A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Transcription

1 Byte multiplication 1 Field arithmetic A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: F is an abelian group under addition, meaning - F is closed under the operation: x + y F for all x, y F, - addition is commutative: x + y y + x for all x, y F, - addition is associative: (x + y) + z x + ( y + z ) for every x, y,z F, - 0 is the additive identity: x + 0 x for all x F, - for every x F there must be an additive inverse x F which satisfies x + ( x) 0; F is an abelian monoid under multiplication, meaning - F is closed under the operation: xy F for all x, y F, - multiplication is commutative: xy yx for all x, y F, - multiplication is associative: (xy)z x(yz ) for every x, y,z F, - 1 is the multiplicative identity: x 1 x for all x F,

2 Byte multiplication 2 For every nonzero x F there must be a (nonzero) multiplicative inverse x 1 F satisfying x(x 1 ) 1; Multiplication distributes over addition: x( y + z ) xy + xz for all x, y,z F. In any field, we can define subtraction and division as follows: x y means x + ( y ), and x / y means x( y 1 ). In particular, division by 0 will be undefined, since 0 has no multiplicative inverse! You are already familiar with examples of fields: the rational numbers, the real numbers, even the complex numbers are all fields. (Why?) Note that some other familiar number systems are not fields: the natural numbers, the integers, n n matrices, Z 10, Z 12 (why?). These examples of fields are all infinite sets. There are finite fields as well, the most important being Z p, the integers under arithmetic modulo a prime p. (Why is this a finite field?) The field Z 2 is used to produce bit arithmetic.

3 Byte multiplication 3 There are other binary fields that are useful for cryptology. In particular, we now describe GF (2 8 ), the Galois field with elements. (In general, a Galois field GF ( p n ) with p n elements for any power of any prime number is similarly defined, but these other fields play no role in cryptology, so we will not consider them here.) Begin by defining Z 2 [X ] to be the set of polynomials in X with coefficients in Z 2 ; these polynomials are added and multiplied in the obvious way, using mod 2 arithmetic: (X 3 + X +1)( X +1) X 4 + X 3 + X 2 +1 because 2X 0 (mod 2). (We also include the constant polynomials 0 and 1.) Long division works much the same as long division with integers: X 2 +1 X 2 + X +1) X 4 + X 3 +1 X 4 + X 3 + X 2 X 2 +1 X 2 + X +1 X

4 Byte multiplication 4 This computation can be summarized by writing it in the form X 4 + X 3 +1 X (mod X 2 + X +1). Therefore, by specifying a particular polynomial modulus P (X ), arithmetic in Z 2 [X ] extends to a congruence arithmetic for polynomials in Z 2 [X ] mod P (X ). It should be immediately clear from this that by dividing by P (X ), every polynomial in Z 2 [X ] can be seen to be congruent mod P (X ) to a unique polynomial in Z 2 [X ] of degree less than that of P (X ) (its remainder in the division). It is also clear that Z 2 [X ] mod P (X ) is an abelian group under addition and an abelian monoid under multiplication; further, the distributive law of multiplication over addition will hold here as well. The only field property that is not so easy to check is the one asserting that every nonzero polynomial in Z 2 [X ] mod P (X ) has a multiplicative inverse. The difficulty arises because it is not always true!

5 Byte multiplication 5 Recall that Z 10 is not a field because no factor of the modulus (like 2 or 5) can have a multiplicative inverse. More generally, Z n is not a field if n is a composite number. The same is true in Z 2 [X ] mod P (X ) if the polynomial P (X ) factors nontrivially: if P(X ) Q(X ) R(X ), where Q(X ) and R(X ) are polynomials of degree less than that of P (X ), then neither Q(X ) nor R(X ) can have a multiplicative inverse in Z 2 [X ] mod P (X ): if Q(X ) had a multiplicative inverse polynomial Q ( X ), multiplication of the congruence Q(X ) R(X ) P(X ) 0 (mod P(X )) by Q ( X ) would prove that R( X ) 0 (mod P (X )), that is, R(X ) is a multiple of P (X ) in addition to being a factor of P (X ), forcing P (X ) and R(X ) to have the same degree. But this would contradict our assumption that each of the factors Q(X ) and R(X ) has degree smaller than that of P (X ). In other words, if P (X ) factors nontrivially, then Z 2 [X ] mod P (X ) is not a field.

6 Byte multiplication 6 On the other hand, suppose P (X ) has no nontrivial factors (it is irreducible). Then, if D(X ) is any polynomial of smaller degree than P (X ), D(X ) is not a factor of P (X ), so long division of P (X ) by D(X ) will produce a quotient polynomial Q(X ) and remainder polynomial R(X ) where R(X ) has degree smaller than both P (X ) and Q(X ): P(X ) D(X ) Q(X ) + R(X ) Indeed, we can use the Euclidean algorithm on these polynomials, dividing D(X ) by R(X ), and so on, until we find either a remainder equal to 0, or until the degree of the final remainder is 0. The first case is impossible since we have assumed that P (X ) is irreducible. So it must be that the gcd of P (X ) and D(X ) is a constant polynomial. But the only nonzero constant polynomial in Z 2 [X ] is 1, so it follows that P (X ) and D(X ) are relatively prime in Z 2 [X ] mod P (X ). The extended Euclidean algorithm applied to these polynomials will then discover polynomials A(X ) and B(X ) so that A(X )P(X ) + B(X )D(X ) 1, whence B(X )D(X ) 1 (mod P(X )). Therefore, every nonzero polynomial of smaller degree than P (X ) has a multiplicative inverse in Z 2 [X ] mod P (X )!

7 Byte multiplication 7 It follows that if P (X ) is irreducible, then Z 2 [X ] mod P (X ) is a field. And since every polynomial in this field s congruent to a unique polynomial of degree less than n deg P ( X ), every element of this field is congruent to a polynomial of the form b n 1 X n 1 +b n 2 X n 2 + +b 1 X +b 0 where the b i ±1. Clearly, then, this field contains exactly 2 n elements. It is for this reason that we give it the label GF (2 n ). By selecting an irreducible polynomial of degree 8, like P (X ) X 8 + X 4 + X 3 + X +1 (how do you check that it is irreducible?), we obtain the field GF (2 8 ). We use this field to represent the set of all 8-bit bytes via the association b 7 X 7 +b 6 X 6 + +b 1 X +b 0 b 7 b 6 b 1 b 0 (that is, the powers of X act as placeholders for the bits). Observe that addition of polynomials corresponds to bitwise XOR of the bytes. What does multiplication of elements of GF (2 8 ) correspond to in byte form?

8 Byte multiplication 8 Multiplication of X with the polynomial B(X ) b 7 X 7 +b 6 X 6 + +b 1 X +b 0 simply adds 1 to each of the exponents in B(X ) if b 7 0, so if the leftmost bit is 0, it has the effect of shifting the bits of b 7 b 6 b 1 b 0 to the left one place, dropping the bit b 7, and attaching 0 as the new rightmost bit. But when b 7 1, then X B(X ) X ( X 7 +b 6 X 6 + +b 1 X +b 0 ) X 8 +b 6 X 7 + +b 1 X 2 +b 0 X P (X ) + X 8 +b 6 X 7 + +b 1 X 2 +b 0 X and since X 8 appears twice in the last expression, this term cancels out. This has the effect of shifting the bits of b 7 b 6 b 1 b 0 to the left one place, dropping the bit b 7, attaching a 0 as the rightmost bit, then computing an XOR with Multiplication of an arbitrary polynomial A( X ) in GF (2 8 ) with B(X ) can then be accomplished by muliplying B(X ) by those of 1, X,, X 7 corresponding to each successive nonzero term in A( X ), then summing the results. In byte form, this corresponds to repeated application of the above steps and a final XOR of the results.

9 Byte multiplication 9 For instance, to multiply the bytes A and B , we recognize that A corresponds to the polynomial X 7 + X 6 + X 4 and B to X 5 + X 4 + X 2 + X +1, so we multiply B(X ) by X successively four, six, and seven times, then sum the results: B AB