Page : 1 bfolieq.drw Technical University of Braunschweig IDA: Institute of Computer and Network Engineering  W. Adi 2011 Lecture-5 Mathematical Background:


Page : 1
Lecture-5 Mathematical Background: Extension Finite Fields
Network Security Design Fundamentals ET-IDA, v33, Prof. W. Adi

Page : 2
Outlines: Mathematical Background in Discrete Mathematics, number theory (parts 1 to 4)
- Euclidean Algorithm, Remainder
- Greatest Common Divisor (gcd)
- Group Theory, Rings, Finite Fields
- Element's Order, Euler Theorem
- Prime Numbers
- Prime Number Generation
- Extension Fields

Page : 3
Representing information in security systems as "Vectors" (Efficient algebra for modern cryptography!)
(101) -> 5, an element in GF(13)
( ) -> 85, an element in GF(89)
Large data blocks require a large field modulus and hence more complex arithmetic.
Possible representation of data as vectors having entries from some GF:
( ) elements are from GF(13)
( ) elements are from GF(7)
( ) elements are from GF(673)
Question: Can we construct an algebraic system with operational arithmetic using such a vector representation?
The answer is yes, by using extension finite fields.

Page : 4
Vector representation as polynomials over GF(2)
A(x) = a_0 + a_1 x + a_2 x^2 + ... is a polynomial over GF(2), a_i ∈ GF(2).
Example: polynomial A(x) = x^6 + x^5 + x^3 + 1 over GF(2). Corresponding vector: (1101001), positions 6 ... 0 from MSB to LSB.
Example: position vector (1100011). Corresponding polynomial: A(x) = x^6 + x^5 + x + 1.

Page : 5
Vector arithmetic over GF(2)
Addition: A(x) = 1 + x, B(x) = 1 + x + x^3
A(x) + B(x) = 2 + 2x + x^3 = x^3 (as 1 + 1 = 2 = 0 in GF(2))
In binary form: A(x) -> 0011, B(x) -> 1011, A(x) + B(x) -> 1000
Multiplication: A(x) B(x) = (1 + x)(1 + x + x^3) = 1(1 + x + x^3) + x(1 + x + x^3) = 1 + x + x^3 + x + x^2 + x^4 = 1 + x^2 + x^3 + x^4
In binary form (shift and add, as in schoolbook multiplication):
  B(x)        1011
  A(x)        0011
  A(x) * B(x) 11101

Page : 6
Irreducible polynomials
A polynomial g(x) = g_0 + g_1 x + ... + g_m x^m of degree m over GF(2) (g_i ∈ GF(2)) is said to be an irreducible polynomial if factorizing g(x) is not possible over GF(2).
Properties of irreducible polynomials:
- Period: the period e of g(x) is the smallest e such that x^e = 1 [mod g(x)]. The period e is actually the multiplicative order of x modulo g(x); e divides 2^m - 1.
- Primitive polynomial: if e = 2^m - 1, the irreducible polynomial is called a primitive polynomial.
- Reciprocal polynomial: the reciprocal of a polynomial is defined as g*(x) = x^m g(1/x) (mirror polynomial). The period of a reciprocal irreducible polynomial g*(x) is equal to that of g(x).
- Self-reciprocal irreducible polynomial: if g*(x) = g(x), then g(x) is said to be a self-reciprocal irreducible polynomial (symmetric). Its highest possible period is a divisor of 2^(m/2) + 1. A self-reciprocal polynomial can not be primitive!
What is the use of such "Irreducible Polynomials"? Field algebra on vectors requires irreducible polynomials! (Notice: a field on integers required a "prime number".)

Page : 7
The ring of polynomials modulo an irreducible g(x) is an extension field
The ring of polynomials Z_g(x) modulo an irreducible polynomial g(x) of degree m over GF(2) is an extension field with 2^m elements. This is assigned as GF(2^m).
How to construct such algebraic systems? Select g(x) as an irreducible polynomial and use it as a field modulus!
Finding irreducible polynomials: there are corresponding theories and techniques similar to those of prime integers for testing and generating irreducible polynomials (out of the scope of this lecture).
The following is a full list of the irreducible polynomials over GF(2) up to degree 11.

Page : 8
List of all irreducible polynomials over GF(2) up to degree 11 (all 1 Polynomial) [table not contained in the transcript]

Page : 9
Smallest Extension Field GF(2^2): full operational algebra on vectors/polynomials
g(x) = x^2 + x + 1 = 111 is irreducible of degree m = 2 over GF(2). g(x) is the modulus, therefore x^2 + x + 1 = 0 => x^2 = x + 1.
GF(2^2) elements are: 0, 1, x, 1+x (as vectors: 00, 01, 10, 11).
Addition and multiplication tables in GF(2^2) are:
  +   |  0    1    x   1+x
  0   |  0    1    x   1+x
  1   |  1    0   1+x   x
  x   |  x   1+x   0    1
 1+x  | 1+x   x    1    0

  *   |  0    1    x   1+x
  0   |  0    0    0    0
  1   |  0    1    x   1+x
  x   |  0    x   1+x   1
 1+x  |  0   1+x   1    x
Example entry: (1+x)(1+x) = x^2 + 2x + 1 = x^2 + 1 = (x+1) + 1 = x, since 2 = 0 over GF(2). Equivalently, take the remainder of the division (x^2 + 1) / (x^2 + x + 1) = 1 + x / (x^2 + x + 1), which is x.

Page : 10
Multiplicative order and primitive elements in GF(2^m)
Non-zero elements in GF(2^m) build a cyclic group. The multiplicative order of any element in GF(2^m) is a divisor of 2^m - 1 [possible multiplicative orders are only the divisors of (2^m - 1)].
A primitive element is the element having the highest possible multiplicative order = 2^m - 1. The exponents of this element generate the whole group.
Number of existing primitive elements: φ(2^m - 1)
Number of elements having order k: φ(k)

Page : 11
Summary and selection of some extension field properties
Given an extension field over GF(2) generated by the irreducible generator polynomial g(x) of degree m, where g(x) = 1 + g_1 x + g_2 x^2 + ... + g_m x^m [all computations are modulo g(x)]. The result is GF(2^m). In GF(2^m) the following relationships hold:
1. Any non-zero element α in GF(2^m) has a multiplicative inverse. Or in other words, the 2^m - 1 non-zero elements build a cyclic group under multiplication. The group's order is 2^m - 1. (Inverse computation: by using the extended gcd for polynomials.)
2. The multiplicative order of any element is a divisor of 2^m - 1; the number of elements with order t is φ(t).
3. For any non-zero element α ∈ GF(2^m) the following holds: α^(2^m - 1) = 1 (reason: the order of any element divides the group's order 2^m - 1).
4. If α, β ∈ GF(2^m) then (α + β)^2 = α^2 + β^2, or [f(x)]^2 = f(x^2). (Notice: squaring is a linear operation in GF(2^m).)

Page : 12
Example: Element's order over an extension field GF(2^4)
Compute the exponents of the element x over GF(2^4), which is generated by the irreducible polynomial P(x) = x^4 + x + 1.
Solution: If P(x) = x^4 + x + 1 is the modulus then it is equal to zero, that is x^4 + x + 1 = 0, thus x^4 = x + 1. The exponents of x in GF(2^4) are (vector written msb ... lsb, all mod (x^4 + x + 1)):
x^1  = x                                          0010
x^2  = x^2                                        0100
x^3  = x^3                                        1000
x^4  = x + 1                                      0011
x^5  = x · x^4 = x^2 + x                          0110
x^6  = x(x^2 + x) = x^3 + x^2                     1100
x^7  = x(x^3 + x^2) = x^4 + x^3 = x^3 + x + 1     1011
x^8  = x^4 + x^2 + x = x + 1 + x^2 + x = x^2 + 1  0101
x^9  = x^3 + x                                    1010
x^10 = x^4 + x^2 = x^2 + x + 1                    0111
x^11 = x^3 + x^2 + x                              1110
x^12 = x^4 + x^3 + x^2 = x^3 + x^2 + x + 1        1111
x^13 = x^4 + x^3 + x^2 + x = x^3 + x^2 + 1        1101
x^14 = x^4 + x^3 + x = x + 1 + x^3 + x = x^3 + 1  1001
x^15 = x^4 + x = x + 1 + x = 1                    0001
Important notice: In GF(2^4) the order of any element is a divisor of 2^4 - 1 = 15. Divisors of 15 are 1, 3, 5, 15! The order can only be 1 or 3 or 5 or 15! The order of the element x is 15 = 2^4 - 1 => x is a primitive element.
Ord(α^i) = k / gcd(i, k), where k = Ord(α). Hence Ord(x^i) = 15 for i = 1, 2, 4, 7, 8, 11, 13, 14.
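The exponent table of slide 12, the GF(2^2) products of slide 9 and the order facts of slide 10 can be reproduced mechanically. The following is an added example and not code from the lecture; it assumes polynomials over GF(2) are stored as Python ints with bit i holding the coefficient of x^i, and it also checks the self-reciprocal polynomial x^4 + x^3 + x^2 + x + 1 from slide 6 (period 5, not primitive).

```python
# Added example (not from the lecture): arithmetic in GF(2^m) with modulus
# g(x), the exponent table of x (slides 9 and 12) and the element-order
# facts of slide 10. A polynomial over GF(2) is an int, bit i = coefficient
# of x^i, so x^4 + x + 1 is 0b10011 and vectors print as msb..lsb.
# All functions assume g(x) is irreducible, as on the slides.

def gf2_mul(a: int, b: int, g: int) -> int:
    """a(x)*b(x) mod g(x): shift-and-add, reducing whenever degree m appears."""
    m = g.bit_length() - 1            # degree of the modulus
    r = 0
    while b:
        if b & 1:
            r ^= a                    # add a(x) (addition is XOR over GF(2))
        b >>= 1
        a <<= 1                       # multiply a(x) by x
        if (a >> m) & 1:              # x^m term appeared: subtract g(x)
            a ^= g
    return r

def powers_of_x(g: int) -> dict:
    """{i: x^i mod g} for i = 1 .. ord(x); the last entry is x^ord(x) = 1."""
    table, e, i = {}, 1, 0
    while True:
        e, i = gf2_mul(e, 0b10, g), i + 1
        table[i] = e
        if e == 1:
            return table

def order(a: int, g: int) -> int:
    """Multiplicative order of a != 0: smallest k >= 1 with a^k = 1 mod g."""
    k, e = 1, a
    while e != 1:
        e, k = gf2_mul(e, a, g), k + 1
    return k

def is_primitive(g: int) -> bool:
    """g(x) is primitive iff the period of x is 2^m - 1 (slide 6)."""
    return order(0b10, g) == 2 ** (g.bit_length() - 1) - 1

def order_counts(g: int) -> dict:
    """How many non-zero elements have each order; slide 10 says phi(k)."""
    m = g.bit_length() - 1
    counts = {}
    for a in range(1, 2 ** m):
        k = order(a, g)
        counts[k] = counts.get(k, 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    g = 0b10011                       # x^4 + x + 1, the modulus of slide 12
    for i, e in powers_of_x(g).items():
        print(f"x^{i:<2} = {e:04b}")
    print("ord(x) =", order(0b10, g), "primitive:", is_primitive(g))
    print("elements per order:", order_counts(g))
    print("x^4+x^3+x^2+x+1 primitive:", is_primitive(0b11111))
```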

Page : 13
Hardware Architectures for Arithmetic in GF(2^n): Addition (parallel and sequential circuit figures)

Page : 14
Hardware Architectures for Arithmetic in GF(2^m): Multiplication
B(x) = H(x) · I(x)
(Figure: shift-register multiplier with tap coefficients h_0, h_1, h_2, h_3, ..., h_(m-1), h_m of H(x) and register stages S_0, S_1, ..., S_(m-1), S_m; the input stream I(x) = ..., i(2), i(1), i(0) is clocked in starting at the MSB.)

Page : 15
Hardware Architectures for Arithmetic in GF(2^m): Division
I(x) / G(x) = Q(x) + R(x) / G(x)
(Figure: division shift register with feedback taps g_0, g_1, g_2, ..., g_(m-1) of G(x).)

Page : 16
Hardware Architectures for Arithmetic in GF(2^m): Division and Multiplication, Remainder (circuit figure)

Page : 17
Arithmetic in Z_p(x), size 2^16. Example: simultaneous division and multiplication
S(x) = x^16 I(x) mod (1 + x^2 + x^15 + x^16)
Multiply the data stream I(x) by x^16 and divide it simultaneously by (1 + x^2 + x^15 + x^16). The contents of the register after entering all I(x) bits is the remainder of x^16 I(x) mod (1 + x^2 + x^15 + x^16).
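A software model of the slide-17 register, added here as an example and not taken from the lecture: the input bits are clocked in one per step, the state is multiplied by x, the input bit enters at the x^16 position and the feedback taps reduce modulo g(x) in the same step; the result is compared with plain polynomial long division. It assumes polynomials are ints with bit i = coefficient of x^i and that the data stream enters highest-degree coefficient first.

```python
# Added example (not from the lecture): software model of the slide-17
# register that multiplies the input stream I(x) by x^16 and reduces modulo
# g(x) = 1 + x^2 + x^15 + x^16 in the same pass, checked against plain
# polynomial long division. Polynomials are ints, bit i = coefficient of x^i.

G = (1 << 16) | (1 << 15) | (1 << 2) | 1     # 1 + x^2 + x^15 + x^16

def poly_mod(a: int, g: int) -> int:
    """Remainder of a(x) divided by g(x) over GF(2) by long division."""
    dg = g.bit_length() - 1
    while a and a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)   # cancel the leading term
    return a

def bits_msb_first(data: bytes) -> list:
    """Coefficients of I(x), highest degree first, as the register sees them."""
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def lfsr_mul_div(bits, g: int = G) -> int:
    """One clock per input bit: state <- (state * x + bit * x^m) mod g(x).
    The register holds degrees 0..m-1 only; the x^m coefficient produced by
    the shift is the MSB of the old state XOR the input bit, and when it is 1
    the feedback taps subtract g(x) (its x^m term cancels, the rest is XORed).
    After the last bit the state is x^m * I(x) mod g(x), the S(x) of slide 17."""
    m = g.bit_length() - 1
    mask = (1 << m) - 1
    taps = g & mask                           # g(x) without its x^m term
    s = 0
    for b in bits:
        top = (s >> (m - 1)) & 1              # becomes the x^m coefficient
        s = (s << 1) & mask                   # multiply the state by x
        if top ^ b:                           # x^m coefficient is 1: reduce
            s ^= taps
    return s

def remainder_via_division(data: bytes, g: int = G) -> int:
    """Reference: build I(x) as an integer, multiply by x^m, divide by g(x)."""
    m = g.bit_length() - 1
    return poly_mod(int.from_bytes(data, "big") << m, g)

def register_matches_division(data: bytes) -> bool:
    """True when the bit-serial register agrees with long division."""
    return lfsr_mul_div(bits_msb_first(data)) == remainder_via_division(data)

if __name__ == "__main__":
    sample = b"constructed sample input"       # constructed test data
    print(f"S(x) = {lfsr_mul_div(bits_msb_first(sample)):016b}")
    print("matches long division:", register_matches_division(sample))
```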

Page : 18
Example: Element's order over an extension field GF(2^3)
Compute the exponents of the element x over GF(2^3), which is generated by the irreducible polynomial P(x) = x^3 + x + 1.
Solution: If P(x) = x^3 + x + 1 is the modulus then it is equal to zero, that is x^3 + x + 1 = 0, thus x^3 = x + 1. The exponents of x in GF(2^3) are (vector written msb lsb, all mod (x^3 + x + 1)):
x^1 = x                                      010
x^2 = x^2                                    100
x^3 = x + 1                                  011
x^4 = x · x^3 = x^2 + x                      110
x^5 = x · x^4 = x^3 + x^2 = x^2 + x + 1      111
x^6 = (x^3)^2 = (x + 1)^2 = x^2 + 1          101
x^7 = x(x^2 + 1) = x^3 + x = x + 1 + x = 1   001
Important notice: In GF(2^3) the order of any element is a divisor of 2^3 - 1 = 7. Divisors of 7 are 1, 7! The order can only be 1 or 7! The order of the element x is 7 = 2^3 - 1 => x is a primitive element.
A possible hardware generator for the exponents of x: a 3-stage shift register (stages x^0, x^1, x^2 from LSB to MSB) with the feedback x^3 = x + 1, initial state = x = 010. Each clock multiplies the state by x, so the register runs through x^1 ... x^7 = 1 and then x^8 = x again.

Page : 19
gcd Algorithm for Polynomials (flowchart)
Start with P_1(x), P_2(x).
Compute R(x) = R_(P_2(x))[P_1(x)], the remainder of P_1(x) divided by P_2(x).
Is R(x) = 0?
  no: P_1(x) <- P_2(x), P_2(x) <- R(x), and repeat.
  yes: gcd <- c^-1 P_2(x). End.
PS: [c^-1 is the inverse of the leading coefficient of P_2(x)]

Page : 20
Extended gcd Algorithm for Polynomials (flowchart)
Input: P_1(x), P_2(x), P_2(x) ≠ 0
Initialization: A_1(x) = 1, B_1(x) = 0; A_2(x) = 0, B_2(x) = 1
Start: divide P_1(x) by P_2(x): P_1(x) / P_2(x) = Q(x) + R(x) / P_2(x)
Is R(x) = 0?
  no: update A_2 <- A_1 - Q A_2, B_2 <- B_1 - Q B_2 (shifting the old A_2, B_2 into A_1, B_1), set P_1(x) <- P_2(x), P_2(x) <- R(x), and divide again.
  yes: find the leading coefficient c of P_2(x) and normalize. Result: gcd[P_1(x), P_2(x)] = A(x) P_1(x) + B(x) P_2(x).

Page : 21
Extended gcd Algorithm: Example
Compute the multiplicative inverse of x^3 + x + 1 modulo x^4 + x + 1.
Solution: Compute gcd[P_1(x), P_2(x)] = A(x) P_1(x) + B(x) P_2(x); if gcd = 1, then the inverse is B(x).
Operating modulo x^4 + x + 1: x^4 + x + 1 = 0, so x^4 = x + 1 and x^5 = x^2 + x.
Table (update rule: A2 = A1 - q A2, B2 = B1 - q B2; minus equals plus over GF(2)):
P1(x)       | A1 | A2          | P2(x)       | B1 | B2              | R(x)    | Q(x)
x^4 + x + 1 | 1  | 0           | x^3 + x + 1 | 0  | 1               | x^2 + 1 | x
x^3 + x + 1 | 0  | 1 - x·0 = 1 | x^2 + 1     | 1  | 0 - x·1 = x     | 1       | x
x^2 + 1     | 1  | 0 - x·1 = x | 1           | x  | 1 - x·x = x^2+1 | 0       | x^2 + 1
gcd[P_1(x), P_2(x)] = (x)(x^4 + x + 1) + (x^2 + 1)(x^3 + x + 1) = 1
Taking the remainder modulo (x^4 + x + 1): R[(x)(x^4 + x + 1) + (x^2 + 1)(x^3 + x + 1)] = R[(x^2 + 1)(x^3 + x + 1)] = 1 => (x^2 + 1) = (x^3 + x + 1)^-1 modulo (x^4 + x + 1).
Check: (x^2 + 1)(x^3 + x + 1) = x^5 + x^3 + x^2 + x^3 + x + 1 = x^5 + x^2 + x + 1 = (x^2 + x) + x^2 + x + 1 = 1 modulo (x^4 + x + 1).
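The extended gcd of slides 20 and 21 in code, added here as an example that is not from the lecture. It assumes polynomials over GF(2) are ints with bit i = coefficient of x^i, which makes the leading coefficient always 1 and the c^-1 step of the flowchart trivial; the non-invertible case (gcd ≠ 1, possible only with a reducible modulus) is reported instead of returning a wrong value.

```python
# Added example (not from the lecture): the extended gcd of slides 20/21 for
# polynomials over GF(2), used to invert x^3 + x + 1 modulo x^4 + x + 1.
# Polynomials are ints, bit i = coefficient of x^i; over GF(2) every leading
# coefficient is 1, so the c^-1 normalisation of the flowchart is trivial.

def poly_mul(a: int, b: int) -> int:
    """Plain (unreduced) product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def poly_divmod(a: int, b: int) -> tuple:
    """Quotient Q(x) and remainder R(x) with a(x) = Q(x) b(x) + R(x)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift                       # cancel the leading term
    return q, a

def ext_gcd(p1: int, p2: int) -> tuple:
    """Return (gcd, A, B) with gcd(x) = A(x) p1(x) + B(x) p2(x)."""
    a1, b1, a2, b2 = 1, 0, 0, 1               # initialisation of slide 20
    while p2:
        q, r = poly_divmod(p1, p2)
        # A2 <- A1 - Q A2, B2 <- B1 - Q B2 (slide 21); minus is XOR over GF(2)
        a1, a2 = a2, a1 ^ poly_mul(q, a2)
        b1, b2 = b2, b1 ^ poly_mul(q, b2)
        p1, p2 = p2, r                        # P1 <- P2, P2 <- R
    return p1, a1, b1

def inverse_mod(a: int, g: int) -> int:
    """a(x)^-1 mod g(x). With P1 = g and P2 = a the coefficient B(x) is the
    inverse (slide 21). Fails when gcd != 1, i.e. a shares a factor with g,
    which cannot happen for irreducible g(x) and non-zero a of lower degree."""
    d, _, b = ext_gcd(g, a)
    if d != 1:
        raise ValueError("no inverse: gcd(a, g) != 1")
    return poly_divmod(b, g)[1]

if __name__ == "__main__":
    g, a = 0b10011, 0b1011                    # x^4 + x + 1 and x^3 + x + 1
    d, A, B = ext_gcd(g, a)
    print(f"gcd = {d:b}, A = {A:b}, B = {B:b}")   # 1, x, x^2 + 1
    inv = inverse_mod(a, g)
    print(f"inverse = {inv:b}, check = {poly_divmod(poly_mul(a, inv), g)[1]}")
```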

Page : 22
Some extension field properties: GF(2^m) as a vector space
6. If α ∈ GF(2^m) is a root of g(x) = 0, then α, α^2, α^4, ..., α^(2^(m-1)) are all the roots of g(x) (proof: direct application of 4).
7. If α, α^2, α^4, ..., α^(2^(m-1)) are linearly independent, they build the normal basis for this GF(2^m).
8. The multiplicative order of any element divides 2^m - 1.
9. Period of g(x): the order of the element x is called the period of g(x) (or the exponent to which g(x) belongs).
10. Primitive polynomial: the polynomial is called a primitive polynomial if the order of x is maximal = 2^m - 1.
11. Self reciprocal: if g(x) = x^m g(1/x) then the polynomial is called self reciprocal. The highest possible period of a self reciprocal irreducible polynomial is 2^(m/2) + 1.

Page : 23
Arithmetic in GF(2^m) is sometimes very attractive for practical hardware implementations
Example: Normal base representation (Massey-Omura)
If α is a root of the field generating irreducible polynomial P(x) over GF(2), then α^0, α^1, α^2, α^3, ..., α^(m-1) build a canonical base for GF(2^m).
GF(2^m) is equivalent to a vector space with dimension m: m elements represent a base for a vector space if their linear combination with coefficients b_0, b_1, ..., b_(m-1) is 0 if and only if b_0 = b_1 = b_2 = ... = b_(m-1) = 0 (base vectors are linearly independent).
If however α, α^2, α^4, ..., α^(2^(m-1)) are linearly independent, then they represent the so called normal base.
Squaring is equal to ring rotation when using a normal base: i.e. if b = [b_0 b_1 b_2 ... b_(m-1)] (meaning b = b_0 α + b_1 α^2 + ... + b_(m-1) α^(2^(m-1))), then b^2 = [b_(m-1) b_0 b_1 ... b_(m-2)] in normal base representation, because squaring maps α^(2^i) to α^(2^(i+1)) and α^(2^m) = α.
Example of squaring in a normal base system: if a = 10101, then a^2 = 11010 (the vector rotated by one position).