COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162


RECALL OF COMPUTER ARITHMETIC
computers implement some types of arithmetic, for instance addition, subtraction and multiplication of integers and reals, necessary for the basic computations found in programming languages
these arithmetic operations are directly supported by the processor, but are normally unsuited for cryptography

COMPUTER ARITHMETIC
computers can perform standard arithmetic operations on:
integers, e.g. 0, 1, 2, -1, -2
reals, e.g. 1.2, -4.3, 1.5 · 10^6
sometimes also other kinds of numbers, e.g. complex numbers
and normally NOTHING ELSE

COMPUTER ARITHMETIC
standard computer operations are:
arithmetic of the 1st species: addition, subtraction
arithmetic of the 2nd species: multiplication, division (integer or real)
possibly arithmetic of the 3rd species: power, root
sometimes (infrequently) transcendental functions: exp, log, trigonometry, ...

COMPUTER ARITHMETIC
all the previous operations can be computed directly by the processor of the computer
machine (assembler) instructions exist for each operation
numbers are normally represented in:
two's complement (integers)
IEEE 754 floating point (reals)

INTEGERS - NATURAL
natural binary: binary digit b in {0, 1}
b_n b_{n-1} b_{n-2} ... b_3 b_2 b_1 = b_n 2^{n-1} + b_{n-1} 2^{n-2} + ... + b_2 2^1 + b_1 2^0
range: [0, 2^n - 1]
for instance: 10101100 = 2^7 + 2^5 + 2^3 + 2^2 = 128 + 32 + 8 + 4 = 172

INTEGERS - TWO'S COMPLEMENT
two's complement: binary digit b in {0, 1}
sigma b_{n-1} ... b_3 b_2 b_1 = -sigma 2^{n-1} + b_{n-1} 2^{n-2} + ... + b_2 2^1 + b_1 2^0
the bit sigma is called the sign bit
range: [-2^{n-1}, 2^{n-1} - 1]
for instance: 01001101 = +2^6 + 2^3 + 2^2 + 2^0 = 64 + 8 + 4 + 1 = 77
and: 10101100 = -2^7 + 2^5 + 2^3 + 2^2 = -128 + 32 + 8 + 4 = -84

ADDITION OF NATURAL INTEGERS

ADDITION OF TWO'S COMPLEMENT INTEGERS

NATURAL MULTIPLICATION

FULL ADDER
truth table (a + b + cin gives the sum bit and the carry out):
a b cin | cout sum | a+b+cin
0 0 0   | 0    0   | 0
0 0 1   | 0    1   | 1
0 1 0   | 0    1   | 1
0 1 1   | 1    0   | 2
1 0 0   | 0    1   | 1
1 0 1   | 1    0   | 2
1 1 0   | 1    0   | 2
1 1 1   | 1    1   | 3
sum = a XOR b XOR cin
cout = (a AND b) OR (a AND cin) OR (b AND cin)

RIPPLE CARRY ADDER
addition of natural integers of 3 bits: three full adders in a chain, the carry out of each stage feeding the carry in of the next
inputs: a2 b2, a1 b1, a0 b0 and the initial carry c0
outputs: s2 s1 s0 and the final carry c3
c0 -> Full Adder (a0, b0) -> s0, c1 -> Full Adder (a1, b1) -> s1, c2 -> Full Adder (a2, b2) -> s2, c3
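As an added example (Python, not from the original slides), the two integer encodings and the full-adder equations above, put together: the functions read an n-bit string as natural binary or as two's complement, and add two such strings with a bit-level ripple-carry adder. The adder reports both the natural carry-out and the two's-complement overflow (carry into the sign bit differing from the carry out of it), which is the distinction the missing addition figures illustrate. The bit strings are constructed inputs.

```python
from typing import Tuple

# Added example, not code from the slides: natural binary and two's complement
# decoding, plus a ripple-carry adder built from the slide's full-adder equations.

def natural_value(bits: str) -> int:
    """b_n ... b_1 read as an unsigned integer: sum of b_i * 2^(i-1)."""
    total = 0
    for b in bits:
        if b not in "01":
            raise ValueError("binary digits only")
        total = total * 2 + int(b)
    return total

def twos_complement_value(bits: str) -> int:
    """Same bits read in two's complement: the leading (sign) bit weighs -2^(n-1)."""
    n = len(bits)
    unsigned = natural_value(bits)
    if bits[0] == "1":
        # -2^(n-1) + (rest) equals the unsigned value minus 2^n
        return unsigned - (1 << n)
    return unsigned

def full_adder(a: int, b: int, cin: int) -> Tuple[int, int]:
    """Returns (sum, cout) as in the truth table: XOR for the sum, majority for the carry."""
    s = a ^ b ^ cin
    cout = (a & b) | (a & cin) | (b & cin)
    return s, cout

def ripple_carry_add(x: str, y: str) -> Tuple[str, int, bool]:
    """Adds two n-bit strings; returns (n-bit sum, carry-out, signed_overflow).

    carry-out == 1 means the *natural* addition does not fit in n bits;
    signed_overflow means the *two's complement* result is wrong, which
    happens when the carry into the sign bit differs from the carry out of it.
    """
    if len(x) != len(y):
        raise ValueError("operands must have the same width")
    n = len(x)
    carry = 0
    carry_into_msb = 0
    out = []
    for i in range(n - 1, -1, -1):      # rightmost character is bit 0 (LSB)
        if i == 0:
            carry_into_msb = carry       # carry entering the sign-bit stage
        s, carry = full_adder(int(x[i]), int(y[i]), carry)
        out.append(str(s))
    signed_overflow = carry_into_msb != carry
    return "".join(reversed(out)), carry, signed_overflow

if __name__ == "__main__":
    # 77 + 77 = 154 does not fit in 8 signed bits: no natural carry, but signed overflow.
    print(ripple_carry_add("01001101", "01001101"))
    # 172 + 84 = 256 overflows 8 unsigned bits (carry 1), but -84 + 84 = 0 is fine in two's complement.
    print(ripple_carry_add("10101100", "01010100"))
```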

CONSIDERATIONS
integer and real computer arithmetic is NOT used (or seldom used) for cryptography
instead, finite algebraic structures are generally adopted, for instance finite FIELDS or RINGS
the theory of such structures follows

ALGEBRAIC STRUCTURES

ALGEBRAIC STRUCTURE
an algebraic structure A is: A = <S, op_1, op_2, ..., s_0, s_1, ...> where:
S is a set of elements, or numbers (in a very broad sense), called the support set
op_i is a binary operator over the elements of the support set S
s_i is a special element of the support set S

STRUCTURES - EXAMPLES
natural integers (semigroup): N = <{1, 2, 3, ...}, +>
natural numbers, equipped with the binary operator of addition (+)
natural integers plus 0 (monoid): N_0 = <{0, 1, 2, 3, ...}, +, 0>
natural numbers, equipped with the binary operator of addition (+), plus the special element 0 (neutral element for +)

STRUCTURES - EXAMPLE
relative integers (abelian group): <{..., -2, -1, 0, 1, 2, ...}, +, 0>
relative integer numbers, equipped with:
the binary operator of addition (+)
the special element 0, neutral for (+)
this is an algebraic structure with one operation and one special element

STRUCTURES - EXAMPLE
natural integers (semiring): <{1, 2, 3, ...}, +, ·, 1>
natural integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (·)
the special element 1, neutral for (·)
an algebraic structure with two operations and one special element

STRUCTURES - EXAMPLE
relative integers (commutative ring): Z = <{..., -2, -1, 0, 1, 2, ...}, +, ·, 0, 1>
relative integer numbers, equipped with:
the binary operator of addition (+)
the binary operator of multiplication (·)
the special element 0, neutral for (+)
the special element 1, neutral for (·)
an algebraic structure with two operations and two special elements

CONSIDERATIONS
there are many possible algebraic structures
each of them is characterized by properties (axioms and theorems), for instance:
a + b = b + a (axiom for N)
a^2 - b^2 = (a + b) · (a - b) (theorem for Z)

GROUPS

DEFINITION
a GROUP G is an algebraic structure G = <S, ·, 1> where:
S is the support set
· is a binary operator, called product
1 is a special element, neutral for (·)
if the support S is a finite set, G is said to be a finite group

AXIOMS OF GROUP
groups must satisfy (by definition) the following axioms, for every a, b, c in S:
a · b in S (closure)
(a · b) · c = a · (b · c) (associativity)
1 · a = a · 1 = a (1 is neutral and commutes with every element)
for every a there exists a^{-1} in S such that a · a^{-1} = a^{-1} · a = 1 (existence of the inverse)

GROUPS - EXAMPLE
the group of non-singular square matrices of order 2, with real elements: M = <M_{2,2}, matrix product, identity matrix I>
M is closed (the product of two non-singular matrices is non-singular)
the matrix product is associative
the matrix I is the neutral element for the product
each (non-singular) matrix admits an inverse
NOTE: the matrix product is NOT commutative

ABELIAN GROUPS
in some groups the product operator is commutative, i.e. a · b = b · a
abelian (or commutative) group: a group G such that the operator (·) is commutative
in abelian groups the symbol (·) is normally replaced by (+), which is called addition instead of product, and the neutral element is then written 0: G = <S, +, 0>
PAY ATTENTION: a few mathematicians still go on calling (+) a product operator!

ABELIAN GROUPS - EXAMPLES
the world is full of abelian groups, for instance:
relative integers, with addition: Z = <{..., -2, -1, 0, 1, 2, ...}, +, 0>
non-zero rational numbers, with multiplication: Q* = <{..., p/q, ...} \ {0}, ·, 1> (0 must be left out, since it has no multiplicative inverse)
and many others

ITERATED OPERATION
given a group G (not necessarily abelian), an element g of G, and a positive or null integer k >= 0, define:
g^k = g · g · ... · g (k times)
g^0 = 1 (if k = 0)
the operation g^k is called iterated multiplication (or power)
most cryptography lives on it

ITERATION - EXAMPLES
in the integers with multiplication, <Z, ·, 1>: z^k = z · z · ... · z (k times), usually called the power of order k
in groups whose operation is denoted (+) instead of (·), the writing kg replaces g^k
in the abelian group Z = <{..., -2, -1, 0, 1, 2, ...}, +, 0>: kz = z + z + ... + z (k times), the usual multiple of z

GROUP GENERATORS
given a finite group G, an element g in G is said to be a generator for G if its powers cover all the elements of G:
for every f in G there exists k >= 0 such that f = g^k
in practice a generator is a single element that allows to construct the whole group by iteration
a group G may admit no generator, a single generator or more generators

DISCRETE LOGARITHM (DH)
given a generator g in G for the group, and any element f in G, define:
k = log_g f (discrete logarithm of f to base g): the (smallest) integer k >= 0 such that f = g^k
such a k necessarily exists, since g is a generator for G
given a group G, it is relatively simple to compute f = g^k, but it may be very hard to compute k starting from g and f

CONSIDERATIONS
groups (usually abelian) are an important algebraic structure for cryptography
normally finite groups are used (examples will come soon)
the basic operations for cryptographic applications are iteration and discrete logarithm
however, abelian groups appear also in the form of rings and fields (see next slides)

RINGS AND FIELDS

RINGS - DEFINITION
a RING R is an algebraic structure R = <S, +, ·, 0> (and usually also 1) where:
<S, +, 0> is an abelian group w.r.t. (+)
and for every a, b, c in S:
a · b in S (closure)
a · (b + c) = (a · b) + (a · c) (left distributivity)
(b + c) · a = (b · a) + (c · a) (right distributivity)

RINGS - DETAILS
the operator (+) must be commutative
if the operator (·) commutes as well, R is said to be a commutative ring
if (·) has its own neutral element 1, R is said to be a ring with unity
if the support set S of R is a finite set, R is said to be a finite ring

RINGS - EXAMPLE
the ring R of relative integer numbers, with ordinary addition and multiplication: Z = <{..., -2, -1, 0, 1, 2, ...}, +, ·, 0, 1>
R is a commutative ring, since the operator (·) commutes
and R is said to have a unity, since the operation (·) has its own neutral element, 1
the symbol Z is used worldwide for denoting this particular ring

FIELDS - DEFINITION
a FIELD F is an algebraic structure F = <S, +, ·, 0, 1> where:
<S, +, 0> is an abelian group w.r.t. (+)
<S \ {0}, ·, 1> is an abelian group w.r.t. (·), i.e. every element except 0 has a multiplicative inverse
and for every a, b, c in S:
a · (b + c) = (a · b) + (a · c) (left distributivity)
(b + c) · a = (b · a) + (c · a) (right distributivity)
if the support set S of F is finite, F is said to be a finite field

FIELDS - EXAMPLES
the field Q of rational numbers, with ordinary addition and multiplication: Q = <{..., p/q, ...}, +, ·, 0, 1>
Q is an infinite field
other examples of infinite fields:
real numbers, with addition and multiplication
complex numbers, with addition and multiplication
and many others

CONSIDERATIONS
rings and fields are the most popular and used algebraic structures
in particular, the mathematical theory of fields is well developed, and for finite fields (almost) everything that is of some interest has been investigated and clarified
and an important part of cryptography actually relies upon finite fields

MODULAR OPERATIONS

PRELIMINARIES
there are many finite rings, but few finite fields; here:
modular finite rings
modular finite fields
finite extension fields, in particular binary finite extension fields
all these are used in cryptography

MODULAR RINGS
everybody knows what integer division is
given: an integer N (dividend: positive, null or negative) and an integer D (divisor: always positive, non-null)
there are two uniquely determined integers Q and R, with R positive or null, such that:
N = Q · D + R and 0 <= R < D
Q: quotient, R: remainder (Q is negative when N is negative)

INTEGER DIVISION - EXAMPLES
N = Q · D + R
5 = 2 · 2 + 1   Q = 2, R = 1, 1 < 2
9 = 3 · 3 + 0   Q = 3, R = 0, 0 < 3
20 = 3 · 6 + 2   Q = 3, R = 2, 2 < 6
-5 = -3 · 2 + 1   Q = -3, R = 1, 1 < 2
8 = 2 · 4 + 0   Q = 2, R = 0, 0 < 4
-9 = -3 · 4 + 3   Q = -3, R = 3, 3 < 4

COMPUTING mod n
from the definition and the examples it is clear that (for n >= 1):
if a >= 0 then a mod n = r such that a = q · n + r and 0 <= r < n
else a mod n = n - r, where |a| = q · n + r and 0 < r < n (and a mod n = 0 when r = 0: e.g. -6 mod 3 = 0, not 3)
for instance: -4 mod 3 = 2 because -4 = -2 · 3 + 2
but also 4 = 1 · 3 + 1 and hence r = 3 - 1 = 2

THE mod OPERATOR
one writes (for a in Z and n >= 1): a mod n = b
to indicate the remainder b >= 0 of the (integer) division of a by n
here the symbol mod indicates a binary operator: mod: Z x N+ -> N
if n = 1, then a mod 1 = 0 for every a (trivial case)
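Added example (Python, not from the slides): the remainder 0 <= b < n defined above, computed from the sign-split rule of the previous slide, beside the truncated remainder that C, Java and most processor divide instructions return for a negative dividend. Python's own % already gives the non-negative remainder for a positive modulus; the C-style variant is reproduced here only to show the mismatch a practitioner has to normalise before using a language's % as the mod operator.

```python
# Added example, not code from the slides.

def euclid_mod(a: int, n: int) -> int:
    """a mod n with 0 <= result < n, following the slide's rule for a < 0.

    For a < 0 the slide writes |a| = q*n + r and returns n - r; the case
    r == 0 must map to 0, not n (e.g. -6 mod 3 is 0, not 3).
    """
    if n < 1:
        raise ValueError("modulus must be >= 1")
    if a >= 0:
        q, r = divmod(a, n)          # a = q*n + r, 0 <= r < n
        return r
    r = (-a) % n                      # remainder of |a|, non-negative
    return 0 if r == 0 else n - r

def truncated_rem(a: int, n: int) -> int:
    """The C/Java-style '%': quotient truncated toward zero, remainder with the sign of a."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    q = abs(a) // n
    if a < 0:
        q = -q
    return a - q * n

def normalize(rem: int, n: int) -> int:
    """Map a truncated remainder back into the residue range [0, n)."""
    return rem + n if rem < 0 else rem

if __name__ == "__main__":
    for a in (-4, -6, -9, 20):
        print(a, euclid_mod(a, 3), truncated_rem(a, 3), a % 3)
```

The `-4 % 3` case is the one that bites in practice: a C program gets -1, the slide's definition (and Python) gives 2, and `normalize` is the one-line fix that reconciles them.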

MODULAR CONGRUENCE
given a modulus n >= 1, two integers a, b in Z are said to be congruent modulo n, iff:
a = b mod n  <=>  a mod n = b mod n
i.e. iff the remainder of a divided by n equals the remainder of b divided by n
the modular congruence (= mod n) has the usual formal properties of equality:
reflexivity: a = a mod n
symmetry: a = b mod n => b = a mod n
transitivity: a = b mod n and b = c mod n => a = c mod n
here "mod n" is a side indication, meaning that the equality = is interpreted in the modular way

CONGRUENCE - EXAMPLES
it holds: 4 = 0 mod 2, in fact: 4 mod 2 = 0 = 0 mod 2
it holds: 5 = 1 mod 2, in fact: 5 mod 2 = 1 = 1 mod 2
it holds: 11 = 7 mod 4, in fact: 11 mod 4 = 3 = 7 mod 4
it holds: 13 = 2 mod 5, in fact: 13 mod 5 = 2 = 2 mod 5
it holds: 9 = 5 mod 2, in fact: 9 mod 2 = 1 = 5 mod 2

RESIDUE CLASSES
given any modulus n >= 1, the set A of all the integers a in Z that are congruent mod n has the following form:
A = {b + k · n | k in Z}, with 0 <= b < n
each such set A is called a residue class (mod n); there are exactly n such classes, one for each b in {0, 1, ..., n - 1}
the integer b in A is the reduced form of every other element of the class A
A = {..., -4, -1, 2, 5, 8, ...} is the residue class of 5 mod 3; 2 is its reduced form

IMPORTANT DETAIL
it is true that, for any modulus n >= 1: n = 0 mod n
put another way, 0 and n can always be freely exchanged
more generally: for every k in Z, k · n = 0 mod n

COMPUTATION mod n
an algebraic expression over the integers, containing (+) and (·), is said to be computed mod n (for n >= 1) if the remainder of the integer division of its result by n is taken (instead of the full result)
for instance: 5 + 3 · 2 - 1 = 2 mod 4

PROPERTIES OF mod
given n >= 1 and any two integers a, b in Z:
(a + b) mod n = ((a mod n) + (b mod n)) mod n
(a - b) mod n = ((a mod n) - (b mod n)) mod n
(a · b) mod n = ((a mod n) · (b mod n)) mod n
put another way, the operator mod commutes with (+), (-) and (·)
this is very useful for optimizing the computation of expressions: intermediate results can be reduced mod n at every step and so never grow large

COMPUTING mod n - EXAMPLE
it holds: 5 + 3 · 2 - 1 = 2 mod 4
in fact: 5 + 3 · 2 - 1 = 10 and 10 mod 4 = 2
but also: 5 mod 4 = 1 and 3 · 2 mod 4 = 2 and -1 mod 4 = 3
and (1 + 2 + 3) mod 4 = 6 mod 4 = 2

MODULAR RINGS

THE MODULAR RING Z_n
given a positive integer n >= 1, the following algebraic structure:
Z_n = <{0, 1, 2, ..., n - 1}, +, ·, 0, 1>
is called the modular ring of order n, provided that, for every a, b in Z_n:
a + b is computed mod n
a · b is computed mod n
Z_n contains exactly n elements
Z_1 contains only 0 (n = 1, trivial case)

MODULAR ADDITION
suppose for instance n = 6; modular addition works in Z_6 as follows:
1 + 2 = 3 mod 6 = 3   (1 + 2 = 3 mod 6)
3 + 4 = 7 mod 6 = 1   (3 + 4 = 1 mod 6)
5 + 5 = 10 mod 6 = 4
4 - 5 = -1 mod 6 = 5
0 - 5 = -5 mod 6 = 1

OPPOSITE ELEMENT
suppose for instance n = 10; opposite elements in Z_10 can be found as follows:
-5 = -5 mod 10 = 5   (-5 = 5 mod 10)
-3 = -3 mod 10 = 7   (-3 = 7 mod 10)
-8 = -8 mod 10 = 2   (-8 = 2 mod 10)
clearly: -a = n - a mod n
this is coherent with: a + (-a) = a + (n - a) = a + n - a = n = 0 mod n

MODULAR MULTIPLICATION
suppose for instance n = 9; modular multiplication works in Z_9 as follows:
1 · 2 = 2 mod 9 = 2   (1 · 2 = 2 mod 9)
3 · 4 = 12 mod 9 = 3   (3 · 4 = 3 mod 9)
5 · 5 = 25 mod 9 = 7
4 · 5 = 20 mod 9 = 2
0 · 5 = 0 mod 9 = 0

MODULAR POWERS
modular powers: a^m = a · a · ... · a mod n (m times, for m >= 1)
a^0 = 1 mod n (by definition)
for instance, given n = 6:
2^2 = 4 mod 6 = 4   (2^2 = 4 mod 6)
2^3 = 8 mod 6 = 2   (2^3 = 2 mod 6)
2^6 = 64 mod 6 = 4   (2^6 = 4 mod 6)
note: 2^6 = (2^3)^2 = (2)^2 = 4 mod 6
i.e. one can use the normal, well-known properties of exponents, reducing mod n after each step
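Added example (Python, not from the slides): the two previous slides together, i.e. the properties of mod (reduce after every product) and the exponent rules (2^6 = (2^3)^2), give square-and-multiply modular exponentiation, the operation that iterated multiplication in cryptography actually runs on. The trace variant also reports the largest intermediate product and the number of multiplications, to show that nothing ever exceeds (n-1)^2 and that the cost is logarithmic in the exponent; Python's built-in `pow(b, e, n)` does the same thing natively and is used only as a reference.

```python
from typing import Tuple

# Added example, not code from the slides: square-and-multiply mod n.

def mod_pow_trace(base: int, exp: int, n: int) -> Tuple[int, int, int]:
    """Returns (base^exp mod n, largest intermediate product, number of multiplications).

    Scans the exponent bit by bit from the least significant one; every product
    is reduced mod n at once, so operands never exceed n - 1 and products never
    exceed (n - 1)^2, whatever the size of exp.
    """
    if n < 1 or exp < 0:
        raise ValueError("need n >= 1 and exp >= 0")
    result = 1 % n              # 1 mod n (0 when n == 1)
    base %= n
    largest, mults = 0, 0
    while exp:
        if exp & 1:             # this bit of the exponent is set: multiply in the current square
            prod = result * base
            largest = max(largest, prod)
            result = prod % n
            mults += 1
        prod = base * base      # base <- base^2 mod n for the next bit
        largest = max(largest, prod)
        base = prod % n
        mults += 1
        exp >>= 1
    return result, largest, mults

def mod_pow(base: int, exp: int, n: int) -> int:
    """base^exp mod n."""
    return mod_pow_trace(base, exp, n)[0]

if __name__ == "__main__":
    print(mod_pow(2, 6, 6))                   # the slide's 2^6 mod 6
    print(mod_pow_trace(3, 1000, 101))        # small operands, ~2*log2(1000) multiplications
```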

HINTS ON GENERATORS
consider the ring Z_5 and the element 2:
1 · 2 mod 5 = 2 mod 5 = 2
2 · 2 mod 5 = 4 mod 5 = 4
3 · 2 mod 5 = 6 mod 5 = 1
4 · 2 mod 5 = 8 mod 5 = 3
5 · 2 mod 5 = 10 mod 5 = 0
6 · 2 mod 5 = 12 mod 5 = 2 (periodic from here on)
the multiples cover the whole of Z_5: the element 2 is an additive generator for the ring Z_5
theorem: for any ring Z_n, any element e != 0 such that (e, n) = 1 is an additive generator

HINTS ON GENERATORS
consider the ring Z_5 and the element 3:
3^1 mod 5 = 3 mod 5 = 3
3^2 mod 5 = 9 mod 5 = 4
3^3 mod 5 = 27 mod 5 = 2
3^4 mod 5 = 81 mod 5 = 1
3^5 mod 5 = 243 mod 5 = 3 (periodic from here on)
the powers cover the whole of Z_5 excluding 0: the element 3 is a multiplicative generator for the ring Z_5
how to determine the multiplicative generators of a modular ring Z_n, for a generic modulus n, is a much harder problem
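Added example (Python, not from the slides) serving both the group-generator and discrete-logarithm slides earlier and the two "hints on generators" slides above: it checks additive generators of Z_n against the stated theorem, finds the multiplicative generators of the invertible residues mod n by computing each element's order, and computes the discrete logarithm by the only method the slides give, trying the powers one after the other. The brute-force search is what makes the asymmetry concrete: g^k is one exponentiation, log_g f is a walk over the whole group. The moduli are small constructed inputs; for the n = 8 case the search confirms that a modulus can have no multiplicative generator at all.

```python
import math
from typing import List, Optional

# Added example, not code from the slides.

def additive_generator(e: int, n: int) -> bool:
    """True iff the multiples 1e, 2e, ..., ne cover every residue of Z_n."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    return {(k * e) % n for k in range(1, n + 1)} == set(range(n))

def multiplicative_order(g: int, n: int) -> Optional[int]:
    """Smallest k >= 1 with g^k = 1 mod n; None if g has no inverse mod n (its powers never return to 1)."""
    if n < 2 or math.gcd(g, n) != 1:
        return None
    k, x = 1, g % n
    while x != 1:
        x = (x * g) % n
        k += 1
    return k

def multiplicative_generators(n: int) -> List[int]:
    """Elements whose powers cover all invertible residues mod n (the group Z_n^*).

    For prime n that is Z_n \\ {0}; for composite n only the units are reachable,
    and for some n (e.g. 8) no single element generates them all.
    """
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    return [g for g in units if multiplicative_order(g, n) == len(units)]

def discrete_log(g: int, f: int, n: int) -> Optional[int]:
    """Brute-force log_g f mod n: the smallest k >= 0 with g^k = f mod n, or None."""
    if n < 1:
        raise ValueError("modulus must be >= 1")
    x = 1 % n
    for k in range(n):              # the sequence of powers repeats after at most n steps
        if x == f % n:
            return k
        x = (x * g) % n
    return None

if __name__ == "__main__":
    print([e for e in range(1, 5) if additive_generator(e, 5)])   # every non-zero element of Z_5
    print(multiplicative_generators(5), multiplicative_generators(7), multiplicative_generators(8))
    print(discrete_log(3, 2, 5))    # 3^3 = 27 = 2 mod 5, as on the slide
```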

MORE ON MODULAR RINGS

MODULAR COMPUTATION
frequently, computing the operator mod does not really require performing a division
remember in fact that n = 0 mod n
whenever in an expression to be computed mod n a term +n (or -n) occurs, delete it (since it is = 0 mod n)
whenever in an expression to be computed mod n a factor n occurs, delete the whole product chain it belongs to (since it is = 0 mod n)

MOD. COMPUT. - EXAMPLES
one should immediately see that: (2 + 3) · 4 - 8 · 5 + 16 = 0 mod 4
in fact (this must become instinctive):
a · 4 = 0 mod 4 (whatever a is)
8 · b = 0 mod 4 (whatever b is)
and 16 = 0 mod 4
a well-known application:
123456 mod 3 = (1 · 10^5 + 2 · 10^4 + 3 · 10^3 + 4 · 10^2 + 5 · 10^1 + 6 · 10^0) mod 3 = (1 + 2 + 3 + 4 + 5 + 6) mod 3 = 21 mod 3 = 0
so 123456 = 0 mod 3, since 10^x = 1 mod 3 for every x >= 0
it is the well-known rule for checking the divisibility by 3 of decimal integers

MOD. COMPUT. - PROBLEM
what is the check rule of divisibility by 3 for binary natural numbers?
that is, given B = 10010100101011000101010, how do I quickly check whether the binary number B is divisible by 3?
I might first convert B to decimal, but ...
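Added example (Python, not from the slides) working the problem above by the same reasoning as the decimal rule: since 2 = -1 mod 3, the bit in position i (counting from the least significant bit, i = 0) contributes b_i · 2^i = b_i · (-1)^i mod 3, so B mod 3 is the sum of the bits in even positions minus the sum of the bits in odd positions, reduced mod 3. A second function computes the same residue reading the bits most-significant first with the update r <- (2r + b) mod 3, which is a three-state automaton and the form a hardware checker would take; neither function converts B or divides. The answer for the slide's B is verified against a straight conversion.

```python
# Added example, not code from the slides: divisibility by 3 of binary strings.

def binary_mod3(bits: str) -> int:
    """Residue mod 3 of a binary string via 2 = -1 mod 3 (alternating bit sum)."""
    even = odd = 0
    for i, b in enumerate(reversed(bits)):      # i = 0 is the least significant bit
        if b not in "01":
            raise ValueError("binary digits only")
        if b == "1":
            if i % 2 == 0:
                even += 1                       # 2^i = +1 mod 3
            else:
                odd += 1                        # 2^i = -1 mod 3
    return (even - odd) % 3

def binary_mod3_stream(bits: str) -> int:
    """Same residue, computed MSB first: r <- (2r + b) mod 3 is a 3-state automaton."""
    r = 0
    for b in bits:
        if b not in "01":
            raise ValueError("binary digits only")
        r = (2 * r + int(b)) % 3
    return r

def divisible_by_3(bits: str) -> bool:
    return binary_mod3(bits) == 0

if __name__ == "__main__":
    B = "10010100101011000101010"              # the slide's number
    print(binary_mod3(B), binary_mod3_stream(B), int(B, 2) % 3, divisible_by_3(B))
```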

MODULAR REDUCTION
given any modulus n >= 1 and any integer a >= n, the task of finding an integer 0 <= b < n such that a = b mod n is called reduction
for instance, taken n = 7 and a = 20: b = a mod n = 20 mod 7 = 6, i.e. 20 = 6 mod 7
it is said that 6 is the reduced form of 20 modulo 7 (as already seen before)
actually reduction is nothing but another name for taking the result of a mod n

GREATEST COMMON DIVISOR
given any two integers a, b in Z, their greatest common divisor, g.c.d., usually denoted (a, b) = d, is the largest positive integer d (i.e. d >= 1) dividing exactly (remainder 0) both a and b
for instance: (2, 3) = 1, (12, 8) = 4, (-30, 12) = 6, (-2, 5) = 1 (not -1!)
two integers a, b in Z are said to be co-prime (or relatively prime), i.e. they share no common integer factor >= 2, if and only if (a, b) = 1
for finding the g.c.d. efficiently: Euclid's algorithm

ABOUT THE INVERSION IN Z_n
given a in Z_n (n >= 2), when is it possible to find b in Z_n such that a · b = 1 mod n (b is the multiplicative inverse of a)?
theorem: the multiplicative inverse b of a exists (and is unique) if and only if (a, n) = 1, i.e. if a and n are co-prime (they share no common integer factor >= 2)

INVERSION IN Z_n - EXAMPLE
let n = 6, i.e. work in Z_6:
2^{-1} mod 6 does not exist, (2, 6) = 2
3^{-1} mod 6 does not exist, (3, 6) = 3
4^{-1} mod 6 does not exist, (4, 6) = 2
5^{-1} mod 6 exists, (5, 6) = 1, and is 5, since 5 · 5 = 25 = 1 mod 6
clearly, if n is a prime integer, any positive integer a < n is co-prime with n, hence invertible
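Added example (Python, not from the slides) for the g.c.d. and inversion slides above: Euclid's algorithm as named on the g.c.d. slide, its extended form which also returns the Bezout coefficients x, y with a · x + b · y = (a, b), and the inverse in Z_n read off from them (when (a, n) = 1, a · x = 1 mod n, so x mod n is the inverse). This is the general method that works for any modulus, prime or not, and it reports None exactly in the cases the Z_6 table marks as non-existent. Negative inputs are handled so that the signs match the g.c.d. examples on the slide.

```python
from typing import Dict, Optional, Tuple

# Added example, not code from the slides: Euclid, extended Euclid, inverses in Z_n.

def gcd(a: int, b: int) -> int:
    """Euclid's algorithm: replace (a, b) by (b, a mod b) until the remainder is 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a

def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (d, x, y) with d = (a, b) >= 0 and a*x + b*y = d.

    The invariant old_r = a*old_x + b*old_y holds at every step, so the
    coefficients come out of the same division chain that computes d.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                       # normalise the sign of d (and of the coefficients)
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y

def mod_inverse(a: int, n: int) -> Optional[int]:
    """b in Z_n with a*b = 1 mod n, or None when (a, n) != 1 (no inverse exists)."""
    if n < 2:
        raise ValueError("modulus must be >= 2")
    d, x, _ = ext_gcd(a % n, n)
    return x % n if d == 1 else None

def inverse_table(n: int) -> Dict[int, Optional[int]]:
    """Inverse (or None) of every non-zero element of Z_n."""
    return {a: mod_inverse(a, n) for a in range(1, n)}

if __name__ == "__main__":
    print(gcd(-30, 12), ext_gcd(-30, 12))
    print(inverse_table(6))     # only 1 and 5 are invertible, as on the slide
    print(inverse_table(7))     # prime modulus: every non-zero element is invertible
```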

LINEAR EQUATIONS IN Z_n
take the modular equation: a · y = b mod n
where a, b in Z_n are fixed coefficients and y in Z_n is the unknown variable to be found
theorem: there exists a unique solution if and only if a, n are co-prime, i.e. iff a, n share no common factor >= 2, i.e. iff (a, n) = 1
how to find the solution in some cases: later

FERMAT'S LITTLE THEOREM
theorem: take any prime integer p >= 2 and any integer a >= 0; then a^p = a mod p (P. Fermat)
for instance, taken p = 3 (prime):
2^3 = 8 = 2 mod 3
3^3 = 27 = 0 = 3 mod 3
4^3 = 64 = 1 = 4 mod 3

CONSEQUENCES
if p >= 2 is a prime integer, since a^p = a mod p it follows: a^{p-1} = 1 mod p (with the condition that a != 0 mod p)
for instance, taken p = 5 (prime):
2^4 = 16 = 1 mod 5
3^4 = 81 = 1 mod 5
4^4 = 256 = 1 mod 5

SOLVING LINEAR EQUATIONS IN Z_p
linear equations of the form a · y = b mod p (p >= 2 prime), with a, b in Z_p coefficients and y in Z_p the variable, admit the following (unique, mod p) solution:
y = a^{-1} · b = a^{p-2} · b mod p (by Fermat)
since, p being prime, (a, p) = 1
caution: be sure that a mod p != 0!
the same can be done for systems of linear equations (see later)

MODULAR FIELDS

MODULAR FIELDS
we have seen that Z_n (for any n >= 2) is a modular (finite) ring of n elements
to be a (finite) field, Z_n only lacks the inverse elements for multiplication, i.e. the possibility to invert all its non-zero elements
that is, given any a in Z_n, how do I find a' in Z_n such that a · a' = 1 (of course, mod n)?
is it possible to find such an a' for any integer 0 < a < n and any value of n?

MODULAR FIELDS
we know that, given any positive a < n, there exists a positive integer a' such that a · a' = 1 mod n if and only if a, n are co-prime
clearly, if n is a prime integer, every positive integer a < n is co-prime with n
conversely, if n is not a prime integer, there must exist some a < n that is not co-prime with n
theorem: all elements of Z_n (but 0) are invertible if and only if n is a prime integer
pay attention: if n is not a prime integer, a few elements of Z_n may be invertible, but not all of them

MODULAR INVERSION
given any prime integer p >= 2 (Fermat): a^p = a mod p, hence a^{p-1} = 1 mod p (with the condition that a != 0 mod p)
let us go on with the idea: a^{p-2} = a^{-1} mod p (still with the condition that a != 0 mod p)
that is, a^{p-2} behaves as the multiplicative inverse element of a (if p is prime!)

INVERSION - EXAMPLES
for instance, taken p = 5 (prime), and knowing that p - 2 = 3, one has:
1^3 = 1 mod 5 and 1 · 1 = 1 mod 5
2^3 = 3 mod 5 and 2 · 3 = 1 mod 5
3^3 = 2 mod 5 and 3 · 2 = 1 mod 5
4^3 = 4 mod 5 and 4 · 4 = 1 mod 5
5^3 = 0 mod 5: no inverse (since 5 = 0 mod 5)
6^3 = 1 mod 5 and 6 · 1 = 1 mod 5 (the behaviour is periodic)

INVERSION - THAT IS
taken p = 5 (prime) one has:
1^{-1} = 1 mod 5
2^{-1} = 3 mod 5
3^{-1} = 2 mod 5
4^{-1} = 4 mod 5
while 0 has no inverse, of course
note that for each element of Z_5 (but 0) we have found an inverse

MODULAR FIELD F_p (or GF(p))
every (finite) modular ring Z_n such that n >= 2 is a prime integer can be turned into a (finite) field
simply add inversion to it, and compute the inverse using Fermat's little theorem
such a field is denoted F_p (or also Galois Field of order p, GF(p)); a different field for every prime p

MODULAR FIELD F_p (or GF(p))
given a prime integer p >= 2: F_p = <{0, 1, 2, ..., p - 1}, +, ·, 0, 1>
is called the modular (Galois) field of order p, or GF(p), provided that, for every a, b in F_p:
a + b is computed mod p
a · b is computed mod p
-a = p - a, so that a + (-a) = p = 0 mod p
a^{-1} = a^{p-2} (for a != 0), so that a · a^{-1} = a · a^{p-2} = a^{p-1} = 1 mod p
F_p is finite and contains exactly p elements

LINEAR EQUATIONS IN F_p
given a prime integer p >= 2, take the modular linear equation: a · y = b mod p
where a, b in F_p are fixed coefficients (a != 0) and y in F_p is the unknown variable to be found
the unique solution (mod p) is: y = a^{-1} · b mod p
for instance, given p = 7 (prime): 5 · y = 3 mod 7
y = 5^{-1} · 3 = 5^5 · 3 = 3125 · 3 = 9375 = 2 mod 7
and actually 5 · 2 = 10 = 3 mod 7

LINEAR SYSTEMS IN F_p
given a prime integer p >= 2, take the system of modular linear equations: A · Y = B mod p
where:
A in [F_p]^{m,m} is a square matrix of order m >= 2 of fixed coefficients in F_p
B in [F_p]^m is a vector of order m >= 2 of constant terms in F_p
Y in [F_p]^m is the vector of the unknown variables to be found in F_p

LINEAR SYSTEMS IN $\mathbb{F}_p$
the above system of linear equations admits a unique solution (mod $p$) iff $\det(A) \ne 0 \pmod p$
in this case ($\det(A) \ne 0$), the solution is:
$Y = A^{-1} \cdot B \pmod p$
the determinant $\det(A)$, the matrix inverse $A^{-1}$ and the matrix-vector product $A^{-1} \cdot B$ are computed as usual, remembering to take all the operations mod $p$ over their entries
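As an added example (not from the slides), the following Python code computes inverses in $\mathbb{F}_p$ with Fermat's little theorem and solves a linear system $A \cdot Y = B \pmod p$ by Gauss-Jordan elimination, which yields $\det(A) \bmod p$ as a by-product; the sample matrices are constructed for illustration.

```python
# Added example (not from the slides): arithmetic in F_p with Fermat inversion
# and the solution of a modular linear system A*Y = B (mod p) by Gauss-Jordan
# elimination, which also yields det(A) mod p.  Sample matrices are constructed.

def mod_inv(a, p):
    """Inverse of a in F_p via Fermat's little theorem: a^(p-2) mod p."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    return pow(a, p - 2, p)

def solve_linear_mod_p(A, B, p):
    """Solve A*Y = B mod p (A square, p prime).

    Returns (det_mod_p, Y).  Y is None when det(A) = 0 mod p, i.e. when
    the system has no unique solution in F_p."""
    m = len(A)
    # augmented matrix [A | B], every entry reduced mod p
    M = [[a % p for a in row] + [b % p] for row, b in zip(A, B)]
    det = 1
    for col in range(m):
        # pick a nonzero pivot in this column (any nonzero entry is invertible)
        pivot = next((r for r in range(col, m) if M[r][col] != 0), None)
        if pivot is None:
            return 0, None
        if pivot != col:
            M[col], M[pivot] = M[pivot], M[col]
            det = (-det) % p           # a row swap flips the sign of det
        det = det * M[col][col] % p    # det is the product of the pivots
        inv = mod_inv(M[col][col], p)
        M[col] = [v * inv % p for v in M[col]]   # normalise pivot row to 1
        for r in range(m):             # eliminate the column everywhere else
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [(vr - f * vc) % p for vr, vc in zip(M[r], M[col])]
    return det, [M[r][m] for r in range(m)]

def matvec_mod_p(A, Y, p):
    """A*Y mod p, used to verify a solution."""
    return [sum(a * y for a, y in zip(row, Y)) % p for row in A]

if __name__ == "__main__":
    # the slides' single equation 5*y = 3 (mod 7): y = 5^(7-2) * 3 = 2
    print(mod_inv(5, 7) * 3 % 7)                       # 2
    # constructed 2x2 system over F_7
    A, B = [[2, 3], [1, 4]], [1, 5]
    det, Y = solve_linear_mod_p(A, B, 7)
    print(det, Y, matvec_mod_p(A, Y, 7))               # 5 [2, 6] [1, 5]
    # constructed singular system: det = 0, no unique solution
    print(solve_linear_mod_p([[1, 2], [2, 4]], [1, 2], 7))   # (0, None)
```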

THE BINARY FIELD

THE BINARY FIELD $\mathbb{F}_2$ (or GF(2))
when $p = 2$ (the smallest prime, excluding 1):
$\mathbb{F}_2 = \langle \{0, 1\}, +, \cdot, 0, 1 \rangle$
this is a well-known structure, since:
addition: $0 + 0 = 0$, $0 + 1 = 1$, $1 + 0 = 1$, $1 + 1 = 2 = 0$ (XOR gate)
multiplication: $0 \cdot 0 = 0$, $0 \cdot 1 = 0$, $1 \cdot 0 = 0$, $1 \cdot 1 = 1$ (AND gate)
negation: $-0 = 2 - 0 = 2 = 0$, $-1 = 2 - 1 = 1$ (identity)
inversion: $1^{-1} = 1$ (identity)

THE BINARY FIELD $\mathbb{F}_2$ (or GF(2))
in $\mathbb{F}_2$ addition and subtraction coincide! observe in fact:
$0 + 0 = 0$ and $0 - 0 = 0 + (-0) = 0 + 0 = 0$
$0 + 1 = 1$ and $0 - 1 = 0 + (-1) = 0 + 1 = 1$
$1 + 0 = 1$ and $1 - 0 = 1 + (-0) = 1 + 0 = 1$
$1 + 1 = 0$ and $1 - 1 = 1 + (-1) = 1 + 1 = 0$
XOR gate on the left, still the XOR gate on the right
do not extend this feature to $p > 2$!

THE BINARY FIELD $\mathbb{F}_2$ (or GF(2))
the field $\mathbb{F}_2$ (or GF(2)) is also called the binary field, and is the simplest one
its hardware counterparts are the XOR and AND gates
it is the natural field in which to compute arithmetic (most arithmetic circuits are formed by XOR and AND gates only)

POLYNOMIALS

POLYNOMIALS
everybody knows univariate polynomials (i.e., containing a single variable $x$) with integer coefficients:
$C(x) = c_m x^m + c_{m-1} x^{m-1} + \cdots + c_1 x + c_0$, where $c_i \in \mathbb{Z}$ for every $0 \le i \le m$
the integer $m \ge 0$ is the degree of $C(x)$
here, we are interested in polynomials not as functions of the variable $x$, but as objects that can be manipulated in various ways

POLYNOMIALS
the set of all the polynomials (of any degree) with integer coefficients is denoted $\mathbb{Z}[x]$
polynomials in $\mathbb{Z}[x]$ can be added, subtracted and multiplied; they form a commutative ring with unity (the ring $\mathbb{Z}[x]$ is infinite):
$\mathbb{Z}[x] = \langle \mathbb{Z}[x], +, \cdot, 0, 1 \rangle$
in general, however, there is no multiplicative inverse element, i.e. given any polynomial $P(x) \in \mathbb{Z}[x]$ it is not possible to find $P'(x) \in \mathbb{Z}[x]$ such that $P(x) \cdot P'(x) = 1$

POLYNOMIAL DIVISION
given any two polynomials $P(x), D(x) \in \mathbb{Z}[x]$, there exist two unique polynomials $Q(x), R(x) \in \mathbb{Q}[x]$ (with rational coefficients) such that:
$P(x) = Q(x) \cdot D(x) + R(x)$, with $\deg(R(x)) < \deg(D(x))$
$Q(x)$ is the quotient, $R(x)$ is the remainder
this property resembles integer division, but note that $Q(x), R(x)$ have rational coefficients, i.e., in general the coefficients are not integers
the algorithm for finding $R(x)$ is well-known

EXAMPLE OF DIVISION IN $\mathbb{Z}[x]$
take $x^4 + 2x^3 - 1$ and $x^2 + 3$ in $\mathbb{Z}[x]$; long division of $x^4 + 2x^3 + 0x^2 + 0x - 1$ by $x^2 + 3$:
first quotient term $x^2$: subtract $x^4 + 3x^2$, leaving $2x^3 - 3x^2 + 0x - 1$
second quotient term $2x$: subtract $2x^3 + 6x$, leaving $-3x^2 - 6x - 1$
third quotient term $-3$: subtract $-3x^2 - 9$, leaving $-6x + 8$ (end: the degree is below that of the divisor)
quotient: $x^2 + 2x - 3$; remainder: $-6x + 8$
in this special case there is no need of rational numbers (because the most significant coefficient of the divisor $x^2 + 3$ is 1!)
verify: $(x^2 + 2x - 3) \cdot (x^2 + 3) + (-6x + 8) = x^4 + 3x^2 + 2x^3 + 6x - 3x^2 - 9 - 6x + 8 = x^4 + 2x^3 - 1$, as it is expected to be

POLYNOMIALS OVER MODULAR RINGS AND FIELDS

POLYNOMIALS OVER RINGS
restrict the set of the coefficients of polynomials to the modular ring $\mathbb{Z}_n$ (for a fixed $n \ge 2$)
such polynomials can be added, subtracted and multiplied mod $n$, in the obvious way:
$\mathbb{Z}_n[x] = \langle \mathbb{Z}_n[x], + \bmod n, \cdot \bmod n, 0, 1 \rangle$
but in general it is not possible to find multiplicative inverse elements
the structure $\mathbb{Z}_n[x]$ is still an infinite commutative ring with unity, as is $\mathbb{Z}[x]$
(sample additions and multiplications are given later)

POLYNOMIALS OVER FIELDS
restrict the set of the coefficients of polynomials to the finite field $\mathbb{F}_p$ (for a fixed prime $p \ge 2$)
such polynomials can be added, subtracted and multiplied mod $p$, in the obvious way:
$\mathbb{F}_p[x] = \langle \mathbb{F}_p[x], + \bmod p, \cdot \bmod p, 0, 1 \rangle$
but in general it is not possible to find multiplicative inverse elements
the structure $\mathbb{F}_p[x]$ is still an infinite commutative ring with unity, as are $\mathbb{Z}[x]$ and $\mathbb{Z}_n[x]$

POLYNOMIAL DIVISION IN $\mathbb{F}_p[x]$
given any two polynomials $P(x), D(x) \in \mathbb{F}_p[x]$, there exist two unique polynomials $Q(x), R(x) \in \mathbb{F}_p[x]$ such that:
$P(x) = Q(x) \cdot D(x) + R(x)$, with $\deg(R(x)) < \deg(D(x))$
$Q(x)$ is the quotient, $R(x)$ is the remainder
this property resembles integer division; note that $Q(x), R(x)$ have coefficients in $\mathbb{F}_p$!
the algorithm for finding $Q(x), R(x)$ is well-known (the same as for the polynomials in $\mathbb{Z}[x]$)

EXAMPLE OF DIVISION IN $\mathbb{F}_3[x]$
take $x^4 + 2x^3 + 1$ and $2x^2 + 1$ in $\mathbb{F}_3[x]$; long division of $x^4 + 2x^3 + 0x^2 + 0x + 1$ by $2x^2 + 1$ (all coefficients mod 3):
first quotient term $2x^2$ (since $1 \cdot 2^{-1} = 2$): subtract $2x^2 \cdot (2x^2 + 1) = x^4 + 2x^2$, leaving $2x^3 + x^2 + 0x + 1$
second quotient term $x$: subtract $x \cdot (2x^2 + 1) = 2x^3 + x$, leaving $x^2 + 2x + 1$
third quotient term $2$: subtract $2 \cdot (2x^2 + 1) = x^2 + 2$, leaving $2x + 2$ (end)
quotient: $2x^2 + x + 2$; remainder: $2x + 2$
pay attention to: $-1 = 2$, $-2 = 1$, $2^{-1} = 2 \pmod 3$
verify (remember also that $4 = 1$, $6 = 0$, $3 = 0 \pmod 3$):
$(2x^2 + x + 2) \cdot (2x^2 + 1) + (2x + 2) = 4x^4 + 2x^2 + 2x^3 + x + 4x^2 + 2 + 2x + 2 = 4x^4 + 2x^3 + 6x^2 + 3x + 4 = x^4 + 2x^3 + 0x^2 + 0x + 1 = x^4 + 2x^3 + 1 \pmod 3$

POLYNOMIAL MODULAR CONGRUENCE
given any polynomials $P(x), D(x)$ (in $\mathbb{Z}[x]$, or $\mathbb{Z}_n[x]$, or $\mathbb{F}_p[x]$), write:
$P(x) \bmod D(x) = R(x)$, with $R(x)$ the remainder of $P(x) / D(x)$
$D(x)$ is the modulus
congruence: $P(x) \equiv Q(x) \pmod{D(x)}$ iff $P(x) \bmod D(x) = Q(x) \bmod D(x)$

PROPERTIES OF POLYNOMIAL MODULAR CONGRUENCE
the operator mod commutes with addition:
$(P(x) + Q(x)) \bmod D(x) = ((P(x) \bmod D(x)) + (Q(x) \bmod D(x))) \bmod D(x)$
the same holds for subtraction:
$(P(x) - Q(x)) \bmod D(x) = ((P(x) \bmod D(x)) - (Q(x) \bmod D(x))) \bmod D(x)$
same properties as mod $n$: modular reduction by a polynomial $D(x)$ is defined as modular reduction by an integer $n$

POLYNOMIAL MOD COMPUTATION
in particular, taking mod $D(x)$ is equivalent to assuming that $D(x) = 0$ (remember $n = 0 \pmod n$!)
for instance (in $\mathbb{Z}[x]$), see immediately that:
$x^3 + 2x + 5 = 2x + 7 \pmod{x^3 - 2}$
because: $x^3 - 2 = 0 \Rightarrow x^3 = 2$, and: $x^3 + 2x + 5 = 2 + 2x + 5 = 2x + 7$
verify by dividing: $(x^3 + 2x + 5) \bmod (x^3 - 2)$!

POLYNOMIALS OVER THE BINARY FIELD $\mathbb{F}_2$ (GF(2))

POLYNOMIALS OVER $\mathbb{F}_2$ (GF(2))
when the field of the coefficients is $\mathbb{F}_2$ (or GF(2)), things become very simple:
a coefficient is either 0 or 1 (i.e., a bit)
a power $x^i$ is either present (coefficient 1, usually not written) or absent (coefficient 0)
a polynomial in $\mathbb{F}_2[x]$ is nothing but a list of powers of $x$

EXAMPLES OF OPERATIONS IN $\mathbb{F}_2[x]$
let $A(x), B(x) \in \mathbb{F}_2[x]$, with $A(x) = x^2 + x + 1$ and $B(x) = x^3 + x$; then:
$A(x) + B(x) = (x^2 + x + 1) + (x^3 + x) = x^3 + x^2 + x + x + 1 = x^3 + x^2 + (1 + 1)x + 1 = x^3 + x^2 + 0x + 1 = x^3 + x^2 + 1$
$A(x) \cdot B(x) = (x^2 + x + 1) \cdot (x^3 + x) = x^5 + x^4 + x^3 + x^3 + x^2 + x = x^5 + x^4 + x^2 + x$
pay attention to: $1 + 1 = 0$! in general: $1 + 1 + \cdots + 1$ (an even number of times) $= 0$!

EXAMPLES OF OPERATIONS IN $\mathbb{F}_2[x]$
sometimes peculiarities may occur:
$(x + 1)^2 = (x + 1)(x + 1) = x^2 + x + x + 1 = x^2 + 1$ (different from ordinary algebra)
$(x + 1)^3 = (x + 1)(x + 1)(x + 1) = x^3 + x^2 + x^2 + x^2 + x + x + x + 1 = x^3 + x^2 + x + 1$ (different from ordinary algebra)
can you infer the general rule?

POLYNOMIAL DIVISION IN $\mathbb{F}_2[x]$
take $x^4 + x^3 + 1$ and $x^2 + 1$ in $\mathbb{F}_2[x]$; long division of $x^4 + x^3 + 0x^2 + 0x + 1$ by $x^2 + 1$:
first quotient term $x^2$: subtract $x^4 + x^2$, leaving $x^3 + x^2 + 0x + 1$
second quotient term $x$: subtract $x^3 + x$, leaving $x^2 + x + 1$
third quotient term $1$: subtract $x^2 + 1$, leaving $x$ (end)
quotient: $x^2 + x + 1$; remainder: $x$
pay attention to: $-1 = 1 \pmod 2$, i.e. addition and subtraction coincide
verify: $(x^2 + x + 1) \cdot (x^2 + 1) + x = x^4 + x^2 + x^3 + x + x^2 + 1 + x = x^4 + x^3 + 1 \pmod 2$, as it is expected to be
hence we can write: $x^4 + x^3 + 1 = x \pmod{x^2 + 1}$

POLYNOMIAL REDUCTION IN $\mathbb{F}_2[x]$
computing the remainder of the polynomial division of $F(x)$ by $G(x)$ is like setting $G(x) = 0$ and replacing in $F(x)$
from the previous slide: $G(x) = x^2 + 1$, hence $G(x) = 0 \Rightarrow x^2 + 1 = 0 \Rightarrow x^2 = 1$
replacing in $F(x) = x^4 + x^3 + 1$ yields:
$x^4 + x^3 + 1 = (x^2)^2 + x \cdot x^2 + 1 = 1^2 + x \cdot 1 + 1 = 1 + x + 1 = x$
hence we have: $x^4 + x^3 + 1 = x \pmod{x^2 + 1}$, as seen before by performing a full division
but reduction DOES NOT REALLY REQUIRE COMPUTING A FULL DIVISION (since we are not interested in the quotient, but only in the remainder)

POLYNOMIALS OVER $\mathbb{F}_2$
a polynomial in $\mathbb{F}_2[x]$ can be identified with a string of bits; for instance:
$x^5 + x^4 + x^2 + 1 \leftrightarrow 110101$ (degree 5 $\leftrightarrow$ 6 bits)
in general: $F(x) \leftrightarrow$ string of $n + 1$ bits (supposing $F(x)$ is of degree $n$)
for a given $n$, how many different polynomials of degree at most $n$ are there? answer: $2^{n+1}$ (one per string of $n + 1$ bits)

IRREDUCIBLE POLYNOMIALS

IRREDUCIBLE POLYNOMIALS
a polynomial of degree $m \ge 2$ is said to be irreducible if it cannot be factored into two or more polynomials of lower degree
$A(x)$ is irreducible if there do not exist any two polynomials $B(x), C(x)$ (not reducing to pure constant terms) such that $A(x) = B(x) \cdot C(x)$
for every degree, there exist irreducible polynomials in $\mathbb{Z}[x]$, $\mathbb{Z}_n[x]$ and $\mathbb{F}_p[x]$, for any integer $n$ and prime integer $p$

IRREDUCIBLE POLYNOMIALS
in $\mathbb{F}_2[x]$:
$x$ and $x + 1$ are irreducible by definition
is $x^2 + x$ irreducible? no, because $x^2 + x = x \cdot (x + 1)$
is $x^2 + 1$ irreducible? no, because $x^2 + 1 = (x + 1) \cdot (x + 1)$
is $x^2 + x + 1$ irreducible? yes, but why?

RUFFINI RULE
a polynomial $F(x)$ admits the linear factor $(x - a)$ iff $a$ is a root of $F(x)$
for the polynomials over $\mathbb{F}_2$ (or GF(2)): $F(x)$ admits the factor $(x - 1)$, which coincides with $(x + 1)$, iff 1 is a root of $F(x)$
hence, replace $x$ in $F(x)$ with 1 and see if $F(1) = 0$; if so, $F(x) = F'(x) \cdot (x + 1)$
in practice, just count the terms of $F(x)$ ($F(1)$ is the number of terms, taken mod 2)

USE OF RUFFINI RULE
Ruffini rule gives an easy way of checking whether a polynomial $F(x) \in \mathbb{F}_2[x]$ admits the linear factor $(x + 1)$
does $x^2 + x + 1$ admit the factor $(x + 1)$? no, since it has 3 terms (and 3 is odd)
does moreover $x^2 + x + 1$ admit the factor $x$? no, since it contains the constant term $+1$
since the only linear factors in $\mathbb{F}_2[x]$ are $(x + 1)$ and $x$, and an $F(x)$ of degree 2 can only be split into linear factors, $x^2 + x + 1$ is irreducible
of course, Ruffini rule works also in $\mathbb{F}_p[x]$

BINARY EXTENSION FIELDS

MOVING TOWARDS FIELDS
remember that $\mathbb{F}_2[x]$ is not a polynomial field (there are no multiplicative inverse elements, in general)
how to make it into a polynomial field? the answer is contained in irreducible polynomials

THE EXTENSION FIELD GF($2^n$)
select an irreducible polynomial $G(x) \in \mathbb{F}_2[x]$ of degree $n$; $G(x)$ is called generator polynomial
the extension field GF($2^n$) (for $n \ge 2$) is:
$\mathrm{GF}(2^n) = \langle \mathbb{F}_2[x]_n, +, \cdot, 0, 1 \rangle$
where: $\mathbb{F}_2[x]_n$ is the set of all the polynomials over $\mathbb{F}_2$ of degree under $n$, and $+$, $\cdot$ are the polynomial addition and multiplication modulo the selected (and fixed) polynomial $G(x)$
$G(x)$ is the generator polynomial of GF($2^n$)

THE EXTENSION FIELD GF($2^n$)
fixed a generator $G(x)$ of degree $n$, take $A(x), B(x) \in \mathrm{GF}(2^n)$ and compute addition and multiplication as follows:
$A(x) + B(x) \bmod G(x)$, and similarly for subtraction
$A(x) \cdot B(x) \bmod G(x)$
always take the result mod $G(x)$

EXAMPLE IN GF($2^2$)
the elements of GF($2^n$) with $n = 2$ (i.e. GF($2^2$)) are all the polynomials in $\mathbb{F}_2[x]$ of degree under $n = 2$, i.e. of degree 0 or 1:
$0, 1$ (degree 0)
$x, x + 1$ (degree 1)
then GF($2^2$) contains $2^2 = 4$ elements
this is, in some sense, the simplest possible field of polynomials

EXAMPLE IN GF($2^2$)
fix the generator polynomial $G(x) = x^2 + x + 1$ (degree $n = 2$, irreducible):
$(x + 1) + x = 1 \pmod{G(x)}$
$(x + 1)^2 = x^2 + 1 = x + 1 + 1 = x \pmod{G(x)}$
remember in fact that taking mod $G(x)$ is equivalent to setting $G(x) = 0$, hence: $x^2 + x + 1 = 0 \Rightarrow x^2 = x + 1$, and replacing $x^2$ in $x^2 + 1$ yields $x$

EXAMPLE IN GF($2^3$)
the elements of GF($2^3$) are all the polynomials in $\mathbb{F}_2[x]$ of degree under $n = 3$, i.e. of degree 0, 1 or 2:
$0, 1$ (degree 0)
$x, x + 1$ (degree 1)
$x^2, x^2 + 1, x^2 + x, x^2 + x + 1$ (degree 2)
then GF($2^3$) contains $2^3 = 8$ elements
in general, GF($2^n$) contains $2^n$ elements

EXAMPLE IN GF($2^3$)
fix the generator $G(x) = x^3 + x^2 + 1$ (degree $n = 3$, irreducible); it holds: $x^3 + x^2 + 1 = 0$, i.e., $x^3 = x^2 + 1$
$(x + 1)^3 = x^3 + x^2 + x + 1 = x^2 + 1 + x^2 + x + 1 = x \pmod{G(x)}$
$(x^2 + 1) \cdot (x^2 + x + 1) = x^4 + x^3 + x^2 + x^2 + x + 1 = x^4 + x^3 + x + 1 = x \cdot x^3 + x^3 + x + 1 = x(x^2 + 1) + x^2 + 1 + x + 1 = x^3 + x + x^2 + x = x^3 + x^2 = x^2 + 1 + x^2 = 1 \pmod{G(x)}$
note that: $x^2 + x + 1 = (x^2 + 1)^{-1} \pmod{G(x)}$

FINITENESS OF GF($2^n$)
the elements of GF($2^n$) (with $n \ge 2$) are all the polynomials of $\mathbb{F}_2[x]$ of degree under $n$ (i.e. of degree $n-1, n-2, \ldots, 1, 0$)
then they can be identified with the strings of bits of length exactly $n$; there are $2^n$ such strings
the field GF($2^n$) is finite and its cardinality is $2^n$ elements (which are polynomials)

HOW TO FIND THE INVERSE
we have not yet spoken of multiplicative inverse elements in GF($2^n$), but it is necessary to have inverse elements for GF($2^n$) to be a field
inverse elements can be found in GF($2^n$) using the generalisation of Fermat's little theorem

FERMAT'S LITTLE THEOREM
take an irreducible generator polynomial $G(x)$ of degree $n \ge 2$ and any polynomial $F(x) \in \mathrm{GF}(2^n)$; pose $k = 2^n$; then:
$F(x)^k = F(x) \pmod{G(x)}$ (generalisation of Fermat's little theorem)
for instance, take $G(x) = x^2 + x + 1$ (of degree $n = 2$, irreducible); it holds $k = 2^2 = 4$ and hence:
$(x + 1)^4 = ((x + 1)^2)^2 = (x^2 + 1)^2 = (x + 1 + 1)^2 = x^2 = x + 1 \pmod{G(x)}$, as it is expected to be

CONSEQUENCES
if the generator $G(x)$ is an irreducible polynomial of degree $n \ge 2$ and $k = 2^n$:
since $F(x)^k = F(x) \pmod{G(x)}$, it follows that $F(x)^{k-1} = 1 \pmod{G(x)}$, and also $F(x)^{k-2} = F(x)^{-1} \pmod{G(x)}$ (with the condition that $F(x) \ne 0 \pmod{G(x)}$)
therefore $F(x)^{k-2}$ is the multiplicative inverse element of $F(x)$ (mod $G(x)$)

INVERSION EXAMPLE
take the generator $G(x) = x^2 + x + 1$ (of degree $n = 2$, irreducible); it holds $k = 2^2 = 4$, and hence:
$(x + 1)^{4-2} = (x + 1)^2 = x^2 + 1 = x + 1 + 1 = x \pmod{G(x)}$
and in fact: $(x + 1) \cdot x = x^2 + x = x + 1 + x = 1 \pmod{G(x)}$
this means that $x$ is the inverse element of $(x + 1)$ (of course, mod $G(x)$)

MULTIPLICATIVE GENERATORS
the monomial $x$ is a multiplicative generator for binary extension fields; for instance, with $G(x) = x^2 + x + 1$ (irreducible):
$x^0 \bmod G(x) = 1$
$x^1 \bmod G(x) = x$
$x^2 \bmod G(x) = x + 1$
(these are all the elements of GF($2^2$), excluding 0)
$x^3 \bmod G(x) = x \cdot x^2 \bmod G(x) = x \cdot (x + 1) \bmod G(x) = x^2 + x = x + 1 + x = 1$ (periodic)
the same holds for GF($p^n$)

FIELD GF($2^n$) IN SUMMARY
given an irreducible generator polynomial $G(x)$ of degree $n \ge 2$, the algebraic structure:
$\mathrm{GF}(2^n) = \langle \mathbb{F}_2[x]_n, +, \cdot, 0, 1 \rangle$
is a finite field of $2^n$ elements
the elements of GF($2^n$) are polynomials with coefficients over GF(2) (or $\mathbb{F}_2$); all the operations are computed mod $G(x)$
multiplicative inverses exist for all the elements of GF($2^n$) (but for 0), and can be found by Fermat's little theorem

MODULAR EXTENSION FIELDS

POLYNOMIALS OVER $\mathbb{F}_p$ (GF(p))
consider polynomials with coefficients over $\mathbb{F}_p$ (also called GF(p)), for a fixed prime integer $p \ge 2$
a coefficient can be: $0, 1, 2, \ldots, p - 1$
then a polynomial in $\mathbb{F}_p[x]$ is a list of powers of $x$, with coefficients as above
example: $x^2 + 2x + 1$ (for $p = 3$, prime)

POLYNOMIALS OVER $\mathbb{F}_p$: EXAMPLES
for the prime $p = 3$:
$(x + 1) + (x^2 + 2x + 1) = x + 1 + x^2 + 2x + 1 = x^2 + 3x + 2 = x^2 + 2$, since $3 = 0 \pmod 3$
for the prime $p = 5$:
$(x^2 + 3) \cdot (x^3 + 2x + 4) = x^5 + 2x^3 + 4x^2 + 3x^3 + 6x + 12 = x^5 + 5x^3 + 4x^2 + 6x + 12 = x^5 + 4x^2 + x + 2$, since $5 = 0$, $6 = 1$ and $12 = 2 \pmod 5$

THE EXTENSION FIELD GF($p^n$)
the ideas for building modular fields $\mathbb{F}_p$ ($p \ge 2$ prime) and binary extension fields $\mathbb{F}_2[x]_n$ ($n \ge 2$) can be combined
the result is the family of modular extension fields $\mathbb{F}_p[x]_n$ ($p, n \ge 2$, $p$ a prime integer)
the fields $\mathbb{F}_p[x]_n$ are also denoted GF($p^n$) (Galois Fields of order $p^n$, $p$ prime)

THE EXTENSION FIELD GF($p^n$)
take an irreducible generator polynomial $G(x) \in \mathbb{F}_p[x]$, for a prime integer $p \ge 2$, of degree $n \ge 2$; the algebraic structure:
$\mathrm{GF}(p^n) = \langle \mathbb{F}_p[x]_n, +, \cdot, 0, 1 \rangle$
is a finite field of $p^n$ elements
the elements of GF($p^n$) are polynomials with coefficients over GF(p) (or $\mathbb{F}_p$); all the operations are computed mod $G(x)$
the field GF($p^n$) contains $p^n$ elements

FERMAT'S LITTLE THEOREM
take an irreducible generator polynomial $G(x) \in \mathbb{F}_p[x]$, for a prime $p \ge 2$, of degree $n \ge 2$, and take any polynomial $F(x) \in \mathrm{GF}(p^n)$; pose $k = p^n$; then:
$F(x)^k = F(x) \pmod{G(x)}$ (generalisation of Fermat's little theorem)
hence it follows (as in the previous cases):
$F(x)^{k-1} = 1 \pmod{G(x)}$
$F(x)^{k-2} = F(x)^{-1} \pmod{G(x)}$ (inverse!)
(with the condition that $F(x) \ne 0 \pmod{G(x)}$)

FIELD EXAMPLE GF($3^2$)
fix $p = 3$ (prime) and $n = 2$; the elements of GF(3) are: $0, 1, 2$
the elements of GF($3^2$) are:
$0, 1, 2$ (degree 0, 3 polynomials)
$x, 2x, x + 1, x + 2, 2x + 1, 2x + 2$ (degree 1, 6 polynomials)
there are $k = 3^2 = 9$ elements in GF($3^2$)
take the generator $G(x) = x^2 + 1$; in GF(3) the polynomial $G(x)$ is irreducible: were it not so, $G(x)$ would split into two linear factors of the type $(x + a)$, with $a = 0, 1$ or $2$, but none of the $a$'s is a root of $G(x)$

INVERSION EXAMPLE IN GF($3^2$)
remember that: $G(x) = 0 \Rightarrow x^2 + 1 = 0 \Rightarrow x^2 = -1 = 2$, as $-1 = 2 \pmod 3$
to compute an inverse element:
$(2x + 1)^{-1} = (2x + 1)^{9-2} = (2x + 1)^7 = (2x + 1)^6 \cdot (2x + 1) = ((2x + 1)^2)^3 \cdot (2x + 1) = (4x^2 + 4x + 1)^3 \cdot (2x + 1) = (x^2 + x + 1)^3 \cdot (2x + 1) = (2 + x + 1)^3 \cdot (2x + 1) = (x + 3)^3 \cdot (2x + 1) = x^3 \cdot (2x + 1) = x^2 \cdot x \cdot (2x + 1) = 2x \cdot (2x + 1) = 4x^2 + 2x = x^2 + 2x = 2x + 2 \pmod{G(x)}$
and in fact: $(2x + 1)(2x + 2) = 4x^2 + 4x + 2x + 2 = 4x^2 + 6x + 2 = x^2 + 2 = 2 + 2 = 4 = 1 \pmod{G(x)}$, as it is expected to be
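As an added example (not from the slides) serving both the polynomial division in $\mathbb{F}_p[x]$ of the earlier slides and the inversion in GF($3^2$) above: Python code for long division over $\mathbb{F}_p$ and for multiplication and Fermat inversion in GF($p^n$) modulo a generator $G(x)$; polynomials are coefficient lists, lowest degree first, a representation chosen here for illustration.

```python
# Added example (not from the slides): polynomials over F_p as coefficient lists
# (index i = coefficient of x^i), long division with quotient and remainder, and
# GF(p^n) arithmetic mod a generator G(x) with inversion by F^(p^n - 2).

def trim(c):
    """Drop leading zero coefficients in place; the zero polynomial is []."""
    while c and c[-1] == 0:
        c.pop()
    return c

def poly_add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def poly_divmod(P, D, p):
    """Quotient Q and remainder R in F_p[x] with P = Q*D + R, deg R < deg D.
    Works for any nonzero D because its leading coefficient is invertible mod p."""
    P = trim([c % p for c in P])
    D = trim([c % p for c in D])
    if not D:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(D[-1], p - 2, p)          # Fermat inverse of the leading coeff.
    R = P[:]
    Q = [0] * max(len(P) - len(D) + 1, 1)
    while R and len(R) >= len(D):
        shift = len(R) - len(D)              # degree of the next quotient term
        coef = R[-1] * inv_lead % p
        Q[shift] = coef
        for i, d in enumerate(D):            # subtract coef * x^shift * D(x)
            R[i + shift] = (R[i + shift] - coef * d) % p
        trim(R)                              # the leading term is now zero
    return trim(Q), R

def gf_mul(a, b, G, p):
    """a(x)*b(x) mod G(x) in GF(p^n), n = deg G."""
    return poly_divmod(poly_mul(a, b, p), G, p)[1]

def gf_pow(a, e, G, p):
    result, base = [1], poly_divmod(a, G, p)[1]
    while e:
        if e & 1:
            result = gf_mul(result, base, G, p)
        base = gf_mul(base, base, G, p)
        e >>= 1
    return result

def gf_inv(a, G, p):
    """Inverse in GF(p^n) via the generalised Fermat theorem: a^(p^n - 2)."""
    n = len(trim(list(G))) - 1
    if not poly_divmod(a, G, p)[1]:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, p ** n - 2, G, p)

if __name__ == "__main__":
    # the slides' division in F_3[x]: (x^4 + 2x^3 + 1) / (2x^2 + 1)
    Q, R = poly_divmod([1, 0, 0, 2, 1], [1, 0, 2], 3)
    print(Q, R)                                        # [2, 1, 2] [2, 2]
    print(poly_add(poly_mul(Q, [1, 0, 2], 3), R, 3))   # [1, 0, 0, 2, 1]
    # the slides' inversion in GF(3^2) with G(x) = x^2 + 1: (2x+1)^-1 = 2x+2
    print(gf_inv([1, 2], [1, 0, 1], 3))                # [2, 2]
```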

COMPOSITE GALOIS FIELDS
suppose GF($p^h$) is a modular extension field, the elements of which consist of polynomials of degree under $h$ with coefficients that are integers mod $p$
construct a new, larger modular extension field, using the elements of GF($p^h$) as coefficients of new polynomials of degree under $k$
this new field is $\mathrm{GF}(\mathrm{GF}(p^h)^k) = \mathrm{GF}(p^{hk})$, and is called a composite (Galois) field
the elements of GF($p^{hk}$) are polynomials, the coefficients of which are themselves polynomials (the coefficients of the latter ones are integers mod $p$)

COMPOSITE GALOIS FIELDS
dually: let GF($p^m$) be a modular extension field; it can be constructed by using polynomials of degree under $m$, with coefficients that are integers mod $p$
but, if $m = hk$ (for $h, k \ge 2$), i.e. if $m$ is decomposable into non-trivial factors, then the field GF($p^m$) can itself be decomposed into two nested fields:
coefficient field GF($p^h$): internal field
complete field $\mathrm{GF}(\mathrm{GF}(p^h)^k) = \mathrm{GF}(p^{hk})$: external field
(the roles of $h, k$ are interchangeable)
this decomposition may be very helpful in the implementations, but does not always apply: if $m$ is itself prime, no decomposition is possible

EXAMPLE COMPOSITE FIELD
take $p = 2$ (binary extension fields) and $G(x) = x^4 + x^3 + 1$ (irreducible, check yourself!)
$G(x)$ generates GF($2^4$), with $2^4 = 16$ elements
but $4 = 2 \cdot 2$, hence $\mathrm{GF}(2^4) = \mathrm{GF}(\mathrm{GF}(2^2)^2)$ (here $h = k = 2$)
construct the two nested fields:
internal field: use the generator $G_1(y) = y^2 + y + 1$ (irreducible over GF(2))
external field: use the generator $G_2(x) = x^2 + y \cdot x + 1$ (irreducible over GF($2^2$))
elements of GF($2^4$): $(a y^1 + b y^0) x^1 + (c y^1 + d y^0) x^0$, with $a, b, c, d \in \{0, 1\}$
of course, interpret $G_2(x)$ as follows: $G_2(x) = (0y + 1) x^2 + (1y + 0) x^1 + (0y + 1) x^0$, since its coefficients are themselves polynomials (use two distinct variables $y$ and $x$ to avoid confusion)
complete yourself (in particular, check that $G_2(x)$ is irreducible over GF($2^2$)); try with the field GF($2^6$)
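As an added example (not from the slides), Python code for the composite field $\mathrm{GF}(\mathrm{GF}(2^2)^2)$ just described: GF($2^2$) elements are 2-bit ints reduced by $G_1(y)$, GF($2^4$) elements are pairs of them reduced by $G_2(x)$, the irreducibility of $G_2(x)$ over GF($2^2$) is checked by the root test, and inverses come from the generalised Fermat theorem with $k = 16$; the encodings are choices made here for illustration.

```python
# Added example (not from the slides): the composite field GF((2^2)^2) of the
# slide above.  GF(2^2) elements are 2-bit ints (bit 1 = y, reduced by
# G1(y) = y^2 + y + 1); GF(2^4) elements are pairs (hi, lo) meaning hi*x + lo
# with hi, lo in GF(2^2), reduced by G2(x) = x^2 + y*x + 1.

Y = 0b10            # the element y of GF(2^2); it is the x-coefficient of G2

def gf4_mul(a, b):
    """Multiply in GF(2^2) = F_2[y] / (y^2 + y + 1)."""
    prod = 0
    if b & 1:
        prod ^= a
    if b & 2:
        prod ^= a << 1
    if prod & 4:            # y^2 = y + 1 (G1(y) = 0)
        prod ^= 0b111
    return prod

def g2_at(r):
    """G2(r) = r^2 + y*r + 1 evaluated at r in GF(2^2)."""
    return gf4_mul(r, r) ^ gf4_mul(Y, r) ^ 1

def g2_is_irreducible():
    """A degree-2 polynomial is irreducible over GF(2^2) iff it has no root there."""
    return all(g2_at(r) != 0 for r in range(4))

def gf16_mul(a, b):
    """(a1*x + a0)(b1*x + b0) mod G2(x), coefficients in GF(2^2)."""
    a1, a0 = a
    b1, b0 = b
    c2 = gf4_mul(a1, b1)    # coefficient of x^2, reduced with x^2 = y*x + 1
    hi = gf4_mul(a1, b0) ^ gf4_mul(a0, b1) ^ gf4_mul(Y, c2)
    lo = gf4_mul(a0, b0) ^ c2
    return (hi, lo)

def gf16_pow(a, e):
    result, base = (0, 1), a
    while e:
        if e & 1:
            result = gf16_mul(result, base)
        base = gf16_mul(base, base)
        e >>= 1
    return result

def gf16_inv(a):
    """Inverse by the generalised Fermat theorem with k = 2^4 = 16: a^14."""
    if a == (0, 0):
        raise ZeroDivisionError("0 has no inverse")
    return gf16_pow(a, 14)

def from_bits(a, b, c, d):
    """The slides' element (a*y + b)*x + (c*y + d) as a pair."""
    return ((a << 1) | b, (c << 1) | d)

def all_nonzero_invertible():
    """Every nonzero element times its inverse must give 1 = (0, 1)."""
    elems = [(hi, lo) for hi in range(4) for lo in range(4) if (hi, lo) != (0, 0)]
    return all(gf16_mul(e, gf16_inv(e)) == (0, 1) for e in elems)

if __name__ == "__main__":
    print(g2_is_irreducible())                 # True
    e = from_bits(1, 0, 0, 1)                  # y*x + 1
    print(gf16_inv(e), gf16_pow(e, 16) == e)   # (2, 2) True, i.e. y*x + y
    print(all_nonzero_invertible())            # True
```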

CONCLUSIONS ON FINITE FIELDS

THE COMPLETION THEOREM
there exist only three families of finite fields:
modular fields: GF($p$) for every prime $p \ge 2$; the elements are $0, 1, \ldots, p - 1$; GF(2) is the simplest case, called binary field
binary extension fields: GF($2^n$) for every integer $n \ge 2$; the elements are the polynomials of degree under $n$ with coefficients 0 or 1
modular extension fields: GF($p^n$) for every prime $p \ge 3$ and integer $n \ge 2$; the elements are the polynomials of degree under $n$ with coefficients $0, 1, \ldots, p - 1$
no other family of finite fields exists

FIELD ISOMORPHISM
two fields $F, F'$ are isomorphic iff there exists a one-to-one function $\theta: F \to F'$ such that, taken the elements $a, b \in F$, it holds:
$\theta(a + b) = \theta(a) + \theta(b)$ and $\theta(-a) = -\theta(a)$
$\theta(a \cdot b) = \theta(a) \cdot \theta(b)$ and $\theta(a^{-1}) = \theta(a)^{-1}$
$\theta(0) = 0$ and $\theta(1) = 1$
in practice, $\theta$ commutes with the field operations
two isomorphic fields must have the same number of elements ($\theta$ is one-to-one)

THE ISOMORPHISM THEOREM
let $F, F'$ be any two extension fields generated by the irreducible polynomials $G'(x), G''(x)$, respectively
theorem: if $F, F'$ are of the same size, they are necessarily isomorphic, i.e. there exists an isomorphism $\theta: F \to F'$
in other terms, each element $f$ of $F$ admits a corresponding element $\theta(f)$ in $F'$, behaving in the same way (and vice versa)

THE ISOMORPHISM THEOREM
the extension fields GF($2^n$) (and GF($p^n$)) DO NOT DEPEND on the chosen irreducible generator polynomial
that is, fixed an integer $n \ge 2$ (and a prime $p \ge 2$), there exists a unique GF($2^n$) (and GF($p^n$))
put another way, if $G'(x), G''(x)$ are both irreducible generators of degree $n$, they are equivalent for building GF($2^n$) (and GF($p^n$))
hence, select $G'(x)$ or $G''(x)$ at will (but do not mix them during the computation, of course)

ISOMORPHISM EXAMPLE
the binary extension field GF($2^3$) (size $2^3 = 8$) can be generated in two different ways:
$G'(x) = x^3 + x^2 + 1$
$G''(x) = x^3 + x + 1$
since both $G'(x)$ and $G''(x)$ are irreducible over GF(2), each of them yields a representation of GF($2^3$)
constructing the isomorphism $\theta$ is not so immediate, though not really difficult

FIELD REPRESENTATION
it is said that two irreducible polynomials $G'(x), G''(x)$ of identical degree generate two DIFFERENT REPRESENTATIONS of the SAME FINITE EXTENSION FIELD
the isomorphism function $\theta$ can be effectively determined, starting from $G'(x), G''(x)$
the function $\theta$ is actually a linear transformation
an extension field admits as many different representations as the number of irreducible polynomials of identical degree
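As an added example (not from the slides), covering the GF($2^n$) construction, Fermat inversion, the irreducibility and multiplicative-generator checks of the earlier slides, and the isomorphism $\theta$ between the two representations of GF($2^3$) given by $G'(x) = x^3 + x^2 + 1$ and $G''(x) = x^3 + x + 1$: Python code with polynomials over $\mathbb{F}_2$ packed as bit strings into ints (an encoding chosen here), where $\theta$ is built by finding a root $r$ of $G'(x)$ inside the $G''(x)$ representation and mapping $f(x) \mapsto f(r)$.

```python
# Added example (not from the slides): GF(2^n) with elements as Python ints
# (bit i = coefficient of x^i, so x^3 + x^2 + 1 is 0b1101), multiplication
# mod a generator g, Fermat inversion, the irreducibility and "x generates"
# checks, and the isomorphism theta between two representations of GF(2^3).

def gf2_mod(a, g):
    """Remainder of a(x) / g(x) in F_2[x]: long division, subtraction = XOR."""
    dg = g.bit_length() - 1
    while a.bit_length() > dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a

def gf2_mul(a, b, g):
    """a(x) * b(x) mod g(x): carry-less product, then reduction."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a, b = a << 1, b >> 1
    return gf2_mod(prod, g)

def gf2_pow(a, e, g):
    result = 1
    while e:
        if e & 1:
            result = gf2_mul(result, a, g)
        a, e = gf2_mul(a, a, g), e >> 1
    return result

def gf2_inv(a, g):
    """Inverse via the generalised Fermat theorem: a^(2^n - 2) mod g."""
    if gf2_mod(a, g) == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf2_pow(a, (1 << (g.bit_length() - 1)) - 2, g)

def is_irreducible(g):
    """Trial division by every polynomial of degree 1 .. n//2 (n = deg g);
    d = 2 is x and d = 3 is x + 1, the two Ruffini-rule linear factors."""
    n = g.bit_length() - 1
    return n >= 1 and all(gf2_mod(g, d) != 0 for d in range(2, 1 << (n // 2 + 1)))

def x_generates(g):
    """True iff the powers of x run through all 2^n - 1 nonzero elements."""
    n, e, seen = g.bit_length() - 1, 1, set()
    for _ in range((1 << n) - 1):
        seen.add(e)
        e = gf2_mul(e, 0b10, g)
    return len(seen) == (1 << n) - 1

def gf2_eval(f, r, g):
    """f(r) computed in the field generated by g (Horner's rule)."""
    acc = 0
    for i in range(f.bit_length() - 1, -1, -1):
        acc = gf2_mul(acc, r, g) ^ ((f >> i) & 1)
    return acc

def isomorphism(g_from, g_to):
    """theta from the representation generated by g_from to the one generated
    by g_to: find a root r of g_from inside the g_to field, then theta(f) = f(r)."""
    for r in range(2, 1 << (g_to.bit_length() - 1)):
        if gf2_eval(g_from, r, g_to) == 0:
            return lambda f, r=r: gf2_eval(f, r, g_to)
    raise ValueError("no root: generators not of equal degree or not irreducible")

def is_field_isomorphism(theta, g_from, g_to):
    """Check bijectivity and that theta commutes with + (XOR) and *."""
    elems = range(1 << (g_from.bit_length() - 1))
    return len({theta(a) for a in elems}) == len(elems) and all(
        theta(a ^ b) == theta(a) ^ theta(b)
        and theta(gf2_mul(a, b, g_from)) == gf2_mul(theta(a), theta(b), g_to)
        for a in elems for b in elems)

if __name__ == "__main__":
    G1, G2 = 0b1101, 0b1011     # x^3 + x^2 + 1 and x^3 + x + 1, both irreducible
    theta = isomorphism(G1, G2)
    print(is_irreducible(G1), is_irreducible(G2), is_field_isomorphism(theta, G1, G2))
    print([theta(f) for f in range(8)])     # the 8 images, e.g. theta(x) = x + 1
```

The generator check is worth running for any $G(x)$ one picks: for $G(x) = x^4 + x^3 + x^2 + x + 1$, which is irreducible, `x_generates` returns False because $x^5 = 1$ there, so the powers of $x$ reach only 5 of the 15 nonzero elements.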