Appendix A Finite or Galois Fields

Size: px

Start display at page:

Download "Appendix A Finite or Galois Fields"

Winifred Stevens
5 years ago
Views:

1 Appendix A Finite or Galois Fields Finite or Galois fields are used in the design and in the interpretation of the operation of some arithmetic and algebraic circuits. The axioms and the main properties of the finite or Galois fields are studied in this Appendix, which is oriented to have an immediate reference, excluding any demonstrations. Any of the texts listed in the References or any other of the many that exits on these issues can be consulted in order to have a more detailed approach of the addressed issues. A.1 General Properties A set of axioms defining a field as well as Theorems of interest for its application to the design of circuits are enunciated bellow. A.1.1 Axioms Given a set of elements, C, the axioms to define a field used here are: I. Internal laws of composition Two internal laws of composition, (operator EXOR, or addition) and (operator AND or product) are defined in C, being C closed for the same: 8x; y 2 C ðaþ x y 2 C ðbþ x y 2 C Often the symbol is replaced by or deleted, writing x y or just xy instead of x y. Also, when there is no possible confusion, the symbol is replaced by +. II. Commutativity of the internal laws of composition Both internal laws of composition are commutative: 8x; y 2 C ðaþ x y ¼ y x ðbþ x y ¼ y x A. Lloris Ruiz et al., Algebraic Circuits, Intelligent Systems Reference Library 66, DOI: / , Ó Springer-Verlag Berlin Heidelberg

2 318 Appendix A: Finite or Galois Fields III. Associativity of the internal laws of composition Both internal laws of composition are associative: 8x; y; z 2 C; ðaþ ðx yþz ¼ x ðyzþ ðbþ ðx yþz ¼ x ðyzþ Usually parenthesis are deleted and it will be written x y z or x y z, so that, thanks to the associativity, the internal laws of composition are not restricted to be binary operators, but can be applied to any number of operands. IV. Distributivity of the internal laws of composition The product is distributive over addition: 8x; y; z 2 C; x ðy zþ ¼ðx yþðx zþ V. Neutral elements There are neutral elements for both internal laws of composition, which are denominated 0 (neutral element for addition) and 1 (neutral element for the product): (a) Cj8x 2 C; x 0 ¼ 0 x ¼ x (b) Cj8x 2 C; x 1 ¼ 1 x ¼ x VI. Opposite of each element Every element of C has its opposite, which is represented as -x: 8x 2 C; 9 x 2 Cjx x ¼ 0 VII. Inverse of each nonzero element Every element of C different from 0 has its inverse, which is represented as x -1 : 8x 2 C; x 6¼; 9x 1 2 Cjx x 1 ¼ 1 VIII. 0 and 1 are different The elements 0 and 1 are different. Obviously, this axiom VIII also establishes that the minimum number of elements in C is two. Nothing is said in the axioms about the total number of elements or its type. There are fields with an infinite number of elements and there are others fields with a finite number of elements; these last are also known as Galois fields, in honor of the French mathematician Evariste Galois. The following sections are devoted to the Galois fields. Under the axiom II, all the considered fields in this text are commutative.

3 Appendix A: Finite or Galois Fields 319 A.1.2 Theorems Some theorems and corollaries valids for any field are described at the following, not including its demonstration: Theorem 1 (a) The neutral element for addition, 0, is unique. (b) The neutral element for the product, 1, is unique. Theorem 2 The opposite of every element is unique. Theorem 3 The inverse of each nonzero element is unique. Theorem 4 The inverse of x -1 is x: ðx 1 Þ 1 ¼ x Theorem 5 For the opposite of the addition x y it holds that: ðx yþ ¼ð xþð yþ Theorem 6 There are no zero divisors. It means: xy ¼ 0 ) x ¼ 0ory ¼ 0 Theorem 7 For the inverse of the product x y it holds: ðx yþ 1 ¼ x 1 y 1 Theorem 8 The inverse of 1 is 1. Theorem 9 The cancellation law for multiplication is verified: x y ¼ x z ) y ¼ z or x ¼ 0 Theorem 10 The following equalities are met for the exponents: x m x n ¼ x mþn x m x n ¼ x m n ðx m Þ n ¼ x mn

4 320 Appendix A: Finite or Galois Fields A.2 GF(2) The simplest example of a Galois field is the one which only contains two elements, i.e., in this case C = {0, 1}. In this field, called the Galois field of order 2 or GF(2), the operations and are defined by Tables A.1 and A.2, and correspond to the addition and the product modulo 2. Furthermore, from the definitions of the operations and it is immediate that in GF(2) the inverse of x and the opposite of x are x itself: x 1 ¼ x; x ¼ x In GF(2) the following equations are also met: x x ¼ 0 x x ¼ x 2 ¼ x Table A.1 Operation in GF(2) Table A.2 Operation in GF(2) Any switching function may be expressed using the operators in GF(2), so called as Reed-Muller (EXOR-AND logic) expansion. On the other hand, in the processing of digital systems the Boolean algebra (logic AND-OR) is used, in which the used operators are AND (), OR (+) and NOT (-). Any switching function can be also developed based on these operators. It is logical to expect that these two sets of operators have a simple relationship, so it is easy to move from one development to another. Specifically, to move from the development AND-EXOR to the development AND-OR, the following substitutions can be used: x y ¼ x y x y ¼ x y þ x y To transform an expression AND-OR into the AND-EXOR equivalent expression, the following identities can be used:

5 Appendix A: Finite or Galois Fields 321 x y ¼ x y x þ y ¼ðxyÞxy x ¼ x 1 A.3 GF(p) Let suppose p an integer number, C = {0, 1,, p - 1}, and the operations and are defined as the addition and the product modulo m, respectively. For example, in Tables A.3 and A.4 are the addition and product module 5. It is straightforward to check that C 5 = {0, 1, 2, 3, 4}, with the operations defined in Tables A.3 and A.4, is a Galois field, which is called as GF(5). In this case the opposite and the inverse of each element (remember that 0 has not inverse) are given in Tables A.5 and A.6. Table A.3 Operation in GF(5) Table A.4 Operation in GF(5) Table A.5 Opposites in GF(5) Opposite Table A.6 Inverses in GF(5) Inverse

6 322 Appendix A: Finite or Galois Fields It is easy to see that if and only if p is prime (or a power of a prime number, as shown in the next section), GF(p), defined as done in the previous paragraph, is a Galois field. It is easy to show that if there is another finite field with p elements, then it is isomorphic to GF(p). In general, it is proved that two finite fields are isomorphic if they have the same number of elements. For each element e = 0, of any Galois field, its order is defined as the smallest integer n such that e n = 1, and it is indicated as ord(e) = n. For example, in GF(5), it is immediately to check that ord(1) = 1, ord(2) = 4, ord(3) = 4, ord(4) = 2. It is said that an element e of GF(p) isprimitive if ord(e) = p - 1. A primitive element is also known as a generator, because the successive powers of a primitive element generate all nonzero elements of GF(p). In GF(5), 2 and 3 are primitive elements, resulting: 2 1 ¼ 2; 2 2 ¼ 4; 2 3 ¼ 3; 2 4 ¼ ¼ 3; 3 2 ¼ 4; 3 3 ¼ 2; 3 4 ¼ 1 In any Galois field there is an element 0 (one and only one), an element 1 (one and only one) and primitive elements (at least one). The characteristic of a Galois field is the number of different elements that can be obtained by adding the unit element with itself as many times as desired. It is straightforward to check that for a Galois field GF(p), its characteristic is p. For any element e of GF(p) the following equality, due to Fermat, is verified: A.4 GF(p m ) e p 1 ¼ 1; or e p ¼ e Given a Galois field GF(p), Galois fields with p m elements GF(p m ) can be built as an extension of that field, being m any integer greater than 1, as shown in Appendix B for the case of polynomials on GF(2). GF(p m ) can be considered as a vector space of dimension m over GF(p), defining the addition in the vector space as the ordinary addition in GF(p m ), and the scalar product as the product of the elements in GF(p m ) by the elements of GF(p). As GF(p m ) is a vector space, different bases can be used for each GF(p m ). The Galois field GF(p m ) can be defined using polynomials with coefficients belonging to GF(p), as it is detailed in Appendix B. It is shown that the characteristic of the Galois field GF(p m )isp. Also, if a finite field GF with characteristic p, then the number of elements is of the form p m, m = 1, 2, For any Galois field of characteristic p, the following expression is verified for any elements e 1,, e n, of that field: ðe 1 þþe n Þ p ¼ ðe 1 Þ p þþðe n Þ p

7 Appendix A: Finite or Galois Fields 323 For any prime number p and any integer m, it is shown that there is a Galois field GF(p m ). For any element e of GF(p m ) it is verified that e pm ¼ e: References Garret, P. B.: Abstract Algebra. Chapman & Hall (2008) Howie, J.M.: Field and Galois Theory. Springer (2006) Lidl, R.; Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press (1986) Stewart, I.: Galois Theory. Chapman and Hall (1989)

8 Appendix B Polynomial Algebra Several applications of digital systems, such as information codification, cryptography, o digital circuit test, make use of the properties of polynomials over GF(2) and over GF(p). This Appendix summarizes the main properties of these polynomials, without showing demonstrations for most cases. The main objective is to have a close reference, as well as unifying the nomenclature. For a more detailed presentation and for inspecting the demonstrations not provided here, the list of references provided at the end of the Appendix may be used. The Appendix will start showing some general properties of polynomials, later particularizing to polynomials over GF(2) and over GF(p). After that, the Galois fields GF(2 m ) are studied in detail, finally analyzing the Galois fields GF(p m ) and GF((p m ) n ). B.1 General Properties If n is a non-negative integer, a polynomial P(x) in the variable x is: Px ðþ¼a n x n þ a n 1 x n 1 þþa 1 x þ a 0 where a i are constants, called coefficients, not all null and belonging to a number field, for example, real numbers, complex numbers, or a numeric Galois field. P(x)isofdegree n when a n = 0; the degree of P will be represented as g(p). If a n = 1, the polynomial P(x) is said to be monic. A polynomial is defined by its coefficients. Concretely, P(x) = {a i } = (a n, a n-1,, a 1, a 0 ) will be used as definition, and the different polynomial operations may be defined depending on the coefficients, as it is done in the following. It is usual to assume a n = 0, but it is also clear that as many coefficients a j = 0, j [ n as it is desired may be added (for example, for equaling the lengths of two polynomials, if this was required for some polynomial operation). The coefficient a 0 is called independent term, as it is not multiplied by x. Itis obvious that when a 0 = 0 for P(x), then P(x) = xq(x). A. Lloris Ruiz et al., Algebraic Circuits, Intelligent Systems Reference Library 66, DOI: / , Ó Springer-Verlag Berlin Heidelberg

9 326 Appendix B: Polynomial Algebra B.1.1 Polynomial Operations Polynomial addition (subtraction): given the polynomials P ={a i } and Q = {b i }, their addition S = P + Q (subtraction R = P - Q) is defined as S ={a i + b i } (R ={a i - b i }), where a i + b i,or(a i - b i ), is computed in the coefficient field. Polynomial product: given the n polynomials P = {a i } and Q = {b i }, their product M = PQ is defined as M ¼ c i ¼ P o jþk¼i a jb k, where a j b k is computed in the coefficient field. It is verified that g(m) = g(p) + g(q). The cancellation law is verified for the polynomial product, i.e., if it is assumed that P = 0: PQ ¼ PR 7! Q ¼ R Polynomial division: given any polynomials P (dividend) and Q (divider), the division of P by Q is defined by the quotient, C, and the remainder, R: P ¼ QC þ R Imposing the restriction g(r) \ g(q), C and R are unique. The relationship above for R can also be expressed as: R ¼ PmodQ; or also R ¼ jpj Q A polynomial P (dividend) is said to be divisible by another Q (divider) when there exists a third polynomial C (quotient) such as P = QC, i.e., it is an exact (null remainder) division, and Q is said to be divisor of P. Given any two polynomials, not always there exists an exact quotient. An irreducible polynomial is that with all its divisors being of degree zero. Integer numbers m can be found for every polynomial P(x), so P(x) is a divider of the bynomial x m - 1. Given e as the minimum of all of these integers m for a given P(x); this value e is known as the order of the polynomial P(x). A reducible polynomial P has dividers (Q 1,, Q s ) whose degree is larger than zero. Given the set of all irreducible dividers of P(I 1,, I t ), P can always be expressed in a unique form as the product of all these irreducible polynomials: P ¼ c Y I j ; j ¼ 1;...; t Given the reducible polynomials P and Q, their greatest common divisor (gcd(p, Q)) is the monic polynomial of larger degree that divides both of them. If the greatest common divisor of two polynomials is of degree zero, the polynomials are said to be relatively prime. The Euclides algorithm can be used for computing gcd(p, Q) - v. [McCoy01] which is detailed below:

10 Appendix B: Polynomial Algebra 327 Algorithm B.1 Euclides algorithm (1) Let g(p) \ g(q). P is divided by Q: P ¼ QC 1 þ R 1 (2) If R 1 = 0, the current divisor, Q, is divided by the current remainder, R 1 : Q ¼ R 1 C 2 þ R 2 (3) Again, if R 2 = 0, the current divisor, R 1, is divided by the current remainder, R 2, and so on until a null remainder is obtained: R k 1 ¼ R k C kþ1 (4) It results gcd(p, Q) = gcd(q, R 1 ) = gcd(r 1, R 2 ) = _ = gcd(r k,0)= R k. End algorithm It is obvious that the Euclides algorithm will find gcd(p, Q) in a finite number of iterations, since the degree of the remainder is reduced in each division. The computation of gcd(p, Q) through successive divisions may have as main drawback the difficulties for implementing division. In this case, it must be taken into account that the Euclides algorithm can be also applied through successive subtractions. Given P and Q, g(p) \ g(q), it is demonstrated that: gcdðp; QÞ ¼ gcdðp Q; QÞ This equivalence is applied iteratively until it gets to a null difference, and the gcd(p, Q) is the last non-null difference. P - x d Q, with d = g(p) - g(q), can be used instead of P - Q in order to speed up the computation process, i.e., it is applied gcd(p, Q) = gcd(p - x d Q, Q), and once more the process ends when it gets to a null difference. It can be also easily demonstrated -v. [Garr08] that if R = gcd(p, Q) there are two polynomials A and B such: R ¼ AP þ BQ This decomposition, known as extendend Euclides algorithm, is useful for some calculations. Thus, in the following it will be shown how to obtain the polynomials A and B. In the computation of gcd(p, Q) through successive divisions: P ¼ QC 1 þ R 1 Q ¼ R 1 C 2 þ R 2 R 1 ¼ R 2 C 3 þ R 3... R i 2 ¼ R i 1 C i þ R i...

11 328 Appendix B: Polynomial Algebra so the main term in this iteration is R i ¼ R i 2 R i 1 C i where R -1 = P and R 0 = Q. The computation ends when R m = 0, and gcd(p, Q) = R m-1. Assuming that R i can be decomposed as R, i.e., that R i ¼ A i P þ B i Q and substituting in the main term R i results in: R i ¼ R i 2 R i 1 C i ¼ðA i 2 P þ B i 2 QÞ ða i 1 P þ B i 1 QÞC i ¼ðA i 2 A i 1 C i ÞP þðb i 2 B i 1 C i ÞQ Thus, the main terms for the iterative computation of A i and B i are, respectively: A i ¼ A i 2 A i 1 C i B i ¼ B i 2 B i 1 C i where A -1 = 1, A 0 = 0, B -1 = 0 and B 0 = 1, as it is immediate to check. The computation of A and B requires as many iterations as the computation of gcd(p, Q). In the way A i and B i have been defined, A i P + B i Q is equal to the remainder generated in the iteration, for all iterations. Defining the operation COC(R 1, R 2 ), which provides the quotient polynomial resulting from dividing the polynomial R 1 by the polynomial R 2, the following algorithm would provide the greatest common divisor of two polynomials P(x) and Q(x), as well as the polynomials A and B above. Algorithm B.2 After the execution of the Algorithm B.2 for computing gcd(p, Q), polynomials A 1 and B 1 are stored in the registers A 1 and B 1, respectively. The greatest common divisor is stored in R 1, and can also be computed applying gcd(p, Q) = A 1 P + B 1 Q.

12 Appendix B: Polynomial Algebra 329 Example B.1 Given P(x) 5 x 8 + x 7 + x + 1 and Q(x) 5 x 5 + x + 1, with coefficients in GF(2), compute gcd(p, Q). Applying Euclides Algorithm B.2, through successive divisions, leads to: x 8 þ x 7 þ x þ 1 ¼ x 5 þ x þ 1 x 3 þ x 2 þ x 4 þ x 2 þ x þ 1ðP ¼ QC 1 þ R 1 Þ x 5 þ x þ 1 ¼ x 4 þ x 2 þ x þ 1 x þ x 3 þ x 2 þ 1 ðq ¼ R 1 C 2 þ R 2 Þ x 4 þ x 2 þ x þ 1 ¼ x 3 þ x 2 þ 1 ðx þ 1Þ ð R1 ¼ R 2 C 3 Þ Since the remainder of the last division is null, gcd(p, Q)= x 3 + x The computations above yielded: C 1 = x 3 + x 2, C 2 = x, C 3 = x + 1. In the computation of A it holds: A 1 ¼ 1; A 0 ¼ 0; A 1 ¼ A 1 A 0 C 1 ¼ 1; A 2 ¼ A 0 A 1 C 2 ¼ x In the same way, in the computation of B it holds: B 1 ¼ 0; B 0 ¼ 1; B 1 ¼ B 1 B 0 C 1 ¼ x 3 þ x 2 ; B 2 ¼ B 0 B 1 C 2 ¼ 1 þ x 3 þ x 2 x ¼ x 4 þ x 3 þ 1 It is immediate to check that A 2 P + B 2 Q = R 2 = gcd(p, Q). A new iteration in A and B leads to: A 3 ¼ A 1 A 2 C 3 ¼ 1 þ xxþ ð 1Þ ¼ x 2 þ x þ 1 B 3 ¼ B 1 B 2 C 3 ¼ x 3 þ x 2 þ x 4 þ x 3 þ 1 ðx þ 1Þ ¼ x 5 þ x 2 þ x þ 1 It is easily checked that A 3 P + B 3 Q = R 3 = 0. Table B.1 shows the contents of the different registers during the application of Algorithm B.1 to the polynomials above for computing gcd(p, Q). Now applying the Euclides algorithm through succesive subtractions leads to: Table B.1 Algorithm for computing gcd(p, Q) Q TEMP R 2 R 1 A 1 A 2 B 1 B 2 1 x 5 + x +1 x 8 + x 7 + x x 3 + x 2 x 5 + x x 4 + x 2 + x +1 x 5 + x x 3 + x 2 2 X x 4 + x 2 + x x 3 + x 2 +1 x 4 + x 2 + x +1 4 x 3 + x 2 1 x 5 x 3 + x 2 x 4 + x x +1 x 3 + x x 0 x 3 + x x 4 + x 3 +1 x x 2 + x +1 5 x 4 + x 3 +1 x 5 + x 2 + x +1

13 330 Appendix B: Polynomial Algebra gcdðp; QÞ ¼ gcd x 8 þ x 7 þ x þ 1; x 5 þ x þ 1 ¼ gcd x 8 þ x 7 þ x þ 1 x 3 x 5 þ x þ 1 ; x 5 þ x þ 1 ¼ gcd x 7 þ x 4 þ x 3 þ x þ 1; x 5 þ x þ 1 ¼ gcd x 7 þ x 4 þ x 3 þ x þ 1 x 2 x 5 þ x þ 1 ; x 5 þ x þ 1 ¼ gcd x 4 þ x 2 þ x þ 1; x 5 þ x þ 1 ¼ gcd x 5 þ x þ 1; x 4 þ x 2 þ x þ 1 ¼ gcdðx 5 þ x þ 1 xðx 4 þ x 2 þ x þ 1Þ; x 4 þ x 2 þ x þ 1Þ ¼gcd x 3 þ x 2 þ 1; x 4 þ x 2 þ x þ 1 ¼ gcd x 4 þ x 2 þ x þ 1; x 3 þ x 2 þ 1 ¼ gcd x 4 þ x 2 þ x þ 1 x x 3 þ x 2 þ 1 ; x 3 þ x 2 þ 1 ¼ gcd x 3 þ x 2 þ 1; x 3 þ x 2 þ 1 ¼ gcdðx 3 þ x 2 þ 1 x 3 þ x 2 þ 1 ; x 3 þ x 2 þ 1Þ ¼ gcd x 3 þ x 2 þ 1; 0 ¼ x 3 þ x 2 þ 1 h Example B.2 Given P(x) 5 5x 8 + 4x 7 +3x 6 + x 4 +5x 3 + x 2 +2x +5 and Q(x) 5 3x 5 + x 3 +3x + 4, with coefficients in GF(7), compute gcd(p, Q). Applying Euclides algorithm, through successive divisions, leads to: 5x 8 þ 4x 7 þ 3x 6 þ x 4 þ 5x 3 þ x 2 þ 2x þ 5 ¼ 3x 5 þ x 3 þ 3x þ 4 4x 3 þ 6x 2 þ 2x5 þ x 4 þ x 3 þ 6x 2 þ 6 ðp ¼ QC 1 þ R 1 Þ 3x 5 þ x 3 þ 3x þ 4 ¼ x 4 þ x 3 þ 6x 2 þ 6 ð3x þ 4Þþ4x 2 þ 6x þ 1 ðq ¼ R 1 C 2 þ R 2 Þ x 4 þ x 3 þ 6x 2 þ 6 ¼ 4x 2 þ 6x þ 1 2x 2 þ 6x þ 6 ðr 1 ¼ R 2 C 3 Þ Since the remainder of the last division is null, gcd(p, Q) = 4x 2 +6x +1. The computations above yielded: C 1 = 4x 3 +6x 2 +2x 5, C 2 = 3x +4, C 3 = 2x 2 +6x +6. In the computation of A it holds: A 1 ¼ 1; A 0 ¼ 0; A 1 ¼ A 1 A 0 C 1 ¼ 1; A 2 ¼ A 0 A 1 C 2 ¼ 3x ð þ 4Þ ¼ 4x þ 3 In the same way, in the computation of B it holds: B 1 ¼ 0; B 0 ¼ 1; B 1 ¼ B 1 B 0 C 1 ¼ 4x 3 þ 6x 2 þ 2x þ 5 ¼ 3x 3 þ x 2 þ 5x þ 2 B 2 ¼ B 0 B 1 C 2 ¼ 1 þ 4x 3 þ 6x 2 þ 2x þ 5 ð3x þ 4Þ ¼ 5x 4 þ 6x 3 þ 2x 2 þ 2x It is immediate to check that A 2 P + B 2 Q = R 2 = gcd(p, Q). A new iteration in A and B leads to: A 3 ¼ A 1 A 2 C 3 ¼ 1 þ ð3x þ 4Þ 2x 2 þ 6x þ 6 ¼ 6x 3 þ 5x 2 þ 4 B 3 ¼ B 1 B 2 C 3 ¼ 4x 3 þ 6x 2 þ 2x þ 5 5x 4 þ 6x 3 þ 2x 2 þ 2x 2x 2 þ 6x þ 6 ¼ 4x 6 þ 5x 2 þ 2 It is easily checked that A 3 P + B 3 Q = R 3 = 0. Table B.2 shows the contents of the different registers during the application of Algorithm B.1 to the polynomials above for computing gcd(p, Q). Applying the Euclides algorithm through successive subtractions leads to the same result above. h

14 Appendix B: Polynomial Algebra 331 Table B.2 Algorithm for computing gcd(p, Q) Q TEMP R2 R1 A1 A2 B1 B2 1 3x 5 + x 3 +3x +4 5x 8 +4x 7 +3x 6 + x 4 +5x 3 + x 2 +2x x 3 +6x 2 +2x +5 3x 5 + x 3 +3x x 4 + x 3 +6x x 5 + x 3 +3x x 3 + x 2 +5x x +4 x 4 + x 3 +6x x 2 +6x +1 x 4 + x 3 +6x x 3 + x 2 +5x x x 3 + x 2 +5x +2 5x 4 +6x 3 +2x 2 +2x 2 2x 2 +6x +6 4x 2 +6x x x 2 +6x x 4 +6x 3 +2x 2 +2x 4x +3 6x 3 +5x x 4 +6x 3 +2x 2 +2x 4x 6 +5x 2 +2

15 332 Appendix B: Polynomial Algebra If P and Q are relatively prime, then 1 = AP + BQ. In the case AP = 0, as it sometimes happens, then BQ = 1, i.e., B = Q -1. Thus, it results in a procedure for computing the inverse of a polynomial Q(x). B.1.2 Congruence Relationship The polynomials M and N are said to be congruent modulo the polynomial Q if: jm j Q ¼ jn The congruence relationship with respect to a given modulo Q is an equivalence relation and, therefore, all polynomials are classified into mutually exclusive classes, each of which may be represented by their remainder. If g(q) = p, the representative of each equivalence class is the value 0 or a polynomial of degree less than p. These equivalence classes form a commutative algebra of dimension p over the field of the coefficients. Let Q be a monic polynomial of degree n: j Q It is obvious that: or also: That can be written as: or: Q ¼ x n þ Xn 1 a i x i i¼0 jqj Q ¼ 0 x n þ Xn 1 a i x i ¼ 0 Q jx n jx n i¼0 j Q þ Xn 1 a i x i ¼ 0 Q i¼0 j Q ¼ Xn 1 a i x i i¼0 Q ðb:2þ So, in the modular algebra modulo Q ¼ x n þ P n 1 i¼0 a ix i, x n can be substituted by the remainder summands of the polynomial Q, with negative sign (i.e. P n 1 i¼0 a ix i ).

16 Appendix B: Polynomial Algebra 333 B.2 Polynomials Over GF(2) If the coefficients of the polynomials belong to GF(2), each polynomial is given by a combination of zeros and ones. This binary information, like any other, can be given in parallel or in serial. When information is given in serial, usually the order of the coefficients is high to low (first a n, last a 0 ), because of the requirements of the division. The coefficients of polynomials over GF(2) are 0 or 1, so that there are 2 n polynomials of degree n (a n have to be 1), and there are 2 n polynomials of degree less than n (that is, with n = 0). The 2 n polynomials of degree less than n can be represented by the 2 n possible combinations of zeros and ones, as is done in Table B.3 for the case n = 4. In the Table B.3, besides the binary coordinates of each polynomial, the corresponding hexadecimal value is given, in brackets, which can also be used to represent the polynomial. Whether the information is given in serial or parallel, the operations with polynomials can be performed directly on the n-tuples of zeros and ones that represent them. For example, with parallel data, let suppose the polynomials P(x) = (1, 0, 0, 1) and Q(x) = (1, 0, 1, 0, 1). Equaling the lengths of P(x) and Q(x), it is immediate that: Table B.3 Polynomials over GF(2) of degree less than four (0) (1) 2 x 0010 (2) 3 x (3) 4 x (4) 5 x (5) 6 x 2 + x 0110 (6) 7 x 2 + x (7) 8 x (8) 9 x (9) 10 x 3 + x 1010 (A) 11 x 3 + x (B) 12 x 3 + x (C) 13 x 3 + x (D) 14 x 3 + x 2 + x 1110 (E) 15 x 3 + x 2 + x (F) Px ðþþqx ðþ¼ð0; 1; 0; 0; 1Þþð1; 0; 1; 0; 1Þ ¼ ð1; 1; 1; 0; 0Þ This addition can be made over GF(2), using binary adders as follows (without considering the carries):

17 334 Appendix B: Polynomial Algebra The same result will be obtained for P(x) - Q(x) and P(x) +Q(x), since the addition and the subtraction over GF(2) are the same operation. For the product of the polynomials given above, P(x) Q(x), applying the definition it results: i.e.: c 0 ¼ a 0 b 0 c 1 ¼ a 0 b 1 þ a 1 b 0 c 2 ¼ a 0 b 2 þ a 1 b 1 þ a 2 b 0 c 3 ¼ a 0 b 3 þ a 1 b 2 þ a 2 b 1 þ a 3 b 0 c 4 ¼ a 0 b 4 þ a 1 b 3 þ a 2 b 2 þ a 3 b 1 c 5 ¼ a 1 b 4 þ a 2 b 3 þ a 3 b 2 c 6 ¼ a 2 b 4 þ a 3 b 3 c 7 ¼ a 3 b 4 Px ðþqx ðþ¼ð1; 0; 0; 1Þð1; 0; 1; 0; 1Þ ¼ ð1; 0; 1; 1; 1; 1; 0; 1Þ It is immediate that for the product P(x) Q(x), being P(x) = a n-1 x n a 0 and Q(x) = b n-1 x n b 0, the following matrix expression can be used: a a 1 a c 0 a n 2 a n 3... a ¼ a n 1 a n 2... a 1 a a n 1... a 2 a a n 1 a n a n 1 c 2n b b n 1 The division is usually implemented by means of successive subtractions. Given P(x) and Q(x) defined over GF(2), the following algorithm generates the quotient C(x) and the remainder R(x): Algorithm B.3 3

18 Appendix B: Polynomial Algebra 335 After the execution of the Algorithm B.3, the remainder and the quotient are stored in the registers D and C, respectively. Sometimes it will be of interest to consider only irreducible polynomials over GF(2). It is easy to see that the irreducible polynomials, except x + 1, have an odd number of elements. Therefore, the simpler irreducible polynomials are trinomials. For every polynomial P(x), integer numbers m such that P(x) is a divisor of the binomial x m + 1, can be found. Let e be the minimum of all integers m for a given P(x). If P(x) is irreducible and g(p) = n, it is shown that, under these conditions, e is a divisor of 2 n - 1 [Lid86]. Therefore, the maximum value of e for the polynomials P(x), with g(p) = n, is2 n - 1. Example B.3 Let be the polynomial Q(x) =x 2 + x + 1 with coefficients in GF(2), and consider the residues modulo Q(x) of every polynomial in GF(2). Remember that, according to (B.2), in the modular algebra modulo Q(x), x 2 can be substituted by x + 1. The residues modulo Q(x) are all the polynomials of degree less than 2; i.e., C = {0, 1, x, x + 1}. The addition and the product of polynomials modulo Q(x) are used as operations and, respectively. Tables B.4 and B.5 correspond to these operations. It is immediate to check that it is a degree four Galois field; concretely, it is GF(2 2 ), that is an extension of GF(2). The elements zero and one are, obviously, 0 and 1. The inverse of each element is given in Table B.6. Moreover, observing Table B.4 it is immediate that, in this case, the opposite of each element is the element itself. Table B.4 Operation (Example B.3) 0 1 x x x x x +1 x x x x x +1 x +1 x 1 0 Table B.5 Operation (Example B.3) 1 x x x x +1 x x x +1 1 x +1 x +1 1 x Table B.6 Inverse (Example B.3) Inverse 1 1 x x +1 x +1 x

19 336 Appendix B: Polynomial Algebra It is easy to check that x is a generator element of GF(2 2 ); in fact, the elements 0 and 1 are included, and multiplying by x each new element of this Galois field, all the element of C will be generated: x, x 2 = x +1, (x +1)x = x 2 + x = x x = 1. In addition, x + 1 is also a generator element; in fact: (x + 1)(x +1)= x, x(x +1)= 1. Given that = 0, the characteristic of this Galois field is 2. h Example B.4 Let be the polynomial Q(x) =x with coefficients in GF(2), and consider the residues modulo Q(x). These residues, as in Example B.3, will be 0, 1, x and x + 1. The addition and the product of polynomials modulo Q(x) are used again as operations and, respectively. The Tables B.7 and B.8 correspond to these operations. It is immediate to check that it is not a Galois field, since x + 1 has no inverse. It is easy to check that x is not a generator element; in fact, 1 x = x, x x = x 2 = 1, and the element x + 1 is not generated. h Table B.7 Operation (Example B.4) 0 1 x x x x x +1 x x x x x +1 x +1 x 1 0 Table B.8 Operation (Example B.4) 1 x x x x +1 x x 1 x +1 x +1 x +1 x +1 0 From the above examples it results that not all polynomials over GF(2) can be used as modules to generate Galois fields GF(2 m ). Those that can be used are known as primitive polynomials. It is also met that if P(x) is primitive, with g(p) = n, the minimum value of e such that x e + 1 is a multiple of P(x) is exactly 2 n - 1. The number of primitive polynomials of a given degree n, N(n), is given by the following expression [Gre74]: NðnÞ ¼uð2 n 1Þ=n where u(k) is the Euler function (also known as totient function). The values N(n) for the initial values n are given in Table B.9. The Euler function grows very rapidly, so that the number of primitive polynomials can be very large for values of n not too large; for example, there are more than 67 million primitive polynomials for n = 32. Given a primitive polynomial P(x), with g(p) = n, it is shown that its inverse P -1 (x), defined as follows:

20 Appendix B: Polynomial Algebra 337 Table B.9 Number of primitive polynomials n u(2 n - 1) N(n) n u(2 n - 1) N(n) , , , ,000 18, ,768 2, ,147,483,648 67,108,864 P 1 ðþ¼x x n Pðx 1 Þ is also primitive [Pet72]. For example, P(x) = x 3 + x +1 is a primitive polynomial, then P -1 (x) = x 3 P(x -1 ) = x 3 (x -3 + x -1 +1)= 1+x 2 + x 3 is also a primitive polynomial. Primitive polynomials of degree up to n = 150 are given in Table B.10. For each n a single polynomial is given: that polynomial with minimal number of summands (a trinomial, if present, or pentanomial, except for n = 1) and, therefore, the simpler implementation (its inverse has the same cost). Each cell of Table B.10 Primitive polynomials over GF(2) up to n = , 6, 2, 1 51, 16, 15, 1 76, 36, 35, 1 101, 7, 6 126, 37, 36, 1 2, 1 27, 5, 2,1 52, 3 77, 31, 30, 1 102, 77, 76, 1 127, 1 3, 1 28, 3 53, 16, 15, 1 78, 20, 19, 1 103, 9 128, 29, 27, 2 4, 1 29, 2 54, 37, 36, 1 79, 9 104, 11, 10, 1 129, 5 5, 2 30, 23, 2, 1 55, 24 80, 38, 37, 1 105, , 3 6, 1 31, 3 56, 22, 21, 1 81, 4 106, , 48, 47, 1 7, 1 32, 22, 2, 1 57, 7 82, 38, 35, 3 107, 65, 63, 2 132, 29 8, 4, 3, 2 33, 13 58, 19 83, 46, 45, 1 108, , 52, 51, 1 9, 4 34, 27, 2, 1 59, 22, 21, 1 84, , 7, 6, 1 134, 57 10, 3 35, 2 60, 1 85, 28, 27, 1 110, 13, 12, 1 135, 11 11, 2 36, 11 61, 16, 15, 1 86, 13, 12, 1 111, , 126, 125, 1 12, 6, 4, 1 37, 12, 10, 2 62, 57, 56, 1 87, , 45, 43, 2 137, 21 13, 4, 3, 1 38, 6, 5, 1 63, 1 88, 72, 71, 1 113, 9 138, 8, 7, 1 14, 10, 6, 1 39, 4 64, 4, 3, 1 89, , 82, 81, 1 139, 8, 5, 3 15, 1 40, 21, 19, 2 65, 18 90, 19, 18, 1 115, 15, 14, 1 140, 29 16, 12, 3, 1 41, 3 66, 10, 9, 1 91, 84, 83, 1 116, 71, 70, 1 141, 32, 31, 1 17, 3 42, 23, 22, 1 67, 10, 9, 1 92, 13, 12, 1 117, 20, 18, 2 142, 21 18, 7 43, 6, 5, 1 68, 9 93, 2 118, , 21, 20, 1 19, 6, 5, 1 44, 27, 26, 1 69, 29, 27, 2 94, , 8 144, 70, 69, 1 20, 3 45, 4, 3, 1 70, 16, 15, 1 95, , 118, 111, 7 145, 52 21, 2 46, 21, 20, 1 71, 6 96, 49, 2 121, , 60, 59, 1 22, 1 47, 5 72, 53, 47, 6 97, 6 122, 60, 59, 1 147, 38, 37, 1 23, 5 48, 28, 27, 1 73, 25 98, , 2 148, 27 24, 7, 2, 1 49, 9 74, 16, 15, 1 99, 47, 45, 2 124, , 110, 109, 1 25, 3 50, 27, 26, 1 75, 11, 10, 1 100, , 108, 107, 1 150, 53

21 338 Appendix B: Polynomial Algebra Table B.10 corresponds to a polynomial, of the exponents of x are given, except the exponent 0, which appears in all polynomials. For example, the cell 26, 6, 2, 1 corresponds to the polynomial x 26 + x 6 + x 2 + x + 1. In [Raj03] a more extended list of the primitive polynomials is shown. As an example of the using of primitive polynomials, the FIPS 186 standard [Nat09] proposes using the primitive polynomials x x 7 + x 6 + x 3 +1,x x 74 +1,x x 12 + x 7 + x 5 +1,x x and x x 10 + x 5 + x Example B.5 Let be the polynomial Q(x) =x 4 + x over GF(2). The different remainders that can be obtained when dividing by Q(x) any other polynomial are: always the values 0 and 1; multiplying the successive remainders by x (so all the powers of x are generated) results in x, x 2, x 3 and x 4, but x 4 can be replaced by x 3 +1; the same technique is used (by multiplying the previous remainder by x and replace x 4 by x 3 + 1); the remainders that occur in the second (and fifth) column of Table B.11 are obtained. Since x 3 + x 2 the same remainders are repeated, i.e., x 15 = 1. The power which rises x to generate the corresponding remainder with respect to Q(x) is given in the first (and fourth) column of Table B.11. Table B.11 Generation of the remainders in the Example B.5 x -? (0) x 7 x 2 + x (E) x (8) x 8 x 3 + x 2 + x 0111 (7) x 1 x 0100 (4) x 9 x (A) x 2 x (2) x 10 x 3 + x 0101 (5) x 3 x (1) x 11 x 3 + x (B) x 4 x (9) x 12 x (C) x 5 x 3 + x (D) x 13 x 2 + x 0110 (6) x 6 x 3 + x 2 + x (F) x 14 x 3 + x (3) The coefficients (the polynomial of the second column, in the order x 0, x 1, x 2, x 3 ) and the hexadecimal value (in parentheses) are given in the third (and sixth) column of Table B.11. h The 16 possible residues (i.e., all polynomials over GF(2)) of degree less than 4 are given in Table B.11, that form a Galois field GF(2 4 ) of order 16. To represent the 16 elements of GF(2 4 ) any of the columns in Table B.11 can be used.

22 Appendix B: Polynomial Algebra 339 In Example B.5, the successive powers of x generate all the elements of GF(2 4 ); that is, x is a generator element or primitive element or primitive root of GF(2 4 ); in this case the polynomial Q(x) is a primitive polynomial. It is easily verified that x 2, x 4, x 7, x 8, x 11, x 13 y x 14 are also primitive elements, i.e., the successive powers of each of these elements generate all the polynomials of degree less than 4. Obviously, since x 15 = 1, any multiple of 15 can be added to any of the above exponents of x. In general, if a is a root of x 4 + x 3 +1,a 2, a 4, a 7, a 8, a 11, a 13 and a 14 are also roots of x 4 + x Using a type 2 LFSR (see Chap. 4) whose associate polynomial is precisely Q(x), as shown in Fig. B.1, it is easy to generate the residues of the Table B.11 starting from any initial content different to all zeros. For example, from 1000, the 14 rows of the third (and sixth) column of Table B.11 are generated. It can be interpreted that in each iteration, the shift to the right in the LFSR2 of Fig. B.1 corresponds to a multiplication by x of the previous content, and with the feedbacks the remainder modulo Q(x) is calculated. The elements of GF(2 5 ){x 2 + x 5 + 1} are given in Table B.12, which will later be used. Fig. B.1 LFSR2 of the Example B.5 Table B.12 Generation of the remainders in GF(2 5 ){x 5 + x 2 +1} x -? 0 x 15 x 4 + x 3 + x 2 + x +1 x 0 1 x 16 x 4 + x 3 + x +1 x 1 x x 17 x 4 + x +1 x 2 x 2 x 18 x +1 x 3 x 3 x 19 x 2 + x x 4 x 4 x 20 x 3 + x 2 x 5 x 2 +1 x 21 x 4 + x 3 x 6 x 3 + x x 22 x 4 + x 2 +1 x 7 x 4 + x 2 x 23 x 3 + x 2 + x +1 x 8 x 3 + x 2 +1 x 24 x 4 + x 3 + x 2 + x x 9 x 4 + x 3 + x x 25 x 4 + x 3 +1 x 10 x 4 +1 x 26 x 4 + x 2 + x +1 x 11 x 2 + x +1 x 27 x 3 + x +1 x 12 x 3 + x 2 + x x 28 x 4 + x 2 + x x 13 x 4 + x 3 + x 2 x 29 x 3 +1 x 14 x 4 + x 3 + x 2 +1 x 30 x 4 + x

23 340 Appendix B: Polynomial Algebra Example B.6 Determine the type of each one of the polynomials of degree 4. The possible polynomials that are strictly degree 4 to be analyzed are: x 4 +1, x 4 + x 3 +1, x 4 + x 2 +1, x 4 + x +1, x 4 + x 3 + x 2 +1, x 4 + x 3 + x +1, x 4 + x 2 + x +1,x 4 + x 3 + x 2 + x + 1. The rest of the polynomials not including the summand 1 obviously are reducible. Analyzing one by one, it results: x is reducible; concretely, x 4 +1= (x 2 + 1)(x 2 + 1); x 4 + x is primitive, according to Example B.4; x 4 + x is irreducible and it divides to x 6 + 1; thus, it is not primitive; x 4 + x + 1 is the inverse of x 4 + x 3 + 1; thus, it is primitive; x 4 + x 3 + x is reducible: x 4 + x 3 + x 2 +1= (x 3 + x + 1)(x + 1); x 4 + x 3 + x + 1 is reducible: x 4 + x 3 + x +1= (x 3 + 1)(x + 1); x 4 + x 2 + x + 1 is reducible: x 4 + x 2 + x +1= (x 3 + x 2 + 1);(x + 1); x 4 + x 3 + x 2 + x + 1 is irreducible, but it is not primitive, since it divides to x h B.3 Polynomials Over GF(p) Let suppose now that the coefficients of the polynomials belong to GF(p), being p a prime number; there will be p n polynomials of degree n and other p n polynomials of degree less than n. For example, for p = 3, all the polynomials of degree less than two are given in Table B.13. Each polynomial can be represented by the ternary coordinates that are given in the last column of Table B.13, which are the coefficients of the two possible summands. Table B.13 Polynomial over GF(3) of degree less than two x 10 4 x x x x x +2 22

24 Appendix B: Polynomial Algebra 341 The addition, subtraction, multiplication and division operations are performed identically or similarly to those described for GF(2), but now the operations between the coefficients are performed in GF(p). For the division, the Algorithm B.3, applicable to GF(2), has to be modified to take into account the different values of the coefficients. Specifically, for the division by means of successive subtractions, it is immediate that, given P(x) and Q(x) defined in GF(p), and being, in each iteration, a n and b m the non-zero coefficients of the highest power of x in P(x) and Q(x), respectively, the following algorithm generates the quotient C(x) and remainder R(x): Algorithm B.4 After applying Algorithm B.4, the remainder and the quotient are stored in registers D and C, respectively. For every polynomial P(x) integer numbers m such that P(x) is divisor of the binomial x m - 1 can be found. Let e be the minimum of all integers m for a given P(x). If P(x)) is irreducible and g(p) = n, it is shown that, under these conditions, e is a divisor of p n - 1 [Lid86]. Therefore, the maximum value of e for the polynomials P(x) (i.e., the order of P(x)), with g(p) = n, isp n - 1. The monic polynomials P(x) of order p n - 1 such that P(0) = 0 are called primitive polynomials. The primitive polynomials for p = 3, 5, 7 and different values of n are given in Table B.14; in this table only the primitive polynomials with minimal summands have been included; specifically, in each cell of the table the coefficients of a polynomial (first the coefficient of x n ) are given; a more complete list of primitive polynomials can be seen in [Lid86]. Each primitive polynomial can be used as a module to generate a Galois field GF(p n ), as seen in the following example.

25 342 Appendix B: Polynomial Algebra Table B.14 Primitive polynomials over GF(p) for p = 3, 5 and 7 p = 3 p = 3 p = 5 p = 5 p = 5 p = 5 p = 7 p = 7 p = 7 p = 7 p = 7 p = 7 n = n = n = n = n = n = n =

26 Appendix B: Polynomial Algebra 343 Example B.7 A primitive polynomial for p = 3 and n =2 is x 2 + x +2. Construct GF(3 2 ){x 2 + x +2}. The elements of GF(3 2 ){x 2 + x + 2} are all the polynomials of degree lower than 2 with coefficients in GF(3): 0, 1, 2, x, x +1,x +2,2x, 2x +1,2x + 2. The addition is obtained immediately, such as is given in Table B.15, from what the opposite of each element is obtained, which is given in Table B.16. It is also easy to calculate the multiplication, which is given in Table B.17, from what the inverse of each element is obtained, which is given in Table B.18. Table B.15 Addition table for GF(3 2 ){x 2 + x +2} x x +1 x +2 2x 2x +1 2x x x +1 x +2 2x 2x +1 2x x +1 x +2 x 2x +1 2x +2 2x x +2 x x +1 2x +2 2x 2x +1 x x x +1 x +2 2x 2x +1 2x x +1 x +1 x +2 x 2x +1 2x +2 2x x +2 x +2 x x +1 2x +2 2x 2x x 2x 2x +1 2x x x +1 x +2 2x +1 2x +1 2x +2 2x x +1 x +2 x 2x +2 2x +2 2x 2x x +2 x x +1 Table B.16 Table of opposites for GF(3 2 ){x 2 + x +2} x 2x x +1 2x +2 x +2 2x +1 2x x 2x +1 x +2 2x +2 x +1 Using a Type 2 3LFSRmod3 (see Chap. 4) which associate polynomial x 2 + x + 2, as shown in Fig. B.2, it is easy to generate the non-zero elements of GF(3 2 ){x 2 + x + 2} starting with any initial content different of all zeros. For example, from 10 the remaining rows of the third (and sixth) column of Table B.19 are generated. It can be interpreted that, for each iteration, the shift to the right in the 3LFSR2 of Fig. B.2 corresponds to the multiplication by x of the previous content, and with the feedback, the remainder modulo Q(x) is calculated. h

27 344 Appendix B: Polynomial Algebra Table B.17 Multiplying table for GF(3 2 ){x 2 + x +2} 1 2 x x +1 x +2 2x 2x +1 2x x x +1 x +2 2x 2x +1 2x x 2x +2 2x +1 x x +2 x +1 x x 2x 2x +1 1 x +1 x +2 2x +2 2 x +1 x +1 2x +2 1 x +2 2x 2 x 2x +1 x +2 x +2 2x +1 x +1 2x 2 2x +2 1 x 2x 2x x x x +2 2x +1 x x +1 2x +1 x +2 2x +2 x 1 x x 2x +2 2x +2 x x +1 x 1 2x x +2 Table B.18 Table of inverses for GF(3 2 ){x 2 + x +2} x x +1 x +1 x x +2 2x +1 2x 2x +2 2x +1 x +2 2x +2 2x Fig. B.2 3LFSR2 of the Example B.7 Table B.19 Generation of elements of GF(3 2 ){x 2 + x + 2} with an 3LFSR2 x -? 0 00 (0) x (6) x (3) x 5 2x 02 (2) x 1 x 01 (1) x 6 x (7) x 2 2x (5) x 7 x (4) x 3 2x (8) B.4 Finite Fields GF(2 m ) The polynomials with coefficients over GF(2), of degree less than m, with the operation addition of polynomials and product of polynomials modulo a primitive polynomial of degree m, P(x), form a finite field of characteristic two or Galois field GF(2 m ); this Galois field is also represented as GF(2 m ){P(x)}. GF(2 4 ){x 4 + x 3 + 1} can be used as an example of the Galois field, as described above in Example B.5.

28 Appendix B: Polynomial Algebra 345 In GF(2 m ){P(x)} the order of any element must be a divisor of 2 m - 1. The order of primitive elements is precisely 2 m - 1. As GF(2 m ){P(x)} is a particular case of GF(p m ) (see Appendix A), for any element B of GF(2 m ){P(x)} it is verified that B 2m ¼ B, that it is equivalent to B 2m 1 ¼ 1, or B 2m 2 ¼ B 1. As seen, the different non-zero elements of GF(2 m ){P(x)} can be represented as powers of a primitive root (potential representation) or as a polynomial of degree less than m (polynomial representation). As an example, the elements of GF(2 4 ){x 4 + x 3 + 1} are given in the first column of Table B.20 as powers of a primitive root a, and the same elements are given in the third column of this table as polynomials of the root a of degree less than 4. Table B.20 Potential representation and with standard bases {1, a, a 2, a 3 } and {1, a 2, a 4, a 6 } for the elements of GF(2 4 ){x 4 + x 3 +1} {1, a, a 2, a 3 } {1, a 2, a 4, a 6 } a -? = (0) (0) a 0 = (8) (8) a 0001 a 0100(4) a 6 + a 4 + a 2 011(7) a a (2) a (4) a a (1) a (A) a a (9) a (2) a a 3 + a (D) a 6 + a (5) a a 3 + a 2 + a (F) a (1) a a 2 + a (E) a 6 + a (B) a a 3 + a 2 + a 0111(7) a (9) a a (A) a (C) a a 3 + a 0101(5) a 6 + a (D) a a 3 + a (B) a 4 + a (6) a a (C) a 6 + a 4 + a (F) a a 2 + a 0110(6) a 6 + a (3) a a 3 + a (3) a 4 + a (E) With regard to the potential representation, each element can be represented by the binary value of the exponent, and to represent the zero element, the combination of all ones can be used, that does not appear in the representation of the non-zero elements. This is what is done in the second column of Table B.20 for the elements of GF(2 4 ){x 4 + x 3 + 1}. The different operations with the corresponding polynomials can be more or less complex depending on the form of representation of the elements of GF(2 m ){P(x)}. For example, the addition is more easily executed in the polynomial representation, while the potential representation is more suitable for the multiplication. Since GF(2 m ){P(x)} can be considered as a vector space of dimension m over GF(2), to represent the different elements of GF(2 m ){P(x)} different bases may be used. It is known that {b 0,b 1,,b m-1 } is a basis of GF(2 m ){P(x)} [Lidl86] if the following expression is verified:

29 346 Appendix B: Polynomial Algebra b 0 b 1... b m 2 b m 1 b 2 0 b b 2 m 2 b 2 m ¼ 0 b 2m 2 0 b 2m b 2m 2 m 2 b 2m 2 m 1 b 2m 1 0 b 2m b 2m 1 m 2 b 2m 1 m 1 Different types of bases are considered at the following. B.4.1 Standard Basis The basis {1, a, a 2, a 3,, a m-2, a m-1 } can be used in the representation of the elements of GF(2 m ){P(x)}, called standard basis (or polynomial, orcanonical) being a any primitive element of GF(2 m ){P(x)}. Selected a basis, each element of GF(2 m ){P(x)} can be represented with an m- tuple over GF(2), which are the coefficients of the elements of the basis. The 16 elements of GF(2 4 ){x 4 + x 3 + 1} are given as powers of a primitive element, a, in the first column of Table B.20. The representation used for the exponent of the first column is given in the second column of Table B.20. Each element is expressed as a polynomial of a in the third column; in this case, the primitive element a is the initial point and the basis used is {1, a, a 2, a 3 }. The m-tuples and its hexadecimal value for the different elements of GF(2 4 ){x 4 + x 3 + 1} using the basis {1, a, a 2, a 3 } are given in the forth column. Previously it has been shown that a 2 is a primitive element. From a 2, the resulting standard basis is {1, a 2, a 4, a 6 }. With this basis, the development of each element of GF(2 4 ){x 4 + x 3 + 1} is given in the fifth column of Table B.20, and the corresponding m-tuples are shown in the sixth column. Another standard basis results when starting with any other primitive element. B.4.2 Normal Basis For the representation of the elements of GF(2 m ){P(x)} other bases may be used. In fact, in practice several different bases are used, depending on the operations that seek to make, because the complexity of each operation, as already indicated, may depend heavily on the basis used. One often used basis is known as normal basis, which is of the form fb; B 2 ; B 4 ;...; B 2m 2 ; B 2m 1 g, where B is a suitable element of GF(2 m ){P(x)}, not necessarily a primitive element, such that the various elements of fb; B 2 ; B 4 ;...; B 2m 2 ; B 2m 1 g are linearly independent. Normal bases always exist in a finite field. For example, {a, a 2, a 4, a 8 }isa normal basis for GF(2 4 ){x 4 + x 3 + 1}, being a a primitive root. On this basis the different elements of GF(2 4 ){x 4 + x 3 + 1} are given in Table B.21 and represented vectorially as shown in the third and sixth columns of the same table. Note that, in this case, the polynomials corresponding to the different elements of GF(2 m ){P(x)} do not have to be of lower degree than m, but will always be equal to a polynomial of degree less than m in standard basis.

30 Appendix B: Polynomial Algebra 347 Table B.21 Representation of the elements of GF(2 4 ){x 4 + x 3 + 1} with the normal basis {a, a 2, a 4, a 8 } (0) a 7 a 8 + a (C) 1 a 8 + a 4 + a 2 + a 1111(F) a 8 a ) a a 0001(1) a 9 a 8 + a 4 + a 1101(D) a 2 a (2) a 10 a 8 + a (A) a 3 a 8 + a 2 + a 1011(B) a 11 a 4 + a (6) a 4 a (4) a 12 a 8 + a 4 + a (E) a 5 a 4 + a 0101(5) a 13 a 2 + a 0011(3) a 6 a 4 + a 2 + a 0111(7) a 14 a 8 + a 1001(9) It is easy to see that, when vector representation is used with a normal basis, squaring any element consists of rotating its vector representation one position to the left. This is the great advantage of normal bases. Indeed, let suppose the normal basis fb; B 2 ; B 4 ;...; B 2m 2 ; B 2m 1 g and E any element: E ¼ e m 1 B 2m :1 þ e m 2 B 2m 2 þþe 1 B 2 þ e 0 B When calculating E 2, the products with coefficients e i e j, i = j, will appear duplicated and, therefore, will be anulated (e i e j + e j e i = 0). Moreover, e i e i = e i (in GF (2), a a = a). Applying this, it results: But B 2m 1 ¼ B. Thus: E 2 ¼ e m 1 B 2m þ e m 2 B 2m 1 þþe 1 B 4 þ e 0 B 2 E 2 ¼ e m 2 B 2m 1 þ e m 3 B 2m 2 þþe 1 B 4 þ e 0 B 2 þ e m 1 B That is, given the vector representation of E with a normal basis, E ¼ðe m 1 ; e m 2 ;...; e 1 ; e 0 Þ, E 2 is obtained with a rotation to the left of E; i.e.,, it results E 2 ¼ðe m 2 ; e m 3 ;...; e 1 ; e 0 ; e m 1 Þ: As a result of this, it is easy to see that the vector representation of the element 1 of GF(2 m ) on a normal basis is always (1, 1,, 1, 1). Indeed, as 1 2 = 1, the only vector different to all-zero vector (which is the representation of 0) to be reproduced after rotate one position is the one that includes only ones. pffiffiffi Also, as a result of this, it is immediate that, with a normal basis, E is pffiffiffi obtained with a rotation to the right of E, E ¼ðe0 ; e m 1 ; e m 2 ;...; e 2 ; e 1 Þ. In some cases there are normal bases that simplify the implementation of multiplication: these are the optimal normal bases [Mul89, Men93]. Two types of optimal normal bases can exist in GF(2 m ){P(x)}: Type I and Type II. There is an optimal normal basis of Type I (see [Mul89]) if p = m + 1 is prime and 2 is a primitive element of GF(p). The elements of an optimal normal basis Type I are generated from the elements of GF(2 m ){P(x)} of order p, as is done in Examples B.8 and B.9.

COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162

COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162 COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication