Computer Security
Introduction to Finite Fields
Howon Kim
2017.3
Agenda

- Groups, Rings, and Fields
- Modular Arithmetic
- The Euclidean Algorithm
- Finite Fields of the form GF(p)
- Polynomial Arithmetic
- Finite Fields of the form GF(2^n)
Group

- A group is a set of elements (or "numbers") together with an operation whose result is also in the set (closure), and which obeys:
  - associative law: (a.b).c = a.(b.c)
  - has identity e: e.a = a.e = a
  - has inverses a^-1: a.a^-1 = a^-1.a = e
- If the operation is also commutative, a.b = b.a, then it forms an abelian group.
- Example: Z is a group under the addition operation.
Group – example

- Let N_n denote a set of n distinct symbols, say {1,2,...,n}.
- A permutation of n distinct symbols is a one-to-one mapping from N_n to N_n.
- Define S_n to be the set of all permutations of n distinct symbols.
- Each element of S_n is represented by a permutation of the integers in {1,2,...,n}.
- We can easily demonstrate that S_n is a group:
- Closure
  - If π, ρ ∈ S_n, then the composite mapping π.ρ is formed by permuting the elements of ρ according to the permutation π; the result is again a permutation, so π.ρ ∈ S_n.
  - For example, with π = {3,2,1} and ρ = {1,3,2}, π.ρ = {2,3,1}: the 3rd element of ρ is 2, the 2nd element of ρ is 3, and the 1st element of ρ is 1.
Group – example

- Associative? (a.b).c = a.(b.c)?
  - Take π = {3,2,1}, ρ = {1,3,2}, σ = {2,1,3} in S_3. Is (π.ρ).σ = π.(ρ.σ)?
  - (π.ρ).σ: π.ρ = {3,2,1}.{1,3,2} = {2,3,1}, then (π.ρ).σ = {2,3,1}.{2,1,3} = {1,3,2}
  - π.(ρ.σ): ρ.σ = {1,3,2}.{2,1,3} = {2,3,1}, then π.(ρ.σ) = {3,2,1}.{2,3,1} = {1,3,2}
  - Both give {1,3,2}; in general, composition of mappings is associative.
- Has identity e?
  - The identity mapping is the permutation that does not alter the order of the n elements. For S_n, the identity element is {1,2,...,n}.
Group – example

- Has an inverse element? a^-1: a.a^-1 = e
  - For any π ∈ S_n, the mapping that undoes the permutation defined by π is the inverse element for π. There will always be such an inverse.
  - For example, with π = {2,3,1}: π^-1 = {3,1,2}, and π.π^-1 = e = {1,2,3}.
- So, S_n is a group!
- If a group has a finite number of elements, it is a finite group (the order of the group is the number of elements in the group). Otherwise, the group is an infinite group. S_n is finite, of order n!.
Abelian Group

- A group is said to be abelian if it satisfies the following additional condition:
  - Commutative: a.b = b.a for all a, b in G
- Examples:
  - The set of integers under addition is an abelian group.
  - The set of nonzero real numbers under multiplication is an abelian group.
  - The set S_n is a group but not an abelian group (for n > 2).
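Worked example, added here and not part of the original slides: the S_n group check done by brute force in Python, using the slides' composition rule (entry i of π.ρ is entry π(i) of ρ). It reproduces the closure, associativity and inverse computations from the S_n slides and confirms that S_3 is a group of order 6 but not abelian, while S_2 is abelian. The function names are my own.

```python
"""The symmetric group S_n checked by brute force, using the slides'
composition rule. A permutation is a tuple of the symbols 1..n, e.g. (3, 2, 1).
(Added example; function names are my own, not the slides'.)"""
from itertools import permutations


def compose(pi, rho):
    """pi . rho: permute the elements of rho according to pi,
    i.e. entry i of the result is entry pi[i] of rho (slide convention)."""
    if len(pi) != len(rho):
        raise ValueError("permutations of different sizes")
    return tuple(rho[p - 1] for p in pi)


def identity(n):
    """The permutation that leaves the order unchanged: (1, 2, ..., n)."""
    return tuple(range(1, n + 1))


def inverse(pi):
    """The mapping that undoes pi: if pi sends position i to symbol p,
    the inverse sends position p back to i."""
    inv = [0] * len(pi)
    for i, p in enumerate(pi, start=1):
        inv[p - 1] = i
    return tuple(inv)


def symmetric_group(n):
    """All n! permutations of {1, ..., n}."""
    return [tuple(p) for p in permutations(range(1, n + 1))]


def order(elements):
    """Order of a finite group = number of elements."""
    return len(elements)


def is_group(elements, op, e):
    """Check closure, associativity, identity and inverses exhaustively."""
    members = set(elements)
    for a in elements:
        if op(e, a) != a or op(a, e) != a:            # identity
            return False
        if not any(op(a, b) == e for b in elements):  # inverse exists
            return False
        for b in elements:
            if op(a, b) not in members:               # closure
                return False
            for c in elements:                        # associativity
                if op(op(a, b), c) != op(a, op(b, c)):
                    return False
    return True


def is_abelian(elements, op):
    """Commutativity of every pair; fails for S_n when n > 2."""
    return all(op(a, b) == op(b, a) for a in elements for b in elements)


if __name__ == "__main__":
    S3 = symmetric_group(3)
    print("pi.rho =", compose((3, 2, 1), (1, 3, 2)))   # (2, 3, 1), as on the slide
    print("S_3 is a group:", is_group(S3, compose, identity(3)),
          "of order", order(S3), "abelian:", is_abelian(S3, compose))
```

The brute-force `is_group` is only meant for small n (it is cubic in the group order); its value is that every axiom on the slide is checked literally rather than assumed.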
Cyclic Group

- We define exponentiation as repeated application of the group operator, e.g. a^3 = a.a.a. Also, we define a^0 = e (the identity element).
- A group G is cyclic if every element of G is a power a^k of some fixed element a in G. The element a is said to generate the group G, and is called a generator of the group.
- A cyclic group is always abelian.
- Example: Z is cyclic under addition. Both 1 and -1 are generators (here a "power" is a repeated addition: 3 = 1+1+1, -3 = (-1)+(-1)+(-1)).
Ring

- A ring R is a set of elements with two binary operations, addition and multiplication, such that for all a, b, c in R the following characteristics are obeyed:
  - R is an abelian group with respect to addition: it has closure, is associative, has an identity element, has inverse elements, and is commutative.
  - Multiplication has closure and is associative.
  - Multiplication is distributive over addition: a(b+c) = ab + ac and (a+b)c = ac + bc.
- In essence, a ring is a set in which we can do addition, subtraction, and multiplication without leaving the set.
Commutative Ring, Integral Domain

- A ring is said to be commutative if it satisfies the following additional condition:
  - Commutativity of multiplication: ab = ba for all a, b in the ring R.
- If, in addition, the multiplication operation has an identity and there are no zero divisors, the ring forms an integral domain.
- An integral domain is a commutative ring with the following characteristics:
  - Multiplicative identity: there is an element 1 in R such that a1 = 1a = a for all a in R.
  - No zero divisors: if a, b in R and ab = 0, then either a = 0 or b = 0.
- Zero divisor? A nonzero element a of a ring is a left zero divisor if there exists a nonzero b such that ab = 0. Right zero divisors are defined analogously: a nonzero element a of a ring is a right zero divisor if there exists a nonzero c such that ca = 0. (For instance, in Z8, 2 x 4 = 8 ≡ 0, so 2 and 4 are zero divisors and Z8 is not an integral domain.) An element that is both a left and a right zero
Field

- A field is a set of elements in which we can do addition, subtraction, multiplication, and division without leaving the set.
- Division is defined as follows: a/b = a(b^-1), i.e. multiplication by the multiplicative inverse of b (b ≠ 0).
Field F or {F, +, *}

- A field is an abelian group for addition, {F, +}.
  - We denote the identity element as 0.
  - We denote the inverse of a as -a.
- A field is an abelian group for multiplication once 0 is excluded, {F - {0}, *}.
  - We denote the identity element as 1.
  - We denote the inverse of a as a^-1.
- The distributive laws hold:
  - a*(b+c) = a*b + a*c for all a, b, c in F
  - (a+b)*c = a*c + b*c for all a, b, c in F
- Examples
  - R (real numbers) and C (complex numbers) are fields.
  - Z (integers) is not a field: not every element of the set has a multiplicative inverse (e.g. there is no integer 2^-1).
Groups, Rings and Fields
Modular Arithmetic

- Given any positive integer n and any integer a, if we divide a by n, we get an integer quotient q and an integer remainder r:
  a = qn + r, 0 ≤ r < n; q = ⌊a/n⌋
- r is called the residue of a mod n.
- With this convention r always satisfies 0 ≤ r ≤ n-1, also for negative a (then q is negative):
  -12 mod 7 ≡ -5 mod 7 ≡ 2 mod 7 ≡ 9 mod 7 (all have residue 2)
Modular Arithmetic

- Define the modulo operator a mod n to be the remainder when a is divided by n.
- We use the term congruence for a ≡ b (mod n): when divided by n, a and b have the same remainder.
  - e.g. 100 ≡ 34 (mod 11), since both have remainder 1
Modulo 7 Example

...
-21 -20 -19 -18 -17 -16 -15
-14 -13 -12 -11 -10  -9  -8
 -7  -6  -5  -4  -3  -2  -1
  0   1   2   3   4   5   6
  7   8   9  10  11  12  13
 14  15  16  17  18  19  20
 21  22  23  24  25  26  27
 28  29  30  31  32  33  34
...

(Each column is one residue class: all integers in a column are congruent mod 7, and the row 0 ... 6 gives the residues.)
Divisors

- b divides a if a = mb for some m, where a, b, and m are integers; i.e., there is no remainder. Equivalently, a is divisible by b.
  - We denote this by b|a, and say b is a divisor of a.
  - Example: all of 1, 2, 3, 4, 6, 8, 12, 24 divide 24.
- Prime number: a number p > 1 that is divisible only by 1 and itself.
Properties of the Congruence

- a ≡ b (mod n) if and only if n | (a - b)
  - Proof: if n|(a-b), then we can write (a-b) = kn for some integer k, i.e. a = b + kn. Applying the mod operation to this equation gives (a mod n) = (b mod n), so a and b are congruent modulo n. Conversely, if (a mod n) = (b mod n), then a - b is a multiple of n.
  - Example: are -11 and 5 congruent mod 8? Since 8 | (-11 - 5) = -16, they are congruent modulo 8.
- a ≡ b (mod n) iff b ≡ a (mod n)
- a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
Modular Arithmetic

- The mod n operator maps all integers into the set of integers {0, 1, ..., n-1}.
- Can we perform arithmetic operations within this set? Yes, we can.
- This technique is known as modular arithmetic.
Properties of Modular Arithmetic

1. [(a mod n) + (b mod n)] mod n = (a+b) mod n
2. [(a mod n) - (b mod n)] mod n = (a-b) mod n
3. [(a mod n) * (b mod n)] mod n = (a*b) mod n

Proof of property 1:
Define (a mod n) = ra and (b mod n) = rb.
Then we can write a = ra + jn for some integer j, and b = rb + kn for some integer k.
Then (a+b) mod n = (ra + jn + rb + kn) mod n
  = (ra + rb + (j+k)n) mod n
  = (ra + rb) mod n
  = [(a mod n) + (b mod n)] mod n.
(Properties 2 and 3 follow the same way; for 3, (ra + jn)(rb + kn) = ra*rb + n(ra*k + rb*j + jkn), and the second term vanishes mod n.)
Properties of Modular Arithmetic

- We define the set of residues, or residue classes modulo n, as the set of nonnegative integers less than n:
  Zn = {0, 1, ..., n-1}
- We can label the residue classes modulo n as [0], [1], [2], ..., [n-1], where
  [r] = {a : a is an integer, a ≡ r (mod n)}
- The residue classes modulo 4 are
  [0] = {..., -8, -4, 0, 4, ...}
  [1] = {..., -7, -3, 1, 5, ...}
  [2] = {..., -6, -2, 2, 6, ...}
  [3] = {..., -5, -1, 3, 7, ...}
Properties of Modular Arithmetic

- If we perform modular arithmetic within Zn, the usual properties hold (commutative, associative and distributive laws, additive and multiplicative identities, additive inverses); the original slide lists them in a table.
Properties of Modular Arithmetic

- Zn with addition and multiplication mod n forms a commutative ring with a multiplicative identity (1).
- Note some peculiarities:
  - If (a+b) ≡ (a+c) (mod n), then b ≡ c (mod n). This is as in ordinary arithmetic: add the additive inverse of a to both sides.
  - But (ab) ≡ (ac) (mod n) implies b ≡ c (mod n) only if a is relatively prime to n (only then does a have a multiplicative inverse mod n to cancel with).
  - Example: (6*3) ≡ (6*7) ≡ 2 (mod 8), yet 3 ≢ 7 (mod 8), since 6 (a) and 8 (n) are not relatively prime.
Example: mod 8

- Addition table: e.g. (2+6) mod 8 = 0, so 6 is the additive inverse of 2.
- All integers mod 8 have an additive inverse.

Example: mod 8

- Multiplication table: e.g. (3*3) mod 8 = 1, so 3 is its own multiplicative inverse.
- Not all integers mod 8 have a multiplicative inverse (only 1, 3, 5, 7, the ones relatively prime to 8, do). Z8 is a ring, not a field!
Euclid's Algorithm

- Algorithm to find the Greatest Common Divisor.
- Euclid's Algorithm is based on the following theorem:
  gcd(a, b) = gcd(b, a mod b)
- Proof:
  - Let d = gcd(a, b). Then by definition of gcd, d|a and d|b. Also a can be expressed in the form a = kb + r with r = a mod b, i.e. (a mod b) = a - kb for some k.
  - Because d|b, d also divides kb. And d|a. Therefore d|(a - kb), i.e. d|(a mod b).
  - We already know d|b, so d is a common divisor of b and (a mod b).
  - Conversely, if d = gcd(b, a mod b), then d|kb and thus d|[kb + (a mod b)], which is equivalent to d|a.
  - Thus the set of common divisors of a and b is equal to the set of common divisors of b and (a mod b), so the two gcds are equal.
- Relatively prime: a and b are relatively prime if gcd(a, b) = 1.
Euclid's Algorithm

- gcd(a, b) = gcd(b, a mod b)
  - gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = gcd(11, 0) = 11
  - gcd(18, 12) = gcd(12, 6) = gcd(6, 0) = 6
  - gcd(11, 10) = gcd(10, 1) = gcd(1, 0) = 1
- Euclid's Algorithm to compute gcd(a, b):
  A = a, B = b
  while B > 0
    R = A mod B
    A = B, B = R
  return A
Example

gcd(1970, 1066) = gcd(1066, 1970 mod 1066) = ...

  a    = q x b    + (a mod b)
  1970 = 1 x 1066 + 904        gcd(1066, 904)
  1066 = 1 x 904  + 162        gcd(904, 162)
  904  = 5 x 162  + 94         gcd(162, 94)
  162  = 1 x 94   + 68         gcd(94, 68)
  94   = 1 x 68   + 26         gcd(68, 26)
  68   = 2 x 26   + 16         gcd(26, 16)
  26   = 1 x 16   + 10         gcd(16, 10)
  16   = 1 x 10   + 6          gcd(10, 6)
  10   = 1 x 6    + 4          gcd(6, 4)
  6    = 1 x 4    + 2          gcd(4, 2)
  4    = 2 x 2    + 0          gcd(2, 0) = 2

Therefore, gcd(1970, 1066) = 2.
Finite Fields

- Infinite vs. finite fields
  - Infinite fields are not of particular interest in our context.
  - Finite fields play a key role in cryptography.
- It can be shown that the order of a finite field, i.e., the number of elements in the field, must be a power of a prime, p^n.
- The finite field of order p^n is called a Galois field, denoted GF(p^n).
- We will study two special cases:
  - n = 1, the prime field: GF(p)
  - n > 1 and p = 2, the binary field: GF(2^n)
Galois Field GF(p)

- GF(p) is the set of integers Zp = {0, 1, ..., p-1} with arithmetic operations modulo the prime p.
- Previously we studied the set Zn = {0, 1, ..., n-1}; it is a commutative ring. An integer in Zn has a multiplicative inverse iff that integer is relatively prime to n. So if n is prime, all of the nonzero integers in Zn are relatively prime to n, and every nonzero integer in Zn has a multiplicative inverse.
- These form a finite field.
- Arithmetic is "well-behaved": we can do addition, subtraction, multiplication, and division without leaving the field GF(p).
Example: GF(7)

(The original slides show the addition and multiplication tables of GF(7); every nonzero element has a multiplicative inverse, e.g. 3^-1 = 5 since 3 x 5 = 15 ≡ 1 (mod 7).)
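Added example, not from the original slides: Z_n tables and inverses in Python, serving both the mod 8 slides and the GF(7) example. It builds the addition and multiplication tables, finds inverses by brute force, and checks the slides' claim that a has a multiplicative inverse exactly when gcd(a, n) = 1, so that Z_n is a field only for prime n; `cancellation_counterexample` exhibits the ab ≡ ac but b ≢ c peculiarity. Function names are mine.

```python
"""Z_n = {0, ..., n-1} with addition and multiplication mod n: always a
commutative ring with identity, and a field exactly when every nonzero
element has a multiplicative inverse (n prime).
(Added example; function names are my own, not the slides'.)"""
from math import gcd


def add_table(n):
    return [[(a + b) % n for b in range(n)] for a in range(n)]


def mul_table(n):
    return [[(a * b) % n for b in range(n)] for a in range(n)]


def additive_inverse(a, n):
    """Always exists: the element that brings a back to 0."""
    return (-a) % n


def multiplicative_inverse(a, n):
    """Search the multiplication-table row of a for a 1; None if absent."""
    for b in range(n):
        if (a * b) % n == 1:
            return b
    return None


def units(n):
    """Nonzero elements of Z_n that have a multiplicative inverse."""
    return [a for a in range(1, n) if multiplicative_inverse(a, n) is not None]


def coprime_to(n):
    """The slides' characterisation of the units: gcd(a, n) = 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def is_field(n):
    """Z_n is a field iff all of 1 .. n-1 are units."""
    return n >= 2 and len(units(n)) == n - 1


def cancellation_counterexample(n):
    """A triple (a, b, c) with a*b ≡ a*c (mod n) but b ≢ c (mod n), or None.
    One exists exactly when some nonzero a shares a factor with n."""
    for a in range(1, n):
        for b in range(n):
            for c in range(b + 1, n):
                if (a * b) % n == (a * c) % n:
                    return (a, b, c)
    return None


def show_table(table):
    """Render a table the way the slides do, one row per element."""
    return "\n".join(" ".join(f"{v:2d}" for v in row) for row in table)


if __name__ == "__main__":
    print("Z_8 multiplication:\n" + show_table(mul_table(8)))
    print("units of Z_8:", units(8), " Z_8 is a field:", is_field(8))
    print("units of Z_7:", units(7), " Z_7 = GF(7) is a field:", is_field(7))
    print("cancellation fails in Z_8 for (a, b, c) =", cancellation_counterexample(8))
```

The brute-force inverse search is deliberate here: it matches reading the inverse off the table as the slides do. For real moduli the extended Euclidean algorithm of the next slides is the way to compute it.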
Finding the Multiplicative Inverse in GF(p)

- Extended Euclid algorithm to compute b^-1 mod m.
- If we equate A and B with A3 and B3 respectively, we get the same Euclidean algorithm as shown previously (listed after it for comparison).

EXTENDED EUCLID(m, b)
1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return "no inverse"         // gcd(m, b) = A3 > 1
3. if B3 = 1 return B2                   // B2 = b^-1 mod m
4. Q = ⌊A3 / B3⌋                         // Q: quotient
5. (T1, T2, T3) = (A1 - Q*B1, A2 - Q*B2, A3 - Q*B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2

gcd(m, b)
1. A = m, B = b
2. if B = 0 return A                     // A = gcd(m, b)
3. Q = ⌊A / B⌋
4. T3 = A - Q*B
5. A = B
6. B = T3
7. goto 2
Finding the Multiplicative Inverse in GF(p)

- Why EXTENDED EUCLID(m, b) returns b^-1 mod m:
  - Throughout the computation, the following relationships hold:
    m*A1 + b*A2 = A3
    m*B1 + b*B2 = B3
    m*T1 + b*T2 = T3
    (they hold for the initial values in step 1, and step 5 only forms integer combinations of rows that already satisfy them).
  - If gcd(m, b) = 1, then on the final step A3 = 1 and B3 = 0, so on the preceding step B3 = 1.
  - In the case B3 = 1:
    m*B1 + b*B2 = B3
    m*B1 + b*B2 = 1
    b*B2 = 1 - m*B1
    b*B2 ≡ 1 (mod m)
    That is, B2 ≡ b^-1 (mod m).
Example: 550^-1 mod 1759

(The original slide traces EXTENDED EUCLID(1759, 550) step by step in a table; the result is 550^-1 mod 1759 = 355, since 550 x 355 = 195250 = 111 x 1759 + 1.)
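Added example, not the slides' code: EXTENDED EUCLID(m, b) in Python with the rows (A1, A2, A3) and (B1, B2, B3) kept exactly as on the slides, the invariants m*A1 + b*A2 = A3 and m*B1 + b*B2 = B3 asserted at every step, and the full trace returned. Because the A3/B3 column on its own is the plain Euclidean algorithm, the same trace reproduces the gcd(1970, 1066) division steps, and the 550^-1 mod 1759 example is the check. Function names are mine.

```python
"""EXTENDED EUCLID(m, b) exactly as on the slides, keeping the rows
(A1, A2, A3) and (B1, B2, B3) and checking the invariants
m*A1 + b*A2 = A3 and m*B1 + b*B2 = B3 at every step. The A3/B3 column on
its own is the plain Euclidean algorithm, so the same trace gives gcd(m, b).
(Added example; function names are my own, not the slides'.)"""


def extended_euclid(m, b):
    """Return (gcd(m, b), b^-1 mod m or None, trace of (A1, A2, A3, B1, B2, B3))."""
    A1, A2, A3 = 1, 0, m                 # step 1
    B1, B2, B3 = 0, 1, b
    trace = [(A1, A2, A3, B1, B2, B3)]
    while True:
        # The slide's invariants; violating them would mean a transcription bug.
        assert m * A1 + b * A2 == A3 and m * B1 + b * B2 == B3
        if B3 == 0:                      # step 2: gcd is A3 (> 1 here), no inverse
            return A3, None, trace
        if B3 == 1:                      # step 3: m*B1 + b*B2 = 1 => b*B2 ≡ 1 (mod m)
            return 1, B2 % m, trace      # % m maps a negative B2 into Z_m
        Q = A3 // B3                     # step 4
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3   # step 5
        A1, A2, A3 = B1, B2, B3          # step 6
        B1, B2, B3 = T1, T2, T3          # step 7
        trace.append((A1, A2, A3, B1, B2, B3))


def mod_inverse(b, m):
    """b^-1 mod m, or None when gcd(b, m) != 1 (b is not a unit of Z_m)."""
    return extended_euclid(m, b)[1]


def division_steps(trace):
    """Rewrite the A3/B3 column as the slides' 'a = q x b + r' lines."""
    steps = []
    for (_, _, a, _, _, b), (_, _, _, _, _, r) in zip(trace, trace[1:]):
        steps.append((a, a // b, b, r))
    return steps


if __name__ == "__main__":
    g, inv, trace = extended_euclid(1759, 550)
    for row in trace:
        print("A1=%5d A2=%5d A3=%5d | B1=%5d B2=%5d B3=%5d" % row)
    print("550^-1 mod 1759 =", inv)
    for a, q, b, r in division_steps(extended_euclid(1970, 1066)[2]):
        print(f"{a} = {q} x {b} + {r}")
```

Note that B2 can go negative during the run (the slide's table shows this too); reducing it mod m at the end is what turns the Bezout coefficient into the element of Z_m the slides call b^-1.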
Polynomial Arithmetic

- A polynomial of degree n ≥ 0 is f(x) = a_n x^n + a_(n-1) x^(n-1) + ... + a_1 x + a_0 with a_n ≠ 0; the a_i are called the coefficients.
- Three classes of polynomial arithmetic:
  1. ordinary polynomial arithmetic;
  2. polynomial arithmetic where the arithmetic on the coefficients is performed modulo p, that is, the coefficients are in Zp = GF(p);
  3. polynomial arithmetic where the coefficients are in Zp and the polynomials are defined modulo a polynomial m(x).
1. Ordinary Polynomial Arithmetic

- Addition and subtraction: add or subtract corresponding coefficients.
- Multiplication: multiply all terms by each other, considering all possible combinations, and collect like powers.
- Example: let f(x) = x^3 + x^2 + 2 and g(x) = x^2 - x + 1
  f(x) + g(x) = x^3 + 2x^2 - x + 3
  f(x) - g(x) = x^3 + x + 1
  f(x) x g(x) = x^5 + 3x^2 - 2x + 2
2. Polynomial Arithmetic with Coefficients in Zp

- When computing the value of each coefficient, do the calculation modulo p.
- p can be any prime, but we are most interested in mod 2:
  - all coefficients are 0 or 1;
  - coefficient addition is equivalent to logical XOR, so addition and subtraction are equivalent;
  - coefficient multiplication is equivalent to logical AND.
- Example: let f(x) = x^3 + x^2 and g(x) = x^2 + x + 1 (coefficients mod 2)
  f(x) + g(x) = x^3 + x + 1 (the two x^2 terms cancel, since 1 + 1 = 0)
  f(x)g(x) = x^5 + x^2 (the x^4 and x^3 terms each appear twice and cancel)
2. Polynomial Arithmetic with Coefficients in Zp: Examples

(The worked examples on the original slide are not reproduced here.)
2. Polynomial Arithmetic with Coefficients in Zp: division

- We now consider polynomial division. Sometimes it is exact, but in general it is not: there can be a remainder.
- Write f(x) = q(x)g(x) + r(x) and interpret r(x) as the remainder, i.e., r(x) = f(x) mod g(x).
- Example (coefficients mod 2): x^3 + x + 1 = (x + 1)(x^2 + x) + 1, so (x^3 + x + 1) mod (x^2 + x) = 1.
2. Polynomial Arithmetic with Coefficients in Zp: division

- Consider the division 5/3 in different number systems:
  - In the set of rational numbers, the division is simply expressed as 5/3: the rational numbers form a field, so the result is exact.
  - In the set of integers, 5/3 gives quotient 1 and remainder 2 (5 = 1 x 3 + 2): it is not an exact division.
  - In the field Z7, 5/3 = (5 x 3^-1) mod 7 = (5 x 5) mod 7 = 4, which is again an exact solution (check: 3 x 4 = 12 ≡ 5 (mod 7)).
2. Polynomial Arithmetic with Coefficients in Zp: division

- If we attempt to perform polynomial division over a coefficient set that is not a field, we find that division is not always defined.
  - If the coefficient set is the integers, a division whose quotient would need a coefficient with the value 5/3 (as in the example on the original slide) has no solution.
- However, even if the coefficient set is a field, polynomial division is not necessarily exact. In general, division produces a quotient and a remainder:
  f(x) = q(x)g(x) + r(x)
- If the degree of f(x) is n and the degree of g(x) is m (m ≤ n), then the degree of the quotient q(x) is n - m and the degree of the remainder r(x) is at most m - 1.
3. Modular Polynomial Arithmetic

- Analogy to integer arithmetic: with f(x) = q(x)g(x) + r(x), write r(x) = f(x) mod g(x).
  - If there is no remainder, we say g(x) divides f(x); g(x) is a divisor of f(x).
- Irreducible polynomial
  - If g(x) has no divisors other than itself and 1 (up to constant factors), we say it is an irreducible polynomial; i.e., g(x) cannot be expressed as a product of two polynomials of lower degree over the same coefficient field.
  - This is similar to a prime number in integer arithmetic.
  - Example over Z2: x^3 + x + 1 is irreducible, but x^3 + 1 = (x + 1)(x^2 + x + 1) is not.
Finding the Polynomial GCD

- The polynomial c(x) is said to be the gcd of a(x) and b(x) if
  - c(x) divides both a(x) and b(x), and
  - any divisor of a(x) and b(x) is a divisor of c(x).
- The previous theorem also holds:
  gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)]
Polynomial GCD

- The Euclidean algorithm for polynomials is as follows:
  EUCLID[a(x), b(x)]
  1. A(x) = a(x); B(x) = b(x)
  2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
  3. R(x) = A(x) mod B(x)
  4. A(x) = B(x)
  5. B(x) = R(x)
  6. goto 2
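Added example, not the slides' code: polynomial arithmetic over Z2 in Python, covering the coefficients-in-Zp examples, the division-with-remainder slides and EUCLID[a(x), b(x)]. A polynomial is packed into an int with bit i the coefficient of x^i, so x^3 + x^2 is 0b1100; addition is XOR, multiplication is carry-less, and `poly_divmod` is long division. `is_irreducible` tests the definition from the modular polynomial arithmetic slide by trial division. Function names are mine.

```python
"""Polynomials over Z_2 packed as Python ints: bit i is the coefficient of x^i,
so x^3 + x^2 is 0b1100 and x^2 + x + 1 is 0b111. Coefficient addition is XOR
and coefficient multiplication is AND, so + and - coincide.
(Added example; function names are my own, not the slides'.)"""


def degree(p):
    return p.bit_length() - 1          # degree(0) == -1 by convention


def poly_add(f, g):
    return f ^ g                       # also subtraction


def poly_mul(f, g):
    """Carry-less multiplication: add a shifted copy of f for every set bit of g."""
    r = 0
    while g:
        if g & 1:
            r ^= f
        f <<= 1
        g >>= 1
    return r


def poly_divmod(f, g):
    """Long division: (q, r) with f = q*g + r and degree(r) < degree(g)."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    dg = degree(g)
    while f and degree(f) >= dg:
        shift = degree(f) - dg         # leading term of f divided by that of g
        q ^= 1 << shift
        f ^= g << shift                # subtract (= add) that multiple of g
    return q, f


def poly_mod(f, g):
    return poly_divmod(f, g)[1]


def poly_gcd(a, b):
    """EUCLID[a(x), b(x)] from the slides: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, poly_mod(a, b)
    return a


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)/2
    (a reducible p always has a factor in that range)."""
    n = degree(p)
    if n < 1:
        return False
    for d in range(2, 1 << (n // 2 + 1)):
        if poly_mod(p, d) == 0:
            return False
    return True


def to_str(p):
    """Pretty-print in the slides' notation, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(degree(p), -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


if __name__ == "__main__":
    f, g = 0b1100, 0b111               # x^3 + x^2 and x^2 + x + 1
    print(to_str(f), "+", to_str(g), "=", to_str(poly_add(f, g)))
    print(to_str(f), "*", to_str(g), "=", to_str(poly_mul(f, g)))
    q, r = poly_divmod(0b1011, 0b110)  # (x^3 + x + 1) / (x^2 + x)
    print("quotient", to_str(q), "remainder", to_str(r))
    print("gcd(x^4 + x^2, x^3 + x) =", to_str(poly_gcd(0b10100, 0b1010)))
    print("x^3 + x + 1 irreducible:", is_irreducible(0b1011),
          " x^3 + 1 irreducible:", is_irreducible(0b1001))
```

Packing into ints is the representation the GF(2^n) slides use as well ("every polynomial is an n-bit number"); the same `poly_mod` is what reduction modulo an irreducible polynomial amounts to.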
Galois Field GF(2^n)

- Polynomial arithmetic over Zp modulo an irreducible polynomial of degree n forms a field with p^n elements.
- GF(2^n):
  - the elements are the polynomials with coefficients modulo 2 and degree ≤ n - 1 (there are 2^n of them);
  - modular polynomial arithmetic using an irreducible polynomial of degree n: coefficients are computed mod 2 and products are reduced mod the irreducible polynomial.
Example: GF(2^3) with x^3 + x + 1

(The original slides show the addition and multiplication tables of the 8 elements 000 ... 111.)

Example: GF(2^3)

- The addition table is symmetric about its diagonal, due to the commutative property of the addition operation.

Example: GF(2^3)

- All the elements (except zero) have a multiplicative inverse.
- It is a finite field GF(p^n), where p is prime (here p = 2, n = 3).
Computational Considerations

- A polynomial f(x) in GF(2^n) can be represented by its n binary coefficients (a_(n-1) a_(n-2) ... a_0). That is, every polynomial in GF(2^n) can be represented by an n-bit number.
- Addition (= subtraction) is performed by adding (XOR) the corresponding coefficients:
  (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
  01010111 {57} XOR 10000011 {83} = 11010100 {D4}
Computational Considerations

- Multiplication in GF(2^8) with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1 (the polynomial used by AES).
- With the following observation, we can easily compute the multiplication:
  m(x) = x^8 + x^4 + x^3 + x + 1
  [m(x) - x^8] mod m(x) = (x^4 + x^3 + x + 1) mod m(x)
  and since m(x) ≡ 0 (mod m(x)) and subtraction is addition mod 2,
  x^8 mod m(x) = x^4 + x^3 + x + 1
- The multiplication x*f(x) is then as follows:
  f(x) = b7 x^7 + b6 x^6 + b5 x^5 + b4 x^4 + b3 x^3 + b2 x^2 + b1 x + b0
  x*f(x) = (b7 x^8 + b6 x^7 + b5 x^6 + b4 x^5 + b3 x^4 + b2 x^3 + b1 x^2 + b0 x) mod m(x)
  if b7 = 1: x*f(x) = (b6 x^7 + b5 x^6 + b4 x^5 + b3 x^4 + b2 x^3 + b1 x^2 + b0 x) + (x^4 + x^3 + x + 1)
- To summarize (as 8-bit strings):
  x*f(x) = (b6 b5 b4 b3 b2 b1 b0 0)                  if b7 = 0
  x*f(x) = (b6 b5 b4 b3 b2 b1 b0 0) XOR (00011011)   if b7 = 1
  i.e. a left shift by one bit, followed by XOR with {1B} when the bit shifted out was 1.
Computational Considerations

Example: GF(2^8) with x^8 + x^4 + x^3 + x + 1

(The original slide works a product step by step: shift to obtain x*f(x), XOR with x^4 + x^3 + x + 1 whenever an x^8 term appears, and then combine the partial products x^i * f(x) to obtain the full multiplication result.)
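Added example, not the slides' code: GF(2^n) multiplication by shift and XOR in Python, covering the GF(2^3) tables and the GF(2^8) x*f(x) rule. `gf_xtime` is the slides' rule generalised to an irreducible polynomial m(x) of any degree n (assumption: m is passed with its x^n bit set), and `gf_mul` builds a full product from repeated xtime steps; inverses are found by brute force to check the claim that every nonzero element has one exactly when m(x) is irreducible. The AES value {57}·{83} = {C1} used as a check is the example from the AES specification (FIPS-197). Function and constant names are mine.

```python
"""GF(2^n) arithmetic on n-bit ints with an irreducible polynomial m(x) of
degree n, using only shifts and XORs as on the slides. m is passed with its
x^n bit set, e.g. x^8 + x^4 + x^3 + x + 1 is 0b1_0001_1011 (assumption).
(Added example; names are my own, not the slides'.)"""

AES_POLY = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, n = 8
GF8_POLY = 0b1011          # x^3 + x + 1, n = 3


def gf_xtime(f, m, n):
    """x * f(x) mod m(x): shift left; if an x^n term appeared, replace it by
    x^n mod m(x). XOR with m clears bit n and adds in m(x) - x^n."""
    f <<= 1
    if f & (1 << n):
        f ^= m
    return f


def gf_mul(a, b, m, n):
    """a * b mod m(x): the bits of b select which a * x^i to accumulate."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = gf_xtime(a, m, n)
        b >>= 1
    return r


def gf_add(a, b):
    """Addition and subtraction are both bitwise XOR."""
    return a ^ b


def gf_inverse(a, m, n):
    """Brute-force search for a^-1; None if a has no inverse (a zero divisor,
    which happens only when m(x) is reducible)."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    for b in range(1, 1 << n):
        if gf_mul(a, b, m, n) == 1:
            return b
    return None


def mul_table(m, n):
    """The slides' multiplication table for all 2^n elements."""
    size = 1 << n
    return [[gf_mul(a, b, m, n) for b in range(size)] for a in range(size)]


def is_field(m, n):
    """Every nonzero element invertible <=> the arithmetic mod m(x) is a field."""
    return all(gf_inverse(a, m, n) is not None for a in range(1, 1 << n))


if __name__ == "__main__":
    print("{57} + {83} = {%02X}" % gf_add(0x57, 0x83))
    print("{57} * {83} = {%02X}" % gf_mul(0x57, 0x83, AES_POLY, 8))
    for row in mul_table(GF8_POLY, 3):
        print(" ".join(f"{v:03b}" for v in row))
    print("x^3 + x + 1 gives a field:", is_field(GF8_POLY, 3),
          "  x^3 + 1 gives a field:", is_field(0b1001, 3))
```

The table printed for x^3 + x + 1 is the one on the GF(2^3) slides; running `is_field` with the reducible x^3 + 1 instead shows the failure mode the slides warn about, because (x + 1)(x^2 + x + 1) = x^3 + 1 ≡ 0 makes x + 1 a zero divisor with no inverse.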
Computational Considerations: Summary

- Addition (and subtraction): bitwise XOR; efficient in HW and SW.
- Multiplication: shift and XOR.
Next...

We will study the AES crypto algorithm.

Q&A