Group

 a set S of elements or “numbers”

 may be finite or infinite
 with some operation ‘.’ so G=(S,.)
 Obeys CAIN:
 Closure: a,b in S, then a.b in S
 Associative law: (a.b).c = a.(b.c)
 has Identity e: e.a = a.e = a
 has iNverses a-1: a.a-1 = e
 if commutative a.b = b.a
 then forms an abelian group
 Cyclic Group
 define exponentiation as repeated
application of operator
 example: a3 = a.a.a
 and let identity be: e=a0
 a group is cyclic if every element is a
power of some fixed element a
 i.e., b = ak for some a and every b in group
 a is said to be a generator of the group
 Ring
 a set of “numbers”
 with two operations (addition and multiplication)
which form:
 an abelian group with addition operation
 and multiplication:
 has closure
 is associative
 distributive over addition: a(b+c) = ab + ac
 if multiplication operation is commutative, it
forms a commutative ring
 if multiplication operation has an identity and no
zero divisors, it forms an integral domain
 Field
 a set of numbers
 with two operations which form:
 abelian group for addition
 abelian group for multiplication (ignoring 0)
 ring
 have hierarchy with more axioms/laws
 group -> ring -> field
Group, Ring, Field
 Finite (Galois) Fields
 finite fields play a key role in cryptography
 can show number of elements in a finite
field must be a power of a prime pn
 known as Galois fields
 denoted GF(pn)
 in particular often use the fields:
 GF(p)
 GF(2n)
 Galois Fields GF(p)
 GF(p) is the set of integers {0,1, … , p-1}
with arithmetic operations modulo prime p
 these form a finite field
 since have multiplicative inverses
 find inverse with Extended Euclidean algorithm
 hence arithmetic is “well-behaved” and can
do addition, subtraction, multiplication, and
division without leaving the field GF(p)
GF(7) Multiplication Example
 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
 Polynomial Arithmetic
 can compute using polynomials
f(x) = anxn + an-1xn-1 + … + a1x + a0 = ∑ aixi
• n.b. not interested in any specific value of x
• which is known as the indeterminate
 several alternatives available
 ordinary polynomial arithmetic
 poly arithmetic with coefs mod p
 poly arithmetic with coefs mod p and
polynomials mod m(x)
Ordinary Polynomial Arithmetic
 add or subtract corresponding coefficients
 multiply all terms by each other
 eg
let f(x) = x3 + x2 + 2 and g(x) = x2 – x + 1
f(x) + g(x) = x3 + 2x2 – x + 3
f(x) – g(x) = x3 + x + 1
f(x) x g(x) = x5 + 3x2 – 2x + 2
 Polynomial Arithmetic with
Modulo Coefficients
 when computing value of each coefficient
do calculation modulo some value
 forms a polynomial ring
 could be modulo any prime
 but we are most interested in mod 2
 ie all coefficients are 0 or 1
 eg. let f(x) = x3 + x2 and g(x) = x2 + x + 1
f(x) + g(x) = x3 + x + 1
f(x) x g(x) = x5 + x2
 Polynomial Division
 can write any polynomial in the form:
 f(x) = q(x) g(x) + r(x)
 can interpret r(x) as being a remainder
 r(x) = f(x) mod g(x)
 if have no remainder say g(x) divides f(x)
 if g(x) has no divisors other than itself & 1
say it is irreducible (or prime) polynomial
 arithmetic modulo an irreducible
polynomial forms a field
 Polynomial GCD
 can find greatest common divisor for polys
 c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest
degree which divides both a(x), b(x)
 can adapt Euclid’s Algorithm to find it:
Euclid(a(x), b(x))
if (b(x)=0) then return a(x);
else return
Euclid(b(x), a(x) mod b(x));
 all foundation for polynomial fields as see next
 Modular Polynomial
Arithmetic
 can compute in field GF(2n)
 polynomials with coefficients modulo 2
 whose degree is less than n
 hence must reduce modulo an irreducible poly
of degree n (for multiplication only)
 form a finite field
 can always find an inverse
 can extend Euclid’s Inverse algorithm to find
Example GF(23)
 Computational
Considerations
 since coefficients are 0 or 1, can represent
any such polynomial as a bit string
 addition becomes XOR of these bit strings
 multiplication is shift & XOR
 cf long-hand multiplication
 modulo reduction done by repeatedly
substituting highest power with remainder
of irreducible poly (also shift & XOR)
 Computational Example
 in GF(23) have (x2+1) is 1012 & (x2+x+1) is 1112
 so addition is
 (x2+1) + (x2+x+1) = x
 101 XOR 111 = 0102
 and multiplication is
 (x+1).(x2+1) = x.(x2+1) + 1.(x2+1)
= x3+x+x2+1 = x3+x2+x+1
 011.101 = (101)<<1 XOR (101)<<0 =
1010 XOR 101 = 11112
 What is a Field?

A field is a set of elements with two custom-defined arithmetic

operations: most commonly, addition and multiplication. The
elements of the field are an additive abelian group, and the non-
zero elements of the field are a multiplicative abelian group. This
means that all elements of the field have an additive inverse, and
all non-zero elements have a multiplicative inverse.

A field is called finite if it has a finite number of elements. The most

commonly used finite fields in cryptography are the field Fp (where

p is a prime number) and the field F2m.

 Finite Fields

A finite field or Galois field denoted by GF(q=pn), is a field with

characteristic p, and a number q of elements. As we have seen,
such a finite field exists for every prime p and positive integer n, and
contains a subfield having p elements. This subfield is called ground
field of the original field.

For the rest of this class, we will consider only the two most used cases
in cryptography: q=p, with p a prime and q=2m. The former case,
GF(p), is denoted as the prime field, whereas the latter, GF(2m), is
known as the finite field of characteristic two or simply binary field.
 Finite Fields

A finite field is a field with a finite number of elements.

The number of elements in a finite field is called the

order of the field. Fields of the same order are

isomorphic: they display exactly the same algebraic

structure differing only in the representation of the

elements.
 The field F2m
‘Plegaria del Codificador teórico: Juro por Galois que seré leal a las nobles
tradiciones de la teoría de códigos; que hablaré de ella en el secreto lenguaje sólo
conocido por los contados iniciados; y que celosamente vigilaré la sagrada teoría de
aquellos que quisieran profanarla para usarla en aplicaciones mundanas”.
J. L. Massey

Although the description of the field F2m is complicated, this field is extremely
beautiful and also quite useful, because its computations can be done efficiently
when implemented in hardware. There are several ways to describe arithmetic in
F2m; the most common one is the so-called polynomial representation.
 Generating polynomial
The finite field F=GF(2m) is completely described by a monic irreducible
polynomial, often called generating polynomial, of the form
f  x   x m  k m 1x m 1  k m  2 x m  2  ...  k1x  k0

Where ki  GF(2) for i=0,1,…,m-1. Let  be a root of the monic irreducible

polynomial in (0), i.e., f() = 0, Then
f      m  k m 1 m 1  k m  2 m  2  ...  k1  k0  0
Then, taking advantage of the fact that over GF(2) addition is
equivalent to subtraction, we get the important relation
m 1
m
   ki i
i 0
Generating polynomial and polynomial
basis

Then, we define the polynomial or canonical basis of GF(2m) over

GF(2) using the primitive element  and its m first powers

{1, , 2,…, m-1},

which happen to be linearly independent over GF(2).

 Polynomial representation

Using the canonical basis we can uniquely represent any number

A  F=GF(2m) as
m 1
A   ai i
i 0
Sometimes, it is more convenient to represent a field element using the
so-called coordinate representation,

Polynomial Rep.  Coordinate Rep.

am 1 m 1  am  2 m  2  ...  a1  a0   am1, am2 ..., a1, a0 
 Element’s Representation
By using the polynomial basis given in last equation, we can represent any
number A  F=GF(2m) uniquely by

m 1
A   ai i
i 0
Where all the coefficients aI's belong to the characteristic field
GF(2). Elements of the field are m-bit strings. The rules for
arithmetic in F can be defined by polynomial representation. Since
F operates on bit strings, computers can perform arithmetic in this
field very efficiently.
 Order definition
• The order of an element  in F, is defined as the smallest positive integer k
such that k=1. Any finite field always contains at least one element, called
a primitive element, which has order q-1. We say that f(x) is a primitive
polynomial, if any one of its roots, say , is a primitive element in F. If f(x)
is primitive, then all the q elements of F, can be expressed as the union of
the zero element and the set of the first q-1 powers of ,

0, , 2 , 3 , , q1  1
In fact, this is always the case for any finite field F=GF(2m) where we can
always define the so-called polynomial basis of GF(2m) over GF(2) as as
the linearly independent set of the first m powers of 

{1, , 2,…, m-1}

 An example

Example. Let K = GF(24), F = GF(2), with defining primitive

polynomial f(x) given by

f(x) = x4 + x + 1

Then, if  is a root of f(x), we have f()=0, which implies that

f() = 4 +  + 1 = 0

This equation over GF(2), means that  satisfies the following

equation

 4 =  + 1.

Using the above equation, one can now express each one of the
15 nonzero elements of K over F as is shown in the next table.
 Discrete log table
i i Coordinates
0 1 (0 0 0 1)
1  (0 0 1 0)
2 2 (0 1 0 0)
3 3 (1 0 0 0)
4 4=+1 (0 0 1 1)
5 5=2+ (0 1 1 0)
6 6=3+2 (1 1 0 0)
7 7=3++1 (1 0 1 1)
8 8=2+1 (0 1 0 1)
9 9=3+ (1 0 1 0)
10 10=2++1 (0 1 1 1)
11 11=3+2+ (1 1 1 0)
12 12=3+2++1 (1 1 1 1)
13 13=3+2+1 (1 1 0 1)
14 14=3+1 (1 0 0 1)
Finite fields: definitions and
operations

FF22m finite
finitefield
fieldoperations
operations::Addition,
Addition,Squaring,
Squaring,
m

multiplicationand
multiplication andinversion
inversion
 Arithmetic in the field F2m
The irreducible generating polynomial used for these sample
calculations is again f(x) =x4+x+1.
Notice that all the coefficients are reduced modulo 2!!
Addition
(0110)+(0101)=(0011).
Multiplication
(1101)(1001)
= (x3+x2+1)(x3+1) mod f(x)
= x6+x5+2x3+x2+1 mod f(x)
= x6+x5+x2+1 mod f(x)
= (x4+x+1)(x2+x)+(x3+x2+x+1) mod f(x)
= x3+x2+x+1
= (1111).
 Arithmetic in the field F2m
Exponentiation
To compute (0010)4, first find
(0010)2 = (0010)(0010)
= x x mod f(x)
= x2
= (0100).
Then
(0010)4 = (0010)2(0010)2
= (0100)(0100)
= x2x2 mod f(x)
= (x4+x+1)(1)+(x+1) mod f(x)
=x+1
= (0011).
 Two-steps Multipliers
In most algorithms the modular product is computed in two
steps: polynomial multiplication followed by modular reduction.
Let A(x), B(x) and (x)  GF(2m) and P(x) be the irreducible field
generator polynomial.
In order to compute the modular product we first obtain the product
polynomial C(x), of degree at most 2m-2, as
m 1 m 1
Polynomial productC  x   A x  B x     a  i   b  i 
 i  i 
2m-1 coordinates  i 0  i 0 
• Then, in the second step, a reduction operation is performed in order
to obtain the m-1 degree polynomial C’(x) is defined as

Reduction step C  x   C  x  mod P x 

m coordinates
 GF(2m) Squarer
In most algorithms the modular product is computed in two
steps: polynomial multiplication followed by modular reduction.
Let A(x)  GF(2m) be an arbitrary element in the field and P(x) be
the irreducible field generator polynomial.
In order to compute the modular square of the element A(x) we first
obtain the polynomial product C(x), of degree at most 2m-2, as

Polynomial product  m1  m1 

C  x   A x  A x     ai i   ai i 
 i 0  i 0 
2m-1 coordinates

• Then, in a second step, a reduction operation is performed in order

to obtain the m-1 degree polynomial C’(x) defined as

Reduction step C  x   C  x  mod P x 

m coordinates
 Exercises
2) Consider the polynomial

P x   x 6  x 5  x 4  x  1

a) Show that P(x) forms a field in GF(2m).

b) Is P(x) a primitive polynomial?
c) Find 47 as a polynomial of degree less or equal to 5.
d) Find the positive number k that satisfies:
     1
k 4 3
 Some definitions

Here, we restrict our discussion to the numbers that belongs to the

finite field F=GF(2m) over K=GF(2). K is also known as the
characteristic field. The elements of F are polynomials of degree less
than m, with coefficients in K; that is,

{am-1xm-1+am-2xm-2+...+a2x2+a1x+a0|ai= 0 or 1}.

These elements are frequently written in vector form as (am-1 ... a1

a0).

F has exactly 2m-1 nonzero elements plus the zero element.

 The Binary Field F2m

A polynomial p in GF(2m) is irreducible if p is not a unit element

and if p=fg then f or g must be a unit, that is, a constant
polynomial.

Let us consider a finite field F=GF(2m) over K=GF(2).

Elements of F: Polynomials of degree less than m, with

coefficients in K, such that,

{aF
Fact: The field m-1x
has +a
m-1
m-2x
exactly
m-2+...+a x2+a x+a |a = 0 or 1}.
q-1=22m-1 nonzero
1 0 i
elements plus

the zero element.

 Computational Example (con't)
 in GF(23) have (x2+1) is 1012 & (x2+x+1) is 1112
 polynomial modulo reduction (get q(x) & r(x)) is
 (x3+x2+x+1 ) mod (x3+x+1) = 1.(x3+x+1) + (x2) = x2
 1111 mod 1011 = 1111 XOR 1011 = 01002
 Using a Generator
 equivalent definition of a finite field
 a generator g is an element whose
powers generate all non-zero elements
 in F have 0, g0, g1, …, gq-2
 can create generator from root of the
irreducible polynomial
 then implement multiplication by adding
exponents of generator
 Summary
 have considered:
 divisibility & GCD
 modular arithmetic with integers
 concept of groups, rings, fields
 Euclid’s algorithm for GCD & Inverse
 finite fields GF(p)
 polynomial arithmetic in general and in GF(2n)