COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162

Transcription

1 COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162

2 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication of integers and reals necessary for basic computations as found in the programming languages arithemtic operations directly supported by the processor but normally unsuited for cryptography 13/05/2010 cryptography - math background pp. 2 / 162

3 COMPUTER ARITHMETIC computers can perform standard arithmetic operations on: integers, i.e reals, i.e. 1,2 4,3 1, sometimes also other kinds of numbers, i.e., complex numbers and normally NOTHING ELSE 13/05/2010 cryptography - math background pp. 3 / 162

4 COMPUTER ARITHMETIC standard computer operations are: arithmetic 1 st species: addition, subtraction. arithmetic 2 nd species: multiplication, division (integer or real). possibly arithmetic 3 rd species: power, root, sometimes (unfrequently) trascendental: exp, log, trigonometry, 13/05/2010 cryptography - math background pp. 4 / 162

5 COMPUTER ARITHMETIC all the previous operations can be computed directly by the processor of the computer machine (assembler) instrucitons exist for each operation numbers are normally represented in: two s complement (integers) IEEE 754 Floating Point (reals) 13/05/2010 cryptography - math background pp. 5 / 162

6 INTEGERS NATURAL natural binary: binary digit b { 0, 1 } b n b n 1 b n 2 b 3 b 2 b 1 = = b n 1 n n 2 + b n b b 1 2 range: [0, 2 n 1]. for instance: = = = = /05/2010 cryptography - math background pp. 6 / 162

7 INTEGERS TWO S COMPLEMENT two s Complement: binary digit b { 0, 1 } σb n 1 b n b 3 b 2 b 1 = = σ2 n 1 + b n 1 2 n b b bit σ is called sign bit range: [ 2 n 1, 2 n 1 1]. for instance: = = = 45 and: = = = 84 13/05/2010 cryptography - math background pp. 7 / 162

8 ADDITION OF NATURAL INTEGERS 13/05/2010 cryptography - math background pp. 8 / 162

9 ADDITION OF TWO S COMPLEMENT INTEGERS 13/05/2010 cryptography - math background pp. 9 / 162

10 NATURAL MULTIPLICATION 13/05/2010 cryptography - math background pp. 10 / 162

11 FULL ADDER a b a b cin cout sum = cout Full Adder cin sum sum = a XOR b XOR cin cout = a AND b OR a AND cin OR b AND cin 13/05/2010 cryptography - math background pp. 11 / 162

12 RIPPLE CARRY ADDER addition of natural integers of 3 bits a2 b2 a1 b1 a0 b0 c3 Full Adder c2 Full Adder c1 Full Adder c0 s2 s1 s0 13/05/2010 cryptography - math background pp. 12 / 162

13 CONSIDERATIONS integer and real computer arithmetic is NOT used (or seldom used) for cryptography instead, finite algebraic structures are generally adopted for instance, finite FIELDS or RINGS theory of such structures follows 13/05/2010 cryptography - math background pp. 13 / 162

14 ALGEBRAIC STRUCTURES 13/05/2010 cryptography - math background pp. 14 / 162

15 ALGEBRAIC STRUCTURE an algebraic structure A is: A = S, op 1, op 2,, s 0, s 1, where: S is a set of elements, or numbers (in a very broad sense), called support set op i is a binary operatore over the elements of the support set S s i is a special element of the support set S 13/05/2010 cryptography - math background pp. 15 / 162

16 STRUCTURES EXAMPLES natural integers (semigroup): N = {1, 2, 3, }, + natural numbers, equipped with the binary operator of addition (+) natural integers plus 0 (monoid): N 0 = {0, 1, 2, 3, }, +, 0 natural numbers, equipped with the binary operator of addition (+), plus the special element 0 (neutral element for +) 13/05/2010 cryptography - math background pp. 16 / 162

17 STRUCTURES EXAMPLE relative integers (abelian group): {, 2, 1, 0, 1, 2, }, +, 0 relative integer numbers, equipped with: the binary operator of addition (+) the special element 0, neutral for (+) this an algebraic structure with one operation and one special element 13/05/2010 cryptography - math background pp. 17 / 162

18 STRUCTURES EXAMPLE natural integers (semiring): {1, 2, 3, }, +,, 1 natural integer numbers, equipped with: the binary operator of addition (+) the binary operator of multiplication ( ) the special element 1, neutral for ( ) an algebraic structure with two operations and one special element 13/05/2010 cryptography - math background pp. 18 / 162

19 STRUCTURES EXAMPLE relative integers (commutative ring): Z = {, 2, 1, 0, 1, 2, }, +,, 0, 1 Relative integer numbers, equipped with: the binary operator of addition (+) + the binary operator of multiplication ( ) the special element 0, neutral for (+) the special element 1, neutral for ( ) an algebraic structure with two operations and two special elements 13/05/2010 cryptography - math background pp. 19 / 162

20 CONSIDERATIONS there are many possible algebraic structures each of them is characterized by properties (axioms and theorems) for instance: a + b = b + a (axiom for N) a 2 b 2 = (a + b) (a b) (theorem for Z) 13/05/2010 cryptography - math background pp. 20 / 162

21 GROUPS 13/05/2010 cryptography - math background pp. 21 / 162

22 DEFINITION a GROUP G is an algebraic structure: G = S,, 1 WHERE: S is the support set is a binary operator, called product 1 is a special element, neutral for ( ) if the support S is a finite set, G is said to be a finite group 13/05/2010 cryptography - math background pp. 22 / 162

23 AXIOMS OF GROUP groups must satisfy (by definition) the following axioms for every a, b, c S: a b S (closure) (a b) c = a (b c) (associativity) 1 a = a 1 (1 is neutral and commutes) a a a = a a = 1 ( of inverse) 13/05/2010 cryptography - math background pp. 23 / 162

24 GROUPS EXAMPLE the group of non-singular square matrices of order 2, with real elements M = M 2, 2, matrix product, identity matrix I M is closed the matrix product is associative the matrix I is the neutral element for product each matrix admits an inverse one NOTE: matrix product is NOT commutative 13/05/2010 cryptography - math background pp. 24 / 162

25 ABELIAN GROUPS in some groups, the product operator is commutative, i.e., a b = b a abelian (or commutative) group: a group G such that the operator ( ) is commutative G = S, +, 1 in abelian groups, the symbol ( ) is normally replaced by (+), which is called addition instead of product PAY ATTENTION: a few mathematicians still go on calling (+) a product operator!! 13/05/2010 cryptography - math background pp. 25 / 162

26 ABELIAN GROUPS EXAMPLES the world is plenty of abelian groups for instance: relative integers, with addition Z = {, 2, 1, 0, 1, 2, }, +, 0 rational integers, with multiplication Q = {, p / q, },, 1 and many others 13/05/2010 cryptography - math background pp. 26 / 162

27 ITERATED OPERATION given a group G (not necessarily abelian), an element g of the group G, and a positive or null integer k 0, it is defined: g k = g g g (for k times) g 0 = 1 (if k = 0) the operation g k is called iterated multiplication (or power ) most cryptography lives on it 13/05/2010 cryptography - math background pp. 27 / 162

28 ITERATION EXAMPLES given Z = {, 2, 1, 0, 1, 2, },, 1 z k = z z z (k times) usually called power of order k. in groups with an operation denoted (+) + instead of ( ), the writing kg replaces g k given Z = {, 2, 1, 0, 1, 2, }, +, 0 which is an abelian group: kz = z + z + + z the usual multiple times k (k times) 13/05/2010 cryptography - math background pp. 28 / 162

29 GROUP GENERATORS given a finite group G, an element g G is said to be a generator for G, if its powers cover all the elements of G: f G k 0 such that f = g k in the practice a generator is a single element that allows to construct the whole group by iteration a group G may admit no generators, a single generator or more generators 13/05/2010 cryptography - math background pp. 29 / 162

30 DISCRETE LOGARITHM (DH) given a generator element g G for the group, and whatever element f G, define: k = log g f - discrete log. base g the (smallest) integer k 0 such that f = g k the (smallest) integer k 0 necessarily exists, since g is a generator element for G given a group G, it is relatively simple to compute f = g k, but it may be very complex to compute k starting from g and f 13/05/2010 cryptography - math background pp. 30 / 162

31 CONSIDERATIONS groups (usually abelian) are an important algebraic structure for cryptography normally finite groups are used (examples will come soon) the basic operations for cryptographic applications are iteration and discrete logarithm however, abelian groups appear also under the form of rings and fields (see next slides) 13/05/2010 cryptography - math background pp. 31 / 162

32 RINGS AND FIELDS 13/05/2010 cryptography - math background pp. 32 / 162

33 RINGS DEFINITION a RING R is an algebraic structure: R = S, +,, 0, and usually also 1 where: S, +, 0 is an abelian group w.r.t. (+) and for every a, b, c S: a b S (closure) a (b + c) = (a b) + (a c) (left distribution) (b + c) a = (b a) + (c a) (right distribution) 13/05/2010 cryptography - math background pp. 33 / 162

34 RINGS DETAILS the operator (+) must be commutative if the operator ( ) commutes as well, R is said to be a commutative ring if ( ) has its own neutral element 1, R is said to be a a ring with unity if the support set S of R is a finite set, R is said to be a finite ring 13/05/2010 cryptography - math background pp. 34 / 162

35 RINGS EXAMPLE the ring R of relative integer numbers, with ordinary addition and multiplication: Z = {, 2, 1, 0, 1, 2, }, +,, 0, 1 R is a commutative ring, since the operator ( ) commutes and R is said to have a unity, since the operation ( ) has its own neutral element, 1 the symbol Z is worldwide used for denoting this particular ring 13/05/2010 cryptography - math background pp. 35 / 162

36 FIELDS DEFINITION a FIELD F is an algebraic structure: F = S, +,, 0, 1 where: S, +, 0 is an abelian group w.r.t. (+) S,, 1 is an abelian group w.r.t. ( ) and for every a, b, c S: a (b + c) = (a b) + (a c) (left distribution) (b + c) a = (b a) + (c a) (right distribution) if the support set S of F is finite, F is said to be a finite field 13/05/2010 cryptography - math background pp. 36 / 162

37 FIELDS EXAMPLES the field Q of rational integer numbers, with ordinary addition and multiplication: Q = {, p / q, }, +,, 0, 1 Q is an infinite field other examples of infinite fields: real numbers, with addition and multiplication complex numbers, with addition and multiplication and many others 13/05/2010 cryptography - math background pp. 37 / 162

38 CONSIDERATIONS rings and fields are the most popular and used algebraic structures in particular, the mathematical theory of fields is well developed, and for finite fields (almost) everything that is of some interest has been investigated and clarified and an important part of cryptography actually relies upon finite fields 13/05/2010 cryptography - math background pp. 38 / 162

39 MODULAR OPERATIONS 13/05/2010 cryptography - math background pp. 39 / 162

40 PRELIMINARIES there are many finite rings, but few finite fields, here: modular finite rings modular finite fields finite extension fields in particular, binary finite extension fields all these are used in cryptography 13/05/2010 cryptography - math background pp. 40 / 162

41 MODULAR RINGS everybody knows what integer division is given: an integer N an integer D (dividend, positive, null or neg.) (divisor, always positive, non-null) there are two uniquely determined positive or null integers Q and R, such that: N = Q D + R and 0 R < D Q: quotient, R: remainder 13/05/2010 cryptography - math background pp. 41 / 162

42 INTEGER DIVISION EXAMPLES N = Q D + R 5 = Q = 2, R = 1, 1 < 2 9 = Q = 3, R = 0, 0 < 3 20 = Q = 3, R = 2, 2 < 3 5 = Q = 3, R = 1, 1 < 2 8 = Q = 2, R = 0, 0 < 4 9 = Q = 3, R = 3, 3 < 4 13/05/2010 cryptography - math background pp. 42 / 162

43 COMPUTING mod n from the definition and the examples, it is clear that (for n 1): if a 0 then else a mod n = r s. t. a = q n + r and r < n a mod n = n r s. t. a = q n + r and 0 r < n for instance: r = 4 mod 3 = 2 because 4 = but also 4 = and hence r = 3 1 = 2 13/05/2010 cryptography - math background pp. 43 / 162

44 THE mod OPERATOR one writes (a Z and n 1): a mod n = b to indicate the remainder b 0 of the (integer) division of a by n here the symbol mod indicates a binary operator: mod: Z N N if n = 1, then a mod n = a (trivial case) 13/05/2010 cryptography - math background pp. 44 / 162

45 MODULAR CONGRUENCE given a modulus n 1, two integers a, b Z are said to be congruent modulus n, iff: a = b mod n a mod n = b mod n i.e., iff the remainder of a divided by n equals the remainder of b divided by n the modular congruence = mod n has the usual formal properties of equality: Riflexivity: a = a mod n Simmetry: a = b mod n b = a mod n Transitivity: a = b mod n and b = c mod n a = c mod n here mod is a side indication, meaning that equality = is interpreted in the modular way 13/05/2010 cryptography - math background pp. 45 / 162

46 CONGRUENCE EXAMPLES It holds: 4 = 0 mod 2 In fact: 4 mod 2 = 0 = 0 mod 2 It holds: 5 = 1 mod 2 In fact: 5 mod 2 = 1 = 1 mod 2 It holds: 11 = 7 mod 4 In fact: 11 mod 4 = 3 = 7 mod 4 It holds: 13 = 2 mod 5 In fact: 13 mod 5 = 2 = 2 mod 5 It holds: 9 = 5 mod 2 In fact: 9 mod 2 = 1 = 5 mod 2 13/05/2010 cryptography - math background pp. 46 / 162

47 RESIDUE CLASSES given any modulus n 1, the set A of all the integers a Z that are congruent mod n, has the following form: A = {b ± k n k Z and 0 b < n} each set A is called a residue class (mod n). there are exactly n 1 such classes the integer b A is the reduced form of every other element of the class A A = {, 4, 1, 0, 2, 5, } is the residue class of 5 mod 3; 2 is the reduced form 13/05/2010 cryptography - math background pp. 47 / 162

48 IMPORTANT DETAIL it is true that, for any modulus n 1: n = 0 mod n put another way, 0 and n can always be freely exchanged more generally: k kn = 0 mod n 13/05/2010 cryptography - math background pp. 48 / 162

49 COMPUTATION mod n an algebraic expression over the integers, containing (+) and ( ), is said to be computed mod n (for n 1), if the result of the integer division by n is taken (instead of the full result) for instance: = 2 mod 4 13/05/2010 cryptography - math background pp. 49 / 162

50 PROPERTIES OF mod given n 1 and any two integers a, b Z: (a + b) mod n = ((a mod n) + (b mod n)) mod n (a b) mod n = ((a mod n) (b mod n)) mod n (a b) mod n = ((a mod n) (b mod n)) mod n put another way, the operator mod commutes with (+), ( ) and ( ) this is very useful for optimizing expression computations 13/05/2010 cryptography - math background pp. 50 / 162

51 COMPUTING mod n EXAMPLE it holds: = 2 mod 4 in fact: = 10 and 10 mod 4 = 2 but also: 5 mod 4 = 1 and 3 2 mod 4 = 2 and 1 mod 4 = 3 and ( ) mod 4 = 6 mod 4 = 2 13/05/2010 cryptography - math background pp. 51 / 162

52 MODULAR RINGS 13/05/2010 cryptography - math background pp. 52 / 162

53 THE MODULAR RING Z n given a positive integer n 1, the following algebraic structure: Z n = {0, 1, 2,, n 1}, +,, 0, 1 is called modular ring of order n, provided, for every a, b Z n : a + b a b is computed mod n is computed mod n Z n contains exactly n elements Z 1 contains only 0 (n = 1, trivial case) 13/05/2010 cryptography - math background pp. 53 / 162

54 MODULAR ADDITION suppose for instance n = 6 modular addition works in Z 6 as follows: = 3 mod 6 = 3 (1 + 2 = 3 mod 6) = 7 mod 6 = 1 (3 + 4 = 1 mod 6) = 10 mod 6 = = 1 mod 6 = = 5 mod 6 = 1 13/05/2010 cryptography - math background pp. 54 / 162

55 OPPOSITE ELEMENT suppose for instance n = 10 opposite elements in Z 10 can be found as follows: 5 = 5 mod 10 = 1 ( 5 = 1 mod 10) 3 = 3 mod 10 = 7 ( 3 = 7 mod 10) 8 = 8 mod 10 = 2 ( 8 = 2 mod 10) clearly: a = n a mod n this is coherent with: a + ( a) = a + (n a) = a + n a = n = 0 mod n 13/05/2010 cryptography - math background pp. 55 / 162

56 MODULAR MULTIPLICATION suppose for instance n = 9 modular multiplication works in Z 9 as follows: 1 2 = 6 mod 9 = 6 (1 2 = 6 mod 9) 3 4 = 12 mod 9 = 3 (3 4 = 12 mod 9) 5 5 = 25 mod 9 = = 20 mod 9 = = 0 mod 9 = 0 13/05/2010 cryptography - math background pp. 56 / 162

57 MODULAR POWERS modular powers: a m = a a a mod n (for m 1 times) a 0 = 1 mod n (by definition) for instance, given n = 6: 2 2 = 4 mod 6 = 4 (2 2 = 4 mod 6) 2 3 = 8 mod 6 = 2 (2 3 = 2 mod 6) 2 6 = 64 mod 6 = 4 (2 6 = 4 mod 6) note: 2 6 = (2 3 ) 2 = (2) 2 = 4 mod 6 i.e., one can use the normal, well-known properties of exponents 13/05/2010 cryptography - math background pp. 57 / 162

58 HINTS ON GENERATORS consider the ring Z 5 and the element 2: 1 2 mod 5 = 2 mod 5 = mod 5 = 4 mod 5 = mod 5 = 6 mod 5 = mod 5 = 8 mod 5 = mod 5 = 10 mod 5 = 0 Z mod 5 = 12 mod 5 = 2 (periodic) the element 2 is an additive generator for the ring Z 5 theorem: for any ring Z n, any element e 0 such that (e, n) = 1 is an additive generator 13/05/2010 cryptography - math background pp. 58 / 162

59 HINTS ON GENERATORS consider the ring Z 5 and the element 3: 3 1 mod 5 = 3 mod 5 = mod 5 = 9 mod 5 = mod 5 = 27 mod 5 = mod 5 = 81 mod 5 = mod 5 = 243 mod 5 = 3 (periodic ) Z 5 (excluding 0) the element 3 is a multiplicative generator for the ring Z 5 how to determine the multiplicative generators for a modular ring Z n, of a generic modulus n, is a very complex problem 13/05/2010 cryptography - math background pp. 59 / 162

60 MORE ON MODULAR RINGS 13/05/2010 cryptography - math background pp. 60 / 162

61 MODULAR COMPUTATION frequently, computing the operator mod does not really require to perform a division remember in fact that n = 0 mod n whenever in an expression to be computed mod n, a term +n (or n) occurs, delete it (since it is = 0 mod n) whenever in an expression to be computed mod n, a factor n occurs, delete the product chain it is contained in (since it is = 0 mod n) 13/05/2010 cryptography - math background pp. 61 / 162

62 MOD. COMPUT. EXAMPLES one should immediately see that: (2 + 3) = 0 mod 4 in fact (this must become instinctive): a 4 = 0 mod 4 (whatever a is) 8 b = 0 mod 4 (whatever b is) and 16 = 0 mod 4 a well-known application: mod 3 = ( ) mod 3 = ( ) mod 3 = 21 mod 3 = = 0 mod 3 since 10 x = 1 mod 3 for every x 0 it is the well-known rule for checking the divisibility by 3 of decimal integer numbers 13/05/2010 cryptography - math background pp. 62 / 162

63 MOD. COMPUT. PROBLEM what is the check rule of divisibility by 3 for binary natural numbers? that is, given: B = how do I quickly check whether the binary number B is divisible by 3? i might first convert B to decimal, but 13/05/2010 cryptography - math background pp. 63 / 162

64 MODULAR REDUCTION given any modulus n 1 and any integer a n, the task of finding an integer 0 b < n, such that a = b mod n is called reduction for instance, taken n = 7 and a = 20: b = a mod n = 20 mod 7 = 6 20 = 6 mod 7 it is said that 6 is the reduced form of 20, modulus 7 (as already seen before) actually reduction is nothing but another name for taking the result of a mod n 13/05/2010 cryptography - math background pp. 64 / 162

65 GREATEST COMMON DIVISOR given any two integers a, b Z, their greatest common divisor, g.c.d., usually denoted (a, b) = d, is the largest positive integer d (i.e., d 1) dividing exactly (remainder 0) both a and b for instance: (2, 3) = 1, (12, 8) = 4, ( 30, 12) = 6, ( 2, 5) = 1 (not 1!) two integers a, b Z are said to be co-prime (or relatively prime), i.e., they share no common integer factor 2, if and only if (a, b) = 1 for finding the g.c.d. efficiently: Euclid algorithm 13/05/2010 cryptography - math background pp. 65 / 162

66 ABOUT THE INVERSION IN Z n given a Z n (n 2), when is it possible to find b Z n, such that: a b = 1 mod n (b is the multiplicative inverse of a)? theorem: the multiplicative inverse b of a exists (and is unique) if and only if (a, n) = 1, i.e., if a and n are co-prime (they share no common integer factor 2) 13/05/2010 cryptography - math background pp. 66 / 162

67 INVERSION IN Z n EXAMPLE let n = 6, i.e., work in Z 6 : 2 1 mod 6 does not exist, (2, 6) = mod 6 does not exist, (3, 6) = mod 6 does not exist, (4, 6) = mod 6 = 5 exists, (5, 6) = 1 and is 5, since 5 5 = 25 = 1 mod 6 clearly, if n is a prime integer, any positive integer a < n is co-prime with n, hence 13/05/2010 cryptography - math background pp. 67 / 162

68 LINEAR EQUATIONS IN Z n take the modular equation: a y = b mod n where a, b Z n are fixed coefficients, and y Z n is the unknown variable to be found theorem: there exists a unique solution if and only if a, n are co-prime i.e. iff a, n share no common factor 2 i.e. iff (a, n) = 1 how to find the solution in some cases, later 13/05/2010 cryptography - math background pp. 68 / 162

69 FERMAT LITTLE THEOREM theorem: take any prime integer p 2, and any integer a 0, then: a p = a mod p (P. Fermat) for instance, taken p = 3 (prime): 2 3 = 8 = 2 mod = 27 = 0 = 3 mod = 64 = 1 = 4 mod 3 13/05/2010 cryptography - math background pp. 69 / 162

70 CONSEQUENCES if p 2 is a prime integer: Since: a p = a mod p It follows: a p 1 = 1 mod p (with the condition that a 0 mod p) for instance, taken p = 5 (prime): 2 4 = 16 = 1 mod = 81 = 1 mod = 256 = 1 mod 5 13/05/2010 cryptography - math background pp. 70 / 162

71 SOLVING LIN. EQ.S IN Z p linear equations of the form: a y = b mod p (p 2 prime) a, b Z p coeff.s and y Z p variable, admit the following (unique, mod p) solution: y = a 1 b = a p 2 b mod p (by Fermat) since, being p prime, (a, p) = 1 caution: be sure that a mod p 0! the same can be instanced for systems of linear equations (see later) 13/05/2010 cryptography - math background pp. 71 / 162

72 MODULAR FIELDS 13/05/2010 cryptography - math background pp. 72 / 162

73 MODULAR FIELDS we have seen that Z n (for any n 2) is a modular (finite) ring of n 1 elements to be a (finite) field, Z n only lacks the inverse elements for multiplication, i.e. the possibility to invert all its elements that is, given any a Z n, how do I find a Z n such that a a = 1 (of course, mod n)? Is it possible to find such an a for any integer a < n and any value of n? 13/05/2010 cryptography - math background pp. 73 / 162

74 MODULAR FIELDS we know that, given any positive a < n, there exists a positive integer a such that a a = 1, if and only if a, n are co-prime clearly, if n is a prime integer, every positive integer a < n will be co-prime with n conversely, if n is not a prime integer, there must exist some a < n that is not co-prime with n theorem: all elements of Z n (but 0) are invertible if and only if n is a prime integer pay attention: if n is not a prime integer, a few elements of Z n may be invertible, but not all of them 13/05/2010 cryptography - math background pp. 74 / 162

75 MODULAR INVERSION given any prime integer p 2 (Fermat): a p = a mod p a p 1 = 1 mod p (with the condition that a 0 mod p) let us go on with the idea a p 2 = a 1 mod p (still with the condition that a 0 mod p) that is, a p 2 behaves as the multiplicative inverse element of a (if p is prime!) 13/05/2010 cryptography - math background pp. 75 / 162

76 INVERSION EXAMPLES for instance, taken p = 5 (prime), and knowing that p 2 = 3, one has: 1 3 = 1 mod 5 and 1 1 = 1 mod = 3 mod 5 and 2 3 = 1 mod = 2 mod 5 and 3 2 = 1 mod = 4 mod 5 and 4 4 = 1 mod = 0 mod 5 no inverse (since 5 = 0 mod 5) 6 3 = 1 mod 5 and 6 1 = 1 mod 5 (the behaviour is periodic) 13/05/2010 cryptography - math background pp. 76 / 162

77 INVERSION THAT IS taken p = 5 (prime) one has: 1 1 = 1 mod = 3 mod = 2 mod = 4 mod 5 while 0 has no inverse, of course note that for each element of Z 5 we have found an inverse (but for 0) 13/05/2010 cryptography - math background pp. 77 / 162

78 MODULAR FIELD F p (or GF(p)) every (finite) modular ring Z n, such that n 2 is a prime integer, can be turned into a (finite) field simply add inversion to it, and compute the inverse using Fermat s litte theorem such a field is denoted F p (or also Galois Field of order p, GF(p)) a different field for every prime p 13/05/2010 cryptography - math background pp. 78 / 162

79 MODULAR FIELD F p (or GF(p)) given a prime integer p 2: F p = {0, 1, 2,, p 1}, +,, 0, 1 is called modular (Galois) field of order p, or GF(p), provided, for every element a, b F p : a + b a b is computed mod p is computed mod p a = p a so that a + ( a) = p = 0 mod p a 1 = a p 2 so that a a 1 = a a p 2 = a p 1 = 1 mod p F p is finite and contains exactly p elements 13/05/2010 cryptography - math background pp. 79 / 162

80 LINEAR EQUATIONS IN F p given a prime integer p 2, take the modular linear equation: a y = b mod p where a, b F p are fixed coefficients, and y F p is the unknown variable to be found: the unique solution (mod p) is: y = a 1 b mod p for instance, given p = 7 (prime): 5 y = 3 mod 7 y = = = = 9375 = 2 mod 7 and actually 5 2 = 10 = 3 mod 7 13/05/2010 cryptography - math background pp. 80 / 162

81 LINEAR SYSTEMS IN F p given a prime integer p 2, take the system of modular linear equations: A Y = B mod p where: A [F p ] m,m is a square matrix of order m 2 of fixed coefficients in F p B [F p ] m is a vector of order m 2 of constant terms in F p and Y [F p ] m is the vector of the unknown variables to be found in F p 13/05/2010 cryptography - math background pp. 81 / 162

82 LINEAR SYSTEMS IN F p the above system of linear equations admits a unique solution (mod p) iff det(a) 0 in this case (det(a) 0), the solution is: Y = A 1 B mod p the determinant det(a), the matrix inverse A 1 and the matrix-vector product A 1 B are computed as usual, remembering to take all the operations mod p over their entries 13/05/2010 cryptography - math background pp. 82 / 162

83 THE BINARY FIELD 13/05/2010 cryptography - math background pp. 83 / 162

84 THE BINARY FIELD F 2 (or GF(2)) when p = 2 (smallest prime excluding 1): F 2 = {0, 1}, +,, 0, 1 this is a well-know structure, since = = 0 0 = 2 0 = 2 = = = 0 1 = 2 1 = = = 0 IDENTITY = 2 = = = 1 XOR gate AND gate IDENTITY 13/05/2010 cryptography - math background pp. 84 / 162

85 THE BINARY FIELD F 2 (or GF(2)) in F 2 addition and subtraction coincide! observe in fact: = = 0 + ( 0) = = = = 0 + ( 1) = = = = 1 + ( 0) = = = = 1 + ( 1) = = 0 XOR gate still XOR gate do not extend this feature to p > 2! 13/05/2010 cryptography - math background pp. 85 / 162

86 THE BINARY FIELD F 2 (or GF(2)) the field F 2 (or GF(2)) is also called the binary field and is the simplest its hardware counterpart are the XOR and AND gates it is the natural field where to compute arithmetic (most arithmetic circuits are formed by XOR and AND gates only) 13/05/2010 cryptography - math background pp. 86 / 162

87 POLYNOMIALS 13/05/2010 cryptography - math background pp. 87 / 162

88 POLYNOMIALS everybody knows univariate polynomials (i.e., containing a single variable x) with integer coefficients: C(x) = c n x m + c m 1 x m c 1 x + c 0 where c i Z, for every 0 i m the integer m 0 is the degree of C(x) here, we are interested in polynomials not as functions of the variable x, but as objects that can be manipulated in various ways 13/05/2010 cryptography - math background pp. 88 / 162

89 POLYNOMIALS the set of all the polynomials (of any degree) with integer coefficients is denoted Z[x] polynomials in Z[x] can be added, subtracted and multiplied. They form a commutative ring with unity (the ring Z[x] is infinite): Z[x] = Z[x], +,, 0, 1 in general however, there is no multiplicative inverse element, i.e. given any polynomial P(x) Z[x] it is not possible to find P (x) Z[x] such that P(x) P (x) = 1 13/05/2010 cryptography - math background pp. 89 / 162

90 POLYNOMIAL DIVISION given any two polynomials P(x), D(x) Z[x], there exist two unique polynomials Q(x), R(x) Q[x] (with rational coeff.s), such that: P(x) = Q(x) D(x) + R(x) degree(r(x)) < degree(d(x)) Q(x) is the quotient, R(x) is the remainder this property resembles integer division but note that Q(x), R(x) have rational coeff. s, i.e., in general the coeff.s are not integer the algorithm for finding R(x) is well-known 13/05/2010 cryptography - math background pp. 90 / 162

91 EXAMPLE OF DIVISION IN Z[x] take x 4 + 2x 3 1, x Z[x] +1x 4 +2x x x 4 +2x 3 +0x 2 +0x 1 +1x 2 1x 4 3x 2 +0x 4 +2x 3 3x 2 +0x 1 +1x 2 +2x 2x 3 6x +0x 4 +0x 3 3x 2 6x 1 +1x 2 +2x 3 +3x x 4 +0x 3 +0x 2 6x +8 end 6x +8 x 2 +2x 3 remainder quotient in this special case, no need of rational numbers (because the most significant coefficient of the divisor x is 1!) verify: (x 2 + 2x 3) (x 2 + 3) + ( 6x + 8) = x 4 + 3x 2 + 2x 3 + 6x 3x 2 9 6x + 8 = x 4 + 2x 3 1 as it is expected to be 13/05/2010 cryptography - math background pp. 91 / 162

92 POLYNOMIALS OVER MODULAR RINGS AND FIELDS 13/05/2010 cryptography - math background pp. 92 / 162

93 POLYNOMIALS OVER RINGS restrict the set of the coeff. s of polynomials to the modular ring Z n (for a fixed n 2) such polynomials can be added, subtracted and multiplied mod n, in the obvious way Z n [x] = Z n [x], + mod n, mod n, 0, 1 but in general, it is not possible to find multiplicative inverse elements the structure Z n [x] is still an infinite commutative ring with unity, as is Z[x] sample additions and multiplications 13/05/2010 cryptography - math background pp. 93 / 162

94 POLYNOMIALS OVER FIELDS restrict the set of the coeff. s of polynomials to the finite field F p (for a fixed prime p 2) such polynomials can be added, subtracted and multiplied mod n, in the obvious way F p [x] = F p [x], + mod p, mod p, 0, 1 but in general, it is not possible to find multiplicative inverse elements the structure F p [x] is still an infinite commutative ring with unity, as are Z[x], Z n [x] 13/05/2010 cryptography - math background pp. 94 / 162

95 POLYNOMIAL DIVISION IN F p [x] given any two polynomials P(x), D(x) F p [x], there exist two unique polynomials Q(x), R(x) F p [x], such that: P(x) = S(x) D(x) + R(x) degree(r(x)) < degree(d(x)) S(x) is the quotient, R(x) is the remainder this property resembles integer division note that S(x), R(x) have coeff. s in F p [x]! the algorithm for finding S(x), R(x) is wellknown (same as for the polynomials in Z[x]) 13/05/2010 cryptography - math background pp. 95 / 162

96 EXAMPLE OF DIVISION IN F 3 [x] take x 4 + 2x 3 + 1, 2x F 3 [x] x 4 +2x x x 4 +2x 3 +0x 2 +0x +1 +2x 2 1x 4 2x 2 +0x 4 +2x 3 +1x 2 +0x +1 +2x 2 +1x 2x 3 1x +0x 4 +0x 3 +1x 2 +2x +1 +2x 2 +1x + 2 1x x 4 +0x 3 +0x 2 +2x +2 end 2x +2 2x 2 + x + 2 remainder quotient pay attention to: 1 = 2, 2 = 1, 2 1 = 2 mod 3. verify (remember also that: 4 = 1, 6 = 0, 3 = 0 mod 3): (2x 2 + x + 2) (2x 2 + 1) + (2x + 2) = 4x 4 + 2x 2 + 2x 3 + x + 4x x + 2 = = 4x 4 + 2x 3 + 6x 2 + 3x + 4 = x 4 + 2x 3 + 0x 2 + 0x + 1 = x 4 + 2x mod 3 13/05/2010 cryptography - math background pp. 96 / 162

97 POLYNOMIAL MOD. CONGRUENCE given any polynomials P(x), D(x) ( Z[x] or Z n [x] or F p [x]), write: P(x) mod D(x) = R(x) with R(x) the remainder of P(x) / D(x) modulus D(x) congruence: P(x) = Q(x) mod D(x) P(x) mod D(x) = Q(x) mod D(x) 13/05/2010 cryptography - math background pp. 97 / 162

98 PROPERTIES OF POLY MOD. CONGRUENCE the operator mod commutes: (P(x) + Q(x)) mod D(x) = ((P(x) mod D(x)) + (Q(x) mod D(x))) mod D(x) the same holds for subtraction (P(x) Q(x)) mod D(x) = ((P(x) mod D(x)) (Q(x) mod D(x))) mod D(x) same properties as mod n modular reduction by a polynomial D(x) defined as for modular reduction by an integer n 13/05/2010 cryptography - math background pp. 98 / 162

99 POLY MOD. COMPUTATION IN PARTICULAR taking mod D(x) is equivalent to assuming that D(x) = 0 (remember n = 0 mod n!) for instance (in Z[x]), see immediately that: x 3 + 2x + 5 = 2x + 7 mod (x 3 2) because: x 3 2 = 0 x 3 = 2 and: x 3 + 2x + 5 = 2 + 2x + 5 = 2x + 7 verify dividing: (x 3 + 2x + 5) mod (x 3 2)! 13/05/2010 cryptography - math background pp. 99 / 162

100 POLYNOMIALS OVER THE BINARY FIELD F 2 (GF(2)) 13/05/2010 cryptography - math background pp. 100 / 162

101 POLYNOMIALS OVER F 2 (GF(2)) when the field of the coefficients is F 2 (or GF(2)), things become very simple a coefficient is either 0 or 1 (i.e., a bit) a power x i is either present (coeff. 1, usually not written) or absent (coeff. 0) a polynomial in F 2 [x] is nothing but a list of powers of x 13/05/2010 cryptography - math background pp. 101 / 162

102 EXAMPLES OF OP.S IN F 2 [x] let A(x), B(x) F 2 [x]: A(x) = x 2 + x + 1 and B(x) = x 3 + x then: A(x) + B(x) = (x 2 + x + 1) + (x 3 + x) = = x 3 + x 2 + x + x + 1 = x 3 + x 2 + (1 + 1)x + 1 = = x 3 + x 2 + 0x + 1 = x 3 + x A(x) B(x) = (x 2 + x + 1) (x 3 + x) = = x 5 + x 4 + x 3 + x 3 + x 2 + x = x 5 + x 4 + x 2 + x pay attention to: = 0! in general: (even times) = 0! 13/05/2010 cryptography - math background pp. 102 / 162

103 EXAMPLES OF OP.S IN F 2 [x] sometimes peculiarities may occur: (x + 1) 2 = (x + 1)(x + 1) = x 2 + x + x + 1 = = x (different from ordinary algebra) (x + 1) 3 = (x + 1)(x + 1)(x + 1) = x 3 + x x 2 + x 2 + x + x + x + 1 = x 3 + x 2 + x + 1 (different from ordinary algebra) can you infer the general rule? 13/05/2010 cryptography - math background pp. 103 / 162

104 PLYNOMIAL DIVISION IN F 2 [x] take x 4 + x 3 + 1, x F 2 [x] x 4 x 3 1 x 2 1 x 4 x 3 1 x 2 x 4 x 2 x 3 x 2 1 x 2 x x 3 x x 2 x 1 x 2 x 1 x 2 1 x end x x 2 + x + 1 remainder quotient pay attention to: 1 = 1 mod 2, i.e. add. and sub. coincide verify: (x 2 + x + 1) (x 2 + 1) + x = x 4 + x 2 + x 3 + x + x x = = x 4 + x mod 2 as it is expected to be hence we can write: (x 4 + x 3 + 1) = x mod (x 2 + 1) 13/05/2010 cryptography - math background pp. 104 / 162

105 PLYNOMIAL REDUCTION IN F 2 [x] computing polynomial division of F(x) by G(x) is like setting G(x) = 0 and replacing in F(x) from the previous slide: G(x) = x 2 + 1, hence G(x) = 0 x = 0 x 2 = 1 and replacing in F(x) = x 4 + x 3 + 1, it yields: x 4 + x = (x 2 ) 2 + x x = x = 1 + x + 1 = x hence we have: (x 4 + x 3 + 1) = x mod (x 2 + 1) as seen before by performing a full division. but reduction DOES NOT REALLY REQUIRE TO COMPUTE A FULL DIVISION (since we are not interested in the quotient, but only in the remainder) 13/05/2010 cryptography - math background pp. 105 / 162

106 POLYNOMIALS OVER F 2 a polynomial in F 2 [x] can be identified to a string of bits for instance: x 5 + x 4 + x (degree 5 6 bits) in general: F(x) string of n + 1 bits (supposing F(x) is of degree n) for any degree n, how many different polynomials? answer: 2 n /05/2010 cryptography - math background pp. 106 / 162

107 IRREDUCIBLE POLYNOMIALS 13/05/2010 cryptography - math background pp. 107 / 162

108 IRREDUCIBLE POLYNOMIALS a polynomial of degree m 2 is said to be irreducible if it cannot be factored into two or more polynomials of lower degree A(x) is irreducible if there do not exist any two polynomials B(x), C(x) (not reducing to pure constant terms) such that A(x) = B(x) C(x) for every degree, there exist irreducible polynomials in Z[x], Z n [x] and F p [x], for any integer n and prime integer p 13/05/2010 cryptography - math background pp. 108 / 162

109 IRREDUCIBLE POLYNOMIALS x and x + 1 are irreducible by definition is x 2 + x irreducible? no, because x 2 + x = x (x + 1) is x irreducible? no, because x = (x + 1) (x + 1) is x 2 + x + 1 irreducible? yes, but why? 13/05/2010 cryptography - math background pp. 109 / 162

110 RUFFINI RULE a polynomial F(x) admits the linear factor (x a) iff a is a root of F(x) for the polynomials over F 2 (or GF(2)): F(x) admits the factor (x 1), which coincides with (x + 1), iff 1 is a root of F(x) hence, replace x in F(x) with 1 and see if F(1) = 0; if so, F(x) = F (x) (x + 1) in practice, just count the terms of F(x) 13/05/2010 cryptography - math background pp. 110 / 162

111 USE OF RUFFINI RULE Ruffini rule gives an easy way for checking whether a polynomial F(x) F 2 [x] admits the linear factor (x + 1) does (x 2 + x + 1) admit factor (x + 1)? no, since it has 3 terms (and 3 is odd) does moreover (x 2 + x + 1) admit factor x? no, since it contains the constant term +1 since the only linear factors in F 2 [x] are (x + 1) and x, and a F(x) of degree 2 can only be split into linear factors, (x 2 + x + 1) is irreducible of course, Ruffini rule works also in F p [x] 13/05/2010 cryptography - math background pp. 111 / 162

112 BINARY EXTENSION FIELDS 13/05/2010 cryptography - math background pp. 112 / 162

113 MOVING TOWARDS FIELDS remember that F 2 [x] is not a polynomial field (there are no multiplicative inverse elements, in general) how to make it into a polynomial field? the answer is contained in irreducible polynomials 13/05/2010 cryptography - math background pp. 113 / 162

114 THE EXTENSION FIELD GF(2 n ) select an irreducible polynomial G(x) F 2 [x] of degree n G(x) is called generator polynomial the extension field GF(2 n ) (for n 2) is: GF(2 n ) = F 2 [x n ], +,, 0, 1 where: F 2 [x n ] set of all the polynomials over F 2 of degree under n +, are the polynomial addition and multiplication modulus the selected (and fixed) polynomial G(x) G(x) is the generator polynomial of GF(2 n ). 13/05/2010 cryptography - math background pp. 114 / 162

115 THE EXTENSION FIELD GF(2 n ) fixed a generator G(x) of degree n, take A(x), B(x) GF(2 n ), and compute addition and multiplication as follows: A(x) + B(x) mod G(x) and similarly for subtraction A(x) B(x) mod G(x) always take the result mod G(x) 13/05/2010 cryptography - math background pp. 115 / 162

116 EXAMPLE IN GF(2 2 ) the elements of GF(2 n ) with n = 2 (i.e. GF(2 2 )) are all the polynomials in F 2 [x] of degree under n = 2, i.e. deg. 0 or 1 0, 1 degree 0 x, x + 1 degree 1 then GF(2 2 ) contains 2 2 = 4 elements this is, in some sense, the simplest possible field of polynomials 13/05/2010 cryptography - math background pp. 116 / 162

117 EXAMPLE IN GF(2 2 ) fix the generator polynomial G(x) = x 2 + x + 1 (degree n = 2, irred.): (x + 1) + x = 1 mod G(x) (x + 1) 2 = x = x = x mod G(x) remember in fact that taking mod G(x) is equivalent to setting G(x) = 0, hence: x 2 + x + 1 = 0 x 2 = x + 1 an replacing x 2 in x yields x 13/05/2010 cryptography - math background pp. 117 / 162

118 EXAMPLE IN GF(2 3 ) the elements of GF(2 3 ) are all the polynomials in F 2 [x] of degree under n = 3, i.e. degree 0, 1 or 2 0, 1 degree 0 x, x + 1 degree 1 x 2, x 2 + 1, x 2 + x, x 2 + x + 1 degree 2 then GF(2 2 ) contains 2 3 = 8 elements in general, GF(2 n ) contains 2 n elements 13/05/2010 cryptography - math background pp. 118 / 162

119 EXAMPLE IN GF(2 3 ) fix gen. G(x) = x 3 + x (deg. n = 3, irred.). it holds: x 3 + x = 0, i.e., x 3 = x (x + 1) 3 = x 3 + x 2 + x + 1 = = x x 2 + x + 1 = x mod G(x) (x 2 + 1) (x 2 + x + 1) = = x 4 + x 3 + x 2 + x 2 + x + 1= x 4 + x 3 + x + 1 = = = x x 3 + x 3 + x + 1 = x(x 2 + 1) + x x + 1 = = x 3 + x + x 2 + x = x 3 + x 2 = = x x 2 = 1 mod G(x) note that: x 2 + x + 1 = (x 2 + 1) 1 mod G(x) 13/05/2010 cryptography - math background pp. 119 / 162

120 FINITENESS OF GF(2 n ) the elements of GF(2 n ) (with n 2) are all the polynomials of F 2 [x] of degree under n (i.e. of deg. n 1, n 2,, 1, 0) then they can be identified to the strings of bits of length exactly n there are 2 n such strings the field GF(2 n ) is finite and its cardinality is of 2 n elements (which are polynomials) 13/05/2010 cryptography - math background pp. 120 / 162

121 HOW TO FIND THE INVERSE we have not yet spoken of multiplicative inverse elements in GF(2 n ) but it is necessary to have inverse elements for GF(2 n ) to be a field inverse elements can be found in GF(2 n ) using the generalization of Fermat little theorem 13/05/2010 cryptography - math background pp. 121 / 162

122 FERMAT LITTLE THEOREM take an irreducible generator polynomial G(x) of degree n 2 and any polynomial F(x) GF(2 n ), pose k = 2 n, then: F(x) k = F(x) mod G(x) (generalisation of Fermat little theorem) for instance, taken G(x) = x 2 + x + 1 (of deg. n = 2, irred.), it holds k = 2 2 = 4 and hence: (x + 1) 4 = ((x + 1) 2 ) 2 = (x 2 + 1) 2 = (x ) 2 = = x 2 = x + 1 mod G(x) as it is expected to be 13/05/2010 cryptography - math background pp. 122 / 162

123 CONSEQUENCES if the generator G(x) is an irreducible polynomial of degree n 2 and k = 2 n : since: F(x) k = F(x) mod G(x) it follows: F(x) k 1 = 1 mod G(x) and also: F(x) k 2 = F(x) 1 mod G(x) (with the condition that F(x) 0 mod G(x)) therefore F(x) k 2 is the multiplicative inverse element of F(x) (mod G(x)) 13/05/2010 cryptography - math background pp. 123 / 162

124 INVERSION EXAMPLE taken the generator G(x) = x 2 + x + 1 (of deg. n = 2, irred.), it holds k = 2 2 = 4, and hence: (x + 1) 4 2 = (x + 1) 2 = x = = x = x mod G(x) and in fact: (x + 1) x = x 2 + x = x x = 1 mod G(x) this means that x is the inverse element of (x + 1) (of course, mod G(x)) 13/05/2010 cryptography - math background pp. 124 / 162

125 MULTIPLICATIVE GENERATORS the monomial x is a multiplicative generator for binary extension fields for instance: G(x) = x 2 + x + 1 (irred.) x 0 mod G(x) = 1 x 1 mod G(x) = x x 2 mod G(x) = x + 1 GF(2 2 ) (excluding 0) x 3 mod G(x) = x x 2 mod G(x) = x (x + 1) mod G(x) = = x 2 + x = x x = 1 (periodic ). the same holds for GF(p n ) 13/05/2010 cryptography - math background pp. 125 / 162

126 FIELD GF(2 n ) IN SUMMARY given an irreducible generator polynomial G(x) of degree n 2, the algebraic structure: GF(2 n ) = < F 2 [x n ], +,, 0, 1 > is a finite field of 2 n elements. the elements of GF(2 n ) are polynomials with coefficients over GF(2) (or F 2 ) all the operations are computed mod G(x). multiplicative inverse exist for all the elements of GF(2 n ) (but for 0), and can by found by Fermat little theorem 13/05/2010 cryptography - math background pp. 126 / 162

127 MODULAR EXTENSION FIELDS 13/05/2010 cryptography - math background pp. 127 / 162

128 POLINOMYALS OVER F p (GF(p)) consider polynomials with coefficients over F p (also called GF(p)), for a fixed prime integer p 2 a coefficient can be: 0, 1, 2, p 1 then a polynomial in F p [x] is a list of powers of x, with coefficients as above example: x 2 + 2x + 1 (for p = 3, prime) 13/05/2010 cryptography - math background pp. 128 / 162

129 POLYNOMIALS OVER F p EXAMPLES for the prime p = 3: (x + 1) + (x 2 + 2x + 1) = x x 2 + 2x + 1 = = x 2 + 3x + 2 = x since 3 = 0 mod 3 for the prime p = 5: (x 2 + 3) (x 3 + 2x + 4) = = x 5 + 2x 3 + 4x 2 + 3x 3 + 6x + 12 = = x 5 + 5x 3 + 4x 2 + 6x + 12 = = x 5 + 4x 2 + x + 2 since 5 = 0, 6 = 1 and 12 = 2 mod 5 13/05/2010 cryptography - math background pp. 129 / 162

130 THE EXTENSION FIELD GF(p n ) the ideas for building modular fields F p (p 2 prime), and binary extension fields F 2 [x n ] (n 2), can be combined the result is the family of modular extension fields F p [x n ] (p, n 2, p is a prime integer) fields F p [x n ] are also denoted GF(p n ) (Galois Fields of order p n, p is prime) 13/05/2010 cryptography - math background pp. 130 / 162

131 THE EXTENSION FIELD GF(p n ) take an irreducible generator polynomial G(x) F p [x], for a prime integer p 2, of degree n 2, the algebraic structure: GF(p n ) = F p [x n ], +,, 0, 1 is a finite field of p n elements the elements of GF(p n ) are polynomials with coefficients over GF(p) (or F p ) all the operations are computed mod G(x) the field GF(p n ) contains p n elements 13/05/2010 cryptography - math background pp. 131 / 162

132 FERMAT LITTLE THEOREM take an irreducible generator polynomial G(x) F p [x], for a prime p 2, of degree n 2, and take any polynomial F(x) GF(p n ), pose k = p n, then: F(x) k = F(x) mod G(x) (generalisation of Fermat little theorem) hence it follows (as in previous cases): F(x) k 1 = 1 mod G(x) F(x) k 2 = F(x) 1 mod G(x) (inverse!) (with the cond. that F(x) 0 mod G(x)) 13/05/2010 cryptography - math background pp. 132 / 162

133 FIELD EXAMPLE GF(3 2 ) fix p = 3 (prime) and n = 2 the elements of GF(3) are: 0, 1, 2 the elements of GF(3 2 ) are: 0, 1, 2 (deg. 0, 3 poly. s) x, 2x, x + 1, x + 2, 2x + 1, 2x + 2 (deg. 1, 6 poly. s) there are k = 3 2 = 9 elements in GF(3 2 ) take the generator G(x) = x in GF(3) the polynomial G(x) is irreducible were not so, G(x) should split into two linear factors of the type (x + a), with a = 0, 1 or 2 but none of the a s is a root of G(x) 13/05/2010 cryptography - math background pp. 133 / 162

134 INVERSION EXAMPLE IN GF(3 2 ) remember that: G(x) = 0 x = 0 x 2 = 1 = 2 as 1 = 2 mod 3 to compute an inverse element: (2x + 1) 1 = (2x + 1) 9 2 = (2x + 1) 7 = = (2x + 1) 6 (2x + 1) = ((2x + 1) 2 ) 3 (2x + 1) = = (4x 2 + 4x + 1) 3 (2x + 1) = (x 2 + x + 1) 3 (2x + 1) = = (2 + x + 1) 3 (2x + 1) = (x + 3) 3 (2x + 1) = x 3 (2x + 1) = = x 2 x (2x + 1) = 2x (2x + 1) = 4x 2 + 2x = = x 2 + 2x = 2x + 2 mod G(x) and in fact: (2x + 1)(2x + 2) = 4x 2 + 4x + 2x + 2 = 4x 2 + 6x + 2 = = x = = 4 = 1 mod G(x) as it is expected to be 13/05/2010 cryptography - math background pp. 134 / 162

135 COMPOSITE GALOIS FIELDS suppose GF(p h ) is a modular extension field, the elements of which consist of polynomials of degree under h with coeff.s that are integers mod p construct a new, larger modular extension field, using the elements of GF(p h ) as coefficients of new polynomials, of degree under k this new field is GF(GF(p h )) k = GF(p hk ), and is called a composite (Galois) field the elements of GF(p hk ) are polynomials, the coefficients of which are themselves polynomials (the coeff.s of the latter ones are integers mod p) 13/05/2010 cryptography - math background pp. 135 / 162

136 COMPOSITE GALOIS FIELDS dually: let GF(p m ) be a modular extension field. It can be constructed by using polynomials of degree under m, with coeff.s that are integers mod p but, if m = hk (for h, k 2), i.e. if m is decomposable into non-trivial factors, then the field GF(p m ) can be itself decomposed into two nested fields: coefficient field GF(p h ) - internal field complete field GF(GF(p h ) k ) = GF(p hk ) - external field (the roles of h, k are interchangeable) this decomposition may be very helpful in the implementations, but does not always apply if m is itself prime, no decomposition is possible 13/05/2010 cryptography - math background pp. 136 / 162

137 EXAMPLE COMPOSITE FIELD take p = 2 (binary extension fields). G(x) = x 4 + x (irreducible, check yourself!) G(x) generates GF(2 4 ), with 2 4 = 16 elements. but 4 = 2 2, hence GF(2 4 ) = GF(GF(2 2 ) 2 ) (here h = k = 2) construct the two nested fields: Internal field, use the gen. G 2 1 (y) = y + y + 1 (irred. over GF(2)) External field, use the gen. G 2 (x) = x 2 + y x + 1 (irred. over GF(2 2 )) elem.s of GF(2 4 ): (ay 1 + by 0 )x 1 + (cy 1 + dy 0 )x 0 (a, b, c, d = 0, 1) of course, interpret G 2 (x) as follows: G 2 (x) = (0y + 1) x 2 + (1y + 0) x 1 + (0y + 1) x 0 since its coeff.s are themselves polynomials (use two distinct variables y and x to avoid confusion). complete yourself (in particular, check that G 2 (x) is irreducible over GF(2 2 )). Try with the field GF(2 6 ). 13/05/2010 cryptography - math background pp. 137 / 162

138 CONCLUSIONS ON FINITE FIELDS 13/05/2010 cryptography - math background pp. 138 / 162

139 THE COMPLETION THEOREM there exist only three familes of finite fields: modular fields: GF(p) for every prime p 2 the elements are 0, 1,, p 1 GF(2) is the simplest case, called binary field binary extension fields: GF(2 n ) for every integer n 2 the elements are the polynomials of degree under n with coefficients 0 or 1 modular extension fields: GF(p n ) for every prime p 3 and integer n 2 the elements are the polynomials of degree under n with coefficients 0, 1,,, p 1 no other family of finite fields exist 13/05/2010 cryptography - math background pp. 139 / 162

140 FIELD ISOMORPHISM two fields F, F are isomorphic iff there exists a one-to-one function θ: F F such that, taken the elements a, b F, it holds: θ(a + b) = θ(a) + θ(b) and θ( a) = θ(a) θ(a b) = θ(a) θ(b) and θ(a 1 ) = θ(a) 1 θ(0) = 0 and θ(1) = 1 in practice, ϕ commutes with field operations two isomorphic fields need have the same number of elements (θ is one-to-one) 13/05/2010 cryptography - math background pp. 140 / 162

141 THE ISOMORPHISM THEOREM let F, F be any two extension fields generated by the irred. polynomials G (x), G (x), respectively theorem: if F, F are of the same size, they are necessarily isomorphic, i.e. there exists an isomorphism θ: F F in other terms, each element f of F admits a corresponding element θ(f) in F, behaving in the same way (and viceversa) 13/05/2010 cryptography - math background pp. 141 / 162

142 THE ISOMORPHISM THEOREM the extension fields GF(2 n ) (and GF(p n )) DO NOT DEPEND on the chosen irreducible generator polynomial that is, fixed an integer n 2 (and prime p 2), there exists a unique GF(2 n ) (and GF(p n )) put another way, if G (x), G (x) are both irreducible generators of degree n, they are equivalent for building GF(2 n ) (and GF(p n )) hence, select G (x) or G (x) at will (but do not mix them during the computation, of course) 13/05/2010 cryptography - math background pp. 142 / 162

143 ISOMORPHISM EXAMPLE the binary extension field GF(2 3 ) (size 2 3 = 8) can be generated in two different ways: G (x) = x 3 + x G (x) = x 3 + x + 1 since both G (x) and G (x) are irreducible over GF(2) each of G (x) and G (x) yields a representation of GF(2 3 ) constructing the isomorphism θ is not so immediate, though not really difficult 13/05/2010 cryptography - math background pp. 143 / 162

144 FIELD REPRESENTATION it is said that two irreducible polynomials G (x), G (x), of identical degree, generate two DIFFERENT REPERSENTATIONS of the SAME FINITE EXTENSION FIELD the isomorphism function θ can be effectively determined, starting from G (x), G (x) the function θ is actually a linear transformation an extension field admits as many different representations as the number of irreducible polynomials of identical degree 13/05/2010 cryptography - math background pp. 144 / 162