Information Security Lab. Dept. of Computer Engineering 87/121 PART I Symmetric Ciphers CHAPTER 4 Finite Fields 4.1 Groups, Rings, and Fields 4.2 Modular.

Presentation transcript:

Information Security Lab. Dept. of Computer Engineering 87/121
PART I Symmetric Ciphers
CHAPTER 4 Finite Fields
4.1 Groups, Rings, and Fields
4.2 Modular Arithmetic
4.3 The Euclidean Algorithm
4.4 Finite Fields of the Form GF(p)
4.5 Polynomial Arithmetic
4.6 Finite Fields of the Form GF(2^n)

4.1 Groups, Rings, and Fields: Groups
- A group G, denoted by {G, •}, is a set of elements with a binary operation, denoted by •, for which the following axioms (A1) to (A4) are obeyed:
  (A1) Closure: for a, b ∈ G, a • b ∈ G
  (A2) Associative: a • (b • c) = (a • b) • c for all a, b, c ∈ G
  (A3) Identity element: ∃ e ∈ G such that e • a = a • e = a for all a ∈ G
  (A4) Inverse element: for each a ∈ G, ∃ a^−1 ∈ G such that a • a^−1 = a^−1 • a = e
  (A5) Commutative: a • b = b • a for all a, b ∈ G
- A group is said to be abelian if it also satisfies (A5)
- A group with a finite number of elements is a finite group (of finite order); otherwise it is an infinite group

4.1 Groups, Rings, and Fields: Groups
- Example: define S_n to be the set of all permutations of n distinct symbols. Each element of S_n is represented by a permutation of the integers in {1, 2, …, n}. S_n is a group:
  A1: for π, ρ ∈ S_n, the composite mapping π • ρ ∈ S_n. For example, π = {3, 2, 1}, ρ = {1, 3, 2}, π • ρ = {2, 3, 1} ∈ S_n
  A2: the composition of mappings is easily seen to be associative
  A3: for S_n the identity element is {1, 2, …, n}
  A4: for any π ∈ S_n there is an inverse; e.g. for π = {2, 3, 1}, π^−1 = {3, 1, 2} ∈ S_n, since {2, 3, 1} • {3, 1, 2} = {1, 2, 3}

4.1 Groups, Rings, and Fields: Cyclic Group
- Define exponentiation as repeated application of the group operator: a^3 = a • a • a
- Let the identity be e = a^0
- A group G is cyclic if every element is a power of some fixed element: b = a^k for some a and every b ∈ G; a is said to be a generator of the group G
- Additive finite group G = {0, 1, 2, 3, 4, 5, 6} (addition mod 7): G is a cyclic group; identity = 0 (= 1^0), generator = 1; e.g. 1^3 = 1 + 1 + 1 = 3

4.1 Groups, Rings, and Fields: Rings
- A ring R, denoted by {R, +, •}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed:
  (A1 ~ A5): R is an abelian group under addition
  (M1) Closure under multiplication: for a, b ∈ R, a • b ∈ R
  (M2) Associativity of multiplication: for a, b, c ∈ R, a • (b • c) = (a • b) • c
  (M3) Distributive laws: for a, b, c ∈ R, a • (b + c) = a • b + a • c and (a + b) • c = a • c + b • c
- Example of a ring: the set of all n-square matrices over the real numbers

4.1 Groups, Rings, and Fields: Rings
- A ring is said to be commutative if it satisfies the following condition:
  (M4) Commutativity of multiplication: for a, b ∈ R, ab = ba
- Let S be the set of even integers under the usual addition and multiplication: S is a commutative ring
Integral domain
- An integral domain is a commutative ring that obeys the following axioms:
  (M5) Multiplicative identity: ∃ 1 ∈ R such that for all a ∈ R, a1 = 1a = a
  (M6) No zero divisors: if a, b ∈ R and ab = 0, then either a = 0 or b = 0

4.1 Groups, Rings, and Fields: Fields
- A field F, denoted by {F, +, •}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
  (A1 ~ M6) F is an integral domain: F satisfies axioms A1 through M6
  (M7) Multiplicative inverse: for each a in F, except 0, ∃ a^−1 ∈ F such that aa^−1 = (a^−1)a = 1
- A field is an additive abelian group whose nonzero elements also form a multiplicative abelian group
- The structures form a hierarchy, each adding axioms/laws to the previous one: group → ring → field

4.1 Groups, Rings, and Fields: Fig. 4.1 Groups, Rings, and Fields
Group: (A1) Closure under addition, (A2) Associativity of addition, (A3) Additive identity, (A4) Additive inverse
Abelian group: adds (A5) Commutativity of addition
Ring: adds (M1) Closure under multiplication, (M2) Associativity of multiplication, (M3) Distributive law
Commutative ring: adds (M4) Commutativity of multiplication
Integral domain: adds (M5) Multiplicative identity, (M6) No zero divisors
Field: adds (M7) Multiplicative inverse

4.2 Modular Arithmetic
- n: positive integer, a: any nonnegative integer. Then a = qn + r with 0 ≤ r < n and q = ⌊a/n⌋
- Define the modulo operator "a mod n" to be the remainder r (the residue) when a is divided by n (the modulus). e.g. 11 mod 7 = 4
- Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n), i.e. a and b have the same remainder; written a ≡ b (mod n). e.g. 73 ≡ 4 (mod 23), 21 ≡ −9 (mod 10)
- The process of replacing an integer by its remainder is known as modular reduction

4.2 Modular Arithmetic: Divisors
- A nonzero number b divides a if a = mb for some m, where a, b, m are all integers; i.e. b divides into a with no remainder; denoted by b|a
- If b|a then b is a divisor of a; e.g. 1, 2, 3, 4, 6, 8, 12, 24 divide 24
- If a|1, then a = ±1. If a|b and b|a, then a = ±b. Any b ≠ 0 divides 0. If b|g and b|h, then b|(mg + nh) for any integers m, n
Properties of Congruence
- Congruences have the following properties:
  1. a ≡ b (mod n) if n|(a – b)
  2. a ≡ b (mod n) ⇒ b ≡ a (mod n) (since n|(a – b) ⇒ n|(b – a))
  3. a ≡ b (mod n) and b ≡ c (mod n) ⇒ a ≡ c (mod n)

4.2 Modular Arithmetic: Modular Arithmetic Operations
- The (mod n) operator maps all integers into the set of integers {0, 1, …, (n – 1)}; "clock arithmetic"
- Modular arithmetic exhibits the following properties:
  1. (a + b) mod n = [(a mod n) + (b mod n)] mod n
  2. (a – b) mod n = [(a mod n) – (b mod n)] mod n
  3. (a × b) mod n = [(a mod n) × (b mod n)] mod n
- Proof of property 1: define (a mod n) = r_a, so a = jn + r_a for some j, and (b mod n) = r_b, so b = kn + r_b for some k. Then
  (a + b) mod n = (jn + r_a + kn + r_b) mod n = (r_a + r_b + (k + j)n) mod n = (r_a + r_b) mod n = [(a mod n) + (b mod n)] mod n

4.2 Modular Arithmetic: Properties of Modular Arithmetic
- Define the set Z_n as the set of nonnegative integers less than n (the set of residues, or residue classes, modulo n): Z_n = {0, 1, …, n – 1}
- The residue class modulo n: [r] = { a | a is an integer, a ≡ r (mod n) }. The residue classes modulo 4: { [0], [1], [2], [3] }
- Z_n is a commutative ring under addition and multiplication mod n, with a multiplicative identity; see Table 4.2 Properties of Modular Arithmetic for Z_n
- Two integers are relatively prime if their only common positive integer factor is 1

4.2 Modular Arithmetic: Properties of Modular Arithmetic
- If (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n). With (−a) the additive inverse of a: ((−a) + a + b) ≡ ((−a) + a + c) (mod n) ⇒ b ≡ c (mod n)
- If (a × b) ≡ (a × c) (mod n), then b ≡ c (mod n) only if a is relatively prime to n. If a is relatively prime to n, then ∃ a^−1 mod n, and ((a^−1) × a × b) ≡ ((a^−1) × a × c) (mod n) ⇒ b ≡ c (mod n)

4.3 The Euclidean Algorithm: Greatest Common Divisor (gcd)
- gcd: a common problem in number theory
- gcd(a, b), the greatest common divisor of a and b, is the largest number that divides evenly into both a and b: gcd(a, b) = max{ k : k|a and k|b }. e.g. gcd(60, 24) = 12
- If gcd(a, b) = 1, i.e. if a and b have no common factors (except 1), then a and b are relatively prime. gcd(8, 15) = 1 ⇒ 8 and 15 are relatively prime
Finding the Greatest Common Divisor
- The Euclidean algorithm is based on the following fact: gcd(a, b) = gcd(b, a mod b) for any positive integers a, b

4.3 The Euclidean Algorithm: Finding the Greatest Common Divisor
- gcd(a, b) = gcd(b, a mod b). Proof: let d = gcd(a, b), so d|a and d|b. a can be expressed as a = kb + r ≡ r (mod b), so a mod b = r, where k, r are integers. Thus (a mod b) = r = a – kb. Since d|a and d|b, d|(a mod b). This means that d is a common divisor of b and (a mod b). Conversely, let d = gcd(b, (a mod b)), so d|b and d|(a mod b). Then d|kb and d|(kb + (a mod b)), so d|a. Thus d = gcd(a, b).
- Euclidean algorithm to compute gcd(a, b):
  Euclid(a, b)  // Input: a, b; Output: gcd(a, b)
  Step 1: A = a; B = b;
  Step 2: if B == 0 return A = gcd(a, b);
  Step 3: R = A mod B;
  Step 4: A = B; B = R; goto Step 2

4.3 The Euclidean Algorithm: Finding the Greatest Common Divisor
- To find gcd(1970, 1066):
  1970 = 1 × 1066 + 904   gcd(1066, 904)
  1066 = 1 × 904 + 162    gcd(904, 162)
  904 = 5 × 162 + 94      gcd(162, 94)
  162 = 1 × 94 + 68       gcd(94, 68)
  94 = 1 × 68 + 26        gcd(68, 26)
  68 = 2 × 26 + 16        gcd(26, 16)
  26 = 1 × 16 + 10        gcd(16, 10)
  16 = 1 × 10 + 6         gcd(10, 6)
  10 = 1 × 6 + 4          gcd(6, 4)
  6 = 1 × 4 + 2           gcd(4, 2)
  4 = 2 × 2 + 0           gcd(2, 0)
  Therefore, gcd(1970, 1066) = 2

4.4 Finite Fields of the Form GF(p)
- Finite fields play a key role in cryptography
- The number of elements in a finite field must be a power of a prime, p^n
- The finite field of order p^n is known as a Galois field, denoted by GF(p^n)
- In particular we often use the fields GF(p), the prime field (n = 1), and GF(2^n), the binary field (p = 2)
Finite Fields of Order p
- GF(p) is the set of integers {0, 1, …, p – 1} with arithmetic operations modulo the prime p

4.4 Finite Fields of the Form GF(p): Finite Fields of Order p
- An integer in Z_n = {0, 1, …, n – 1} has a multiplicative inverse if and only if the integer is relatively prime to n. If n is prime, then all of the nonzero integers in Z_n are relatively prime to n, and there exists a multiplicative inverse for each of them
- For each w ∈ Z_p, w ≠ 0, there exists a z ∈ Z_p such that wz = zw = 1
- Z_p is in fact a finite field GF(p); hence we can do addition, subtraction, multiplication, and division
- Table 4.3 shows arithmetic in GF(7) (next slide)

4.4 Finite Fields of the Form GF(p): Table 4.3 Arithmetic in GF(7) (addition, multiplication, additive inverse and multiplicative inverse tables)

4.4 Finite Fields of the Form GF(p): Finding the Multiplicative Inverse in GF(p)
- How to find the multiplicative inverse of an element a in a finite field GF(p): the Extended Euclidean Algorithm
  Extended Euclid(a, b)
  INPUT: two non-negative integers a and b with a ≥ b
  OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d
  Step 1: if b = 0 then d ← a, x ← 1, y ← 0 and return (d, x, y);
  Step 2: set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1;
  Step 3: while b > 0 do
    3.1: q ← ⌊a/b⌋, r ← a – qb, x ← x2 – qx1, y ← y2 – qy1;
    3.2: a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1 ← y;
  Step 4: set d ← a, x ← x2, y ← y2 and return (d, x, y)
- Extended Euclid(p, a): px + ay = 1 ⇒ y = a^−1 mod p

4.4 Finite Fields of the Form GF(p): Finding the Multiplicative Inverse in GF(p)
- Extended Euclid(p, a): px + ay = 1 ⇒ y = a^−1 mod p, because px + ay = 1 gives ay = 1 – px ⇒ ay ≡ 1 (mod p)
- Example: find the inverse of 3 in GF(7); 3^−1 = 5. Running Extended Euclid(7, 3), one row per iteration of Step 3:
  q   r   x   y   |  a   b   x2  x1  y2  y1
  -   -   -   -   |  7   3   1   0   0   1
  2   1   1   −2  |  3   1   0   1   1   −2
  3   0   −3  7   |  1   0   1   −3  −2  7
  d ← a = 1, x ← x2 = 1, y ← y2 = −2 (≡ 5 mod 7)
  px + ay = d ⇒ 7(1) + 3(−2) = 1 ⇒ 3 × 5 ≡ 1 (mod 7) ⇒ 3^−1 = 5
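As an added example (not code from the slides or from Stallings), the Euclid and Extended Euclid procedures above written out in Python exactly as the slides step through them, then used to obtain 3^−1 in GF(7) and the whole inverse row of Table 4.3 for GF(7); the function names are my own.

```python
# Added example: Euclid and Extended Euclid as stated on the slides, then the
# multiplicative inverse in GF(p). Function names are my own, not Stallings's.

def euclid(a, b):
    """gcd(a, b) by gcd(a, b) = gcd(b, a mod b); also returns the trace rows
    (A, q, B, R) meaning A = q*B + R, as laid out in the gcd(1970, 1066) slide."""
    trace = []
    A, B = a, b                       # Step 1
    while B != 0:                     # Step 2: when B == 0, A is the gcd
        q, R = divmod(A, B)           # Step 3: R = A mod B
        trace.append((A, q, B, R))
        A, B = B, R                   # Step 4
    return A, trace

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d, for a >= b >= 0."""
    if b == 0:                                    # Step 1
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1                   # Step 2
    while b > 0:                                  # Step 3
        q, r = divmod(a, b)                       # 3.1: q = floor(a/b), r = a - q*b
        x, y = x2 - q * x1, y2 - q * y1
        a, b = b, r                               # 3.2: shift every variable down a row
        x2, x1, y2, y1 = x1, x, y1, y
    return a, x2, y2                              # Step 4

def inverse_mod(a, p):
    """a^-1 in Z_p via Extended Euclid(p, a): p*x + a*y = 1 gives a*y = 1 (mod p).
    Returns None when gcd(a, p) != 1, i.e. when a has no inverse (p not prime,
    or a a multiple of p)."""
    d, x, y = extended_euclid(p, a % p)
    if d != 1:
        return None
    return y % p

def inverse_table(p):
    """The w^-1 row of a GF(p) arithmetic table such as Table 4.3 for GF(7)."""
    return {w: inverse_mod(w, p) for w in range(1, p)}

if __name__ == "__main__":
    g, rows = euclid(1970, 1066)
    for A, q, B, R in rows:
        print(f"{A} = {q} x {B} + {R}")
    print("gcd(1970, 1066) =", g)                            # 2
    print("Extended Euclid(7, 3) =", extended_euclid(7, 3))  # (1, 1, -2)
    print("3^-1 in GF(7) =", inverse_mod(3, 7))              # 5
    print("inverses in GF(7):", inverse_table(7))
```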

4.5 Polynomial Arithmetic: Ordinary Polynomial Arithmetic
- A polynomial of degree n (n ≥ 0) is an expression of the form f(x) = a_n x^n + a_(n−1) x^(n−1) + … + a_1 x + a_0, with a_n ≠ 0. The variable x is referred to as the indeterminate; a_i, the i-th coefficient, is an element of the coefficient set S. Such polynomials are said to be defined over S
- A zeroth-degree polynomial is called a constant polynomial; if a_n = 1, the polynomial is monic
- Polynomial arithmetic operations: addition, subtraction, multiplication, division

4.5 Polynomial Arithmetic: Ordinary Polynomial Arithmetic
- Polynomial addition, subtraction and multiplication: see Fig. 4.3 Example of Polynomial Arithmetic

4.5 Polynomial Arithmetic: Polynomial Arithmetic with Coefficients in Z_p
- A polynomial of degree n (n ≥ 0) is an expression of the form f(x) = a_n x^n + … + a_1 x + a_0, where each a_i ∈ Z_p
- When computing the value of each coefficient, do the calculation modulo a prime p
- F[x] = { f | f is a polynomial with coefficients in F }: the polynomial ring over F
- Polynomial arithmetic operations: addition, subtraction, multiplication. When polynomial arithmetic is performed over a field (coefficients ∈ Z_p), division is possible as well

4.5 Polynomial Arithmetic: Polynomial Arithmetic with Coefficients in Z_p
- Division: r(x) = f(x) mod g(x)
- If there is no remainder (r(x) = 0), g(x) divides f(x), denoted by g(x) | f(x); g(x) is a factor of f(x), or g(x) is a divisor of f(x)
- A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be expressed as a product of two polynomials over F, both of lower degree than f(x). An irreducible polynomial is also called a prime polynomial
- Arithmetic modulo an irreducible polynomial f(x) forms a field: F[x] / f(x)

4.5 Polynomial Arithmetic: Finding the Greatest Common Divisor
- The polynomial c(x) is said to be the greatest common divisor of a(x) and b(x), c(x) = gcd(a(x), b(x)), if (1) c(x) divides both a(x) and b(x), and (2) any divisor of a(x) and b(x) is a divisor of c(x)
- We can adapt Euclid's algorithm to find it:
  EUCLID(a(x), b(x))
  Step 1: A(x) ← a(x); B(x) ← b(x);
  Step 2: if B(x) == 0 return A(x) = gcd[a(x), b(x)];
  Step 3: R(x) ← A(x) mod B(x);
  Step 4: A(x) ← B(x); B(x) ← R(x);
  Step 5: goto Step 2;

4.6 Finite Fields of the Form GF(2^n)
- F[x]: the polynomial ring over a field Z_p (= GF(p)), p prime
- m(x): an irreducible polynomial of degree n. F[x]/m(x) (= the set of polynomials of degree less than n) forms a field GF(p^n), the extension field of GF(p): GF(p^n) = { a_(n−1) x^(n−1) + a_(n−2) x^(n−2) + … + a_1 x + a_0 }, a_i ∈ Z_p
- Let p = 2. GF(2^n) is called the binary field, the extension field of GF(2) (= Z_2 = {0, 1}): GF(2^n) = { (a_(n−1), a_(n−2), …, a_1, a_0) } with a_i ∈ GF(2) = {0, 1}, i.e. GF(2^n) = { a_(n−1) x^(n−1) + a_(n−2) x^(n−2) + … + a_1 x + a_0 }

4.6 Finite Fields of the Form GF(2^n): Table 4.6 Polynomial Arithmetic Modulo (x^3 + x + 1), (a) Addition

4.6 Finite Fields of the Form GF(2^n): Table 4.6 Polynomial Arithmetic Modulo (x^3 + x + 1), (b) Multiplication

4.6 Finite Fields of the Form GF(2^n): Computational Considerations
- Addition becomes XOR of the bit strings
- Multiplication is shift & XOR
- Modular reduction is done by repeatedly substituting the highest power with the remainder of the irreducible polynomial (also shift & XOR)
- Example: GF(2^3) = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1} = {000, 001, 010, 011, 100, 101, 110, 111}, m(x) = x^3 + x + 1
  Addition: (x^2+1) + (x^2+x+1) = x; 101 ⊕ 111 = 010
  Multiplication: (x+1) × (x^2+1) = x × (x^2+1) + 1 × (x^2+1) = x^3+x^2+x+1; (011) × (101) = (101)<<1 ⊕ (101)<<0 = 1010 ⊕ 101 = 1111

4.6 Finite Fields of the Form GF(2^n): Computational Considerations
- Modular reduction: (x^3+x^2+x+1) mod (x^3+x+1): since x^3+x^2+x+1 = 1 × (x^3+x+1) + x^2, the remainder is x^2; 1111 mod 1011 = 1111 ⊕ 1011 = 0100
Using a Generator
- A generator g of a finite field F of order q (containing q elements) is an element whose first q – 1 powers generate all the non-zero elements of F. That is, the elements of F consist of 0, g^0, g^1, …, g^(q−2)
- A generator is a root of the irreducible polynomial f(x). For example, f(x) = x^3+x+1 is irreducible; f(g) = 0 ⇒ g^3 + g + 1 = 0 ⇒ g^3 = g + 1

4.6 Finite Fields of the Form GF(2^n): Using a Generator, Table 4.8 Generator for GF(2^3) using x^3 + x + 1
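An added example, not code from the slides: the shift-and-XOR arithmetic of the two Computational Considerations slides, the polynomial EUCLID of 4.5, a trial-division irreducibility check, and the generator test behind Table 4.8, all on bit-string polynomials over GF(2). It defaults to the slides' m(x) = x^3 + x + 1 (0b1011) but takes any modulus, so it also gives the AES field GF(2^8) with x^8 + x^4 + x^3 + x + 1 (0x11b), a fact from the AES specification rather than from these slides; function names are my own.

```python
# Added example: GF(2^n) elements as bit strings (bit i = coefficient of x^i).
# Default modulus is the slides' m(x) = x^3 + x + 1 = 0b1011; any irreducible
# m(x) works, e.g. the AES polynomial x^8 + x^4 + x^3 + x + 1 = 0x11b.
# Function names are my own.

def gf2_add(a, b):
    """Addition (and subtraction) of polynomials over GF(2) is bitwise XOR."""
    return a ^ b

def gf2_mul_raw(a, b):
    """Plain polynomial product over GF(2): shift a left for each set bit of b
    and XOR the partial products together. No reduction yet."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return product

def gf2_mod(f, m):
    """f(x) mod m(x): while deg f >= deg m, XOR in m(x) shifted so that its
    leading term cancels the leading term of f (substituting the highest power)."""
    deg_m = m.bit_length() - 1
    while f and f.bit_length() - 1 >= deg_m:
        f ^= m << ((f.bit_length() - 1) - deg_m)
    return f

def gf2n_mul(a, b, m=0b1011):
    """Field multiplication in GF(2^n) = GF(2)[x] / m(x)."""
    return gf2_mod(gf2_mul_raw(a, b), m)

def gf2_gcd(a, b):
    """EUCLID(a(x), b(x)) from 4.5 applied to polynomials over GF(2)."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def is_irreducible(m):
    """Trial division: m(x) is irreducible over GF(2) iff no polynomial of
    degree 1..deg(m)/2 divides it (fine for the small moduli used here)."""
    n = m.bit_length() - 1
    if n < 1:
        return False
    return all(gf2_mod(m, d) != 0 for d in range(2, 1 << (n // 2 + 1)))

def generator_powers(g, m=0b1011):
    """g^0, g^1, ..., g^(q-2) for q = 2^deg(m): the rows of a table like 4.8."""
    q = 1 << (m.bit_length() - 1)
    powers, value = [], 1
    for _ in range(q - 1):
        powers.append(value)
        value = gf2n_mul(value, g, m)
    return powers

def is_generator(g, m=0b1011):
    """g generates F* iff its first q-1 powers are distinct non-zero elements."""
    powers = generator_powers(g, m)
    return 0 not in powers and len(set(powers)) == len(powers)

if __name__ == "__main__":
    print(f"{gf2_add(0b101, 0b111):03b}")                 # 010: (x^2+1)+(x^2+x+1) = x
    print(f"{gf2_mul_raw(0b011, 0b101):04b}")             # 1111: (x+1)(x^2+1)
    print(f"{gf2n_mul(0b011, 0b101):03b}")                # 100: 1111 mod 1011 = x^2
    print([f"{p:03b}" for p in generator_powers(0b010)])  # Table 4.8 with g = x
    print(is_irreducible(0b1011), is_irreducible(0x11b), is_irreducible(0b1001))
```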

KEY POINTS
- A field is a set of elements on which two arithmetic operations (addition and multiplication) have been defined and which has the properties of ordinary arithmetic, such as closure, associativity, commutativity, and having both additive and multiplicative inverses
- Modular arithmetic is a kind of integer arithmetic that reduces all numbers to one of a fixed set [0, …, n – 1] for some number n. Any integer outside this range is reduced to one in this range by taking the remainder after division by n
- The greatest common divisor of two integers is the largest positive integer that exactly divides both integers

KEY POINTS
- Finite fields are important in several areas of cryptography. A finite field is simply a field with a finite number of elements. It can be shown that the order of a finite field (the number of elements in the field) must be a power of a prime, p^n, where n is a positive integer
- Finite fields of order p can be defined using arithmetic mod p
- Finite fields of order p^n, for n > 1, can be defined using arithmetic over polynomials

Summary
- We have considered: the concepts of groups, rings and fields; modular arithmetic with integers; Euclid's algorithm for the GCD; the finite fields GF(p); polynomial arithmetic in general and in GF(2^n)