sign in sign up
<<
Home , Finite field

Spring 2019 Chris Christensen MAT/CSC 483

Introduction to finite fields

To understand AES and some other modern cryptosystems, it is necessary to understand a bit about finite fields.

A is an algebraic object. The elements of a field can be added, subtracted, multiplied, and divided (except by 0). Often in undergraduate courses the that are used come from a field. The rational numbers  (i.e., the fractions of ) form a field, the real numbers  form a field, and the complex numbers  form a field.

Number theory studies the integers  . The integers do not form a field. Integers can be added, subtracted, and multiplied; but integers cannot always be divided. 6 divided by 3 5 is 2, but 5 divided by 2 is not an ; is a rational . The integers form an 2 algebraic object called a .

The ring of integers modulo 26

Recall that when we explored affine ciphers we noted that the integers mod 26 do not form a field. The integers modulo 26 can be added, subtracted, and multiplied (so they do form a ring). But, recall that only 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, and 25 have multiplicative inverses mod 26. We can determine the inverse of integers that are relatively prime to the modulus by using the extended .

Finite field of p elements

If we mod the integers and the modulus is a prime, say p, then each positive integer that is less p is relatively prime to p and, therefore, has a multiplicative inverse modulo p. So, when we mod by a prime p we construct a finite field of p elements; the integers mod p is a finite field.

Here are three examples.

5

The integers modulo 5 is a field of 5 elements {0, 1, 2, 3, 4}. Here are the addition and multiplication tables:

+ 01234 × 1234 001234 11234 112340 22413 223401 33142 334012 44321 440123

number additive inverse number multiplicative inverse 00 1 1 14 2 3

23 3 2 32 4 4 41

The identity for addition is 0, and the identity for multiplication is 1. This is a field. We denote the field of 5 elements by5

3

The integers modulo 3 is a field of 5 elements 3 .

+ 01 2 × 12 0 01 2 112 1120 221 2 201

2

The integers modulo 2 is a field of 2 elements 2 .

+ 01 × 1 001 11 110

Viewing 0 and 1 as bits, + is just XORing bits, and multiplication is … well, multiplication is not very interesting. (Addition is essentially logical exclusive OR, and multiplication is essentially logical AND.)

So, for each prime p, the integers modulo p is a finite field of p elements. It is also possible to construct fields for which the number of elements is a power of a prime p.

Rings of and the field of rational functions

Like the integers, the polynomials with integer coefficients form a ring. We can add and subtract polynomials with integer coefficients, and the result will be a with integer coefficients. We can multiply polynomials with integer coefficients, and the result will be a polynomial with integer coefficients. But, we cannot always divide X 2 − 4 XX3 +−2 polynomials with integer coefficients: =X + 2 , but is not a X − 2 X 2 + 7 polynomial – it is a rational function. The polynomials with integer coefficients do not form a field, they form a ring. Algebraically, the ring of polynomials with integer coefficients is like the ring of integers.

The ring of integers modulo a prime p is a field of p elements. It is possible to mimic that construction by taking a ring of polynomials modulo a “prime polynomial” to construct fields of pn elements.

Finite field of pn elements

4

Because we will be working with strings of 0s and 1s, it would be useful for us to construct fields having elements that are strings of 0s and 1s. If we are working with strings of length n, such a field would have 2n elements.

Let’s construct a field of 4 elements; we will mimic the construction of the integers

modulo a prime p. We begin with the polynomials having coefficients from 2 ; i.e., each of the coefficients of our polynomials is either 0 or 1. Select a polynomial of degree

2 that is irreducible over 2 (i.e., it does not factor into polynomials of smaller degree having coefficients 0 and 1). This corresponds to the prime integer p.

2 ++ For example, XX1 is irreducible over 2 . By polynomial long division, divide each polynomial having coefficients 0 and 1 by XX2 ++1 and take the remainder. What does the remainder look like? After division, the remainder is of degree less than 2; so, the remainder will look like x + where each coefficient is either 0 or 1. So, there are 4 possible remainders: 0x += 00, 0x += 11, 10xx+=, and 11xx+= + 1. These 4 elements form a field.

Sometimes polynomials model “real world” situations, and X is treated as an unknown for which we want to solve. We will look at polynomials in a slightly different way. We do not care about solving for the “value of X;” we only care about the polynomial itself. Thinking this way, a polynomial is determined by its coefficients; the powers of X are just used to separate the coefficients. We could just as well think of a polynomial as a vector where the components are the coefficients; e.g., the four remainders that we obtained above could be written as (0, 0), (0, 1), (1, 0), and (1, 1). We could use these vectors as the elements of our field of 4 elements rather than the corresponding polynomials (but we will have to remember from time to time that they “really are polynomials” to make sense of multiplication). Or, because we will be working with strings of bits with strings, we might replace the 4 polynomials by the 2-bit strings 00, 01, 10, 11.

We have the following correspondences:

polynomial vector bit string 0X + 0 (0, 0) 00 0X + 1 (0, 1) 01 1X + 0 (1, 0) 10 1X + 1 (1, 1) 11

We will be thinking about bit strings. We have always been able to add (XOR) strings of bits, but we want to come up with a way to multiply strings of bits. Then we can apply some of the mathematical ideas that we used with the classical ciphers to strings of bits.

Addition

There are three ways to think of addition.

For example, to add (1, 0) and (1, 1), we can think of adding the corresponding polynomials mod 2:

X + 0 X +1 01X +

Or, we could just add the vectors mod 2:

(1, 0) (1, 1) (0, 1)

Or, we could XOR the two-bit strings:

10 11 01 .

Here is the addition table for our field of 4 elements:

+ (0, 0) (0, 1) (1, 0) (1, 1) (0, 0) (0, 0) (0, 1) (1, 0) (1, 1) (0, 1) (0, 1) (0, 0) (1, 1) (1, 0) (1, 0) (1, 0) (1, 1) (0, 0) (0, 1) (1, 1) (1, 1) (1, 0) (0, 1) (0, 0)

Multiplication

To multiply, we must recall the polynomial origins of our operations.

To multiply (1, 0)× (1, 1) , we must multiply

XX×( += 1) X2 + X

and then go mod XX2 ++1. By polynomial long division mod 2, we obtain

XX22+ =1( XX + ++ 11)

Mod XX2 ++1, this becomes (the remainder) 1. So, (1, 0)× (1, 1) = (0, 1) .

Here is the multiplication table for our field of 4 elements.

× (0, 1) (1, 0) (1, 1) (0, 1) (0, 1) (1, 0) (1, 1)

(1, 0) (1, 0) (1, 1) (0, 1) (1, 1) (1, 1) (0, 1) (1, 0)

8

To construct a field of 82= 3 elements, we would need to mod out by an irreducible polynomial of degree 3; the remainders would look like XX2 ++ where each coefficient is either 0 or 1.

To construct a field of 16= 24 elements, we would need to mod out by an irreducible polynomial of degree 4; the remainders would look like XXX32+ ++.

To construct a field of bytes, we would need to mod out by an irreducible polynomial of degree 8.

Let’s construct a field of 8 elements.

We will use the polynomial XX32++1, which is irreducible over . 2

32 2 The remainders after division by XX++1 look like {ax++ bx c:,, a b c ∈2}; i.e., the remainders look like 3-dimensional vectors where each component is 0 or 1. Or, we could think of the remainders as being 3-bit strings.

Addition is XORing bits.

Addition (0,0,0) (0,0,1) (0,1,0) (1,0,0) (1,0,1) (1,1,1) (0,1,1) (1,1, 0) (0,0,0) (0,0,0) (0,0,1) (0,1,0) (1,0,0) (1,0,1) (1,1,1) (0,1,1) (1,1, 0) (0,0,1) (0,0,1) (0,0,0) (0,1,1) (1,0,1) (1,0,0) (1,1, 0) (0,1, 0) (1,1,1) (0,1,0) (0,1,0) (0,1,1) (0,0,0) (1,1,0) (1,1,1) (1,0,1) (0,0,1) (1,0,0) (1,0,0) (1,0,0) (1,0,1) (1,1,0) (0,0,0) (0,0,1) (0,1,1) (1,1,1) (0,1,0) (1,0,1) (1,0,1) (1,0,0) (1,1,1) (0,0,1) (0,0,0) (0,1, 0) (1,1, 0) (0,1,1) (1,1,1) (1,1,1) (1,1, 0) (1, 0,1) (0,1,1) (0,1,0) (0,0,0) (1,0,0) (0,0,1) (0,1,1) (0,1,1) (0,1,0) (0,0,1) (1,1,1) (1,1,0) (1,0,0) (0,0,0) (1,0,1) (1,1, 0) (1,1, 0) (1,1,1) (1, 0, 0) (0,1, 0) (0,1,1) (0,0,1) (1,0,1) (0,0,0)

Multiplication is polynomial multiplication modulo XX32++1.

Multiplication (0, 0,1) (0,1, 0) (1, 0, 0) (1, 0,1) (1,1,1) (0,1,1) (1,1, 0) (0,0,1) (0,0,1) (0,1,0) (1,0,0) (1,0,1) (1,1,1) (0,1,1) (1,1, 0) (0,1, 0) (0,1, 0) (1, 0, 0) (1, 0,1) (1,1,1) (0,1,1) (1,1, 0) (0, 0,1) (1, 0, 0) (1, 0, 0) (1, 0,1) (1,1,1) (0,1,1) (1,1,0) (0,0,1) (0,1,0) (1, 0,1) (1, 0,1) (1,1,1) (0,1,1) (1,1, 0) (0, 0,1) (0,1,0) (1,0,0) (1,1,1) (1,1,1) (0,1,1) (1,1,0) (0,0,1) (0,1,0) (1,0,0) (1,0,1) (0,1,1) (0,1,1) (1,1,0) (0,0,1) (0,1,0) (1,0,0) (1, 0,1) (1,1,1) (1,1, 0) (1,1, 0) (0,0,1) (0,1,0) (1,0,0) (1,0,1) (1,1,1) (0,1,1)

16

The simplified AES we will examine uses a field of 16 elements obtained taking the irreducible polynomial XX4 ++1 as the modulus. For example,

(1, 0, 1, 1) + (0, 1, 1, 0) = (1, 1, 0, 1)

and

(1, 0, 1, 1) × (1, 1, 0, 1) = (0, 1, 1, 0)

Note: Although E.H. Moore proved that for each pn , p prime, there is an unique finite field of pn elements, the uniqueness is “up to ” – an algebraic term. Addition is the same for all finite fields of pn elements; it is just addition modulo pn . But, multiplication of two elements from the field depends on which irreducible polynomial is used as the modulus.