) _{(except 1)} and hence numbers are

and hence numbers are relatively primerelatively prime

 eg GCD(8,15) = 1eg GCD(8,15) = 1

(14)

Euclidean Algorithm

 an efficient way to _{an efficient way to}find the GCD(a,b)_{find the GCD(a,b)}  uses theorem that: _{uses theorem that:}

 GCD(a,b) = GCD(b, a mod b)GCD(a,b) = GCD(b, a mod b)

 Euclidean Algorithm to compute GCD(a,b) is: _{Euclidean Algorithm to compute GCD(a,b) is:}

EUCLID(a,b)

1. A = a; B = b 1. A = a; B = b

2. if B = 0 return A = gcd(a, b) 2. if B = 0 return A = gcd(a, b) 3. R = A mod B

3. R = A mod B 4. A = B

(15)

Example GCD(1970,1066)

1970 = 1 x 1066 + 904

1970 = 1 x 1066 + 904 gcd(1066, 904)gcd(1066, 904) 1066 = 1 x 904 + 162

1066 = 1 x 904 + 162 gcd(904, 162)gcd(904, 162) 904 = 5 x 162 + 94

904 = 5 x 162 + 94 gcd(162, 94)gcd(162, 94) 162 = 1 x 94 + 68

162 = 1 x 94 + 68 gcd(94, 68)gcd(94, 68) 94 = 1 x 68 + 26

94 = 1 x 68 + 26 gcd(68, 26)gcd(68, 26) 68 = 2 x 26 + 16

68 = 2 x 26 + 16 gcd(26, 16)gcd(26, 16) 26 = 1 x 16 + 10

26 = 1 x 16 + 10 gcd(16, 10)gcd(16, 10) 16 = 1 x 10 + 6

16 = 1 x 10 + 6 gcd(10, 6)gcd(10, 6) 10 = 1 x 6 + 4

10 = 1 x 6 + 4 gcd(6, 4)gcd(6, 4) 6 = 1 x 4 + 2

6 = 1 x 4 + 2 gcd(4, 2)gcd(4, 2) 4 = 2 x 2 + 0

(16)

Galois Fields

 finite fields play a key role in cryptography_{finite fields play a key role in cryptography}

 can show number of elements in a finite _{can show number of elements in a finite} field

field mustmust be a power of a primebe a power of a prime p pnn

 _{known as Galois fields}_{known as Galois fields}

 denoted GF(p_{denoted GF(p}nn)₎

 in particular often use the fields:_{in particular often use the fields:}

 GF(p)GF(p)

(17)

Galois Fields GF(p)

 GF(p) is the set of integers {0,1, … , p-1} _{GF(p) is the set of integers {0,1, … , p-1}} with arithmetic operations modulo prime p with arithmetic operations modulo prime p  these form a finite _{these form a finite}field_field

 since have multiplicative inversessince have multiplicative inverses

 hence arithmetic is “well-behaved” and _{hence arithmetic is “well-behaved” and}

can do addition, subtraction, multiplication, can do addition, subtraction, multiplication,

(18)

GF(

7 ₇

) Multiplication Example

_{) Multiplication Example}

 _{0 1 2 3 4 5} ₆

0 0 0 0 0 0 0 0 1 0 1 2 3 4 5 6

2 0 2 4 6 1 3 5

(19)

Finding Inverses

EXTENDED EUCLID(

EXTENDED EUCLID(mm, , bb))

1.

1. (A1, A2, A3)=(1, 0, (A1, A2, A3)=(1, 0, mm); ); (B1, B2, B3)=(0, 1,

(B1, B2, B3)=(0, 1, bb))

2. if

2. if B3 = 0B3 = 0

return

return A3 = gcd(A3 = gcd(mm, , bb); no inverse); no inverse

3. if

3. if B3 = 1 B3 = 1

return

return B3 = gcd(B3 = gcd(mm, , bb); B2 = ); B2 = bb–1–1_mod_mod_m_m

4.

4. Q = A3 div B3Q = A3 div B3

5.

5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)(T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)

6.

6. (A1, A2, A3)=(B1, B2, B3)(A1, A2, A3)=(B1, B2, B3)

7.

7. (B1, B2, B3)=(T1, T2, T3)(B1, B2, B3)=(T1, T2, T3)

8. goto

(20)

Inverse of 550 in GF(1759)

Q A1 A2 A3 B1 B2 B3

— 1 0 1759 0 1 550

3 0 1 550 1 –3 109

5 1 –3 109 –5 16 5

21 –5 16 5 106 –339 4

1 106 –339 4 –111 355 1

(21)

Polynomial Arithmetic

 can compute using polynomials_{can compute using polynomials}

f

f((xx) = a) = a_n_nxxnn + a_{+ a} n-1

n-1xxn-1n-1 + … + a + … + a11x + x + aa00 = ∑ a = ∑ aiixxii

• nb. not interested in any specific value of x_{nb. not interested in any specific value of x}

• which is known as the indeterminate_{which is known as the indeterminate}

 several alternatives available_{several alternatives available}

 ordinary polynomial arithmeticordinary polynomial arithmetic

 poly arithmetic with coords mod ppoly arithmetic with coords mod p

 poly arithmetic with coords mod p and poly arithmetic with coords mod p and

polynomials mod m(x)

(22)

Ordinary Polynomial Arithmetic

 add or subtract corresponding coefficients_{add or subtract corresponding coefficients}  multiply all terms by each other_{multiply all terms by each other}

 eg_eg

let

let ff((xx) = ) = xx33 + ₊x_x22 + 2 and _{+ 2 and}g_g(₍x_x) = _{) =}x_x22 – _–x _x+ 1_{+ 1}

f

f((xx) + ) + gg((xx) = ) = xx33 + 2_{+ 2}x_x22 – _–x _x+ 3_{+ 3}

f

f((xx) – ) – gg((xx) = ) = xx33 + ₊x _x+ 1_{+ 1}

f

(23)

Polynomial Arithmetic with

Modulo

Coefficients

_Coefficients

 when computing value of each coefficient _{when computing value of each coefficient} do calculation modulo some value

do calculation modulo some value

 forms a polynomial ringforms a polynomial ring

 could be modulo any prime_{could be modulo any prime}

 but we are most interested in mod 2_{but we are most interested in mod 2}

 i.e. i.e. all coefficients are 0 or 1all coefficients are 0 or 1

 eg. let eg. let ff((xx) = ) = xx33 + + xx22 and and gg((xx) = ) = xx22 + + x x + 1+ 1

f

f((xx) + ) + gg((xx) = ) = xx33 + ₊x _x+ 1_{+ 1}

f

(24)

Polynomial Division

 can write any polynomial in the form:_{can write any polynomial in the form:}

 ff((xx) = ) = qq((xx) ) gg((xx) + ) + rr((xx))

 can interpret can interpret rr((xx) ) as being a remainderas being a remainder  rr((xx) = ) = ff((xx) mod ) mod gg((xx))

 if have no remainder say _{if have no remainder say}g_g(₍x_x) divides _{) divides}f_f(₍x_x)₎  if _ifg_g(₍x_x) has no divisors other than itself & 1 _{) has no divisors other than itself & 1}

say it is

say it is irreducibleirreducible (or prime) (or prime) polynomial polynomial  arithmetic modulo an irreducible _{arithmetic modulo an irreducible}

(25)

Polynomial GCD

 can find greatest common divisor for polys_{can find greatest common divisor for polys}

 c(x)c(x) = GCD( = GCD(a(x), b(x)a(x), b(x)) if ) if c(x)c(x) is the poly of greatest is the poly of greatest

degree which divides both

degree which divides both a(x), b(x)a(x), b(x)

 can adapt Euclid’s Algorithm to find it:_{can adapt Euclid’s Algorithm to find it:}

EUCLID[

EUCLID[aa((xx)), b, b((xx)])]

1.

1. A(A(xx) = ) = aa((xx); B(); B(xx) = ) = bb((xx))

2. if

2. if B(B(xx) = 0 ) = 0 return return A(A(xx) = gcd[) = gcd[aa((xx)), b, b((xx)])]

3.

3. R(R(xx) = A() = A(xx) mod B() mod B(xx))

4.

4. A(A(xx) ¨ B() ¨ B(xx))

5.

5. B(B(xx) ¨ R() ¨ R(xx))

(26)

Modular Polynomial

Arithmetic

 can compute in field GF(2_{can compute in field GF(2}nn) ₎

 polynomials with coefficients modulo 2polynomials with coefficients modulo 2

 whose degree is less than nwhose degree is less than n

 hence must reduce modulo an irreducible poly hence must reduce modulo an irreducible poly

of degree n (for multiplication only)

 form a finite field_{form a finite field}

 can always find an inverse_{can always find an inverse}

(27)

Example GF(2

(28)

Computational

Considerations

 since coefficients are 0 or 1, can represent _{since coefficients are 0 or 1, can represent} any such polynomial as a

any such polynomial as a bit stringbit string

 addition_addition becomes XOR of these bit strings_{becomes XOR of these bit strings}  multiplication_{multiplication} is shift & XOR_{is shift & XOR}

 cf long-hand multiplicationcf long-hand multiplication

 modulo reduction done by repeatedly _{modulo reduction done by repeatedly}

substituting highest power with remainder substituting highest power with remainder

(29)

Computational Example

 _in_in_GF(2_GF(233) have _{) have}(x(x22+1) is 101_{+1) is 101}

2

2 & (x & (x22+x+1) is 111+x+1) is 11122

 so _soaddition_addition is_is

 (x(x22+1) + (x+1) + (x22+x+1) = x +x+1) = x  101 XOR 111 = 010101 XOR 111 = 010

2

2  and _andmultiplication_{multiplication} is_is

 (x+1).(x(x+1).(x22+1) = x.(x+1) = x.(x22+1) + 1.(x+1) + 1.(x22+1) +1) = x

= x33+x+x_+x+x22+1 = x_{+1 = x}33+x_+x22+x+1 _+x+1

 011*101 = 3*5=15= 1111011*101 = 3*5=15= 1111

2

 polynomial _polynomialmodulo reduction_{modulo reduction} (get q(x) & r(x)) is_{(get q(x) & r(x)) is}

 (x(x33+x+x22+x+1 ) mod (x+x+1 ) mod (x33+x+1) = 1.(x+x+1) = 1.(x33+x+1) + (x+x+1) + (x22) = x) = x22  1111 mod 1011 = 1111 XOR 10111111 mod 1011 = 1111 XOR 1011 = 0100 = 0100

2

(30)

Using a Generator

 equivalent definition of a finite field_{equivalent definition of a finite field}  a _agenerator_generator g is an element whose _{g is an element whose}

powers generate all non-zero elements powers generate all non-zero elements

 in F have 0, gin F have 0, g00, g, g11, …, g, …, gq-2q-2

 can create generator from _{can create generator from}root_root of the _{of the} irreducible polynomial

irreducible polynomial

 then implement multiplication by adding _{then implement multiplication by adding} exponents of generator

(31)

Summary

 have considered:_{have considered:}

 concept of groups, rings, fieldsconcept of groups, rings, fields

 modular arithmetic with integersmodular arithmetic with integers

 Euclid’s algorithm for GCDEuclid’s algorithm for GCD

 finite fields GF(p)finite fields GF(p)